News broke this weekend that China-backed hackers have compromised the wiretap systems of several U.S. telecom and internet providers, likely in an effort to gather intelligence on Americans.
The wiretap systems, as mandated under a 30-year-old U.S. federal law, are some of the most sensitive in a telecom or internet provider’s network, typically granting a select few employees nearly unfettered access to information about their customers, including their internet traffic and browsing histories.
But for the technologists who have for years sounded the alarm about the security risks of legally required backdoors, news of the compromises is the “told you so” moment they hoped would never come but knew one day would.
“I think it absolutely was inevitable,” Matt Blaze, a professor at Georgetown Law and expert on secure systems, told TechCrunch regarding the latest compromises of telecom and internet providers.
The Wall Street Journal first reported Friday that a Chinese government hacking group dubbed Salt Typhoon broke into three of the largest U.S. internet providers, AT&T, Lumen (formerly CenturyLink), and Verizon, to access the systems those providers use to hand customer data to law enforcement and governments. The hacks reportedly may have resulted in the “vast collection of internet traffic” from the telecom and internet giants. CNN and The Washington Post also confirmed the intrusions and that the U.S. government’s investigation is in its early stages.
The goals of the Chinese campaign are not yet fully known, but the WSJ cited national security sources who consider the breach “potentially catastrophic.” Salt Typhoon, the hackers in question, is one of several related Chinese-backed hacking units thought to be laying the groundwork for destructive cyberattacks in the event of an anticipated future conflict between China and the United States, potentially over Taiwan.
Blaze told TechCrunch that the Chinese intrusions into U.S. wiretap systems are the latest example of malicious abuse of a backdoor ostensibly meant for lawful and legal purposes. The security community has long advocated against backdoors, arguing that it is technologically impossible to have a “secure backdoor” that cannot also be exploited or abused by malicious actors.
“The law says your telecom must make your calls wiretappable (unless it encrypts them), creating a system that was always a target for bad actors,” said Riana Pfefferkorn, a Stanford academic and encryption policy expert, in a thread on Bluesky. “This hack exposes the lie that the U.S. [government] needs to be able to read every message you send and listen to every call you make, for your own protection. This system is jeopardizing you, not protecting you.”
“The only solution is more encryption,” said Pfefferkorn.
The 30-year-old law that set the stage for recent backdoor abuse is the Communications Assistance for Law Enforcement Act, or CALEA, which became law in 1994 at a time when cell phones were a rarity and the internet was still in its infancy.
CALEA requires that any “communications provider,” such as a phone company or internet provider, must provide the government all necessary assistance to access a customer’s information when presented with a lawful order. In other words, if there is a means to access a customer’s data, the phone companies and internet providers must provide it.
Wiretapping became big business in the post-2000 era, following the September 11 attacks in 2001. The subsequent introduction of post-9/11 laws, such as the Patriot Act, vastly expanded U.S. surveillance and intelligence gathering, including on Americans. CALEA and other surveillance laws around this time gave rise to an entire industry of wiretapping companies that helped phone and internet companies comply with the law by wiretapping on their behalf.
Much of how those expanded wiretapping laws and provisions worked in practice — and what access the government had to Americans’ private data — were kept largely a secret until 2013, when former NSA contractor Edward Snowden leaked thousands of U.S. classified documents, broadly exposing the government’s surveillance techniques and practices over the past decade, including the vast collection of Americans’ private data.
While much of the Snowden surveillance scandal focused on how the U.S. government and its closest allies collected secret data on their top foreign intelligence targets, such as overseas terrorists and adversarial government hackers, the revelations of the U.S. government’s spying led to an uproar by Silicon Valley technology giants, whose systems in some cases had been unknowingly tapped by U.S. intelligence agencies. Silicon Valley collectively fought back, which helped peel back years of government-mandated secrecy and general obscurity around wiretapping.
In the years that followed, tech giants began encrypting as much customer data as they could, realizing that the companies could not be compelled to turn over customer data that they could not access themselves (although some untested legal exceptions still exist). The tech giants, who were once accused of facilitating U.S. surveillance, began publishing “transparency reports” that detailed how many times the companies were forced to turn over a customer’s data during a certain period of time.
While the tech companies began locking down their products so that outside snoops (and in some cases, even the tech companies themselves) could not access their customers’ data, phone and internet companies did little to encrypt their own customers’ phone and internet traffic. As such, much of the United States’ internet and phone traffic remains available to wiretaps under CALEA.
It’s not just the United States that has an appetite for backdoors. Around the world, there remains an ongoing and persistent effort by governments to push legislation that undermines, skirts, or otherwise compromises encryption. Across the European Union, member states are working to legally require messaging apps to scan their citizens’ private communications for suspected child abuse material. Security experts maintain that there is no technology capable of achieving what the laws would demand without risking nefarious abuse by malicious actors.
Signal, the end-to-end encrypted messaging app, has been one of the most vocal critics of encryption backdoors, and cited the recent breach at U.S. internet providers by the Chinese as a reason why the European proposals pose a serious cybersecurity threat.
“There’s no way to build a backdoor that only the ‘good guys’ can use,” said Signal president Meredith Whittaker, writing on Mastodon.
Speaking of some of the more advanced proposals for backdoors that have come up in recent years, “CALEA should be regarded as a cautionary tale, not a success story, for backdoors,” said Blaze.