«
»

The more things change (wiretapping the internet)

I feel like we’ve been here before.  The Administration is planning to sponsor legislation to make it easier to (legally) “wiretap the Internet“.  Based on what little has been written, it appears that Justice is arguing that CALEA (and more!) should apply to the Internet.  If that’s the case, then every manufacturer of Internet routing and switching gear would be required to build in the capability for law enforcement to activate a “tap” remotely and with no way for the provider to be aware of it.  Oh, and LE gets decryption assistance, too.

This will not end well.  I don’t have lots of answers, but I’ve got a lot of questions.  Feel free to answer them in the comments 🙂

1. Why bother with the legislation?  The Bush Administration already illegally authorized wiretapping.  Oh, you want the evidence admissible?

2. Which equipment will this apply to?  Large core routers and switches, certainly.  What about my home router?  What about equipment manufactured in China, Russia, Taiwan?  So, all networking gear has to have government approval before installation?  What about a VM appliance, or a home-grown BSD-based firewall?  Will it become illegal to create your own firewall, or use an open source based router/firewall?

3. How will the requirements to support decryption work?  Will US citizens (and companies) be forced to use NERF’ed encryption?  Will the end-to-end SSL/TLS model be deliberately broken to force enabling of  a man-in-the-middle attack?  How will this play against PCI requirements to use best practices.  We’re already seeing massive data spills of credit card and personal data, and the common denominator is often poor or nonexistent encryption.

I don’t claim that there is no need for increased ability for law enforcement to collect and process digital evidence, including network traffic.  That need is real, and in our collective best interests.  But this legislation, as currently described, is impractical and over-reaching, prone to abuse and unenforceable, and completely changes the balance of power between individuals and the government.

Related Articles

This entry was posted on January 16, 2011, 11:48 am and is filed under best practice, personal privacy, System Administration, the business of system administration. You can follow any responses to this entry through RSS 2.0. Both comments and pings are currently closed.