


Online monitoring scheme bad news for security, opponents say

Apr 30, 2013
Data and Information Security, Privacy

While such backdoors would help U.S. law enforcement, they would also provide a new vector for state-sponsored hackers

Government efforts to allow law enforcement to intercept all online communications would dramatically weaken Internet companies’ ability to secure their infrastructure, opponents say.

A government task force is working on legislation that would penalize companies such as Google and Facebook that failed to heed court-issued wiretapping orders presented by law enforcement, The Washington Post reported on Monday. Failing to provide the data would result in court-levied fines starting at tens of thousands of dollars. After 90 days, unpaid fines would double daily.

Law enforcement with court orders can obtain email and other online communications stored in a central server. The legislation in the works would extend the 1994 Communications Assistance for Law Enforcement Act (CALEA) to Internet phone calls between computer users. Microsoft-owned Skype is the best-known example of such peer-to-peer communications, but telecom companies, Internet service providers and Internet companies also provide similar services.

Law enforcement’s need for better online surveillance has grown as more people use social media, chat services and Internet telephony for communications. Criminals and terrorists utilize these services as much as law-abiding citizens.

Opponents of the pending legislation reported by The Post do not argue against the need for wiretapping in criminal investigations. However, there is currently no easy way to tap peer-to-peer communications without building a backdoor in the provider’s infrastructure.

Doing so would create a hole that could be exploited by criminals, making the whole system less secure, said Joseph Hall, senior staff technologist at the Center for Democracy and Technology, a Washington, D.C., non-profit focusing on issues of privacy and security.

“A wiretap is essentially a tailor-made vulnerability,” Hall said on Monday. “It provides turnkey access to any content flowing through your network and your software.”

While having such backdoors would help U.S. law enforcement, it would also provide a new vector for state-sponsored hackers searching for communications between dissidents, opponents say.

Intercepting VoIP calls or text could also provide information that could be used in spear-phishing attacks to steal intellectual property from companies or classified documents from government agencies.

“We may in the process actually help extremely sophisticated kinds of attackers, such as nation-states,” Hall said.


While wiretapping in general is an important investigatory tool, federal law enforcement has not shown that the information it currently gets from online communications is inadequate or does not arrive quickly enough, Hall said.

“Before we take a drastic step that basically involves anyone making any type of communications technology build in these backdoors, there’s got to be a discussion to figure out if there’s better ways to do this kind of stuff,” he said.

Nevertheless, the FBI argues that without access to communications as they occur, critical evidence can be missed. Andrew Weissmann, general counsel of the FBI, addressed the issue last month during an American Bar Association discussion in which he described the gap in following online activities as “going dark.”

“The importance to us is pretty clear,” Weissmann said. “What we don’t have is the ability to go to court and say, ‘We need a court order that actually requires the recipient of that order to effectuate the intercept.’”

Weissmann argued that other countries provide law enforcement with the legal tools to tap into online communications and that most non-lawyers would expect the same in this country, when police meet the high standards set for obtaining a court wiretapping order.