Law enforcement: you can’t always have what you want

This article on how the FBI is seeking expanded surveillance powers for “cloud”-hosted Internet communication services reiterates the frustration law enforcement agencies feel at the way technological evolution has caused many interception capabilities hitherto taken for granted to slip from their grasp.

First, let’s get something out of the way: people who are at least somewhat technologically aware understand and take for granted that security services and intelligence agencies have the means to intercept almost anything you do on the Internet–at least, if your means of doing it are even remotely conventional. I assume this is not a novel thesis to most readers. The difference is that this type of interception activity is rarely subject to the same kind of restrictions as evidence-gathering operations whose product must be admissible in court. So, we’re not talking about interception here per se; we’re talking about “lawful interception”.

Essentially, what the police are mad about is that CALEA, the last big legislative initiative, passed in 1994 to force technical cooperation from service providers and provide standardised data interfaces for streamlined tapping, simply doesn’t keep pace with modernity in the way they would like. It originally applied only to phone companies. It has been expanded to VoIP providers and ISPs, of course, but it’s still a mechanism that was fundamentally designed with a view to the state of the telecommunications world in the early nineties. CALEA proceeds from a PSTN-oriented view of communications networks, which is one in which they are hierarchical, highly centralised, despotically controlled by a very limited cadre of individuals and entities, and meticulously standardised.

That paradigm doesn’t begin to cover all the diffuse packet-switched, federated, multi-jurisdictional, and above all, increasingly distributed and peer-to-peer communication transports that the world has diverged into since then.  Essentially, they’re upset that there’s no conveyor belt on which your Gtalk (XMPP) messages or your World of Warcraft voice-over conversations can be fed straight into a large-scale FBI tap, in real time, on demand.

Worse yet, this multi-protocol, multi-service, multi-topology landscape is only getting more complex and diverse, not less.  Fifteen years ago, how many different ways did you have to communicate person-to-person online? AIM, ICQ, e-mail? I could list dozens of mainstream methods now, and the list is only growing.

Of course, the technically minded among us have done these agencies a huge favour by opting for the convenience of “cloud”-hosted e-mail (Gmail), documents (Google Docs, Dropbox, etc.), messaging (Gtalk, Facebook Messenger, etc.). Those of us who have the knowledge and capability to run our own IM and e-mail servers, as we used to have to do, are, in my opinion, quite irresponsible for opting not to do so in the name of economics. However, this was never even a point of discussion for most people; most ordinary Internet users have always been stuck with whatever services some large company (AOL, Mirabilis, Google, Facebook, Twitter) fed them.

Certainly, the police and the FBI can–and do–subpoena your data from these companies. Their complaint here is really that the process is not streamlined or real-time. It’s not enough that they can, in principle, get at the data.  They want to get at it quicker, better, faster. In other words, they want to reap some of the same efficiency increases that you’re reaping. Why should you get to send encrypted IMs through dozens of services straight from a burner phone with a 3G data plan, while they have to chase their tail and jump through antiquated, time-consuming legal hoops to try to piece some of what you’ve just done together?

The only effective strategy for bolstering public support for increased surveillance ventures is through scare-mongering, invoking the usual bogeymen of terrorism, identity theft–pick your fashion of the hour. Law enforcement asks you the rhetorical question: Do we really want IT to provide an unprecedentedly untraceable and profoundly effective mechanism for the next 9/11 hijackers to collaborate?

My view: yes, we do.

The government just needs to get over it. The march of technological progress often brings unpleasant realities for certain institutions. A significant and growing portion of the population of the developed world has an Internet-connected 1+ GHz multi-core computer in their left pocket. That’s going to put unprecedentedly powerful encryption and encapsulation capabilities in the hands of everyday people–capabilities that have increased by several orders of magnitude in just two or three decades.

For the most part, this is all good news for information privacy, civil rights, freedom of expression, and financial data protection. I am convinced that the net social benefit of being able to send information in ways that are not trivially interceptible greatly outweighs the downside of criminals also doing so.  On the whole, I feel much better about having a conversation with a friend now about politics, confidential family problems, and sensitive financial details than I did ten or fifteen years ago.

From a technical point of view, I don’t see a realistic way for government agencies to keep up with the magnitudinal increases in communication complexity. It is starkly at odds with the distributed way the Internet and its constituent layers of abstraction are organised–even if it is more centralised at the physical layer than most of us think or would like to admit. Yes, I’ve heard of the Bluffdale Data Centre, but I cannot imagine how one would need to reorganise the Internet, topologically, or what kind of tentacular monstrosity one would need to build, in order to have a reasonable chance of actually tapping all of its communications. The biggest obstacles are not physical, but rather the sheer diversity of protocols and applications that would need to be understood by The Behemoth in order to make this process anything like scalable, which is the real problem for law enforcement. The resources already exist to spin their wheels on wiretapping someone as an expensive one-off. As I mentioned above, what the government wants is something closer to the economies of scale that have been reaped everywhere else. It stands to reason that in their ideal world, they’d want to force everyone to take their data, in all its heterogeneous patchwork, and massage it into a standard format and spoon-feed it to them. They want wiretapping to be easier, and are upset that instead, it’s gotten harder.

In an adversarial court system with a judicial presumption of innocence, they want you to make their job easier.

I don’t see any reason why it would be socially desirable to allow law enforcement to try to move this immovable object. I can’t see what good results can come from it, even if we completely sidestep the issue of massive abuses of law enforcement power and grant that there is a morally legitimate application of wiretapping by state agencies in at least some cases.

It seems to me that the greatest danger in all this is not that money launderers might use Tor to plot and scheme or that professional clubgoers might buy ecstasy on Silk Road, but rather the drag that costly bureaucratic boondoggles impose on economies and livelihoods. Anyone aware of the true state of CALEA compliance in the VoIP industry–or, to be precise, the elaborate motions of compliance–knows that there is no hope of achieving full compliance with such initiatives, and no hope that they will, in the grand scheme, achieve their ostensible goals.

Impossible boondoggles not only cost money, but have the effect of turning everyone into criminals or civil defendants, since nobody is actually in compliance. And, as usual, small companies suffer the most, since they don’t have the resources of large companies to put on elaborate charades of complying with Byzantine requirements. And, as usual, the big companies buy their way out, while the small companies are shaken down in the great cosmic lottery of selective enforcement.  It all starts to be reminiscent of the cynical “we pretend to work and they pretend to pay us” mantra in my native USSR. 

As progress moves forward, some institutions adapt, but certain legal and civil artifacts of previous historical frames fall away. Sometimes they just have to. Maybe you can’t trivially tap one or two ubiquitous methods of communication anymore, but so what? You can’t own slaves or torture people anymore, either.