Groups criticize FBI plan to require Internet backdoors for wiretaps
U.S. task force reportedly working on plan to severely penalize companies that fail to comply quickly with wiretap orders
Privacy groups are denouncing a federal government move to force Internet companies like Facebook and Google to build backdoors that would let the FBI and other agencies snoop in on real time online communications.
The Washington Post reported this week that a government task force is is working on such a plan at the behest of the FBI and other law enforcement agencies that contend that they can't tap the Internet communications of terrorists and other criminals on such sites.
Privacy advocates say the plan could bankrupt smaller Internet companies and increase chances that hackers can access user data.
FBI officials didn't respond to a request for comment on the report.
The Post reported that the plan would subject Internet companies that failed to respond to federal wiretap requests to an automatic judicial review and fines starting at tens of thousands of dollars. Fines that remain unpaid after 90 days would double daily, the Post reported.
Internet companies would be free to implement any mechanism that would let law enforcement agencies tap Internet communications in real-time, the Post reported, citing unnamed sources.
Analysts say the agencies are proposing the changes due to a growing frustration over their inability to legally spy on communications carried on by suspects over Internet-based services such as webmail, and peer-to-peer services like chat, and social networks.
The Communications Assistance for Law Enforcement Act (CALEA) of 1994 already requires that telecommunications carriers provide government agencies with the ability to track traditional telephony and mobile communications on their networks when legally authorized to do so.
Over the years, the CALEA law has been expanded and interpreted by different courts to also cover broadband Internet service providers and Voice over IP services. Also, the federal government has long had the authority to legally obtain stored electronic communications from ISPs and telecommunication carriers in connection with criminal investigations.
However, the government's ability to monitor real-time email, chat and social network communications has been limited because providers of such services don't have intercept mechanisms in place or do not readily comply with wiretap requests.
The FBI describes such lack of easy access as the 'Going Dark" problem, a term used to describe the growing gap between the government's authority to conduct legal surveillance and their ability to actually do so.
In the past, the FBI has complained about a growing inability to collect evidence against online criminals, drug traffickers and terrorism suspects that use Internet-based communications services to communicate.
Such concerns are valid said Joshua Hall, senior staff technologist at the Center for Democracy and Technology (CDT). However, threatening Internet companies with financial penalties is wrong, Hall said.
"We're not against wiretaps" where warranted, Hall said. "The shot clock is the problem."
Under the proposed approach, any company that receives a federal wiretap request will have a specific time period in which to comply. If the company already has an intercept mechanism in place, complying with the request should not be a problem.
But smaller companies that don't have such a capability in place will be forced to implement something quickly to avoid huge penalties, he said. "Companies are going to say 'let's do this as cheaply as we can,'" Hall said. Such rush jobs would produce insecure and poorly integrated tools, he added.
Alan Butler appellate advocacy counsel at the Electronic Privacy Information Center (EPIC), said the FBI proposal would force companies to build unsecured backdoors into otherwise secure communications services.
Many communications providers currently use encrypted connections to ensure greater security for their users, a policy that makes "perfect sense at a time when cyberattacks are a persistent threat and both Congress and the Obama Administration have been focusing on implementing a comprehensive cybersecurity program," Butler said.
"Many companies, like Google, already have access to the content of their user's communications, but other newer companies are competing for users based on the security and privacy of their services," he noted. "A truly secure communications connection would not have an access point that could be used by some unknown intermediate party to monitor the conversation."
In addition to encouraging the creation of security vulnerabilities, the proposed system of penalties would also degrade some privacy protections, he said.
"In many cases the service provider is the only party able to advocate on behalf of user privacy in the case of an overbroad or otherwise illegal law enforcement surveillance request," Butler said.
The proposal would punish such companies by threatening fines that could quickly outstrip their entire revenue stream. "This would mean that companies like Twitter can no longer advocate for their user's privacy without risking financial ruin."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
Read more about security in Computerworld's Security Topic Center.