Surveillance or Security?: The Risks Posed by New Wiretapping Technologies (2 page)

BOOK: Surveillance or Security?: The Risks Posed by New Wiretapping Technologies
13.46Mb size Format: txt, pdf, ePub
ads

I am sure that the company whose meeting it was did not arrange for
the guards. Rather it was the hotel that provided them as part of the service of running a conference. The service was unnecessary. Any determined
"spy"-I say "spy" in quotes because no proprietary information was
released during the conference-could have counterfeited a badge and
gone to hear the presentations. The guards kept out the hordes on the
street, except that the hotel was on an inaccessible four-lane roadway.
There was no street and no hordes. The guards were completely superfluous, but they were required by the hotel contract. The money the company
was spending on guards' salaries was money it was not spending on training additional security technicians, on upgrading its IT infrastructure, or
on improving the security of its products (which included defense information systems sold to the U.S. government). These guards were not providing good security. The situation was even worse. The cost of this "security"
prevented this company from protecting what mattered.

The guards provided what Bruce Schneier has called security theater: the
appearance of security rather than the genuine article. There are thousands
of examples of this, from TSA inspections of passengers and X-rays of their
hand luggage without accompanying inspection of the parcels that ride in
the bellies of the planes, to the ubiquitous closed-circuit TV (CCTV)
cameras appearing everywhere with little evidence that their usage actually
cuts crime.' The cost of CCTVs diverts money from such activities as community policing. As such, their use may actually be counterproductive.

Electronic communication is the lifeblood of modern society. Simultaneously, such communication can be central to how criminals and terrorists conduct their business. Not a day passes without another story of
Internet insecurities, critical infrastructure being attacked, attacks from
China on U.S. corporations, and Russian hackers targeting U.S. consumers
or Estonian government sites. In the decade since the attacks of September
11, in an attempt to keep the nation safe, the U.S. government has
embarked on an unprecedented effort to build surveillance capabilities into
communication infrastructure.

Unlike the TSA and CCTV examples, the issue of who is defending what
runs more deeply than the question of whether we are diverting funds
from techniques that may provide better security. What are these communication surveillance systems? Who are the guards? Are they really
protecting us? Or are they working for someone else? Could these surveillance capabilities be turned by trusted insiders for their own profit, or used
by our enemies to access our secrets? The fundamental issue is whether,
by housing wiretapping within communication infrastructure, we are creating serious security risks. Understanding whether building wiretapping into
communication infrastructure keeps us safe requires that we understand the technology, economics, law, and policy issues of communication surveillance technologies. That is the point and purpose of this book.

I begin in chapter 1 by laying out the issues of communication and
wiretapping within their social and legal contexts. In chapter 2, I discuss
the development of communication networks, both the telephone and the
Internet, while in chapter 3, I explain how the Internet came to be so
insecure. These two chapters are more technical than the rest of the book
and less technically trained readers may choose to skim them. I discuss
legal aspects of wiretapping in chapter 4, effectiveness of communications
surveillance in chapter 5, and evolving communications technologies in
chapter 6. In chapter 7, I examine who is intruding on our communications, how they intrude, and what they are seeking. Having built that
framework, in chapter 8, I look at the technology risks that arise when
wiretapping is embedded within communications infrastructures, while in
chapter 9, I look at the policy risks created by wiretapping technologies.
In chapter 10, I examine how communication takes place during disasters;
this gives different insights into communications security. I conclude in
chapter 11 by discussing how we might get communications security and
surveillance "right."

Note: Because my focus in this book is on whether widespread communications surveillance enhances or endangers national security, I am
not addressing broader policy issues of U.S. national security. In particular,
I will discuss only peripherally the role that the concentration of executive
power over the last decades, and most particularly under the administration of President George W. Bush, has had in determining current U.S.
communications surveillance policy. This issue-which has been the
subject of many other publications-is beyond the scope of this book.

 

My thanks, first and foremost, go to my long-term collaborator, Whitfield
Diffie, with whom I enjoyed many years of intellectual give-and-take.
Much of my thinking on the issues of privacy, security, and surveillance
has been influenced by our conversations. The direction my career has
taken is no small part due to Whit, and I am very grateful to him.

Sun Microsystems was a great place to work: full of smart people and the
ferment of ideas, and I was lucky to be there. I am particularly appreciative
of Bob Sproull's strong encouragement and support for writing this book.

Dancing between policy and technology is complicated, and I owe
many thanks to friends and colleagues who answered more questions than
they imagined existed. I particularly want to thank Steve Bellovin, Matt
Blaze, Clint Brooks, Jim Dempsey, Al Gidari, and Brian Snow. I very much
appreciate Nancy Snyder's work on the illustrations for the book. I have
benefited from meetings organized by Deirdre Mulligan and David Clark,
and I would like to thank them for those as well as for many stimulating
conversations. The following people generously shared their knowledge,
read over sections, and translated text: Steve Babbage, Curt Barker, Jim
Bidzos, Danny Cohen, Dennis Costa, Tom Cross, Gary Cutbill, George
Danezis, Roger Dingledine, Chris Essid, Dickie George, John Gilmore, Andy
Grosso, Ann Harrison, Paul Karger, Eleni Kosta, Leslie Lambert, Herb Lin,
Steve Lipner, Nick McKeown, John Morris, John Nagengast, Peter Neumann,
Hilarie Orman, Jon Peterson, Phil Reitinger, Jen Rexford, Ed Roback,
Greg Rose, Ari Schwartz, Renee Stratulate, Paul Syverson, Lee Tien, and
Jonathan Weinberg. I am very grateful to them all. In addition, there are
a number of knowledgeable high government and private-sector sources
whom I will have to thank anonymously.

Special thanks to Brown Kennedy, who told me to stop revising my
outline and start writing. Without her, this book might still be a highly
polished outline.

Everyone thanks their spouse or partner, and I am no exception. With
great equanimity my husband, Neil Immerman, put up with my intense
focus on surveillance, frequent travels to Washington, and a lifelong obsession, at least in pre-Internet days, with finding a copy of today's New York
Times. He found me texts, read multiple drafts of this book, and even
helped with typesetting.

It has been many years since I took a writing course with John McPhee
and learned how the fact-checkers at the New Yorker insist on the accuracy
of even the smallest fact.' My debt to John-and the legions of factcheckers employed by the New Yorker-is enormous. I have done my best
to apply the many lessons learned. Any errors in this book, however, are
my own.

 

Communication lies at the heart of being human. Communication can be
private-the whispered conversations of two lovers, the secretive negotiations of politicians, the hushed deals of businesspeople-or highly publicmarriage ceremonies, civic speeches, announcements of products and
mergers.

The invention of electronic communications-the telegraph in 1844,
followed by the telephone three decades later-enabled conversation at a
distance and substantially changed the way people interact. Cell phones,
the Internet, and other communication devices have so magnified this
change that in the modern world it is quite likely that more "conversations" occur electronically than face to face. This has a critical impact on
privacy. Or as the noted cryptographer Whitfield Diffie has put it, "In the
1790s, at the time the [U.S.] Bill of Rights was written, you could just walk
off a few feet down the road and there were no tape recorders, no shotgun
microphones, and you were having a private conversation in a way that
nobody can be sure of today."' The freedom to communicate at a distance
carries with it hidden risk: eavesdroppers may hear the conversation too.

Such risks have always existed, of course. The letters of Mary, Queen of
Scots, for example, were intercepted and read, leading to her conviction
for high treason and her death.' Thomas Jefferson worried about the interception of his communications; at times he avoided signing his letters-or
even writing them.3

For many years, protecting confidential communications through
encryption was a practice limited to governments; by and large, the public
rarely attempted such efforts. The arrival of the public Internet, and its
wide use by business, changed the situation. The risk of communications
interception has spread to a large swath of society. In the 1990s a pitched
battle ensued between the U.S. government, technologists, and academics
over the public's right to use cryptography.

The government argued that, important as confidentiality was for some
public business, the government's need for wiretapping was more critical;
widespread access to encryption would impede this. The public's need won
out. In 2000 the U.S. government began permitting most exports of strong
cryptography4 and thus indirectly enabling deployment and use of strong
cryptography within the United States.' Technologists and academics had
won the "Crypto Wars." Even the events of September 11, 2001, did not
shake the U.S. government position. Shortly after the Al Qaeda attacks, New
Hampshire senator Judd Gregg argued for the reinstatement of the cryptographic export controls, but there was no White House or NSA support of
his position. Widespread availability of cryptography was here to stay.

While the code warriors' may have emerged victorious in the battle over
confidential communications, there were signs of government efforts to
thwart the privacy that encryption engenders. A 1994 law regulating telephone carriers that passed during the early days of the Internet boom may
actually be the linchpin that undoes communications privacy.

The Communications Assistance for Law Enforcement Act (CALEA)
requires that digitally switched telephone networks be built with wiretapping capabilities designed by the federal government. In 2003 the Federal
Bureau of Investigation (FBI) pressed for CALEA's extension to instances
of Voice over Internet Protocol (VoIP), voice communication that traverses
the Internet, a position that was upheld by the U.S. Court of Appeals.

Events were occurring on other wiretapping fronts as well. In late 2005
and spring 2006 journalists at the New York Times and USA Today reported
that, without any warrants, NSA was surveilling domestic communications. In the summer of 2007 Congress passed the controversial Protect
America Act (PAA).7 Valid for only six months, the PAA allowed warrantless
wiretapping of communications if one end was "reasonably believed to be
outside the United States." How the new law would be implemented was
unclear-there had been minimal public discussion of the bill before it was
passed-but the actions at an AT&T switching office in San Francisco gave
hints. Large amounts of domestic traffic were being selected and shipped
to a "central location";' presumably this was the NSA.

The 1990s battle over encryption has shifted from the public's ability to
encrypt their communications to the government's requiring that surveillance capabilities be built directly into communications infrastructures.
With the shift of usage from the telephone network to the Internet, it
appears that the U.S. government is simply seeking to keep wiretapping
capabilities current with modern communications technology. But the
difference in techniques and scale is creating a substantial difference in kind.

BOOK: Surveillance or Security?: The Risks Posed by New Wiretapping Technologies
13.46Mb size Format: txt, pdf, ePub
ads

Other books

The Sleeping Night by Samuel, Barbara
The Fog Diver by Joel Ross
In Love and Trouble by Alice Walker
Fairy Thief by Frappier, Johanna
The Silver Thread by Emigh Cannaday
Bloodline-9 by Mark Billingham
Lujuria de vivir by Irving Stone