Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet

Northwestern Journal of Technology and Intellectual Property(2014)

Citations: 91 | Views: 35
Abstract
I. INTRODUCTION

¶1 For several years, the FBI has warned that newer communications technologies have hindered its ability to conduct electronic surveillance.[6] Valerie Caproni, General Counsel of the FBI, said in Congressional testimony:

Methods of accessing communications networks have similarly grown in variety and complexity. Recent innovations in hand-held devices have changed the ways in which consumers access networks and network-based services. One result of this change is a transformation of communications services from a straightforward relationship between a customer and a single CALEA-covered provider (e.g. customer to telephone company) to a complex environment in which a customer may use several access methods to maintain simultaneous interactions with multiple providers, some of whom may be based overseas or are otherwise outside the scope of CALEA.

As a result, although the government may obtain a court order authorizing the collection of certain communications, it often serves that order on a provider who does not have an obligation under CALEA to be prepared to execute it.[7]

¶2 The FBI's solution is "legislation that will assure that when we get the appropriate court order . . . companies . . . served . . . have the capability and the capacity to respond."[8]

¶3 While on the one hand this request is predictable given past precedent, it is rather remarkable given current national cybersecurity concerns and in light of stark evidence of the significant harm caused by CALEA. The request to expand CALEA to IP-based communications places the needs of the Electronic Surveillance Unit above all else, including the security risks that arise when building wiretapping capabilities into communications infrastructure and applications, other government agencies who face increased risk from hackers and nation states who may exploit this new vulnerability, and the national need for innovation which drives economic prosperity. Rather than examine the issue in terms of social good - which the FBI already does each time it prioritizes certain types of investigations (terrorism cases, drug cases, etc.) or decides whether to conduct a particular investigation - the FBI has thrown down a gauntlet that ignores long-term national interest.

¶4 The FBI's preferred solution - "requiring that social-networking Web sites and providers of VoIP, instant messaging, and Web e-mail alter their code to ensure their products are wiretap-friendly"[9] - will create security risks in our already-fragile Internet infrastructure, leaving the nation more vulnerable to espionage and our critical infrastructure more open to attack, and hinder innovation.[10] Securing communications infrastructure is a national priority. By weakening communications infrastructure and applications, the FBI's proposal would mostly give aid to the enemy. Surely that is neither what the FBI intends nor what sound national priorities dictate.

¶5 The problem is created by technology. Over the course of the last three decades, we have moved from a circuit-switched centralized communications network - the Public Switched Telephone Network (PSTN) - run by a monopoly provider, to a circuit-switched centralized communications network run by multiple providers, to an Internet-Protocol (IP) based decentralized network run by thousands of providers. The first change, from the monopoly provider to multiple providers, gave rise to the need for the Communications Assistance for Law Enforcement Act (CALEA). This simplified law enforcement's efforts to manage wiretaps with multiple, though relatively few, providers. However, in certain situations, such as when peer-to-peer communications or communications encrypted end-to-end are used, legally authorized wiretaps may be impeded. Even if law enforcement does not currently have a serious problem in conducting authorized wiretaps, with time it will. Thus, there is a serious question of what is to be done. …
Keywords
hacking, communications law, cyber security, vulnerabilities, evidence