FBI Complains About Wiretapping Difficulties Due To Web Services 228
c0lo writes with news that the Federal Bureau of Investigation is lamenting the difficulty in executing wiretaps because of "web-based e-mail, social-networking and peer-to-peer services."
"President Barack Obama's administration is debating ways to deal with Web-based services not covered by traditional wiretap laws, including incentives for companies to build in surveillance capabilities, said Valerie Caproni, general counsel at the FBI. Many Internet services are not covered by the Communications Assistance for Law Enforcement Act (CALEA), which requires traditional telecom carriers to allow law enforcement agencies real-time access to communications after a court has issued a wiretap order, she told members of a subcommittee of the US House of Representatives Judiciary Committee. But Caproni told lawmakers she was not asking for expanded CALEA powers. And she stopped short of calling for rules requiring Web-based communication providers to build in so-called back doors allowing law enforcement access to their software, although she said she's optimistic the US government can find incentives for companies to 'have intercept solutions engineered into their systems.'"
What about encrypted communications? (Score:4, Interesting)
A few reasons (Score:5, Interesting)
I can think of about 84,000 good reasons we don't want to make pushbutton law enforcement any easier than it already is.
Watching people is supposed to be resource intensive, that's what makes sure they only do it when it's absolutely necessary.
Here's an idea, I will build in a police API to tap the web messages BUT it will automatically CC all requests to the EFF, ACLU, and Wikileaks. By using the API they agree to the CC up front.
I'm guessing it will be the world's least used police back door.
Re:Police work is not SUPPOSED to be easy (Score:1, Interesting)
Remember, folks. This is now OBAMA'S FBI. Where are all the cries of, "Fascist!" and "ZOMG Nazi!" now?
Gitmo still open? Check!
US Gov't still conducting warrantless wiretaps on citizens? Check!
US Gov't still in bed with mega corporations? Double check!
Still bogged down in 2 sandy 3rd world shitholes populated by diaperheads that hate us? Check!
yea no... (Score:4, Interesting)
Re:The Backdoor Exists Already. (Score:5, Interesting)
I agree the vulnerabilities you mentioned are correct, but I really don't think "security theater" is appropriate here.
First, SSL as a technology works just fine. It's entirely possible to create a restricted set of CAs and certificates and have a system at least as secure as, say, SSH. I know I do something similar with OpenVPN connections, which use OpenSSL certificates. Not every use of SSL is the mess that the typical HTTPS in your browser is.
Second, it reduces the number of individuals who can successfully MITM you massively. For a live demonstration of this, walk into any coffee shop and fire up FireSheep, and look at how many people are vulnerable. Flip on SSL and, far from security theater, they are at least safe from you.
By contrast, what Schneier was talking about was specifically the act of guarding against the sort of threat you'd see as a movie plot, which is a real threat, but is so unlikely and specific that defending against it simply isn't worth it -- often, it's not just a matter of money and resources, it actually buys you no additional security, whereas SSL does provide some security.
Let me put it this way: Forcing you to remove your shoes and surrender any significant amounts of liquid is security theater, because it's defending against specific threats which we've already seen -- I suppose the next bomb will be in someone's hat instead, or made of solid pastes instead of liquid. By contrast, a bulletproof vest is not security theater just because it doesn't defend against a headshot -- even ignoring that helmets exist for that purpose, if it really seems likely you'll get in a firefight of some sort, it's still going to be a lot harder for someone to take you out of the fight, and certainly harder for them to do anything fatal.
I do share your concern for SSL, though. If I may abuse the above analogy, it's become apparent that we need helmets, and maybe better armor.
Re:The Irony Gets Thicker (Score:3, Interesting)