Encryption and wiretapping

Bellovin writes:
Those who remember the Crypto Wars of the 1990s will recall all of the claims about "we won't be able to wiretap because of encryption". In that regard, this portion of the latest DoJ wiretap report is interesting:
Public Law 106-197 amended 18 U.S.C. 2519(2)(b) to require that reporting should reflect the number of wiretap applications granted for which encryption was encountered and whether such encryption prevented law enforcement officials from obtaining the plain text of communications intercepted pursuant to the court orders. In 2006, no instances were reported of encryption encountered during any federal or state wiretap.

The situation may be different for national security wiretaps, but of course that's where compliance with any US anti-crypto laws is least likely. There was no mention of national security or terrorism-related wiretaps in the report, possibly because they've all been done with FISA warrants.

This is interesting data, but consider if you will the contrary interpretation: encrypted telephony has seen practically no deployment. During the crypto wars it was widely believed that if the government just got out of the way encryption would become ubiquitous. But export controls were loosened in 1999 and that still obviously hasn't happened. The one exception, of course, is that mobile communications are often encrypted for transmission over the air interface, but (1) they're not end-to-end encrypted so you can wiretap at the junction with the PSTN and (2) the algorithms have historically been quite weak. So, all this really does is impede wiretapping by RF collection, which is an issue for intelligence agencies but not really for law enforcement, which can just serve a warrant on the mobile provider. So, who won the crypto wars again?


That's easy--those of us who saw them as a pointless waste of time and energy, and sat them out.

Yeah, I was also convinced that wimpy processors too slow to do strong crypto at reasonable speeds and the RSA patent were preventing the widespread deployment of strong crypto. Geez, *that* sure worked out well. I feel like a member of a doomsday cult, a few years after the predicted doomsday.

The obsession with end-to-end and blocking the FBI was more expensive than people realized.

End to end email security is not what you want if you are concerned about spam or viruses and need to deploy an edge security measure to address them. Spam was unknown in the days when S/MIME was designed. The other major weakness was the user experience.

Perhaps the most devastating discovery post-9/11 was the fact that the FBI never had the ability to actually do anything with the information Freeh demanded. If he had spent even a few minutes listening to the MIT profs and others arguing against him he could have done his job far more effectively without mandatory escrow.
