How the FBIs online wiretapping plan could get your computer hacked

700_9a2b00452de2b0c7fda81c5066609acb (1)The FBI is pushing for expanded power to eavesdrop on private Internet communications. The law enforcement agency wants to force online service providers to build wiretapping capabilities into their products. But a group of prominent computer security experts argues that mandating “back doors” in online communications products is likely to compromise the security of Americans’ computers and could even pose a threat to national security.

The fundamental problem is that eavesdropping facilities are a double-edged sword. They make it easier for the U.S. government to spy on the bad guys. But they also make it easier for the bad guys to hack our computers and spy on us. And, the researchers say, the Internet’s decentralized architecture makes it particularly hard to build effective and secure wiretapping capabilities online.

Since the 1994 Communications Assistance for Law Enforcement Act (CALEA), telephone companies have been legally obligated to build wiretapping capabilities into their telecommunications equipment. But CALEA didn’t apply to Internet-based communications technologies. The result, the FBI says, is that its surveillance capabilities are “going dark,” as criminal suspects increasingly shift to digital communications platforms that don’t offer real-time interception capabilities.

In response, the government is reportedly seeking to impose CALEA-type requirements on Internet services. But rather than mandating the implementation of specific surveillance standards, as the original CALEA did, the government’s proposal would fine online service providers who failed to comply with a wiretapping request from the government — leaving it to each individual firm to decide the best way to comply.

Crucially, according to reporting by The Washington Post, the FBI proposal would apply even to “Internet phone calls conducted between two computer users without going through a central company server.” In a paper published Friday by the Center for Democracy and Technology, more than a dozen prominent computer security experts warn that such a requirement would be a disaster for the security of online communications.

If information isn’t flowing through a central server, then the only way to intercept it is to add surveillance software to the user’s PC. But popular software is constantly being probed by hackers seeking vulnerabilities they can exploit. The more complex a system, the more likely programmers are to make mistakes that could provide hackers with an opening. And surveillance features are particularly dangerous, the researchers argue.

“The cleverest and most dangerous cyber-attackers are those who are able to not only compromise a system but also to evade detection,” they write. “That is also precisely the objective of a government surveillance solution.”

Even worse, a huge number of companies could be forced to comply with the government’s proposed regulations. Ed Felten, a computer scientist at Princeton and one of the paper’s authors (and, full disclosure, my graduate adviser) points out that a growing number of companies are adding peer-to-peer communications capabilities to their products.

( via )