The debate over changes to the Foreign Intelligence Surveillance Act—the legal framework governing how agencies like the NSA conduct wiretaps—is typically framed as a contest between the competing values of security and privacy. But in an article published in the latest issue of IEEE Security & Privacy, a team of top network security experts argue that large-scale digital surveillance creates new security risks and vulnerabilities as well. "The US," the authors warn, "could build for its opponents something that would be too expensive for them to build for themselves: a system that lets them see the US’s intelligence interests, a system that could tell them how to thwart those interests, and a system that might be turned to intercept the communications of American citizens and institutions."

The legal changes being fought out in Congress are meant to facilitate a series of architectural changes in the way foreign intel surveillance is conducted. As strictly foreign communications increasingly pass over American fiber on their way to their destinations, intel professionals hope that intercepts once carried out abroad can now be performed from the convenience of a domestic switching office. And while the word "wiretap" may evoke images out of the film The Lives of Others—headphone-clad Ulrich Mühe sitting in an attic fastening alligator clips to copper wire—modern surveillance will increasingly entail not targeting particular lines of communication, but rather sifting through vast amounts of telecom data by computer in order to flag calls and e-mails of potential interest. This may mean, among other things, using databases of information-rich Call Data Records to identify target calling patterns, so that subjects can be pinpointed even if they change phones.

The problem, the authors argue, is that everything that makes an electronic surveillance system convenient for intel agencies also makes it a more attractive target for hostile outsiders or corrupt insiders. Surveillance systems located, not at the border or at international cable heads, but at U.S. telecom hubs—systems like the one retired AT&T engineer Mark Klein describes seeing at the company's San Francisco office—can also more easily pick up the purely domestic communications apt to be valuable to intruders. And where once intel agencies working with domestic telecom firms would have been presenting specific requests to acquire particular communications, they are now themselves likely to be doing not only the analysis of recorded conversations, but the filtering as well, which will involve aggregating still more juicy, info-rich databases. And more centralized storage of sensitive data creates both powerful incentives to attempt a breach and the risk of serious harm if one occurs.

A realistic threat

The threat of enemy hackers gaining control of lawful wiretap architecture may sound like fodder for a Hollywood thriller, but in fact, it has already happened. In Greece in 2004, parties still unknown gained access to legitimately installed surveillance software on the country's Vodafone cell network. For ten months, the intruders were able to listen in on "cell phones belonging to the prime minister and ministers of defense, foreign affairs, justice, and public order—as well as opposition members in the Greek parliament." It would be nice to believe U.S. security is tighter, but the authors point to some cause for concern even in the little publicly available information about intel surveillance: they describe the auditing system for the FBI's DCS-3000 wiretap system as "primitive," noting that it relies on passwords for authentication, uses shared rather than user-specific logins, and employs the outdated MD5 hashing algorithm.
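The three audit weaknesses named above are easy to see in miniature. The following Python is an added illustration, not code from the article or from the IEEE Security & Privacy paper it discusses, and it says nothing about how DCS-3000 is actually built: the audit log, account names and passwords are constructed sample data. It shows why a shared login leaves accesses that cannot be attributed to any individual, why an unsalted MD5 password hash lets one precomputed lookup serve every account that reuses a password, and what a per-user, salted, iterated hash (PBKDF2 here, chosen as a common replacement, not as anything the paper recommends by name) looks like by comparison.

```python
import hashlib
import hmac
import os

# Constructed sample audit log of accesses to a hypothetical intercept
# system: (account, action, target). "operator" is a shared login.
CONSTRUCTED_AUDIT_LOG = [
    ("operator", "listen", "case-1001"),
    ("operator", "export", "case-1002"),
    ("jdoe", "listen", "case-1001"),
]

# Constructed list of accounts known to be shared by several people.
SHARED_ACCOUNTS = {"operator", "admin", "root"}


def attribute(log, shared_accounts=SHARED_ACCOUNTS):
    """Split audit entries into those traceable to one person and those
    recorded under a shared login, which cannot be pinned on anyone."""
    attributed, unattributable = [], []
    for account, action, target in log:
        bucket = unattributable if account in shared_accounts else attributed
        bucket.append((account, action, target))
    return attributed, unattributable


def md5_password_hash(password):
    """Unsalted MD5, the weak scheme: equal passwords give equal hashes,
    so a single precomputed table serves every account."""
    return hashlib.md5(password.encode()).hexdigest()


def reused_password_groups(user_hashes):
    """Given {user: md5_hex}, return groups of users sharing a hash.
    Any group of size > 1 is exactly what an unsalted scheme exposes."""
    by_hash = {}
    for user, h in user_hashes.items():
        by_hash.setdefault(h, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


def pbkdf2_record(password, salt=None, iterations=200_000):
    """Per-user salted, iterated hash. A fresh random salt makes equal
    passwords produce different records, defeating shared lookup tables."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return (salt, iterations, digest)


def pbkdf2_verify(password, record):
    """Constant-time comparison against a stored record."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    ok, unknown = attribute(CONSTRUCTED_AUDIT_LOG)
    print("attributable accesses:", ok)
    print("accesses nobody can be held to:", unknown)
    # Constructed credential store: two analysts reusing one password.
    store = {u: md5_password_hash(p) for u, p in
             [("jdoe", "password"), ("asmith", "password"), ("kli", "other")]}
    print("users sharing an MD5 hash:", reused_password_groups(store))
    r1, r2 = pbkdf2_record("password"), pbkdf2_record("password")
    print("salted records differ:", r1[2] != r2[2],
          "verify:", pbkdf2_verify("password", r1))
```

The `attribute` check is the one a reviewer of an audit trail actually runs: any entry under a shared account is a gap in accountability, whatever else the log records. The hashing functions are the usual contrast between a lookup-table-friendly digest and a per-user salted one.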

The authors offer a series of recommendations to reduce the security risks posed by surveillance. Intercepts should be carried out at locations less likely to gather purely-domestic traffic, even when this is less convenient than picking up communications at backbone routers, and irrelevant information should be screened out before any more centralized processing is done. Telecom providers should, when possible, act as intermediaries between intel analysts and data. And independent oversight should be imposed to reduce the likelihood of both abuse and error.