Risk
5/1/2013
12:37 PM
Connect Directly
RSS
E-Mail
50%
50%

FBI Seeks Real-Time Facebook, Google Wiretaps

Government proposal would expand wiretap laws to cover not just service providers, but also the likes of Facebook and Google, backed by escalating fines for noncompliance.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Should Facebook, Google and similar sites be forced to adapt their infrastructure so that the FBI and other law enforcement agencies can easily tap suspects' communications in real time?

That's the impetus behind new wiretap guidelines being drawn up by a government panel, according to the Washington Post.

The draft guidelines, championed by the FBI, would allow courts to impose escalating fines on any business that didn't immediately comply with a court-ordered request for real-time communications interception, regardless of whether the Web service provider said such interception was technically feasible. Any business that fails to comply with the wiretap request could face fines that start at tens of thousands of dollars, then double daily after 90 days of noncompliance. The White House reportedly hasn't yet signed off on the proposals.

[ Questions about employee surveillance? Read Watching Workers: Where's The Line? ]

"Today, if you're a tech company that's created a new and popular way to communicate, it's only a matter of time before the FBI shows up with a court order to read or hear some conversation," Perkins Coie attorney Michael Sussmann, a former federal prosecutor, told the Post. "If the data can help solve crimes, the government will be interested."

In 2005, in an expansion of the Communications Assistance for Law Enforcement Act (CALEA), the Federal Communications Commission ruled that service providers, as well as VoIP providers, had to overhaul their networks to allow real-time interception. But that doesn't apply to businesses such as Facebook and Google. Accordingly, the FBI now tends to back off when those companies or their peers say they can't easily comply with an intercept request for technical reasons, rather than attempting to initiate contempt proceedings, reported the Post.

But the bureau would like that to change. "The importance to us is pretty clear," the FBI's general counsel, Andrew Weissmann, last month said in a speech to the American Bar Association's Standing Committee on Law and National Security. "We don't have the ability to go to court and say, 'We need a court order to effectuate the intercept.' Other countries have that. Most people assume that's what you're getting when you go to a court."

The bureau's push for expanded wiretapping powers is far from unexpected. Indeed, reports surfaced last year that the FBI was meeting with Facebook, Google, Microsoft and Yahoo, among other companies, to query how the bureau could best conduct surveillance of their services while causing minimal disruption.

In 2011, meanwhile, longtime FBI director Robert S. Mueller III urged Congress to give the bureau greater wiretapping capabilities, warning that to do otherwise meant there would be "a very real risk of the government 'going dark,' resulting in an increased risk to national security and public safety."

But civil rights groups have warned that the proposal to fine businesses that don't proactively aid FBI surveillance of their communications services risks wiretap capabilities being abused by attackers. "At the very time when the nation is concerned about cybersecurity, the FBI proposal has the potential to make our communications less secure," said Joe Hall, a senior staff technologist for the Center for Democracy and Technology, in a statement. "Once you build a wiretap capability into products and services, the bad guys will find a way to use it."

Another unanswered question is how new intercept capabilities would be tested or vetted. Would changes to popular services -- such as Facebook or Gmail -- first require a corresponding sign-off from IT staff at the FBI before they could be put into production?

"What the FBI is proposing sounds benign, but it comes with such onerous penalties that it would force developers to seek pre-approval from the FBI," said CDT president Leslie Harris in a statement. "No one is going to want to face fines that double every day, so they will go to the FBI and work it out in advance, diverting resources, slowing innovation, and resulting in less secure products."

In the wake of a zero-day vulnerability being exploited by multiple active attacks, IT teams wait for Oracle to respond. Again. Here's how to keep your systems safe. Get our Insecurity With Java report today. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
5/4/2013 | 1:26:02 PM
re: FBI Seeks Real-Time Facebook, Google Wiretaps
Did you read the Washington Post article? If you did, you would find this quote - "The Obama administration has not yet signed off on the proposal. Justice Department, FBI and White House officials declined to comment."
Like I alluded too, and rather than blaming Obama, the Bush admin kicked off the steady erosion of our civil liberties to ostensibly asuage our "fears". What a legacy...
NJ Mike
50%
50%
NJ Mike,
User Rank: Apprentice
5/3/2013 | 12:19:41 PM
re: FBI Seeks Real-Time Facebook, Google Wiretaps
Obama has been in office 4+ years, the "blame Bush" stategy is wearing thin.
"That's the impetus behind new wiretap guidelines being drawn up by a government panel, according to the Washington Post. " - "being drawn up" is present tense.
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
5/2/2013 | 10:33:31 PM
re: FBI Seeks Real-Time Facebook, Google Wiretaps
Right. Anyone paying attention will concur that our civil liberties began to disappear quickly back when your hero started two wars (one on questionable intel), created Home Land Invasion, err uhh, Security, and passed the Patriot Act. The current FBI push has what to do with Obama... I ask?
iNtHEmACHINE
50%
50%
iNtHEmACHINE,
User Rank: Apprentice
5/2/2013 | 9:58:29 PM
re: FBI Seeks Real-Time Facebook, Google Wiretaps
Sweet! Now everything on the web will be as secure as java and flash. Hai, we gets all your stuffz losers.
NJ Mike
50%
50%
NJ Mike,
User Rank: Apprentice
5/2/2013 | 5:37:20 PM
re: FBI Seeks Real-Time Facebook, Google Wiretaps
If the owners of a company supported President Obama in either of the last elections, they should follow these proposed guidelines without question.
ANON1234369798209
50%
50%
ANON1234369798209,
User Rank: Apprentice
5/2/2013 | 3:17:28 PM
re: FBI Seeks Real-Time Facebook, Google Wiretaps
With so few citizens educated in the basic fundamentals of grammar, there is a good posibility our democracy will quickly devolve into communism after a brief dip in the warmer waters of socialism...
Guy Anderson
50%
50%
Guy Anderson,
User Rank: Apprentice
5/2/2013 | 12:13:00 AM
re: FBI Seeks Real-Time Facebook, Google Wiretaps
So are we the knew China?
dufas_duck
50%
50%
dufas_duck,
User Rank: Apprentice
5/2/2013 | 12:03:32 AM
re: FBI Seeks Real-Time Facebook, Google Wiretaps
Just think, the FBI, Police, HLS, etc, etc, etc, will have access passwords and user names for banks, businesses, all sorts of things. Credit card numbers, pin numbers, bank withdrawal numbers, checking accounts,...... Why not just have everyone do all their business through some government agency?? Last year, one of the British MPs tried to float a law that everyone's pay be diverted through a government office so that the government can take it's cut directly and then forward what the government thinks the working person deserved from what is left. I see a future somewhat similar to East Berlin ahead for us if these idiots keep forging ahead with their agendas..... Check points every few blocks...Let's see your papers,...What reason have you for being in this area????

I'm from the government and am just here to 'help' you...coming to an area near you.....
Guest
50%
50%
Guest,
User Rank: Apprentice
5/1/2013 | 9:27:47 PM
re: FBI Seeks Real-Time Facebook, Google Wiretaps
I don't know why Facebook has a problem with privacy issues. Maybe this time they're not getting paid for it?
John Doe
50%
50%
John Doe,
User Rank: Apprentice
5/1/2013 | 6:44:49 PM
re: FBI Seeks Real-Time Facebook, Google Wiretaps
I am a lead developer in our group, let me approve the code coming from FBI. I promise I will not use it for my personal gain. Xross my heart!
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3341
Published: 2014-08-19
The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 and 6000 devices provides different error messages for invalid requests depending on whether the VLAN ID exists, which allows remote attackers to enumerate VLANs via a series of requests, aka Bug ID CSCup85616.

CVE-2014-3464
Published: 2014-08-19
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers ...

CVE-2014-3472
Published: 2014-08-19
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

CVE-2014-3490
Published: 2014-08-19
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have...

CVE-2014-3504
Published: 2014-08-19
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Dark Reading continuing coverage of the Black Hat 2014 conference brings interviews and commentary to Dark Reading listeners.