Wiretapping in a Hosted VoIP World
You may think that expanded FBI powers won't affect the enterprise. Don't be so sure.
Wiretapping exists, legally, for the benefit of law enforcement to protect the citizens of the U.S. But what if the wiretapping rules are extended so far that technology innovators must first get approval from the federal government BEFORE offering new technologies that affect wiretapping capabilities? How will the requirements affect hosted/cloud based service providers?
The U.S. promotes a free [from intrusion and government content control] Internet but criticizes countries that operate with a poor human rights record. How can the U.S. be a leader in this case while the FBI does a similar intrusion of communications? Will the changes force cloud providers to only locate their sites in the U.S? What are the ramifications for multi-national enterprises with sites outside the U.S?
Gregory T. Nojeim, who is the senior counsel for the Center for Democracy & Technology posted at The Hill’s Congress Blog, a piece entitled, “New wiretapping mandates could harm privacy, innovation and security". I think the blog is worth reading because it highlights the possible ramifications that may emerge if the FBI gets its way. The following is an excerpt from that blog--the entire thing is worth reading.
The Federal Bureau of Investigation wants statutory authority to control Internet technologies to make them even more intrusive and easier to intercept. According to a New York Times [article], the FBI wants to be able to force innovators to design their communications applications to be wiretap-friendly. The proposal has not yet been made public and is still under discussion among federal agencies, so it is not clear who or what would be covered or what changes the FBI desires. Among other companies, the FBI has mentioned Skype, which provides encrypted VOIP (voice over Internet Protocol) services, and RIM, which makes the popular BlackBerry. Taking the FBI claims at face value, they would be compelled to design their services to ensure government access to unscrambled communications. [Hosted/cloud services will likely be affected as well as enterprise based systems]
If enacted in law, the FBI plan would likely expand electronic surveillance that is already at record levels. In 2009, 2,376 federal and state wiretaps were placed for criminal purposes--more than in any prior year. (And that’s not counting the 1,320 intelligence intercepts in 2009.) On average in 2009, 3,763 communications were intercepted in every criminal wiretap, yet 82 percent of monitored calls were non-incriminating, according to the government’s own data. At the same time, the legal restraints on surveillance have been steadily relaxed--especially since the September 11 attacks. Examples include the 2001 PATRIOT Act, the 2008 FISA Amendments Act, and the steady addition of relatively minor crimes to the list of offenses for which wiretapping is permitted. If the legal standards are weak and the technology of wiretapping is friction-free, where are the limits on government power?
The government already has control over the facilities connecting people to the Internet. In 1994, Congress adopted the Communications Assistance for Law Enforcement Act (CALEA), requiring traditional telephone companies and cellular providers to design their switching equipment to a government-approved standard to facilitate wiretapping. In 2005, those requirements were extended to all providers of broadband Internet access. The latest proposal, however, focuses on the most dynamic parts of the Internet: the diverse services and applications that ride on top of the Internet.... The U.S. has been a global leader. To require government pre-clearance for the innovator making the next great communications application in his garage or dorm room [could block new innovations]. Some current applications would have to change so drastically that they would become unrecognizable to current users. Others might be outlawed altogether.
In essence, the FBI is asking that applications have a built in back door to facilitate government wiretapping. However, such back doors can also be exploited by hackers and identity thieves. This will exacerbate the cyber security challenges we already face.... More back doors means less-secure networks.
The FBI proposal faces an uncertain path. Legislators of both parties already concerned with the size and intrusiveness of government should insist that the FBI fully document not only the problem but also how they expect their solution to work without opening new security vulnerabilities or forcing the redesign of some widespread and valuable services. And those who want the government to facilitate rather than impede job creation among small businesses should not overlook the uncertainty that these proposed mandates would create and the drag they would put on innovation and on the development of new services.
You may think this FBI effort will not impact the enterprise. But consider the VoIP communications that occurs in the financial industry, healthcare and state and local government agencies. Will they have to revise their security and privacy rules to satisfy the FBI? Even if these organizations accept the FBI's changes, what will be the financial costs to comply?