As the White House mulls it over, quietly winding its way through the interagency review process in Washington is a nondescript proposal known as CALEA II. This dangerous proposed set of new rules, designed by the FBI, will thwart technology innovation and compromise our national security at a time when cyber risks are reaching an all-time high.
CALEA stands for the Communications Assistance for Law Enforcement Act. Originally passed in 1994, it required telecommunications systems manufacturers to build in electronic surveillance capabilities so that law enforcement groups could tap into phone conversations. The Federal Communications Commission reinterpreted and expanded CALEA in 2005 to include broadband Internet and Internet-telephone traffic.
Now, the FBI proposes that some or all mobile and desktop application developers make their applications wiretap ready, or “CALEA compliant.” In other words, the FBI wants broader authority to be able to “wiretap” any application on the wired or wireless Internet, and it wants the companies to build in the wiretap interface to make it easy for the FBI to use. This would include phone calls (Skype), e-mail (Gmail), social media (Facebook), photo sharing (Instagram), transient communications (Snapchat) and peer-to-peer secure communications (Silent Circle). The list goes on.
I am not the first to point out what a bad idea this is. A group of 20 of the world’s leading computer security experts issued a great report called “CALEA II: Risks of Wiretap Modifications to Endpoints.”
After reading the report I drew three broad conclusions:
1. When you build a back door into a software product for the good guys, you can be assured that the bad guys will figure out how to use it as well.
2. If you are a software developer, to comply with the law, you will have to either staff a compliance department to respond to each law enforcement request or give the FBI direct access to the back door.
3. Back doors won’t work because the bad guys the FBI wants to track will use non-CALEA compliant products built overseas or will simply circumvent the built-in technology safeguards.
As a U.S. citizen who values basic civil liberties and as a venture capital investor in technology entrepreneurs who are the bedrock of our economy, I believe CALEA II will cripple innovation in this country. It will shift much innovation overseas, and will burden those that develop products domestically with new costs and needless bureaucracy.
Let me explain.
If law enforcement back doors are built into U.S. technology products to give the FBI broad access, foreign adversaries and other bad actors will find ways to exploit them. I agree with the experts here. I want the companies that I invest in building the most secure products possible — and don’t want them intentionally weakened.
Along those same lines, while I am concerned about the ability of U.S. law enforcement to use software back doors, I am truly frightened at the thought of how more-authoritarian governments will use those same back doors against their own citizens. In some countries, this can be a matter of life or death.
I am a big believer in the ability of American entrepreneurs to build the best products in the world. If we shackle those innovators with requirements that ultimately make products more vulnerable, we are inviting international competition to make similar, yet more secure products.
Twenty-five years ago, our government prevented the export of U.S. products with “tough” encryption, worried that bad guys would use it and we couldn’t decipher it. We exported products with weak encryption hoping other countries would do the same. Instead, foreign companies made products with strong encryption with the full support of their governments. The bad guys knew not to buy exported American security products. The failure of that policy was finally acknowledged in 1996 when President Clinton signed an executive order to relax these export controls.
The Washington area is a hotbed of innovation around security and privacy. Invincea, based in Fairfax, provides state-of-the-art protection against viruses, phishing and malware. Spotflux, started here as well, lets consumers surf safely and privately, away from the prying eyes of eavesdropping hackers, annoying advertisers, nosey employers and authoritarian governments. I want to keep that innovation going, but it will be thwarted if CALEA II is adopted.
The FBI argues that new technologies have made their electronic surveillance more difficult. After the revelations of the last few weeks, that is, frankly, hard to believe. We are in a golden age of surveillance where access to comprehensive databases with new data-mining capabilities already puts civil liberties at risk. We should not also put security and innovation at risk by burdening the entire application layer of the Internet with dangerous and ineffective wiretapping mandates.
John Backus is a founder and managing partner at New Atlantic Ventures, an early stage venture capital firm based in Reston and Cambridge, Mass. He blogs at navfund.com/blog and is @jcbackus on Twitter.