[NEWS] FBI To Require ISPs To Reconfigure E-mail Systems (fwd)

National Journal's Technology Daily

PM Edition

October 16, 2001

HEADLINE: PRIVACY: FBI To Require ISPs To Reconfigure E-mail Systems

PHOENIX -- The FBI is in the process of finalizing technical
guidelines that would require all Internet service providers (ISPs) to
reconfigure their e-mail systems so they could be more easily
accessible to law enforcers. The move, to be completed over the next
two months, would cause ISPs to act as phone companies do to comply
with a 1994 digital-wiretapping law. "They are in the process of
developing a very detailed set of standards for how to make packet
data" available to the FBI, said Stewart Baker, an attorney at Steptoe
& Johnson who was formerly the chief counsel to the National Security
Agency (NSA).

The proposal is not a part of the anti-terrorism legislation currently
before Congress because the agency is expected to argue that the
Communications Assistance for Law Enforcement Act (CALEA) already
grants it the authority to impose the requirement, Baker said. He
added that some ISPs already meet the requirements.

Baker, who frequently represents Internet companies being asked to
conduct electronic surveillance for the FBI, made the revelation
Tuesday in a panel discussion at the Agenda 2002 conference here on
how the Sept. 11 terrorist attacks are likely to affect the technology
industry and civil liberties. He elaborated on the plan in an
interview.

Such a stance could result in considerable cost to many ISPs, and it
would constitute a reversal of previous government policy, which held
that ISPs are not subject to CALEA's requirements. But Baker also said
"it has been a long-term goal of the FBI and is not just a reaction to
Sept. 11."

Mitchell Kapor, chairman of the Open Source Application Foundation and
a founder of Lotus Development, also spoke on the panel. Kapor also
started the Electronic Frontier Foundation (EFF) and has been a vocal
advocate of Internet privacy. EFF played a significant role in the
CALEA debate, and divisions over whether to support that law led to a
split of the organization.

"Under the cover of people's outrage [over the terrorist attacks] and
desire for revenge, lots of things that have been defeated before have
been brought back in [to the anti-terrorism legislation] without a
demonstration that the lack of appropriate law is a problem," Kapor
said in an interview. But on the whole, Kapor and Baker shared more
common ground on the acceptability of new electronic surveillance than
they had in the past, with both expressing the view that now is a time
for calm reconsideration of positions rather than butting horns over
the details of how civil liberties would be curtailed by an
anti-terrorism bill.

"I find myself more in the middle than I used to because my identity
in life is not as a civil liberties advocate," Kapor said. "Part is
being an American and a world citizen." Baker said it was entirely
appropriate for the FBI to conduct far more surveillance.

"What has changed [since Sept. 11] is the view of the technology
community," Baker said. "I used to get calls like, 'How can I beat the
NSA?'" said Baker. "Now, people call and say, 'I have this great idea
that would help NSA,' or, 'I want to go volunteer and do outreach on
behalf of the FBI or NSA.' There is a real change of people's view
about who the bad guys are."


What about people who operate their own email server? Do I have to make sure
the FBI can wiretap myself?

What would wiretap laws be like if individuals had been able all along to
operate their own telco switch, if they so desired?

---
"The avalanche has already begun. It is too late for the pebbles to vote" - Kosh

Let's consider the ramifications of this:

The FBI steps up the monitoring of law-abiding citizens at great expense to
private industry.

Criminals, terrorists and other evildoers think about and say,
"Hmmm......since the FBI might monitor the email that passes through our
ISP, let's set up our own mail servers outside of our ISP and communicate
directly over VPNs and encrypted P2P networks. Yeah that should work. Or
gosh, let's use offshore email servers set up by our own criminal networks
posing as legitimate businesses. Or let's set up a little ISP and have
some out of band email servers whose traffic can't be spied on."

"Those who would trade freedom for security will wind up with neither." I
forget who said it and I don't feel like looking it up.

> Criminals, terrorists and other evildoers think about and say,
> "Hmmm......since the FBI might monitor the email that passes through our
> ISP, let's set up our own mail servers outside of our ISP and communicate

And some people also believe that crypto with government back doors will
actually make a difference too....

> "Those who would trade freedom for security will wind up with neither." I
> forget who said it and I don't feel like looking it up.

Ben Franklin, I believe, and I think he said "deserve neither".

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
- Benjamin Franklin, Historical Review of Pennsylvania, 1759.

"Those who are willing to trade freedom for security deserve neither freedom nor security."
--- Benjamin Franklin

Who was, ironically, the first US Postmaster General. I'm sure he's rolling over in his grave.

:What would wiretap laws be like if individuals had been able all along to
:operate their own telco switch, if they so desired?

Funny you should mention that, as I think we are about to find out.

:-)

Not picking on anyone in particular but just plucking an example at ~random:

> Funny you should mention that, as I think we are about to find out.

It's possible that the feds are going about this in the wrong way. Rather
than seeking ways to expose that wrongness if any, we ought to be putting
our effort into figuring out what they're trying to do and then making a
recommendation (or several) as to how to actually get it done.

Put your shoulder to this wheel, folks. Or find someplace else to live.
(There's a four year sunset provision in the law they're passing tonight.)

> Funny you should mention that, as I think we are about to find out.

> It's possible that the feds are going about this in the wrong way. Rather
> than seeking ways to expose that wrongness if any, we ought to be putting
> our effort into figuring out what they're trying to do and then making a
> recommendation (or several) as to how to actually get it done.

I would if I could.

Some of it is confused by "we can't tell you," so no one can evaluate if
there is a less disruptive, less expensive and maybe even more effective
way to accomplish the same thing.

Some of my best friends work for the FBI :-) I talk to them at
conferences, by e-mail, and so forth. They are all very reasonable
and intelligent people. They are very good at what they do, but
their expertise is focused in other areas. But something happens
between the meetings and the publishing of the "punchlist." I've
never met a person willing to admit they wrote any of the punchlist
items. They just seem to appear anonymously out of thin air.

The majority of the information law enforcement requests (court order,
subpoena, etc) is handed over without (much) argument by most ISPs.

The most pushback comes from items carriers/providers believe may
corrupt, disrupt or otherwise impact the service of other customers.
There are people very good at designing tools for building doors, and
people very good at designing tools for breaking down doors. While
you might use a hammer to do both, the mistake is thinking the same
hammer is always the best tool for every job. If you happen to use
screws instead of nails, I guess you are out of luck.

Unless law enforcement is willing to tell us what the problem is, we
can't engineer the correct hammer for their needs. Instead it appears
the FBI will design the hammer for us, and still not tell us what the
problem is.

Hey, FBI. Tell us what you are trying to build and maybe we can
design a cool tool to help you build it.

> Put your shoulder to this wheel, folks. Or find someplace else to live.
> (There's a four year sunset provision in the law they're passing tonight.)

I doubt the house is voting on any laws tonight.

Paul Vixie wrote:

> Put your shoulder to this wheel, folks. Or find someplace else to live.

Gosh and Golly Gee, not another "my way or the highway" despot!

I'd never have guessed that Vixie was a supporter of a police state.

I'll stop supporting democracy when they pry my vote out of my cold dead
hands....

Meanwhile, where is it exactly that all ISPs should move?

> (There's a four year sunset provision in the law they're passing tonight.)

Where? The US House has adjourned. (You might be referring to the
"pre-conference" committee that met before the "conference" committee
meets next week?)

It's all being done, probably illegally, by executive order.

Sean Donelan wrote:

> Some of it is confused by "we can't tell you," so no one can evaluate if
> there is a less disruptive, less expensive and maybe even more effective
> way to accomplish the same thing.

Actually, they've already told us all we need to know:

1) NO cryptography was used.

2) Public library terminals were used.

3) Free accounts were used.

4) No suspicious international communications.

5) None of the terrorists was a suspect before the incident.

6) None would have been prevented from boarding an airplane.

Therefore, no amount of network monitoring would have prevented the
attacks!

This is just a police state power grab, trying to get facilities and
laws that a democracy would never give them otherwise, sought during a
time of concern.

So far, none of the "security" measures we've seen has actually
prevented anything, or even been designed to prevent anything that has
happened in the recent past.

Camouflaged guards in airports?

Secret searches?

All we have is an impotent executive seeking to expand its power.

I was referring to why something like Altivore wouldn't satisfy the unknown
requirements the FBI has.

Forty garbonzoes says even the sunset provisions will be mysteriously
absent from the final version, whenever it passes.

:I was referring to why something like Altivore wouldn't satisfy the unknown
:requirements the FBI has.

Do we know if specifications will have to be made public?

I can't imagine mail administrators and sysadmins all having to get
public trust (or higher) clearances.

Is there a definition of 'ISP' in the US, either in this proposed
legislation or other?

We could speculate forever about jurisdiction (over trans-national
networks) and implications of these sorts of things, but it would be
nice to have some solid info.

-j

p.s.

<short rant>

The first step in developing any security policy is to enumerate and
appraise the things that the policy will be designed to protect.
Evidently, there has been no public consultation on what the
recent legislation in various countries has been designed to
protect.

Most of the measures which have been demanded by our
leaders have the symptoms of a security policy, and use
technologies which would be used to enforce a policy, but
there has been no public discussion of what they actually
think they are protecting.

Of all the new sources offering analysis, opinion and
their own brand of earnest reason, I'll take the Onion
over CNN any day.

"Freedoms Curtailed in Defense of Liberty".

Brilliant.

</short rant>

Not Tennessee where everything to do with the
internet is taxable.. or about to be.. --Mike--

Warning: dangerously irrelevant and completely off-topic for the NANOG list.

> I'd never have guessed that Vixie was a supporter of a police state.

You've got me all wrong. I support the police in my state (country).

> I'll stop supporting democracy when they pry my vote out of my cold dead
> hands....

Right. When my kids and I line up for exercises at the local school most
mornings, you'll find me, hat in one hand and the other over my heart,
facing the flag, reciting the Pledge of Allegiance, and meaning every word
of it except maybe the part about God which I consider to be ambiguous.
And when paying taxes I am particularly glad that the cost of my family's
security comes at merely a cost measurable as a fraction of my income.
YMMV of course. If you don't like the deal you're being offered you should
find a better one.

Somewhere along with the power to vote particular politicians in or out
must come some respect for the laws those people create, even the ones we
don't think are perfect.

The FBI has a hellish job on their hands right now. Actually it's been a
hellish job for a long time but it seems like only recently we're all aware
of how hellish it is. I don't think that redefining what an ISP is in order
to blunt the obvious intent of Omnivore (or whatever) is a useful exercise
of democratic power.

> Somewhere along with the power to vote particular politicians in or out
> must come some respect for the laws those people create, even the ones we
> don't think are perfect.

if i and others had followed your advice, african-americans would still
ride in the back of the bus, we would still have atmospheric atomic
testing, and we would probably still be losing american and viet namese
lives in viet nam and those on the streets and campuses of the country who
disagreed with a bunch of now-convicted felons.

you can take your amerika love it or leave it stuff and put it where the
sun don't shine. nothing is perfect. america, love it and fix those parts
of it that need it. and that's what's great about this country. we can!

randy

So you're saying, for instance, that the *proper* thing to do if you disagree
with the anti-circumvention rules that the DMCA added to 17 USC 1201 is to just
go ahead and break them, or that the proper thing to do is to lobby to get
the law fixed?

I'd suggest that the right thing to do is to lobby your congresscreatures,
unless you're a visiting Russian programmer who wants to be a test case....

Yes, sometimes breaking the law in order to force a test case so there's
a judicial review of the constitutionality is required. But unless you're
trying to be either a test case or a martyr, you're stuck with the law until
it's changed.

> Yes, sometimes breaking the law in order to force a test case so there's
> a judicial review of the constitutionality is required. But unless you're
> trying to be either a test case or a martyr, you're stuck with the law until
> it's changed.

not entirely true. civil disobedience straddles the line (or goes over it
and breaks the law) and is a very effective way to make a point. and is
often required in order to bring awareness about with respect to the problem
in the law. keep in mind that law enforcement can only arrest, process, and
convict so many people for a minor crime before people start taking notice
and asking themselves questions. there's a great tradition here of civil
disobedience, and it's important that it remain so. it's a very populist
way to get your point across, and does little to no harm.

i'm not suggesting sending terabytes of data at congressional offices, or
swamping them with forms to process, i'm just saying that being a good
doobie and staying the course and standing straight at attention in line
aren't your only options. and it's good that they shouldn't be.

anonymous email servers, anonymous web browsing services, etc., etc. are
all important to the healthy give and take between law enforcement's desire
to track every last thing that you do and say and a citizen's right to run
free code on their own data. if i write code, run it on my own data, and
ship that data around to other people, i'm not breaking a law. so why should
i be _forced_ to make it easier for the feds to, say, decrypt my data?

(a good isp would have anonymous/encrypted email, browsing, etc., services
available to their customers. if they all did, the feds wouldn't be able
to get access to the data they want without disrupting service to customers.
i'm pretty sure people wouldn't be too keen on that.)

there's a nice tension that has always existed between groups like the FBI
and groups like the ACLU. i'd hate to see that disappear into the misty
void of idealized gung-ho zealotry that seems to be enveloping otherwise
smart people these days.

s.

If it bothers you all so much, then put together a petition, circulate
it at NANOG, send the results to congress.

... petition the government for a redress of grievances.

Repeat at IETF.