TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | “Going Dark” vs. “Going Secure” New CDT Experts’ Report on CALEA II Related reading: Notes from the IAPP Europe, 23 Feb. 2024



According to press reports, the FBI is close to persuading the rest of the Obama administration to support major changes to the Communications Assistance to Law Enforcement Act of 1994 (CALEA).  A major new report of technical experts released this week concludes: “Requiring software vendors to build intercept functionality into their products is unwise and will be ineffective, with the result being serious consequences for the economic well-being and national security of the U.S.”

Until now, CALEA has applied to telephone services and software and has required that they be “wiretap ready,” so that a wiretap court order can be carried out successfully. Under the new proposal, this “wiretap ready” requirement would apply far more broadly, to peer-to-peer VoIP (voice over Internet protocol) systems—the many types of software and services that allow direct, peer-to-peer communication.  Examples range from instant messaging and chat to Skype to Google Hangouts to Xbox Live.

When CALEA was first considered, the FBI had wanted its requirements to apply broadly to the Internet; it’s safe to say that this would have stifled the incredible innovation and diversity on the Internet that has occurred since 1994.

The FBI has argued that these new technology mandates are needed because it is “going dark,” because new and evolving Internet technologies mean that government may not have a way to get the content of communications with a wiretap order. In a 2011 paper, Kenesa Ahmad and I argued that “going dark” is the wrong image and that today should instead be understood as a “golden age of surveillance.” As members of the IAPP know, law enforcement and national security agencies today have far greater data gathering capabilities than ever before, such as: (1) location information; (2) information about contacts and confederates, and (3) an array of new databases that create digital dossiers about individuals’ lives.

Rather than focusing on the validity of the FBI’s claim that it is being disadvantaged by the advance of technology, the technologists’ report examines the technical aspects of expanding wiretap obligations. A central point is that a wiretap mandate will present serious security risks, a point that Susan Landau has explained in detail in her excellent book “Surveillance or Security?” Building holes and backdoors into widely-available software and services creates vulnerabilities that can be exploited by a range of bad actors, including hackers, individual employees at the software companies and government officials in the numerous countries that will expect the same access afforded to the FBI. When it comes to cybersecurity online, the first rule for government should be “do no harm.”

Unfortunately, the FBI proposal would harm cybersecurity.

For more detail, I strongly support going to the technologists’ report. What is at stake is no less than the future of secure communications on the Internet. In the 1990s, law enforcement agencies tried to prevent the use of effective encryption for fear that the wiretaps of that era would no longer succeed. After extended debate, the Clinton administration in 1999 ultimately decided that strong encryption should become widely used, as I have discussed in a 2012 paper on “Encryption and Globalization.

We should learn the lessons from the “crypto war” debates of the 1990’s. The widespread use of effective encryption does mean changes in the ways that law enforcement will seek lawful access to communications, including greater reliance on stored records rather than real-time communications. But we should choose to “go secure” in our Internet infrastructure, especially since the case is so weak that the FBI and other agencies are actually “going dark.”

photo credit: Don Hankins via photopin cc


If you want to comment on this post, you need to login.