As the Obama administration considers supporting a proposal to help law enforcement eavesdrop on Internet communications, experts warn the measure could have an unintended consequence: creating digital "backdoors" for cybercriminals to exploit.
The FBI has been pushing for legislation that would force companies like Google and Facebook to create ways for law enforcement to conduct court-approved surveillance on their networks. The Obama administration is "on the verge of backing" a measure that would fine Silicon Valley companies that refuse to build wiretapping capabilities into their systems, according to The New York Times.
But security experts and at least one lawmaker say it could make the Internet less safe by requiring tech companies to essentially design a security flaw into their products.
"The government should be doing everything in its power to increase the security of our communications networks, not riddling them with interception backdoors that will likely be exploited by criminals and foreign governments," Chris Soghoian, a policy analyst for the American Civil Liberties Union, said in a statement. "History has shown time and time again that interception backdoors are fundamentally at odds with good cybersecurity."
Rep. Hank Johnson (D-Ga.), a member of the House Judiciary Committee, where wiretapping legislation would be considered, said he opposes the FBI's proposal.
"At a time when we need sensible legislation to confront cyber threats, the F.B.I. proposal is a step in the wrong direction on security and privacy," Johnson said in a statement. "Forcing companies to engineer backdoors for information requests would increase the risk of hacking, identity theft, and mass surveillance."
The proposal comes amid growing debate over how to combat terrorism and cybercrime. The Boston bombings have heightened awareness over national security and whether law enforcement should conduct surveillance on suspected terrorists who communicate online. At the same time, hackers are increasingly breaking into computer networks of major corporations and government agencies, raising alarm about the need to combat cyber threats.
The FBI argues the wiretapping mandate is needed because new forms of Internet-based communication have outpaced the Communications Assistance for Law Enforcement Act, or CALEA. The 1994 law requires telecommunications companies to make their networks wiretap-friendly, but does not apply to most Internet companies.
If the law is overhauled to include providers of Internet-based communications services, it could create a new target for hackers looking to exploit weaknesses in those networks, according to Susan Landau, a fellow at the Radcliffe Institute for Advanced Study at Harvard University.
Two years ago, Landau warned a congressional committee of a "serious risk" that wiretaps built into communications networks "will be subverted either by trusted insiders or skilled outsiders, including foreign governments, hackers, identity thieves and perpetrators of economic espionage."
It has happened before. In 2004, for example, hackers gained access to the wiretapping capabilities built into the network of Greece's largest cellular service provider and eavesdropped on more than 100 Greek government officials, including the prime minister.
"Rather than securing us, such capabilities endanger us," Landau said in written testimony.
At the same hearing, Valerie Caproni, who was the FBI's general counsel at the time, insisted that the bureau "doesn't want backdoors" and that "the security of the Internet is extremely important to the FBI."
"But I also get kept up by worrying that we have got criminals running around that we can’t arrest and can’t prosecute because we can’t actually execute a wiretap order," she said, according to a transcript of the hearing.
In an op-ed on Wired.com earlier this year, Matt Blaze, professor of computer science at the University of Pennsylvania, argued against creating mandatory wiretaps for Internet services. Instead, he suggested that law enforcement should conduct surveillance through another controversial method: hacking into suspects' computers.
"Instead of changing the law, they can use specialized, narrowly targeted exploit tools to do the tapping," Blaze wrote.
The FBI is already attempting to use this surveillance technique, but the courts have not always approved. Last month, a judge in Texas rejected a request by the FBI to remotely hack into a computer to obtain emails, chat-messaging logs and other documents to investigate a bank fraud and identity-theft case that began earlier this year.
In a written opinion, U.S. Magistrate Judge Stephen Smith said the FBI needed to ensure that such techniques didn't allow law enforcement to also gather information on people not suspected of committing a crime.
"This is not to say that such a potent investigative technique could never be authorized," Smith wrote in his opinion. "But the extremely intrusive nature of such a search requires careful adherence" to the rules.
This story has been updated to include comment from Rep. Hank Johnson (D-Ga.).