Want CNET to notify you of price drops and the latest stories?

FBI to announce new Net-wiretapping push

CNET learns that the agency will reveal it is "increasingly unable" to conduct some types of electronic surveillance because of Web-based e-mail, social networking sites, and P2P technology.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
5 min read

The FBI is expected to reveal tomorrow that because of the rise of Web-based e-mail and social networks, it's "increasingly unable" to conduct certain types of surveillance that would be possible on cellular and traditional telephones.

FBI general counsel Valerie Caproni will outline what the bureau is calling the "Going Dark" problem, meaning that police can be thwarted when conducting court-authorized eavesdropping because Internet companies aren't required to build in back doors in advance, or because technology doesn't permit it.

Any solution, according to a copy of Caproni's prepared comments obtained by CNET, should include a way for police armed with wiretap orders to conduct surveillance of "Web-based e-mail, social networking sites, and peer-to-peer communications technology."

The last example, which was floated last fall, is likely to be the most contentious. When an encrypted voice application like Phil Zimmermann's Zfone is used, the entire conversation is scrambled from end to end. It's like handing a letter directly to its recipient--bypassing workers at the neighborhood post office, who could be required to forward a copy to the FBI.

Forcing companies like Zfone and Skype, which also uses encryption for peer-to-peer calls, to build in back doors for police access was rejected in the 1990s and would mark a dramatic departure from current practice. And anyone hoping to foil the FBI could download encrypted VoIP software from European firms like Lichtenstein-based Secfone, which sells it for Android phones.

Caproni's remarks don't, however, include a specific proposal. "Most our interception challenges could be solved using existing technologies," she says, "that can be deployed without re-designing the Internet and without exposing the provider's system to outside malicious activity." In addition, she says, "the Going Dark problem does not require fundamental changes in encryption technology."

The FBI's announcement comes amid two countervailing trends: a coalition of advocacy groups and technology companies including AT&T and Google is pressing to rewrite federal law to include additional privacy protections for cloud computing and mobile devices. Meanwhile, the Justice Department and some conservative Republicans have proposed that Internet service providers (and perhaps Web companies as well) be required to keep records of what their customers are doing, a concept called data retention.

Yesterday some members of that same coalition--the American Library Association, the Center for Democracy and Technology, NetCoalition (Google, Yahoo, and CNET are members), and TechFreedom--released an open letter expressing concerns about the FBI's push to broaden wiretapping laws. At the very least, the letter says, the bureau must "identify the particular services or technologies most in need of additional surveillance capability" and demonstrate that alternatives to new laws won't work.

The FBI is couching its arguments in broad terms, saying it's only trying to preserve the ability to conduct wiretaps as technology advances. "Any solution to the Going Dark problem should ensure" that once a judge has approved a wiretap request, Caproni is expected to tell a House of Representatives committee tomorrow, "the government is technologically able to execute that court order in a timely fashion."

Today's capabilities
Electronic Frontier Foundation attorney Kevin Bankston said this evening that the FBI already can intercept messages on social-networking sites and Web-based e-mail services with existing law. (This was the purpose of the FBI surveillance system known as Carnivore, later renamed DCS1000.)

"Facebook messages and Gmail messages travel in plain text over those same broadband wires for which the FBI demanded wiretapping capability just a few years ago," Bankston said. "Why has that new capability not been sufficient?"

Congress should investigate exactly how the FBI has used its existing interception capabilities, he said, before contemplating "adding to that capability and forcing online communications service providers to redesign their systems to introduce new security vulnerabilities to facilitate government wiretapping."

Under a 1994 federal law called the Communications Assistance for Law Enforcement Act, or CALEA, telecommunications carriers are required to build in back doors into their networks to assist police with authorized interception of conversations and "call-identifying information."

As CNET was the first to report in 2003, representatives of the FBI's Electronic Surveillance Technology Section in Chantilly, Va., began quietly lobbying the FCC to force broadband providers to provide more-efficient, standardized surveillance facilities. The Federal Communications Commission approved that requirement a year later, sweeping in Internet phone companies that tie into the existing telecommunications system. It was upheld in 2006 by a federal appeals court.

But the FCC never granted the FBI's request to rewrite CALEA to cover instant messaging and VoIP programs that are not "managed"--meaning peer-to-peer programs like Apple's Facetime, iChat/AIM, Gmail's video chat, and Xbox Live's in-game chat that do not use the public telephone network.

In the last few years, according to Caproni's prepared remarks, investigations have been hindered because of the lack of built-in back doors. Examples she cites include a two-year Drug Enforcement Administration investigation into cocaine importation that was thwarted because an unnamed communications provider lacked intercept ability, and a 2009 child pornography prosecution where neither the (unnamed) social networking site nor the (unnamed) communication provider could intercept the communications.

"On a regular basis, the government is unable to obtain communications and related data, even when authorized by a court to do so," Caproni's statement says. It adds, however, that the Obama administration does not have an official position on whether any legislative changes are necessary.

If Congress does nothing, law enforcement still has options. Police can obtain a special warrant allowing them to sneak into someone's house or office, install keystroke-logging software, and record passphrases. The Drug Enforcement Agency adopted this technique in a case where suspects used PGP and the encrypted Web e-mail service Hushmail.com. And the FBI did the same thing in an investigation of an alleged PGP-using mobster named Nicodemo Scarfo.

Another option is to send the suspect spyware, which documents obtained by CNET through the Freedom of Information Act in 2009 showed the FBI has done in cases involving extortionists, database-deleting hackers, child molesters, and hitmen. The FBI's spyware is called CIPAV, for Computer and Internet Protocol Address Verifier.

Update 12:00 a.m. PT Thursday: I should have noted that the EFF obtained some relevant documents via FOIA a few weeks ago that they posted on Wednesday, just in time for the House hearing. Among the high points: the FBI's Operational Technology Division says that the Going Dark program is one of the FBI's "top initiatives." There's a five-pronged Going Dark program that includes extending existing laws and seeking new federal funding to bolster lawful intercept capabilities. Going Dark has been an FBI initiative since at least 2006 and has involved writing checks to consultants at RAND Corporation and Booz, Allen and Hamilton to come up with solutions.