Tuesday, February 22, 2011

Deconstructing the CALEA hearing

Last Thursday, the House Judiciary Committee held a hearing focused on law enforcement surveillance of modern Internet services.

Although both the New York Times and CNET have stories on the hearing, I don't think either publication covered the important details (nor did they take the time to extract and post video clips).

The FBI is no longer calling for encryption backdoors

When Charlie Savage at the New York Times first broke the news last year that law enforcement officials were seeking more surveillance capabilities, it seemed quite clear that the FBI wanted to be able to access encrypted communications. Consider, for example, this statement by the General Counsel of the FBI:
"No one should be promising their customers that they will thumb their nose at a U.S. court order," Ms. Caproni said. "They can promise strong encryption. They just need to figure out how they can provide us plain text."
That threat spooked the hell out of a lot of people in the privacy community and at technology companies. However, in the months that followed, rumors started to circulate that as a result of negotiations within the administration encryption was now "off the table."

Thus, many of us in Washington were not entirely surprised to see Ms. Caproni walk back her previous statements on encryption when she testified last Thursday:
Law enforcement (or at least, the FBI) has not suggested that CALEA should be expanded to cover all of the Internet...

But let's turn directly to encryption. Encryption is a problem. It is a problem we see for certain providers. It's not the only problem.

If I don't communicate anything else today, I want to make sure that everyone understands. This is a multifaceted problem. And encryption is one element of it, but it is not the entire element. There are services that are not encrypted, that do not have an intercept solution. So it's not a problem of them being encrypted. It's a problem of the provider being able to isolate the communications and deliver them to us in a reasonable way so that they are usable in response to a court order...

There are individual encryption problems that have to be dealt with on an individual basis. The solution to encryption is the part of CALEA which says that if the provider is encrypting the communications, and so if they have the ability to decrypt and give them in the clear, then they're obligated to do that. That basic premise: that provider-imposed encryption, where the provider can give us communications in the clear, they should do that. We think that is the right model. No one's suggesting that Congress should re-enter the encryption battles that were fought in the late 90's, and talk about sequestered keys or escrowed keys and the like. That is not what this is about.




Why the FBI doesn't really need encryption back doors

The bit of CALEA that she is talking about is 47 USC 1002(b)(3), which states that:
A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.
US law is surprisingly clear on the topic of encryption -- companies are free to build it into their products, and if they don't have the decryption key, they can't be forced to deliver their customers' unencrypted communications or data to law enforcement agencies.

While Skype uses some form of proprietary end-to-end encryption (although it should be noted that the security experts I've spoken to don't trust it), and RIM uses encryption for its Enterprise Blackberry messaging suite, the vast majority of services that consumers use today are not encrypted. Those few services that do use encryption, such as Google's Gmail, only use it to protect the data in transit from the user's browser to Google's servers. That is transport encryption, and Google holds the keys for it. Once Google receives the data, it is stored in the clear, where Google can read it and hand it over.

There is one simple reason for this, which I described in a law journal article last year:
It is exceedingly difficult to monetize a data set that you cannot look at. Google’s popular Gmail service scans the text of individual emails, and algorithmically displays relevant advertisements next to the email. When a user receives an email from a friend relating to vacation plans, Google can display an advertisement for hotels near to the destination, rental cars or travel insurance. If those emails are encrypted with a key not known to Google, the company is unable to scan the contents and display related advertising. Sure, the company can display generic advertisements unrelated to the user’s communications contents, but these will be far less profitable.

Google’s Docs service, Microsoft’s Hotmail, Adobe’s Photoshop Express, Facebook, and MySpace are all made available for free. Google provides its users with gigabytes of storage space, yet doesn’t charge a penny for the service. These companies are not charities, and the data centers filled with millions of servers required to provide these services cost real money. The companies must be able to pay for their development and operating costs, and then return a profit to their shareholders. Rather than charge their users a fee, the firms have opted to monetize their user’s private data. As a result, any move to protect this data will directly impact the companies’ ability to monetize it and thus turn a profit. Barring some revolutionary developments from the cryptographic research community, advertising based business models are fundamentally incompatible with private key encrypted online data storage services.
Robert Scoble also addressed this very same issue last year, writing about the reasons why major location based services have not adopted privacy preserving technologies:
Well, there’s huge commercial value in knowing where you’re located and [service providers] just aren't willing to build really private systems that they won’t be able to get at the location info. Think about a Foursquare where only your friends would be able to see where you were, but that Foursquare couldn’t aggregate your location together with other people, or where it wouldn’t be able to know where you are itself. They wouldn't be able to offer you deals near you when you check in, the way it does today.
The FBI knows that most services are not going to be using full end-to-end encryption, and as such, there is not much to be gained by fighting a public battle over encryption backdoors. In her testimony on Thursday, Ms. Caproni drove this point home:
We're suggesting that if the provider has the communications in the clear and we have a wiretap order, that the provider should give us those communications in the clear.

For example, Google for the last 9 months has been encrypting all Gmail. As it travels over the internet, it's encrypted. We think that's great. We also know that Google has those communications, and in response to a wiretap order, they should give them to us, in the clear.
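To make the 1002(b)(3) distinction concrete, here is an added illustration. It is not code from this post and not anything Google, Skype or RIM actually runs; the `Provider` class, the `send_transport_only` and `send_end_to_end` helpers, the sample message and the toy cipher are all invented for the example. It models a webmail provider that, like Gmail, terminates the transport encryption itself and therefore always holds that key. One user sends mail the Gmail way (encrypted only in transit); the other encrypts client-side under a key the provider never sees. The provider then tries to do the two things the post talks about: scan the body to match advertisements, and answer a wiretap order "in the clear". The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, a stand-in for a real AEAD such as AES-GCM so that the script runs on the Python standard library alone.

```python
"""Toy model of the 47 USC 1002(b)(3) distinction.

Added illustration, not code from the original post and not anything
Google, Skype or RIM runs. Provider, send_* and the cipher are invented
for this example. The cipher (HMAC-SHA256 counter-mode keystream plus an
encrypt-then-MAC tag) stands in for a real AEAD such as AES-GCM so the
script needs only the standard library.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes):
    # Separate confidentiality and integrity keys derived from one root key.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then strip the keystream."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class Provider:
    """A webmail-style service. It always holds the transport (TLS-like)
    session key, because it is one end of that connection."""

    def __init__(self):
        self.session_key = os.urandom(32)
        self.store = {}  # user -> list of stored message bodies

    def receive(self, user: str, wire_blob: bytes) -> None:
        # Terminating the transport layer is always possible for the provider.
        body = decrypt(self.session_key, wire_blob)
        self.store.setdefault(user, []).append(body)

    def scan_for_ads(self, user: str, keyword: bytes) -> bool:
        # The business model described in the post: read the body, match ads to it.
        return any(keyword in body for body in self.store.get(user, []))

    def respond_to_wiretap_order(self, user: str) -> list:
        # Hands over exactly what it stores; "in the clear" only if that is plaintext.
        return list(self.store.get(user, []))


def send_transport_only(provider: Provider, user: str, message: bytes) -> None:
    """Gmail-style: encrypted browser->server, plaintext at rest."""
    provider.receive(user, encrypt(provider.session_key, message))


def send_end_to_end(provider: Provider, user: str, user_key: bytes,
                    message: bytes) -> None:
    """Client-side encryption under a key the provider never sees, then transport."""
    inner = encrypt(user_key, message)
    provider.receive(user, encrypt(provider.session_key, inner))


def demo() -> dict:
    provider = Provider()
    # Constructed sample message, echoing the vacation-email example in the post.
    msg = b"Flying to Lisbon on Friday, need a rental car and a hotel"
    send_transport_only(provider, "alice", msg)
    bob_key = hashlib.sha256(b"bob's passphrase, never sent to the provider").digest()
    send_end_to_end(provider, "bob", bob_key, msg)
    return {
        "alice_scannable": provider.scan_for_ads("alice", b"rental car"),
        "bob_scannable": provider.scan_for_ads("bob", b"rental car"),
        "alice_order_in_clear": provider.respond_to_wiretap_order("alice") == [msg],
        "bob_order_in_clear": provider.respond_to_wiretap_order("bob") == [msg],
        "bob_can_still_read": decrypt(bob_key, provider.respond_to_wiretap_order("bob")[0]) == msg,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the first user's mail is both ad-scannable and deliverable in the clear, while the second user's is neither, even though the provider terminated the transport encryption for both. The caveat worth keeping in mind is that the statute turns on key custody, not on where the bytes happen to be encrypted: a provider that ships the client-side code (say, the JavaScript in a webmail page) can be compelled to ship a modified client, so "does not possess the information necessary to decrypt" is only as strong as the user's ability to verify the client they are running.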




Privacy by design vs. insecurity by design

In the report it issued in December, the Federal Trade Commission called on companies to embrace "privacy by design":
[C]ompanies should adopt a "privacy by design" approach by building privacy protections into their everyday business practices. Such protections include providing reasonable security for consumer data, collecting only the data needed for a specific business purpose, retaining data only as long as necessary to fulfill that purpose, safely disposing of data no longer being used, and implementing reasonable procedures to promote data accuracy.
Building encryption into products, turning it on by default, and using it to protect all data is the ultimate form of privacy by design. While the FTC is encouraging firms to embrace this philosophy, the FBI is betting that poor security will remain the default. Sure, a few individuals will know how to encrypt their data, but the vast majority will not. It is because of this that the FBI can avoid a fight over encryption. Why bother, when so little data is encrypted?

Consider Ms. Caproni's argument:
There will always be criminals, terrorists and spies who use very sophisticated means of communications that create very specific problems for law enforcement. We understand that there are times when you need to design an individual solution for an individual target. That's what those targets present. We're looking for a better solution for most of our targets, and the reality is I think sometimes we want to think that criminals are a lot smarter than they really are. Criminals tend to be somewhat lazy, and a lot of times, they will resort to what is easy.

So long as we have a solution that will get us the bulk of our targets, the bulk of criminals, the bulk of terrorists, the bulk of spies, we will be ahead of the game. We can't have to design individualized solutions, as though they were sophisticated targets who were self-encrypting, putting a very difficult encryption algorithm on, for every target we find, because not every target is using such sophisticated communications.
While I understand her perspective, the problem I have is that her description of criminals as "lazy" people who use technology that is "easy" also describes the vast majority of the general public. For the FBI's plan to work, then, easy-to-use encryption must be kept out of the hands of the general public, because that is the only way to keep it out of the hands of lazy criminals.



If encryption is off the table, what is the FBI after?

During the hearing Ms. Caproni noted that both RIM and Skype were foreign companies, and not subject to CALEA. She had ample opportunities to call out these companies, and instead opted not to do so. As such, at least right now, it looks like the two firms may be safe.

So, with Skype, RIM, and the general encryption issue off the table, you must be wondering what exactly the FBI wants. From what I can gather, quite a few things, many of which impact privacy in a big way, but which will lead to far less press than those other high profile issues.




Ms. Caproni didn't name names at the hearing, but it is pretty easy to identify the companies and services that she and her colleagues are interested in.

  • Real-time interception of cloud services. Google, Microsoft, Facebook and Twitter are all legally required to provide after-the-fact access to their customers' stored data, in response to a valid legal process. The law does not require them to provide real-time interception capabilities. What this means is that while the government can go to Google and ask for all searches conducted by a particular user, they can't ask for all future searches or Google Chat instant message communications. These companies are under intense pressure to provide such real-time, prospective access to user data.

  • Voice services that do not connect to the public telephone network. Google and Facebook both offer in-network audio chat to their users (Google also offers video). Microsoft's XBox 360 service, Blizzard and several other online video game platforms allow users to chat (or, as often as not, insult each other) while they play against other users online. At least from published information, I'm not aware of any of these companies offering interception capabilities -- and so law enforcement agencies almost certainly want access to this.

  • Virtual Private Network (VPN) services. These services, many of them paid, are increasing in popularity among users who want a bit of privacy when they surf. They enable users to browse the web when using unsecured public WiFi networks without having to worry about hackers stealing their data; browse the web at home without having to worry about their broadband Internet Service Provider using Deep Packet Inspection technology to spy on them; access streaming content that is restricted by country (for example, allowing foreigners to watch hulu, or US residents to watch the BBC); and download files from P2P networks without having to worry about Hollywood studios, record labels and porn companies suing them.

    Many users turn to these commercial VPN services in order to obtain privacy online, and it is because of this that many services have strict no-logging policies. They do not know what their users are doing online, and don't want to know. However, many of these services are based in the US (or at least, have many servers in US datacenters), and could very easily keep logs if they were forced to do so.

What happens next?

Last week's hearing was just the first step in what will likely be a long battle. There will be more hearings, and eventually, the FBI will return with draft legislation. In the meantime, all the major tech companies in Silicon Valley will no doubt continue to engage in private, high-pressure negotiations with senior FBI officials who will tell them they can avoid new legislation by voluntarily building new surveillance capabilities into their products.

Friday, February 18, 2011

No New Surveillance Powers For The War On Drugs

At two hearings over the past month, including one yesterday, senior officials from the Department of Justice asked Congress to significantly expand its ability to monitor and investigate the online communications of Americans.

Law enforcement officials claim that it is too difficult to snoop on users of modern services like Skype, Blackberry, Facebook and Google, as the companies have not built wiretap capabilities into their services. The Department of Justice would also like wireless and residential Internet Service Providers to keep records that would make it easier to determine after-the-fact which particular customer visited specific websites.

These officials argue that technology companies should be required to build new surveillance capabilities in order to more effectively investigate child pornographers and terrorists. This is a politically savvy argument, as no member of Congress will want to risk appearing weak on terrorism or child pornography.

The reality is that most law enforcement surveillance powers are used in support of the war on drugs, not to investigate terrorists or pedophiles. As such, Congress should first demand reliable statistics on law enforcement’s existing Internet surveillance activities before even considering the FBI’s request for more powers.

The American public may be willing to give up their privacy and civil liberties in order to actually prevent terrorism and the sexual exploitation of children. This deal is far less attractive if the new surveillance powers will instead be used to continue a failed prohibition opposed by millions of Americans.

Statistics are useful


Each year, federal and state law enforcement agencies obtain thousands of court orders that allow them to secretly wiretap the telephones of American citizens. We know this because Congress requires annual reports regarding the use of these surveillance powers.

The first documented instances of law enforcement wiretaps were used to investigate bootleggers during Prohibition. Decades later, as the wiretap reports confirm, the vast majority of intercepts are used to enforce our modern day prohibition: the war on drugs. For example, of the 2,376 wiretap orders issued in 2009, 86% (2,046) were obtained as part of narcotics investigations.


Similarly, of the 763 “sneak and peek” search warrants obtained in 2009, 474 were obtained in investigations of drugs, and only 3 were used in investigations of terrorism. These surveillance orders allow government agents to search a home without telling the owner or resident until weeks or months later. Law enforcement agencies were given this authority as part of the Patriot Act, after the Department of Justice claimed that the powers were necessary to allow “law enforcement to conduct investigations without tipping off terrorists.” However, a report published by the Administrative Office of the Courts in 2009 revealed that the powers are primarily used to investigate drugs, not terrorism.

Unfortunately, while accurate statistics exist for wiretaps, and for the sneak and peek authority granted as part of the Patriot Act, we are largely in the dark regarding most of the tens of thousands of requests made each year to phone companies and Internet service providers. There are no statistics that document law enforcement requests for email, instant messaging, social network profiles, search engine history, or geographic location information from mobile phones.

Not only do we have no way of knowing the total number of requests made by law enforcement officers each year, but we also do not know what kinds of crimes they are investigating. Instead, all we have are unverifiable anecdotes from law enforcement officials, who selectively reveal them in order to justify their push for increased surveillance powers.

If the statements of law enforcement officials are to be believed, most of their online investigations involve child pornography. However, the published statistics for other forms of surveillance suggest that they are likely in support of the war on drugs. The only way to be sure would be for Congress to require the collection and publication of statistics covering law enforcement agencies’ surveillance of Internet applications and communications. As Senator Leahy noted more than 10 years ago, surveillance statistics serve as a “more reliable basis than anecdotal evidence on which to assess law enforcement needs and make sensible policy in this area.”

Rather than granting the Department of Justice the sweeping new surveillance powers it seeks, Congress should first seek and obtain detailed reports on the use of modern surveillance techniques. There is no need to rush the passage of new authority; especially since, as the debate over the renewal of the Patriot Act has clearly demonstrated, rolling back powers is much tougher than granting new ones.

Wednesday, February 16, 2011

CALEA: It is about the money

Cash Rules Everything Around Me
C.R.E.A.M.
Get the money
Dollar, dollar bill y'all
-- Wu Tang Clan
Tomorrow, the House Judiciary Committee will hold a hearing on the topic of CALEA, and the FBI's desire to get backdoors in modern services like Skype, Google, Facebook and RIM's Blackberry. The mass adoption of these services, the FBI claims, is leading to a situation where law enforcement agencies have "gone dark," and lost the ability to intercept the communications of suspects in real time.

This is not the first time that the FBI has come to Congress to ask for increased surveillance powers -- The FBI spent a good part of the 90s sending people to Capitol Hill, asking for backdoors in encryption.

What does surprise me is that the tech companies are nowhere to be seen, and have not deployed anyone publicly to fight this proposal. Compare this, for a moment, to the cloud computing privacy hearing held by the same House Committee last September, where Google, Microsoft, Amazon, Rackspace and Salesforce all sent executives to argue for stronger privacy laws.

Last year, those companies were vocally asking for stronger privacy laws that would make it more difficult for law enforcement agencies to access their customers' data. Now, these same firms are being asked to put backdoors in their services, and make it easier for the government to snoop on their customers. Are they fighting this? No.

Instead, they are hiding behind industry-funded advocacy groups, like the Center for Democracy and Technology, which has written a softly-worded statement of concern.

Google, Microsoft and Facebook have excellent, well-funded teams of lobbyists. The fact that they are not appearing at the hearing tomorrow and have not issued any public statements about the topic is a clear sign that these companies are doing everything possible to keep a low profile on this issue.

If I had to guess why, I suspect that they don't want to do anything to upset Congress, particularly now that the topic of commercial privacy is very much on the legislative agenda. If they put their foot down on CALEA, they may find themselves with few friends when members start considering bills to limit behavioral advertising.

Priority #1: Gotta get paid

When Congress passed CALEA in 1994, it set aside $500 million to help with the cost of designing and deploying wiretap capable networking equipment. Unfortunately, as a 2008 DOJ Inspector General report (pdf) revealed, it was not possible to tell if the money was well-spent, since neither the telecoms nor the switch makers were willing to share the necessary information.

With that in mind, this bullet point from CDT's statement of concern caught my eye:
"Avoid unfunded mandates: The costs of implementing any new proposals should be borne by the government."
While tech companies aren't particularly crazy about adding new snooping capabilities into their services, they are even less excited about having to eat the financial cost of developing and deploying those backdoors.

Even though CDT seems to think otherwise, there are strong policy advantages to sticking companies with these costs. The most important one being that Google and Facebook are far more likely to take a strong position against CALEA II if they are going to get stuck with the check. If these firms know they are going to get millions of dollars for upfront surveillance development, they are far less likely to fight, and will instead spend more of their time haggling over the details, and in particular, lobbying for a larger payout with less oversight.

Charging the government for individual requests is good
"When I can follow the money, I know how much of something is being consumed - how many wiretaps, how many pen registers, how many customer records. Couple that with reporting, and at least you have the opportunity to look at and know about what is going on.
-- Albert Gidari Jr., Keynote Address: Companies Caught in the Middle, 41 U.S.F. L. Rev. 535, Spring 2007.
This is not to say that I am opposed to companies making the government pay for the assistance they are legally required to provide. I just think that the payment should be associated with specific investigations and requests, rather than a huge cash payment for developing and deploying surveillance capabilities.

The reason for this is that invoices for surveillance serve as a fantastic paper trail documenting the scope and scale of government snooping. Through Freedom of Information Act requests, I have obtained invoices from both Google and Yahoo, which detailed the kinds of requests they were getting, and helped me to discover that the US Marshals have essentially granted themselves a new surveillance power that is not in the law.

Charging for law enforcement assistance also tends to limit their use to only those records necessary. As Al Gidari told the House Judiciary Committee in testimony last year:
When records are "free," such as with phone records, law enforcement over consumes with abandon. Pen register print outs, for example, are served daily on carriers without regard to whether the prior day's output sought the same records. Phone record subpoenas often cover years rather than shorter, more relevant time periods. But when service providers charge for extracting data, such as log file searches, law enforcement requests are more tailored.

It is for these reasons that I have pleaded with attorneys at Microsoft and Facebook to start charging the government. Even though the law permits them to do so, both firms currently deliver user data to law enforcement agencies for free.

Recoup the high costs of surveillance technology through high per-request fees

A 2006 report from the DOJ Inspector General revealed that:
One carrier informed us that most of the costs it billed to law enforcement are for overtime and recovery of capitalized hardware and software costs. These representatives stated that capital costs are the major costs incurred by a carrier, and that these costs are entirely proper for carriers to recover.
For once, I actually agree with the carriers. If they had to spend millions of dollars deploying CALEA compliant intercept equipment, then it is only reasonable that they recoup it by charging $3500 for a 30 day wiretap (as Cox Communications does).

The problem with charging $3500 for a wiretap is that the police will complain, as this money comes out of their budget. The same 2006 Inspector General report confirmed this:
Law enforcement's biggest complaint regarding CALEA is the relatively high fees charged by carriers to conduct electronic surveillance. A traditional wiretap costs law enforcement approximately $250. However, a wiretap with CALEA features costs law enforcement approximately $2,200 according to law enforcement officials and carrier representatives we interviewed. A law enforcement official noted that, "[w]ith CALEA, the carriers do less work but it costs approximately 10 times as much to do a CALEA-compliant tap versus a traditional tap."

If Congress is considering spending another $500 million on CALEA II (and I hope it doesn't), it should give it out in grants to state and local law enforcement agencies. Give them each a pool of money, and let them decide how they want to spend it. If they want to use it to hire more officers, or buy body armor, that is their choice. If they want to pay for CALEA II wiretaps provided by Google, Facebook and Skype, well, that is their choice too. In the real world, there are opportunity costs associated with every purchase, and the police should have to experience these too. Surveillance should be expensive -- that is the best way to make sure these powers are not overused, or abused. Unfortunately, at just $25 for an individual user's account, Google and Yahoo are not charging nearly enough.