March 15, 2004
A Race the FBI Can't Win: The Increasingly Asymmetric Costs of Wiretap Surveillance vs. Wiretap Avoidance
LawMeme briefly summarizes and collects a number of articles on several law enforcement agencies' (FBI, DOJ and DEA) recent petition to the FCC to expand government wiretap capability (FBI seek to expand the system-formerly-known-as-Carnivore).
C|Net News reports that the petition "aims to give police ready access to any form of Internet-based communications" (FBI adds to wiretap wish list):
Legal experts said the 85-page filing includes language that could be interpreted as forcing companies to build back doors into everything from instant messaging and voice over Internet Protocol (VoIP) programs to Microsoft's Xbox Live game service. The introduction of new services that did not support a back door for police would be outlawed, and companies would be given 15 months to make sure that existing services comply.
That's just wonderful. And I suppose only the US government will have access to these backdoors?
The Washington Post (reg. req.) talks to one of the leading experts on wiretapping, CDT's James X. Dempsey (Easier Internet Wiretaps Sought):
But privacy and technology experts said the proposal is overly broad and raises serious privacy and business concerns. James X. Dempsey, executive director of the Center for Democracy & Technology, a public interest group, said the FBI is attempting to dictate how the Internet should be engineered to permit whatever level of surveillance law enforcement deems necessary.
"The breadth of what they are asking for is a little breathtaking," Dempsey said. "The question is, how deeply should the government be able to control the design of the Internet? . . . If you want to bring the economy to a halt, put the FBI in charge of deploying new Internet and communications services."
Dempsey is right. The amount of intervention in technology development necessary for the FBI and DOJ to accomplish what they want with regard to wiretapping is enormous. The costs will be both direct (money out of consumer's pockets) and indirect (loss of innovation). However, that is only half the picture. Unfortunately for the FBI, the costs to defeat the wiretapping are relatively small and will continue to decrease. We have here an asymmetric situation that will only grow more asymmetric as time goes on.
The problem is with the underlying architecture of the internet. Advances in technology along with the end-to-end/layers principle mean that it will always be cheaper to add encryption to the edges of the network than to increase the amount of surveillance at the center of the network. How much does it cost to write an encrypted VoIP app? Not much. How much does it cost to build the surveillance mechanism and conduct the surveillance across all possible ISPs? A heck of a lot more.
Ok. Now that the first encrypted VoIP app is compromised ... how much will it cost to build another encrypted layer on top of the first one? How much will it cost to conduct surveillance on this new layer? Hmmmm, if this progression continues, as we add additional layers of encryption and surveillance, the costs will increasingly diverge. Not a game you can win ultimately. In fact, it doesn't make much sense to even start. The FBI should be happy with what they've got.
Nor should we forget how darn cheap computing is getting. I wish my first computer had the power of a Treo 600. How hard is it to write voice encryption software for Treos and all the follow-on smart phones? How hard will be to add additional layers to the communications stack especially given all the various options for communication being made available through ubiquitous grid-network wireless?
If I were the FBI, I wouldn't waste my time on a battle I ultimately couldn't win and instead would concentrate my efforts on the place where I could still achieve my goals - the ends. You want to know what someone is up to online? I would recommend, for example, key loggers, "real" spyware, and social engineering. It ain't gonna be easy, but you have a chance of winning in the long term. The sooner you quit a race you can't win, the faster you can enter a race where you have a chance.
Bonus FBI Inanity: Sunday, March 14th was the 54th birthday of the FBI's "Top Ten Most Wanted Fugitive List." What better way to celebrate than with a humorous quiz? For example,
5. What Bible-carrying female impersonator was captured in 1964 while working as "Bobo the Clown" with a traveling carnival?
ANSWER: Leslie Douglas Ashley. And for extra credit, Isaie Aldy Beausoleil [apparently another man] was arrested in 1953 dressed as a woman...acting v-e-r-y suspiciously in a Chicago ladies' restroom.
7. Who was arrested in Japan, extradited to the U.S., and in Honolulu presented FBI Agents--in all seriousness--with [sic] a Monopoly "Get Out of Jail Free" card?
ANSWER: James Robert Ringrose, arrested in 1967.
And this one is really a laugh riot, har-d-har-har:
4. What Top Ten terrorist who was apprehended in 1995 said at his trial in New York City, "I am a terrorist, and I am proud of it"?
ANSWER: Ramzi Ahmed Yousef, who masterminded the 1993 World Trade Center bombing in New York and planned the bombing of an American airplane in the Far East, an act that was prevented. Judge Kevin Thomas Duffy of Manhattan's Federal District Court called him "an apostle of evil [who] wanted to kill for the thrill of killing human beings."
Bonus FBI Inanity 2: A Strengthened Partnership to Protect Children: Name that Sexual Predator! - That's the real name for the page - no foolin'. Frankly, I am somewhat disturbed when law enforcement agencies turn child abuse into a game.
Brother Dana has some observations here: Following The Chinese Way
Posted by Ernest at 7:48 AM
Comments and Trackbacks (http://www.corante.com/cgi-bin/mt/mt-tb.cgi/1644)
Crytpo Wars Starting New Round
For a good roundup of the current state of play on crypto tech & politics, see The Importance of…: A Race the FBI Can’t Win: The Increasingly Asymmetric Costs of Wiretap Surveillance vs. Wiretap Avoidance. I’d write more on this &...
Read the rest...
I'd like to believe that you're right, but I'm not so sure. Let's look at VoIP and think about how the FBI might crack down, requiring a government back door (activated only under court order, of course).
Any commercial solution is going to have to comply. And contrary to what you say, it is not necessarily easy or even possible to add an encryption layer on top of an existing, closed source commercial app. The VoIP client is going to be a black box that you can't just bolt layers onto.
So let's look at noncommercial software, open source. So far no one has come up with an open source VoIP application. See http://www.speak-freely.org/ for some of the technical difficulties involved. And even if these are overcome, it is likely that there will be centralized elements, for phone number lookup and to deal with technical problems of firewalls.
So while it may be possible eventually to create a decentralized, open source VoIP system that sort of works, it's not going to be turnkey, easy to use and ready to be adopted on a wide scale by Americans. Remember, in this scenario the program is illegal! Businesses won't use it. Most people will be perfectly happy with the legal stuff, because they aren't terrorists or criminals. Nobody refuses to use the telephone today on the grounds that it might be tapped, and the same will be true with the FBI-approved VoIP apps of the future.
A few hardcore cypherpunks and criminals will use the illegal VoIP, just like with PGP and similar encryption programs today. But it won't be widespread and universal; it will be incompatible with the legal programs, and probably won't interface with the physical telephone network.
Now, I hope that we can stop the FBI from mandating that VoIP include government trapdoors in its encryption. As you say, there are high costs, especially considering all the new communication applications which haven't even been invented yet. But I'm afraid you're fooling yourself if you think that there are technical reasons why the FBI could not successfullly regulate this technology.
I'm not so sure that the future for VoIP is going to be a closed source commercial app that one cannot bolt new layers on. I think we are moving to a world of open standards for VoIP, which will allow people to bolt on all sorts of interesting layers. After all, who is going to want a VoIP service that restricts people from doing neat and interesting things (other than the FBI)? That is one of the benefits of switching to VoIP.
In any case, virtually any near-real-time communications system will be able to VoIP, such as IM and videogames, for example. If I want to talk to my Al-Queda buddies, couldn't I just launch some first-person shoot 'em up and get a nice chat going on while we kill virtual representations of aliens? Are all of these applications going to be closed standards? This is a major undertaking.
In any case, the FBI is not only worried about VoIP, that is only one small aspect. They want general wiretap power for any bits coming out of your computer. And let us not forget all the strides being made in anonymity with regard to filesharing and private networks (thanks, RIAA).
The point isn't that the FBI can't regulate this technology or that there are technical reasons it is bound to fail. The point is that the costs to make it succeed will be disproportionate to the possible benefit.
The arguments for back-doors are virtually identical to those made for cryptography export rules (which I unfortunately know way too much about – dealing with those rules cost one of my previous companies about 20% of their total work load). My experience with these rules echo the problems mentioned above: they are costly, they inhibit innovation, and they don't really work.
I can also tell you exactly the arguments that the FBI uses to advance these rules. It goes something like this: Criminals (and terrorists) are not perfect. They may generally use encryption and other good hiding techniques – but once in a while they slip up. We needs systems in place to exploit these mistakes.
So basically they are asking congress to ignore all the civil liberties issues, the cost to industry, and the reduced innovation all on the chance that they can take advantage of the occasional mistake! The worst part is that this argument has gotten them just what they wanted many times in the past.