Slashdot Mirror


Verizon "End-to-End" Encrypted Calling Includes Law Enforcement Backdoor

An anonymous reader sends this quote from TechDirt: As a string of whistle blowers like former AT&T employee Mark Klein have made abundantly clear, the line purportedly separating intelligence operations from the nation's incumbent phone companies was all-but obliterated long ago. As such, it's relatively amusing to see Verizon announce this week that the company is offering up a new encrypted wireless voice service named Voice Cypher. Voice Cypher, Verizon states, offers "end-to-end" encryption for voice calls on iOS, Android, or BlackBerry devices equipped with a special app made by Cellcrypt.

Verizon says it's initially pitching the $45 per phone service to government agencies and corporations, but would ultimately love to offer it to consumers as a line item on your bill. Of course by "end-to-end encryption," Verizon means that the new $45 per phone service includes an embedded NSA backdoor free of charge. Apparently, in Verizon-land, "end-to-end encryption" means something entirely different than it does in the real world.

13 of 170 comments

  1. Depends... by TWX · · Score: 5, Funny

    ...on which 'end' they're backdooring you in apparently.

    --
    Do not look into laser with remaining eye.
    1. Re:Depends... by schnell · · Score: 4, Informative

      Nobody is being "backdoored" here except as required by law. The linked story summary is a troll for mentioning the NSA - it has nothing to do with them, but either the writer doesn't know what they're talking about or they just figured that would get more clicks.

      Telecom providers are required to make sure that any voice service they sell is compliant with CALEA. There is no direct CALEA equivalent today for data services, interestingly - this is how far behind the times the Feds can be. And yes everything in LTE is data but for the purposes of the law, anything where you are talking - for example VoIP - is considered a voice service.

      CALEA basically means that if you (the telecom) get a wiretap order - signed by a judge - from a law enforcement agency, you need to wiretap and record that user's calls for the specified time period, decrypt them if necessary, and then turn them over to the law enforcement agency. Verizon had to make this service CALEA compliant, or they couldn't have offered it. And remember that CALEA is not about mass wireless surveillance a la NSA but is actually about targeted recordings of specific individuals where there is probable cause enough to get a judge to sign off on the wiretap order. Very different things. You can dislike CALEA but you can't blame Verizon for putting in some magical backdoor - that has absolutely zero to do with the NSA - which they are required by law to have.

      However for the privacy-minded it should be noted that the way things work, CALEA only applies to telecom providers. If you bought the same software from a non-telecom source (e.g. the software OEM themselves) and put it on your phone, then CALEA won't help law enforcement because Verizon wouldn't have the key to decrypt your calls with and could only turn over the encrypted stream. So if you are worried about being wiretapped by the police, don't buy your encryption service from your phone company.

      --
      "95% of all Slashdot .sig quotes are incorrect or completely fabricated." -Benjamin Franklin
    2. Re:Depends... by Kvathe · · Score: 5, Informative

      From TFA:

      "...the legislation known as the Communications Assistance for Law Enforcement Act requires phone carriers to decrypt communications for the government only if they have designed their technology to make it possible to do so. If Verizon and Cellcrypt had structured their encryption so that neither company had the information necessary to decrypt the calls, they would not have been breaking the law."

    3. Re:Depends... by schnell · · Score: 4, Informative

      An unconstitutional law is actually not a law at all.

      What's unconstitutional about CALEA? It requires police to show probable cause and have a judge sign off on a request, just as if it were a warrant for arrest or any other search and seizure of personal records. Whether it does so in practice is a different question, but in theory the law itself is at least designed to be fully compatible with the Fourth Amendment.

      NSA warrantless wiretapping? Almost certainly unconstitutional, by any reading other than Dick Cheney's. CALEA? Probably not so much.

      And BTW an unconstitutional law is still a law. Not sure where you learned your legal theory. A law that's unconstitutional should in theory be overturned by the courts so that it's not a law anymore - that's how "checks and balances" work - but until such time, it is most definitely a law and entirely enforceable!

      --
      "95% of all Slashdot .sig quotes are incorrect or completely fabricated." -Benjamin Franklin
  2. This should be free by Karmashock · · Score: 4, Insightful

    Aren't our calls supposed to be encrypted anyway? I mean, so some jack ass with a radio can't listen to them? So what are they charging me for here?

    Sounds like a reasonable product for the government.

    For the consumer though, you have to ask yourself what you're actually getting with this? Doesn't appear to be anything. After all, the only people that could normally break into your communications would be the government anyway.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    1. Re:This should be free by dunkindave · · Score: 4, Informative

      Aren't our calls supposed to be encrypted anyway? I mean, so some jack ass with a radio can't listen to them?

      Cellular communications are encrypted between the handset and the tower to prevent the radio buff from listening in. How effective that encryption is is up for debate. This means any end-to-end encryption would actually be double encrypting the data as it passed between handsets and towers, once for the cellular signal, and once for the end-to-end system.

      Apparently, in Verizon-land, "end-to-end encryption" means something entirely different than it does in the real world.

      Also I believe the summary is misleading. This probably is an end-to-end encryption system, meaning the call is encrypted at one handset and the encrypted data travels to the other handset before being decrypted for the purpose of the call. If there is a backdoor that compromises the encryption key, that doesn't change that the system is end-to-end encrypted, just that a snooper would be able to decrypt the traffic.

    2. Re:This should be free by blueg3 · · Score: 4, Informative

      The issuer generally doesn't have a copy of your private key. You make a public-private keypair, put the public key into a certificate request, send the request to a CA, and the CA generates a signed certificate from it that includes the public key. The private key is not seen by the CA at any point.

      You of course *could* have the CA generate both parts and then send you both the public and private key, but that's not nearly as good a solution and is much less common. Most of the CAs I've seen that provide "easy to use" interfaces generate the keypair in the Web browser so that the private key doesn't have to be transmitted.
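
The certificate-request flow described in the comment above, as an added example that is not part of the original thread. It uses the Python `cryptography` package; the names `handset.example.test` and `Example Test CA` are constructed, and the check confirms that the bytes sent to the CA never contain the subscriber's private scalar.

```python
# Added example: CSR flow in which the CA never receives the private key.
# "handset.example.test" and "Example Test CA" are constructed names.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_csr(common_name):
    """Subscriber side: generate the keypair locally, return (key, CSR PEM)."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(_name(common_name))
           .sign(key, hashes.SHA256()))  # self-signature proves key possession
    return key, csr.public_bytes(serialization.Encoding.PEM)


def ca_issue(ca_key, ca_cn, csr_pem, days=30):
    """CA side: sees only the CSR bytes, checks them, signs a certificate."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not match its public key")
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(_name(ca_cn))
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=days))
            .sign(ca_key, hashes.SHA256()))


def demo():
    ca_key = ec.generate_private_key(ec.SECP256R1())
    sub_key, csr_pem = make_csr("handset.example.test")
    cert = ca_issue(ca_key, "Example Test CA", csr_pem)
    secret = sub_key.private_numbers().private_value.to_bytes(32, "big")
    csr_der = x509.load_pem_x509_csr(csr_pem).public_bytes(serialization.Encoding.DER)
    # Raises InvalidSignature if the certificate was not signed by ca_key.
    ca_key.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               ec.ECDSA(cert.signature_hash_algorithm))
    same_key = (cert.public_key().public_numbers()
                == sub_key.public_key().public_numbers())
    return {"secret_in_csr": secret in csr_der, "cert_binds_subscriber_key": same_key}
```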

  3. Re:It's required by mythosaz · · Score: 4, Informative

    False.

    CALEA only requires the backdoor to exist if it's technically possible. TFA is pretty clear that other manufacturers and carriers have chosen to implement end-to-end encryption that doesn't have the ability to be backdoored, and as such, there's no need to provide the (non-existent) backdoor to the feds.

  4. Sell the key by jamesl · · Score: 4, Funny

    Verizon sells you end-to-end encryption and then sells NSA the key.

  5. Re:It's required by mean+pun · · Score: 4, Insightful

    If you are right, then Verizon should not offer the product, since they can't legally deliver what they promise.

  6. Re:It's required by jc42 · · Score: 5, Insightful

    Your indignation should not be directed at Verizon - it should be directed at Washington, DC.

    A fun part of this is that the government employees at ARPA back in the 1960s explained it all to us. They firmly rejected building any sort of encryption into the network itself, on the grounds that such software would always be controlled by the "middlemen" who supplied the physical connectivity, and they would always build what we now call backdoors into the encryption. They concluded that secure communication between two parties could only be done via encryption that they alone controlled. Any encryption at a lower level was a pure waste of computer time, and shouldn't even be attempted, because it will always be compromised.

    This doesn't seem to have gotten through to many people today, though. We hear a lot about how "the Internet" should supply secure, encrypted connections. Sorry; that's never feasible, unless you own and control access to every piece of hardware along the data's route. And the ARPA guys didn't consider that, because that first 'A' stands for "Army", and they wanted a maximally-redundant, "mesh" type network that would be usable in battle conditions. They went with the approach that you use any kind of data equipment that's available, including the enemy's, and you build in sufficient error detection to ensure that the bits get through undamaged. Then you use encryption that your team knows how to install on their machines and use. And you probably change the encryption software at irregular intervals.

    Anyway, the real people to direct your anger at are the PR folks in both industry and government, who keep trying to convince you that they can supply encryption that's secure. Yeah, maybe they can do that, but they never have and they never will. And the odd chance that they've actually done so in some specific case doesn't change this. The next (silent, automatic;-) upgrade will introduce the backdoor.

    Unless you have all the code, compile it yourself, and have people who can understand its inner workings, you don't have secure encryption; you have encryption that delivers your text to some unknown third parties. It's the US government's own security folks who explained this to us nearly half a century ago.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  7. Re: How is this different than the clipper chip? by ogdenk · · Score: 4, Interesting

    It's simple: you can't. They won, let's face it. There's nothing anyone can do.

    Unless they make the same mistake the Nazis did and start persecuting the rich, no one will have the funds or manpower to organize an effective resistance. And due to very effective media manipulation techniques, anyone else who tried to rise would be labelled a lone, kiddie murdering, child molesting, atheist, serial rapist that preys on cute rich white girls.... and boys. And the cops will obviously be in fear for their lives as they shoot you in handcuffs.

    They aren't making the same mistake the Nazis did. This is not race warfare. This is not religious warfare. This is CLASS warfare. And you aren't part of their class but they will never truly admit this to you directly. They'll just have you pulled over for your car being too old, shoot your dog in the backseat, and tell you to stop resisting as they cave your face in with onlookers doing nothing because you dared look them in the eye. And the perpetrators of the violence will investigate and clear themselves. Welcome to 21st century America.

  8. There is no "law enforcement only" backdoor by Opportunist · · Score: 4, Insightful

    Any backdoor is by definition available to everyone. Some may have a key, the others have lockpicks.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.