Readers of spy thrillers and mysteries never question how the police and the telephone companies are able to nose their way into telephone communications. As it happens, law enforcement and national security agencies in the United States may wiretap legally for certain purposes.
Congress granted that power in the 1994 Communication Assistance for Law Enforcement Act (CALE). This legislation requires any digitally switched telephone network in the United States, both telephone and broadband, to have wiretapping capability built in according to standards developed by the FBI. Europe has similar requirements.
Law enforcement may use wiretapping to investigate drug cases, organized crime, and racketeering, and national security may use it to track foreign governments and their activities, terrorists, and international arms dealers, says wiretapping expert Susan Landau, a fellow at the Radcliffe Institute for Advanced Study at Harvard. “Wiretapping is a remarkably effective tool because it captures the bad guy giving evidence against himself,” she says.
Landau will speak on “Surveillance or Security? The Risks Posed by New Wiretapping Technologies” on Thursday, April 21, at 8 p.m. at Small Auditorium at Princeton University. The event, hosted by the Princeton ACM/IEEE, is free. E-mail firstname.lastname@example.org, or visit www.acm.org/chapters/princetonacm.
A number of policy issues grow out of the existence of this wiretapping technology on telephone switches:
#b#Legitimate needs for wiretapping open the possibility for illegitimate uses#/b#. “Law enforcement and national security use wiretapping to protect the nation, but the problem is that if you build wiretapping technology into a switch, you may be building a way for others to get into the switch and wiretap others who shouldn’t be wiretapped,” Landau says.
She illustrates the problem with two examples. In Greece, in 2004 and 2005, 100 senior members of the Greek government, including the prime minister and heads of defense and the interior, were wiretapped for 10 months. A switch owned by Vodafone Greece had been updated with wiretapping technology, but because Vodafone had not paid for it, the technology should not have been turned on.
A further complication was that once the illegal wiretapping was discovered investigators could not figure out where the wiretapped information had gone because the automatic auditing capability had not been turned on.
A second example occurred in Italy, where 6,000 Italians — judges, politicians, celebrities, and sports figures — were illegally wiretapped between 1996 and 2006. “The assumption is that it was done for purposes of blackmail and distortion, and the court case is still going on,” says Landau. That means that one out of every 10,000 Italians was wiretapped, which would be comparable, says Landau, to having 30,000 people tapped for no reason in the United States.
“When you make wiretapping capability easy, it can be abused,” she says, “either by someone who can break in, as in Greece; or as in Italy, where it looks like an insider.”
#b#Intervention can affect innovation#/b#. The 1994 CALE act covers only digitally switched telephone networks, not the Internet. “Now the FBI wants it to apply to the Internet, which is a more complicated system and technology,” says Landau. Centralized communications like those going through Gmail or Facebook, where communications go into a server owned by a single company, are not that hard to tap, she says.
But peer-to-peer communications through services like Skype are difficult because you don’t know ahead of time where the message is going to travel. And any technology that permits wiretapping would be disruptive enough to the core communications technology to essentially break it.
The FBI floated proposals to require expanded wiretapping capability on the Internet and the Department of Justice was supposed to propose a bill in early January, but has not yet done so. Many people, however, are not so sanguine about this idea. “There is pushback from many who say it will threaten innovation and will have great civil liberties harm,” says Landau. “I have argued that it is a great security risk. It’s very hard to do it right. You’re doing an architected security breach: building a way for someone else to get to communications.”
In a 2010 article in the New York Times Landau expresses concern that an expansion of the law would be an obstacle to innovation by small startups. The article states: “Every engineer who is developing the wiretap system is an engineer who is not building in greater security, more features, or getting the product out faster.”
Landau, whose father was a jeweler, earned a bachelor’s in mathematics at Princeton University in 1976, a master’s in mathematics from Cornell in 1979, and a doctorate in theoretical computer science from MIT in 1983. Her first teaching job was at Wesleyan University, where she taught computer science. Next she was a research faculty member at the University of Massachusetts in Amherst. She then moved to industry, where she spent 11 years, from 1999 to 2010, at Sun Microsystems, the last five as a senior engineer.
At Sun she worked on security, cryptography, and policy, including surveillance and digital-rights management issues. She also advised government officials on security risks of various surveillance technologies, helped to develop privacy and security policies for the Liberty federated identity management system, and was instrumental in keeping the control of federal civilian computer security within civilian agencies.
In another New York Times article about issues involved in widening the periphery of the 1994 law, writer Charlie Savage points to the crux of the issue: the dilemma over how to balance Internet freedom with security needs in an era of rapidly evolving, global technology. He writes: “The issue has added importance because the surveillance technologies developed by the United States to hunt for terrorists and drug traffickers can be also used by repressive regimes to hunt for political dissidents.”