by Declan McCullagh
May 4, 2012
from CNET
CNET learns the FBI is quietly pushing
its plan to force surveillance backdoors on social networks, VoIP,
and Web e-mail providers, and that the bureau is asking Internet
companies not to oppose a law making those backdoors mandatory.
The FBI is asking Internet companies not to oppose a controversial proposal
that would require firms, including Microsoft, Facebook, Yahoo, and Google, to
build in backdoors for government surveillance.
In meetings with industry representatives, the White House, and U.S.
senators, senior FBI officials argue the dramatic shift in communication
from the telephone system to the Internet has made it far more difficult for
agents to wiretap Americans suspected of illegal activities, CNET has
learned.
The FBI general counsel's office has drafted a proposed law that the bureau
claims is the best solution: requiring that social-networking Web sites and
providers of VoIP, instant messaging, and Web e-mail alter their code to
ensure their products are wiretap-friendly.
"If you create a service, product, or app
that allows a user to communicate, you get the privilege of adding that
extra coding," an industry representative who has reviewed the FBI's
draft legislation told CNET.
The requirements apply only if a threshold of a
certain number of users is exceeded, according to a second industry
representative briefed on it.
The FBI's proposal would amend a 1994 law, called the Communications
Assistance for Law Enforcement Act, or CALEA, that currently applies only to
telecommunications providers, not Web companies.
The Federal Communications Commission extended CALEA in 2004 to apply to
broadband networks.
"Going Dark" timeline
- June 2008: FBI Director Robert Mueller and his aides brief Sens. Barbara Mikulski, Richard Shelby, and Ted Stevens on "Going Dark."
- June 2008: FBI Assistant Director Kerry Haynes holds "Going Dark" briefing for Senate appropriations subcommittee and offers a "classified version of this briefing" at Quantico.
- August 2008: Mueller briefed on Going Dark at strategy meeting.
- September 2008: FBI completes a "high-level explanation" of CALEA amendment package.
- May 2009: FBI Assistant Director Rich Haley briefs Senate Intelligence committee and Mikulski staffers on how bureau is "dealing with the 'Going Dark' issue." Mikulski plans to bring up "Going Dark" at a closed-door hearing the following week.
- May 2009: Haley briefs Rep. Dutch Ruppersberger, currently the top Democrat on House Intelligence, who would later co-author CISPA.
- September 2008: FBI staff briefed by RAND, which was commissioned to "look at" Going Dark.
- November 2008: FBI Assistant Director Marcus Thomas, who oversees the Quantico-based Operational Technology Division, prepares briefing for President-Elect Obama's transition team.
- December 2008: FBI intelligence analyst in Communications Analysis Unit begins analysis of VoIP surveillance.
- February 2009: FBI memo to all field offices asks for anecdotal information about cases where "investigations have been negatively impacted" by lack of data retention or Internet interception.
- March 2009: Mueller's advisory board meets for a full-day briefing on Going Dark.
- April 2009: FBI distributes presentation for White House meeting on Going Dark.
- April 2009: FBI warns that the Going Dark project is "yellow," meaning limited progress, because of "new administration personnel not being in place for briefings."
- April 2009: FBI general counsel's office reports that the bureau's Data Interception Technology Unit has "compiled a list of FISA dockets... that the FBI has been unable to fully implement." That's a reference to telecom companies that are already covered by the FCC's expansion of CALEA.
- May 2009: FBI's internal Wikipedia-knockoff Bureaupedia entry for "National Lawful Intercept Strategy" includes section on "modernize lawful intercept laws."
- May 2009: FBI e-mail boasts that the bureau's plan has "gotten attention" from industry, but "we need to strengthen the business case on this."
- June 2009: FBI's Office of Congressional Affairs prepares Going Dark briefing for closed-door session of Senate Appropriations subcommittee.
- July 2010: FBI e-mail says the "Going Dark Working Group (GDWG) continues to ask for examples from Cyber investigations where investigators have had problems" because of new technologies.
- September 2010: FBI staff operations specialist in its Counterterrorism Division sends e-mail on difficulties in "obtaining information from Internet Service Providers and social-networking sites."
FBI Director Robert Mueller is not asking
companies to support the bureau's CALEA expansion, but instead is "asking
what can go in it to minimize impacts," one participant in the discussions
says.
That included a scheduled trip this month to the
West Coast - which was subsequently postponed - to meet with Internet
companies' CEOs and top lawyers.
A further expansion of CALEA is unlikely to be applauded by tech companies,
their customers, or privacy groups. Apple (which distributes iChat and
FaceTime) is currently lobbying on the topic, according to disclosure
documents filed with Congress two weeks ago.
Microsoft (which owns Skype and Hotmail) says its lobbyists are following the
topic because it's "an area of ongoing interest to us."
Google, Yahoo, and Facebook declined to comment.
In February 2011, CNET was
the first to report that then-FBI general counsel
Valerie Caproni was planning to warn Congress of what the bureau
calls its "Going Dark" problem, meaning that its surveillance capabilities
may diminish as technology advances.
Caproni singled out "Web-based e-mail, social-networking sites,
and peer-to-peer communications" as problems that have left the FBI
"increasingly unable" to conduct the same kind of wiretapping it could
in the past.
In addition to the FBI's legislative proposal,
there are indications that the Federal Communications Commission is
considering reinterpreting CALEA to demand that products that allow video or
voice chat over the Internet - from Skype to Google Hangouts to Xbox Live -
include surveillance backdoors to help the FBI with its "Going Dark"
program.
CALEA applies to technologies that are a
"substantial replacement" for the telephone system.
"We have noticed a massive uptick in the
amount of FCC CALEA inquiries and enforcement proceedings within the
last year, most of which are intended to address 'Going Dark' issues,"
says Christopher Canter, lead compliance counsel at the Marashlian and
Donahue law firm, which specializes in CALEA.
"This generally means that the FCC is laying
the groundwork for regulatory action."
Subsentio, a Colorado-based company that sells
CALEA compliance products and worked with the Justice Department when it
asked the FCC to extend CALEA seven years ago, says the FBI's draft
legislation was prepared with the compliance costs of Internet companies in
mind.
In a statement to CNET, Subsentio President Steve Bock said that the measure
provides a "safe harbor" for Internet companies as long as the interception
techniques are "'good enough' solutions approved by the attorney general."
Another option that would be permitted, Bock said, is if companies
"supply the government with proprietary information to decode information"
obtained through a wiretap or other type of lawful interception, rather than
"provide a complex system for converting the information into an industry
standard format."
A representative for the FBI told CNET today
that:
"(There are) significant challenges posed to
the FBI in the accomplishment of our diverse mission. These include
those that result from the advent of rapidly changing technology. A
growing gap exists between the statutory authority of law enforcement to
intercept electronic communications pursuant to court order and our
practical ability to intercept those communications.
The FBI believes that if this gap continues
to grow, there is a very real risk of the government 'going dark,'
resulting in an increased risk to national security and public safety."
Next steps
The FBI's legislation, which has been approved by the Department of Justice,
is one component of what the bureau has internally called the "National
Electronic Surveillance Strategy."
Documents obtained by the Electronic Frontier
Foundation show that since 2006, Going Dark has been a worry inside the
bureau, which employed 107 full-time equivalent people on the project as of
2009, commissioned a RAND study, and sought extensive technical input from
the bureau's secretive Operational Technology Division in Quantico, Va.
The division boasts of developing the "latest and greatest investigative
technologies to catch terrorists and criminals."
But the White House, perhaps less inclined than
the bureau to initiate what would likely be a bruising privacy battle, has
not sent the FBI's CALEA amendments to Capitol Hill, even though they were
expected last year.
(A representative for Sen. Patrick Leahy, head
of the Judiciary committee and original author of CALEA, said today that "we
have not seen any proposals from the administration.")
Mueller said in December that the CALEA amendments will be
"coordinated through the interagency process," meaning they would need to
receive administration-wide approval.
Stewart Baker, a partner at Steptoe and Johnson who is the former assistant
secretary for policy at Homeland Security, said the FBI has
"faced difficulty getting its legislative
proposals through an administration staffed in large part by people who
lived through the CALEA and crypto fights of the Clinton administration,
and who are jaundiced about law enforcement regulation of technology -
overly jaundiced, in my view."
On the other hand, as a senator in the 1990s, Vice President Joe Biden
introduced a bill at the FBI's behest that echoes the bureau's proposal today.
Biden's bill said companies should
"ensure that communications systems permit
the government to obtain the plain text contents of voice, data, and
other communications when appropriately authorized by law."
(Biden's legislation spurred the public release
of PGP, one of the first easy-to-use encryption utilities.)
The Justice Department did not respond to a request for comment. An FCC
representative referred questions to the Public Safety and Homeland Security
Bureau, which declined to comment.
From the FBI's perspective, expanding CALEA to cover VoIP, Web e-mail, and
social networks isn't expanding wiretapping law: If a court order is
required today, one will be required tomorrow as well. Rather, it's making
sure that a wiretap is guaranteed to produce results.
But that nuanced argument could prove radioactive among an Internet
community already skeptical of government efforts in the wake of protests
over the Stop Online Piracy Act, or SOPA, in January, and the CISPA
data-sharing bill last month.
And even if startups or hobbyist projects are
exempted if they stay below the user threshold, it's hardly clear how
open-source or free software projects such as Linphone, KPhone, and Zfone -
or Nicholas Merrill's proposal for a privacy-protective Internet provider -
will comply.
The FBI's CALEA amendments could be particularly troublesome for Zfone.
Phil Zimmermann, the creator of PGP who
became a privacy icon two decades ago after being threatened with criminal
prosecution, announced Zfone in 2005 as a way to protect the privacy of VoIP
users.
Zfone scrambles the entire conversation from end
to end.
"I worry about the government mandating
backdoors into these kinds of communications," says Jennifer Lynch, an
attorney at the San Francisco-based Electronic Frontier Foundation,
which has obtained documents from the FBI relating to its proposed
expansion of CALEA.
As CNET was the first to report in 2003,
representatives of the FBI's Electronic Surveillance Technology Section in
Chantilly, Va., began quietly lobbying the FCC to force broadband providers
to provide more-efficient, standardized surveillance facilities.
The FCC approved that requirement a year later,
sweeping in Internet phone companies that tie into the existing
telecommunications system. It was upheld in 2006 by a federal appeals court.
But the FCC never granted the FBI's request to rewrite CALEA to cover
instant messaging and VoIP programs that are not "managed"--meaning
peer-to-peer programs like Apple's FaceTime, iChat/AIM, Gmail's video chat,
and Xbox Live's in-game chat that do not use the public telephone network.
If there is going to be a CALEA rewrite,
"industry would like to see any new
legislation include some protections against disclosure of any trade
secrets or other confidential information that might be shared with law
enforcement, so that they are not released, for example, during open
court proceedings," says Roszel Thomsen, a partner at Thomsen and Burke
who represents technology companies and is a member of an FBI study
group.
He suggests that such language would make it
"somewhat easier" for both industry and the police to respond to new
technologies.
But industry groups aren't necessarily going to roll over without a fight.
TechAmerica, a trade association that includes representatives of HP, eBay,
IBM, Qualcomm, and other tech companies on its board of directors, has been
lobbying against a CALEA expansion.
Such a law would "represent a sea change in government
surveillance law, imposing significant compliance costs on both
traditional (think local exchange carriers) and nontraditional (think
social media) communications companies," TechAmerica said in e-mail
today.
Ross Schulman, public policy and regulatory counsel at the Computer and
Communications Industry Association, adds:
"New methods of communication should not be
subject to a government green light before they can be used."