Law enforcement, intelligence agencies want to 'like' you on social media
WASHINGTON — Law enforcement and intelligence agencies want to be able to wiretap social media, instant message and chat services. But building in ways to wiretap these kinds of communication can lead to less secure systems, say technical experts, including former National Security Agency officials.
Some security experts suggest hacking as an alternative, but other experts, including FBI officials, say that method poses serious risks.
Right now only phone companies, broadband providers and some Internet phone services are required by law to build in intercept capabilities, but the government wants to extend that requirement to online communication providers.
“From a purely technical perspective, when you add this sort of law enforcement access feature to a system, you weaken it,” said Steven Bellovin, a computer science professor at Columbia University. “First, it creates an access point that previously didn't exist. Second, you've added complexity to the system ... and most security problems are due to buggy code.”
In 1994, the government passed the Communications Assistance for Law Enforcement Act, which mandated that phone companies make their systems wiretap-ready.
Richard “Dickie” George, a former NSA technical director until he retired in September 2011, recalled how in the mid-1990s, “in the early days of CALEA,” the NSA tested several commercial phone systems with intercept capabilities, and “we found problems in every one.” Making the systems hack-proof, he said, “is really, really hard.”
He said, however, that over the years, “we've come a long way.”
Susan Landau, a faculty member in the Worcester Polytechnic Institute Department of Social Science and Policy Studies in Massachusetts, said phone services are more complicated now — and so the switches are, too.
“It's highly doubtful,” she said, “that the new switches are secure.”
The United States, she said, “has a lot more to lose by building ways into communications networks than it has to gain, because those ways last for a very long time, and we enable others who couldn't afford to build ⅛back doors⅜ in themselves with ways to get into our communications systems.”
One alternative to wiretaps is to hack the target's phone or computer, Bellovin and Landau said. In so doing, the FBI would be exploiting software flaws that exist instead of making new ones, Landau said. And the FBI would be getting communications before they are encrypted or after they are decrypted, Bellovin said.
“They have to be very careful that they don't create a risk that the exploit will proliferate elsewhere,” Landau said. “That's why we argue for increasing the funding for research.”
Marcus Thomas, a former FBI official, said hacking is “unreliable and dangerous because hacks can propagate.”