Feeds

Footing the Big Brother webtap bill

CALEA snoops, you pay

  • alert
  • submit to reddit

Next gen security for virtualised datacentres

On 9 August 2004, the US Federal Communications Commission (FCC) took a major step toward mandating the creation and implementation of new Internet Protocol standards to make all Internet communications less safe and less secure. What is even worse, the FCC's ruling will force ISP's and others to pay what may amount to billions of dollars to ensure that IP traffic remains insecure.

The FCC ruling comes pursuant to a request by US law enforcement agencies to extend the reach of a decade old federal statute, the Communications Assistance for Law Enforcement Act, or CALEA, to broadband Internet service providers including cable companies, DSL providers, satellite providers and even electric companies that provide inline Internet access. The ruling, if it becomes final, may require such ISPs to create and deploy new and expensive technologies that would ensure that communications carried over broadband were deliberately insecure and capable of being intercepted, retransmitted, read, and understood by law enforcement. Of course, whatever law enforcement can do, hackers will be able to do easier and faster. What this means is that IP protocols may have to be adjusted, and the future of encryption may also be in doubt.

A brief history of taps

To understand CALEA, you need a bit of history. From the dawn of Alexander Graham Bell to 1968, there were few if any specific rules on the legal requirements for listening in on electronic communications. The US Supreme Court had tried to apply the precepts of the Fourth Amendment's protections of the privacy of "persons, places, houses and effects" to a voice traveling over a wire, finally concluding in 1963 that the amendment protects people's privacy rights, not simply their physical location. In response, Congress passed the Omnibus Crime Control and Safe Streets Act of 1968, Title III of which established the rules for intercepting telephone calls.

Concerned that the FBI lacked the technical ability to install and monitor wiretaps, Congress in 1970 mandated that the cops could ask for, and a court could order, the phone company to give the police "information, facilities, and technical assistance necessary to accomplish the interception unobtrusively and with a minimum of interference with the [the company's] services." It also provided that the communications company "be compensated... by the applicant for reasonable expenses incurred in providing such facilities or assistance". In other words, a court could order an ISP to co-operate, conditioned on the cops agreeing to pay for the help. Effectively, this is no different than requiring a landlord, when presented with both a court authorized search warrant and an order requiring co-operation, and an order requiring the cops to pay up, to show the police where the target's apartment is, and maybe show them how to pick the lock.

In 1994, however, at the request of law enforcement, Congress broadly expanded the law. No longer was the phone company merely required to provide technical assistance to help execute an already issued wiretap order - now all covered telecommunications providers had to spend billions of rate-payer's dollars to design their systems in such a way as to be susceptible to the possibility of later court ordered surveillance. This is the equivalent of requiring that the landlord design the building without doors or locks (or with very weak ones), just in case the cops later want to search anyone in the building. As the Department of Justice described it: "CALEA for the first time required telecommunications carriers to modify the design of their equipment, facilities, and services to ensure that lawfully-authorized electronic surveillance could actually be performed."

But CALEA never applied to ISPs, per se. In fact, section 102 of CALEA states that it "does not [apply to] persons or entities insofar as they are engaged in providing information services" although it does apply to "person[s] or entit[ies] engaged in providing wire or electronic communication switching or transmission service to the extent that the Commission finds that such service is a replacement for a substantial portion of the local telephone exchange service and that it is in the public interest to deem such a person or entity to be a telecommunications carrier."

In other words, if you are replacing the local telephone exchange service, and the FCC concludes it is in the public interest, you might be covered by CALEA. On August 9th, the FCC tentatively concluded that broadband providers were exactly that.

Push-Me, Pull-You

The FCC concluded that "facilities-based providers of any type of broadband Internet access service... are subject to CALEA because they provide a replacement for a substantial portion of the local telephone exchange service."

They arrived at this conclusion, it turns out, by completely misreading recent technology history The FCC wrote that, at the time CALEA was enacted, Internet services were generally provided on a dial-up basis by two separate entities providing two different capabilities - a local exchange telephone company carrying the calls between an end user and her chosen Internet Service Provider, and the ISP providing e-mail, content, Web hosting and other Internet services.

ISPs were exempt from CALEA. But because the local phone company was subject both to FCC jurisdiction and to CALEA, dial-up access was implicitly covered as well: to accomplish its purposes of intercepting communications pursuant to a court order, the FBI only had to capture the communication at the POTS (Plain Old Telephone Service) line, and the problem was solved.

The FCC's reasoning is that because broadband replaces dial-up access to the Internet, and dial-up was subject to CALEA, broadband must ipso facto be subject to CALEA.

However, while most individual users in 1994 connected to the Internet via dial-up, the Internet was already built principally on broadband communications. In fact, from its inception until 1991, very little of the overall bandwidth of the Internet consisted of an individual user dialing into a node for access. Most users were government, industry, military or educational users sitting at terminals with relatively fast (for 70's and 80's technology) non-dial-up connections. Broadband isn't some newfangled replacement for dial-up: it's the backbone and spine of the Internet, and has been for decades.

A brave new Internet

The FBI, in requesting this authority defined "broadband access service" as "the process and service used to gain access or connect to the public Internet using a connection based on packet-mode technology that offers high bandwidth" but "does not include any 'information services' available to a user after he or she has been connected to the Internet, such as the content found on Internet Service Providers' or other websites".

Essentially, the FCC concluded that CALEA can't force website operators to design their systems to reveal the IP addresses or identity of people who visit the site, but could force ISPs not only to reveal the identical information, but also to design the system to enable law enforcement to reveal the information.

It is important to note that this expansion of CALEA was not needed to compel the ISPs to comply with a lawful subpoena. ISP's and everyone else must already comply under existing law. But a subpoena can only compel a recipient to turn over documents or records that exist.

The FCC's ruling goes well beyond the extensive subpoena authority of the grand jury and the Foreign Intelligence Surveillance Court, and even the USA-PATRIOT Act. By making ISPs the electronic equivalent of the phone company, and therefore subject to CALEA, the FCC opens the door to mandating that all future TCP/IP technologies - possibly even encrypted ones - be designed at the outset to be tapable. After all, it would do the cops no good to receive a mass of encrypted packets.

What's worse, all of this would be done on your dime. As Commissioner Abernathy pointed out in a statement, "upgrading networks to comply with a new packet-mode standard for surveillance will be a costly endeavor, and there are many unanswered questions about how these costs should be recovered."

The FBI had an answer when ISPs and phone companies complained about the cost. The Bureau suggested that the cost be defrayed by increasing the rates you and I pay. So much for the government's E-rate program to make broadband more affordable.

I am all for letting the cops tap phones, and even IMs, chat sessions, e-mail and websites with appropriate court orders. What I don't like is making us reinvent the Internet just for these purposes. The FCC action is a large step towards requiring this.

Copyright © 2004, 0

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

Related stories

Easy VoIP wiretaps coming soon
Webtapping battle lines drawn
Spooks seek right to snoop on Internet phone calls

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
Think crypto hides you from spooks on Facebook? THINK AGAIN
Traffic fingerprints reveal all, say boffins
prev story

Whitepapers

A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.