“Going Dark” vs. “Going Secure”: New CDT Experts’ Report on CALEA II
According to press reports, the FBI is close to persuading the rest of the Obama administration to support major changes to the Communications Assistance to Law Enforcement Act of 1994 (CALEA). A major new report of technical experts released this week concludes: “Requiring software vendors to build intercept functionality into their products is unwise and will be ineffective, with the result being serious consequences for the economic well-being and national security of the U.S.”
Until now, CALEA has applied to telephone services and software and has required that they be “wiretap ready,” so that a wiretap court order can be carried out successfully. Under the new proposal, this “wiretap ready” requirement would apply far more broadly, to peer-to-peer VoIP (voice over Internet protocol) systems—the many types of software and services that allow direct, peer-to-peer communication. Examples range from instant messaging and chat to Skype to Google Hangouts to Xbox Live.
When CALEA was first considered, the FBI had wanted its requirements to apply broadly to the Internet; it’s safe to say that this would have stifled the incredible innovation and diversity on the Internet that has occurred since 1994.
The FBI has argued that these new technology mandates are needed because it is “going dark”: new and evolving Internet technologies mean that government may not have a way to get the content of communications with a wiretap order. In a 2011 paper, Kenesa Ahmad and I argued that “going dark” is the wrong image and that today should instead be understood as a “golden age of surveillance.” As members of the IAPP know, law enforcement and national security agencies today have far greater data gathering capabilities than ever before, such as: (1) location information; (2) information about contacts and confederates; and (3) an array of new databases that create digital dossiers about individuals’ lives.
Rather than focusing on the validity of the FBI’s claim that it is being disadvantaged by the advance of technology, the technologists’ report examines the technical aspects of expanding wiretap obligations. A central point is that a wiretap mandate will present serious security risks, a point that Susan Landau has explained in detail in her excellent book “Surveillance or Security?” Building holes and backdoors into widely available software and services creates vulnerabilities that can be exploited by a range of bad actors, including hackers, individual employees at the software companies and government officials in the numerous countries that will expect the same access afforded to the FBI. When it comes to cybersecurity online, the first rule for government should be “do no harm.”
Unfortunately, the FBI proposal would harm cybersecurity.
For more detail, I strongly support going to the technologists’ report. What is at stake is no less than the future of secure communications on the Internet. In the 1990s, law enforcement agencies tried to prevent the use of effective encryption for fear that the wiretaps of that era would no longer succeed. After extended debate, the Clinton administration in 1999 ultimately decided that strong encryption should become widely used, as I have discussed in a 2012 paper on “Encryption and Globalization.”
We should learn the lessons from the “crypto war” debates of the 1990s. The widespread use of effective encryption does mean changes in the ways that law enforcement will seek lawful access to communications, including greater reliance on stored records rather than real-time communications. But we should choose to “go secure” in our Internet infrastructure, especially since the case is so weak that the FBI and other agencies are actually “going dark.”
About the Author
Peter Swire, CIPP/US, is the Nancy J. & Lawrence P. Huang Professor at the Georgia Institute of Technology, in the Scheller College of Business. He is a Senior Fellow with the Future of Privacy Forum and the Center for American Progress, and Policy Fellow with the Center for Democracy and Technology.
In 2013, Swire served as a member of President Obama’s Review Group on Intelligence and Communications Technology. Previously, he was co-chair of the Do Not Track standards process of the World Wide Web Consortium. He served in the White House under both Presidents Clinton and Obama, and is lead author of two texts for Certified Information Privacy Professionals examinations of the IAPP.