[ISN] Big Brother's Last Mile

[InfoSec News]

http://www.securityfocus.com/columnists/261

By Mark Rasch 
Aug 16 2004 

On August 9th, 2004, the U.S. Federal Communications Commission (FCC)  
took a major step toward mandating the creation and implementation of
new Internet Protocol standards to make all Internet communications
less safe and less secure. What is even worse, the FCC's ruling will
force ISP's and others to pay what may amount to billions of dollars
to ensure that IP traffic remains insecure.

The FCC ruling comes pursuant to a request by U.S. law enforcement
agencies to extend the reach of a decade old federal statute, the
Communications Assistance for Law Enforcement Act, or CALEA, to
broadband Internet service providers including cable companies, DSL
providers, satellite providers and even electric companies that
provide inline Internet access. The ruling, if it becomes final, may
require such ISPs to create and deploy new and expensive technologies
that would ensure that communications carried over broadband were
deliberately insecure and capable of being intercepted, retransmitted,
read, and understood by law enforcement. Of course, whatever law
enforcement can do, hackers will be able to do easier and faster. What
this means is that IP protocols may have to be adjusted, and the
future of encryption may also be in doubt.


A Brief History of Taps

To understand CALEA, you need a bit of history. From the dawn of
Alexander Graham Bell to 1968, there were few if any specific rules on
the legal requirements for listening in on electronic communications.  
The U.S. Supreme Court had tried to apply the precepts of the Fourth
Amendment's protections of the privacy of "persons, places, houses and
effects" to a voice traveling over a wire, finally concluding in 1963
that the amendment protects people's privacy rights, not simply their
physical location. In response, Congress passed the Omnibus Crime
Control and Safe Streets Act of 1968, Title III of which established
the rules for intercepting telephone calls.

Concerned that the FBI lacked the technical ability to install and
monitor wiretaps, Congress in 1970 mandated that the cops could ask
for, and a court could order, the phone company to give the police
"information, facilities, and technical assistance necessary to
accomplish the interception unobtrusively and with a minimum of
interference with the [the company's] services." It also provided that
the communications company "be compensated . . . by the applicant for
reasonable expenses incurred in providing such facilities or
assistance." In other words, a court could order an ISP to cooperate,
conditioned on the cops agreeing to pay for the help. Effectively,
this is no different than requiring a landlord, when presented with
both a court authorized search warrant and an order requiring
cooperation, and an order requiring the cops to pay up, to show the
police where the target's apartment is, and maybe show them how to
pick the lock.

In 1994, however, at the request of law enforcement, Congress broadly
expanded the law. No longer was the phone company merely required to
provide technical assistance to help execute an already issued wiretap
order -- now all covered telecommunications providers had to spend
billions of rate-payer's dollars to design their systems in such a way
as to be susceptible to the possibility of later court ordered
surveillance. This is the equivalent of requiring that the landlord
design the building without doors or locks (or with very weak ones),
just in case the cops later want to search anyone in the building. As
the Department of Justice described it, "CALEA for the first time
required telecommunications carriers to modify the design of their
equipment, facilities, and services to ensure that lawfully-authorized
electronic surveillance could actually be performed."

But CALEA never applied to ISPs, per se. In fact, section 102 of CALEA
states that it "does not [apply to] persons or entities insofar as
they are engaged in providing information services" although it does
apply to "person[s] or entit[ies] engaged in providing wire or
electronic communication switching or transmission service to the
extent that the Commission finds that such service is a replacement
for a substantial portion of the local telephone exchange service and
that it is in the public interest to deem such a person or entity to
be a telecommunications carrier."

In other words, if you are replacing the local telephone exchange
service, and the FCC concludes it is in the public interest, you might
be covered by CALEA. On August 9th, the FCC tentatively concluded that
broadband providers were exactly that.


Push Me, Pull You

The FCC concluded that "facilities-based providers of any type of
broadband Internet access service. . . are subject to CALEA because
they provide a replacement for a substantial portion of the local
telephone exchange service."

They arrived at this conclusion, it turns out, by completely
misreading recent technology history The FCC wrote that, at the time
CALEA was enacted, Internet services were generally provided on a
dial-up basis by two separate entities providing two different
capabilities -- a local exchange telephone company carrying the calls
between an end user and her chosen Internet Service Provider, and the
ISP providing e-mail, content, Web hosting and other Internet
services.

ISPs were exempt from CALEA. But because the local phone company was
subject both to FCC jurisdiction and to CALEA, dial-up access was
implicitly covered as well: to accomplish its purposes of intercepting
communications pursuant to a court order, the FBI only had to capture
the communication at the POTS (Plain Old Telephone Service) line, and
the problem was solved.

The FCC's reasoning is that because broadband replaces dial-up access
to the Internet, and dial-up was subject to CALEA, broadband must ipso
facto be subject to CALEA.

However, while most individual users in 1994 connected to the Internet
via dial-up, the Internet was already built principally on broadband
communications. In fact, from its inception until 1991, very little of
the overall bandwidth of the Internet consisted of an individual user
dialing into a node for access. Most users were government, industry,
military or educational users sitting at terminals with relatively
fast (for 70's and 80's technology) non-dial-up connections. Broadband
isn't some newfangled replacement for dial-up: it's the backbone and
spine of the Internet, and has been for decades.


A Brave New Internet

The FBI, in requesting this authority defined "broadband access
service" as "the process and service used to gain access or connect to
the public Internet using a connection based on packet-mode technology
that offers high bandwidth" but "does not include any 'information
services' available to a user after he or she has been connected to
the Internet, such as the content found on Internet Service Providers'
or other websites."

Essentially, the FCC concluded that CALEA can't force website
operators to design their systems to reveal the IP addresses or
identity of people who visit the site, but could force ISPs not only
to reveal the identical information, but also to design the system to
enable law enforcement to reveal the information.

It is important to note that this expansion of CALEA was not needed to
compel the ISPs to comply with a lawful subpoena. ISP's and everyone
else must already comply under existing law. But a subpoena can only
compel a recipient to turn over documents or records that exist.

The FCC's ruling goes well beyond the extensive subpoena authority of
the grand jury and the Foreign Intelligence Surveillance Court, and
even the USA-PATRIOT Act. By making ISPs the electronic equivalent of
the phone company, and therefore subject to CALEA, the FCC opens the
door to mandating that all future TCP/IP technologies -- possibly even
encrypted ones -- be designed at the outset to be tapable. After all,
it would do the cops no good to receive a mass of encrypted packets.

What's worse, all of this would be done on your dime. As Commissioner
Abernathy pointed out in a statement, "upgrading networks to comply
with a new packet-mode standard for surveillance will be a costly
endeavor, and there are many unanswered questions about how these
costs should be recovered."

The FBI had an answer when ISPs and phone companies complained about
the cost. The Bureau suggested that the cost be defrayed by increasing
the rates you and I pay. So much for the government's E-rate program
to make broadband more affordable.

I am all for letting the cops tap phones, and even IMs, chat sessions,
e-mail and websites with appropriate court orders. What I don't like
is making us reinvent the Internet just for these purposes. The FCC
action is a large step towards requiring this.



SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the
Justice Department's computer crime unit, and now serves as Senior
Vice President and Chief Security Counsel at Solutionary Inc.