The FBI, Content Monitoring, Backdoors and Going Dark

Wednesday, May 09, 2012

Plagiarist Paganini


(Translated from the original Italian)

Social networks represent a rich mine of information that is of great interest to researchers, cyber criminals and government agencies.

By analyzing these networks it is possible to create a detailed profile of users, their relationships and their habits, and the ability to exercise this control over social networks is an actual form of power - the power of knowledge.

We have all read news regarding the efforts by law enforcement and government agencies in the development of new tools and applications for the monitoring of social networks.

The FBI is one of the most active in this sense, and in recent months has publicly requested the design of a system for real-time monitoring of social networks that would have to be able to identify suspect behaviors that could be interpreted as indicators of an ongoing crime.

According to CNET, the FBI is working to obtain a sort of backdoor for major social networks like Facebook, and also for some of the most used communications platforms such as Skype and Instant Messaging. The agency is interested in maintaining a backdoor for government surveillance, and for this reason it is collaborating with companies like Microsoft, Google and Yahoo.

The FBI has been lobbying these top Internet companies to support a proposal that would force them to provide these backdoors for government surveillance, according to CNET. The purpose of the collaboration between the FBI and major IT companies and Internet Service Providers (ISPs) is tied to the desire of the agency to have legislation passed that allows law enforcement to have this kind of access.

The FBI desires the collaboration of the major players in the IT sector to implement specific backdoor stubs inside their products with intent to make them wiretap-friendly, and the request is targeted at all communications platforms, social networks, email providers, chats and instant messaging.

On more than one occasion, government agencies have highlighted the difficulties related to monitoring new communications channels based on the Internet.

Let's remember that CALEA (Communications Assistance for Law Enforcement Act), passed in 1994, requires every communication provider to make their systems wiretap-friendly, and in 2004 the concept was also extended to ISPs by the Federal Communications Commission, despite de facto non-application in the case of the major web companies.

Starting with CALEA, the FBI is interested in extending the regulation to any kind of communications made using Internet channels, and this means that there will be a direct impact on VoIP communications used by famous platforms like Skype and Xbox Live.

Regarding Xbox, let me remind you that the US Government has already committed to a project to spy on communications made through gaming platforms, confirming the great interest of the current administration in monitoring any kind of network and any kind of information circulating on it.

In February 2011, CNET reported that then-FBI general counsel Valerie Caproni was planning to warn Congress of what the bureau calls its "Going Dark" problem, illustrating how the wiretapping capabilities were being reduced with the progress of privacy technology.

"Caproni singled out 'Web-based e-mail, social-networking sites, and peer-to-peer communications' as problems that have left the FBI 'increasingly unable' to conduct the same kind of wiretapping it could in the past."

“Going Dark” is the FBI’s code name for its project to extend its ability to wiretap communications in real time. It was born inside the bureau, now employing 107 full-time experts starting in 2009.

What are law enforcement's capabilities?

According to Electronic Frontier Foundation attorney Kevin Bankston, the FBI can already intercept messages on social-networking sites and Web-based e-mail services with a system known as Carnivore, later renamed DCS1000.

The interception is possible because Facebook messages and Gmail messages travel in plain text over those same broadband wires for which the FBI demanded wiretapping capability.

The main problem is the rapid technological evolution that makes surveillance systems obsolete in a short amount of time, and this is the reason for the request by the FBI to include a backdoor in any product that could be involved in communications, like social networks and online game consoles.

Security and compromises

Of course, the presence of a backdoor in the products available on the market used for communications purposes could give a great advantage to law enforcement in the fight against cyber crime, but we cannot forget two fundamental aspects:

  • Who will manage the acquired data, and how. The line between monitoring and censorship is thin, and we have observed questionable behavior in several countries with regard to this kind of information.
  • The presence of a backdoor introduces a vulnerability from a security perspective. What would happen if a hostile government or group of cyber criminals could exploit it? It would be an unprecedented disaster.

The problem therefore lies in the ability to manage such a critical feature, and this issue is extremely complex. Are we ready to address these issues? I'm afraid not, unfortunately...

Cross-posted from Security Affairs

Michael Johnson It's not a matter of if such a backdoor is exploited, but a matter of when. If this daft proposal goes ahead, people will already know of the critical 'feature's (vulnerability's) existence from day one, and will go looking for it. If the proposal is implemented, webmail, Live Office, Google Docs, etc. should be considered totally compromised.

The only thing that's not certain is whether the exploits would be sold to criminals, or made available to every script kiddy the world over. The results could be disastrous.
Plagiarist Paganini What you say is worrying but true.
I agree
Sal Tuzzo IMHO - I consider many of the applications (webmail, Live Office, Google Docs, etc.) and especially the OSes already compromised, as we have seen over the years. Even without "back doors" the vulnerabilities of the current technology are exploited. Then the questions become - 1. Require due process protocol to be used to obtain the information, as with the cell phone companies' GPS issue that is being discussed. 2. Ensure accountability for the information, with proper recourse when released without due process.

The government's history of accountability speaks for itself.

Any time you have back doors to networks you risk the exploitation of information. In this case also a lack of accountability and public recourse.
Plagiarist Paganini Hi Sal, it's possible but not yet demonstrated. Consider that hiding a backdoor inside a product (sw or hw) is not simple. Remember that for a company the discovery of a backdoor in their product could mean the business stops.
It's also true that the presence of backdoors could be locally pushed by government ... don't forget the Rinoa Project in India.
Thanks for the comment