Surveillance or Security? The Risks Posed by New Wiretapping Technologies

And so it’s my pleasure to introduce Susan
Landau, who is currently a visiting scholar in the Department of Computer Science at Harvard.
She’s an expert on Cyber Security policy. She’s written a number of books on these
issues. Previously she was at Sun for ten years where she worked on the policy side
and also on the technical side. And today she’s going to talk about surveillance and
security and the policy issues related to this (unintelligible). So, here’s Susan.

Thank you. And one correction: it’s surveillance
or security. Not surveillance and. So, I want to talk to you about wire-tapping. And the
three pictures I have up here on the left, my left, my right, your left is a still from
the movie “The Lives of Others”. A film about wire-tapping in East Germany and surveillance
in East Germany and the corruption of a society by excessive surveillance. It’s a fabulous
film if you haven’t seen it. In the middle is the FBI which has been pushing for increased
wire-tapping capability in law as well as in technology. And on the right is a Blackberry
and it’s partially there because of all the issues about international tapping. And
I’m going to try and cover all three in my talk today.

So, in wire-tapping you want to focus on which
technology. This is the phone that I and a couple of people in the audience grew up with.
The notable thing about this phone is it doesn’t move. It stays where, it stays in one place.
It rings very loudly. During the ice, the snow storm we just had in, in western Massachusetts
these phones worked and electric phones didn’t. The phone wires are, are, are designed to
actually keep going even during bad storms because they have very little electricity
in them.

But wire-tapping, which technology, those
phones don’t move. These phones don’t, do move. But it turns out wire-tapping them
is not particularly hard in two out of three cases. So, this phone the way you wire-tap
the, the, the immobile phone, the wire line phone, is you modern phone technology is you
put a wire-tap in at the telephone central office. That’s the office right near the
telephone, within a few miles of where the telephone is. The wire-tap goes at the telephone
central office. This phone, the wire-tap goes at the home location register. That’s the
location where the phone is registered. So, when a phone call comes into the phone it
goes, the phone call first goes to the home location register. The home location register
says oh this person isn’t roaming and taps the call. Or the phone says this person is
roaming, but I know where they are, I know which cell they’re in, and informs that
cell that there’s a wire-tap. And that cell executes the wire-tap. If the phone is roaming
and the person making the call wants to make a call but there’s a wire-tap on it then
the phone, the first call that person makes, the call goes to the home location register
to check whether or not the person has a paid up phone and the home location says wire-tap
that call, and the call gets wire-tapped. After that, after it’s said that there’s
enough money on the phone for the phone to make a call, after that the calls don’t
go through the home location register. And usually there isn’t tapping. Okay. So, the
tapping there is complicated. You can tap, but it’s a more complicated situation.

There are also other types of communications
that you want to tap. One of them is something called Facebook. But Facebook turns out also
to be easy to tap. Because all the communications go into a central location. And you tap at
the central location. So, you don’t care about the pathway that it takes to get into
that central location. You only care that it goes to the central location.

And then there are communications that are
harder to tap. Skype is the quintessential example. The reason Skype is hard to tap is
the communication goes peer to peer. When you do a Skype call it travels via other people’s
computers that are also Skype enabled. And it goes to the other end. Now your Skype communication
is encrypted end to end from your machine to the other person’s machine. There are
two reasons to do this. The first is, excuse me. The first is that when your communication
is encrypted end to end, as your communication travels on other people’s machines they
can’t listen in on you. The other reason is when your communication is encrypted end
to end, when your communication travels on other people’s machines, you can’t mess
with other people’s machines because it’s an encrypted communication. You can’t download
malware. You can’t do anything bad to their machine. So, the encryption has two purposes.

But wire-tapping has become increasingly problematic
for the FBI. And the reason is peer to peer communications encrypted communications and
so on. Let me tell you the problem in wire-tapping. So, we’ve got Bob and we’ve got Alice.
And Bob is at the coffee house and he wants to do a VoIP comm call with Alice who is sitting
at an airport lounge. But of course Bob doesn’t know where Alice is. So, Bob’s ISP, his
local ISP, his SIPS ISP, Bob’s ISP is going to try to initiate the conversation. And so
Bob’s VoIP provider is Packatalk. So, his local ISP, SIPS ISP says Bob wants to do a
VoIP communication, tells Packatalk. Packatalk says oh he wants to do it with Alice. Alice
is at IP Voice. IP Voice says let me check if Alice is on line. Oh my goodness yes she
is at Fly ISP. Her IP address is whatever Alice’s IP address has been designed to
here at the airport lounge by Fly ISP. And Packatalk and IP Voice do an exchange of IP
addresses. That’s called a rendezvous. That’s the last time that Packatalk and IP Voice
are involved in the conversation. After that the communication travels peer to peer over
the internet. Well what does that mean for wire-tapping? If you’re the FBI and you’re
wire-tapping Bob, you tell Packatalk I want a wire-tap on every one of Bob’s conversations.
Everyone that goes through Packatalk gets wire-tapped. But Bob’s conversation right
here when he’s at the coffee house doesn’t go through Packatalk. Only the rendezvous
information does. Now could Packatalk tell SIPS ISP about where Bob is? No. Because it’s
the court and the FBI that has to send the wire-tap order to SIPS ISP. It’s even worse
than that. We don’t even know who owns SIPS ISP. It might be the coffee house, or it might
be the coffee house that’s owned by organized crime. And this would be a very effective
way for Bob to find out he has a wire-tap ordered. Okay. So, it cannot be the case that
Packatalk lets Fly IS, uh SIPS ISP know about the wire-tap order. It has to be law enforcement
that does. And if the conversation is brief, the conversation happens in real time, that
wire-tap order isn’t going to get over. That’s what actually makes wire-tapping
in a mobile IP world complicated. Okay are you guys with me? Good.

So having told you a little bit about what’s
complicated, I want to tell you about what U.S. law has to say. And all of wire-tap law
is, stems from issues related to the Fourth Amendment, which says: “The right of the
people to be secure in their persons, houses, papers, and effects, against unreasonable
searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable
cause, supported by Oath or affirmation, and particularly describing the place to be searched,
and the persons or places to be seized, things to be seized.” It’s really important.
Our Fourth Amendment comes from what we call the Writs of Assistance during the colonial
period where the British had a general writ that said they could grab anything in the
house. They could take anything in the house. The Fourth Amendment says you’re given a
warrant to search for marijuana plants, you can search for marijuana plants in the house,
but you can’t open the night table drawer and find the concealed weapon, the un-registered
concealed weapon, because marijuana plants don’t grow in night table drawers. On the
other hand if you have the warrant to look for the concealed un-registered concealed
weapon, you’re allowed to go into the greenhouse and see the marijuana plants because of course
the gun could be in the… Okay?

So, wire-tap laws are subject to the Fourth
Amendment. The history of U.S. wire-tap law is a 1968 law on criminal wire-taps, a 1978
law that says how you can do wire-taps for foreign intelligence, and then a whole bunch
of laws starting in 1994. I’m going to focus on the latter half, but let me tell you two
pieces of the first two. Title III says, limits the cases under which you can do a wire-tap
warrant. It has to be a serious crime. One of a list of about a hundred. Lists started
with twenty-five back in 1968. It’s been expanded to about a hundred. Those are the
only crimes under which you can get a wire-tap order. It has to be probable cause that the
suspect is committing this serious crime. The communication device has to be part of
the planning for the crime. And it has to be essentially last resort. It doesn’t have
to be last resort; it just has to come close to it. Foreign Intelligence Surveillance Act
does many of the same things, except it’s not a probable cause that the suspect is committing
a serious crime. It’s probable cause that the suspect is an agent of a foreign power
or a terrorist group.

But it is these laws that I want to focus
on. Patriot Act, so I’m sorry. I let me back up one second. CALEA in 1994 the U.S.
government passed a rather unusual law. The first two I’ve described, describe the warrant
procedure for when the U.S. government can get a warrant. It also says when there can
be a warrant by the states for a wire-tap, which it has means it has to be those states
can apply for a wire-tap warrant only under at least as restrictive rules as the federal
government. They can be more restrictive, but they can’t be less. 1994 U.S. government
passes a law that’s not about when the government can wire-tap, it’s about what the phone
companies have to do to accommodate wire-taps. And it’s even odder; it’s much more odd
than that. It says the wire, the phone companies have to design their switching networks to
accommodate wire-taps. All digitally switched telephone networks have to be built wire-tap
enabled.

Well, we have a slew of wire-tap laws starting
in 2001 with the Patriot Act. Patriot Act, probably the most significant piece of the
Patriot Act in terms of wire-tap law is it, there have been a wall between the foreign
intelligence investigations and the Title III the criminal investigations. The purpose
of the wall was to prevent law enforcement from using the Foreign Intelligence Surveillance
Act, the FISA wire-taps which are, all you have to do is show that the person is agent
of a foreign power instead of probable cause they’re committing a serious crime. It was
to prevent using the lesser proof to go, get a wire-tap and then using the evidence to
convict somebody. Cause with foreign intelligence, quite often it is not a criminal case. And
you want to restrict the power of the government to do as invasive a search as a wire-tap is,
and the ability, with given that the government has the ability to throw somebody into jail
you want restrictive power on the power of the wire-tap. Are you guys with me? Including
those of you far away?

So, what the 2001 Patriot Act did among other
things was it said instead of foreign intelligence being the primary purpose of a FISA tap, it
only needed to be a significant purpose. Lowered the wall between the Title III and the FISA
taps and it enabled in more cases for a FISA tap to then be used, FISA evidence scouring
it from a FISA tap to be used in a, a, a criminal case. But the thing that I want to focus on is CALEA
and in 2003 the FBI asked that CALEA be extended to cases where a VoIP, voice over IP. There
are other things that happened. The warrantless wire-tapping appeared, the Protect America
Act, the FISA Amendments Act. So, let me tell you briefly about those.

I’ll start with the Communications Assistance
for Law Enforcement Act. So, it was passed in the transition from a wire-line phone,
to digitally switched phones. And in 2003 the FBI said (unintelligible, due to audio
breaking up) digitally switched phones to the internet we need help. Okay? The law,
CALEA explicitly says it has an exemption for information services. Okay we shouldn’t,
in 1994 meant the internet. But in 2003 the FBI pushed for CALEA extending to the internet
to voice over IP. In 2004 the FCC agreed with this somewhat to our surprise, the “our” being
the Civil Liberties Groups and industry. In 2005 the Appeals Court agreed with the FCC.
And I recently spoke to someone at the FCC who said they were as startled as the rest
of us. Okay. Two to one decision the FC…the Appeals Court said that VoIP, that CALEA could
extend to VoIP. Now what the FBI, what the FCC had said is CALEA could extend to certain
cases of VoIP, what’s called facilities based VoIP. What that means is it looks like
a telephone from you to the central office. It can be anything at all, in the phone company.
It could be a packet, it could be circuit, could be anything at all. And then at the
other end it doesn’t matter. But from you to the phone company it looks like a wire,
same way it always did. And those kind of cases are actually pretty easy to wire-tap,
because you put a wire-tap on at the phone company the same way you always did.

I just want to tell you in this context a
little bit about the Protect America Act and the FISA Amendments Act. This is a map of
the world. And as you notice, the United States is in the middle, which always happens when
the U.S. designs the map. But in this particular case, there’s a good reason for the U.S.
to be in the middle. The red lines are the cables, the fiber optic cables. This map is
a few years old. You’ll notice huge cables that all come and go to the United States.
And that’s because of the fiber overbuilding that happened in the 1990’s. You’ll also
notice cables from South America and so on. What happens as a result of these cables is
when you have a call from Europe to Asia it often goes through the United States. When
you have a call from Brazil to Argentina it often goes through the United States. Why?
Because the previous technology was satellite technology. When you do a phone call from
Brazil to Argentina and it goes up to a satellite, there’s a quarter second delay. People don’t
like a quarter second delay in a phone conversation. It’s irritating. That much of a delay is
noticeable and it bothers us. But if you do it by a fiber, by a fiber optic cable to Miami
and back, there’s no quarter second delay. It happens like that. Now you do a call from
Brazil to Argentina by way of Miami it goes into the United States and it’s very easy,
physically, to wire-tap it. Legally, it wasn’t easy to wire-tap it, because legally it was
a call that was inside the United States, so you need a wire-tap order. But to the NSA
and to the U.S. government it seemed inappropriate you would need a wire-tap order for them.

Other case that involves calls that goes through
the United States, even though it seems like they shouldn’t is it used to be the case
you couldn’t call from Taiwan to China, because the Chinese government and the Taiwanese
government didn’t talk to each other. The way you called from Taiwan to China is you
called by way of a switch in California, and then the call went through. Now if you’re
AT&T you’re very careful about how you write your contracts. And you know that the situation
of Taiwan and China not talking to each other is not going to last forever. But you want
to make that deal that you get the calls for a long time so you write the contract. So,
the contract exists much longer than the, the inability to call. So, calls from Taiwan
to China go through the United States. And it didn’t use to be the, it did used to
be the case. It’s no longer the case now, but it used to be, but if you did Gmail you
used a server in the United States. Now Gmail has, Google has servers all over. But for
a while the servers of Gmail, Yahoo, and so on were all in the U.S. So, so you could be
doing e-mail from Europe to Europe, from the U.K. to the U.K. and they would be going through
the United States. The U.S. government saw this as an opportunity to more cheaply wire-tap.
But the problem was the law was written in such a way that you needed a wire-tap warrant
because the communication was inside the United States. To pass the Protect America Act, which
said that all calls where one end is reasonably likely to be outside of the United States
you don’t need a wire-tap warrant. That law lasted six months, was controversial,
got renewed for two weeks and then didn’t get renewed. It was replaced by the FISA Amendments
Act. And there will be a quiz at the end of this talk. You have to distinguish when it’s
a U.S. person, a non-U.S. person, whether the communication is wired, wireless. A protected
communication means a wire-tap warrant is needed. An unprotected communication means
it can be tapped without a warrant. If you look at the map of the United States and you’re
calling from the Midwest to Maine, upper Midwest to Maine it’s quite likely that a call can
go through Canada. If you’re calling, certainly that’s true when you’re in the upper peninsula
of Maine. When you’re calling from Mexico to the Caribbean it could go through either
the United States. There are all these complicated edge cases of when can you tap, when can you
not tap with a warrant, without a warrant. FISA Amendments Act, you can ask me questions
later, but I’m going to, I just did the map to show you the complexity.

So, wire-tapping, what you want to do when
you talk about wire-tapping, you want to how efficacious are the solutions. And it depends
on the type of case. So, when CALEA passed in 1994 the FBI director went to Congress.
He went to all the Congress (unintelligible) and said look, you don’t want kids in your
district kidnapped and we can’t find the kidnapper. You don’t want us to not be able
to listen to the call. That is we got the call and we can’t figure out what the guy
is saying. But the numbers tell a slightly different story. The numbers tell you a story
of fewer, now this is 1994. This is numbers from about 1968 to about 1998 and then the
situation changes. The number of kidnapping cases in which wire-taps warrants were used
were about six a year. Because you didn’t know who the kidnapper was. And if you were
listening into the call at the house of the family where the person was kidnapped, that’s
not a wire-tap, not from the point of law, and not from the point of technology. It’s
what’s called a consensual overhear. You don’t need a wire-tap warrant. The numbers
go up recently and the reason the numbers go up is because of cell phones. So, when
a kid gets kidnapped, they’re often kidnapped by a non-custodial parent, the parent who
doesn’t have custody. We don’t think of that as a kidnapping, but it is a kidnapping.
But then you know the phone number of the non-custodial parent, often the kid that is
you know the cell phone number. And the kid often has a cell phone. And so tracking the
cell phone tracks the kid. And so, that is a kind of, it’s not exactly a content wire-tap,
it’s a pen register trap and trace. So, it’s now used more often.

Other kinds of investigations: When the wire-tap
laws were passed gambling was the big case. And the reason for that is because gambling
is what organized crime supported itself on. We got state gambling in, in terms of lotteries
and so on. And gambling became less of an issue for organized crimes of support method
it moved to drugs and… In 2006 the Department of Justice had a counter-terrorism white paper
that said 441 defendants have been charged with terrorism or terrorism related activities.
When you look at the numbers you discover that only 123 had prison sentences. 14 had
five years or more. 6 had twenty years or more. When you look at the numbers again,
the numbers look better than this. So, on the one hand only six had serious cases. But
on the other hand there were many people who got deported, who were bad guys. And they
don’t show up in the numbers I’ve just shown you. What that tells you is that the
numbers are kind of funny.

So, I’ve told you a little bit about why
wire-taps are not so useful. Let me tell you a little bit about why wire-taps are useful.
And this is a case that the federal government doesn’t talk about in terms of wire-taps
being useful. (unintelligible name given) was an Afghan raised partially in the refugee
camps of Pakistan and partially in the United States. Mostly in the United States. His family
moved to Colorado. At some point he was, he was selling food off of a food cart in the
U.S., was well liked by his customers. At some point he went to Pakistan a whole bunch
of times. He had been married to a cousin, and he was going to visit his wife. And then
after one of his trips, he came back to the U.S., went to stay with his family in Colorado,
and the next thing you knew there was this news story that said: Colorado man who drives
to New York in a rented car, stopped by the George Washington Bridge, car inspected, visited
some friends in Queens, driving back was arrested, suspicion of terrorism. Next story says a
little bit more. Next story says a little bit more. Next story says a little bit more.
And then finally you get him pleading guilty to potentially blowing up subway cars. And
when you read the affidavit and you read the story that you discover that in August of
this is going to be 2010, is that right? 2009 August of 2009 he is, he rents a motel, a
hotel room twice in Colorado. After the second time, the FBI goes in, and examines the hood
over the stove and discovers chemicals used in bomb making. And they do web searches on;
they do searches of his laptop, to discover what web searches he’s been doing. He’s
done web searches for how to pick up other chemicals used in bomb making. These are in
Queens, New York. He has, there are videos of him picking up other chemicals used in
bomb making around Colorado, which he then presumably used in the motel room. But what
you notice is the FBI did not search the first time he went to the motel room. Okay? And
you also notice that he made three increasingly frantic phone calls the, the second time he
was in the hotel room. What I’ve just told you, that last fact tells you when he got,
why he got picked up. He made three increasingly frantic calls to somewhere outside the United
States for information about bomb making. They checked the hotel room afterwards, found
the chemicals, tracked him, arrested him after he got spooked and started driving. So they
searched him when he came into New York because they were afraid he had bad stuff in his car,
searched him when he got spooked and started driving back west, and caught him on a few
small lies (unintelligible due to audio breaking up) made these key increasingly frantic calls
to, to Pakistan.

So, I’ve told you some, in some cases wire-tapping
information is not as useful as the law enforcement claims. In other cases it’s been tremendously
useful. The other thing I want to tell you is that transactional information is remarkably
revelatory. It located the planner of the September 11th attacks through his cell phone
when he was in Pakistan. In July 2005 there were bombings that destroyed subway cars,
three bombings that destroyed subway cars in London, and one that destroyed a bus. There
was an attempted replication on July 21st. The Brits tracked the cell phone of a friend
of one of the alleged bombers of the July 21st group. They found it in Rome near the
brother of one of the alleged bombers. They went to the apartment and found the guy himself,
the alleged bomber.

It’s cut time for investigation in Marshals
Services as U.S. Marshals Services track fugitives. It used to be it took forty-two days on average
to try a fugitive. With cell phones you checked where the guy is at ten p.m. at night. You
check where he is at eight a.m. in the morning. And then the next day, and then you look who
his family and friends are in that location. And then the next day you pick him up. Two
days is the average now.

This is not your parents’ communication
world. When I was growing up that telephone was the kind of phone I used. I actually still
have one on my desk in my study. But that telephone in order to call England for example,
I had grandparents in England; you had to book the phone call ahead of time. In the
1970’s you could dial direct. Now you can dial direct, and you don’t even have to
know where the person you’re calling is. Not your parents’ business world. We outsource,
which means that we do lots of communications abroad. We do just in time manufacturing.
We send critical infrastructure information over the network, and we have mobile communications.
It’s not your parents’ business world or communications world. So, it used to be
that switches looked different from one another. But that’s not the case anymore. Using a
Cisco switch in the United States, they’re using the same Cisco switch in other parts
of the world. Somebody figures out how to break into a Cisco switch in Estonia, they
know how to break into that same Cisco switch in Kansas. And what’s more, through the
internet they can get there. Everybody’s using the same kind of technology.

When you build wire-tapping capability into
communications infrastructure and into applications you create two kinds of risks. You remove
the carriers from the equation. And we all know that if you have to explain to somebody,
you have a warrant, here’s the warrant, and so on that effort causes you to be more
honest yourself. The other thing is that you remove technical forms of minimization. And
when, about five years ago when the Protect America Act passed, we made these points.
I did this joint work with several other people. We made points. A couple of years later the
“New York Times” reported that the kind of wire-tapping allowed under the Protect
America Act and the FISA Amendments Act, had picked up various people they shouldn’t
have picked up. One of them was former President Bill Clinton. Building wire-tapping capability into communications
infrastructure and applications creates risks of exploitation and over collection. Let me
give you a couple of examples. One is Greece. So, for ten months between 2004 and 2005 a
hundred senior members of the Greek government were wire tapped. What happened is Vodafone
Greece had bought a switch from Ericsson. They hadn’t arranged for wire-tapping capability
in the switch. When the switch got updated, wire-tapping capability was built into the
switch, but because Vodafone Greece hadn’t paid for wire-tapping there was no auditing
capability. Wire-tapping capability was shut off. Somebody went into the switch, turned
on the wire-tapping, sent the wire-tapped communications to sixteen cell phones. This
went on for ten months. When the switch was updated, whenever the switch was updated,
the wire-tapping capability was updated. One time the wire-tapper screwed up. They didn’t
update the wire-tapping capability. SMS messages went awry. Vodafone Greece began investigating
the problem, discovered the wire-tapping. The wire-tapping got shut off. I’ve now
told you how it happened. I haven’t told you who, and nobody knows who. There are suspicions,
but nobody knows who.

Telecom Italia between 1996 and 2006, ten
thousand Italians were wire-tapped illegally. This included judges, politicians, referees,
business people, celebrities, sports figures. What I’ve now told you is that there was
no political, or business, major political or business discussion that have happened
in private. Cases still going through the courts, but presumably this is a case of bribery
and blackmail and corruption. Ten thousand people in, in Italy I’m sorry six thousand,
six thousand people, it’s one in, it’s six thousand people, one in ten thousand Italians
was wire-tapped. Okay.

Cisco built an architecture for wire-tapping
IP switches. They did the right thing by publishing it. Tom Cross, an IBM researcher, studied those,
those specs. And so these specs were based on European standards for law enforcement
interception. What Tom Cross discovered is that they’re easy to spoof. Which means
it’s easy; you can allow unauthorized parties to receive the interception.

Making it easy to wire-tap means we’re wire-tapping.
Let me tell you about the exigent letters. So, post September 11th the Communications
Assistant Unit of the FBI was placed in the same room with the, with people from major
telecommunications carriers. And the idea was to help get them in, get information,
transactional information, who, what, when of a call quickly. And they did so. They had
something called national security letters which said to go through a subpoena you just
needed this national security letter, lower level of proof. This is im… it was piece
of, a legal document that said this is important to an ongoing investigation. One of the telco
guys said how bout you do exigent letters. Just a quick letter that says you got us a
national security letter quickly. FBI thought this was a good idea, did it, carried the
practice onto other FBI offices. The result, exigent letters were never followed up with
national security letters. Data was given without written requests. If you don’t have
written requests, you can’t track what information was handled, handed from
the communications carrier to the, to the FBI. There was a lack of specificity. Let
me tell you what a lack of specificity means with a concrete example. The Code of Federal
Regulation says you can’t get any transactional information or wire-tap order on a journalist
without the written signature of the U.S. Attorney General. Nobody lower can do that.
Okay? That’s because the freedom of the press is really important in the United States.
It’s not a law. It’s a regulation. They used an exigent letter on a “Washington
Post” also on a “New York Times” reporter but the story I’m telling you is about the
“Washington Post” they used the exigent letter on the “Washington Post” reporter.
They didn’t put any dates on it. They thought this reporter had been talking to a terrorist.
They didn’t think she hadn’t been doing anything wrong, but they thought they could
track the terrorist. How easily could a reporter talk to sources if the sources know that who
she’s talking with are tracked. So, they were supposed to track her for a few weeks
while she was in Indonesia. They tracked her for seven months. They didn’t have dates
on it. And they deployed what are called community of interest tools. Community of interest tools
say, who are you talking with, who are those people talking with, let’s look at your
larger and larger community. Those were deployed without written requests.

When you wire-tap or you do any kind of surveillance,
you have to ask who are, what are the threats we face. We face the threat of non-state actors.
We face the threat of insiders and the insider I have up here is Kim Philby. He was the British
spy, the Soviet spy working for the British intelligence unit for a very long time. Very
damaging and nation states. The non-state actors are not terribly, oh and when I talk
to you about what threats we face, it’s not only the one you expect, it’s also our
friends. Okay? Let me say more.

The threats from non-state actors are still
at the nuisance level. Now if you live near the Worcester airport and the Worcester Airport
was disabled for six hours, that’s unpleasant. But all of these are at the nuisance level.
There haven’t been serious attacks yet. You hear it sometimes in the press, but it’s
not for real. The threats from insiders however are serious. And the reason they’re serious
is these guys know how you work, they know how you protect yourself, they know your systems,
they know how to get away with attacks on you without your knowing about it. So the
example that I can think about aside from Kim Philby of course is Bradley Manning, which
is another insider attack. Except in that case, I’m not even sure I’d call it an
attack. And since it wasn’t organized it was certainly an attack, but it wasn’t an
organized attack. It was a…whatever it was.

Threats from state actors: So, in 2006 we
heard about the first story of an attack where stuff came out of four government military
sites. In all four cases it was unpatched systems and the attackers went in, the exploiters
went in, took the files they wanted, packed them up, took them out, one after the other,
the space of eight hours. Then we began hearing about more and more Trojans hidden within
e-mails, sophisticated attacks using highly targeted e-mails, careful reconnaissance that
allowed the attackers to go in, examine what they want and then slowly move the stuff,
then quickly move the stuff out when they’re ready.

Who’s spying? During the Cold War it was
the Soviet Union. And then in the 1970’s attention shifted to include defense contractors.
So, Soviet trade groups would come over and for example and visit (unintelligible) And
they’d wear double sided tape on the bottoms of their shoes so they could pick up little
pieces of composite metal to find what kind of composite metal we were using to build
our bombers or surveillance planes. Okay? But these kinds of delegations are expensive.
You have to spend many years developing the contacts and so on. Okay. By the 1980’s it wasn’t just the Soviet
Union, it was some of our friends as well. So, the French government for example says
look in military affairs we’re allies. In economic affairs we compete. Israel, Japan,
Iran, many countries. The estimate in 2003 was two hundred billion for exploitation,
for spying on industrial, for industry. But nobody knows the real numbers. There are two
new issues…the Internet and China. It’s expensive to develop the contacts and send
trade delegations over and it involves people. Doing it by the via the internet is much faster
and much cheaper. I want to switch topics completely and talk
to you about what threats we face in a different domain. That’s Katrina. And here are some
natural disasters. So you know about the Haitian earthquake, but the rest of those numbers
are amazing. So, when you start talking to first responders about what do they need during
a crisis, they need, first of all they need land mobile radio, because wire-line phones
go down. Cell towers go down. Satellite phones don’t work terribly well if there are tall
buildings, or clouds, or mountains in the way. They use land mobile radio. Have you
ever counted the number of, of antenna on the back of a police car? There are about
half a dozen. Right? That’s for the police car to communicate with his district, with
the next district over, with the fire department, the fire department the next district over,
with the ambulance, and the ambulance the next district over. They’re all not inter-operable.
Okay? None of them inter-operate. So what first responders need is land mobile radios
that’s inter-operable, inter-operable, inter-operable and secure. I talked to the head of Information
Assurance at the NSA, the technical director of the Information Assurance at NSA. He said
he wants to see land mobile radio available at Radio Shack. And then he said Uh oh no,
a secure land mobile and then he said oh no I’m not supposed to say that because he’s
not supposed to mention a particular company. Okay. But I told him I was going to use it
anyway. Well of course if secure land mobile radio
was available at the, at, at Radio Shack it’s not just; it’s not just the first responders
who are going to use it. Bad guys are going to use it too. But that’s NSA policy. They
want to see that. I want to talk to you for a moment about the
Preamble to the Constitution. It’s not something we talk about very much. But it happens that
it turns up in legal cases, occasionally. And the point I want to raise to you is that
the Preamble talks about securing the blessings of liberty to ourselves and all posterity.
Well what does that mean about what we need in terms of communication security and communications
interception? We want to enable secure communications in terms of national and international disaster.
And I think the numbers I just showed you, show you how often natural disasters happen
and how big they are when they happen. So we want to secure national, communication
when there’s a national disaster. Because of cyber exploitation we want to secure civilian
communications. And we want to enable successful investigations of criminal and terrorism cases.
And I posit to you, that’s the order in which we should think about communications
security. What do we need in terms of communications
surveillance? Transactional information is the way the NSA has gone the last ten years.
Ten years ago, eleven years ago the NSA backed off on the control of, of crypto in export,
export control. And it was not because they don’t want to listen in, but because they
found transactional information and network exploitation where they had to go. Use the
vulnerability of end hosts to get at conversations when you can’t get at them otherwise and
be like the NSA. Use clever solutions. The point is CALEA isn’t free, but building
wire-tapping capability into the infrastructure into applications creates all sorts of risks,
and it’s not the FBI who’s footing the bill. What do you do for getting communications
security right? The point is that security of communication is important for freedom,
security, human dignity and consent of the governed. It should be designed with the bless,
the principle of securing the blessings of freedom for posterity. So, I mentioned the
Preamble, what do I mean? You build wire-tapping capability into a switch, or an application.
It lasts a very long time. Okay. You want security of, the freedom of, the blessings
of freedom for posterity. You don’t build surveillance capability into your infrastructure.
Any suspension of communications privacy should be brief, measured in days or weeks, not months
or years. When you build, when you, now why would I mention suspending communications
privacy? When you’re in Washington they talk about what happens if the nuclear bomb,
a nuclear bomb is detonated, detonated in New York or Washington. You could imagine
that all sorts of things would happen to our laws. Okay. In a case of national crisis,
communications privacy would disappear. You plan on it disappearing for days and weeks,
you don’t build surveillance into the infrastructure. You plan on it lasting for months and years,
you build it into the infrastructure. And then, the canary in the coal mine principle.
Communications surveillance should not impede the working of the press. Okay. Cause if you
impede the working of the press the next thing that goes is people’s freedom. And I want to end with a keyboard. Well not
quite with a keyboard to remind you about how long infrastructure lasts. That keyboard
was designed so that when you type the letters that most frequently appear in the English
language which are e, t, and so on the keys don’t hit each other. The metal keys that
extend from that key to the paper, don’t hit each other. When was the last time any
of you typed on a typewriter with metal keys? This was a typewriter that was made to make
it complicated to type the most frequent letters. Infrastructure lasts. You build wire-tapping
capability into the infrastructure it’s going to last a very long time.

So with that I will sell you my book if you
want to buy it. I don’t actually have copies, but that’s my book where it talks more about
these issues and thanks very much. I guess I talked quickly which leaves you lots of
time for questions. Landon.

So, you said that society needs to use the
vulnerability of end hosts. I was curious as to what you meant by that.

Sure. So, Landon’s question was…I’ll
repeat the questions for those of you far away. Landon said what did I mean by the vulnerability
of end hosts? And that’s great because it lets me talk about things that I didn’t
have time to talk about. So, the FBI about a year ago, fourteen months ago, began saying
it’s going dark and it’s having trouble wire-tapping all sorts of communications.
It’s having trouble wire-tapping peer to peer; it’s having trouble wire-tapping when
the communication is encrypted. It’s having trouble wire-tapping when the communications
provider is outside of the United States. And it wants better capabilities written into
law. And the answer is the FBI needs to be smarter about what it’s doing. So, if I
go back all the way to the beginning of my talk, I had the slide that said Facebook isn’t
hard to wire-tap because it’s a centralized communication. Lots of communications we do
over the internet in fact are centralized even though we’re using a peer to peer communication
network. What you want to do is separate the communications that you already have capability
for wire-tapping such as the circuit based systems. The ones which are not hard technically,
but may be hard for the FBI or local state and local law enforcement, because they don’t
have the technological know-how or the, the connections with the provider. So for example,
at the hearing that happened last February there was the FBI, there was the chief, the
president of the chiefs of state and local police, and that guy who’s a law enforcement
officer from Virginia talked about how hard it was to wire-tap all these different cell
phones cause each of them has a different operating system and a different way of working,
and da, da, da, da, da. And that’s true, but it’s not true in the sense that the
FBI should be the central repository for such information. And they should have that information
catalogued and not have it the case that when a local, state and local guy is tapping a
phone they’ve never seen before, they talk to a buddy at the state agency and the buddy
says oh I talk to so and so at the FBI, so you call on so and so at the FBI, so you call
so and so at the FBI, but so and so was off on vacation and so you can’t get through.
It should be up and accessible to state and local. They should be the go to source. At
the same time they should also be the, the research agency. So, right now FBI’s a case
based agency and when they have a wire-tap they try to figure out how to do that particular
wire-tap order on that particular technology. They should be going to communications conferences,
learning what new communications technologies evolving, and learn how to wire-tap, learn
who to talk to at the particular company and develop that ahead of time so that when they…wait
I’m getting to it. Okay. That takes care of two-thirds of their cases. Not two-thirds
of their cases. It takes care of a lot more than two-thirds of their cases. It takes care
of almost all of their cases. Then there are the cases that are hard, like Skype on a well
secured machine. After that they have to be clever and use the vulnerability of the end
host. So, I heard a talk by the former head of information assurance at NSA. And he said
the most effective nat…nation states if they want to go after you; they’re going
to find a way to get in. Okay. So, it’s a question of how much you spend to go after
your particular target. The FBI would like to be able to have everything simple, because
it makes their costs low. But making their costs low makes all the rest of us vulnerable,
and our risks are somewhere else. You make the costs high, some of the cases they’re
going to have to spend a lot of money, or not go after it. That’s not the solution
they want, but that’s what I mean by using the vulnerability of end hosts. I don’t
mean make end hosts vulnerable. Long answer, but I wanted to put it all in context.

Okay. Right. So, you’re advocating for it
rather than making changes to the infrastructure which would be expensive and make everybody
vulnerable to sort of hack into individuals’ machines?

Landon’s question… should I repeat the
questions? Sure. So, Landon’s question was, was I really
saying that instead of making infrastructure and applications vulnerable, I’m urging
the FBI to hack into machines. And the answer’s yes. I’m…the FBI already does that. It,
it has something called, it has a key logger. I think the key logger is Magic Lantern if
I remember correctly. It has Triggerfish, where it acts like a cell phone provider and
picks up signal. It has all sorts of tools like this. These tools are expensive to deploy.
They should be expensive to deploy. You don’t want a rogue agency like the (unintelligible)
and we don’t have, mostly we don’t have a rogue agency. I mean there have been rogue
instances. Whitey Bulger in Boston is an example of a rogue instance. But mostly we don’t
have a rogue law enforcement. But the problem is that when you make wire-tapping easy to
happen, you, one, have lots of cases of wire-tapping where you shouldn’t have it. And I gave
the case of the exigent letters. But you also, in the case of the kinds of exploitations
we’re worried about now, which are the cyber exploitations and the deputy secretary of
defense William Lynn a year ago, a year and a half, a year ago, wrote that the most serious
long term cyber security problem is the theft of intellectual property. And he didn’t
mean Disney films. He meant plans and research and business plans and so on from high tech
and pharmacology and so on companies. When that’s your risk, then making it easy to
wire-tap is exactly the wrong way to go. When you, when it, when Lockheed Martin doesn’t
secure itself, Lockheed Martin is your risk. When Verizon doesn’t secure its switch,
every communication through Verizon is, is at risk.

I promise not to answer so long a second time.
Yes?

Why do you call it surveillance or security?

Why do I call it surveillance or security?
Because the usual argument about wire-tapping or other kinds of surveillance is we got to
balance privacy versus security. And I think that’s a false model. Because in many cases
the surveillance capabilities do not make us more secure. And in this particular argument
and in the argument about the, the risks of building surveillance into a communications
system, I posit that actually makes us less secure. So um…

(Unintelligible talking by another person in the room)

That’s right. That’s right. So, if what
we’re worried about is cyber exploitation and so on building surveillance into communications
networks or into applications making it easier to wire-tap when is, is making us less secure.
Now we’re never going to get to the point that applications or infrastructure are completely
secure. You know I’ll quote the dir.., the former director of the Information Assurance
Directorate. But it depends how much money and how much incentive the party going after you
has. If it’s organized crime they’re going to have a lot of money and they’re going
to have some incentive, but then they’re not going to have the money or the incentive
that the nation/state has. So the harder you make it to, to exploit the more secure you’re
making the parties you need to make secure. Yeah?

So it, it seems like the end game is that
everybody puts encryption on their devices anyway. So, you know it seems like you know
Skype as, as an example that sort of that’s the direction things are going to be moving
in. So my, my question is, and, and you know your discussion with Landon was very interesting
and, and, and seemed to address a way that law enforcement could still access information
if they wanted to in that context. My question is if that is the end game, then what is it
that we’re really worrying ourselves about.

Sure.

Is it the, the mid-term between now and then?

So, the question was it looks like the end
game is encryption on everybody’s devices and so on. And so if that’s the end game
why are we worried now. I’m going to give a long answer again. Because I rushed through
my talk, so I skipped details. So now you get to hear them. So, in the 1990’s when
we were fighting, fighting the crypto wars there was this funny race going on between
whether Europe and perhaps Asia, but mostly Europe, whether Europe would beat us and steal
enough business away from U.S. computer manufacturers that um, that the FBI and the NSA would relent
and the U.S. government would change its policy and allow the deployment of strong encryption.
Or whether the FBI would get, and perhaps the NSA would get Europe to, to put restrictions
like we had on crypto. And it was just not clear which one was going to happen. And in
fact the former happened and partially it was Europe and partially it was various kinds
of domestic issues. We have all kinds of law in the United States. As Larry Lessig said,
there’s east coast law, and west coast law. East coast law is Washington and west coast
law is technology. So, I found it startling when Google did not have a way of logging
onto your e-mail but by a fixed password. And I talked to one of my friends at Google
and said I want to use S/KEY which is a set of one time passwords, and he said they’ll
never go for it because that’s too complicated for the average user. And I suggested that
I don’t know maybe within six months of Gmail coming out then it was nice that you
could do SSL mail, that is secured Gmail. And, but you, that was not the default option.
Okay? And it was only after Google got attacked, got exploited by China that, that Google changed
its policy. The answer is there’s this funny contest going on. I would actually posit
that part of the contest that’s going on is one that’s completely unseen and it’s
in different parts of the U.S. government. So, the FBI fourteen months ago went public
and said we want a new law. There were hearings in February. There’s no bill yet. The lack
of bill is not because I testified opposite the FBI no matter how well my testimony went.
The lack of bill is because other parts of the federal government, the Defense Department
and State Department, opposed what the FBI wants. Now the State Department has its set
of issues, cause it wants the ability of human rights workers and journalists to report in security
and safety and that means all kinds of encryption and so on. The State Depart, Defense Department
is looking at other kinds of things. Defense Department DARPA just funded I think it’s
a five million dollar grant which is not five million dollars’ worth of funding, not a
huge amount of money, but it’s interesting. It’s about secure, securing Tor better.
So Tor, for those of you who don’t know, the onion routing, onion route, run, routing
is an application level, it’s an application that runs on top of the internet that secures
your transactional information. It doesn’t work in real time so you can’t use it for
VoIP, but you can use it for web browsing and so on. You can use it for accessing your
Gmail. You can use it for all sorts of things. You don’t, well you need it for accessing,
you don’t really need it for accessing your Gmail, but I guess you could use it for that.
You can use it for all sorts of things. And the point is that the def…this, this technology
was developed at the U, at the Naval Research Labs. It’s useful for law enforcement and
it’s useful for national security. You’ve got an operative working undercover in the
mid-east. Wants to communicate back with Annapolis. Doesn’t want the fact that their safe house
to be exposed. They use Tor. The ISP doesn’t know who they’re communicating with. Okay.
And I’m giving you a real example. The details are not correct, but the flavor of the example
is correct. You’re law enforcement you’re going into a chat room. You want to see who’s
communicating in this, in this child pornography chat room. You don’t want your, your IP
address to say So, real examples.

But that kind of technology one, only works
if there are users who are not working for the U.S. government, because otherwise it’s
obvious they work, everybody using it is with the U.S. government. So the code line is,
the catch line is anonymity loves company. You want this system to be more widely used.
The U.S., DARPA has just funded five million dollars’ worth of research to improve the
quality of Tor in all sorts of ways. So, you’ve got different sides of the U.S. government
working different ways. That’s part of the answer. Another part of the answer is content
is not as important as transactional information. So, let me give you a concrete example. If
the weekend before Oracle announced it was going to buy Sun you knew that the CEO of
Oracle talked to the CEO of Sun and then both of them talked to their lawyers and then both
of them talked again. And then both of them talked to their CTO’s and so on. You would
know what was happening without ever actually listening to the conversation. But I also
gave you plenty of examples. So, so it’s a, it’s a funny kind of race. And then I
was just reading, I was looking at somebody’s Ph.D. thesis the other day, and she made the
point that the NSA in the 1990’s knew it couldn’t stop the deployment of crypto,
but it could delay the deployment of crypto. I don’t know that the FBI is operating on
the same level, that it can’t stop this. I think it still thinks that it can stop this.
And it’s wrong. I think it’s wrong. But it can certainly delay it. And every day that
it delays it is one more day it has an easier way of doing a certain kind of investigation.

I don’t know if I can do questions from
other people or not. Okay.

(Unintelligible question from the room being asked)

It depends what kind of job you do doesn’t
it and who you are and so on. I mean it’s much harder in the U.S. Did everybody hear
the question by the way? I’m assuming you did. It used to be in the U.S. you didn’t
need a whole lot of identification. Now you need it for even you know waitressing jobs
and so on. That’s part of the answer. Another part of the answer has to do with an information
transference that I mentioned twice to people here. So I apologize for repeating to people
here. It used to be when you did a phone call, the two ends of the phone call knew where
each other was, cause the phone was at a physical location. Now that information is owned by
the phone company, because people do phone calls via cell phones. So, when you call somebody,
you’re calling their cell phone. The cell…the phone company knows who the two people are
and where they’re communicating from as opposed to before when the phone company knew
there was a call, but they didn’t know who was actually communicating.

I think it’s a lot harder to start a new
life than it used to be. And that’s about general surveillance rather than about communication
surveillance. So, I think I’m telling you a general comment rather than something that
I have a whole lot of information more about. How bout here? Are we done? Well thank you.

3 thoughts on “Surveillance or Security? The Risks Posed by New Wiretapping Technologies”

  1. If she's going to turn around, let the board be LEVEL with her and the mic attached to her. ASAAAAGGGHHH

