Internet wiretapping

A story about impending U.S. legislation has hit the news in the last few days: Senator Patrick Leahy, along with ten co-sponsors that include Dianne Feinstein and my own senator, Chuck Schumer), has introduced S. 3804, the Combating Online Infringement and Counterfeits Act (link to PDF).

There’s a log of blog outcry about it, of course, and rightly so. I’m less worried about it than many, but I do think it’s a bad idea. Here’s why:

First, we’re meant to be a democracy, different from the totalitarian states we group together with terms such as Axis of Evil and whatnot. That means that, in general, we fit our surveillance and law enforcement into the technology, rather than limiting the technology and building it specifically to enable surveillance and law enforcement. Those who say that this is only paralleling what’s in the telephone system already are missing that the telephone system grew up from a much lower-tech starting point. Wiretaps used to be literally that: wires clipped into wired systems. And it didn’t used to be easy at all.

There’s a lot about surveillance and intelligence gathering that’s hard, and it stands to reason that those tasked with doing it should want to make it easier. Keeping it hard is actually a useful check on nascent authoritarian tendencies, and the temptation for abuse. We’ve recently had court decisions, for example, declaring it a fourth-amendment violation to use GPS tracking without a warrant. These sorts of checks are important.

There’s no saying that the sort of surveillance that S. 3804 proposes will be warrantless — and the bill does specify that a court has to approve it — but we have to remember the warrantless electronic surveillance of the Bush administration, where they bypassed no only the regular courts but also the FISA court, specifically set up to deal with monitoring terrorist action. Official abuse is a real danger.

Further, this bill doesn’t even address terrorism, nor even racketeering or other such crimes. It’s aimed at copyright infringement. Not to put too fine a point on it, but that’s a ridiculous focus for such a broad and risky remedy. There are better ways to address the problem of illegal distribution of copyrighted material, and this is an attempt to shortcut things with a blunt instrument. At least, though, it’s not as bad as the insane French HADOPI law.

Apart from official abuse, though, there’s the issue of abuse by the Bad Guys themselves, who can fool with such a system in two ways:

1. They can take advantage of the holes themselves. Any system that allows authorized intrusion implicitly allows unauthorized intrusion as well, and we should not be so naïve as to think that won’t happen. People are corruptible, security systems are compromised all the time, and if we set it up so that any Internet communication is tappable, malefactors will make their way in and tap it.
2. They can skirt it entirely. It will only be the normal communication channels that will have their encryption compromised, allowing officials to get the unencrypted version. If what gets put on those wires is itself encrypted beforehand — if the unencrypted version is separately encrypted — we’ve gained nothing. Once requiring specialized, high-tech, expensive machines, encryption is now easy, and any ten-year-old with a copy of PGP can do it. And anyone can create a self-signed TLS certificate to secure communication with their web site. There’s nothing the service providers can do to tap into any of that.

The result will be, as often happens with these sorts of things, that private citizens and companies that are trying to abide by the law will have their privacy and liberty compromised, while the real criminals will be able to hide as easily as they do today. If passed, this law will have some effect in the area it’s intended to... but that effect will be limited, and probably short-term.

Finally, there’s the law itself: it actually seems pretty good in its inclusion of safeguards and court involvement. There are two issues I have with it:

1. Sec. 2324(a)(2)(B) is too vague:

   [For purposes of this section, an Internet site is dedicated to infringing activities if such site is] engaged in the activities described in subparagraph (A), and when taken together, such activities are central to the activity of the Internet site or sites accessed through a specific domain name.

   Subparagraph (A) specifies that the site must be specifically designed for these activities, be marketed for these activities, or have no significant purpose other than these activities. That provides a reasonable limitation on the Internet sites that may be targeted here. But then subparagraph (B) opens it back up in a vague way, by saying that any other site might qualify if when taken together such activities are central to the site. Subparagraph (A) clearly does not include such sites as YouTube and Facebook, but subparagraph (B) arguably could. The threat of bringing such an argument to court could exert a severely chilling effect on web sites devoted to social activities and legitimate media sharing.
2. Sec. 2324(j) provides for a public list of sites that are alleged, without any real evidence or court involvement.

   (1) IN GENERAL- The Attorney General shall maintain a public listing of domain names that, upon information and reasonable belief, the Department of Justice determines are dedicated to infringing activities but for which the Attorney General has not filed an action under this section.

   There are mechanisms to ask to be removed from the list, and for judicial review of the case only after the Justice Department refuses the petition for removal. This amounts to an unregulated blacklist of Internet sites, and strikes me as ill advised, and possibly dangerous. There will clearly be such a list held at the Justice Department; the list should not be public. Any public list must be vetted by a court, as a necessary check on law enforcement.

I plan to write to Senator Schumer with a brief version of this post, and a pointer to the full one.