FCC Asks For Comments On Internet Wiretapping

SECURITY GURU writes "Security Focus has posted a story about The Federal Communications Commission (FCC) launching a public comment period on its plan to compel Internet broadband and VoIP providers to open their networks up to easy surveillance by law enforcement agencies. The 1994 Communications Assistance for Law Enforcement Act (CALEA), a federal law that mandates surveillance backdoors in U.S. telephone networks, is what would allow the FBI to start listening in on Internet communications. The EFF, ACLU, and the Electronic Privacy Information Center all opposed the plan, and an ACLU letter-drive generated hundreds of mailings from citizens against what the group called 'the New Ashcroft Internet Snooping Request.' If you have a comment on why you don't want the governemnt reading your email please post it here. All comments are due by November 8th."

But the EFF *wants* to tap when it come to p2p

Interestingly enough, the EFF *wants* the government/music industry to tap how we use the internet when it comes to thier file sharing [eff.org] solution.

No reason for alarm

If you ever thought your unencrypted traffic was safe from snooping over the Internet, you get what you deserve. If you don't like the idea of a company divulging your secrets, don't use that company, or add another layer of encryption on top of it. PGPPhone over VoIP anyone?

Re:No reason for alarm

It's a slippery slope you see. Soon the assholes will want backdoors to encryption programs or they will ban them outright. Obviously only a terrorist wouldn't want the government to see their traffic.

This isn't tin foil hat material folks... This is really what's going to happen if we continue down the road we have been traveling. If we don't stop it at the polls this year it's not going to be easily turned around.

Governments (regardless of party affiliation) love to have power. If one party can get the public brainwashed into believing that the measures they are taking are both necessary and acceptable the other side isn't going to complain when they have just that much more control over the population...

VOTE IN NOVEMBER AND PUT AN END TO THIS HORSESHIT.

Re:No reason for alarm

Governments (regardless of party affiliation) love to have power.

Here's my current .sig: "Government big enough to supply everything you need is big enough to take everything you have ... The course of history shows that as a government grows, liberty decreases." -- Thomas Jefferson

Re:No reason for alarm

Hmm... Let's see here. Name, Address, Email, and Phone. Yeah okay, filled out. After all, when the German government required registration for gun owners in 1938, they didn't immediately turn around and seek those people out when they banned guns. Err wait.

I would highly advise you to *not* fill out this form with any legitimate info (which is probably required for the comment to be considered). In fact, I would falsly fill it out with the personal information of your state auditor, governor, or other public figure.

I'm not a conspiracy theorist, but it should bother *anyone* that they request all this ridiculous information for simply leaving a comment.

(Note: 1928 was the first gun registration, but it was "improved" in 1938 to include mandatory registration for any type of weapon)

Please don't start...

...with that tired argument, "If you're not doing anything wrong, you have nothing to worry about."
That is hardly the point.

Re:Please don't start...

I answer it two ways. The first way is my favorite, and most agree with it. The second is a fallback that doesn't work often, but it's still worth a shot.

1 - We all go to the bathroom. Everyone does. It's biological. Nothing wrong with it. At one point or another, we've all made embarrasing sounds in the bathroom. Again, nothing wrong. But who would welcome an intrusion in that private moment? I wouldn't. There are times where I am engaging in activities that aren't wrong, but I'd be really upset if someone was watching/listening in. The same goes for comunications of any kind. We all discuss things with people that we don't want others to know. Even if the person listening in is benevolent and has no interest in revealing our secrets (or honestly doesn't even care), we'd still rather have that unknown third party not know. For your wife, ask her if she'd have a problem with some government terrorist sniffer listening in on a conversation she had with her doctor about a yeast infection. The spook doesn't know her, doesn't care, and would likely rather not have been privy to the details - but I doubt that would comfort your wife. All she knows is that an intimate discussion with a medical professional has been monitored and possibly recorded in a massive databse, JUST IN CASE.

2 - Sounds a little tin-foil-hattish, but here goes. Let's assume that we can trust the government of today not to abuse the power. We can pretend that everyone in power has the genuine intention of using this technology/law to stop suicide bombers (not a safe assumption to make, but hey - for the sake of argument, why not). What assurance do we have that the government of a year/5 years/10 years from now are just as trustworthy? We don't know that, we can't know that. But the law/technology will still be there, but the honest people it was meant for may be gone and replaced with a government you cannot trust. These things happen, even in American history (see: McCarthy, Hoover). Even if we can trust the leaders of today, it won't be the leaders who actually use the laws/technology. It will be hundreds or maybe thousands of government employees -- and anyone who has ever had experience with a civil servant can tell you that not all of them can be trusted. Maybe someone tries to get a job as a 'line sniffer' just so that they can listen in to private calls and jack off later to them (not likely, but hey - sick people exist). I know I'd feel violated because if that happened. Or maybe one of them hears something like a call between someone (such as a respected member of a conservative community) and asubstance abuse councelor about their secret addiction? Well, lookie-lookie. All of a sudden, this line sniffer has blackmail info. Or a more likely scenario - a call to a shop-by-phone company. With that one call, a crooked sniffer would have your name, address and credit card number. What's to say that government employees aren't subject to the same temptations as the rest of us? All it will take is time before you get the right combination of a morally-loose sniffer and the big promise of enough cash.

Hope that helps!

Why not?

Hey, if Ashcroft wants to read all my spam before I can purge it, can I get an ammendment to the act to allow them to delete it for me?

WE ARE CITIZENS!

Why the hell are they asking people for arguments against it? It's obvious it's unnecessary. We have processes in place to allow for wiretaps. The processes might not be easy and that's a GOOD THING.

Get your fucking warrant, set up your equipment, and do your thing. If that takes too long and you miss your chance to get what you need, tough fucking shit. I have no sympathy for you.

Just because we were attacked (and have threats of more) recently does NOT mean that we should treat every god damn citizen like a criminal. Why can we not learn from the past? McCarthyism/Cold War??? Come on, wake up, do NOT stand for this bullshit.

We are citizens and we have rights as such. Why the hell are we allowing the government to walk all over us? Make your complaints known to the FTC and in the polls in November.

Re:WE ARE CITIZENS!

Unfortunately, there are too many citizens willing to trade liberty for safety. They WANT the government to be able to look at the bad guy's traffic, and that's how the government bills this. They only time that they care is when it personally inconveniences them. That's not going to happen to the average Joe until everyone is using VoIP and the law enforcement officer starts snooping on THEM. It is not until they personally feel violated that they care. Otherwise, they're playing the, "must get the terrorist" game.

Re:WE ARE CITIZENS!

Hmmm... List three "liberties" that have been given up in the war on terror... that's a really hard one... I assume that you mean "rights" not "liberties".

Well, given that the USA PATRIOT act allows sneak and peek searches, I would say that the liberty to feel safe from searches in your own home... (That would be your rights under the Fourth Amendment)

Then there is the Sixth amendment rights to a fair, speedy public trial. Given that people held since 9/11 have been held without trial as "material witnesses", that the patriot act allows people to be held without access to legal defence... I think that might be number two. (I would point out that the sixth amendment does not say "Citizen".)

So, I only need to find another loss of a right within the bill of rights and I think I can claim that I am home free... Well, I'm going to do this the other way round for the last one... I'll pick an amendment and find ways that it has been broken (in my opinion)... I think the first amendment is a good one...

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.

Hmmm, well, technically, Congress hasn't made many laws on this. However, the rights enumerated under this have definitely been violated.

We'll start with the "free speech" zones. So that the president doesn't have to see any opposition, people who want to "Peaceably asemble" are herded into little cages around the corner out of sight.

The military have "banned" certain types of photographs from being shown to the public... that sounds to me like the freedom of the press being violated.

After the Madrid bombing an Oregonian lawyer was accused (and later released) based on a poor match to a smudged partial print. His name was bandied about, his reputation dragged through the mud... and all because he was a Muslim lawyer. That sounds like an impediment to his free practice of religion.

Voter registrations in Ohio are being ignored because they are printed on the wrong paper, and voters in Florida are being unregistered because they have a similar name to someone who committed a felony in a different state. Both of those sound like they are an impediment to their right to petition government for a redress of greivances. If you can't vote against someone that you disagree with then your requests to them have less power.

Will that satisfy you?

or do I have to list more?

Z.

Great idea, honest!

Internet wiretaps don't make the world safer they do the opposite - they make the world less safe. Any serious criminal will encrypt their connection meaning that the only people a wiretap would be useful against are idiots.

Wiretaps have been abused and these will also be abused - I'm not happy about giving police that power that the return is likely to be so small.

Simon

ACLU

The ACLU also has a site set up for reading more about what's involved and for faxing your petition - ACLU [aclu.org]

This may help encryption adoption

Previously, we could only say something like, "Someone may tap into your communication channel" to steal credit card information, listen to your VoIP, etc.. Better start using encryption! Lots of people ignore vague warnings like that. This would give us an actual "enemy of privacy" to point at.

Pardon my Tinfoil...

But aren't "they" doing it already with ECHELEON [wikipedia.org]?

Re:Pardon my Tinfoil...

Yes, but Echelon only provides as much intelligence (on US citizens in the USA) as Canada, the UK, Australia and New Zealand [1] can gather electronically. This will allow the (US) Three Letter Agencies to gather much more intel, much more freely.

[1] Echelon is the UKUSA nations - USA, and the 4 listed above. It's a neat way to for the five nations to avoid spying on their own citizens - by getting their allies to do it.

They're welcome to try.

We're already implementing https and ssl irc over our network... not that they'll see even that far, they'll likely never see past the exterior VPN tunnels.

Go go gadget Tinfoil Hat!

If you have a comment on why you don't want the governemnt reading your email please post it here.

Don't you mean, "if you want the government to flag your IP address as a potential "iCriminal" post your comment there..along with your home address so we'll know where to send the net cops when it's time to serve warrants"?

Then again, it's not like Ashcroft will make decisions based on the peoples' opinions anyway. I am willing to bet that this is just an attempt at gaining the public's confidence by providing an open forum (regardless of how useless it will be) for gripes and concerns.

Nobody wiretaps my Asterisk box

The whole point of VOIP, is that it becomes so easy to set up your own private voip exchange. You dont need to use your ISP for anything other than carrying encrypted TCP/IP.

So all you really need is a VoIP system like Asterix and Pingtel, plus some standard VPN software at the sites where you need to use it.

So with off-the-shelf and open-source software you can create a network that is both isolated from and most likely incompatible with federal wiretaps.

Why should...

Why should the government require private corporations to pay to give the government easier access to their networks. That's what this is, an unfunded mandate. The government doesn't care how technically difficult this is, or how much it would cost to implement.

How about...

...creating holes and backdoors in these services will lead to exploits of those holes and backdoors above and beyond our kind benevolent government. Only a fool thinks that ISPs and government are above the curve when it comes to hackers.

They'll only catch what the bad guys give 'em

If I were a bad guy, intent on committing something evil, here's what I'ld do:

1. Setup several email accounts. Most are reserved for sending bogus traffic (trolling for ye olde jack-booted thugs). One or two will be reserved for actual correspondence.
2. When zero-hour approaches, send messages indicating "something will happen in (some place) on (some date)" using the trolling accounts. The message is intended to draw attention and resources away from the actual target and attack methodology. These would be encoded using a method with known problems. The encoding method used should be crackable, but not easily - We can't appear to be too st00pid.
3. Send all "real" correspondence via high security encryption. To make it more interesting, I would pre-arrange with my cohorts that only messages sent at certain times of day, even using the "real" accounts, would be considered valid. All other messages would be "bait".

I'm sure I'm not the first to come up with something like this. I'm pretty sure the Allies sent many bogus messages prior to the Normandy invasion. [utexas.edu]

Well I'm Writing in

For those of you who don't take crap like this seriously, just look at how far we've come with disolving American's rights since pre-9/11. I don't care if they don't take me seriously, I'm at the very least chiming in with them. Here's my comments to them below.

I have been involved with Internet architecture and security for more than ten years. I must warn you that what you're about to do will be devastating to privacy on the Internet and will ultimately lead to such a strong distrust of the Internet that it may render it useless for any type of corporate or personal communication. There are three very serious issued here that must be discussed.

First, the effects of putting a full-blown monitoring system in place, aside from its immense cost to the taxpayers, will ultimately lead to only one conclusion: a wide open hole for any Internet hacker to direct their exploits at with the reward of full access to anyone's information on the Internet. Security of such a tool would be futile, and trusting a government agency with the security and management of such a tool dangerous in light of the government's inability to secure their own systems. Privacy concerns, corporate espionage, and even snooping on other government agencies are all serious concerns that would undermine America's use of the Internet.

Second, Abuse by those in control. Supreme court justices and high officials are not those many are concerned about with regards to abuse - these individuals are not the individuals who are commissioned to secure and manage such a system. It is underpaid government systems administration staff who would be responsible for managing it, people who are very likely to abuse their power to snoop on the private correspondence of others. Keep in mind we're not necessarily just talking about email, but personal media (pictures for example), online banking communications, and even possibly streaming video which should remain confidential from prying eyes.

Third, Electronic correspondence is all too easily analyzed and mined. Clandestine government operations to collect and store data about an individual over a period of years could easily compromise the integrity of the Internet as a whole and lead to the unjust profiling and intervention of law enforcement agencies who seek to use the information for purposes other than wiretapping.

I sincerely hope you are giving this the most critical analysis possible. The 1994 CALEA law was not passed for Internet surveillance; it was passed for telephone wiretapping. In 1994, the Internet wasn't a legislative concern, therefore to allow the FBI to apply this act to the Internet's backbone is a terrible travesty of justice. Do not allow the FBI to become the legislative branch! Demand that a law be passed specifically for Internet wiretapping before you consider anything. If a system like this were to be put in place, I for one would strongly consider abandoning the Internet and I suspect millions of others would do the same.

Re:What happened to no unreasonable searches?

You're supposed to forego all of your constitutional rights to fight terrorism.

Whether you're making a clever joke, or telling it the way it is, you're right on the money.
Like it or not, since 9/11 we've seen some pretty wack stuff. Random searches? Patriot Act? Holding without just cause? What the hell is that? More and more, the Constitution has become something that only the rich can afford. In the meantime, those who are a day in the sun darker than those in power suffer because what was once regarded as "rights" are being thrown in the toilet. In the name of what? Some crusty white zealot's blood war.

Re:Still need a Court Order

The final version of the anti-terrorism legislation, the Uniting and Strengthening America By Providing Appropriate Tools Required To Intercept and Obstruct Terrorism (H.R. 3162, the "USA PATRIOT Act") limits judicial oversight of electronic surveillance by: (i) subjecting private Internet communications to a minimal standard of review; (ii) permitting law enforcement to obtain what would be the equivalent of a "blank warrant" in the physical world; (iii) authorizing scattershot intelligence wiretap orders that need not specify the place to be searched or require that only the target's conversations be eavesdropped upon; and (iv) allowing the FBI to use its "intelligence" authority to circumvent the judicial review of the probable cause requirement of the Fourth Amendment.

The FBI already has broad authority to monitor telephone and Internet communications. Current law already provides, for example, that wiretaps can be obtained for the crimes involved in terrorist attacks, including destruction of aircraft and aircraft piracy. Most of the changes to wiretapping authority contemplated in the USA PATRIOT Act would apply not just to surveillance of people suspected of terrorist activity, but to investigation of other crimes as well. The FBI also has authority to intercept communications without probable cause of crime for "intelligence purposes under the Foreign Intelligence Surveillance Act ("FISA"). The standards for obtaining a FISA wiretap are lower than those for obtaining a criminal wiretap.

Minimal and Inadequate Standards for Access To Internet Communications Section 216 of the USA PATRIOT Act substantially changes current law. Under current law, a law enforcement agent can get a pen register or trap and trace order requiring a telephone company to reveal the "numbers dialed" to and from a particular telephone. To obtain the order, the law enforcement agent must simply certify that the information to be obtained is "relevant to an ongoing criminal investigation." This a very low level of proof, far less than the probable cause standard (probable cause that a crime has occurred, is occurring or will occur.) - a standard that must be met now to authorize access to the contents of a communication. Under the proposed Section 216, the judge must grant the order upon receiving the certification. Even if the judge disagrees, and believes that law enforcement officers are on a fishing expedition that will yield up no relevant information, the judge must issue the order. The judge is therefore not positioned to protect the privacy of a person's telephone communications; he wields a rubber stamp.

Section 216 of the USA PATRIOT Act would extend this low threshold of proof to Internet communications that are far more revealing than the numbers dialed to or from a telephone, and to portions of e-mail communications that cannot readily be separated from content. Section 216 gives law enforcement agents who obtain pen register and trap and trace orders access to "dialing, routing and signaling information." The bill does not define those terms. They would apparently apply to law enforcement efforts to determine what websites a person has visited. This is like giving law enforcement the power -- based only on its own certification -- to require the librarian to report on the books you had perused while visiting the public library. This is extending a low standard of proof -- far less than probable cause -- to "content" information even while Section 216 purports to exclude content.

The contents of a telephone call are readily separated from the telephone numbers dialed to and from a telephone. However, the same cannot be said of an e-mail address and the contents of an e-mail message. This information moves together in packets. To execute the pen register and trap and trace orders authorized by Section 216, somebody must separate the e-mail address from the contents of the e-mail message of the target. The FBI's answer to this problem is troubling. It obtains access to the entire message. Then, it asser