German Police Defeated by Skype Encryption
German Police Defeated by Skype Encryption
November 27, 2007: German police have been foiled in their efforts to wiretap VoIP communications, saying that the encryption used by Skype’s Internet telephony software makes it impossible for them to monitor the conversations of criminal suspects.
Wiretapping has been routine for police around the world since the days of the rotary phone and earlier. Law enforcement agencies have always worked with courts and telecommunications providers to ensure that lawful wiretapping is possible, however, with the advent of VoIP the surveillance landscape is changing.
“The encryption with Skype telephone software ... creates grave difficulties for us,” said Joerg Ziercke, president of Germany's Federal Police Office to reporters at an annual gathering of security and law enforcement officials. “We can't decipher it. That's why we're talking about source telecommunication surveillance - that is, getting to the source before encryption or after it's been decrypted.”
With a normal voice call, all the information flows down a single path enabling it to be easily listened in to. With a VoIP call, however, the data is broken up into packets, encrypted, then sent over a variety of channels to find the best possible route to the destination – making it virtually impossible to eavesdrop on unless there is a back door built into the system, or a company like Skype divulges its encryption keys. Ziercke claims there are no discussions underway with Skype for either of these scenarios, and he concedes that he doesn’t “think that any provider would go for that.”
Communication encryption immediately causes problems for those trying to listen in, but beyond this, as VoIP providers are often based in countries other than where they offer voice services they are not bound to the same laws as traditional telcos, and cannot be forced to comply with local authorities in surveillance matters.
Getting at the source before encryption is a reference to controversial plans in Germany to develop specialised “remote forensic software”, basically “white hat” malware that could be deployed on suspect computers to gather evidence.
This method has, of course, attracted a fiery debate over privacy and it appears that this method is unlikely to get off the ground – at least in Germany where people are quite protective of their right to privacy.
Ziercke claims these kinds of remote searches would only happen in an extremely small number of cases, noting that “currently [we] have 230 proceedings related to suspected Islamists, I can imagine that in two or three of those we would like to do this.”
How the police would actually get the Trojan onto criminal computers is another matter of course. Odds are the average paranoid crim would be one of the last people to click on a spam email attachment, and they could always be using Linux...
Comment on this story