I decided to actually read the article before commenting. I find it several things to be very interesting:
- The meat - "Essentially, officials want Congress to require all services that enable communications — including encrypted e-mail transmitters like BlackBerry, social networking Web sites like Facebook and software that allows direct “peer to peer” messaging like Skype — to be technically capable of complying if served with a wiretap order. The mandate would include being able to intercept and unscramble encrypted messages."
- The cheese - "But law enforcement officials contend that imposing such a mandate is reasonable and necessary to prevent the erosion of their investigative powers.
“We’re talking about lawfully authorized intercepts,” said Valerie E. Caproni, general counsel for the Federal Bureau of Investigation. “We’re not talking expanding authority. We’re talking about preserving our ability to execute our existing authority in order to protect the public safety and national security.”". They want to preserve existing authority, but the technology has moved past their previous capabilities. Note that Valerie Caproni is a lawyer for the FBI. Just saying, I don't trust lawyers.
- The toppings - "Moreover, some services encrypt messages between users, so that even the provider cannot unscramble them."
- The special sauce - "Even with such a law, some gaps could remain. It is not clear how it could compel compliance by overseas services that do no domestic business, or from a “freeware” application developed by volunteers."
- The bun - "Susan Landau, a Radcliffe Institute of Advanced Study fellow and former Sun Microsystems engineer, argued that the proposal would raise costly impediments to innovation by small startups."
- You want fries with that? - "Moreover, providers of services featuring user-to-user encryption are likely to object to watering it down. Similarly, in the late 1990s, encryption makers fought off a proposal to require them to include a back door enabling wiretapping, arguing it would cripple their products in the global market.
But law enforcement officials rejected such arguments. They said including an interception capability from the start was less likely to inadvertently create security holes than retrofitting it after receiving a wiretap order.
They also noted that critics predicted that the 1994 law would impede cellphone innovation, but that technology continued to improve. And their envisioned decryption mandate is modest, they contended, because service providers — not the government — would hold the key.
“No one should be promising their customers that they will thumb their nose at a U.S. court order,” Ms. Caproni said. “They can promise strong encryption. They just need to figure out how they can provide us plain text.”" :shock:
Here is a list of the anticipated government requirements:
- Communications services that encrypt messages must have a way to unscramble them.
- Foreign-based providers that do business inside the United States must install a domestic office capable of performing intercepts.
- Developers of software that enables peer-to-peer communication must redesign their service to allow interception.
Let me explain my interest in this. I am a software engineer who has been developing a freeware encrypted peer-to-peer network for the past 4 years, in my free time. If you have the right URL, you can communicate directly with a peer with no intervening provider. I do have a directory service which allows people to hook up with each other but after they hook up it does not involve the server. I use strong encryption and the message traffic is encoded making it very hard to break the encryption. I haven't spend any time thinking about how to slave a backdoor comm channel into my software. I wouldn't really want to do so either, which is why this quote: "
providers of services featuring user-to-user encryption are likely to object to watering it down." makes a hell of a lot of sense to me. As does this one: "It is not clear how it could compel compliance ...
from a “freeware” application developed by volunteers.".
Requirement 1 suggests I need to provide decryption capability - not sure how to do that.
Requirement 3 suggests it can no longer be peer-to-peer, destroying my capability.
This thing needs to be squashed.
ort you are interested in you can slave the traffic. But, as you point out, it is encrypted and difficult to break with modern publically available algorithms. I use RSA/SHA256 based Diffie Hellman key exchange, followed with TripleDES 192 bit symmetric encryption with IV vectors and CBC chaining. The more traffic you transmit in a given encryption the easier it is to crack it. Therefore, I renegotiate encryption every so often to refresh the ciphers. Also, I am encoding object communications, so it isn't just plain text I am sending but computational messages between objects in my language and those are referenced by local ID. Even if you look at it in plain text, it makes little sense. It is very very secure.