Government To Industry: Secure Your Systems, But Also Make Them Easy To Wiretap

You can’t blame tech companies if they feel a little confused about Washington’s security priorities this week.

For months, Congress and the Obama administration have been pushing for public-private cooperation to improve the state of cybersecurity. It’s not enough for companies that run critical infrastructure in telecommunications, finances and power to their individual defenses; the government also needs to make it easier for them to pool their knowledge and resources.

Congress just hasn’t been able to agree on how to do this in two weeks of trying. For the second year in a row, a “CISPA” (Cyber Intelligence Sharing and Protection Act) bill passed by the House has stalled out in the Senate over fears about privacy and accountability, backed up by veto threats from the White House.

Now comes news, courtesy of a front-page story in Monday’s Washington Post, that an administration task force is proposing a system of steep and escalating fines to push tech companies to open up encrypted online communications channels to wiretap requests:

“Under the draft proposal, a court could levy a series of escalating fines, starting at tens of thousands of dollars, on firms that fail to comply with wiretap orders [….] After 90 days, fines that remain unpaid would double daily.”

The story by my former colleague Ellen Nakashima goes on to note that while this proposal would be tech-agnostic, allowing companies to develop their own backdoors for the FBI and other law-enforcement agencies, it would also exempt smaller companies from these fines.

The piece notes the difficulty or impossibility in enabling real-time decryption in many of these situations, especially those involving peer-to-peer systems, but does not describe what will ensure that bad guys only stick to big-name communications systems. And that’s nowhere near the only head-scratching moment in this idea, which the White House has apparently not yet signed off on.

Consider this paragraph further down in the article:

“Former officials say the challenge for investigators was exacerbated in 2010, when Google began end-to-end encryption of its e-mail and text messages after its networks were hacked. Facebook followed suit. That made it more difficult for the FBI to intercept e-mail by serving a court order on the Internet service provider, whose pipes would carry the encrypted traffic.”

I’m not unsympathetic to the difficulties law enforcement can have here. But these companies–beyond Google and Facebook, you can add Microsoft and Twitter to the list–adopted full-time encryption, among other overdue security upgrades, for the sound reason that their users’ accounts kept getting compromised by man-in-the-middle eavesdropping.

If the cost of making it easy for the Feds to listen in on the communication of criminals is to open up everybody else’s chatter to Chinese hackers… yeah, good luck with that.

This tradeoff between increasing law-enforcement access to data and degrading the overall security of an Internet communications system should not be news to people.

We had about the same discussion in the early 1990s, when the Clinton Administration pushed a “key escrow” technology called the Clipper chip. Companies would have to include this in encrypted voice-calling hardware (with a similar “Capstone” chip going into data-encryption products) to allow police agencies to unlock those conversations “with appropriate legal authorization.”

Activists protested that this system–with a classified encryption algorithm free from peer review–would become a massive target for hacking attempts and, therefore, a government-mandated single point of failure.

Meanwhile, programmer Phil Zimmermann had set out to demonstrate the folly of banning certain computing capabilities by having his open-source Pretty Good Privacy encryption program shared online. It’s still out there, and the current task force’s proposal wouldn’t stop anybody from using it to encrypt their e-mail or make those messages easier to decrypt.

(The legal protections for stored e-mail and other online records remain shamefully weak, held back only by the higher standards a few companies have set for government access.)

The government investigated Zimmermann for several years before giving up in 1996. Zimmermann’s current project, an encryption app called Silent Circle, has apparently drawn some interest from government agencies.

And some of those agencies, including the State Department and the Pentagon, have also been subsidizing the development of surveillance-resistant networking tools for use by dissidents living under repressive regimes. But I’m sure the bad guys would never think to use those here.