Report: Feds to push for Net encryption backdoors

The Obama administration wants to force Internet e-mail and other communications companies to build in encryption backdoors for government surveillance, The New York Times reports.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.

The Obama administration will seek a new federal law forcing Internet e-mail, instant-messaging, and other communication providers offering encryption to build in backdoors for law enforcement surveillance, The New York Times reported today.

Communication providers, apparently including companies that offer voice over Internet Protocol (VoIP) services, would be compelled to reconfigure their systems so that police could be guaranteed access to descrambled information.

It could become illegal for a company to offer completely secure encrypted communications--through a protocol such as ZRTP, for instance--if its customers held the keys and the provider did not.

Valerie Caproni, the FBI's general counsel, stressed to the Times that agents would still need a court order to force providers to unlock encrypted data. "We're talking about lawfully authorized intercepts," Caproni said. "We're not talking expanding authority. We're talking about preserving our ability to execute our existing authority in order to protect the public safety and national security."

The FBI says that its ability to conduct wiretaps of criminal suspects and terrorists, a mainstay of investigations, is becoming limited as more and more people turn to Internet communications instead of telephones.

The administration's proposal, which is expected to be submitted to the U.S. Congress when it convenes next year, faces a number of potential obstacles, including opposition from civil libertarian and business groups and concerns about its practicality and constitutionality.

Even the federal government can't force overseas companies with no domestic offices to comply with a U.S. law mandating backdoors, and those products would probably become the ones that criminals and terrorists adopt.

And inside the U.S., a federal appeals court has ruled that encryption code is protected by the First Amendment's guarantee of freedom of speech, meaning that open-source developers may be able to continue to produce secure software. "Because computer source code is an expressive means for the exchange of information and ideas about computer programming, we hold that it is protected by the First Amendment," the 6th Circuit ruled in 2000.

"The migration to open-source peer-to-peer services will accelerate and the federal government will end up worse off than it is today," Jim Harper, an attorney and policy analyst at the free-market Cato Institute, said today. "This is a reason to worry about so-called 'cloud' services, which provide a centralized surveillance point."

If Congress does not enact a law, law enforcement still has options. Police can obtain a special warrant allowing them to sneak into someone's house or office, install keystroke-logging software, and record passphrases. The Drug Enforcement Agency adopted this technique in a case where suspects used PGP and the encrypted Web e-mail service Hushmail.com. And the FBI did the same thing in an investigation of an alleged PGP-using mobster named Nicodemo Scarfo.

Another option is to send the suspect spyware, which documents obtained by CNET through the Freedom of Information Act last year showed the FBI has done in cases involving extortionists, database-deleting hackers, child molesters, and hitmen. The FBI's spyware is called CIPAV, for Computer and Internet Protocol Address Verifier.

The current FBI proposal, which is still in draft form, is likely to reignite debates from the 1990s over encryption, privacy, security, and how to balance the needs of law enforcement with Americans' right to privacy.

Other nations recently have confronted similar issues. BlackBerry maker Research In Motion has been fending off threats by the Indian government to shut down the service if it does not allow for ready monitoring. (In the United States, a 1994 law called the Communications Assistance for Law Enforcement Act requires that telephone companies make their networks wiretap-ready, but does not apply to Internet-only services.)

If President Obama does embrace the FBI's proposal, he runs the risk of alienating civil libertarians who supported him in 2008, when he ran on a platform that said as president, he would "strengthen privacy protections for the digital age."

In response to a CNET Technology Voters' Guide survey, then-candidate Obama said at the time: "I will work with leading legislators, privacy advocates, and business leaders to strengthen both voluntary and legally required privacy protections."

Update 10:37 a.m. PDT: I should have noted earlier that Vice President Joe Biden proposed something quite similar in the 1990s. As I wrote in an earlier article, when Biden was chairman of the Senate Judiciary Committee, he introduced an anti-encryption bill called the Comprehensive Counter-Terrorism Act. It said: "It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall ensure that communications systems permit the government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law." It was Biden's bill--and the eventual threat of encryption being outlawed--that Phil Zimmermann said at the time "led me to publish PGP electronically for free that year."