Security News > 2004 > August > Big Brother's Last Mile
http://www.securityfocus.com/columnists/261 By Mark Rasch Aug 16 2004 On August 9th, 2004, the U.S. Federal Communications Commission (FCC) took a major step toward mandating the creation and implementation of new Internet Protocol standards to make all Internet communications less safe and less secure. What is even worse, the FCC's ruling will force ISP's and others to pay what may amount to billions of dollars to ensure that IP traffic remains insecure. The FCC ruling comes pursuant to a request by U.S. law enforcement agencies to extend the reach of a decade old federal statute, the Communications Assistance for Law Enforcement Act, or CALEA, to broadband Internet service providers including cable companies, DSL providers, satellite providers and even electric companies that provide inline Internet access. The ruling, if it becomes final, may require such ISPs to create and deploy new and expensive technologies that would ensure that communications carried over broadband were deliberately insecure and capable of being intercepted, retransmitted, read, and understood by law enforcement. Of course, whatever law enforcement can do, hackers will be able to do easier and faster. What this means is that IP protocols may have to be adjusted, and the future of encryption may also be in doubt. A Brief History of Taps To understand CALEA, you need a bit of history. From the dawn of Alexander Graham Bell to 1968, there were few if any specific rules on the legal requirements for listening in on electronic communications. The U.S. Supreme Court had tried to apply the precepts of the Fourth Amendment's protections of the privacy of "persons, places, houses and effects" to a voice traveling over a wire, finally concluding in 1963 that the amendment protects people's privacy rights, not simply their physical location. In response, Congress passed the Omnibus Crime Control and Safe Streets Act of 1968, Title III of which established the rules for intercepting telephone calls. Concerned that the FBI lacked the technical ability to install and monitor wiretaps, Congress in 1970 mandated that the cops could ask for, and a court could order, the phone company to give the police "information, facilities, and technical assistance necessary to accomplish the interception unobtrusively and with a minimum of interference with the [the company's] services." It also provided that the communications company "be compensated . . . by the applicant for reasonable expenses incurred in providing such facilities or assistance." In other words, a court could order an ISP to cooperate, conditioned on the cops agreeing to pay for the help. Effectively, this is no different than requiring a landlord, when presented with both a court authorized search warrant and an order requiring cooperation, and an order requiring the cops to pay up, to show the police where the target's apartment is, and maybe show them how to pick the lock. In 1994, however, at the request of law enforcement, Congress broadly expanded the law. No longer was the phone company merely required to provide technical assistance to help execute an already issued wiretap order -- now all covered telecommunications providers had to spend billions of rate-payer's dollars to design their systems in such a way as to be susceptible to the possibility of later court ordered surveillance. This is the equivalent of requiring that the landlord design the building without doors or locks (or with very weak ones), just in case the cops later want to search anyone in the building. As the Department of Justice described it, "CALEA for the first time required telecommunications carriers to modify the design of their equipment, facilities, and services to ensure that lawfully-authorized electronic surveillance could actually be performed." But CALEA never applied to ISPs, per se. In fact, section 102 of CALEA states that it "does not [apply to] persons or entities insofar as they are engaged in providing information services" although it does apply to "person[s] or entit[ies] engaged in providing wire or electronic communication switching or transmission service to the extent that the Commission finds that such service is a replacement for a substantial portion of the local telephone exchange service and that it is in the public interest to deem such a person or entity to be a telecommunications carrier." In other words, if you are replacing the local telephone exchange service, and the FCC concludes it is in the public interest, you might be covered by CALEA. On August 9th, the FCC tentatively concluded that broadband providers were exactly that. Push Me, Pull You The FCC concluded that "facilities-based providers of any type of broadband Internet access service. . . are subject to CALEA because they provide a replacement for a substantial portion of the local telephone exchange service." They arrived at this conclusion, it turns out, by completely misreading recent technology history The FCC wrote that, at the time CALEA was enacted, Internet services were generally provided on a dial-up basis by two separate entities providing two different capabilities -- a local exchange telephone company carrying the calls between an end user and her chosen Internet Service Provider, and the ISP providing e-mail, content, Web hosting and other Internet services. ISPs were exempt from CALEA. But because the local phone company was subject both to FCC jurisdiction and to CALEA, dial-up access was implicitly covered as well: to accomplish its purposes of intercepting communications pursuant to a court order, the FBI only had to capture the communication at the POTS (Plain Old Telephone Service) line, and the problem was solved. The FCC's reasoning is that because broadband replaces dial-up access to the Internet, and dial-up was subject to CALEA, broadband must ipso facto be subject to CALEA. However, while most individual users in 1994 connected to the Internet via dial-up, the Internet was already built principally on broadband communications. In fact, from its inception until 1991, very little of the overall bandwidth of the Internet consisted of an individual user dialing into a node for access. Most users were government, industry, military or educational users sitting at terminals with relatively fast (for 70's and 80's technology) non-dial-up connections. Broadband isn't some newfangled replacement for dial-up: it's the backbone and spine of the Internet, and has been for decades. A Brave New Internet The FBI, in requesting this authority defined "broadband access service" as "the process and service used to gain access or connect to the public Internet using a connection based on packet-mode technology that offers high bandwidth" but "does not include any 'information services' available to a user after he or she has been connected to the Internet, such as the content found on Internet Service Providers' or other websites." Essentially, the FCC concluded that CALEA can't force website operators to design their systems to reveal the IP addresses or identity of people who visit the site, but could force ISPs not only to reveal the identical information, but also to design the system to enable law enforcement to reveal the information. It is important to note that this expansion of CALEA was not needed to compel the ISPs to comply with a lawful subpoena. ISP's and everyone else must already comply under existing law. But a subpoena can only compel a recipient to turn over documents or records that exist. The FCC's ruling goes well beyond the extensive subpoena authority of the grand jury and the Foreign Intelligence Surveillance Court, and even the USA-PATRIOT Act. By making ISPs the electronic equivalent of the phone company, and therefore subject to CALEA, the FCC opens the door to mandating that all future TCP/IP technologies -- possibly even encrypted ones -- be designed at the outset to be tapable. After all, it would do the cops no good to receive a mass of encrypted packets. What's worse, all of this would be done on your dime. As Commissioner Abernathy pointed out in a statement, "upgrading networks to comply with a new packet-mode standard for surveillance will be a costly endeavor, and there are many unanswered questions about how these costs should be recovered." The FBI had an answer when ISPs and phone companies complained about the cost. The Bureau suggested that the cost be defrayed by increasing the rates you and I pay. So much for the government's E-rate program to make broadband more affordable. I am all for letting the cops tap phones, and even IMs, chat sessions, e-mail and websites with appropriate court orders. What I don't like is making us reinvent the Internet just for these purposes. The FCC action is a large step towards requiring this. SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc. _________________________________________ Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/