Showing posts with label CALEA. Show all posts

Monday, August 19, 2013

Must Read: Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet

Steven M. Bellovin (Columbia), Matt Blaze (Penn), Sandy Clark (Penn), and Susan Landau (Harvard; Sun Microsystems) have posted an incredible paper that was presented at the Privacy Legal Scholars Conference in June 2013. The paper is entitled "Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet"; I have a general aversion to the term "must read," so my use of that term is indicative of the quality of the content.

The abstract:
For years, legal wiretapping was straightforward: the officer doing the intercept connected a tape recorder or the like to a single pair of wires. By the 1990s, though, the changing structure of telecommunications — there was no longer just “Ma Bell” to talk to — and new technologies such as ISDN and cellular telephony made executing a wiretap more complicated for law enforcement. Simple technologies would no longer suffice. In response, Congress passed the Communications Assistance for Law Enforcement Act (CALEA), which mandated a standardized lawful intercept interface on all local phone switches. Technology has continued to progress, and in the face of new forms of communication — Skype, voice chat during multi-player online games, many forms of instant messaging, etc. — law enforcement is again experiencing problems. The FBI has called this “Going Dark”: their loss of access to suspects’ communication. According to news reports, they want changes to the wiretap laws to require a CALEA-like interface in Internet software.
CALEA, though, has its own issues: it is complex software specifically intended to create a security hole — eavesdropping capability — in the already-complex environment of a phone switch. It has unfortunately made wiretapping easier for everyone, not just law enforcement. Congress failed to heed experts’ warnings of the danger posed by this mandated vulnerability, but time has proven the experts right. The so-called “Athens Affair”, where someone used the built-in lawful intercept mechanism to listen to the cell phone calls of high Greek officials, including the Prime Minister, is but one example. In an earlier work, we showed why extending CALEA to the Internet would create very serious problems, including the security problems it has visited on the phone system.
In this paper, we explore the viability and implications of an alternative method for addressing law enforcement's need to access communications: legalized hacking of target devices through existing vulnerabilities in end-user software and platforms. The FBI already uses this approach on a small scale; we expect that its use will increase, especially as centralized wiretapping capabilities become less viable.
Relying on vulnerabilities and hacking poses a large set of legal and policy questions, some practical and some normative. Among these are: 
• Will it create disincentives to patching?
• Will there be a negative effect on innovation? (Lessons from the so-called “Crypto Wars” of the 1990s, and, in particular, the debate over export controls on cryptography, are instructive here.)
• Will law enforcement’s participation in vulnerabilities purchasing skew the market?
• Do local and even state law enforcement agencies have the technical sophistication to develop and use exploits? If not, how should this be handled? A larger FBI role?
• Should law enforcement even be participating in a market where many of the sellers and other buyers are themselves criminals?
• What happens if these tools are captured and re-purposed by miscreants?
• Should we sanction otherwise-illegal network activity to aid law enforcement?
• Is the probability of success from such an approach too low for it to be useful? 
As we will show, though, these issues are indeed challenging. We regard them, on balance, as preferable to adding more complexity and insecurity to online systems.

Wednesday, May 8, 2013

Featured Paper: Jonesing for a Privacy Mandate, Getting a Technology Fix--Doctrine to Follow

Stephanie K. Pell has posted a new paper on SSRN entitled: "Jonesing for a Privacy Mandate, Getting a Technology Fix--Doctrine to Follow." Hat-tip to Chris Soghoian for mentioning it on Twitter. The article abstract is below:
While the Jones Court held unanimously that the government’s use of a GPS device to track Antoine Jones’ vehicle for 28 days was a Fourth Amendment search, the Justices disagreed on the facts and rationale supporting the holding. Beyond the very narrow trespass-based search theory regulating the government’s attachment of a GPS device to Jones’ vehicle with the intent to gather information, the majority opinion does nothing to constrain government use of other tracking technologies, including cell phones, which merely involve the transmission of electronic signals without physical trespass. While the concurring opinions endorse application of the Katz reasonable expectation of privacy test to instances of government use of tracking technologies that do not depend on physical trespass, they offer little in the way of clear, concrete guidance to lower courts that would seek to apply Katz in such cases. Taken as a whole, then, the Jones opinions leave us still jonesing for a privacy mandate. As of the writing of this Article, Congress has not been successful in passing legislation that would regulate government use of tracking technologies. A third regulator of government power has emerged, however, in the form of technology itself, specifically in new(ish) methods an individual or group of individuals can use to make it more difficult, in some cases perhaps impossible, for law enforcement to obtain the information it seeks. While waiting for more definitive action from the courts and Congress, such “privacy enhancing” anonymization and encryption technologies can provide a temporary “fix” to the problem of ever-expanding police powers in the digital age, insofar as they make law enforcement investigations more difficult and expensive, thereby forcing law enforcement to prioritize some investigations and, perhaps, de-emphasize or drop others.
Moreover, at a time when cybersecurity is a national security priority and recommended “best practices” include the use of encryption technologies to protect, among other things, US intellectual property, law enforcement is likely to face continued instances of “Going Dark” as it attempts to intercept communications in the face of the increasing availability and use of encryption technologies. As Congress considers possibilities for expanding law enforcement interception capabilities, it will be forced to accommodate the complex dualistic properties of technologies that, on one hand, bolster our national security against certain kinds of threats while, on the other, they limit or thwart law enforcement’s ability to fulfill its traditional public safety function of investigating crimes.