[ISN] New spy tools--for good or evil?

From: InfoSec News (isnat_private)
Date: Mon Apr 21 2003 - 22:45:13 PDT

    http://zdnet.com.com/2100-1107-997590.html
    
    By Declan McCullagh 
    CNET News.com
    April 21, 2003
    
    COMMENTARY -- Cisco Systems has created a more efficient and targeted
    way for police and intelligence agencies to eavesdrop on people whose
    Internet service provider uses their company's routers.
    
    The company recently published a proposal that describes how it plans
    to embed "lawful interception" capability into its products. Among the
    highlights: Eavesdropping "must be undetectable," and multiple police
    agencies conducting simultaneous wiretaps must not learn of one
    another. If an Internet provider uses encryption to preserve its
    customers' privacy and has access to the encryption keys, it must turn
    over the intercepted communications to police in a descrambled form.
    
    Cisco's decision to begin offering "lawful interception" capability as
    an option to its customers could turn out to be either good or bad
    news for privacy.
    
    Because Cisco's routers currently aren't designed to target an
    individual, it's easy for an Internet service provider (ISP) to comply
    with a police request today by turning over all the traffic that flows
    through a router or switch. Cisco's "lawful interception" capability
    thus might help limit the amount of data that gets scooped up in the
    process.
    
    On the other hand, the argument that it hinders privacy goes like
    this: By making wiretapping more efficient, Cisco will permit
    governments in other countries--where court oversight of police
    eavesdropping is even more limited than in the United States--to snoop on
    far more communications than they could have otherwise.
    
    Marc Rotenberg, head of the Electronic Privacy Information Center,
    says: "I don't see why the technical community should hardwire
    surveillance standards and not also hardwire accountability standards
    like audit logs and public reporting. The laws that permit 'lawful
    interception' typically incorporate both components--the
    (interception) authority and the means of oversight--but the (Cisco)  
    implementation seems to have only the surveillance component. That is
    no guarantee that the authority will be used in a 'lawful' manner."
    
    U.S. history provides many examples of government and police agencies
    conducting illegal wiretaps. The FBI unlawfully spied on Eleanor
    Roosevelt, Martin Luther King Jr., feminists, gay rights leaders and
    Catholic priests. During its dark days, the bureau used secret files
    and hidden microphones to blackmail the Kennedy brothers, sway the
    Supreme Court and influence presidential elections. Cisco's Internet
    draft may be titled "lawful interception," but there's no guarantee
    that the capability will always be used legally.
    
    Still, if you don't like Cisco's decision, remember that they're not
    the ones doing the snooping. Cisco is responding to its customers'
    requests, and if they don't, other hardware vendors will. If you're
    looking for someone to blame, consider Attorney General John Ashcroft,
    who asked for and received sweeping surveillance powers in the USA
    Patriot Act, along with your elected representatives in Congress, who
    gave those powers to him with virtually no debate.
    
    I talked with Fred Baker, a Cisco fellow and former chairman of the
    Internet Engineering Task Force (IETF), about his work on the "lawful
    interception" draft.
    
    
    Q: Why did Cisco decide to build "lawful interception" into its
    products? What prompted this?
    
    A: Cisco's customers, not just in United States but in many countries,
    are finding themselves served with subpoenas to mandate lawful
    intercept functionality. Cisco received requests from its customers
    for this capability.
    
    When I found out about the project, I asked to be involved because I
    wanted to ensure that it was done in a manner that was as close to
    balanced as I could get. From an engineering perspective, the easiest
    thing is to give everything to law enforcement and let them sort it
    out. But I wanted to do better than that.
    
    
    Q: When was that?
    
    A: The actual development of this document started probably seven to
    eight months ago.
    
    
    Q: What was the reaction of the Internet community and the IETF after you
    released the draft?
    
    A: I've seen very little reaction so far. We have been contacted by
    Verisign, with which we had an NDA relationship. They said, "We'd like
    to work with you on this." That's about all we've had. John Gilmore
    (of the Electronic Privacy Information Center) posted comments to an
    IETF mailing list. He wanted to ensure that the capability would be as
    difficult to use as possible.
    
    
    Q: When will Cisco's customers be able to buy "lawful interception"
    products or an upgrade?
    
    A: We haven't yet announced anything. Any product that a service provider
    is likely to purchase will have an option to provide lawful
    interception. That's not for all of our products but for a fairly
    broad subset.
    
    We're in the process of doing early field trials on that capability.  
    In most cases it's a software upgrade. What we're doing is putting the
    capability in a separate image so you know what you're getting when
    you get it. Under U.S. law, if you have that ability, you could be
    required to use it. Our service provider customers have asked us not
    to put it in the standard image, so that they can't be forced to use
    it.
    
    
    Q: How much will it cost?
    
    A: We haven't announced that. There was some discussion at some point
    about putting in a nuisance fee.
    
    
    Q: What percentage of your customers who have asked for "lawful
    interception" capability are within the United States?
    
    A: We have service provider customers in a number of countries that have
    asked us for it. Some have been more insistent than others.
    
    
    Q: Do you have any moral problems with helping to make surveillance
    technology more efficient?
    
    A: I have some moral and ethical issues, but I think quite frankly that
    the place to argue this is in Congress and in the courtroom, not a
    service provider's machine room when he's staring down the barrel of a
    subpoena.
    
    There are two sides. One is that Cisco as a company needs to let its
    customers abide by the law. The other is the moral and ethical issues.  
    There are two very separate questions.
    
    
    Q: The current draft does not include an audit trail. Could you do that
    by having your equipment digitally sign a file that says who's been
    intercepted and for how long? That could be turned over to a judge. It
    could indicate whether the cops were or weren't staying within the
    bounds of the law.
    
    A: I'm not entirely sure that the machine we're looking at could make
    that assurance... In fact, the way lawful interception works, a
    warrant comes out saying, "We want to look at a person." That's the
    way it works in Europe, the United States, Australia and in other
    western countries. The quest then becomes figuring out which equipment
    a person is reasonably likely to use, and it becomes law enforcement's
    responsibility to discard any information that's irrelevant to the
    warrant. That kind of a thing would probably be maintained on the
    mediation device.
    
    
    Q: Who controls the mediation device?
    
    A: The Internet provider. The mediation device picks out the subset that
    relates to a particular warrant.
    
    
    Q: A few years ago (in RFC 2804) the IETF rejected the idea of building
    eavesdropping capability into Internet protocols. The FBI supported
    the idea, but the IETF said, no way. You were chair of the IETF at the
    time. How do you reconcile your proposal with the decision made then?
    
    A: I thought that what the IETF decided to do was actually the right
    thing to decide. What it said is that the IETF would not modify
    protocols that were designed for some other purpose in order to
    support lawful interception.
    
    
    Q: Will you discuss this at the next IETF meeting in Austria in July?
    
    A: We're hoping for community review. If people see any problems with
    what we're doing on a technical level, we're all ears. We want to
    produce the best possible capability in terms of security and the
    capability required.
    
    
    Q: Have you had requests for this capability, directly or indirectly,
    from government agencies?
    
    A: Yes and no. We got the request from our customers. The laws relate to
    the ISPs, which are our customers. Certainly, if we get a request from
    our customers that we can't support, there are penalties that accrue.
    
    We've had direct contact with the FBI and other agencies. When I was
    in Holland I (spoke at a conference with the head of the equivalent of
    the country's Central Intelligence Agency). The fact that he came out
    and said something made the 8 o'clock news. I had a meeting with him
    and some of his people a few days later to figure out what he wanted
    and what he intended to do with this. As an engineer I wanted to
    understand a customer's problem.
    
    We've had discussions with government agencies, but (they're generally
    not) asking us to build a product. They do that with ISPs, who then
    come to us.
    
    
    Q: What other companies are going a similar route?
    
    A: We're a little bit more open than everyone else. It really wouldn't be
    appropriate for me to talk about other companies. It's not like we're
    coming out and saying, "Hey, this is the reason you should buy a Cisco
    router." This is something we're doing because our customers want it.
    
    
    Q: What do you think of governments with scant respect for privacy rights
    using "lawful interception" technology to become more efficient
    eavesdroppers? Do you ever stay up late at night worrying about what
    they might do with it?
    
    A: Of course I do. But that problem is the reason I got involved. We have
    some capabilities in some of our equipment that will allow you to take
    all the traffic that goes across an interface and send it to another
    interface. Right now that is used in some cases as a lawful
    interception technology.
    
    When we first started talking, some engineers said, "Let's turn this
    on and use that." I said, "Heavens no, if we can narrow the range of
    information, let's do it." Let's let our customers meet their
    requirements in as privacy-protecting a way as possible. So yes,
    there's a conflict, but the conflict is why I got involved.
    
    
    
    