Last fall the FBI issued an alarm: its wiretapping efforts were "going dark" and soon the bureau would not be able to eavesdrop on criminals. Echoing complaints from India, Dubai, and the United Arab Emirates, the FBI said it needed access to keys used in encrypted messages and that peer-to-peer architectures such as Skype needed to be rearchitected for wiretapping. The Communications Assistance for Law Enforcement Act (CALEA) needed updating for the Internet age.
Now it is true that the bureau faces a problem. The phone network is centralized -- calls go through the company's central offices -- making wiretapping a relatively easy task. But figuring out where decentralized Internet communications should be tapped can be difficult when targets are mobile (think coffeehouse, hotel, or airport lounge) or using the latest communications tools (think Skype or Voice over IP).
Now not all modern communications are hard to tap. Cell phones are easy to tap, as are certain centralized Internet communications such as Facebook and Gmail. But peer-to-peer communications that use the robust Internet communications network to its fullest and encrypted communications pose a problem to the bureau -- and its counterparts abroad (including when those seek to spy on U.S. businesspeople overseas).
Enabling legal wiretap creates serious risk. As I've already written about earlier, in 2004-2005, parties unknown broke into a Vodafone Greece switch that had been equipped with wiretapping capabilities designed to accommodate law-enforcement requirements. The result was one hundred senior Greek officials, including the prime minister, were wiretapped for ten months. Between 1996-2006, over six thousand Italians, including judges, politicians, celebrities, and sports figures, were similarly wiretapped, presumably for bribery and blackmail purposes (the case remains in court). Last year an IBM researcher found that a Cisco switch designed to accommodate law-enforcement wiretapping could be spoofed, allowing unauthorized parties to initiate eavesdropping.
But theft of U.S. intellectual property -- business plans, inventions, research data -- may be the most significant cybersecurity risk this nation faces according to the U.S. Department of Defense. So it makes little sense to build surveillance technologies into our communications infrastructure. When a company doesn't properly secure its systems, it is at risk. When a communications infrastructure, whether a switch or an application, is made insecure, all communications traveling through it are at risk. Building wiretapping into communications infrastructure threatens our security for the long term.
There are other solutions. Instead of pressing for wiretapping technologies that would ultimately make U.S. communications insecure, the FBI should figure out how to tap new communications technologies when they hit the street, not when a case hits the bureau (or as the Boy Scouts say, "Be Prepared"). The FBI should be providing state and local law enforcement, who conduct the majority of criminal wiretaps, with state-of-the-art information on wiretapping procedures for new technologies (currently such arrangements are "ad hoc" according to recently released documents). Finally the bureau should take even greater advantage of transactional data, the who, when, how long, of communications. Cell networks and the Internet provide rich information for investigators, who have used transactional data to track down Khalid Sheik Mohammed, the July 21st London bomber who fled to Rome, and Philip Markoff (the "Craigslist" murderer); such data should be even further exploited. Transactional data is what the NSA uses ever since communications content went "dark."
During the 1990s's passage of CALEA, FBI Director Louis Freeh forcefully argued the law was needed to investigate kidnappings. But kidnapping investigations constituted fewer than six wiretaps a year, a poor argument in which to base a rearchitecture of communications technologies -- even if an emotionally laden one for congressmen. So far there has been little data to support the bureau's going dark claims -- FBI General Counsel Valerie Caproni mentioned only two cases in congressional testimony in February. Before rearchitecting communications technologies to accommodate electronic eavesdropping -- which could well enable our enemies to spy on our communications -- we need to understand the risks "solutions" raise and the full panoply of alternatives. Only then can we resolve the situation in a way that secures us for the short -- and long -- term.