Mark M. Jaycox and Seth Schoen
According to the New York Times, President Obama is “on the verge of backing” a proposal by the FBI to introduce legislation dramatically expanding the reach of the Communications Assistance for Law Enforcement Act, or CALEA. CALEA forces telephone companies to provide backdoors to the government so that it can spy on users after obtaining court approval, and was expanded in 2006 to reach Internet technologies like VoIP.
The new proposal reportedly allows the FBI to listen in on any conversation online, regardless of the technology used, by mandating engineers build “backdoors” into communications software. We urge EFF supporters to tell the administration now to stop this proposal, provisionally called CALEA II.
The rumored proposal is a tremendous blow to security and privacy and is based on the FBI’s complaint that it is “Going Dark,” or unable to listen in on Internet users’ communications. But the FBI has offered few concrete examples and no significant numbers of situations where it has been stymied by communications technology like encryption. To the contrary, with the growth of digital communications, the FBI has an unprecedented level of access to our communications and personal data; access which it regularly uses. In an age where the government claims to want to beef up Internet security, any backdoors into our communications makes our infrastructure weaker.
Backdoors also take away developers’ right to innovate and users’ right to protect their privacy and First Amendment-protected anonymity of speech with the technologies of their choice. The FBI’s dream of an Internet where it can listen to anything, even with a court order, is wrong and inconsistent with our values. One should be able to have a private conversation online, just as one can have a private conversation in person.
The White House is currently debating whether or not to introduce the bill. Here’s why it shouldn’t:
Did the encryption stop the investigation, or even prevent the wiretappers from figuring out what was being said? No. The report admits that in all of these instances, police were able to obtain the plain text of communications. Previous years’ numbers are similar. Aside from government reports, in 2012 telecommunications companies also revealed that a very low percentage of law enforcement requests for user information were rejected. In AT&T’s case, only 965 out of over 250,000 requests for user information were rejected. Overall, the available public statistics don’t appear to support the FBI’s claims about its inability to access communications.
Indeed, former White House Chief Counselor for Privacy Peter Swire and Kenesa Ahmad argued persuasively in 2011 that, overall, “today [is] a golden age for surveillance“—regardless of whether law enforcement is assured of automatic access to each and every kind of communication, and regardless of whether individuals sometimes succeed in using privacy technologies to protect themselves against some kinds of surveillance.
First, there’s information obtained from cell phones. In July 2012, the New York Times reportedthat federal, state, and local law enforcement officials had requested all kinds of cell phone data—including mappings of suspects’ locations—a staggering 1.3 million times in the previous year. Cell phone companies can create what amounts to detailed maps of our locations and turn them over to law enforcement. Even without asking for cell phone providers’ direct assistance, law enforcement has considerable ability to use mobile devices to track us. Federal and state law enforcement have made extensive use of IMSI catchers (also popularly called “stingrays,” after the brand name of one such device). These devices can act as a fake cell phone tower, observing all devices in a certain area to find a cell phone’s location in real-time, and perhaps even intercept phone calls and texts.
Laws compelling companies to divulge user information accompany these techniques. For instance, National Security Letters, served on communications service providers like phone companies and ISPs, allow the FBI to secretly demand stored data about ordinary Americans’ private communications and Internet activity without any meaningful oversight or prior judicial review. And Section 215 of the PATRIOT Act allows for secret court orders to collect “tangible things” that could be relevant to a government investigation. The list of possible “tangible things” the government can obtain is seemingly limitless, and could include everything from driver’s license records to Internet browsing patterns. The FBI has even broken into individuals’ computers to collect data from inside the computers themselves. More backdoors aren’t needed.
A proposal to expand backdoors into communications software ensures that online hackers, communications company insiders, and nation-states have a direct entrance to attack—and steal from—companies and government agencies. In one notorious example, someone exploited backdoors in a Greek phone company’s systems and recorded sensitive conversations involving the Prime Minister. Wiretapping backdoors even affect national security. In 2012, Wired revealed the NSA’s discovery and concern that every telephone switch for sale to the Department of Defense had security vulnerabilities due to the legally-mandated wiretap implementation. If politicians are serious about online security, they will not make these security blunders even worse by bringing more sensitive communication technologies under CALEA’s scope.
Just last week, an ad hoc group of twenty renowned computer security experts issued a reportexplaining their consensus that CALEA II proposals could seriously harm computer security. These experts said that a requirement to weaken security with deliberate backdoors “amounts to developing for our adversaries capabilities that they may not have the competence, access or resources to develop on their own.”
And now the Washington Post has reported that intruders, allegedly working on behalf of the Chinese government, broke into Google’s existing surveillance systems. (In this case, the report says that the intruders learned who was targeted by these systems, rather than accessing the contents of the targets’ accounts or communications—but it’s easy to see that wiretap contents would ultimately represent an even bigger target, and a bigger prize. Even more exciting would be the prospect of remotely activating new wiretaps against victims of an intruder’s choice.)
Once those “crypto wars” were over, the US government seemed to accept the right of Americans to secure communications and abandon the idea of forcing innovators to dumb down these technologies. We turned our concerns to foreign governments, several of whom were trying to ban communications tools for being “too private.” (For instance, the Associated Press reported five countries threatened to ban BlackBerry services in 2010 because the services protected user privacy too well.) Americans, including the US State Department, began supporting the development and distribution of secure communications tools to foreign rights activists who need them. Now this battle may be coming home.
Even with these tools, most Americans can protect only a tiny fraction of the trail of data we leave behind electronically as we live our lives. But we still have the right to choose them and try our best to keep our private communications private.
The government should place any proposal to expand CALEA on hold. There is little evidence the FBI is actually “going dark,” especially when balanced with all the new information they have access to about our communications. And backdoors make everyone weaker. In a time when “cybersecurity” is supposed to be a top priority in Washington, the FBI is pushing a scheme that directly undermines everyone’s online security and interferes with both innovation and the freedom of users to choose the technologies that best protect them. Tell the White House now to stop the proposal in its tracks.