In a way, the hackers’ strategy makes perfect sense. Communications networks are generally designed to restrict outside access to their users’ private information. But the goal of government surveillance is to create a breach‐by‐design, a deliberate backdoor into otherwise carefully secured systems. The appeal to an intruder is obvious: Why waste time with retail hacking of many individual targets when you can break into the network itself and spy wholesale?
The Google hackers are scarcely the first to exploit such security holes. In the summer of 2004, unknown intruders managed to activate wiretapping software embedded in the systems of Greece’s largest cellular carrier. For ten months, the hackers eavesdropped on the cellphone calls of more than 100 prominent citizens — including the prime minister, opposition members of parliament, and high cabinet officials.
It’s hard to know just how many other such instances there are, because Google’s decision to go public is quite unusual: companies typically have no incentive to spook customers (or invite hackers) by announcing a security breach. But the little we know about the existing surveillance infrastructure does not inspire great confidence.
Consider the FBI’s Digital Collection System Network, or DCSNet. Via a set of dedicated, encrypted lines plugged directly into the nation’s telecom hubs, DCSNet is designed to allow authorized law enforcement agents to initiate a wiretap or gather information with point‐and‐click simplicity. Yet a 2003 internal audit, released several years later under a freedom‐of‐information request, found a slew of problems in the system’s setup that appalled security experts. Designed with external threats in mind, it had few safeguards against an attack assisted by a Robert Hanssen‐style accomplice on the inside. We can hope those problems have been resolved by now. But if new vulnerabilities are routinely discovered in programs used by millions, there’s little reason to hope that bespoke spying software can be rendered airtight.
Of even greater concern, though, are the ways the government has encouraged myriad private telecoms and Internet providers to design for breach.
The most obvious means by which this is happening is direct legal pressure. State‐sanctioned eavesdroppers have always been able to demand access to existing telecommunications infrastructure. But the Communications Assistance for Law Enforcement Act of 1994 went further, requiring telephone providers to begin building networks ready‐made for easy and automatic wiretapping. Federal regulators recently expanded that requirement to cover broadband and many voice‐over‐Internet providers. The proposed SAFETY Act of 2009 would compound the security risk by requiring Internet providers to retain users’ traffic logs for at least two years, just in case law enforcement should need to browse through them.
A less obvious, but perhaps more serious factor is the sheer volume of surveillance the government now engages in. If government data caches contain vast quantities of information unrelated to narrow criminal investigations — routinely gathered in the early phases of an investigation to identify likely targets — attackers will have much greater incentive to expend time and resources on compromising them. The FBI’s database now contains billions of records from a plethora of public and private sources, much of it gathered in the course of broad, preliminary efforts to determine who merits further investigation. The sweeping, programmatic NSA surveillance authorized by the FISA Amendments Act of 2008 has reportedly captured e‐mails from the likes of former President Bill Clinton.
The volume of requests from both federal and state law enforcement has also put pressure on telecoms to automate their processes for complying with government information requests. In a leaked recording from the secretive ISS World surveillance conference held back in October, Sprint/Nextel’s head of surveillance described how the company’s L‐Site portal was making it possible to deal with the ballooning demand for information: