
Tuesday, September 28, 2010

CALEA and encryption

Reading through Charlie Savage's New York Times piece yesterday, which arguably marks the beginning of the second crypto wars, one might get the impression that law enforcement officials are merely seeking to tweak the law in order to maintain the existing status quo:

"We're talking about lawfully authorized intercepts," said Valerie E. Caproni, general counsel for the Federal Bureau of Investigation. "We're not talking expanding authority. We're talking about preserving our ability to execute our existing authority in order to protect the public safety and national security."

...

To counter such problems, officials are coalescing around several of the proposal’s likely requirements:

* Communications services that encrypt messages must have a way to unscramble them.

I think it is reasonable to assume that very few people have read the text of the Communications Assistance for Law Enforcement Act (CALEA), and so it is quite reasonable that the average layperson (or even interested technologist) might assume that existing US law has nothing to say about encryption, since, after all, Skype didn't exist when CALEA was passed in 1994. That is incorrect -- not only does the law speak about encryption, but it specifically protects the right of companies to build strong encryption for which only the customer has the decryption key into their products.

47 USC 1002(b)(3):
A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.

Also from the CALEA legislative history:

Finally, telecommunications carriers have no responsibility to decrypt encrypted communications that are the subject of court-ordered wiretaps, unless the carrier provided the encryption and can decrypt it. This obligation is consistent with the obligation to furnish all necessary assistance under 18 U.S.C. Section 2518(4). Nothing in this paragraph would prohibit a carrier from deploying an encryption service for which it does not retain the ability to decrypt communications for law enforcement access.

...

Nothing in the bill is intended to limit or otherwise prevent the use of any type of encryption within the United States. Nor does the Committee intend this bill to be in any way a precursor to any kind of ban or limitation on encryption technology.
To the contrary, section 2602 protects the right to use encryption.

If the FBI and other law enforcement agencies get their way, they will not be tweaking existing law to deal with new technologies, but fundamentally changing how the government regulates technology.

Friday, July 17, 2009

Reading between Yoo's lines

Writing in the Wall Street Journal yesterday, torture/illegal wiretapping enabler John Yoo argued:
Unlike, say, Soviet spies working under diplomatic cover, terrorists are hard to identify. Yet they are vastly more dangerous. Monitoring their likely communications channels is the best way to track and stop them. Building evidence to prove past crimes, as in the civilian criminal system, is entirely beside the point. The best way to find an al Qaeda operative is to look at all email, text and phone traffic between Afghanistan and Pakistan and the U.S.
While Yoo doesn't come out and say it, the far more obvious difference between KGB spies and Al Qaeda operatives is that the Russians probably used strong encryption rather than, say, a shared Hotmail account.

The US government snooped on the communications of millions of Americans because Joe Terrorist still doesn't know how to use Pretty Good Privacy. If Al Qaeda's communications were all protected by strong encryption, it probably would have been much tougher to justify (even inside the permissive Yoo/Gonzales Department of Justice) the disgraceful warrantless interception and "other programs" which we still have yet to learn much about.