Tag: surveillance software

Designing an Insecure Internet

If there were any doubt that the 90s are back in style, witness the Obama administration’s attempt to reignite the Crypto Wars by seeking legislation that would force Internet services to redesign their networks and products to provide a centralized mechanism for decrypting user communications. It cannot be stressed enough what a radical—and terrible—idea this is.  I’ll be writing on this at greater length this week, but a few quick points.

First, while the Communications Assistance for Law Enforcement Act (CALEA) already requires phone and broadband providers to build in interception capacity at their network hubs, this proposed requirement—at least going on the basis of the press description, since there’s no legislative text yet—is both broader and more drastic. It appears that it would apply to the whole panoply of online firms offering secure communication services, not just big carriers, imposing a greater relative burden. More importantly, it’s not just mandating that already-centralized systems install a government backdoor. Rather, if I understand it correctly, the proposal would insist on a centralized (and therefore less secure) architecture for secure communications, as opposed to an end-to-end model where encryption is handled client-side. In effect, the government is insisting on the right to make a macro-design choice between competing network models for thousands of companies.

Second, they are basically demanding that providers design their systems for breach. This is massively stupid from a security perspective.  In the summer of 2004, still unknown hackers exploited surveillance software built in to one of Greece’s major cell networks to eavesdrop on high government officials, including the prime ministers. The recent hack of Google believed to originate in China may have used a law-enforcement portal to acquire information about dissidents. More recently, we learned of a Google engineer abusing his access to the system to spy on minors.

Third, this demand has implications beyond the United States. Networks designed for interception by U.S. authorities will also be more easily tapped by authoritarian governments looking to keep tabs on dissidents. And indeed, this proposal echoes demands from the likes of Saudi Arabia and the United Arab Emirates that their Blackberry system be redesigned for easier interception. By joining that chorus, the U.S. makes it more difficult for firms to resist similar demands from unlovely regimes.

Finally, this demand highlights how American law enforcement and intel agencies have been circumventing reporting requirements designed to provide information on this very problem. As the Crypto Wars of the 90s drew to a close, Congress amended the Wiretap Act, which creates strong procedural protections when the government wants to use intrusive electronic surveillance, to add a requirement that agencies report each instance in which they’d encountered encryption.  The idea was to get an objective measure of how serious a problem this posed. The most recent report, however, cited only one instance in which encryption was encountered, out of 2,376 wiretap orders. Why, then, are we now being told encryption is a huge problem? Almost certainly because law enforcement and intelligence agencies aren’t using the Wiretap Act to intercept electronic communications—preferring, instead, to avail themselves of the far more lax standards—and spare reporting requirements—provided by the Stored Communications Act.  It’s always easier to claim you need sweeping new powers from Congress when you’ve managed to do an end-run around the provisions Congress put in place to keep itself informed about how you’re using your existing powers, after all.

School Webcams and Strange Gaps in Surveillance Law

Last week, I noted the strange story of a lawsuit filed by parents who allege that their son was spied on by school officials who used security software capable of remotely activating the webcams in laptops distributed to students. A bit more information on that case has since come out. The school district has issued a statement which doesn’t get into the details of the case, but avers that the remote camera capability has only ever been used in an effort to locate laptops believed to have been lost or stolen. (That apparently includes a temporary “loaner computer that, against regulations, might be taken off campus.”)  They do, however, acknowledge that they erred in failing to notify parents about this capability.  The lawyer for the student plaintiff is now telling reporters that school officials called his client in to the vice principal’s office when they mistook his Mike and Ike candies for illegal drugs.

Perhaps most intriguingly, a security blogger has done some probing into the technical capabilities of the surveillance software used by the school district. The blogger also rounds up comments from self-identified students of the high school, many of whom claim that they noticed the webcam light on their school-issued laptops flickering on and off—behavior they were told was a “glitch”—which may provide some reason to question the school’s assertion that this capability was only activated in a handful of cases to locate lost laptops. The FBI, meanwhile, has reportedly opened an investigation to see whether any federal wiretap laws may have been violated.

It’s this last item I want to call attention to. The complaint against the school district states a number of causes of action.  The most obvious one—which sounds to me like a slam dunk—is a Fourth Amendment claim. But there are also a handful of claims under federal wiretapping statutes, specifically the Electronic Communications Privacy Act and the Stored Communications Act. These are more dubious, and rest on the premise that the webcam image was an “electronic communication” that school officials “intercepted” (as those terms are used in the statute), or alternatively that  the activation of the security software involved “unauthorized” access by the school to its own laptop. The trouble is that courts considering similar claims in the past have held that federal electronic surveillance law does not cover silent video surveillance—or rather, the criminal wiretap statutes don’t.

That leads to a strange asymmetry in a couple of different ways. First, intelligence surveillance covered by the Foreign Intelligence Surveillance Act does include silent video monitoring. Second, it seems to provide less protection for a type of monitoring that is arguably still more intrusive. If officials had turned on the laptop’s microphone, that would fall under ECPA’s prohibition on intercepts of “oral communications.” And if the student had been engaged in a video chat using software like Skype, that would clearly constitute an “electronic communication,” even if the audio were not intercepted. But at least in the cases I’m familiar with, the courts have declined to apply that label to surreptitiously recorded silent video—which one might think would be the most invasive of all, given that the target is completely unaware of being observed by anybody.

One final note: The coverage I’m seeing is talking about this as though it involves one school doing something highly unusual. It’s not remotely clear to me that this is the case. We know that at least one other school district employs similar monitoring software, and a growing number of districts are experimenting with issuing laptops to students. I’d like to see reporters start calling around and find out just how many schools are supplying kids with potential telescreens.