

Panel seeks to fine tech companies for noncompliance with wiretap orders - gsibble
http://www.washingtonpost.com/world/national-security/proposal-seeks-to-fine-tech-companies-for-noncompliance-with-wiretap-orders/2013/04/28/29e7d9d8-a83c-11e2-b029-8fb7e977ef71_story.html

======
dobbsbob
You'd think we would learn our lessons about sabotaging our infrastructure and
software to enable easy LE wiretap access after the Olympics spying scandal in
Athens when somebody discovered this back door and used it to spy on the Prime
Minister plus a hundred other dignitaries such as the US Ambassador.

Wonder how this panel's decision will affect projects such as Textsecure and
Redphone which were sadly sold to Twitter, and therefore under US jurisdiction
to force backdoors into. Same goes for Phil Zimmerman's new service.

~~~
rdtsc
> Wonder how this panel's decision will affect projects such as Textsecure and
> Redphone

I say it is only a matter of time. The wheels are already turning in that
direction. Just need a few terrorism/child porn high profile cases where
someone on behalf of FBI will testify how they had to let the evil perpetrator
go because encryption made it impossible to wiretap them -- and bam
legislation will be out in no time.

Remember many countries make cryptography illegal and even in US exporting
string cryptographic software was the same legally as exporting the designs
for bombs and rockets. And ban and/or arm twisting fines are just around the
corner I suspect.

------
minimax
People surprised by this probably ought to revisit the trap and trace
requirements that the telcos have had in place _for decades_.

[http://en.wikipedia.org/wiki/Communications_Assistance_for_L...](http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act)

~~~
cube13
The legal framework was established in the 60's:

[http://www.aarclibrary.org/publib/church/reports/book3/html/...](http://www.aarclibrary.org/publib/church/reports/book3/html/ChurchB3_0147b.htm)

------
salem
People will have a really tough time complying with this. CALEA requires that
the subject of the intercept not be made aware of intercepts being made. If a
target can check that the IP of his peer and is own is public, by a side
channel for example, and a 3rd party IP is still used for 'nat/firewall
traversal' that is known not to be needed, then the game is up. As usual,
you'll only catch the clueless.

~~~
peejaybee
I once set up a bridging firewall (using LEAF Bering) for a friend's business
to control traffic invisibly (this wasn't for any nefarious purposes -- he
really needed a firewall that didn't take up an IP number on his public
network.)

Configuring it was a pain in the ass (you couldn't telnet/ssh into it because
it had no IP number) but it worked very well and didn't show up in pings,
traceroutes, or much of anything else.

You can do a lot at the frame layer.

------
benguild
I find it funny that because technology began in the simplest, unencrypted,
analog formats that now the government expects the ability to wiretap anything
with ease.

~~~
k2enemy
Not to mention the implicit idea that if something makes law enforcement's job
easier, then it should be legally mandated.

~~~
jfoutz
I know, pulling over for flashing lights and sirens, what BS is that?

Seriously though, it often makes sense to build in affordances for
enforcement. We may not agree what laws exist, but if they're going to be
enforced, they should be enforced uniformly and efficiently.

~~~
betterunix
No, we should _not_ enforce laws efficiently, because that weakens the
protection against tyranny. We want law enforcement agencies to have to jump
through hoops so that tyrannical and oppressive laws are hard to enforce. The
reason the US government is so inefficiently organized is to thwart the
establishment of tyranny. Yes, it means that people who creep us out, who are
"obviously" guilty, and whom we personally want to punish will continue to
walk free. As H. L. Mencken famously said,

"The trouble with fighting for human freedom is that one spends most of one's
time defending scoundrels. For it is against scoundrels that oppressive laws
are first aimed, and oppression must be stopped at the beginning if it is to
be stopped at all."

~~~
jfoutz
I dunno. i think that's the kind of thinking that pushed the cost to defend
against a federal case up to 1.5 million.

I'm not advocating we just throw people who might be guilty in jail. Everybody
deserves their day in court. I think you'd be hard pressed to find someone
(who's not directly involved in something horrible - father of a murdered
child, etc) that disagrees with getting a fair trial.

For example, i'm a big fan of red light cameras. I hate them, but the blind
uniform enforcement is great. Doesn't matter if you're a cop, or an important
business man, or late for school. You break the law, you pay your ticket and
move on.

Laws are for cases where it's hard to get everyone to agree in the heat of the
moment, that's why we write them down beforehand. Arguing about Alice killing
Bob is different from arguing about Alice buying a car from Bob. It's still a
negotiation, but adding some special cases so everyone gets all the facts
doesn't seem wrong. Remember, the prosecution still has to turn all that stuff
over.

~~~
betterunix
"I think you'd be hard pressed to find someone (who's not directly involved in
something horrible - father of a murdered child, etc) that disagrees with
getting a fair trial."

I am pretty sure your local district attorney would disagree. The majority of
prisoners in America -- the _overwhelming_ majority -- did not have a trial
and took a plea deal instead. A standard prosecutor tactic is to make the list
of charges as long and extensive as possible, to pressure the defendant into a
guilty plea. It has been suggested that if everyone were to refuse a plea deal
and demand a jury trial, the justice system would be completely overwhelmed
and unable to handle the load.

"For example, i'm a big fan of red light cameras. I hate them, but the blind
uniform enforcement is great. Doesn't matter if you're a cop, or an important
business man, or late for school. You break the law, you pay your ticket and
move on."

I had not thought of that, but it is a _perfect_ example of why we do not want
law enforcement to become too efficient:

[http://www.marketplace.org/topics/life/shorter-yellow-
lights...](http://www.marketplace.org/topics/life/shorter-yellow-lights-mean-
more-red-light-revenue)

~~~
jfoutz
Is the district attorney's opinion because of your strategy to make everything
expensive?

We build other systems that are very complex, explicit and efficient. Less
prosecutor discretion, and more adaptive law seems better than making trial
costs spiral out of control.

Yes, and yellow light timing isn't contentious at all, is it? It's almost like
perfect enforcement of stupid laws gets those laws modified to not be stupid.
But whatever, i'm sure your way is good too.

------
jchrisa
The Coming War on General Purpose Computation <http://craphound.com/?p=3817>

------
revelation
I like how fines will double each day if left unpaid. Within a few months, the
fine will be much much higher than all money in existence.

------
deepblueocean
A good starting place to think about the CALEA system (besides, as other
comments mention, looking at CALEA itself) is this paper from Matt Blaze and
his students: <http://www.crypto.com/blog/calea_weaknesses/>

Also interesting is Steve Bellovin et al.'s excellent report on security
implications of extending CALEA to VoIP:
<https://www.cs.columbia.edu/~smb/papers/CALEAVOIPreport.pdf> Steve Bellovin
is now the FTC's Chief Technologist and spends his days trying to bring
technical sanity to the government in various ways.

------
rubbingalcohol
So companies will have to build in "wiretap friendly" monitoring capabilities
into their products in order to facilitate regulatory compliance? Is the
government going to subsidize the cost of developing this stuff? Aside from
how insidious the requirement seems from a privacy standpoint, it seems to
place undue economic burden on businesses from a compliance standpoint.

------
venomsnake
And now I can write a simple greasemonkey script that can encrypt the text
send to facebook chat and the other side decrypting it. We just need to be
able to exchange keys by other channels - not hard at all.

And on any device with root you can install driver that encrypts the mic
signal.

So instead of terrorists we will have technology literate terrorists.

------
D9u
1984... "Freedom is Slavery!" "War is Peace!"

------
eksith
I can see why there's a demand for a P2P/distributed routing for voice/video
services to get around this as they would require working with multiple ISPs
at the least and at most involve some sort of end-to-end encryption.

Wonder if it's possible to implement something like Tor for VoIP.

~~~
jeffasinger
I think the hard part about doing Tor for VoIP would be latency. It would be
pretty difficult to have a voice conversation with the sort of latency you'd
get from bouncing a connection through a bunch of volunteer computers.

~~~
eksith
Good point. It may make more sense to initiate a connection via multiple
routes (node discovery) and then direct-connect securely. Of course that won't
prevent anyone eavesdropping of knowing _where_ the call is going, just keep
them from knowing _what_ they were talking about.

