Robert X. Cringely on the unintended consequences of trying to help law enforcement with digital technologies.
The Federal Bureau of Investigation administers the Communications Assistance to Law Enforcement Act (CALEA), which was passed by Congress in 1994. CALEA was a response to advances in digital communications. It was a way for law enforcement and intelligence agencies to go beyond old-fashioned phone taps and listen in on mobile phone calls, pagers, the Internet and any other form of electronic messaging that might be used by enemies of the state. CALEA made the phone companies and pager companies and Internet companies responsible for building into their equipment the capability to tap all types of communications on the order of a judge or -- in the case of foreign surveillance -- of the U.S. Attorney General. Every telephone switch installed in the U.S. since 1995 is supposed to have this surveillance capability, paid for, by the way, with $500 million of your tax dollars. Not only can the authorities listen to your phone calls, they can follow those phone calls back upstream and listen to the phones from which calls were made. They can listen to what you say while you think you are on hold. This is scary stuff.

For those non-Latin scholars out there, the title of this item translates roughly to "Who watches the watchmen?" It was, among (many) other things, the genesis of a wonderful comic book miniseries by Alan Moore and Dave Gibbons in 1985.

But not nearly as scary as the way CALEA's own internal security is handled. The typical CALEA installation on a Siemens ESWD or a Lucent 5E or a Nortel DMS 500 runs on a Sun workstation sitting in the machine room down at the phone company. The workstation is password protected, but it typically doesn't run Secure Solaris. It often does not lie behind a firewall. Heck, it usually doesn't even lie behind a door. It has a direct connection to the Internet because, believe it or not, that is how the wiretap data is collected and transmitted. And by just about any measure, that workstation doesn't meet federal standards for evidence integrity.
And it can be hacked.
And it has been.