Written by Mark M. Jaycox and Seth Schoen
According to the New York Times, President Obama is "on the verge of backing" a proposal by the FBI to introduce legislation dramatically expanding the reach of the Communications Assistance for Law Enforcement Act, or CALEA. CALEA forces telephone companies to provide backdoors to the government so that it can spy on users after obtaining court approval, and was expanded in 2006 to reach Internet technologies like VoIP. The new proposal reportedly allows the FBI to listen in on any conversation online, regardless of the technology used, by mandating engineers build "backdoors" into communications software. We urge EFF supporters to tell the administration now to stop this proposal, provisionally called CALEA II.
The rumored proposal is a tremendous blow to security and privacy and is based on the FBI's complaint that it is "Going Dark," or unable to listen in on Internet users' communications. But the FBI has offered few concrete examples and no significant numbers of situations where it has been stymied by communications technology like encryption. To the contrary, with the growth of digital communications, the FBI has an unprecedented level of access to our communications and personal data; access which it regularly uses. In an age where the government claims to want to beef up Internet security, any backdoors into our communications makes our infrastructure weaker.
Backdoors also take away developers' right to innovate and users' right to protect their privacy and First Amendment-protected anonymity of speech with the technologies of their choice. The FBI's dream of an Internet where it can listen to anything, even with a court order, is wrong and inconsistent with our values. One should be able to have a private conversation online, just as one can have a private conversation in person.
The White House is currently debating whether or not to introduce the bill. Here's why it shouldn't:
The starting point for new legislation should be a real, serious, and well-documented need. Despite the FBI's rhetoric, there are few concrete examples of the FBI's purported need to expand its already efficient all-seeing eye. Current law requires annual reporting by the Department of Justice (DOJ) regarding the use of the government's wiretapping powers; the report includes statistics on how often Federal law enforcement has been impeded in a court-authorized investigation by encryption or has been unable to access communications. These statistics show that this has happened only rarely. In its most recent report—from 2010—DOJ reported that encryption had only been encountered all of 12 times.
Did the encryption stop the investigation, or even prevent the wiretappers from figuring out what was being said? No. The report admits that in all of these instances, police were able to obtain the plain text of communications. Previous years' numbers are similar. Aside from government reports, in 2012 telecommunications companies also revealed that a very low percentage of law enforcement requests for user information were rejected. In AT&T's case, only 965 out of over 250,000 requests for user information were rejected. Overall, the available public statistics don't appear to support the FBI's claims about its inability to access communications.
Any requested expansion of FBI surveillance authority has to consider the overall ability of law enforcement to investigate crimes. What the FBI doesn't mention when pushing new backdoors into our communications is that now, due to the shift to digital communications, law enforcement has an unprecedented level of access to, and knowledge of, the public's communications, relationships, transactions, whereabouts, and movements. Law enforcement now can gain 24/7 monitoring of most people's movements using cell phone location data. But that's just the beginning. A glance at the Wall Street Journal's multi-year What They Know project shows some of the treasure troves of data that are being maintained about all of us. By accessing these databases and by using new electronic surveillance technologies law enforcement already has visibility into almost every aspect of our online and offline lives—capabilities beyond the wildest dreams of police officers just a few decades ago.
Indeed, former White House Chief Counselor for Privacy Peter Swire and Kenesa Ahmad argued persuasively in 2011 that, overall, "today [is] a golden age for surveillance"—regardless of whether law enforcement is assured of automatic access to each and every kind of communication, and regardless of whether individuals sometimes succeed in using privacy technologies to protect themselves against some kinds of surveillance.
First, there's information obtained from cell phones. In July 2012, the New York Times reported that federal, state, and local law enforcement officials had requested all kinds of cell phone data—including mappings of suspects’ locations—a staggering 1.3 million times in the previous year. Cell phone companies can create what amounts to detailed maps of our locations and turn them over to law enforcement. Even without asking for cell phone providers' direct assistance, law enforcement has considerable ability to use mobile devices to track us. Federal and state law enforcement have made extensive use of IMSI catchers (also popularly called “stingrays,” after the brand name of one such device). These devices can act as a fake cell phone tower, observing all devices in a certain area to find a cell phone's location in real-time, and perhaps even intercept phone calls and texts.
Laws compelling companies to divulge user information accompany these techniques. For instance, National Security Letters, served on communications service providers like phone companies and ISPs, allow the FBI to secretly demand stored data about ordinary Americans' private communications and Internet activity without any meaningful oversight or prior judicial review. And Section 215 of the PATRIOT Act allows for secret court orders to collect “tangible things” that could be relevant to a government investigation. The list of possible “tangible things” the government can obtain is seemingly limitless, and could include everything from driver’s license records to Internet browsing patterns. The FBI has even broken into individuals' computers to collect data from inside the computers themselves. More backdoors aren't needed.
CALEA II will force companies with messaging services—from Google to Twitter to video game developers—to insert backdoors into their platforms. But backdoors only make us weaker and more vulnerable. It's ironic that CALEA II may be proposed only months after Congress pushed “cybersecurity” legislation to protect our networks. The notion of mandating backdoors in software is the antithesis of online security, which is why some academics have called it a “ticking time bomb.”
A proposal to expand backdoors into communications software ensures that online hackers, communications company insiders, and nation-states have a direct entrance to attack—and steal from—companies and government agencies. In one notorious example, someone exploited backdoors in a Greek phone company's systems and recorded sensitive conversations involving the Prime Minister. Wiretapping backdoors even affect national security. In 2012, Wired revealed the NSA's discovery and concern that every telephone switch for sale to the Department of Defense had security vulnerabilities due to the legally-mandated wiretap implementation. If politicians are serious about online security, they will not make these security blunders even worse by bringing more sensitive communication technologies under CALEA's scope.
Just last week, an ad hoc group of twenty renowned computer security experts issued a report explaining their consensus that CALEA II proposals could seriously harm computer security. These experts said that a requirement to weaken security with deliberate backdoors “amounts to developing for our adversaries capabilities that they may not have the competence, access or resources to develop on their own.”
And now the Washington Post has reported that intruders, allegedly working on behalf of the Chinese government, broke into Google's existing surveillance systems. (In this case, the report says that the intruders learned who was targeted by these systems, rather than accessing the contents of the targets' accounts or communications—but it's easy to see that wiretap contents would ultimately represent an even bigger target, and a bigger prize. Even more exciting would be the prospect of remotely activating new wiretaps against victims of an intruder's choice.)
Expanding CALEA is not only a tremendous risk for our online security; it's a slap in the face of Internet users who want to protect themselves online by choosing privacy-protecting software to shield their communications. Ordinary individuals, businesses, and journalists want and often need state-of-the art software to protect their communications in an era of pervasive spying by commercial rivals, criminals, and governments around the world. The government's rhetoric takes us back to the early 1990s when US law enforcement spoke openly of banning secure encryption software to keep it out of the public's hands. EFF and others had to fight—including in the Federal courts—to establish the principle that publishing and using encryption tools is an essential matter of individual freedom and protected by the First Amendment.
Once those “crypto wars” were over, the US government seemed to accept the right of Americans to secure communications and abandon the idea of forcing innovators to dumb down these technologies. We turned our concerns to foreign governments, several of whom were trying to ban communications tools for being “too private.” (For instance, the Associated Press reported five countries threatened to ban BlackBerry services in 2010 because the services protected user privacy too well.) Americans, including the US State Department, began supporting the development and distribution of secure communications tools to foreign rights activists who need them. Now this battle may be coming home.
Even with these tools, most Americans can protect only a tiny fraction of the trail of data we leave behind electronically as we live our lives. But we still have the right to choose them and try our best to keep our private communications private.
The government should place any proposal to expand CALEA on hold. There is little evidence the FBI is actually “going dark,” especially when balanced with all the new information they have access to about our communications. And backdoors make everyone weaker. In a time when “cybersecurity” is supposed to be a top priority in Washington, the FBI is pushing a scheme that directly undermines everyone's online security and interferes with both innovation and the freedom of users to choose the technologies that best protect them. Tell the White House now to stop the proposal in its tracks.