The following text is copyright 2011 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.

 

Lighting the dark: do you have to make your application tapable?

 

By Scott Bradner

 

Law enforcement has a problem, and you may be part of that problem.  If your company makes an Internet application that enables its users to communicate with each other and you do not have a way to hand over those communications in real time to law enforcement then you are part of the problem.  If one grants that there is a problem, as I do, the question becomes "is the solution worse than the problem?"

 

The US House Committee on the Judiciary recently held a hearing on the general problems faced by law enforcement in today's Internet  - they called the hearing " “Going Dark: Lawful Electronic Surveillance in the Face of New Technologies”  (http://judiciary.house.gov/hearings/hear_02172011.html)   FBI General Counsel Valerie Caproni clearly described the problems faced by law enforcement.  (http://judiciary.house.gov/hearings/pdf/Caproni02172011.pdf)    She noted that not all telecommunications providers were able to quickly meet their obligations under the Communications Assistance for Law Enforcement Act (CALEA) (http://www.fcc.gov/calea) but focused most of her testimony on the problem that law enforcement has in getting real time communication between users of modern Internet applications.  Developers of these applications rarely consider that law enforcement might be interested in communications between their users.  Some of those that do may decide that such interest would violate their user's privacy even if their users might be using the communication channel for evil purposes. Her testimony was backed up by Mark Marchall, President of the International Association of Chiefs of Police. (http://judiciary.house.gov/hearings/pdf/Marshall02172011.pdf)

 

While Ms. Caproni specifically did not ask for any new laws to be enacted at this point the implication was that it would be a good idea if the developers of Internet applications included the ability wiretap the communication between their users.

 

But adding the ability to wiretap presents its own issues, issues that were well covered by security and privacy expert Susan Landau.  (http://judiciary.house.gov/hearings/pdf/Landau02172011.pdf)  She pointed out that adding wiretap functionality is, by definition, adding an exploitable vulnerability.  She also provided examples of such exploitation in current telecommunications systems. 

 

The FBI's Ms. Caproni said that court orders for wiretaps are "the most difficult for investigate authorities to obtain and use" because of the protections in US law.  She did not suggest that these protections be lessened but did not mention that many other countries do not have such protections.  Since US developed technology is in use all over the world, wiretap back doors in US developed applications are likely to exploited by governments far les interested in civil liberties than is the US government.

 

Thus, application developers are placed in a quandary.  On one hand the law enforcement problems are very real ones -- there are some very bad people 'out there'.  On the other hand, adding wiretap ability to your application may mean that some of those bad people, as well as bad governments, will be able to exploit your application in furtherance of their own aims. 

 

If you are in the application writing business and your applications permit the users to directly communicate with each other you may be inadvertently developing a communication vehicle for terrorists, or for dissidents fighting a corrupt government.  Adding wiretap functionality may help use by fight bad guys while the same functionality may put good guys in danger.  At this point adding such functionality is still your choice, in the future it may not be.

 

disclaimer: While a few Harvard dropouts have done OK in developing applications or systems that enable user communication, and Harvard itself has developed a few systems that do the same I know of no University position on including wiretap functions in such applications.  Thus the above discussion is my own, not Harvard's.