Matt Blaze's
Science, Security, Curiosity
Wiretapping and Cryptography Today
Report from the sky didn't fall department.

The 2010 U.S. Wiretap Report was released a couple of weeks ago, the latest in a series of puzzles published annually, on and off, by congressional mandate since the Nixon administration. The report, as its name implies, summarizes legal wiretapping by federal and state law enforcement agencies. The reports are puzzles because they are notoriously incomplete; the data relies on spotty reporting, and information on "national security" (FISA) taps is excluded altogether. Still, it's the most complete public picture of wiretapping as practiced in the US that we have, and as such, is of likely interest to many readers here.

We now know that there were at least 3194 criminal wiretaps last year (1207 of these were by federal law enforcement and 1987 were done by state and local agencies). The previous year there were only 2376 reported, but it isn't clear how much of this increase was due to improved data collection in 2010. Again, this is only "Title III" content wiretaps for criminal investigations (mostly drug cases); it doesn't include "pen registers" that record call details without audio or taps for counterintelligence and counterterrorism investigations, which presumably have accounted for an increasing proportion of intercepts since 2001. And there's apparently still a fair bit of underreporting in the statistics. So we don't really know how much wiretapping the government actually does in total or what the trends really look like. There's a lot of noise among the signals here.

But for all the noise, one interesting fact stands out rather clearly. Despite dire predictions to the contrary, the open availability of cryptography has done little to hinder law enforcement's ability to conduct investigations.  

Since 2002, the annual wiretap report has included a curious statistic: the number of times law enforcement encountered encryption on an authorized tap, along with the number of times that this prevented them from getting the evidence they were seeking.

Those who followed the politics of wiretapping in the 1990's can be forgiven for assuming that the number of investigations thwarted by criminal cryptography today should be large and growing. We were repeatedly warned throughout that decade, after all, that the unfettered availability of crypto in private hands would sound the death knell for the government's ability to investigate all manner of serious crime. And for the last ten years of the twentieth century -- the period when much of the architecture of the modern Internet was created -- US policy actively discouraged the incorporation of basic security technology in our computing infrastructure, lest it might help some future criminal conspiracy cover its tracks. It also meant that the computers, phones, and other gadgets used by the rest of us would have to remain exposed to other criminals -- those who might want to illegally exploit the very same surveillance techniques that the government hoped to preserve for itself. The results for cyber-security, you might recall, weren't very pretty. We effectively gave the bad guys a big head start before we started securing things.

But cryptography has recently been catching up. In 2000, government policy finally reversed course, acknowledging that encryption needed to become a critical part of security in modern networks, something that deserved to be encouraged, even if it might occasionally cause some trouble for law enforcement wiretappers. And since that time the transparent use of cryptography by everyday people (and criminals) has, in fact, exploded. Crypto software and algorithms, once categorized for arms control purposes as a "munition" alongside rocket launchers and nuclear triggers, can now be openly discussed, improved and incorporated into products and services without the end user even knowing that it's there. Virtually every cellular telephone call is today encrypted and effectively impervious to unauthorized over-the-air eavesdropping. Web transactions, for everything from commerce to social networking, are now routinely encrypted end-to-end. (A few applications, particularly email and wireline telephony, remain stubbornly unencrypted, but they are increasingly the exception rather than the rule.)

So, with this increasing proliferation of eavesdrop-thwarting encryption built in to our infrastructure, we might expect law enforcement wiretap rooms to have become quiet, lonely places.

But not so fast: the latest wiretap report identifies a total of just six (out of 3194) cases in which encryption was encountered, and that prevented recovery of evidence a grand total of ... (drumroll) ... zero times. Not once. Previous wiretap reports have indicated similarly minuscule numbers.

What's going on here? Shouldn't all this encryption be affecting government eavesdroppers at least a little bit more than the wiretap report suggests? Do the police know something about cryptanalysis that the rest of us don't, enabling them to effortlessly decrypt criminal messages in real time without batting an eye? Is AES (the federally-approved algorithm that won an open international competition for a new standard block cipher in 2001) part of an elaborate conspiracy to lull us into a sense of complacency while enabling the government to secretly spy on us? Perhaps, but the likely truth is far less exciting, and ultimately, probably more comforting.

The answer is that faced with encryption, capable investigators in federal and local law enforcement have done what they have always done when new technology comes around: they've adapted their methods in order to get their work done. Widespread encryption, rather than shutting down police wiretaps, has actually pushed them in a more reliable -- and accountable -- direction.

This is because while traffic encryption is highly effective at preventing wholesale, un-targeted interception, it does surprisingly little to prevent targeted government eavesdropping in the complex architectures of modern computing and communication technologies. Today's encryption algorithms are believed to be effectively secure in practice, in the sense that they make it infeasible for even an adversary with the resources of a government to obtain cleartext from ciphertext without access to the key. But a government eavesdropper doesn't have to limit itself to that scenario for a wiretap target. They can instead exploit the fact that the cleartext (or the keys to decrypt it) for almost all encrypted traffic today is typically available, somewhere, on a general-purpose computer that is exposed to government access, either explicitly or through surreptitious means. And as systems become more sophisticated and incorporate more features, the exposure of cleartext and keys to third party access tends to increase correspondingly.

Take, for example, that most ubiquitous instrument of criminal (and legitimate) communication, the cellular phone. In the 1990's, most cellular calls were transmitted over the air as unencrypted analog signals, easily intercepted, by police and curious neighbor alike, with an inexpensive radio receiver. Today cellular signals are almost always encrypted, making over-the-air interception a losing proposition. But the 2010 wiretap report tells us that the majority of law enforcement wiretaps were for cellular calls, and that encryption was not a barrier. This is because, by 2010, investigators had moved on from over-the-air interception. They found ways instead to tap cellphones at the endpoint where plaintext is available (in the cellular phone company where the call connects to the wireline network).

Did the move to encrypted cellphones cause inconvenience and worry to investigators accustomed to intercepting their targets' calls over the air and without needing help from the phone company? No doubt. But the result is that legal wiretap evidence is now much more reliable (it doesn't depend on the listening post being in range of the target's phone), and, at the same time, illegal cellular intercepts are now much harder to perform or hide, since taps now require help from the phone company. (There are still active over-the-air attacks possible against some cellular systems, though law enforcement taps don't typically exploit them.) And your nosey neighbor has been cut out of the picture almost entirely.

Targeted tapping remains possible even in systems where the endpoint might not willingly cooperate with an investigation or where encryption is end-to-end (such as with encrypted web traffic). In such systems, the endpoints that hold the cleartext or keys are almost always general purpose computers, with all the complexity that makes them susceptible to other kinds of targeted interception. For better or for worse, the sad state of the security art today is that a sophisticated eavesdropper -- a government spy -- can almost always find and exploit a vulnerability that lets them take control of a modern computing platform (have you updated your anti-virus software lately? It probably doesn't matter). But again, it's hard to do this wholesale against everyone; it requires sustained effort aimed at each particular target. Law enforcement can -- and does -- exploit this in conducting investigations. In a famous example from 2001, suspected mobster Nicodemo Scarfo encrypted his computer files using PGP software. Clever FBI agents quietly -- and successfully -- installed a keystroke monitor that captured his passphrase and allowed them to decrypt his files: evidence obtained. Today, these agents would have even more options available.

What does all this mean for today? Periodically, government eavesdroppers in law enforcement and intelligence agencies, worried that their ability to intercept will soon "go dark" because of some technological advance on the horizon, sound the alarm to urge that new technology be designed to accommodate their wiretapping needs. And, to be sure, their concerns are as genuine as the work they do is vital. But as we saw from the 1990's crypto debate, the eavesdroppers proved far more resilient than they themselves predicted. Yet the resulting delay in deploying encryption and related technologies yielded disastrous results for the security of the Internet from which we are only now beginning to recover.

We're hearing similar alarms raised today about new communication services, such as VoIP and peer-to-peer networking, that cannot be intercepted with current techniques. To be sure, many of the crimes that will be investigated by intercepting these services will be serious, and the concerns of the agents about their ability to gather evidence genuine and heartfelt. And some of these new systems, today and going forward, will definitely present challenges to wiretappers.

But the appropriate, time-tested response to predictions that law enforcement will soon "go dark", whether now or in the 1990's, is healthy skepticism. Investigators have shown themselves, again and again, to be remarkably adaptable when faced with new technology. And absent a major (and unforeseen) breakthrough in computer security, technology will remain, for good or evil, increasingly on the side of the eavesdropper.

The issues and tradeoffs in modern wiretapping are complex and subtle, and understanding them well requires a breadth and depth of knowledge across technology, law, history, and public policy. I can think of no better place to start (or end up) than Susan Landau's excellent new book Surveillance or Security: The Risks Posed by New Wiretapping Technologies (MIT Press, 2011).