Why the FBI's plan to require weak security in all American technology is a terrible, terrible idea

Bruce Schneier's editorial on CALEA-II is right on. In case you missed it, CALEA II is the FBI's proposal to require all American computers, mobile devices, operating systems, email programs, browsers, etc, to have weak security so that they can eavesdrop on them (as a side note, a CALEA-II rule would almost certainly require a ban on free/open source software, since code that can be modified is code that can have the FBI back-doors removed).

The FBI believes it can have it both ways: that it can open systems to its eavesdropping, but keep them secure from anyone else's eavesdropping. That's just not possible. It's impossible to build a communications system that allows the FBI surreptitious access but doesn't allow similar access by others. When it comes to security, we have two options: We can build our systems to be as secure as possible from eavesdropping, or we can deliberately weaken their security. We have to choose one or the other.

This is an old debate, and one we've been through many times. The NSA even has a name for it: the equities issue. In the 1980s, the equities debate was about export control of cryptography. The government deliberately weakened U.S. cryptography products because it didn't want foreign groups to have access to secure systems. Two things resulted: fewer Internet products with cryptography, to the insecurity of everybody, and a vibrant foreign security industry based on the unofficial slogan "Don't buy the U.S. stuff -- it's lousy."

In 1994, the Communications Assistance for Law Enforcement Act mandated that U.S. companies build eavesdropping capabilities into phone switches. These were sold internationally; some countries liked having the ability to spy on their citizens. Of course, so did criminals, and there were public scandals in Greece (2005) and Italy (2006) as a result.

In 2012, we learned that every phone switch sold to the Department of Defense had security vulnerabilities in its surveillance system. And just this May, we learned that Chinese hackers breached Google's system for providing surveillance data for the FBI.

The Problems with CALEA-II


  1. I suppose a ban on open-source software would have to go one step further and involve a ban on programming in general. My skillz are about 20 years out of date, but I could still put together a decent encryption utility in a day or so. Maybe the FBI will have to crack down on compilers, and require that students below the PhD level learn only BASIC.

    At least it would boost the value of your Bitcoins, and also make them contraband.

      1. But then we’d be able to identify the primes with the gaps. Game over, man. Game over.

  2. Everyone email your congressperson! Or just type up a letter and save it on your desktop so they can read it there.

  3. Don’t you get it? It’s working perfectly. CALEA* mandates poor security. Foreign hackers intrude into insecure systems. OMGCYBERWAR, can I have more of that tasty federal funding pie to launch cyber-retaliatory strikes against the world plz?

  4. Hmmm, perhaps we should request that all border fences should have a door every 100 meters so that authorized individuals can cross if needed for an emergency…  The fence will be just as secure since the latch will only be accessible from the US side…

    1. We might also install remote-controlled pacemakers on all live births. Just in case.

  5. This will open the door for quasi-governmental corporatists to peek into small business computers en masse and steal secrets.

    What a great way for large corporations to finally kill off many small businesses for good?

    Welp, the can dumb down my computers after they get past the bullets.

  6. Awesome. They’re taking notes from China and then being backward about how to impliment even that level of jackboot policy.

  7. So, they freak out about non-existent cyber-terrorism and real electronic espionage, but want to cripple the defences against electronic attacks?

  8. It would be enough, to forbid any home made encryption. Since Ip-adresses are stored. But, even children use steganos. It could lead to the rule, that every picture
    could become superimposed by noise in the networks. If it is not already done!? 

Comments are closed.