[IP] Inside Cisco's eavesdropping apparatus

[Dave Farber <dave@farber.net>]

------ Forwarded Message
From: RISKS List Owner <risko@csl.sri.com>
Date: Sat, 03 May 2003 16:09:09 -0700 (PDT)
To: risks@csl.sri.com
Subject: Risks Digest 22.71


Date: Tue, 22 Apr 2003 02:26:16 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Inside Cisco's eavesdropping apparatus (from Declan McCullagh)

By Declan McCullagh, 21 Apr 2003

Cisco Systems has created a more efficient and targeted way for police and
intelligence agencies to eavesdrop on people whose Internet service provider
uses their company's routers.

The company recently published a proposal that describes how it plans to
embed "lawful interception" capability into its products. Among the
highlights: Eavesdropping "must be undetectable," and multiple apolice
agencies conducting simultaneous wiretaps must not learn of one another. If
an Internet provider uses encryption to preserve its customers' privacy and
has access to the encryption keys, it must turn over the intercepted
communications to police in a descrambled form.

Cisco's decision to begin offering "lawful interception" capability as an
option to its customers could turn out to be either good or bad news for
privacy.

Because Cisco's routers currently aren't designed to target an individual,
it's easy for an Internet service provider (ISP) to comply with a police
request today by turning over all the traffic that flows through a router or
switch. Cisco's "lawful interception" capability thus might help limit the
amount of data that gets scooped up in the process.

On the other hand, the argument that it hinders privacy goes like this: By
making wiretapping more efficient, Cisco will permit governments in other
countries -- where court oversight of police eavesdropping is even more
limited than in the United States -- snoop on far more communications than
they could have otherwise.

Marc Rotenberg, head of the Electronic Privacy Information Center, says: "I
don't see why the technical community should hardwire surveillance standards
and not also hardwire accountability standards like audit logs and public
reporting. The laws that permit 'lawful interception' typically incorporate
both components -- the (interception) authority and the means of
oversight -- but the (Cisco) implementation seems to have only the
surveillance component. That is no guarantee that the authority will be used
in a 'lawful' manner."

U.S. history provides many examples of government and police agencies
conducting illegal wiretaps. The FBI unlawfully spied on Eleanor Roosevelt,
Martin Luther King Jr., feminists, gay rights leaders and Catholic
priests. During its dark days, the bureau used secret files and hidden
microphones to blackmail the Kennedy brothers, sway the Supreme Court and
influence presidential elections. Cisco's Internet draft may be titled
"lawful interception," but there's no guarantee that the capability will
always be used legally.

Still, if you don't like Cisco's decision, remember that they're not the
ones doing the snooping. Cisco is responding to its customers' requests, and
if they don't, other hardware vendors will.

If you're looking for someone to blame, consider Attorney General John
Ashcroft, who asked for and received sweeping surveillance powers in the USA
Patriot Act, along with your elected representatives in Congress, who gave
those powers to him with virtually no debate.

I talked with Fred Baker, a Cisco fellow and former chairman of the Internet
Engineering Task Force (IETF), about his work on the "lawful interception"
draft.  ...

http://news.com.com/2010-1071-997528.html

----------

------ End of Forwarded Message

-------------------------------------
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/