Net path upsurge thwarts wiretaps

Online tools lack backdoor entries

WASHINGTON -- Federal law enforcement and intelligence authorities said they are increasingly struggling to conduct court-ordered wiretaps on suspects because of a surge in chat services, instant-messaging and other online communications that lack the technical means to be intercepted.

A "large percentage" of wiretap orders to pick up the communications of suspected spies and foreign agents are not being fulfilled, FBI officials said. Law enforcement agents are citing the same challenge in criminal cases. Agents, they say, often decline to even seek orders when they know firms lack the means to tap into a suspect's communications in real time.

"It's a significant problem, and it's continuing to get worse," said Amy Hess, executive assistant director of the FBI's Science and Technology Branch.

One former U.S. official said that each year "hundreds" of individualized wiretap orders for foreign intelligence are not being fully executed because of a growing gap between the government's legal authority and its practical ability to capture communications -- a problem bureau officials have called "going dark."

Officials have expressed alarm for several years about the expansion of online communication services that -- unlike traditional landlines and cellphone communications -- lack intercept capabilities because they are not required by law to build them in.

But the proliferation of these services and a greater wariness -- if not hostility -- toward government agencies in the wake of revelations about broad National Security Agency surveillance have become a double-whammy for law enforcement and intelligence agencies, according to FBI officials and others.

Today, at least 4,000 companies in the United States provide some form of communication service, and a "significant portion" are not required by law to make sure their platforms are wiretap-ready, Hess said. Among the types of services that were unthinkable not long ago are photo-sharing services that allow users to send photos that are automatically deleted and peer-to-peer Internet phone calls, for which there are no practical means for interception.

Meanwhile, the disclosures by former NSA contractor Edward Snowden have fostered a widespread view that the government is excessively sweeping up all manner of Americans' communications. That impression, FBI officials argue, has unfairly extended to the investigations of law enforcement and intelligence agencies that obtain individual warrants to intercept the calls, chats and instant messages of criminals and spies.

Industry officials, security experts and others counter that the government already has many tools available to get the information it needs, that officials brought the predicament on themselves by failing to protect the secrecy around surveillance programs and that forcing companies to build wiretap solutions will make systems more insecure.

"I do think that more and more they'll see less and less," said Albert Gidari, a partner at Perkins Coie law firm who represents tech firms, referring to the government's quandary. "But it's their own fault. No one now believes they were ever going dark. It's just that they had the lights off so you couldn't see what they were collecting."

Last year, the Obama administration readied legislation aimed at enhancing the government's ability to enforce court-issued wiretap orders. But the fallout from the Snowden revelations derailed the effort.

"Politically, it's plutonium now for a member of Congress in this environment to be supporting something that would enhance the government's ability to conduct electronic surveillance," said Jason Weinstein, a former deputy assistant attorney general for the Justice Department's criminal division and now a partner at Steptoe & Johnson.

Although online communication services are not required to build in intercept capabilities, the law requires them to provide "technical assistance" to an official with a valid intercept order, which requires a judge to find probable cause that the surveillance will yield evidence of a crime. But the phrase "technical assistance" is vague, permitting different interpretations.

Some companies draw out the process of negotiating with the government. Others provide suspects' Internet-based messages hours after they are sent or offer minimal forms of compliance -- weekly screenshots of a suspect's communications, for instance -- and argue they have fully complied, government officials said.

One industry official, who spoke on condition of anonymity, acknowledged the trend. "No company wants to be doing more surveillance than its neighbor," he said.

Last year, judges authorized 3,600 federal and state criminal wiretaps and 1,588 foreign intelligence surveillance orders. In many of them, law enforcement said, the inability to fully execute the orders hampered their investigations.

In one recent case, Las Vegas police couldn't identify and gain evidence against a suspect in a burglary, robbery and kidnapping investigation because he was using an Internet phone service that lacked an intercept capability, according to FBI officials.

More than a dozen Internet-based instant messaging applications commonly used in child-exploitation networks lack a full capability to provide real-time intercepts.

Often a company might be asked to provide several types of communications but furnish only one, said Rich Littlehale, a Tennessee Bureau of Investigation special agent speaking on behalf of the Association of State Criminal Investigative Agencies. "They'll say, 'We can give you X, but we can't give you Y,'" he said.

In 1994, Congress mandated that all phone companies make their systems wiretap-ready. In later years, broadband and some Internet phone services also were covered under the law, known as the Communications Assistance for Law Enforcement Act. At issue now is whether companies that provide communications that traverse the Internet ought to be required to build such a wiretap capability.

Security experts -- including some former NSA officials -- say a wiretap mandate poses security risks. Building a wiretap solution requires a backdoor into a system, one that foreign adversaries and others may be able to exploit.

"When you're building in a backdoor, you're building in an ability to give away information that's supposed to be protected," said Richard George, former technical director at NSA.

In one notable example in 2004, an unidentified hacker or hackers broke into the phone network of Vodafone Greece and modified the intercept capability to eavesdrop on the conversations of at least 100 high-ranking Greek officials, including the prime minister.

FBI officials said that developing intercept solutions during a product's design phase allows the designer to minimize risk from the outset.

Industry officials, however, are also wary of government regulation that they say would stifle innovation.

"I just don't think you should go out and tell every technology company that it has to build surveillance capability into whatever it's doing," said Michael Sussmann, a Perkins Coie partner who represents tech firms. "I realize the government prefers that to having companies retrofit their systems, but you know what? Too bad."

Opponents of further regulation say authorities can obtain evidence using traditional means, whether through the use of informants, undercover operations, video cameras or physical surveillance -- options that the FBI is quick to point out entail higher risk.

"The reality is law enforcement and governments have a dozen methods other than wiretaps to get the investigation material they need," said Mike Janke, chief executive and cofounder of Silent Circle, a firm that provides encrypted phone and instant message services, and a former Navy SEAL. "They don't need to have access to everything in the world."

One compliance tool the government has, but rarely uses, is the ability to ask a judge to find a company in contempt of court for failure to comply with an order. "That's more and more of a discussion these days because of the lack of cooperation that we're getting," Hess said.

As the FBI presses tech companies to comply with wiretap orders, many firms are making it harder for investigators by encrypting more of their communications. Janke said his two-year-old firm, with offices in Switzerland and Oxon Hill, Md., has no central server to hold decrypted content, and decryption keys are destroyed at the termination of each call and text.

In one well-publicized case, Lavabit, a secure email service Snowden used, furnished his stored encrypted emails to the FBI under a court order. But it shut its business last August rather than hand over its encryption keys to the FBI.

The bureau is sometimes able to crack encryption, Hess said, but acknowledged that it is "a big challenge."

Despite the obstacles to passing a bill in Congress to address the "going dark" problem, lawmakers elsewhere have shown a willingness to pass similar legislation.

Last week, the British Parliament passed a bill that will not only ensure that British companies store customer data for the government but give the government the right to require non-British companies outside the country to build in wiretap capabilities if directed.

When it was drafting legislation in 2012, the FBI wanted to include an analogous provision, requiring non-U.S. firms with U.S. customers to be able to provide a wiretap capability inside the country, former officials said, but it was dropped after strenuous objections from the State and Commerce departments.

In the end, government officials said, the issue is one that requires broad public debate.

"All we're trying to say is, in the world today, we're facing this problem," FBI General Counsel James Baker said. "We don't have a solution. We have a problem that is real and is impacting the lives of real people, of victims of crime on a daily basis."

A Section on 07/26/2014
