Good News For Hackers

The U.S. government may soon require online communications services to water down its encryption techniques. The proposed legislation, which federal law enforcement and national security officials hope to present to Congress in 2011, would mandate that all services used for online communications be capable of providing transcripts of their users’ emails or chats to the government if asked. The benefits must intercept and decode all encrypted messages using their sites or software.

The rules would affect email transmitters like Blackberry, social networking sites like Facebook, and peer-to-peer messaging software like Skype. Officials hope to write the bill in general terms, without reference to specific technologies, so other, unimagined services would also fall under the regulations.

A 1994 law, the Communications Assistance for Law Enforcement Act(1), currently requires phone and broadband network providers to intercept messages for the benefit of the cops, but that does investigators little good if messages are sent through online services that add their encryption. Many online communications services allow users to send messages in ways that make it impossible for anyone, including the service providers, to intercept and unscramble the exchanges.


Law enforcement officials argue that the world of communications is “going dark” as criminals and terrorists increasingly turn to the Internet instead of telephones to communicate with one another. Officials don’t lack the authority to eavesdrop on online communications; they lack the ability.


The United States is not the only country asking communications services to turn on the lights so Big Brother can keep watching. India and the United Arab Emirates have pressured Research In Motion, the Canadian maker of Blackberry smartphones, to make it easier to monitor messages. Some officials in India have even voiced suspicions that Research In Motion is already working with the United States to help it spy on encrypted communications.

I am all for giving counter-terrorism agents and federal law enforcement officers the tools they need to do the job. Unlike many of those who are likely to speak out against this bill, I think the risk of large-scale government abuse of enhanced surveillance tools is pretty low. If the rules are implemented, law enforcement will probably be criticized more frequently for not using the tools at its disposal than for using them too broadly.

But I doubt the increased burdens on service providers would lead investigators to catch bad guys who otherwise would have eluded them. The agencies advocating the regulations, including the Federal Bureau of Investigation, already have ample tools to trap stupid crooks. And the new rules would do nothing to help detect and capture smart criminals and terrorists.

As an illustration of the need for the regulations, an official told the New York Times about an investigation into a drug cartel that was delayed because the smugglers were using peer-to-peer software, making it difficult to intercept their communications. The official’s statement implied that the smugglers would have been caught more quickly with the new regulations.

Chances are, the smugglers used that software precisely because they knew it would put them in law enforcement’s blind spot. If investigators shine a flashlight on these communications, smugglers will find other dark corners, physical or virtual, where they can negotiate their deals.

If the bad guys are forced to be more inventive, they won’t face a scarcity of resources or possibilities. One technology blogger explains in detail how to hide files in JPG images. (2) With his easy, step-by-step instructions, anyone can learn how to email a “lolcats” photo (that’s ‘laugh-out-loud-cats,’ meaning a picture of irresistibly adorable kitties) that also contains the time and place of a drug handoff. Computer users can also easily download free software to perform their encryption instead of relying on communications service providers who could be hit with a subpoena.

And as investigators become increasingly high-tech in their techniques, criminals can always respond by becoming more low-tech. After all, we don’t require Federal Express to copy all the correspondence it delivers so documents can be turned over upon government subpoena.

The intentions behind the wiretapping proposal are honorable. The threats are real, and the need for timely information is urgent. But if electronic intercepts were the magic bullet, we would have captured Osama bin Laden and Ayman al-Zawahiri years ago. Unfortunately, they and their conspirators are smart enough not to hold conversations where investigators are looking. By the way, if you’re a government agent who has been directed here because my use of those names raised a flag, welcome to the Current Commentary. I hope you enjoy looking around.

When it comes to tracking down dangerous individuals, detective work will have to be performed in other ways, most of which involve getting close enough to a suspect to bug him or talk to him.

But, while criminals and terrorists would go to great lengths not to communicate sensitive information through any means subject to the new regulations, others would not. Businesspeople would continue to tap away at their Blackberries, many of them without realizing their information had become less secure.

The changes allowing service providers to access encrypted communications would also make it easier for hackers to get that information. The proposal is “a disaster waiting to happen,” Steven M. Bellovin, a Columbia University computer science professor, told The New York Times. “If they start building in all these back doors, they will be exploited.”

Even those infamous figures without superior computer skills stand to benefit from the proposal. Suppose service providers must access users’ communications to comply with government requests. In that case, there is also the possibility that rogue employees will sell that information to corrupt corporations looking to crack industry secrets or even to hostile governments. Potential bribers and extortionists would have a guarantee that communications service providers could if adequately baited, retrieve whatever information they might want.

I hope Congress will reject the proposed rules, but I am not optimistic. No matter how many security measures we have in place, there will inevitably be breaches, some of which may be catastrophic. No politician wants to risk being blamed when something goes wrong.

While we wait for the proposal to make its way to the congressional halls, corporate technology managers and would-be entrepreneurial tycoons may want to study encryption techniques.


Alcohol scholar. Bacon fan. Internetaholic. Beer geek. Thinker. Coffee advocate. Reader. Have a strong interest in consulting about teddy bears in Nigeria. Spent 2001-2004 promoting glue in Pensacola, FL. My current pet project is testing the market for salsa in Las Vegas, NV. In 2008 I was getting to know birdhouses worldwide. Spent 2002-2008 buying and selling easy-bake-ovens in Bethesda, MD. Spent 2002-2009 marketing country music in the financial sector.