Information Security News mailing list archives

New spy tools--for good or evil?


From: InfoSec News <isn () c4i org>
Date: Tue, 22 Apr 2003 00:45:13 -0500 (CDT)

http://zdnet.com.com/2100-1107-997590.html

By Declan McCullagh 
CNET News.com
April 21, 2003

COMMENTARY -- Cisco Systems has created a more efficient and targeted
way for police and intelligence agencies to eavesdrop on people whose
Internet service provider uses their company's routers.

The company recently published a proposal that describes how it plans
to embed "lawful interception" capability into its products. Among the
highlights: Eavesdropping "must be undetectable," and multiple police
agencies conducting simultaneous wiretaps must not learn of one
another. If an Internet provider uses encryption to preserve its
customers' privacy and has access to the encryption keys, it must turn
over the intercepted communications to police in a descrambled form.

Cisco's decision to begin offering "lawful interception" capability as
an option to its customers could turn out to be either good or bad
news for privacy.

Because Cisco's routers currently aren't designed to target an
individual, it's easy for an Internet service provider (ISP) to comply
with a police request today by turning over all the traffic that flows
through a router or switch. Cisco's "lawful interception" capability
thus might help limit the amount of data that gets scooped up in the
process.

On the other hand, the argument that it hinders privacy goes like
this: By making wiretapping more efficient, Cisco will permit
governments in other countries--where court oversight of police
eavesdropping is even more limited than in the United States--to snoop
on far more communications than they could have otherwise.

Marc Rotenberg, head of the Electronic Privacy Information Center,
says: "I don't see why the technical community should hardwire
surveillance standards and not also hardwire accountability standards
like audit logs and public reporting. The laws that permit 'lawful
interception' typically incorporate both components--the
(interception) authority and the means of oversight--but the (Cisco)  
implementation seems to have only the surveillance component. That is
no guarantee that the authority will be used in a 'lawful' manner."

U.S. history provides many examples of government and police agencies
conducting illegal wiretaps. The FBI unlawfully spied on Eleanor
Roosevelt, Martin Luther King Jr., feminists, gay rights leaders and
Catholic priests. During its dark days, the bureau used secret files
and hidden microphones to blackmail the Kennedy brothers, sway the
Supreme Court and influence presidential elections. Cisco's Internet
draft may be titled "lawful interception," but there's no guarantee
that the capability will always be used legally.

Still, if you don't like Cisco's decision, remember that they're not
the ones doing the snooping. Cisco is responding to its customers'
requests, and if they don't, other hardware vendors will. If you're
looking for someone to blame, consider Attorney General John Ashcroft,
who asked for and received sweeping surveillance powers in the USA
Patriot Act, along with your elected representatives in Congress, who
gave those powers to him with virtually no debate.

I talked with Fred Baker, a Cisco fellow and former chairman of the
Internet Engineering Task Force (IETF), about his work on the "lawful
interception" draft.


Q: Why did Cisco decide to build "lawful interception" into its
products? What prompted this?

A: Cisco's customers, not just in United States but in many countries,
are finding themselves served with subpoenas to mandate lawful
intercept functionality. Cisco received requests from its customers
for this capability.

When I found out about the project, I asked to be involved because I
wanted to ensure that it was done in a manner that was as close to
balanced as I could get. From an engineering perspective, the easiest
thing is to give everything to law enforcement and let them sort it
out. But I wanted to do better than that.


When was that?

The actual development of this document started probably seven to
eight months ago.


What was the reaction of the Internet community and the IETF after you
released the draft?

I've seen very little reaction so far. We have been contacted by
Verisign, with which we had an NDA relationship. They said, "We'd like
to work with you on this." That's about all we've had. John Gilmore
(of the Electronic Privacy Information Center) posted comments to an
IETF mailing list. He wanted to ensure that the capability would be as
difficult to use as possible.


When will Cisco's customers be able to buy "lawful interception"  
products or an upgrade?

We haven't yet announced anything. Any product that a service provider
is likely to purchase will have an option to provide lawful
interception. That's not for all of our products but for a fairly
broad subset.

We're in the process of doing early field trials on that capability.  
In most cases it's a software upgrade. What we're doing is putting the
capability in a separate image so you know what you're getting when
you get it. Under U.S. law, if you have that ability, you could be
required to use it. Our service provider customers have asked us not
to put it in the standard image, so that they can't be forced to use
it.


How much will it cost?

We haven't announced that. There was some discussion at some point
about putting in a nuisance fee.


What percentage of your customers who have asked for "lawful
interception" capability are within the United States?

We have service provider customers in a number of countries that have
asked us for it. Some have been more insistent than others.


Do you have any moral problems with helping to make surveillance
technology more efficient?

I have some moral and ethical issues, but I think quite frankly that
the place to argue this is in Congress and in the courtroom, not a
service provider's machine room when he's staring down the barrel of a
subpoena.

There are two sides. One is that Cisco as a company needs to let its
customers abide by the law. The other is the moral and ethical issues.  
There are two very separate questions.


The current draft does not include an audit trail. Could you do that
by having your equipment digitally sign a file that says who's been
intercepted and for how long? That could be turned over to a judge. It
could indicate whether the cops were or weren't staying within the
bounds of the law.

I'm not entirely sure that the machine we're looking at could make
that assurance... In fact, the way lawful interception works, a
warrant comes out saying, "We want to look at a person." That's the
way it works in Europe, the United States, Australia and in other
western countries. The quest then becomes figuring out which equipment
a person is reasonably likely to use, and it becomes law enforcement's
responsibility to discard any information that's irrelevant to the
warrant. That kind of a thing would probably be maintained on the
mediation device.


Who controls the mediation device?

The Internet provider. The mediation device picks out the subset that
relates to a particular warrant.


A few years ago (in RFC 2804) the IETF rejected the idea of building
eavesdropping capability into Internet protocols. The FBI supported
the idea, but the IETF said, no way. You were chair of the IETF at the
time. How do you reconcile your proposal with the decision made then?

I thought that what the IETF decided to do was actually the right
thing to decide. What it said is that the IETF would not modify
protocols that were designed for some other purpose in order to
support lawful interception.


Will you discuss this at the next IETF meeting in Austria in July?

We're hoping for community review. If people see any problems with
what we're doing on a technical level, we're all ears. We want to
produce the best possible capability in terms of security and the
capability required.


Have you had requests for this capability, directly or indirectly,
from government agencies?

Yes and no. We got the request from our customers. The laws relate to
the ISPs, which are our customers. Certainly, if we get a request from
our customers that we can't support, there are penalties that accrue.

We've had direct contact with the FBI and other agencies. When I was
in Holland I (spoke at a conference with the head of the equivalent of
the country's Central Intelligence Agency). The fact that he came out
and said something made the 8 o'clock news. I had a meeting with him
and some of his people a few days later to figure out what he wanted
and what he intended to do with this. As an engineer I wanted to
understand a customer's problem.

We've had discussions with government agencies, but (they're generally
not) asking us to build a product. They do that with ISPs, who then
come to us.


What other companies are going a similar route?

We're a little bit more open than everyone else. It really wouldn't be
appropriate for me to talk about other companies. It's not like we're
coming out and saying, "Hey, this is the reason you should buy a Cisco
router." This is something we're doing because our customers want it.


What do you think of governments with scant respect for privacy rights
using "lawful interception" technology to become more efficient
eavesdroppers? Do you ever stay up late at night worrying about what
they might do with it?

Of course I do. But that problem is the reason I got involved. We have
some capabilities in some of our equipment that will allow you to take
all the traffic that goes across an interface and send it to another
interface. Right now that is used in some cases as a lawful
interception technology.

When we first started talking, some engineers said, "Let's turn this
on and use that." I said, "Heavens no, if we can narrow the range of
information, let's do it." Let's let our customers meet their
requirements in as privacy-protecting a way as possible. So yes,
there's a conflict, but the conflict is why I got involved.




-
ISN is currently hosted by Attrition.org
