Government proposal would expand wiretap laws to cover not just service providers, but also the likes of Facebook and Google, backed by escalating fines for noncompliance.

Mathew J. Schwartz, Contributor

May 1, 2013

4 Min Read

Anonymous: 10 Things We Have Learned In 2013

Anonymous: 10 Things We Have Learned In 2013


Anonymous: 10 Things We Have Learned In 2013 (click image for larger view and for slideshow)

Should Facebook, Google and similar sites be forced to adapt their infrastructure so that the FBI and other law enforcement agencies can easily tap suspects' communications in real time?

That's the impetus behind new wiretap guidelines being drawn up by a government panel, according to the Washington Post.

The draft guidelines, championed by the FBI, would allow courts to impose escalating fines on any business that didn't immediately comply with a court-ordered request for real-time communications interception, regardless of whether the Web service provider said such interception was technically feasible. Any business that fails to comply with the wiretap request could face fines that start at tens of thousands of dollars, then double daily after 90 days of noncompliance. The White House reportedly hasn't yet signed off on the proposals.

[ Questions about employee surveillance? Read Watching Workers: Where's The Line? ]

"Today, if you're a tech company that's created a new and popular way to communicate, it's only a matter of time before the FBI shows up with a court order to read or hear some conversation," Perkins Coie attorney Michael Sussmann, a former federal prosecutor, told the Post. "If the data can help solve crimes, the government will be interested."

In 2005, in an expansion of the Communications Assistance for Law Enforcement Act (CALEA), the Federal Communications Commission ruled that service providers, as well as VoIP providers, had to overhaul their networks to allow real-time interception. But that doesn't apply to businesses such as Facebook and Google. Accordingly, the FBI now tends to back off when those companies or their peers say they can't easily comply with an intercept request for technical reasons, rather than attempting to initiate contempt proceedings, reported the Post.

But the bureau would like that to change. "The importance to us is pretty clear," the FBI's general counsel, Andrew Weissmann, last month said in a speech to the American Bar Association's Standing Committee on Law and National Security. "We don't have the ability to go to court and say, 'We need a court order to effectuate the intercept.' Other countries have that. Most people assume that's what you're getting when you go to a court."

The bureau's push for expanded wiretapping powers is far from unexpected. Indeed, reports surfaced last year that the FBI was meeting with Facebook, Google, Microsoft and Yahoo, among other companies, to query how the bureau could best conduct surveillance of their services while causing minimal disruption.

In 2011, meanwhile, longtime FBI director Robert S. Mueller III urged Congress to give the bureau greater wiretapping capabilities, warning that to do otherwise meant there would be "a very real risk of the government 'going dark,' resulting in an increased risk to national security and public safety."

But civil rights groups have warned that the proposal to fine businesses that don't proactively aid FBI surveillance of their communications services risks wiretap capabilities being abused by attackers. "At the very time when the nation is concerned about cybersecurity, the FBI proposal has the potential to make our communications less secure," said Joe Hall, a senior staff technologist for the Center for Democracy and Technology, in a statement. "Once you build a wiretap capability into products and services, the bad guys will find a way to use it."

Another unanswered question is how new intercept capabilities would be tested or vetted. Would changes to popular services -- such as Facebook or Gmail -- first require a corresponding sign-off from IT staff at the FBI before they could be put into production?

"What the FBI is proposing sounds benign, but it comes with such onerous penalties that it would force developers to seek pre-approval from the FBI," said CDT president Leslie Harris in a statement. "No one is going to want to face fines that double every day, so they will go to the FBI and work it out in advance, diverting resources, slowing innovation, and resulting in less secure products."

In the wake of a zero-day vulnerability being exploited by multiple active attacks, IT teams wait for Oracle to respond. Again. Here's how to keep your systems safe. Get our Insecurity With Java report today. (Free registration required.)

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights