Not Being Able To Spy On Everyone Online Is A Feature, Not A Bug

from the tell-the-FBI dept

Mon, Oct 11th 2010 12:03pm — Mike Masnick

With the recent news coming out that the feds plan to introduce dangerous legislation early next year to mandate backdoors for wiretapping into every form of internet communications, plenty of people have expressed their horror at such a plan. It's not just the basic questions of due process and privacy, but the massive burdens lumped upon all sorts of companies, combined with the equally worrisome security holes opened up by such demands.

Julian Sanchez has a wonderful article over at the American Prospect discussing just how problematic this plan would be:

But the current proposal is far more radical, in part because the Internet is not much like a traditional phone network. To see why, consider Skype, a popular program that allows users to conduct secure text chats, phone conversations, video conferences, and file transfers. Skype is designed as a distributed peer-to-peer network, meaning there's no central hub or switching station through which calls are routed; only the login server used to register members as they sign on to the network is centralized. Calls are encrypted end-to-end, meaning that only the end users who are parties to a call hold the secret keys to secure the conversation against online snoops. There's no device Skype can install at their headquarters that would let them provide police with access to the unencrypted communications; to comply with such a mandate, they'd have to wholly redesign the network along a more centralized model, rendering it less flexible, adaptable, and reliable as well as less secure.

Skype is just one of the thousands of firms, large and small, that would be burdened with the obligation to design their systems for breach. We've already seen how this can cause security vulnerabilities on traditional phone networks: In 2005, it was discovered that unknown hackers had exploited wiretap software built into Vodaphone Greece's computer system for law-enforcement use to eavesdrop on the cellular phone conversations of high Cabinet officials and even the prime minister. Designing for surveillance means, more or less by definition, designing a less secure, more vulnerable infrastructure. It's for just this reason that similar proposals were wisely rejected during the Crypto Wars of the 1990s, a decision that helped give rise to a thriving online economy that's wholly dependent on strong encryption.

It's not just hackers who could exploit such vulnerabilities, of course. A network architecture designed for the convenience of American law enforcement also necessarily makes eavesdropping easy for the many regimes whose idea of a "national-security threat" includes political dissent or blasphemous speech. And there's always the threat of interception by insiders: An engineer at Google was recently fired for using his privileged access to snoop into the private accounts of several teenage users. One way to alleviate such concerns is for firms like Google to enable end-to-end encryption, so users can feel secure that even the company's own employees won't have the keys needed to read their communications. The government's proposal would deny them the ability to make that promise.

Sanchez also has a wonderful line towards the end. In discussing why law enforcement would obviously love this kind of access (while also highlighting its widespread past abuses of wiretapping ability, he notes:

But while governments may consider it a bug when network architecture renders such sweeping surveillance infeasible, citizens should probably regard it as a feature.

An important feature, too, and one that we shouldn't easily part with just because a government with a history of abusing surveillance rights doesn't want to do any legwork anymore.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: internet, spying, surveillance, us government

21 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 11 Oct 2010 @ 12:10pm

A fair idea
If they have a back door into my computer, I get a back door to theirs. It's all about openness in government, isn't it?
[ link to this | view in chronology ]
- Anonymous Coward, 11 Oct 2010 @ 12:32pm
  
  Re: A fair idea
  This is a really good point. How long after these mandates are in place will it be before hackers have the backdoor figured out and ALL government systems are compromised?
  [ link to this | view in chronology ]
  - :Lobo Santo (profile), 11 Oct 2010 @ 12:35pm
    
    Re: Re: A fair idea
    About 3 weeks before the plan is "officially" to be put into action.
    [ link to this | view in chronology ]
  - Bruce Ediger (profile), 11 Oct 2010 @ 10:03pm
    
    Re: Re: A fair idea
    There have been persistent rumors that Evil Hackers have used the DCS-3000/DCS-6000 systems for their own uses.
    
    The DCS systems are the ones formerly known as "Carnivore" and mandated by the CALEA.
    [ link to this | view in chronology ]
  - Anonymous Coward, 13 Oct 2010 @ 3:10pm
    
    Re: Re: A fair idea
    Happened about 5 to 10 years ago.
    [ link to this | view in chronology ]
Anonymous Coward, 11 Oct 2010 @ 12:35pm

only the login server used to register members as they sign on to the network is centralized
Of course, this is probably where the tap could be (and is, if you believe the theory that the SIGINT agencies don't consider Skype a problem) implemented, by listing certain users or IPs whose communications are to be routed to a certain set of machines under the control of NSA/FBI/other TLA agency. What are the statuses of breaking the Skype protocol and reverse-engineering the binary now?
[ link to this | view in chronology ]
- Rikuo (profile), 11 Oct 2010 @ 12:52pm
  
  Re: #3
  Now, I'm not pretending to be a network expert, but if the Fbi et al tap the login server, the only data they're going to get is that X is talking to Y. The computers at Skype headquarters don't actually transmit or receive any of the actual conversation data. That information is stored on whatever computers that X and Y are using.
  [ link to this | view in chronology ]
  - Andrew F (profile), 11 Oct 2010 @ 1:22pm
    
    Re: Re: #3
    If you tap the login server, you could probably impersonate one of the users and get in that way. You'd probably also have to alter the client software to broadcast to multiple peers (including the FBI) rather than just one.
    
    It's doable, but it does open up a lot of security holes though.
    [ link to this | view in chronology ]
  - Derek Kerton (profile), 11 Oct 2010 @ 1:36pm
    
    Re: Re: #3
    The point is that the proposed legislation would require Skype to change the way it works so that the authorities could intercept the person-to-person conversation. One bad option would be a re-route through a central server.
    
    Among Mike's point are one that this might break Skype. Another is that it would make Skype much less desirable by users.
    
    Making things suck for government's convenience, or making technology crawl so that our own governments can spy on us is policy more becoming of North Korea or China. Not the USA.
    
    The consequences are dire. If this passes, all residents of New Hampshire will die. (Or at least need to change their license plates.)
    [ link to this | view in chronology ]
weneedhelp (profile), 11 Oct 2010 @ 1:00pm

Whats shocking
is that the argument is about the technology limitations, rather than our government wishes to have this kind of power.
[ link to this | view in chronology ]
- Rikuo (profile), 11 Oct 2010 @ 1:15pm
  
  Re: Whats shocking
  Ummmm...what article are you reading? This article is about why its bad for the government to have this kind of power, it just goes into tech-talk to give one explanation for why its bad. I'm presuming you didn't read "A network architecture designed for the convenience of American law enforcement also necessarily makes eavesdropping easy for the many regimes whose idea of a "national-security threat" includes political dissent or blasphemous speech."
  [ link to this | view in chronology ]
Anonymous Coward, 11 Oct 2010 @ 1:41pm

God I hope this goes through. If everything is easily tapped it'll be so much easier for the really tech savvy and motivated get the login passwords of different government officials (probably not the higher ups, but a good number of the lower echelon passwords will be up for grabs). The media spectacle following the massive amount of information that gets leaked will probably be enough of a reason for me to start watching the news again.
[ link to this | view in chronology ]
Zacqary Adam Green (profile), 11 Oct 2010 @ 3:27pm

On the plus side, this sort of attitude is what causes the Justice Department to actively fight against three-strikes legislation, because that would encourage people to encrypt everything.
[ link to this | view in chronology ]
Anonymous Coward, 11 Oct 2010 @ 3:45pm

If it's true, it could be big business.
Question:
Why else do you think AT&T was allowed to go on its M&A spree a few years ago?

Answer:
It was because they had a solid business plan with forward-thinking, marketplace defining, consumer-friendly business practices that place customer satisfaction as #1 priority and at the center of their business.
[ link to this | view in chronology ]
Anonymous Coward, 11 Oct 2010 @ 4:02pm

Yup...of COURSE you can trust the government. Just go ask a native American Indian! (rolling my eyes)
[ link to this | view in chronology ]
Derek, 11 Oct 2010 @ 4:49pm

For The Children! (tm)
It will be interesting to see which congress-critters jump onboard to sponsor this sort of legislation, then rush home to froth about government over-regulation and interference with business.
[ link to this | view in chronology ]
BruceLD, 11 Oct 2010 @ 9:47pm

Subject
This would make way for peeping toms to spy on your wifes beach vacation photos, your daughters pool party pictures and would allow pervs to snoop around in your families email and online banking transactions and even tax information.

Yep. Sounds like a good idea!

Here's another great idea, why not let the movie and music industry spy on your family and children too? They would LOVE to do this, and no doubt these "spy" laws can be helpful to them too!

YAY!!!!
[ link to this | view in chronology ]
- The Groove Tiger (profile), 12 Oct 2010 @ 5:33pm
  
  Re: Subject
  I get that spying on people's beach and pool photos make you a peeping tom, but I don't understand the relationship between pervs and bank/tax records
  [ link to this | view in chronology ]
Rikuo (profile), 11 Oct 2010 @ 11:48pm

Dan Brown
What's surprising me here is that this is pretty much the plot of Dan Brown's "Digital Fortress". American law enforcement want to be to tap everything, so they build a supercomputer able to crack any encryption...
[ link to this | view in chronology ]
Pastychomper, 13 Oct 2010 @ 1:09am

Skype wouldn't be hard to change
I'm no expert, but I think Skype's protocol would be very easy for the company to compromise. It's been capable of conference calls for years, all Skype needs to do is introduce a "feature" that silently adds a third caller when the login server asks it to.

Admittedly one of the users might notice that Skype was using more bandwidth than usual - or that it's now transmitting to two places instead of one - but there are various ways to make it harder to spot. For example, they could increase the compression so the perv/scammer/spy/carefully-vetted law enforcement officer gets a lower quality but still audible signal. Or just pay a few people to spread rumours about Skype's ridiculous new encryption that interferes with its compression under certain circumstances...
[ link to this | view in chronology ]
Kevin, 16 Oct 2010 @ 1:24pm

1984
1984 was a book, not an instructional guide.
[ link to this | view in chronology ]