Security guru: FBI Internet-Tapping Good for Criminals, Bad for Everyone Else

By Ted Samson
InfoWorld
May 31, 2013

If you're looking for more evidence that politicians don't get technology, look no further than the FBI's proposal to make Internet communications easier to wiretap. Specifically, the FBI wants to force companies to design their email, IM, VoIP, and other Internet-based communication products such that law-enforcement agents can eavesdrop on conversations—naturally, in the name of collecting evidence against evil-doers.

Although the plan reportedly has support from the Obama Administration, it doesn't have the backing of a guy who knows a thing or two about security: Bruce Schneier. By the renowned security pro's reckoning—clearly laid out at Foreign Policy—requiring companies to make their products "eavesdroppable" would render them vulnerable to anyone with a little tech savvy. As such, users would be at greater risk than before against cyber criminals, and American companies that make their money on Internet-communications products would lose business. (Those that refused to comply would be fined $25,000 a day.)

According to Schneier, adding the ability to eavesdrop on an email services such as Gmail is fairly easy. "The mail resides in Google's servers, and the company has an office full of people who respond to requests for lawful access to individual accounts from governments all over the world," he said.

However, companies that provide encrypted voice systems would have to add a backdoor to user software to meet the FBI's requirements. That would render such systems vulnerable to anyone with the right tools and know-how. "It's impossible to build a communications system that allows the FBI surreptitious access but doesn't allow similar access by others," Schneier said. "When it comes to security, we have two options: We can build our systems to be as secure as possible from eavesdropping, or we can deliberately weaken their security. We have to choose one or the other."

U.S. companies have already felt the adverse effects of meeting government's wire-tapping requirements, Schneier noted. For example, in the 1980s the feds weakened U.S. cryptography products to prevent foreign groups from accessing secure systems. "Two things resulted: fewer Internet products with cryptography, to the insecurity of everybody, and a vibrant foreign security industry based on the unofficial slogan 'Don't buy the U.S. stuff—it's lousy,'" Schneier said.

Although the proposed plan would hurt users and U.S. companies, it likely would have limited impact on stopping bad guys, Schneier observed. "The bad guys will be able to get around the eavesdropping capability, either by building their own security systems—not very difficult—or buying the more-secure foreign products that will inevitably be made available."

The exception would be governments in countries that monitor their citizens' communications in an Orwellian manner. "There are lots of foreign governments who want to use these sorts of systems to spy on their own citizens. Do we really want to be exporting surveillance technology to the likes of China, Syria, and Saudi Arabia?" he asked.

Schneier called the FBI's claim that "it's simply trying to maintain the status quo of being able to eavesdrop" as "disingenuous at best," and said the feds have more ways than ever to listen in on peoples' communications—not to mention tracking their moves on the Internet and in the outside world.

"Think of it this way: We don't hand the government copies of our house keys and safe combinations. If agents want access, they get a warrant and then pick the locks or bust open the doors, just as a criminal would do," Schneier said. "A similar system would work on computers. The FBI, with its increasingly non-transparent procedures and systems, has failed to make the case that this isn't good enough."

The answer, ultimately, is implementing good Internet security, rather than resorting to questionable tactics that could infringe on the privacy of countless citizens. "Both good guys and bad guys send emails, use Skype, and eat at all-night restaurants. But because society consists overwhelmingly of good guys, the good uses of these dual-use technologies greatly outweigh the bad uses," Schneier concluded. "Strong Internet security makes us all safer, even though it helps the bad guys as well. And it makes no sense to harm all of us in an attempt to harm a small subset of us."

earlier story: Interview: "It's Pretty Much Impossible" To Protect Online Privacy
later story: Security Experts Bruce Schneier and Mikko Hypponen on the NSA, PRISM and Why We Should Be Worried
back to News and Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..