Friday, November 16, 2007

Potential Hazards of the "Protect America Act"

Via EPIC, a who's who of security experts, including Steve Bellovin, Susan Landau, Whitfield Diffie, Matt Blaze, Peter Neumann and Jennifer Rexford, released an important report in October on the Congressional rubber-stamping, via the "Protect America Act", of the Bush administration's mass telephone and internet wiretapping programme. EPIC says:
"Security Experts Report on Hazards of New Surveillance Architecture

This summer's Protect America Act (PAA) temporarily authorized
warrantless surveillance of communications that Americans have with
individuals abroad. The use of this authority will require the
deployment of new interception technologies. These new technologies
raise several significant security risks.

The report identified the three most serious security risks. The experts
pointed to the danger that the system could be exploited by unauthorized
users. A Greek wiretapping system was exploited by an as yet unknown
party to listen in on government conversations. FBI documents of the DCS
3000 telephone wiretap system revealed several problems in the system's
implementation. This risk turns a surveillance system on its head.

Another risk is the misuse by a trusted insider. Someone with access to
the system could use it for improper purposes. Robert Hanssen abused his
access to FBI systems to steal information and to track investigations
of him. Recently a treasury agent was indicted for using the Treasury
Enforcement Communications System (TECS) in order to stalk his former

The third major risk is misuse by the US government. Watergate era
investigations revealed wiretaps of Congressional staff, supreme court
justices. These abuses also targeted non-violent activists such as
Martin Luther King, the American Friends Service Committee and the
National Association for the Advancement of Colored People.

The security experts provide key recommendations to guard against these
risks. First is minimization. Decreasing the number of interception
points simplifies security problems. Experts also recommend that
architecture be developed with communications carriers, maintaining them
as a check on government activity. Finally they recommend independent
oversight, with regular detailed reporting.

Risking Communications Security: Potential Hazards of the "Protect
America Act" (pdf):

A Gateway For Hackers -- Susan Landau:

Privacy On the Line: The Politics of Wiretapping and Encryption, Updated
and Expanded Edition:"

From the report itself:

"1 Introduction
The Protect America Act passed in August 2007 changes U.S. law to allow warrantless foreign-intelligence
wiretapping from within the U.S. of any communications believed to include one party
located outside the United States. U.S. systems for foreign intelligence surveillance located outside
the United States minimize access to the traffic of U.S. persons by virtue of their location. The
new law does not—and could lead to surveillance on an unprecedented scale that will unavoidably
pick up some purely domestic communications. The civil-liberties concern is whether the new
law puts Americans at risk of spurious — and invasive — surveillance by their own government.
The security concern is whether the new law puts Americans at risk of illegitimate surveillance
by others. We focus on security. If the system is to work, it is important that the surveillance
architecture not decrease the security of the U.S. communications networks.
The choice of architecture matters; minor changes can have significant effects, particularly with
regard to limiting the scope of inadvertent interception. In attempting to collect communications
with one end outside the United States, the new law allows the development of a system that
will probably pick up many purely domestic communications. How will the collection system
determine that communications have one end outside the United States? How will the surveillance
be secured?
We examine security risks posed by the new law and put forth recommendations to address
them. We begin by presenting background, first legal and policy, and then technical. Next we examine the difficulties in monitoring international Internet traffic. We follow with a general discussion
of risks in communications surveillance systems and then an analysis of those we fear may
result from implementing the Protect America Act. We conclude with a set of recommendations
regarding design and implementation...

5 Recommendations
The change from a system that wiretaps particular lines upon receipt of a wiretap order specifying
those lines to one that sorts through transactional data in real time and selects communications of
interest is massive. Where interception occurs and how the data sources — CDRs, traffic, other
information— are combined and used — will not only affect how powerful a tool the warrantless
wiretapping is, it will affect how likely the system is to pick up purely domestic communications.
In building a communications surveillance system itself — and saving its enemies the effort —
the U.S. government is creating three distinct serious security risks: danger of exploitation of the
system by unauthorized users, danger of criminal misuse by trusted insiders, and danger of misuse
by U.S. government agents. How should the U.S. mitigate the risks?
Minimization matters. Allowing collection of calls on U.S. territory necessarily entails greater
access to the communications of U.S. persons. An architecture that minimizes the collection of
communications lowers the risk of exploitation by outsiders and exposure to insider attacks. Traffic
should be collected at international cableheads rather than at tandem switches or backbone
routers, which also carry purely domestic traffic. Surveilling at the cableheads will help minimize
collection but it is not sufficient in and of itself. Intercepted traffic should be studied (by
geo-location and any other available techniques) to determine whether it comes from non-targeted
U.S. persons and if so, discarded before any further processing is done. It should be fundamental
to the design of the system that the combination of interception location and selection methods
minimizes the collection of purely domestic traffic.
Architecture matters. Using real-time transactional information to intercept high volume traffic
makes architectural choices critical. Robust auditing and logging systems must be part of the
system design. Communication providers, who have technical expertise and decades of experience
protecting the security and privacy of their customers’ communications, should have an active
role in both design and operation. “Two-person control” is applicable to organizations as well as
Oversight matters. The new system is likely to operate differently from previous wiretapping
regimes, and likely to be using new technologies for purposes of targeting wiretaps. There should
be appropriate oversight by publicly accountable bodies. While the details of problems may remain
classified, there should be a publicly known system for handling situations when “mistakes
are made.” To assure independence the overseeing authority should be as far removed from the
intercepting authority as practical. To guarantee that electronic surveillance is effective and free
of abuse and that minimization is in place and working appropriately, it is necessary that there be
frequent, detailed reports on the functioning of the system. Of particular concern is the real-time
use of CDR for targeting content, which must neither be abused by the U.S. government nor allowed
to fall into unauthorized hands. For full oversight, such review should be done by a branch
of government different from the one conducting the surveillance. We recommend frequent ex post
facto review of the CDR-based real-time targeting. The oversight mechanism must include outside
reviewers who regularly ask, “What has gone wrong lately—regardless of whether you recovered
— that you have not yet told us about?”
Security of U.S. communications has always been fundamental to U.S. national security. The
surveillance architecture implied by the Protect America Act will, by its very nature, capture some
purely domestic communications, risking the very national security that the act is supposed to
protect. In an age so dependent on communication, the loss may be greater than the gain. To
prevent greater threats to U.S. national security, it is imperative that proper security — including
minimization, robust control, and oversight — be built into the system from the start. If security
cannot be assured, then any surveillance performed using that system will be inherently fraught
with risks that may be fundamentally unacceptable."
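The recommendations quoted above are architectural: discard purely domestic traffic at the interception point, before any further processing, and keep logs that outside reviewers can check. The following is an added example of what those two pieces look like in code; it is not from the report or from any real interception system. It assumes a constructed geolocation table built from the RFC 5737 documentation prefixes (which carry no real attribution), a handful of constructed flow records, and a design choice of its own: an endpoint that cannot be located is treated as not confirmed foreign, so the filter errs toward discarding. Discarded flows are logged by country pair only, so the audit trail does not itself become a store of domestic endpoint addresses.

```python
# Added example (not from the report): a minimization filter and a
# hash-chained audit log for an interception point.
import hashlib
import ipaddress
import json
from dataclasses import dataclass

# Constructed geolocation table (prefix -> country), using RFC 5737
# documentation ranges. A deployed system would consult a maintained
# geolocation database; this table is an assumption of the example.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
}


def geolocate(addr: str):
    """Return the country code for an address, or None if it cannot be located."""
    ip = ipaddress.ip_address(addr)
    for net, cc in GEO_TABLE.items():
        if ip in net:
            return cc
    return None


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    octets: int


class AuditLog:
    """Append-only, hash-chained log. Each entry commits to the previous
    entry's digest, so entries edited or removed after the fact are
    detectable by a reviewer who holds the chain head."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []          # list of (json_body, sha256_hex)
        self.head = self.GENESIS

    def record(self, event: dict):
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((self.head + body).encode()).hexdigest()
        self.entries.append((body, digest))
        self.head = digest

    def verify(self) -> bool:
        prev = self.GENESIS
        for body, digest in self.entries:
            if hashlib.sha256((prev + body).encode()).hexdigest() != digest:
                return False
            prev = digest
        return True


def confirmed_foreign(cc) -> bool:
    # Only a positively located non-US endpoint counts; "unknown" does not.
    return cc is not None and cc != "US"


def minimize(flows, audit: AuditLog):
    """Keep only flows with at least one endpoint confirmed outside the US.

    Purely domestic flows and flows with an unlocatable endpoint are dropped
    before any content processing. Discarded flows are logged by country
    pair only (no addresses); kept flows are logged in full.
    """
    kept = []
    for f in flows:
        src_cc, dst_cc = geolocate(f.src), geolocate(f.dst)
        keep = confirmed_foreign(src_cc) or confirmed_foreign(dst_cc)
        event = {"src_cc": src_cc, "dst_cc": dst_cc,
                 "decision": "keep" if keep else "discard"}
        if keep:
            event.update(src=f.src, dst=f.dst, octets=f.octets)
            kept.append(f)
        audit.record(event)
    return kept


# Constructed sample traffic: domestic, outbound, inbound, and unlocatable.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", 1200),   # US -> US: discard
    Flow("192.0.2.10", "203.0.113.7", 880),     # US -> DE: keep
    Flow("203.0.113.7", "192.0.2.10", 4096),    # DE -> US: keep
    Flow("192.0.2.10", "10.0.0.1", 300),        # US -> unknown: discard
]


def run():
    """Run the filter over the sample; return (kept_flows, audit_log)."""
    log = AuditLog()
    return minimize(SAMPLE_FLOWS, log), log


if __name__ == "__main__":
    kept, log = run()
    for f in kept:
        print("kept", f.src, "->", f.dst)
    print("audit entries:", len(log.entries), "chain valid:", log.verify())
```

Two of the sample flows survive the filter; the domestic and the unlocatable ones are dropped and their addresses never enter the log. The hash chain is what gives the "outside reviewers" of the last recommendation something to check: alter or drop any entry and `verify()` fails from that point on. What the example cannot fix is the report's underlying worry, that geolocation of an endpoint is a guess, so a filter like this will still misclassify some purely domestic traffic; the audit trail exists so that those mistakes can be counted and reported rather than silently absorbed.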
