LOS ALAMITOS, Calif., 11 February, 2013— Computer security experts in an upcoming IEEE Security & Privacy magazine article argue that the Federal Bureau of Investigation's bid to extend wiretapping-enabled design to Internet-based services will pose serious security risks to the US communications system.
In the article in IEEE Security & Privacy magazine's January-February issue, renowned computer security experts Steven M. Bellovin, Matt Blaze, Sandy Clark, and Susan Landau argue that there are viable alternatives to the FBI expanding the Communications Assistance for Law Enforcement Act (CALEA) from digital telephone networks to emerging IP-based communications. Bellovin is professor of computer science at Columbia University, currently on leave as chief technologist with the US Federal Trade Commission; Blaze is an associate professor of Computer and Information Science at the University of Pennsylvania; Clark is a graduate student in Computer and Information Science at the University of Pennsylvania; and Landau, a 2012 Guggenheim Scholar, is the author of Surveillance or Security, The Risks Posed by New Wiretapping Technologies (MIT Press, 2011).
Enacted in 1994, CALEA requires that switches in digital telephone networks be built wiretap-enabled—designed for eavesdropping. As an alternative to requiring that interception capabilities be built into IP-based communications systems, the authors say that the FBI could use passive interception or develop highly-targeted capabilities to exploit vulnerabilities in the computers and devices used by their wiretap subjects. This would allow the FBI to get necessary evidence with a wiretap order without further weakening the US communications infrastructure.
In "Going Bright: Enabling Legally Authorized Wiretapping While Securing Communications Infrastructure," the authors state that it's critical for national security that communications software and systems be designed to be as secure as possible against attack. Deliberate backdoors—whether by way of CALEA or through hidden "lawful intercept" access features included by software vendors complying with CALEA—inherently make systems more vulnerable. Worse, all users, not just wiretap targets, would suffer from increased exposure to attacks.
"The thought of the FBI exploiting vulnerabilities to conduct authorized wiretaps worries me," states Landau. "But such an approach is far more privacy and security protective than the alternative: requiring infrastructure—and apps—to have security holes built in."
IEEE Security & Privacy magazine, published by the IEEE Computer Society, addresses a broad range of topics related to securing information and computing resources. Its primary goal is to bridge the gap between theory and practice. Published six times a year, the magazine provides a combination of research articles, case studies, tutorials, and regular departments and columns for the information security industry. For more information, visit www.computer.org/security. To read the full article on the risks of CALEA extensions, and possible solutions, visit http://www.computer.org/portal/web/computingnow/securityandprivacy