Lighting the dark: Must you make your application wiretap-able?

Law enforcement has a problem, and you may be part of it.

If your company makes an Internet application that enables its users to communicate with each other and you do not have a way to hand over those communications in real time to law enforcement, then you are part of the problem. If one grants that there is a problem, as I do, the question becomes: "Is the solution worse than the problem?"

The U.S. House Committee on the Judiciary recently held a hearing on the general problems faced by law enforcement in today's Internet. They called the hearing "Going Dark: Lawful Electronic Surveillance in the Face of New Technologies."

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Law enforcement has a problem, and you may be part of it.

If your company makes an Internet application that enables its users to communicate with each other and you do not have a way to hand over those communications in real time to law enforcement, then you are part of the problem. If one grants that there is a problem, as I do, the question becomes: "Is the solution worse than the problem?"

The U.S. House Committee on the Judiciary recently held a hearing on the general problems faced by law enforcement in today's Internet. They called the hearing "Going Dark: Lawful Electronic Surveillance in the Face of New Technologies."

BACKGROUND: FBI argues Web-based services hurting wiretapping efforts

During the hearing, FBI General Counsel Valerie Caproni clearly described the problems faced by law enforcement, noting that not all telecommunications providers were able to quickly meet their obligations under the Communications Assistance for Law Enforcement Act (CALEA). But she focused most of her testimony on the problem that law enforcement has in getting real-time communication among users of modern Internet applications.

Developers of these applications rarely consider that law enforcement might be interested in communications among their users. Some of those that do may decide that such interest would violate their users' privacy even if those users might be using the communication channel for evil purposes. Her testimony was backed up by Mark Marshall, president of the International Association of Chiefs of Police.

While Caproni specifically did not ask for any new laws to be enacted at this point, the implication was that it would be a good idea if the developers of Internet applications included the ability to wiretap the communications among their users.

But adding the ability to wiretap presents its own issues -- issues that were well covered by security and privacy expert Susan Landau. She pointed out that adding wiretap functionality is, by definition, adding an exploitable vulnerability. She also provided examples of such exploitation in current telecommunications systems.

The FBI's Caproni said that court orders for wiretaps are "the most difficult for investigating authorities to obtain and use" because of the protections in U.S. law. She did not suggest that these protections be lessened, but also did not mention that many other countries lack such protections. Since U.S.-developed technology is in use all over the world, wiretap back doors in U.S.-developed applications are likely to be exploited by governments far less interested in civil liberties than is the U.S. government.

Thus, application developers are placed in a quandary. On one hand, the law enforcement problems are very real -- there are some very bad people "out there." On the other hand, adding wiretap ability to your application may mean that some of those bad people, as well as bad governments, will be able to exploit your application in furtherance of their own aims.