Monday, September 27, 2010

New wiretap Bill


It appears the Obama administration is attempting to expand (or simply renew, depending on who's view you read) the government's ability to listen in on communications. It seems the law enforcement agencies are getting feeling left-out in the age of TCP/IP based communications. While their power currently gives them the authority to monitor internet traffic, the new age of readily available and virtually uncrackable encryption protocols has the security agencies in a tizzy.

If I follow their argument correctly, they would require communications companies (which is only loosely defined at the moment) to have backdoors into the encryption algorithms that they use to protect customer data. This would give law enforcement a way to quickly eavesdrop on communications being sent by a party. Allegedly they would still need a warrant and everything to carry out these wiretaps.

As an initiate in the field of computer security I have a few REALLY big problems with this plan.

First, obviously, a potential invasion of personal privacy. Supporters may say "but they already have the ability to wiretap which seems pretty legit" and it does to a point. But the fact of the matter is wiretapping a person's phone takes a little more than decrypting messages; it requires hardware to be installed, bugs to be placed, personnel to be positioned, etc. These extra measures makes it prohibitively expensive to perform a phone wiretap on anyone except those you have reasonable suspicion against. Having a back door to an encryption algorithm would, in theory, allow one guy with a warrant and a laptop to go to a ISP network hub and listen to any transmission over that line. Would they, maybe-maybe not, but it would potentially give them the ability, with appropriate legislation, to screen all private, encrypted transmissions for keywords or suspicious activity.

Secondly, possibly more importantly, this measure could open a massive security hole in traditionally secure transmissions. If the companies and the government have a backdoor to the encryption then (especially if it is well known that there is a backdoor) you'll have every kiddie, hacker and bored college student from here to china trying to get in. Will they be able too? That depends on the amount of work the company puts into designing this back door. The algorithms and keys would need to be constantly updated or someone will figure out the way in and could potentially access millions of confidential transmissions. All those engineers working on this would cost the company time and money which will lead to a higher cost and or a lower quality service to the consumer.

Three, this would be a logistical nightmare to implement. The cost of designing and testing new algorithms with the backdoor would be enormous. It took nearly two years for the DES algorithm to be designed and tested, and that turned out to not be totally secure (reasonably secure, but not totally).

Four, this bill passing would likely spur a wave of third-party anonymous freeware algorithms; most of which would probably be weak from a security stand-point, but would gain the security through obscurity bonus on a scale the likes of which we've never seen.

Five, This wouldn't stop client-side encryption with secure protocols, only ISP side encryption; so any terrorist with half a brain would put all of his communications through AES and the government would be SOL.

There's probably more reasons but that's what I can think of for now.


  1. I disagree, the internet is secure and we can keep anyone out, just you watch

  2. Like you I have huge problems with the lack of privacy that'd bring... We have rights.

  3. Everyday our right are infringed upon more and more

  4. Just came across your blog bro. You should visit mine too. I just started it.

  5. It's always a catch 22, we want to be safe, but we have to ask ourselves at what cost to our freedoms and privacy.

  6. Wow, this is pretty fucking scary. Shit is getting real in the United States. Keep the good info coming, bro.