Abstract

http://ssrn.com/abstract=2312107
 


 



Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet


Steven M. Bellovin


Columbia University - Department of Computer Science

Matt Blaze


University of Pennsylvania - School of Engineering & Applied Science

Sandy Clark


University of Pennsylvania - School of Engineering & Applied Science

Susan Landau


Harvard University; Sun Microsystems, Inc.

August 18, 2013

Privacy Legal Scholars Conference, June 2013

Abstract:     
For years, legal wiretapping was straightforward: the officer doing the intercept connected a tape recorder or the like to a single pair of wires. By the 1990s, though, the changing structure of telecommunications — there was no longer just “Ma Bell” to talk to — and new technologies such as ISDN and cellular telephony made executing a wiretap more complicated for law enforcement. Simple technologies would no longer suffice. In response, Congress passed the Communications Assistance for Law Enforcement Act (CALEA), which mandated a standardized lawful intercept interface on all local phone switches. Technology has continued to progress, and in the face of new forms of communication — Skype, voice chat during multi-player online games, many forms of instant messaging, etc.— law enforcement is again experiencing problems. The FBI has called this “Going Dark”: their loss of access to suspects’ communication. According to news reports, they want changes to the wiretap laws to require a CALEA-­like interface in Internet software.

CALEA, though, has its own issues: it is complex software specifically intended to create a security hole — eavesdropping capability — in the already-­complex environment of a phone switch. It has unfortunately made wiretapping easier for everyone, not just law enforcement. Congress failed to heed experts’ warnings of the danger posed by this mandated vulnerability, but time has proven the experts right. The so-­called “Athens Affair”, where someone used the built-­in lawful intercept mechanism to listen to the cell phone calls of high Greek officials, including the Prime Minister, is but one example. In an earlier work, we showed why extending CALEA to the Internet would create very serious problems, including the security problems it has visited on the phone system.

In this paper, we explore the viability and implications of an alternative method for addressing law enforcement's need to access communications: legalized hacking of target devices through existing vulnerabilities in end-­user software and platforms. The FBI already uses this approach on a small scale; we expect that its use will increase, especially as centralized wiretapping capabilities become less viable.

Relying on vulnerabilities and hacking poses a large set of legal and policy questions, some practical and some normative. Among these are:

• Will it create disincentives to patching?

• Will there be a negative effect on innovation? (Lessons from the so-­called “Crypto Wars” of the 1990s, and, in particular, the debate over export controls on cryptography, are instructive here.)

• Will law enforcement’s participation in vulnerabilities purchasing skew the market?

• Do local and even state law enforcement agencies have the technical sophistication to develop and use exploits? If not, how should this be handled? A larger FBI role?

• Should law enforcement even be participating in a market where many of the sellers and other buyers are themselves criminals?

• What happens if these tools are captured and re-purposed by miscreants?

• Should we sanction otherwise-­illegal network activity to aid law enforcement?

• Is the probability of success from such an approach too low for it to be useful?

As we will show, though, these issues are indeed challenging. We regard them, on balance, as preferable to adding more complexity and insecurity to online systems.

Number of Pages in PDF File: 70

Keywords: wiretap, CALEA, surveillance, hacking, vulnerabilities, cyber-security, law enforcement

working papers series


Download This Paper

Date posted: August 19, 2013  

Suggested Citation

Bellovin, Steven M. and Blaze, Matt and Clark, Sandy and Landau, Susan, Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet (August 18, 2013). Privacy Legal Scholars Conference, June 2013. Available at SSRN: http://ssrn.com/abstract=2312107 or http://dx.doi.org/10.2139/ssrn.2312107

Contact Information

Steven M. Bellovin
Columbia University - Department of Computer Science ( email )
New York, NY 10027
United States
Matt Blaze
University of Pennsylvania - School of Engineering & Applied Science ( email )
Philadelphia, PA
United States
Sandy Clark
University of Pennsylvania - School of Engineering & Applied Science ( email )
Philadelphia, PA
United States
Susan Landau (Contact Author)
Harvard University ( email )
1875 Cambridge Street
Cambridge, MA 02138
United States
HOME PAGE: http://www.privacyink.org
Sun Microsystems, Inc. ( email )
United States
HOME PAGE: http://research.sun.com/people/slandau/
Feedback to SSRN


Paper statistics
Abstract Views: 5,618
Downloads: 756
Download Rank: 16,921

© 2014 Social Science Electronic Publishing, Inc. All Rights Reserved.  FAQ   Terms of Use   Privacy Policy   Copyright   Contact Us
This page was processed by apollo4 in 0.891 seconds