FBI Complains About Wiretapping Difficulties Due To Web Services

c0lo writes with news that the Federal Bureau of Investigation is lamenting the difficulty in executing wiretaps because of "web-based e-mail, social-networking and peer-to-peer services." "President Barack Obama's administration is debating ways to deal with Web-based services not covered by traditional wiretap laws, including incentives for companies to build in surveillance capabilities, said Valerie Caproni, general counsel at the FBI. Many Internet services are not covered by the Communications Assistance for Law Enforcement Act (CALEA), which requires traditional telecom carriers to allow law enforcement agencies real-time access to communications after a court has issued a wiretap order, she told members of a subcommittee of the US House of Representatives Judiciary Committee. But Caproni told lawmakers she was not asking for expanded CALEA powers. And she stopped short of calling for rules requiring Web-based communication providers to build in so-called back doors allowing law enforcement access to their software, although she said she's optimistic the US government can find incentives for companies to 'have intercept solutions engineered into their systems.'"

What about encrypted communications?

[BitterOak]

Would peer to peer services which offer end to end encryption like Skype be required to re-engineer their software to allow government wiretaps? This could be the end of personal use encryption as we know it.

A few reasons

[sjames]

I can think of about 84,000 good reasons we don't want to make pushbutton law enforcement any easier than it already is.

Watching people is supposed to be resource intensive, that's what makes sure they only do it when it's absolutely necessary.

Here's an idea, I will build in a police API to tap the web messages BUT it will automatically CC all requests to the EFF, ACLU, and Wikileaks. By using the API they agree to the CC up front.

I'm guessing it will be the world's least used police back door.

Re:Police work is not SUPPOSED to be easy

[Anonymous Coward]

Remember, folks. This is now OBAMA'S FBI. Where are all the cries of, "Fascist!" and "ZOMG Nazi!" now?

Gitmo still open? Check!

US Gov't still conducting warrantless wiretaps on citizens? Check!

US Gov't still in bed with mega corporations? Double check!

Still bogged down in 2 sandy 3rd world shitholes populated by diaperheads that hate us? Check!

yea no...

[Charliemopps]

My companies solution to this was to ship the entire email nightmare over to Google, let them deal with it. In fact, if law enforcement were to REQUIRE we do something anyway I'd think we'd just drop email all together. It's not profitable, we can't charge for it, it's nothing but a headache. So basically law enforcement would just be force ALL email off shore.

Re:The Backdoor Exists Already.

[SanityInAnarchy]

I agree the vulnerabilities you mentioned are correct, but I really don't think "security theater" is appropriate here.

First, SSL as a technology works just fine. It's entirely possible to create a restricted set of CAs and certificates and have a system at least as secure as, say, SSH. I know I do something similar with OpenVPN connections, which use OpenSSL certificates. Not every use of SSL is the mess that the typical HTTPS in your browser is.

Second, it reduces the number of individuals who can successfully MITM you massively. For a live demonstration of this, walk into any coffee shop and fire up FireSheep, and look at how many people are vulnerable. Flip on SSL and, far from security theater, they are at least safe from you.

By contrast, what Schneier was talking about was specifically the act of guarding against the sort of threat you'd see as a movie plot, which is a real threat, but is so unlikely and specific that defending against it simply isn't worth it -- often, it's not just a matter of money and resources, it actually buys you no additional security, whereas SSL does provide some security.

Let me put it this way: Forcing you to remove your shoes and surrender any significant amounts of liquid is security theater, because it's defending against specific threats which we've already seen -- I suppose the next bomb will be in someone's hat instead, or made of solid pastes instead of liquid. By contrast, a bulletproof vest is not security theater just because it doesn't defend against a headshot -- even ignoring that helmets exist for that purpose, if it really seems likely you'll get in a firefight of some sort, it's still going to be a lot harder for someone to take you out of the fight, and certainly harder for them to do anything fatal.

I do share your concern for SSL, though. If I may abuse the above analogy, it's become apparent that we need helmets, and maybe better armor.

Re:The Irony Gets Thicker

[Aryden]

and just who do you say we vote in? the next guy that will do the same thing, but said he wouldn't during the election? Get real. The problem lies in the system of electing people who WANT to be in those positions rather than people who are actually qualified to be in them. I do not give 2 shits if a politician has experience in foreign policy if that self same politician is making, executing or ruling on IP Law. I want people that actually understand what IP law is and the technologies involved doing that.