New spy tools--for good or evil?

By Declan McCullagh
April 21, 2003, 5:13 AM PT

COMMENTARY--Cisco Systems has created a more efficient and targeted way for police and intelligence agencies to eavesdrop on people whose Internet service provider uses the company's routers.

The company recently published a proposal that describes how it plans to embed "lawful interception" capability into its products. Among the highlights: Eavesdropping "must be undetectable," and multiple police agencies conducting simultaneous wiretaps must not learn of one another. If an Internet provider uses encryption to preserve its customers' privacy and has access to the encryption keys, it must turn over the intercepted communications to police in a descrambled form.

Cisco's decision to begin offering "lawful interception" capability as an option to its customers could turn out to be either good or bad news for privacy.

Because Cisco's routers currently aren't designed to target an individual, it's easy for an Internet service provider (ISP) to comply with a police request today by turning over all the traffic that flows through a router or switch. Cisco's "lawful interception" capability thus might help limit the amount of data that gets scooped up in the process.

On the other hand, the argument that it hinders privacy goes like this: By making wiretapping more efficient, Cisco will permit governments in other countries--where court oversight of police eavesdropping is even more limited than in the United States--to snoop on far more communications than they could have otherwise.

Marc Rotenberg, head of the Electronic Privacy Information Center, says: "I don't see why the technical community should hardwire surveillance standards and not also hardwire accountability standards like audit logs and public reporting. The laws that permit 'lawful interception' typically incorporate both components--the (interception) authority and the means of oversight--but the (Cisco) implementation seems to have only the surveillance component. That is no guarantee that the authority will be used in a 'lawful' manner."

U.S. history provides many examples of government and police agencies conducting illegal wiretaps. The FBI unlawfully spied on Eleanor Roosevelt, Martin Luther King Jr., feminists, gay rights leaders and Catholic priests. During its dark days, the bureau used secret files and hidden microphones to blackmail the Kennedy brothers, sway the Supreme Court and influence presidential elections. Cisco's Internet draft may be titled "lawful interception," but there's no guarantee that the capability will always be used legally.

Still, if you don't like Cisco's decision, remember that they're not the ones doing the snooping. Cisco is responding to its customers' requests, and if it doesn't, other hardware vendors will. If you're looking for someone to blame, consider Attorney General John Ashcroft, who asked for and received sweeping surveillance powers in the USA Patriot Act, along with your elected representatives in Congress, who gave those powers to him with virtually no debate.

I talked with Fred Baker, a Cisco fellow and former chairman of the Internet Engineering Task Force (IETF), about his work on the "lawful interception" draft.

Q: Why did Cisco decide to build "lawful interception" into its products? What prompted this?
A: Cisco's customers, not just in the United States but in many countries, are finding themselves served with subpoenas to mandate lawful intercept functionality. Cisco received requests from its customers for this capability.

When I found out about the project, I asked to be involved because I wanted to ensure that it was done in a manner that was as close to balanced as I could get. From an engineering perspective, the easiest thing is to give everything to law enforcement and let them sort it out. But I wanted to do better than that.

Q: When was that?
A: The actual development of this document started probably seven to eight months ago.

Q: What was the reaction of the Internet community and the IETF after you released the draft?
A: I've seen very little reaction so far. We have been contacted by Verisign, with which we had an NDA relationship. They said, "We'd like to work with you on this." That's about all we've had. John Gilmore (of the Electronic Frontier Foundation) posted comments to an IETF mailing list. He wanted to ensure that the capability would be as difficult to use as possible.

Q: When will Cisco's customers be able to buy "lawful interception" products or an upgrade?
A: We haven't yet announced anything. Any product that a service provider is likely to purchase will have an option to provide lawful interception. That's not for all of our products but for a fairly broad subset.

We're in the process of doing early field trials on that capability. In most cases it's a software upgrade. What we're doing is putting the capability in a separate image so you know what you're getting when you get it. Under U.S. law, if you have that ability, you could be required to use it. Our service provider customers have asked us not to put it in the standard image, so that they can't be forced to use it.

Q: How much will it cost?
A: We haven't announced that. There was some discussion at some point about putting in a nuisance fee.

Q: What percentage of your customers who have asked for "lawful interception" capability are within the United States?
A: We have service provider customers in a number of countries that have asked us for it. Some have been more insistent than others.

Q: Do you have any moral problems with helping to make surveillance technology more efficient?
A: I have some moral and ethical issues, but I think quite frankly that the place to argue this is in Congress and in the courtroom, not a service provider's machine room when he's staring down the barrel of a subpoena.

There are two sides. One is that Cisco as a company needs to let its customers abide by the law. The other is the moral and ethical issues. There are two very separate questions.

Q: The current draft does not include an audit trail. Could you do that by having your equipment digitally sign a file that says who's been intercepted and for how long? That could be turned over to a judge. It could indicate whether the cops were or weren't staying within the bounds of the law.
A: I'm not entirely sure that the machine we're looking at could make that assurance... In fact, the way lawful interception works, a warrant comes out saying, "We want to look at a person." That's the way it works in Europe, the United States, Australia and in other western countries. The quest then becomes figuring out which equipment a person is reasonably likely to use, and it becomes law enforcement's responsibility to discard any information that's irrelevant to the warrant. That kind of a thing would probably be maintained on the mediation device.

Q: Who controls the mediation device?
A: The Internet provider. The mediation device picks out the subset that relates to a particular warrant.

Q: A few years ago (in RFC 2804) the IETF rejected the idea of building eavesdropping capability into Internet protocols. The FBI supported the idea, but the IETF said, no way. You were chair of the IETF at the time. How do you reconcile your proposal with the decision made then?
A: I thought that what the IETF decided to do was actually the right thing to decide. What it said is that the IETF would not modify protocols that were designed for some other purpose in order to support lawful interception.

Q: Will you discuss this at the next IETF meeting in Austria in July?
A: We're hoping for community review. If people see any problems with what we're doing on a technical level, we're all ears. We want to produce the best possible capability in terms of security and the capability required.

Q: Have you had requests for this capability, directly or indirectly, from government agencies?
A: Yes and no. We got the request from our customers. The laws relate to the ISPs, which are our customers. Certainly, if we get a request from our customers that we can't support, there are penalties that accrue.

We've had direct contact with the FBI and other agencies. When I was in Holland I (spoke at a conference with the head of the equivalent of the country's Central Intelligence Agency). The fact that he came out and said something made the 8 o'clock news. I had a meeting with him and some of his people a few days later to figure out what he wanted and what he intended to do with this. As an engineer I wanted to understand a customer's problem.

We've had discussions with government agencies, but (they're generally not) asking us to build a product. They do that with ISPs, who then come to us.

Q: What other companies are going a similar route?
A: We're a little bit more open than everyone else. It really wouldn't be appropriate for me to talk about other companies. It's not like we're coming out and saying, "Hey, this is the reason you should buy a Cisco router." This is something we're doing because our customers want it.

Q: What do you think of governments with scant respect for privacy rights using "lawful interception" technology to become more efficient eavesdroppers? Do you ever stay up late at night worrying about what they might do with it?
A: Of course I do. But that problem is the reason I got involved. We have some capabilities in some of our equipment that will allow you to take all the traffic that goes across an interface and send it to another interface. Right now that is used in some cases as a lawful interception technology.

When we first started talking, some engineers said, "Let's turn this on and use that." I said, "Heavens no, if we can narrow the range of information, let's do it." Let's let our customers meet their requirements in as privacy-protecting a way as possible. So yes, there's a conflict, but the conflict is why I got involved.