BROOKE GLADSTONE:
This is On the Media. I'm Brooke Gladstone.
BOB GARFIELD:
And I'm Bob Garfield. Once upon a time, it was easy for officials to wiretap. An extra wire connected to the line between the phone company and the caller would easily do the trick.

There was a legal obstruction – the Fourth Amendment protection against unreasonable search and seizure – but that was easily removed with a warrant if officials could show probable cause. By the 1970s, secret warrants for wiretapping foreigners were obtained through a secret court.

But then the technology got a bit more complicated. Fiberoptic cable and computer switching made phones much harder to tap.
BROOKE GLADSTONE:
So in 1994, Congress passed the Communications Assistance for Law Enforcement Act, or CALEA, which required phone companies to build wiretapping capabilities into their systems, to “cooperate in the interception of communications for law enforcement purposes and for other purposes.”

But CALEA didn't apply to the Internet, and soon things got really complicated. Consider this hypothetical couple. Let's call them Alice and Bob. They're suspicious characters and they communicate using an Internet phone service. Bob calls Alice on his laptop from a Starbucks. She responds using her laptop from a hotel.

Susan Landau, a distinguished engineer with Sun Microsystems, writes about the perils of Internet eavesdropping in this month’s issue of Scientific American, but she does concede that Alice and Bob are a wiretapper’s nightmare.
SUSAN LANDAU:
When Alice and Bob want to talk to each other, have a telephone call, as it were, over the Internet, using what’s called Voice-over Internet Protocol, or Voice-over IP, or VoIP, their phone number - which is to say, their IP address - is changing all the time.

The government has no idea where Alice and Bob are going to be at any particular point, and that makes wiretapping on the Internet really hard.
BROOKE GLADSTONE:
Hard, but not impossible. A couple of years ago, the FBI, the Justice Department and the DEA sought and won the right to expand the wiretapping reach of the 1994 CALEA beyond its original scope.
SUSAN LANDAU:
The law applied only to what’s called digitally-switched telephones – telephones, you know, the one that sits on your desk, the one that you carry in your pocket. And at the time the FBI Director Louis Freeh, said that they weren't going to go after the Internet.

Recently, the FBI came to the Federal Communications Commission and said, we need the ability to wiretap Voice-over IP, VoIP. And the FCC gave it that ability in very, very narrow cases.

It said, we can require the telephone companies to build capability in for VoIP that looks pretty much like the telephone, so VoIP that looks like me sitting in my office using the same computer at the same IP connection every time, but not VoIP that has me taking my laptop hither and yon.
BROOKE GLADSTONE:
Now, you note in your Scientific American piece that expanding CALEA is just one of the ways that the government has tried to broaden its eavesdropping rights on the Net. Just this year, the President signed a national security directive that authorized something called the “Cyber Initiative,” and, according to The Washington Post, that initiative has 18 goals, most of which are secret – so secret, in fact, that the Senate Homeland Security Committee was forced to write the White House a letter begging for information.
But there are some things we know about it, right?
SUSAN LANDAU:
Right. There are a few pieces of that that are public. For example, the government is building a system to monitor all communications that people have with the government.

Now, in some sense, of course, the government has the right to check who’s communicating with it. On the other hand, there are certain places that people communicate with the U.S. government – AIDS patients, people with sexually-transmitted diseases - where anonymity is pretty important.

And if those people don't have anonymity, they're much less likely to access government resources and to give government the information it wants to know, like how many people have AIDS, what transmission is happening in STDs, and so on. So this kind of tracking of communications is of great concern.

But the Cyber Initiative seems to go much further because the government wants to protect the Internet and, in particular, critical infrastructure, like electric power grid, like water power, like health care, from cyber-attacks from outside. And that’s going to mean monitoring the entire networked communication system.
BROOKE GLADSTONE:
Is that even possible?
SUSAN LANDAU:
Well [LAUGHS] none of us on the outside have seen anything that we're able to evaluate, so it’s really hard to know what’s in mind.
BROOKE GLADSTONE:
These safeguards are not only there to protect us from potential terrorists but also to protect our whole Internet from cyber-terrorists. So how do you suggest the government safeguard our Internet security and keep track of evildoers?
SUSAN LANDAU:
Whether it’s new liability laws that make computer manufacturers responsible for security breaches in their equipment – we don't have those requirements now – or whether it is the government using its purchase power to start demanding increased security in the equipment it buys, it’s a large buyer and it would have an impact.

Traffic analysis – that is, watching who is talking with whom, when, more than the content of the communications, is much more valuable than it was 10 or 15 years ago.

So you want the government to work on securing the Internet as best it can, rather than increasing the surveillance capability, and you also want the government to look at this issue long-term. Short-term, if you do the surveillance you might catch some bad guys, some really bad guys, but what are you doing long-term to the security of U.S. communications?
BROOKE GLADSTONE:
You state in your article that it stifles growth and innovation.
SUSAN LANDAU:
We've seen tremendous economic growth in the last 15 years in Silicon Valley, and that came about because essentially the way the Internet works is it says, we'll let the applications decide what they're going to do, whether it’s VoIP or Google or search or MySpace, whatever it is, and we'll just provide a network that allows all those applications to innovate.

As soon as you start saying what the innovations can look like – for example, they have to be tapable in such-and-such a way – you have a real threat to U.S. innovation. That becomes a long-term problem for the United States.
BROOKE GLADSTONE:
So that’s your economic national security argument against this kind of government surveillance, but you also have a direct national security argument against it.
SUSAN LANDAU:
That's right, and that’s the one that really has not gotten any press. We know that there are certain members of the intelligence community that are concerned about this, but it certainly hasn't been discussed in public.

This is the whole idea that when you build surveillance capability into a communications network, you raise the threat that it can be put to nefarious purposes. One, of course, is the civil liberties-type purpose of, you know, what if government starts snooping inappropriately. But to us, the security risk, the real, serious security risk is we're building for our enemies something they couldn't afford to build for themselves.

If you think about the worst espionage case that the FBI has had to deal with in the last 30 years, it’s Aldrich Ames, an insider. Now, you build surveillance capability – what I like to think of as an architected security breach – you build a security breach into your communications infrastructure, wiretapping capability into the communications, and then who is going to use it?

What if a bad guy on the inside uses it? You’re creating a tremendous risk, a risk that I don't think has been properly discussed or evaluated on the inside or the outside.

BROOKE GLADSTONE:
Susan, thank you very much.
SUSAN LANDAU:
Brooke, thank you very much. I’m very glad to be able to talk about this.
BROOKE GLADSTONE:
Susan Landau is a distinguished engineer at Sun Microsystems Laboratories.