Earlier this year a group of researchers published a controversial idea for giving law enforcement access to suspicious electronic communications. Instead of forcing tech companies like Facebook and Google to build backdoors into their software, the researchers suggested law enforcement simply exploit existing vulnerabilities in Web software to plant their digital wiretaps.

This approach would turn security-compromising software bugs—a bane of software companies and their customers for the past couple of decades—into a tool for gathering evidence against criminals communicating via voice-over-IP (VoIP) calls, instant messaging, some video game systems and other Internet-based channels. Although the researchers made clear that the FBI and other agencies should obtain a court order before placing their digital wiretaps, the proposal raises more than a few thorny legal questions. For example, would law enforcement be obligated to report the presence of software vulnerabilities it finds to software companies prior to exploiting those flaws?

The authors of this proposal are now working on a new paper examining the appropriate policy and legal framework for the approach they first described in the January/February issue of IEEE Security & Privacy. On June 7 Steven Bellovin, Matt Blaze and Susan Landau will present their latest research to the Privacy Law Scholars Conference, hosted by the University of California, Berkeley, School of Law and The George Washington University Law School. Their workshop session is entitled “Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet.” (Sandy Clark, a PhD candidate in the University of Pennsylvania’s Distributed Systems Laboratory, also contributed to the research as a co-author but will not attend the conference.)

Reaction to the original paper, entitled “Going Bright: Wiretapping without Weakening Communications Infrastructure,” (pdf) has been mixed as law enforcement and Internet companies wait to see whether the White House or Congress acts on the idea that spawned the researchers’ proposal. The FBI, concerned that criminals will go “dark” by hiding their communications using VoIP via Skype and other decentralized Internet services, has since 2010 advocated that Congress expand the scope of the 1994 Communications Assistance for Law Enforcement Act (CALEA). Whereas CALEA requires that switches in digital telephone networks be built wiretap-enabled, the FBI wants to extend such requirements to Internet Protocol (IP)–based communications. The feds also want the companies that provide those IP communications to offer easy access for implementing wiretaps or face a fine for not doing so.

“Going Bright” points out that outdated interception schemes such as CALEA won’t translate well to the Internet because the law was written with centralized phone switching networks in mind. The Internet, however, relies on a much more distributed, complicated peer-to-peer architecture that requires a rethinking of how communications are intercepted. The paper concludes that asking software companies to give law enforcement easy access to their code would create backdoors that criminals could use to pilfer information or infect network software with malware.

As an alternative, law enforcement should search for vulnerabilities that already exist in the most popular Web browsers, operating systems and other software. These vulnerabilities would serve as the means to insert wiretapping software onto a suspect’s computer or mobile device. Landau points out that Web wiretapping would likely be a two-step process. Law enforcement would first obtain a court order for permission to probe a suspect’s devices to find out what software they’re running and what might be exploitable. A second court order would then be needed for permission to actually find a way in and install the wiretap. Even if the flaw in the browser or OS is later fixed, the wiretap would already be in place. Friday’s legal workshop is a way of determining the legality and feasibility of such an approach.

As it stands, the FBI will not likely back the “going bright” strategy while an expansion to CALEA is on the table, says Landau, a former Sun Microsystems distinguished engineer who now consults in the areas of cybersecurity, privacy and public policy. She likewise acknowledges that Internet communications providers are not likely to embrace her team’s plan “because it would mean acknowledging they have problems in the software they write.” Such problems are inevitable, however. “Of course, no large, complex program is without vulnerabilities,” she adds.

Skeptics say that much more scrutiny is necessary for a proposal as unorthodox as “Going Bright.” The idea appears to be trading the deliberate and controlled access that the FBI has been proposing for an approach that is much less predictable and more difficult to control, says Stewart Baker, a partner at Steptoe & Johnson, LLP, and former assistant secretary for policy at the U.S. Department of Homeland Security. “They’re saying, if the stuff is already insecure, than what’s one more insecurity?”

Baker notes a few areas that need clarification: Would the FBI buy black market software—much like cyber criminals already do—to carry out their Web wiretaps? Should the FBI share the software exploits it buys or develops with other federal agencies—such as the Secret Service—that also do wiretapping? And at what point does the government inform the software companies about any vulnerabilities discovered?

Another issue that Baker says needs to be examined: What happens when the bad guys under surveillance find the government’s malware, reverse engineer it and use it for their own purposes? “It’s almost as though [the researchers are] saying that to avoid one or two law enforcement–generated private hacks, we want a world full of them,” he says.