***** Surveillance or Security: The Risks Posed by New Wiretapping Technologies. By Susan Landau. MIT Press, www.mitpress.mit.edu; 400 pages; $29.95.
The technologies of communications and eavesdropping are increasingly complicated, and public policy must keep up with those innovations. As the title implies, the author is concerned that establishing more surveillance capabilities can decrease security. The book highlights historical contrasts between the technologies of today and those of a few decades ago. The author reminds us that an international call—which not long ago needed help from phone company employees—now doesn’t even require a telephone.
One theme of this book relates to the misuse of wiretap hardware. This can involve investigators who abuse their authority as allegedly occurred with the members of Scotland Yard implicated in the continuing News of the World scandal. A less-apparent risk is criminal access to government-mandated wiretap tools. Organized crime could wiretap informant phones by spoofing an order from the FBI.
In addition to interception of phone calls, a significant investigative tool is a record of the connections between phones. This sort of information, often called traffic analysis, can help investigators uncover associations between individuals. With the advent of smartphones, an even more comprehensive combination of location, time, and activity can be constructed. The author does a good job of explaining the power and risks of this technique. In one police investigation, a check of cellphone tower logs for two different murder scenes at two different times led to catching the killer.
As government mandates that systems create the ability to give authorized agents packet-sniffing capabilities over the Internet, risk arises. Trusted insiders hold the keys to this capability and can deliver the same broad capabilities to foreign agents. The author argues that powerful interception systems should not be baked into digital networks until they are proven to be secure. This requires careful design of security, auditing, and procedures. Vulnerability analysis and penetration testing will be needed to validate systems.
The last section includes an unusually detailed list of references, comments, and definitions. It will be a valuable resource for anyone wanting to dive deeper into this interesting topic.
Reviewer: Gordon Mitchell, Ph.D., CPP, operates Future Focus, a Seattle firm that provides computer forensic investigations and network incident response. He enjoys the thrill of the hunt for clues in computers. He is a member of ASIS International.