NewMedia article, April 1994
Just got this in the mail, and flipping through it I saw a decent article
(with quotes from our own prolific Tim May!). Any mistakes are probably
OCR errors -- it's 3am and time to go to bed. _You_ proof it!
Privacy in the Digital Age
by Curtis Lang
NewMedia, April 1994
Welcome to the digital frontier, where network by network, metaphor by
metaphor, a splendid, global, multimedia palace is being built through
trial and error. You won't need to take a long and winding road to this
frontier, though, it's coming soon to your home. You'll know it has arrived
when you can read messages on your telephone, have a dialogue with your
television and watch beautiful movies on your PC.
AT&T has already established a giant encampment on this digital frontier,
and it is now concentrating on building a virtual community. In
advertisements, the company paints seductive pictures of fully wired--and
wireless--consumers interacting in the cyberspace equivalent of
Hemingway's clean, well-lighted place. A happy couple in a jumbo kitchen
uses a computerized telephone to take and receive electronic messages and
make reservations for the ball game. A nomadic businessman in an airport
shuttle bus tells his PDA how much he's willing to spend on a used car for
his son, what makes he prefers and the maximum acceptable mileage. He
sends his PDA on a shopping trip around the region with a single touch. It
all sounds thrilling--empowering for consumers and businesses alike. But
in the 21st-century world of interactive television, broadband Internet
access and ubiquitous multipurpose communications gizmos, every
message you send and each dollar you spend could be an unbidden
messenger as well. Electronic traces of your passage will remain in data
banks of cable, telephone and on-line service providers. And the
government wants to install a trap door in software and hardware used to
encrypt messages and data from medical smart cards, IRS records, digital
cash transfers and plain old e-mail. These databases will be digital gold in
the world of direct marketing, where vendors and advertisers will tailor
special offers to individuals based upon this information and deliver
coupons that will issue from your smart cable TV set-top box. What's to
prevent unscrupulous third parties--or underpaid government workers with
access to the software trap door--from obtaining information that could be
used to harm consumers? Not much, judging from stories like that of
black-data buccaneer Al Schweitzer, who bought and sold confidential
government files for a living (see "Penetrating Uncle Sam's Data," page
68). Unless government agencies, infrastructure suppliers, software
wizards and producers of programming can guarantee privacy in the
rapidly expanding web of cyberspace, it may be impossible for the trust
upon which a virtual community depends to develop sufficiently to make
the grand digital experiment a success. Without this assurance there will
be no secure business communications, and the kind of transactional data
that is currently gathered by insurance firms, credit companies and banks
might fall into the hands of anyone with the skills to track it across the
global network. Security of transactions over cable networks is already a
concern to American consumers, according to surveys by Viacom Cable
and others. And the lack of secure transaction methods may already be
hampering buying and selling via modem. Consumers' unwillingness to
put it on their Visa when traveling in cyberspace has slowed public
acceptance of such services as American Airlines' Easy Sabre ticket
service, available on Prodigy, America Online and other on-line services.
Consumers, like businesses, are eager to take advantage of the digital
highway, but they are leery of financial data and other sensitive
information falling into the wrong hands.
ENCRYPTION MAY BE THE KEY
When you make a phone call or send a letter, you can be fairly certain that
the contents of your communications will remain private. Such trust
makes our postal and phone systems possible. AT&T hopes to give
customers that same sense of security about wireless communications. It is
the first company to implement General Magic's new Telescript
communications software in its PersonaLink Services, which will be the
foundation for AT&T's multimedia web of services that include smart
messaging, electronic shopping and custom news delivery. "Telescript...is
a technology which creates something called agent-based
communication," explained Marc Porat, chairman and CEO of General
Magic, at a winter conference on electronic consumer appliances in New
York. Such software agents will be able to travel throughout wired and
wireless networks searching for information, like-minded individuals or
bargain prices on PCs. Agents will act as your virtual doorman, your
e-mail bozo filter, tossing mail on subjects you nix into the trash. "General
Magic is a really good idea," contends Jerry Michalski of the industry
newsletter, Release 1.0. "You can create a little agent that...[will] go out
there and look for things for you. Let's say you're a stamp collector--it can
look for a particular kind of stamp, or a bubble-gum card or whatever, and
maybe even buy the thing for you automatically. Now, gosh, you're
putting that up on AT&T's network. They could find out within very small
fractions of activity what you're doing, what your preferences are, what
kind of agents you've decided to broadcast into the world. So you're only
going to do that if you have some kind of confidence that they're not
going to misuse that information." To that end, AT&T and General Magic
intend to set up "trusted spaces," secure virtual meeting rooms where your
agent can meet with another agent, representing a vendor or an individual,
and communicate, shop, cut deals or consummate business transactions
free from prying software. But what about the security of these networks?
And how will you know the identity of the entity lurking behind the
virtual agent that your virtual agent is schmoozing up in supposedly secure
cyberspace? "Most wireless communications systems are security
nightmares," says Jim Bidzos, president of RSA Data Security Inc., a
giant in the global cryptography business. "They have no real encryption,
no authentication.... General Magic realized that for a lot of people,
wireless services of any kind simply can't be trusted. So they built RSA
encryption and authentication services right into the foundation of
Telescript and Magic Cap [the interface for General Magic's PDA]."
A DIFFERENT VIEW
Advocates of civil liberties such as the cypherpunks, the grassroots
encryption experts who have developed widely distributed personal
encryption shareware for e-mail, worry that even in such a
security-conscious system, the government will find a way to snoop. They
see alternatives to AT&T's vision of tomorrow. "The issue of digital
money is going to be key," argues Tim May, "so that people can buy
access codes." May, formerly a physicist with Intel and one of the most
visible cypherpunks, envisions a future in which digital cash is used for
most transactions. In such a system encryption schemes would be floating
through the computer community that could make most financial
transactions virtually untraceable. "Imagine a satellite dish on your roof,"
he continues. "You decide to buy an X-rated movie, and you don't want
records kept of that on your monthly bill. [There will be] mechanisms by
which you can buy 'coupons' that are usable on a one-time basis to decrypt
a packet, and the vendor of the service--say, the seller of the X-rated
movie--has no idea that you, in particular, are decrypting his packet. I
think that'll be essential."
DO YOU TRUST UNCLE SAM?
After months of review, during which a torrent of digital complaints
flooded the White House from multinational corporations, the Software
Publishers Association, cypherpunks and civil libertarians, President
Clinton announced that he wants the National Security Agency (NSA) to
implement secret standards for encryption to be used in computerized
communications systems to facilitate e-mail surveillance. The
Computer Security Act of 1987 mandated that the National Institute of
Standards and Technology (NIST), a civilian agency, develop appropriate
standards for digital communications networks. At the time it was clear
that there would be a need for digital envelopes (cryptography), digital
signatures and other technologies to provide security and enable legally
enforceable digital transactions on the Internet, and eventually across
fiber-optic cables and wireless systems connected to telephones,
computers, TVs and PDAs. However, during the Bush administration, a
series of executive orders placed authority for developing those standards
in the hands of the NSA, America's largest and most secretive spy
organization, which has a checkered history that includes large-scale
illegal surveillance of Americans. Thus it was no surprise that the agency's
proposal to provide digital encryption systems focused on easy wiretap
surveillance rather than privacy, security and other civilian needs. The
NSA produced a 64-bit encryption algorithm, classified "Secret" and
called Skipjack. The NSA declined to make the algorithm public,
prompting concern that, given the NSA's track record, there might be a
"trap door" in Skipjack that would allow secret surveillance of all
Skipjack-encoded messages. In April 1993, the White House outlined
plans for a microcircuit called the Clipper chip, which would scramble
telephone conversations. Each chip, encoded with Skipjack, would
generate an encryption session key, a chip unique key and a chip family
key, all of which are sent to the receiver. The White House asks users to
register their chip unique key with the government, which will then split
each key into two parts and "escrow" the parts with two different
agencies, so that law enforcement agencies can unscramble suspects'
messages.
SURVEILLANCE ON THE UPSWING
The White House claims that the system would be used by government
officials with legal authorization to conduct wiretaps and thus represents
no intensification of government surveillance. But in NIST's letter inviting
five hand-picked cryptography experts to do a quick survey of Skipjack,
the agency says that key components will be made available "only to
authorized government officials under proper legal authorizations, usually
a court order." They said usually, not always. The distinction was not
accidental. For the last several years, the FBI has been increasing its
surveillance of all Americans at a dizzying pace as part of a
mind-boggling expansion of its powers and activities. This includes
increased access to computerized data on Americans, which now often no
longer requires a court order to be accessed. The Bush average of 332
wiretap applications per year was double that of the Reagan
administration, and state agencies' wiretaps also increased during the Bush
years. Despite the rapid increase of such requests, wiretaps are far from
widespread, and according to the June 1993 issue of the Privacy Journal,
the FBI has publicized no instances in which its investigations were
hampered because a suspect had used encrypted e-mail or other digital
security devices. The Clinton administration asked for an amendment to
the Fair Credit Reporting Act that would allow the FBI to obtain credit
information, without a court order, by issuing a "national security letter."
The rationale is that although the FBI has access to your bank records, it
will not know which banks' records to obtain without ready access to your
credit reports, as David MacMichael reports in the National Security
Alumni Association Magazine, Unclassified (October/November 1993).
OPERATION ROOT CANAL
Meanwhile, the FBI continues to move forward with "Operation Root
Canal," also known as the 1992 Digital Telephony Proposal, which
encourages service and equipment providers to design their computerized
systems in such a way that the government can easily "obtain the plain
text contents of voice, data and other communications," according to FBI
memoranda obtained by the nonprofit Computer Professionals for Social
Responsibility (CPSR) from the Commerce Department in November of
last year. The threat of the Digital Telephony Proposal to
telecommunications companies is very real. CPSR reported that Rep. Jack
Brooks, a Texas Democrat, said that Root Canal "could obstruct or distort
telecommunications technology development by limiting fiber optic
transmission, ISDN, digital cellular services and other technologies until
they are modified...and could impair the security of business
communications...could facilitate not only lawful government
interception, but unlawful interception by others [and] could impose on
industries' ability to offer new services and technologies." And the NSA,
which oversees export-control regulations of weapons of war--including
encryption products--has signaled its intent to prevent grassroots
cryptography from enlisting enough users to constitute a de facto standard.
Recently Phil Zimmermann, the creator of Pretty Good Privacy, a popular
and widely available piece of encryption shareware, was busted for
export-control violations (see "Penetrating Uncle Sam's Data," below).
After all, if everyone has access to encryption techniques, when law
enforcement agencies decrypt the Skipper algorithm on someone's
intercepted message, they'll find a secondary layer of encryption that
could be more difficult to crack. That would render Skipjack pointless;
some Clinton critics worry that the logical outcome of Skipjack
implementation will be the criminalization of other forms of encryption.
Never mind the implications for secure business communications. With a
government-imposed Skipjack standard, the feds would be able to do
something they have never been able to do before--easily conduct mass
surveillance.
THE RIGHT TO PRIVACY
"No right of private conversation was enumerated in the Constitution,"
said Sun Microsystems' Whitfield Diffie, one of the pioneers of modern
civilian encryption, in June 1993 testimony before the House
Subcommittee on Telecommunications and Finance. "I don't suppose it
occurred to anyone at the time that it could be prevented. Now, however,
we are on the verge of a world in which electronic communication is both
so good and so inexpensive that intimate business and personal
relationships will flourish between parties who can, at most, occasionally
afford the luxury of traveling to visit each other. If we do not accept the
right of these people to protect the privacy of their communication, we
take a long step in the direction of a world in which privacy will belong
only to the rich." Canada and most European countries regulate public and
private data collection. By contrast, direct marketers and credit and
insurance companies in the United States are able to obtain large amounts
of data about the buying habits and lifestyles of most citizens. U.S. law
provides no redress for the individual who complains of privacy
violations, other than the right to sue the violator. That great amounts of
information are being gathered about each of us is hardly news. And the
evidence that privacy has become a commodity has been accumulating for
years. Want an unlisted number? You pay for it. Want to restrict direct
marketers' ability to target you over cable TV? You may pay again. "If
you don't want to be intruded on at home, don't have a home phone,"
advises Esther Dyson, a policy consultant on all things digital for the
Clinton administration. "Which is what I do. If you really are worried
about this, take action. That's very difficult on a lot of things, but people
sort of act like they're helpless, and they're not." Or, in the immortal
words of Count Niccolo Machiavelli, counselor of princes: "Only those
means of security are good, are certain, are lasting, that depend on
yourself and your own vigor." We have seen the future, where everyone
plays James Bond in the palatial network that composes tomorrow's
worldwide digital web. In such a world, the Count could become a
best-selling author again.
Matt Thomlinson Say no to the Wiretap Chip!
University of Washington, Seattle, Washington.
Internet: [email protected] phone: (206) 548-9804
PGP 2.2 key available via email or finger [email protected]