Slashdot Mirror

← Back to Stories (view on slashdot.org)

Verizon "End-to-End" Encrypted Calling Includes Law Enforcement Backdoor

Posted by Soulskill on from the part-and-parcel dept.

An anonymous reader sends this quote from TechDirt: As a string of whistle blowers like former AT&T employee Mark Klein have made clear abundantly clear, the line purportedly separating intelligence operations from the nation's incumbent phone companies was all-but obliterated long ago. As such, it's relatively amusing to see Verizon announce this week that the company is offering up a new encrypted wireless voice service named Voice Cypher. Voice Cypher, Verizon states, offers "end-to-end" encryption for voice calls on iOS, Android, or BlackBerry devices equipped with a special app made by Cellcrypt.

Verizon says it's initially pitching the $45 per phone service to government agencies and corporations, but would ultimately love to offer it to consumers as a line item on your bill. Of course by "end-to-end encryption," Verizon means that the new $45 per phone service includes an embedded NSA backdoor free of charge. Apparently, in Verizon-land, "end-to-end encryption" means something entirely different than it does in the real world.

10 of 170 comments (clear)

  1. It's required by LynnwoodRooster · · Score: 2, Informative

    See the CALEA Act passed in 1994. Telecom providers HAVE to provide that backdoor. If not - they are subject to fines of up to $10,000 per day per connection not in compliance, and having their network shut down until it comes into compliance.

    Your indignation should not be directed at Verizon - it should be directed at Washington, DC.

    --
    Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    1. Re:It's required by mythosaz · · Score: 4, Informative

      False.

      CALEA only requires the backdoor to exist if it's technically possible. TFA is pretty clear that other manufacturers and carriers have chosen to implement end-to-end encryption that doesn't have the ability to be backdoored, and as such, there's no need to provide the (non-existent) backdoor to the feds.

    2. Re:It's required by blueg3 · · Score: 3, Informative

      And the ARPA guys didn't consider that, because that first 'A' stands for "Army"

      The "A" stands for "Advanced". I think they were more interested in a research network than a tactical (battlefield) network. I think it's still true that "one organization controls all the infrastructure between two points on the Internet" was *not* the model of the Internet they were envisioning at the time.

  2. Re:This should be free by dunkindave · · Score: 4, Informative

    Aren't our calls supposed to be encrypted anyway? I mean, so some jack ass with a radio can't listen to them?

    Cellular communications are encrypted between the handset and the tower to prevent the radio buff from listening in. How effective that encryption is is up for debate. This means any end-to-end encryption would actually be double encrypting the data as it passed between handsets and towers, once for the cellular signal, and once for the end-to-end system.

    Apparently, in Verizon-land, "end-to-end encryption" means something entirely different than it does in the real world.

    Also I believe the summary is misleading. This probably is an end-to-end encryption system, meaning the call is encrypted at one handset and the encrypted data travels to the other handset before being decrypted for the purpose of the call. If there is a backdoor that compromises the encryption key, that doesn't change that the system is end-to-end encrypted, just that a snooper would be able to decrypt the traffic.

  3. Re: Actually, not free of charge by Anonymous Coward · · Score: 2, Informative

    Why wouldn't you just install Signal?

    It's free, open-source, and the team is headed by someone respected in the security industry. (Moxie)

    Better yet, with TextSecure integration into Signal -- coming soon to IOS (beta) already available for Android as standalone app -- one's text messages are also protected.

  4. Re:Depends... by schnell · · Score: 4, Informative

    Nobody is being "backdoored" here except as required by law. The linked story summary is a troll for mentioning the NSA - it has nothing to do with them, but either the writer doesn't know what they're talking about or they just figured that would get more clicks.

    Telecom providers are required to make sure that any voice service they sell is compliant with CALEA. There is no direct CALEA equivalent today for data services, interestingly - this is how far behind the times the Feds can be. And yes everything in LTE is data but for the purposes of the law, anything where you are talking - for example VoIP - is considered a voice service.

    CALEA basically means that if you (the telecom) get a wiretap order - signed by a judge - from a law enforcement agency, you need to wiretap and record that user's calls for the specified time period, decrypt them if necessary, and then turn them over to the law enforcement agency. Verizon had to make this service CALEA compliant, or they couldn't have offered it. And remember that CALEA is not about mass wireless surveillance a la NSA but is actually about targeted recordings of specific individuals where there is probable cause enough to get a judge to sign off on the wiretap order. Very different things. You can dislike CALEA but you can't blame Verizon for putting in some magical backdoor - that has absolutely zero to do with the NSA - which they are required by law to have.

    However for the privacy-minded it should be noted that the way things work, CALEA only applies to telecom providers. If you bought the same software from a non-telecom source (e.g. the software OEM themselves) and put it on your phone, then CALEA won't help law enforcement because Verizon wouldn't have the key to decrypt your calls with and could only turn over the encrypted stream. So if you are worried about being wiretapped by the police, don't buy your encryption service from your phone company.

    --
    "95% of all Slashdot .sig quotes are incorrect or completely fabricated." -Benjamin Franklin
  5. Re:Depends... by Kvathe · · Score: 5, Informative

    From TFA:

    "...the legislation known as the Communications Assistance for Law Enforcement Act requires phone carriers to decrypt communications for the government only if they have designed their technology to make it possible to do so. If Verizon and Cellcrypt had structured their encryption so that neither company had the information necessary to decrypt the calls, they would not have been breaking the law."

  6. Re:Depends... by jeffmeden · · Score: 3, Informative

    From TFA:

    "...the legislation known as the Communications Assistance for Law Enforcement Act requires phone carriers to decrypt communications for the government only if they have designed their technology to make it possible to do so. If Verizon and Cellcrypt had structured their encryption so that neither company had the information necessary to decrypt the calls, they would not have been breaking the law."

    TFA is a plain ol' troll. CALEA indeed requires any switching systems used for voice traffic (land lines and cell phones) to allow for electronic eavesdropping of all calls going through them. The only caveat is that replacing/upgrading every switching system is completely impractical, even in decades-long time frames, so the FCC has been granting extensions for non-compliance. If Verizon went to the FCC saying that they were going to put software in that started to roll back CALEA compliance from any call that happened to be made using a pair of their cellphones running their provided encryption software, they would have thrown the book at them. New systems *do* have to be CALEA compliant.

  7. Re:Depends... by schnell · · Score: 4, Informative

    An unconstitutional law is actually not a law at all.

    What's unconstitutional about CALEA? It requires police to show probable cause and have a judge sign off on a request, just as if it were a warrant for arrest or any other search and seizure of personal records. Whether it does so in practice is a different question, but in theory the law itself is at least designed to be fully compatible with the Fourth Amendment.

    NSA warrantless wiretapping? Almost certainly unconstitutional, by any reading other than Dick Cheney's. CALEA? Probably not so much.

    And BTW an unconstitutional law is still a law. Not sure where you learned your legal theory. A law that's unconstitutional should in theory be overturned by the courts so that it's not a law anymore - that's how "checks and balances" work - but until such time, it is most definitely a law and entirely enforceable!

    --
    "95% of all Slashdot .sig quotes are incorrect or completely fabricated." -Benjamin Franklin
  8. Re:This should be free by blueg3 · · Score: 4, Informative

    The issuer generally doesn't have a copy of your private key. You make a public-private keypair, put the public key into a certificate request, send the request to a CA, and the CA generates a signed certificate from it that includes the public key. The private key is not seen by the CA at any point.

    You of course *could* have the CA generate both parts and then send you both the public and private key, but that's not nearly as good a solution and is much less common. Most of the CAs I've seen that provide "easy to use" interfaces generate the keypair in the Web browser so that the private key doesn't have to be transmitted.