There's been considerable discussion of the impact of the "Protect America" Act on civil rights, security, privacy, and other legal/political areas. Less explored, but perhaps as important, is the technical impact. Building and operating the infrastructure required to support its provisions will have consequences, no doubt many of them unintended. A soon-to-be-published paper explores some of those consequences.
The paper is entitled "Risking Communications Security: Potential Hazards of the Protect America Act". Its authors are a who's who of data security: Steve Bellovin of Columbia, Matt Blaze of UPenn, Whitfield Diffie and Susan Landau of Sun, Peter Neumann of SRI, and Jennifer Rexford of Princeton.
The paper may be found here in PDF format. It is scheduled to be published in the Jan/Feb 2008 issue of the IEEE Journal on Security and Privacy.
It's a very readable paper -- in part because it explains terminology as it goes, and in part because it uses many examples to illustrate the concepts it explores. So don't expect an abstract, mathematical treatise; expect something that looks at the issues in a very practical way.
The authors begin by noting:
Building surveillance technologies into communication networks is risky. The Greeks learned this lesson the hard way; two years ago, they discovered that legally installed wiretapping software in a cellphone network had been surreptitiously enabled by parties unknown, resulting in the wiretapping of more than 100 senior members of the government for almost a year.
They go on to cite other, similar examples and note that their focus is not on civil liberties (explored elsewhere) but on the security issues involved in setting up and running an operation of this nature. Their point, if I might try not to slight them too badly by condensing it to a phrase, is that there are a lot of ways this can go badly wrong and end up reducing security...rather than increasing it.
One of the authors, Matt Blaze, has also commented in his blog, and I suggest reading his comments as a prelude to the paper. He writes, in part:
As someone who began his professional career in the Bell System (and who stayed around through several of its successors), the push for telco immunity represents an especially bitter disillusionment for me. Say what you will about the old Phone Company, but respect for customer privacy was once a deeply rooted point of pride in the corporate ethos.
My suggestion is that, after reading it, you consider bringing this paper to the attention of your elected representatives. It's important that they understand that there are risks involved in any effort like this - it's not at all guaranteed to be a complete "success" even for an Orwellian definition of "success". I think...I hope...that even the most ardent supporter of a surveilled society would pause for a moment once they realized that -- and of course those of us who don't think that's a good idea even in the abstract need to be just as aware of the risks.