There is currently a government task force that is working on proposed legislation that would give the FBI the ability to ‘wiretap’ data. This is very different from what is available today. Today, ISPs are required to be able to turn over electronic records under a series of laws referred to as CALEA, named for the Communications Assistance for Law Enforcement Act. Under a CALEA request an ISP might turn over emails or a list of the web sites that a given customer has visited. ISPs generally retain such data for 60 to 90 days for all customers and it is then automatically deleted unless law enforcement requests it. But CALEA requests generally are for historical data and are not ‘wiretaps’ when it comes to data usage. This new proposal would give law enforcement live access to a customer’s data in the same way that phones have been historically wiretapped. And this is a law with teeth. The proposal includes a $25,000 per day fine for companies who aren’t wiretap capable, with those fines doubling after 90 days for non-compliance. There are a number of issues with this idea.
It Goes Against the Direction of the Industry
The business world is rapidly moving its data to the cloud. There is a long list of benefits of using the cloud and businesses get it. But before a business will send sensitive data out of its control into the cloud, it generally encrypts it (or it should). Companies are not going to put sensitive financial data, trade secrets and things like legal correspondence into the cloud if there is any chance that other parties can somehow crack and read the data. The whole point of encryption is that only the parties involved can decrypt the data.
It seems like the FBI law would forbid this kind of encryption. This would have a ton of ramifications on the industry. Businesses are going to refuse to put sensitive information into the cloud if it can’t be encrypted. This means that they will probably continue to use company-specific LAN storage rather than the more efficient cloud. Further, company lawyers are going to advise companies to not use the cloud if everything there can be wiretapped. Today a subpoena is required to get information that a company keeps on their own servers. But a wiretap at an ISP could be done without the knowledge of the person or company being investigated. No corporate attorney is going to agree to let a company expose themselves to being investigated through the back door just to gain the advantages of using a cloud service.
The FBI’s idea will also put all of the companies that supply encryption out of business. There are a number of businesses that sell encryption for cell phones such as Cryptocat, Silent Circle, Red Phone and Wickr. There are many software packages that can be used to encrypt data files such as Folder Lock, SensiGuard, Safehouse, SecureIT, Cryptoforge and many others. And almost every maker of carrier-class transmission equipment, servers and related software has an encryption product.
One of the biggest issues with the proposed bill is that far more companies would have to comply with a wiretap than must comply with CALEA today. Today CALEA applies to the companies that supply a basic data pipe to a customer, to whoever is the physical ISP. This may be a telephone company, cable company, wireless ISP or cellular provider. But every firm that must meet CALEA today is a carrier of some sort. They have a physical hub where they perform ISP functions. These hubs are the sort of places where CALEA makes sense.
But the proposed law would impose a more complex obligation on other web-based platforms like Facebook, Google, Yahoo and AOL. Those are all big companies and one might assume that they can all afford to do this, and you might be right. But the same requirements would apply to much smaller firms and start-ups who store and/or process customer data. It’s going to be technically challenging for a web-based platform to give live access to data. They just are not configured that way. And designing a system to enable that is going to be costly and inefficient.
The cost of compliance will deter future small start-ups. And if you don’t think that is true, let me give you a real life example of when CALEA costs became an issue for a small carrier. It is very difficult for a small ISP to comply with CALEA on their own, so there are companies who sell CALEA compliance. If you get a CALEA request they overnight you a black box that rides next to your core servers and captures the data that law enforcement wants. This kind of service costs about $600 per month. I have a small city client who wanted to become an ISP just to serve themselves, some other local government agencies and some non-profits. Since they were facility-based, using their own servers, CALEA applied to them. They almost decided against doing this since the CALEA fees ate up most of the monthly savings they were trying to bring to their town. I know that is a very tiny dollar example, but I foresee the new requirement to be much more costly than CALEA. Small firms will have a very difficult time creating the ability to do live data wiretaps and this is going to stifle small web firms.
It Goes Against the Basic Premise of the Internet
The main premise of the Internet is that it is a decentralized network. The wiretap proposal relies on some sort of centralized hub in order to implement a wiretap. There has to be a place where you can guarantee that the data the government wants to see will flow. That is a whole lot harder than it sounds and it would end up resulting in some fundamental changes in the way that Internet traffic flows. And that could be the costliest impact of all.
The traffic on the Internet keeps growing at nearly exponential rates. Carriers have been able to keep up with the bandwidth demands because they have upgraded the networks to be more and more efficient over time. This change would go in the opposite direction and would make the network more inefficient.
I fully understand and appreciate the needs of law enforcement. But this could be one of the biggest unfunded mandates ever if it ends up impeding the efficiency of the Internet. The Internet is now a fundamental part of everyday life and is a lifeline for most businesses.
It just seems like a colossally bad idea to me to impose a costly change on everybody that is intended to only catch a few bad guys. Particularly when the smart criminals will avoid these wiretaps. They will find a black market way to self-encrypt their data or they will avoid the web altogether. So this is really just a proposal to catch the dumb criminals. It seems like too great a cost for such a paltry goal.