How the FBI Wants to Penalize Internet Companies for Providing “Too Much” Security

Remember my recent post titled: Former FBI Agent: All Phone Conversations are Recorded and Stored? Well, now they want to ensure that doing the same on the internet is as easy as possible. The latest proposal by the FBI, which would require companies to provide a backdoor for the feds to spy on American citizens on the internet, has been covered extensively in the mainstream media over the past couple of weeks, first in the Washington Post and then later in the New York Times. It centers around this push to make communications on the internet “wiretap capable” and would impose fines of $25,000 per day for companies that do not comply with Big Brother. Julian Sanchez of Wired has written an excellent article explaining how this proposal would not only crush privacy rights of law-abiding citizens, but would also help cyber criminals, enable totalitarian governments, make the internet less secure and stifle the remnants of innovation that remain in the economy. Oh, and unsurprisingly, Obama backs the proposal. My favorite excerpts:

The FBI has some strange ideas about how to “update” federal surveillance laws: They’re calling for legislation to penalize online services that provide users with too much security.

I’m not kidding. The proposal was revealed in The Washington Post last week — and a couple days ago, a front-page story in The New York Times reported the Obama administration is preparing to back it.

While it’s not yet clear how dire the going-dark scenario really is, the statutory “cure” proposed by the FBI — with fines starting at $25,000 a day for companies that aren’t wiretap capable — would surely be worse than the disease.

The FBI’s misguided proposal would impose costly burdens on thousands of companies (and threaten to entirely kill those whose business model centers on providing highly secure encrypted communications), while making cloud solutions less attractive to businesses and users. It would aid totalitarian governments eager to spy on their citizens while distorting business decisions about software design. Perhaps worst of all, it would treat millions of law-abiding users with legitimate security needs as presumed criminals — while doing little to hamper actual criminals.

But if the FBI gets its way, companies won’t be able to adopt that “end to end” encryption model, or offer their users the security it provides. A wiretap interface is essentially an intentional security vulnerability, as network engineer Susan Landau points out — which means requiring companies to be wiretap-capable is also mandating them to design less secure services.

That comes with a potentially large economic downside — and not just to cloud companies: If cloud providers can’t promise iron-clad confidentiality, corporations may well keep operating their own outdated systems, even though shifting to a secure cloud solution would be more efficient and less expensive.

Typically, the FBI is claiming that they just want internet platforms to be subject to the same requirements as phone networks (which are familiarly accessible to them under CALEA).

But as a group of renowned computer scientists point out in an important new paper, “Going Bright: Wiretapping without Weakening Communications Infrastructure,” this misleading analogy ignores key differences between the architectures of these networks.

For one, online platforms are altered and updated far more frequently than phone networks — and there are a hell of a lot more online services than there are phone carriers. That means an interception mandate imposes a greater burden on a larger number of much smaller firms.

But if slowing innovation and weakening security is the price of catching terrorists and child pornographers, isn’t it a price worth paying?

Not if it doesn’t work.

Once it’s clear that online companies can’t promise true security, the most sophisticated and dangerous criminals will simply implement their own client-side encryption.  DIY encryption may be too difficult or inconvenient for ordinary users, who benefit from services that take the hassle out of security — but the criminals the FBI is most interested in will doubtless find it worth the extra trouble.

Instead of being decided by what’s best for the vast majority of users, communications architectures would be determined by what makes things easiest for law enforcement – essentially trading off the costs of the rare and tiny fraction of users who might be criminals with the benefits of the many.

That’s utterly at odds with the spirit of permissionless innovation that has made the internet such a spectacular engine of economic and cultural growth.

Move along, nothing to see here.

Full article here.

In Liberty,
Mike


2 thoughts on “How the FBI Wants to Penalize Internet Companies for Providing “Too Much” Security”

  1. One silver lining is that we know with fair confidence that the FBI doesn’t have the technical capability to crack the encryption easily–otherwise this conversation in Congress would be moot. Doesn’t mean they can’t, though. It just may be an expensive and cross-agency endeavor.

    A few things you can use to stymie wiretapping:

    Off-the-record (OTR) chat (e.g. encrypting Google Talk)
    https://en.wikipedia.org/wiki/Off-the-Record_Messaging

    PGP Encryption of email (link for Thunderbird plugin and GPG)
    http://www.enigmail.net/home/index.php
    http://www.gnupg.org/

    Some things that make it harder to wiretap in-flight data, but not at the end points would be:

    HTTPS Everywhere
    https://www.eff.org/https-everywhere

    TOR Network
    https://www.torproject.org/
    https://guardianproject.info/

    Even if you happen to trust the crap out of the U.S. government, there’s still hundreds of other countries to worry about, too.

    Also, don’t trust the crap out of the U.S. government.

  2. Just a bunch of complete and total morons in gov. The only thing they are accomplishing with this drivel is driving existing USA based companies to move outside the USA and new ones from NOT STARTING a new business IN the USA.

    The end result is always the opposite of what gov. wants to accomplish. Stupidity in action. USA USA USA!
