Schneier: CALEA Update Makes Us Less Secure
And Drives Business Overseas to More Secure Products
As I've been discussing, law enforcement and intelligence agencies are making a strong new push to mandate backdoors in e-mail, cloud storage services, social networking websites and other encrypted services to make real-time wiretapping easier. As part of this effort to overhaul CALEA, the DOJ has even gone so far as to propose that ISPs be fined for failure to comply.
Security legend Bruce Schneier has penned a good blog post examining how "CALEA 2" makes things less secure, and is effectively repeating bad policy ad infinitum. He references a long line of attempts by the government to build backdoors into absolutely everything, and the long history of problems that ensued from having less secure networks and hardware:
The FBI believes it can have it both ways: that it can open systems to its eavesdropping, but keep them secure from anyone else's eavesdropping. That's just not possible. It's impossible to build a communications system that allows the FBI surreptitious access but doesn't allow similar access by others. When it comes to security, we have two options: We can build our systems to be as secure as possible from eavesdropping, or we can deliberately weaken their security. We have to choose one or the other.
This is an old debate, and one we've been through many times. The NSA even has a name for it: the equities issue. In the 1980s, the equities debate was about export control of cryptography. The government deliberately weakened U.S. cryptography products because it didn't want foreign groups to have access to secure systems. Two things resulted: fewer Internet products with cryptography, to the insecurity of everybody, and a vibrant foreign security industry based on the unofficial slogan "Don't buy the U.S. stuff -- it's lousy."
In short, Schneier argues that by weakening encrypted services so they're intentionally less secure, you're simply forcing the "bad guys" to either build their own more secure systems or buy more secure systems from overseas vendors who'll happily respond to demand for such products. Worse, like we've seen time and time again, while you're creating backdoors for law enforcement, you're also creating new backdoors that absolutely will be exploited by everyone else.