Arguing Against CALEA

At a Congressional hearing earlier this week, Matt Blaze made the point that CALEA, the 1994 law that forces telecoms to make phone calls wiretappable, is outdated in today’s threat environment and should be rethought:

In other words, while the legally-mandated CALEA capability requirements have changed little over the last three decades, the infrastructure that must implement and protect it has changed radically. This has greatly expanded the “attack surface” that must be defended to prevent unauthorized wiretaps, especially at scale. The job of the illegal eavesdropper has gotten significantly easier, with many more options and opportunities for them to exploit. Compromising our telecommunications infrastructure is now little different from performing any other kind of computer intrusion or data breach, a well-known and endemic cybersecurity problem. To put it bluntly, something like Salt Typhoon was inevitable, and will likely happen again unless significant changes are made.

This is the access that the Chinese threat actor Salt Typhoon used to spy on Americans:

The Wall Street Journal first reported Friday that a Chinese government hacking group dubbed Salt Typhoon broke into three of the largest U.S. internet providers, including AT&T, Lumen (formerly CenturyLink), and Verizon, to access systems they use for facilitating customer data to law enforcement and governments. The hacks reportedly may have resulted in the “vast collection of internet traffic” from the telecom and internet giants. CNN and The Washington Post also confirmed the intrusions and that the U.S. government’s investigation is in its early stages.

Posted on April 8, 2025 at 7:08 AM • 8 Comments

Comments

Clive Robinson April 8, 2025 11:47 AM

@ Brian, Bruce, ALL,

As noted above,

“.GOV ain’t about to give up…”

No it’s not, be it .gov.us, .gov.uk, .gov.eu or any of the others.

If we assume –and it’s a very big assumption– that we have nixed backdoors in crypto so that full E2EE becomes acceptable if not the norm, a question arises, and that is

“Where will they take the war next?”

My viewpoint suggests to me that they will “backdoor the User Interface” next.

That is because that is where the “plaintext” of message information, rather than meta-data, is. It is beyond the “security endpoint”, but by necessity needs to be able to reach back to and through the “communications endpoint” and out into the “general / publicly accessible network”.

We’ve already seen this nonsense attempted by Apple with what was claimed was CSAM image scanning technology.

The problem is the method at the low level was way, way too generic and would work for any type of scanning just as well, if not more effectively, than for CSAM images.

The fact is that “CSAM images” was just an excuse[1] to,

“Get the hooks in to every Apple product user.”

It does not matter what Tim Cook or other Apple seniors think; the fact is either they lied, collaborated, or were played by “ulterior motives”.

The fact that this faux-CSAM got contested, and the high level user scanning of “See What You See” (SWYS) / user device scanning has been removed for now[2], does not mean the low level parts of the system nor the hooks to use them were removed.

Think for a moment what that actually means, above and beyond confirming people’s suspicions[2] and what the known “future path” will achieve[3].

It was exactly this “low level system and hooks” situation that allowed the “alleged” Chinese Communist Party associated hackers to run rampant through the CALE Act interfaces.

Worse, they were not the first: the NSA and CIA were known to have not just used the low level CALE system and interface during the “Greek Olympics”. The Greek Government has named one US operative for the murder, made to look like suicide, of a Greek Vodafone Engineer to cover up how the NSA / CIA had done it through the CALE low level system and hooks.

Much as Lockdown was an excuse to put the low level processes of BLE or WiFi “beaconing” into the two major mobile / smart device OS’s produced by Alphabet/Google and Apple. Now they are there they represent a significant security vulnerability even though comparatively they have a very low bandwidth to communicate.

Why?

Because all they have to do is return the user device electronic serial number and a “flag” that could be the equivalent of one bit of information. The other “tracking systems” already in place will give “general movement / usage patterns” thus setting up a targeted higher bandwidth BLE / WiFi base becomes an almost trivial task.

As all these low level systems and hooks still remain in the OSs, a question has to be asked,

“What is the excuse for these backdoor communications systems?”

Thus “What is the real reason they have not been removed?”

My viewpoint is that this has already been thought out (after all if I can think it out… so can several of the many thousands that work for the Intel Services like the FiveEyes).

The next step will be “See What You See” (SWYS) scanning based on “On device AI”, something Microsoft is “busy ramming in Win 11” and “busy ramming Win 11 on all users” (now might be a good time to find an OS with good security, no AI, and capable of running fully energy gapped).

But for it to work the user device must have “connectivity to the mothership” somehow. Which is possibly yet another reason Microsoft is trying to force “always online” on people.

So logically you need to “cut the umbilical cord” to publicly accessible or external communications[4].

But is this mitigation by “energy gap” sufficient or even usable?

The answer for many is “No” for various reasons most of which can be mitigated another way.

I’ve mentioned quite a few times about “going off device” to put the “security endpoint” that terminates E2EE and provides “plaintext” for the “user interface” safely beyond the “communications endpoint” such that if there is SWYS / user device scanning in place it can not communicate back.

How to go about this is conceptually simple[5] but is somewhat messy to do effectively, so I won’t go into the long-winded details, just simply say,

If the user interface is the only place there is “plaintext”[5] and there is no communications path back across the security endpoint then high levels of privacy can be achieved.

[1] It’s now reasonably well documented, thus established, that those who make and consume CSAM are not negatively affected by authorities’ attempts to use high end technology against them. In fact an argument can and has been made that attempts to use technological means, whilst achieving at best very little if anything, take very significant resources away from more established and successful means of combating CSAM users, producers, and abusers.

[2] By many reports the high level CSAM scanning was not much of a success anyway, as the false positive and false negative rates were not that good due to trying to limit the SWYS scanning impact[3].

[3] There are many reasons why this early scanning was a failure; the simplest to understand is “CPU cycles”. That is, the high number of CPU cycles required not only slowed things down, it put a significant hit on the battery life, because the hardware to do better was not available then. Now however the talk is of adding AI hardware for “Digital Assistants / Agents”, and such hardware will reduce the impact of scanning significantly.

[4] Simply breaking the bridge by which “SWYS / user device scanning” communicates back renders it a technological failure. Hence “mitigation by segregation” or putting things behind an “energy gap”.

[5] Importantly, not storing, processing/using or communicating information in an unencrypted or “plaintext” format keeps it away from “SWYS / user device scanning”.

Clive Robinson April 8, 2025 1:12 PM

@ Matt Blaze,

If you are reading this thread and I suspect you are…

I do not agree with your final sentence,

“And the capabilities should be required to be off by default, rather than enabled even in facilities where no wiretaps are active.”

Whilst I agree very much with the sentiment, I happen to know that you can not design a software based system where “off” has the equivalent meaning as “pulling the plug” or “cutting the wire”. That is where just a simple mechanical operation is the equivalent of “air-gapping” at that point[1].

The issue is that all such intercept access points require an “inbuilt tee” or splitter that duplicates traffic at the tap point. In software based systems this means that you have a floating “hook” just waiting to be connected to.

The issue is either the tap tee capability is there “permanently built in” or “it’s not there at all”.

So you have the issue that you can not have “required to be off by default” just “hard to use” when it’s a software system.

Thus the question arises of how to put in the equivalent of a “plug and socket”[1] that gives either an “air or energy gap” that cannot be enabled remotely in any way.

For those that suggest the likes of Data Diodes, I’ve shown in the past that apart from physical diodes nearly all have a “back channel” in the reverse direction simply due to “flow control” and “error correction” requirements.

The back channel bandwidth may not be high, but then it does not need to be in most cases.

[1] Yes I’m more than aware that you cannot realistically use a high reliability “switch” due to “contact capacitance” and likewise line inductance and how you can “jump the contacts” using a version of “cross talk”. However the devices required to do this are “physically obvious” to even cursory technical examination, unlike software modifications that are almost always designed to be unobvious to all.
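The point about flow control above can be seen in a toy model. The following is an added example, not code from the comment or from any real data-diode product: a software-enforced “one-way” link whose receiver must ACK or NAK each frame, beside one with no return path at all. The frame format, the ACK/NAK scheme and the sample data are all constructed for the illustration.

```python
"""Toy model of a software-enforced one-way link.  Shows why any
retransmit-on-NAK feedback is a reverse channel back across the boundary,
however narrow, and contrasts it with a link that offers no feedback."""

from typing import Iterable, List, Optional


class LowSideWithFlowControl:
    """Receiver on the exposed side.  It must reply ACK (True) or NAK (False)
    so the sender knows when to retransmit.  Choosing WHICH frames to NAK
    lets it encode one bit per delivered frame towards the sender."""

    def __init__(self, bits_to_signal: Iterable[int]):
        self.bits = list(bits_to_signal)      # constructed "secret" bits
        self.delivered: List[bytes] = []
        self._retry_seq: Optional[int] = None  # frame we NAKed once

    def receive(self, seq: int, payload: bytes) -> bool:
        if self._retry_seq == seq:
            # Retransmission of a frame we deliberately NAKed: accept it now.
            self._retry_seq = None
            self.delivered.append(payload)
            return True
        bit = self.bits.pop(0) if self.bits else 0
        if bit == 1:
            self._retry_seq = seq   # NAK once to encode a 1
            return False
        self.delivered.append(payload)
        return True


def send_with_flow_control(frames: List[bytes], low_side) -> List[bool]:
    """High-side sender: retransmits until ACKed and records every reply."""
    feedback = []
    for seq, payload in enumerate(frames):
        while True:
            ok = low_side.receive(seq, payload)
            feedback.append(ok)
            if ok:
                break
    return feedback


def decode_feedback(feedback: List[bool]) -> List[int]:
    """What an observer on the sending side learns from the replies alone:
    1 for every frame that needed a retransmission, 0 otherwise."""
    bits, nak_seen = [], False
    for ok in feedback:
        if ok:
            bits.append(1 if nak_seen else 0)
            nak_seen = False
        else:
            nak_seen = True
    return bits


class LowSideNoFeedback:
    """Receiver behind a link with no return path.  The sender repeats each
    frame blindly instead of waiting for ACKs, so there is nothing for the
    receiver to modulate."""

    def __init__(self, bits_to_signal: Iterable[int]):
        self.bits = list(bits_to_signal)   # present, but cannot be signalled
        self.delivered: List[bytes] = []
        self._seen = set()

    def receive(self, seq: int, payload: bytes) -> None:
        if seq not in self._seen:   # duplicates from blind repeats are dropped
            self._seen.add(seq)
            self.delivered.append(payload)
        return None                 # nothing travels back to the sender


def send_blind_repeat(frames: List[bytes], low_side, repeats: int = 2) -> List[bool]:
    for seq, payload in enumerate(frames):
        for _ in range(repeats):
            low_side.receive(seq, payload)
    return []   # no observable feedback at all


def demo() -> dict:
    frames = [b"log line %d" % i for i in range(8)]   # constructed traffic
    secret = [1, 0, 1, 1, 0, 0, 1, 0]                  # constructed bits
    low = LowSideWithFlowControl(secret)
    leaked = decode_feedback(send_with_flow_control(frames, low))
    low2 = LowSideNoFeedback(secret)
    leaked2 = decode_feedback(send_blind_repeat(frames, low2))
    return {
        "leaked_with_flow_control": leaked,        # equals `secret`
        "delivered_with_flow_control": low.delivered == frames,
        "leaked_without_feedback": leaked2,        # empty
        "delivered_without_feedback": low2.delivered == frames,
    }


if __name__ == "__main__":
    print(demo())
```

Both links deliver every frame correctly; the difference is that the first one also carries one bit per frame in the reverse direction, which is exactly the “back channel” the comment describes. A design review of a supposedly one-way software link should therefore ask what the sender can observe about the receiver’s behaviour, not just which direction the payload flows.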

ResearcherZero April 8, 2025 9:31 PM

@Clive Robinson, JohnKnowsNothing, ALL

If John was here he could explain this far better than I, but I will have a crack at it.

The software may be an API in some cases. This is the proposed plan for IRS data, which, if we are to believe reports and the ambition of Palantir CEO Alex Karp and the young bucks at DOGE, involves taking databases written in COBOL and Assembly and knocking out an API in 30 days. The original plan was apparently over a period of six months.

The intended operation is claimed to be a “force multiplier” that will be a “revolution” and will move fast (probably break things), and there will be “ups and downs”.

Data is siloed to provide security. Databases are designed to be up and must be very carefully designed, so that they properly sync data that is delivered through multiple inputs without dropping entries, corrupting or overwriting existing data, while maintaining data integrity.

If the system is not well designed, like the Fujitsu cock-up with Horizon accounting software which led to the British Post Office scandal, entries can be dropped when sent to the database and inputs may be corrupted, compromising data integrity. Such a system can be used against individuals, while failures in the design and implementation are hidden from the public, so that those responsible for the flawed implementation can maintain their own integrity – which will of course come at the expense of those impacted.

Alarmingly, because the integrity of entries has been corrupted in such cases, the evidence that would normally absolve victims of any wrongdoing is itself corrupted or missing. This can then be weaponized to shift blame from culprit or instigator to the very people that it caused harm to. The result may be the loss of income and livelihood, imprisonment and suicide.

One hopes the system will not be frequently DOWN, but being UP may also present issues. 🙁

In the real world, carefully constructed inputs can also be abused to achieve ye old SQL Injection attack, which is a well known way of exploiting databases to retrieve information without authorization. APIs can allow automated dumping of data from databases – in bulk, either by abusing vulnerabilities in a poorly designed access system, or via obtained credentials. There are plenty of new attacks – providing multiple points of entry.

Just as Palantir CEO Alex Karp stated, “We love disruption and whatever is good for America will be good for Americans and very good for Palantir. Disruption at the end of the day exposes things that aren’t working. There will be ups and downs. This is a revolution, some people are going to get their heads cut off.”

When the most sensitive financial data of Americans is inevitably exposed and abused, that prediction may indeed become far more chillingly true than Karp imagines.
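The injection risk mentioned above is worth seeing side by side. The following is an added example, not code from the comment or from any of the systems it names: a query built by string concatenation beside the same query with a bound parameter, run against a constructed in-memory SQLite table standing in for a database fronted by an API.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows; the table and values stand in for any record store
# an API might expose and have no connection to a real system.
SAMPLE_ROWS = [
    ("rec-0001", "alice", 52000),
    ("rec-0002", "bob", 61000),
    ("rec-0003", "carol", 47000),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id TEXT, owner TEXT, income INTEGER)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> List[Tuple]:
    # Anti-pattern: the caller's string becomes part of the SQL text, so the
    # caller can change the structure of the query, not just a value in it.
    sql = f"SELECT id, owner, income FROM records WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, owner: str) -> List[Tuple]:
    # Bound parameter: the driver passes the value separately from the SQL
    # text, so the string is only ever compared as data.
    sql = "SELECT id, owner, income FROM records WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def demo() -> dict:
    conn = make_db()
    honest = "alice"
    hostile = "x' OR '1'='1"   # constructed input that rewrites the WHERE clause
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),    # one row
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),  # every row
        "parameterized_honest": lookup_parameterized(conn, honest),
        "parameterized_hostile": lookup_parameterized(conn, hostile),  # none
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s)")
```

The concatenated version hands back the whole table to a caller who was only entitled to one row, which is the “bulk dumping” failure the comment warns about; the parameterized version returns nothing for the same input because no owner is literally named `x' OR '1'='1`. The same rule applies to any database driver: values go in as parameters, never into the query string.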

ResearcherZero April 8, 2025 9:59 PM

@Clive Robinson

There is an awful amount of electronic signal leakage and side channels that can be used to collect intelligence from. There are also many private public sources that can be tapped.

The problem with allowing such intelligence gathering tools as Palantir’s Gotham and Foundry products into the sensitive personal data space is more than just a little Batman, as Batman turned off his eavesdropping system when he was finished saving the day.

Palantir already has insights into health and supermarket data, now it wants access to the crown jewels, the complete financial records of every American citizen. That is both a front door and a back door. It would allow very deep insights into private lives.

This data will ultimately be used to allow Palantir to hone other products such as long-range targeting capabilities and the mobile Army Tactical Intelligence Targeting Access Node it is developing for military capability.

From the marketing material, “TITAN provides game changing technologies on how we collect, process and disseminate intelligence across the battlefield, providing us a decisive edge in supporting Multi-Domain Operations.”

The so-called Rings of Power. The all-seeing eye makes the magical seeing stones look like a cheap trick, when in comparison the eye allows both stealth, influence and control. A one stop shop for complex analysis of very sensitive private data points.

Oh, I just finished completing my tax return, submitting it – and it has vanished.

ResearcherZero April 9, 2025 12:53 AM

There was another Congressional hearing looking at the dangers to civil liberties.

https://www.biometricupdate.com/202504/congressional-hearing-reveals-deep-concerns-about-federal-surveillance-practices

the many types of creep in the surveillance data space

https://www.cambridge.org/core/journals/european-journal-of-international-security/article/politics-of-creep-latent-development-technology-monitoring-and-the-evolution-of-the-schengen-information-system/B9F7AEC5F60F02E72BF8FEC852988B6E

Jim April 10, 2025 12:09 PM

I’m a big fan of Ron Wyden, though on almost opposite sides of the political spectrum. After 9/11 it was easy to understand the motivation for the Patriot Act. Now it gives power to the gov. Law enforcement clearly needs enough sources to do their job, and I think they have the means, without the Patriot Act.

In many ways I’m a fan of the Donald. Like Matt Blaze, when the opposite side is in the Oval Office, I’m suspicious and fearful.

Dr Blaze and Rep Wyden, many of us on the right-ish would be happy to make common-cause with you on this issue. Not everything, but definitely this thing.

After the fall of East Germany, a McClatchy reporter interviewed an ex-Stazi officer, maybe Wolfgang Schmidt, and a quote was, “It is the height of naivety to think that once the information is gathered it will not also be used

Clive Robinson April 10, 2025 8:10 PM

@ Jim,

You say of the Patriot Act,

“Now it gives power to the gov. Law enforcement clearly needs enough sources to do their job, and I think they have the means, without the Patriot Act.”

One of the issues with the Patriot Act is that chunks of it are “secret law”, this is actually bad for any kind of Government be they truly democratic or oppressively authoritarian.

Secret law almost always backfires on the framers of it (even if they live for just a short time after it’s enacted). Because by it being used partial information leaks, and people will start joining dots and coming to conclusions that may or may not be valid. Either way,

“Things will out irrespective of want.”

But another issue with the Patriot Act secrecy is we have no way of judging its effectiveness, as there is no visible accounting or oversight.

Based on what little we’ve observed, my guess is that the secret parts of the Patriot Act are, like much modern technological legislation, actually fairly useless for “law enforcement” (LE) activities.

One of my reasons to think this is that “Methods and Sources” are “fragile” at best. Whilst they may be of use for just Intelligence Work as carried out by Government Intel Agencies that have no “disclosure requirements” LE primarily are about “disclosure” into the public forum of a Court. Even when held “in camera” much about a Court Case leaks in a way it can be “surmised”, and like the pieces of a jigsaw put together such that a picture builds…

We’ve seen this with the US FISA cases and in the UK the recent nonsense with “Apple -v- Home Office” has resulted in what the UK Home Office most certainly does not want, which is an adverse judicial decision making things front page news.

The simple fact is, if you look at US LE successes, they are all basically by “old school / traditional” methods that “do what they say on the tin”.

As far as we know the UK Apple case is the first serious test of the “Snoopers Charter” and it’s unraveling fast… Whilst it’s based on RIPA 2000 judges have been very reluctant to allow the use of aspects of it, that were called into question back in the 1990’s when it was being discussed.

Whilst legislators may draw up powers and grant them foolishly, judges sitting in Courts generally tend to see such wayward legislation as the sort of infernal devices that you can easily be hoist by, thus treat them with significant caution. Something that even William Shakespeare was all too aware of nearly half a millennium ago, hence the oft quoted “petard” phrase.

Modern politicians unfortunately appear to view the making of unsound wayward legislation a priority in their activities, rather than proceeding with thought, consideration, and care.

Need it be said,

“If you jerk a knee, then kickback is to be expected…”.
