Online monitoring scheme bad news for security, opponents say

Government efforts to allow law enforcement to intercept all online communications would dramatically weaken Internet companies' ability to secure their infrastructure, opponents say.

A government task force is working on legislation that would penalize companies such as Google and Facebook that failed to heed court-issued wiretapping orders presented by law enforcement, The Washington Post reported on Monday. Failing to provide the data would result in court-levied fines starting at tens of thousands of dollars. After 90 days, unpaid fines would double daily.

Law enforcement with court orders can obtain email and other online communications stored in a central server. The legislation in the works would extend the 1994 Communications Assistance for Law Enforcement Act (CALEA) to Internet phone calls between computer users. Microsoft-owned Skype is the best-known example of such peer-to-peer communications, but telecom companies, Internet service providers and Internet companies also provide similar services.

Law enforcement's need for better online surveillance has grown as more people use social media, chat services and Internet telephony for communications. Criminals and terrorists utilize these services as much as law-abiding citizens.

Opponents of the pending legislation reported by The Post do not argue against the need for wiretapping in criminal investigations. However, there is currently no easy way to tap peer-to-peer communications without building a backdoor in the provider's infrastructure.

Doing so would create a hole that could be exploited by criminals, making the whole system less secure, said Joseph Hall, senior staff technologist at the Center for Democracy and Technology, a Washington, D.C., non-profit focusing on issues of privacy and security.

"A wiretap is essentially a tailor-made vulnerability," Hall said on Monday. "It provides turnkey access to any content flowing through your network and your software."

While having such backdoors would help U.S. law enforcement, it would also provide a new vector for state-sponsored hackers searching for communications between dissidents, opponents say.

Intercepting VoIP calls or text could also provide information that could be used in spear-phishing attacks to steal intellectual property from companies or classified documents from government agencies.

"We may in the process actually help extremely sophisticated kinds of attackers, such as nation-states," Hall said.


While wiretapping in general is an important investigatory tool, federal law enforcement have not shown that the information they currently get from online communications is inadequate or does not arrive quickly enough, Hall said.

"Before we take a drastic step that basically involves anyone making any type of communications technology build in these backdoors, there's got to be a discussion to figure out if there's better ways to do this kind of stuff," he said.

Nevertheless, the FBI argues that without access to communications as they occur, critical evidence can be missed. Andrew Weissmann, general counsel of the FBI, addressed the issue last month during an American Bar Association discussion in which he described the gap in following online activities as "going dark."

"The importance to us is pretty clear," Weissmann said. "What we don't have is the ability to go to court and say, 'We need a court order that actually requires the recipient of that order to effectuate the intercept.'"

Weissmann argued that other countries provide law enforcement with the legal tools to tap into online communications and that most non-lawyers would expect the same in this country, when police meet the high standards set for obtaining a court wiretapping order.


Stories by Antone Gonsalves
