Designing an Insecure Internet

[LoArmistead]

Posted by Julian Sanchez

 

If there were any doubt that the 90s are back in style, witness the Obama administration’s attempt to reignite the Crypto Wars by seeking legislation that would force Internet services to redesign their networks and products to provide a centralized mechanism for decrypting user communications. It cannot be stressed enough what a radical—and terrible—idea this is. I’ll be writing on this at greater length this week, but a few quick points.

 

First, while the Communications Assistance for Law Enforcement Act (CALEA) already requires phone and broadband providers to build in interception capacity at their network hubs, this proposed requirement—at least going on the basis of the press description, since there’s no legislative text yet—is both broader and more drastic. It appears that it would apply to the whole panoply of online firms offering secure communication services, not just big carriers, imposing a greater relative burden. More importantly, it’s not just mandating that already-centralized systems install a government backdoor. Rather, if I understand it correctly, the proposal would insist on a centralized (and therefore less secure) architecture for secure communications, as opposed to an end-to-end model where encryption is handled client-side. In effect, the government is insisting on the right to make a macro-design choice between competing network models for thousands of companies.

 

Second, they are basically demanding that providers design their systems for breach. This is massively stupid from a security perspective. In the summer of 2004, still unknown hackers exploited surveillance software built in to one of Greece’s major cell networks to eavesdrop on high government officials, including the prime ministers. The recent hack of Google believed to originate in China may have used a law-enforcement portal to acquire information about dissidents. More recently, we learned of a Google engineer abusing his access to the system to spy on minors.

 

Third, this demand has implications beyond the United States. Networks designed for interception by U.S. authorities will also be more easily tapped by authoritarian governments looking to keep tabs on dissidents. And indeed, this proposal echoes demands from the likes of Saudi Arabia and the United Arab Emirates that their Blackberry system be redesigned for easier interception. By joining that chorus, the U.S. makes it more difficult for firms to resist similar demands from unlovely regimes.

 

Finally, this demand highlights how American law enforcement and intel agencies have been circumventing reporting requirements designed to provide information on this very problem. As the Crypto Wars of the 90s drew to a close, Congress amended the Wiretap Act, which creates strong procedural protections when the government wants to use intrusive electronic surveillance, to add a requirement that agencies report each instance in which they’d encountered encryption. The idea was to get an objective measure of how serious a problem this posed. The most recent report, however, cited only one instance in which encryption was encountered, out of 2,376 wiretap orders. Why, then, are we now being told encryption is a huge problem? Almost certainly because law enforcement and intelligence agencies aren’t using the Wiretap Act to intercept electronic communications—preferring, instead, to avail themselves of the far more lax standards—and spare reporting requirements—provided by the Stored Communications Act. It’s always easier to claim you need sweeping new powers from Congress when you’ve managed to do an end-run around the provisions Congress put in place to keep itself informed about how you’re using your existing powers, after all.

 

http://www.cato-at-liberty.org/designing-an-insecure-internet/

[Waco]

This is such a horrible idea I don't even know where to start.

[endorphiend]

From a non-technical (read: political) standpoint, I can see the benefits of allowing the government to "wiretap" a suspected criminal's internet traffic.

 

From a technical point of view, like the OP posted, it falls apart. For years cryptographers have been building huge walls to keep data secret (assuming P != NP ), and this is asking them to build in a back door for government access. Not only that, but it's publicly announcing that back door will exist and is begging hackers to try and find it. At the very least, I'm sure it will keep both cryptographers and ISPs very busy for the next few years.

 

This reminds me of when politicians tried to legally declare an incorrect value for Pi: http://en.wikipedia.org/wiki/Indiana_Pi_Bill

[LoArmistead]

Washington is doing everything it can to get its grubby rat claws on the internet. Politicians are trying to simultaneously attack our liberties from the above-mentioned approach, from the net neutrality approach (internet Fairness Doctrine), and from the approach of outrightly blacklisting certain sites deemed inappropriate by government. Find out who the politicians are who support these bills, and do not vote for them. Better yet, write them and tell them to keep their collectivist booger hooks out of our private lives altogether. Remind them just who exactly they work for.

[k1e1v1i1n]

old ppl vote these ppl in and old ppl could care less about there internet to them its a place where they steal your info and pornographers live.

 

where there is a president who grew up with the internet you might see laws that make sense.

 

i am over 30 so i am prob out of touch just think how out of touch the ppl are who makes the laws

[LoArmistead]

It's our generation of 18 - 30 year-olds who put the people into power who are trying to do this. It's a bipartisan effort, but the core of the tyrannical movement lies within the US Democratic party. They claim to be the party of liberty and choice, but a century of actions that prove otherwise speak a lot louder than a 10-second sound byte and a nice haircut.

[bp9801]

Sometimes, I wish the Democrats hadn't gone all crazy on us. First it was trying to shove slavery down the throats of everyone and now this. When will they learn...

[sheldorisafk]

I don't even take sides with political parties anymore. I've decided the government just plains sucks right now...