Security Risks of Wholesale Telephone Eavesdropping
A handful of prominent security researchers have published a report on the security risks of the large-scale eavesdropping made temporarily legal by the “Protect America Act” passed in the U.S. in August, and which may be made permanently legal soon. “Risking Communications Security: Potential Hazards of the ‘Protect America Act’”—dated October 1, 2007, and marked “draft”—is well worth reading:
The civil-liberties concern is whether the new law puts Americans at risk of spurious—and invasive—surveillance by their own government. The security concern is whether the new law puts Americans at risk of illegitimate surveillance by others. We focus on security. How will the collection system determine that communications have one end outside the United States? How will the surveillance be secured? We examine the risks and put forth recommendations to address them.
Not surprisingly, the risks are considerable. And difficult to address.
We see three serious security risks that have not been adequately addressed (or perhaps not even addressed at all): the danger that the system can be exploited by unauthorized users, the danger of criminal misuse by a trusted insider, and the danger of misuse by the U.S. government. Our recommendations are based on these concerns.
The group has two basic recommendations: data minimization, and oversight:
Minimization is critical. Allowing collection of calls on U.S. territory necessarily entails greater access to the communications of U.S. persons; the architecture must minimize collection of both the call details and the content of these communications. The best way to prevent problems is to intercept as early as possible: at the cableheads; such a solution, by decreasing the number of interception points, will simplify the security problem. Surveilling at the cableheads will help minimize collection, but it is not sufficient. Intercepted traffic should be studied (by geo-location and any other available techniques) to determine whether it comes from non-targeted U.S. persons and, if so, discarded before any further processing is done.
Oversight is necessary to prevent abuse and ensure information assurance. Independent oversight of operations is also essential and is a fundamental tenet of security. To assure independence the overseeing authority should be as far removed from the intercepting authority as practical.
More in the report, of course.
EDITED TO ADD (2/4/08): Here’s the final report.