Feynman
08-21-2004, 08:10 PM
Big Brother's Last Mile
The FCC's new ruling on broadband wiretaps will force customers to pay for
the privilege of making the Internet less secure.
On August 9th, 2004, the U.S. Federal Communications Commission (FCC) took
a major step toward mandating the creation and implementation of new
Internet Protocol standards to make all Internet communications less safe
and less secure. What is even worse, the FCC's ruling will force ISP's and
others to pay what may amount to billions of dollars to ensure that IP
traffic remains insecure.
The FCC ruling comes pursuant to a request by U.S. law enforcement agencies
to extend the reach of a decade old federal statute, the Communications
Assistance for Law Enforcement Act, or CALEA, to broadband Internet service
providers including cable companies, DSL providers, satellite providers and
even electric companies that provide inline Internet access. The ruling, if
it becomes final, may require such ISPs to create and deploy new and
expensive technologies that would ensure that communications carried over
broadband were deliberately insecure and capable of being intercepted,
retransmitted, read, and understood by law enforcement. Of course, whatever
law enforcement can do, hackers will be able to do easier and faster. What
this means is that IP protocols may have to be adjusted, and the future of
encryption may also be in doubt.
A Brief History of Taps
To understand CALEA, you need a bit of history. From the dawn of Alexander
Graham Bell to 1968, there were few if any specific rules on the legal
requirements for listening in on electronic communications. The U.S.
Supreme Court had tried to apply the precepts of the Fourth Amendment's
protections of the privacy of "persons, places, houses and effects" to a
voice traveling over a wire, finally concluding in 1963 that the amendment
protects people's privacy rights, not simply their physical location. In
response, Congress passed the Omnibus Crime Control and Safe Streets Act of
1968, Title III of which established the rules for intercepting telephone
calls.
[...]
By making ISPs the electronic equivalent of the phone company, and
therefore subject to CALEA, the FCC opens the door to mandating that all
future TCP/IP technologies be tapable by design.
[...]
Concerned that the FBI lacked the technical ability to install and monitor
wiretaps, Congress in 1970 mandated that the cops could ask for, and a
court could order, the phone company to give the police "information,
facilities, and technical assistance necessary to accomplish the
interception unobtrusively and with a minimum of interference with the [the
company's] services." It also provided that the communications company "be
compensated . . . by the applicant for reasonable expenses incurred in
providing such facilities or assistance." In other words, a court could
order an ISP to cooperate, conditioned on the cops agreeing to pay for the
help. Effectively, this is no different than requiring a landlord, when
presented with both a court authorized search warrant and an order
requiring cooperation, and an order requiring the cops to pay up, to show
the police where the target's apartment is, and maybe show them how to pick
the lock.
In 1994, however, at the request of law enforcement, Congress broadly
expanded the law. No longer was the phone company merely required to
provide technical assistance to help execute an already issued wiretap
order -- now all covered telecommunications providers had to spend billions
of rate-payer's dollars to design their systems in such a way as to be
susceptible to the possibility of later court ordered surveillance. This is
the equivalent of requiring that the landlord design the building without
doors or locks (or with very weak ones), just in case the cops later want
to search anyone in the building. As the Department of Justice described
it, "CALEA for the first time required telecommunications carriers to
modify the design of their equipment, facilities, and services to ensure
that lawfully-authorized electronic surveillance could actually be
performed."
But CALEA never applied to ISPs, per se. In fact, section 102 of CALEA
states that it "does not [apply to] persons or entities insofar as they are
engaged in providing information services" although it does apply to
"person[s] or entit[ies] engaged in providing wire or electronic
communication switching or transmission service to the extent that the
Commission finds that such service is a replacement for a substantial
portion of the local telephone exchange service and that it is in the
public interest to deem such a person or entity to be a telecommunications
carrier."
In other words, if you are replacing the local telephone exchange service,
and the FCC concludes it is in the public interest, you might be covered by
CALEA. On August 9th, the FCC tentatively concluded that broadband
providers were exactly that.
[...]
Push Me, Pull You
The FCC concluded that "facilities-based providers of any type of broadband
Internet access service. . . are subject to CALEA because they provide a
replacement for a substantial portion of the local telephone exchange
service."
They arrived at this conclusion, it turns out, by completely misreading
recent technology history The FCC wrote that, at the time CALEA was
enacted, Internet services were generally provided on a dial-up basis by
two separate entities providing two different capabilities -- a local
exchange telephone company carrying the calls between an end user and her
chosen Internet Service Provider, and the ISP providing e-mail, content,
Web hosting and other Internet services.
ISPs were exempt from CALEA. But because the local phone company was
subject both to FCC jurisdiction and to CALEA, dial-up access was
implicitly covered as well: to accomplish its purposes of intercepting
communications pursuant to a court order, the FBI only had to capture the
communication at the POTS (Plain Old Telephone Service) line, and the
problem was solved.
The FCC's reasoning is that because broadband replaces dial-up access to
the Internet, and dial-up was subject to CALEA, broadband must ipso facto
be subject to CALEA.
However, while most individual users in 1994 connected to the Internet via
dial-up, the Internet was already built principally on broadband
communications. In fact, from its inception until 1991, very little of the
overall bandwidth of the Internet consisted of an individual user dialing
into a node for access. Most users were government, industry, military or
educational users sitting at terminals with relatively fast (for 70's and
80's technology) non-dial-up connections. Broadband isn't some newfangled
replacement for dial-up: it's the backbone and spine of the Internet, and
has been for decades.
A Brave New Internet
The FBI, in requesting this authority defined "broadband access service" as
"the process and service used to gain access or connect to the public
Internet using a connection based on packet-mode technology that offers
high bandwidth" but "does not include any 'information services' available
to a user after he or she has been connected to the Internet, such as the
content found on Internet Service Providers' or other websites."
Essentially, the FCC concluded that CALEA can't force website operators to
design their systems to reveal the IP addresses or identity of people who
visit the site, but could force ISPs not only to reveal the identical
information, but also to design the system to enable law enforcement to
reveal the information.
[...]
It is important to note that this expansion of CALEA was not needed to
compel the ISPs to comply with a lawful subpoena. ISP's and everyone else
must already comply under existing law. But a subpoena can only compel a
recipient to turn over documents or records that exist.
The FCC's ruling goes well beyond the extensive subpoena authority of the
grand jury and the Foreign Intelligence Surveillance Court, and even the
USA-PATRIOT Act. By making ISPs the electronic equivalent of the phone
company, and therefore subject to CALEA, the FCC opens the door to
mandating that all future TCP/IP technologies -- possibly even encrypted
ones -- be designed at the outset to be tapable. After all, it would do the
cops no good to receive a mass of encrypted packets.
What's worse, all of this would be done on your dime. As Commissioner
Abernathy pointed out in a statement, "upgrading networks to comply with a
new packet-mode standard for surveillance will be a costly endeavor, and
there are many unanswered questions about how these costs should be
recovered."
The FBI had an answer when ISPs and phone companies complained about the
cost. The Bureau suggested that the cost be defrayed by increasing the
rates you and I pay. So much for the government's E-rate program to make
broadband more affordable.
I am all for letting the cops tap phones, and even IMs, chat sessions,
e-mail and websites with appropriate court orders. What I don't like is
making us reinvent the Internet just for these purposes. The FCC action is
a large step towards requiring this.
quelle:
http://www.securityfocus.com/columnists/261
By Mark Rasch
The FCC's new ruling on broadband wiretaps will force customers to pay for
the privilege of making the Internet less secure.
On August 9th, 2004, the U.S. Federal Communications Commission (FCC) took
a major step toward mandating the creation and implementation of new
Internet Protocol standards to make all Internet communications less safe
and less secure. What is even worse, the FCC's ruling will force ISP's and
others to pay what may amount to billions of dollars to ensure that IP
traffic remains insecure.
The FCC ruling comes pursuant to a request by U.S. law enforcement agencies
to extend the reach of a decade old federal statute, the Communications
Assistance for Law Enforcement Act, or CALEA, to broadband Internet service
providers including cable companies, DSL providers, satellite providers and
even electric companies that provide inline Internet access. The ruling, if
it becomes final, may require such ISPs to create and deploy new and
expensive technologies that would ensure that communications carried over
broadband were deliberately insecure and capable of being intercepted,
retransmitted, read, and understood by law enforcement. Of course, whatever
law enforcement can do, hackers will be able to do easier and faster. What
this means is that IP protocols may have to be adjusted, and the future of
encryption may also be in doubt.
A Brief History of Taps
To understand CALEA, you need a bit of history. From the dawn of Alexander
Graham Bell to 1968, there were few if any specific rules on the legal
requirements for listening in on electronic communications. The U.S.
Supreme Court had tried to apply the precepts of the Fourth Amendment's
protections of the privacy of "persons, places, houses and effects" to a
voice traveling over a wire, finally concluding in 1963 that the amendment
protects people's privacy rights, not simply their physical location. In
response, Congress passed the Omnibus Crime Control and Safe Streets Act of
1968, Title III of which established the rules for intercepting telephone
calls.
[...]
By making ISPs the electronic equivalent of the phone company, and
therefore subject to CALEA, the FCC opens the door to mandating that all
future TCP/IP technologies be tapable by design.
[...]
Concerned that the FBI lacked the technical ability to install and monitor
wiretaps, Congress in 1970 mandated that the cops could ask for, and a
court could order, the phone company to give the police "information,
facilities, and technical assistance necessary to accomplish the
interception unobtrusively and with a minimum of interference with the [the
company's] services." It also provided that the communications company "be
compensated . . . by the applicant for reasonable expenses incurred in
providing such facilities or assistance." In other words, a court could
order an ISP to cooperate, conditioned on the cops agreeing to pay for the
help. Effectively, this is no different than requiring a landlord, when
presented with both a court authorized search warrant and an order
requiring cooperation, and an order requiring the cops to pay up, to show
the police where the target's apartment is, and maybe show them how to pick
the lock.
In 1994, however, at the request of law enforcement, Congress broadly
expanded the law. No longer was the phone company merely required to
provide technical assistance to help execute an already issued wiretap
order -- now all covered telecommunications providers had to spend billions
of rate-payer's dollars to design their systems in such a way as to be
susceptible to the possibility of later court ordered surveillance. This is
the equivalent of requiring that the landlord design the building without
doors or locks (or with very weak ones), just in case the cops later want
to search anyone in the building. As the Department of Justice described
it, "CALEA for the first time required telecommunications carriers to
modify the design of their equipment, facilities, and services to ensure
that lawfully-authorized electronic surveillance could actually be
performed."
But CALEA never applied to ISPs, per se. In fact, section 102 of CALEA
states that it "does not [apply to] persons or entities insofar as they are
engaged in providing information services" although it does apply to
"person[s] or entit[ies] engaged in providing wire or electronic
communication switching or transmission service to the extent that the
Commission finds that such service is a replacement for a substantial
portion of the local telephone exchange service and that it is in the
public interest to deem such a person or entity to be a telecommunications
carrier."
In other words, if you are replacing the local telephone exchange service,
and the FCC concludes it is in the public interest, you might be covered by
CALEA. On August 9th, the FCC tentatively concluded that broadband
providers were exactly that.
[...]
Push Me, Pull You
The FCC concluded that "facilities-based providers of any type of broadband
Internet access service. . . are subject to CALEA because they provide a
replacement for a substantial portion of the local telephone exchange
service."
They arrived at this conclusion, it turns out, by completely misreading
recent technology history The FCC wrote that, at the time CALEA was
enacted, Internet services were generally provided on a dial-up basis by
two separate entities providing two different capabilities -- a local
exchange telephone company carrying the calls between an end user and her
chosen Internet Service Provider, and the ISP providing e-mail, content,
Web hosting and other Internet services.
ISPs were exempt from CALEA. But because the local phone company was
subject both to FCC jurisdiction and to CALEA, dial-up access was
implicitly covered as well: to accomplish its purposes of intercepting
communications pursuant to a court order, the FBI only had to capture the
communication at the POTS (Plain Old Telephone Service) line, and the
problem was solved.
The FCC's reasoning is that because broadband replaces dial-up access to
the Internet, and dial-up was subject to CALEA, broadband must ipso facto
be subject to CALEA.
However, while most individual users in 1994 connected to the Internet via
dial-up, the Internet was already built principally on broadband
communications. In fact, from its inception until 1991, very little of the
overall bandwidth of the Internet consisted of an individual user dialing
into a node for access. Most users were government, industry, military or
educational users sitting at terminals with relatively fast (for 70's and
80's technology) non-dial-up connections. Broadband isn't some newfangled
replacement for dial-up: it's the backbone and spine of the Internet, and
has been for decades.
A Brave New Internet
The FBI, in requesting this authority defined "broadband access service" as
"the process and service used to gain access or connect to the public
Internet using a connection based on packet-mode technology that offers
high bandwidth" but "does not include any 'information services' available
to a user after he or she has been connected to the Internet, such as the
content found on Internet Service Providers' or other websites."
Essentially, the FCC concluded that CALEA can't force website operators to
design their systems to reveal the IP addresses or identity of people who
visit the site, but could force ISPs not only to reveal the identical
information, but also to design the system to enable law enforcement to
reveal the information.
[...]
It is important to note that this expansion of CALEA was not needed to
compel the ISPs to comply with a lawful subpoena. ISP's and everyone else
must already comply under existing law. But a subpoena can only compel a
recipient to turn over documents or records that exist.
The FCC's ruling goes well beyond the extensive subpoena authority of the
grand jury and the Foreign Intelligence Surveillance Court, and even the
USA-PATRIOT Act. By making ISPs the electronic equivalent of the phone
company, and therefore subject to CALEA, the FCC opens the door to
mandating that all future TCP/IP technologies -- possibly even encrypted
ones -- be designed at the outset to be tapable. After all, it would do the
cops no good to receive a mass of encrypted packets.
What's worse, all of this would be done on your dime. As Commissioner
Abernathy pointed out in a statement, "upgrading networks to comply with a
new packet-mode standard for surveillance will be a costly endeavor, and
there are many unanswered questions about how these costs should be
recovered."
The FBI had an answer when ISPs and phone companies complained about the
cost. The Bureau suggested that the cost be defrayed by increasing the
rates you and I pay. So much for the government's E-rate program to make
broadband more affordable.
I am all for letting the cops tap phones, and even IMs, chat sessions,
e-mail and websites with appropriate court orders. What I don't like is
making us reinvent the Internet just for these purposes. The FCC action is
a large step towards requiring this.
quelle:
http://www.securityfocus.com/columnists/261
By Mark Rasch