TEMPEST Paper by Former Civilian (2/2)
- To: [email protected]
- Subject: TEMPEST Paper by Former Civilian (2/2)
- From: [email protected] (Anonymous)
- Date: Sat, 11 Feb 95 16:40:03 PST
- Comments: This message did not originate from the above address. It was automatically remailed by an anonymous mail service. Please report inappropriate use to <[email protected]>
- Sender: [email protected]
IV. CANADIAN LAW
Canada has taken direct steps to limit eavesdropping on
computers. The Canadian Criminal Amendment Act of 1985
_____________________
22. Interception of Communications Act 1985 1, Prohibition on
Interception:
(1) Subject to the following provisions of this section, a
person who intentionally intercepts a communication in the
course of its transmission by post or by means of a public
telecommunications system shall be guilty of an offence and
liable--
(a) on summary conviction, to a fine not exceeding the
statutory maximum;
(b) on conviction on indictment, to imprisonment for a
term not exceeding two years or to a fine or to both.
***
23. Tapping (aka trespassatory eavesdropping) is patently in
violation of the statute. "The offense created by section 1 of
the Interception of Communications Act 1985 covers those forms of
eavesdropping on computer communications which involve "tapping"
the wires along which messages are being passed. One problem
which may arise, however, is the question of whether the
communication in question was intercepted in the course of its
transmission by means of a public telecommunications system. It
is technically possible to intercept a communication at several
stages in its transmission, and it may be a question of fact to
decide the stage at which it enters the "public" realm." THE LAW
COMMISSION, WORKING PAPER NO. 110: COMPUTER MISUSE, 3.30 (1988).
24. "There are also forms of eavesdropping which the Act does
not cover. For example, eavesdropping on a V.D.U. [referred to
in this text as a CRT] screen by monitoring the radiation field
which surrounds it in order to display whatever appears on the
legitimate user's screen on the eavesdropper's screen. This
activity would not seem to constitute any criminal offence..."
THE LAW COMMISSION, WORKING PAPER NO. 110: COMPUTER MISUSE, 3.31
(1988).
<New Page>
criminalized indirect access to a computer service.[25] The
specific reference to an "electromagnetic device" clearly
shows the intent of the legislature to include the use of
TEMPEST ELINT equipment within the ambit of the legislation.
The limitation of obtaining "any computer service" does
lead to some confusion. The Canadian legislature has not
made it clear whether "computer service" refers to a
computer service bureau or merely the services of a
computer. If the Canadians had meant access to any
computer, why did they refer to any "computer service"?
This is especially confusing considering the all-encompassing
language of (b) 'any function of a computer
system'.
Even if the Canadian legislation criminalizes
eavesdropping on all computers, it does not solve the
problem of protecting the privacy of information. The
purpose of criminal law is to control crime.[26] Merely
making TEMPEST ELINT illegal will not control its use.
First, because it is an inherently passive crime it is
impossible to detect and hence punish. Second, making this
form of eavesdropping illegal without taking a proactive
stance in controlling compromising emanations gives the
public a false sense of security. Third, criminalizing the
possession of a TEMPEST ELINT device prevents public sector
research into countermeasures. Finally, the law will not
prevent eavesdropping on private information held in company
computers unless disincentives are given for companies that
do not take sufficient precautions against eavesdropping and
simple, more common, information crimes.[27]
_____________________
25. 301.2(1) of the Canadian criminal code states that anyone
who:
... without color of right,
(a) obtains, directly or indirectly, any computer service,
(b) by means of an electromagnetic ... or other device,
intercepts or causes to be intercepted, either directly or
indirectly, any function of a computer system ... [is guilty of
an indictable offence].
26. UNITED STATES SENTENCING COMM'N, FEDERAL SENTENCING
GUIDELINES MANUAL (1988) (Principles Governing the Redrafting of
the Preliminary Guidelines "g." (at an unknown page))
27. There has been great debate over what exactly is a computer
crime. There are several schools of thought. The more
articulate school, and the one to which the author adheres, holds
that the category computer crime should be limited to crimes
directed against computers; for example, a terrorist destroying a
computer with explosives would fall into this category. Crimes
such as putting ghost employees on a payroll computer and
<New Page>
V. SOLUTIONS
TEMPEST ELINT is passive. The computer or terminal
emanates compromising radiation which is intercepted by the
TEMPEST device and reconstructed into useful information.
Unlike conventional ELINT there is no need to physically
trespass or even come near the target. Eavesdropping can be
performed from a nearby office or even a van parked within a
reasonable distance. This means that there is no classic
scene of the crime; and little or no chance of the criminal
being discovered in the act.[28]
If the crime is discovered it will be ancillary to some
other investigation. For example, if an individual is
investigated for insider trading a search of his residence
may yield a TEMPEST ELINT device. The device would explain
how the defendant was obtaining insider information; but it
was the insider trading, not the device, that gave away the
crime.
This is especially true for illegal TEMPEST ELINT
performed by the state. Unless the perpetrators are caught
in the act there is little evidence of their spying. A
trespassatory bug can be detected and located; further, once
found it provides tangible evidence that a crime took place.
A TEMPEST ELINT device by its inherent passive nature leaves
nothing to detect. Since the government is less likely to
commit an ancillary crime which might be detected there is a
very small chance that the spying will ever be discovered.
The only way to prevent eavesdropping is to encourage the
use of countermeasures: TEMPEST Certified[29] computers and
_____________________
collecting their pay are merely age-old accounting frauds; today
the fraud involves a computer because the records are kept on a
computer. The computer is merely ancillary to the crime. This
has been mislabeled computer crime and should merely be referred
to as a fraud perpetrated with the aid of a computer. Finally,
there are information crimes. These are crimes related to the
purloining or alteration of information. These crimes are more
common and more profitable due to the computer's ability to hold
and access great amounts of information. TEMPEST ELINT can best
be categorized as an information crime.
28. Compare, for example, the Watergate break-in in which the
burglars were discovered when they returned to move a poorly
placed spread spectrum bug.
29. TEMPEST Certified refers to the equipment having passed a
testing and emanations regime specified in NACSIM 5100A. This
classified document sets forth the emanations levels that the NSA
believes digital equipment can give off without compromising the
information it is processing. TEMPEST Certified equipment is
theoretically secure against TEMPEST eavesdropping.
<New Page>
terminals.
In merely making TEMPEST ELINT illegal the public is
given the false impression of security; they are lulled into
believing the problem has been solved. Making certain
actions illegal does not prevent them from occurring. This
is especially true for TEMPEST ELINT because it is
undetectable. Punishment is an empty threat if there is no
chance of being detected; without detection there can be no
apprehension and conviction. The only way to prevent some
entity from eavesdropping on one's computer or computer
terminal is for the equipment not to give off compromising
emanation; it must be TEMPEST Certified.
The United States can solve this problem by taking a
proactive stance on compromising emanations. The National
Institute of Standards and Technology (NIST[30]) is in charge
of setting forth standards of computer security for the
private sector. NIST is also charged with doing basic
research to advance the art of computer security. Currently
NIST does not discuss TEMPEST with the private sector. For
privacy's sake, this policy must be changed to a proactive
one. The NIST should publicize the TEMPEST ELINT threat to
computer security and should set up a rating system for
level of emanations produced by computer equipment.[31]
Further, legislation should be enacted to require the
labeling of all computer equipment with its level of
emanations and whether it is TEMPEST Certified. Only if the
public knows of the problem can it begin to take steps to
solve it.
Title III makes possession of a surveillance device a
crime, unless it is produced under contract to the
government. This means that research into surveillance and
counter-surveillance equipment is monopolized by the
government and a few companies working under contract with
_____________________
NACSIM 5100A is classified, as are all details of TEMPEST.
To obtain access to it, a contractor must prove that there is
demand within the government for the specific type of equipment
that it intends to certify. Since the standard is classified, the
contractors cannot sell the equipment to non-secure governmental
agencies or the public. This prevents reverse engineering of the
standard from its physical embodiment, the Certified equipment.
By preventing the private sector from owning this anti-
eavesdropping equipment, the NSA has effectively prevented
them from protecting the information in their computers.
30. Previously the Bureau of Standards. The NIST is a division
of the Commerce Department.
31. In this case computer equipment would include all peripheral
computer equipment. There is no use in using a TEMPEST Certified
computer if the printer or the modem are not Certified.
<New Page>
the government. If TEMPEST eavesdropping is criminalized,
then possession of TEMPEST ELINT equipment will be criminal.
Unfortunately, this does not solve the problem. Simple
TEMPEST ELINT equipment is easy to make. For just a few
dollars many older television sets can be modified to
receive and reconstruct EMR. For less than a hundred
dollars a more sophisticated TEMPEST ELINT receiver can be
produced[32].
The problem with criminalizing the possession of
TEMPEST ELINT equipment is not just that the law will have
little effect on the use of such equipment, but that it will
have a negative effect on counter-measures research. To
successfully design counter-measures to a particular
surveillance technique it is vital to have a complete
empirical understanding of how that technique works.
Without the right to legally manufacture a surveillance
device there is no possible way for a researcher to have the
knowledge to produce an effective counter-measures device.
It is axiomatic: without a surveillance device, it is
impossible to test a counter-measures device.
A number of companies produce devices to measure the
emanations from electrical equipment. Some of these devices
are specifically designed for bench marking TEMPEST
Certified equipment. This does not solve the problem. The
question arises: how much radiation at a particular
frequency is compromising? The current answer is to refer
_____________________
32. The NSA has tried to limit the availability of TEMPEST
information to prevent the spread of the devices.
For a discussion of the First Amendment and prior restraint
See, e.g. The United States of America v. Progressive, Inc. 467
F.Supp 990 (1979, WD Wis.)(magazine intended to publish plans for
nuclear weapon; prior restraint injunction issued), reh. den.
United States v. Progressive Inc. 486 F.Supp 5 (1979, WD Wis.),
motion den Morland v. Sprecher 443 US 709 (1979)(mandamus),
motion denied United States v. Progressive, Inc. 5 Media L R
(1979, 7th Cir.), dismd. without op. U.S. v. Progressive, Inc 610
F.2d 819 (1979, 7th Cir.); New York Times, Co. v. United States,
403 U.S. 713 (1971)(per curiam)(Pentagon Papers case: setting
forth prior restraint standard which government was unable to
meet); T. EMERSON, THE SYSTEM OF FREEDOM OF EXPRESSION (1970);
Balance Between Scientific Freedom and National Security, 23
JURIMETRICS J. 1 (1982)(current laws and regulations limiting
scientific and technical expression exceed the legitimate needs
of national security); Hon. M. Feldman, Why the First Amendment
is not Incompatible with National Security, HERITAGE FOUNDATION
REPORTS (Jan. 14, 1987). Compare Bork, Neutral Principles and
Some First Amendment Problems, 47 IND. L. J. 1 (First Amendment
applies only to political speech); G. Lewy, Can Democracy Keep
Secrets, 26 POLICY REVIEW 17 (1983)(endorsing draconian secrecy
laws mirroring the English system).
<New Page>
to NACSIM 5100A. This document specifies the emanations
levels suitable for Certification. The document is only
available to United States contractors having sufficient
security clearance and an ongoing contract to produce
TEMPEST Certified computers for the government. Further,
the correct levels are specified by the NSA and there is no
assurance that, while these levels are sufficient to prevent
eavesdropping by unfriendly operatives, equipment certified
under NACSIM 5100A will have levels low enough to prevent
eavesdropping by the NSA itself.
The accessibility of supposedly correct emanations
levels does not solve the problem of preventing TEMPEST
eavesdropping. Access to NACSIM 5100A limits the
manufacturer to selling the equipment only to United States
governmental agencies with the need to process secret
information.[33] Without the right to possess TEMPEST ELINT
equipment manufacturers who wish to sell to the public
sector cannot determine what a safe level of emanations is.
Further those manufacturers with access to NACSIM 5100A
should want to verify that the levels set out in the
document are, in fact, low enough to prevent interception.
Without an actual eavesdropping device with which to test,
no manufacturer will be able to produce genuinely
uncompromising equipment.
Even if the laws allow ownership of TEMPEST Certified
equipment by the public, and even if the public is informed
of TEMPEST's threat to privacy, individuals' private
information will not necessarily be protected. Individuals
may choose to protect their own information on their own
computers. Companies may choose whether to protect their
own private information. But companies that hold the
private information of individuals must be forced to take
steps to protect that information.
In England the Data Protection Act 1984[34] imposes
sanctions against anyone who stores the personal
information[35] on a computer and fails to take reasonable
_____________________
33. For example, the NSA has just recently allowed the Drug
Enforcement Agency (DEA) to purchase TEMPEST Certified computer
equipment. The DEA wanted secure computer equipment because
wealthy drug lords were using TEMPEST eavesdropping
equipment.
34. An Act to regulate the use of automatically processed
information relating to individuals and the provision of services
in respect of such information.
-Data Protection Act 1984, Long Title.
35. "Personal data" means data consisting of information which
relates to a living individual who can be identified from that
<New Page>
measures to prevent disclosure of that information. The act
mandates that personal data may not be stored in any
computer unless the computer bureau or data user[36] has
registered under the act.[37] This provides for a central
registry and the tracking of which companies or persons
maintain databases of personal information. Data users and
bureaux must demonstrate a need and purpose behind their
possession of personal data.
The act provides tort remedies to any person who is
damaged by disclosure of the personal data.[38] Reasonable
care to prevent the disclosure is a defense.[39] English
_____________________
information (or from that and other information in the possession
of the data user), including any expression of opinion about the
individual but not any indication of the intentions of the data
user in respect of that individual.
-Data Protection Act 1984 1(3)
36. "Data user" means a person who holds data, and a person
"holds" data if --
(a) the data form part of a collection of data processed or
intended to be processed by or on behalf of that person as
mentioned in subsection (2) above; [subsection (2) defines
"data"] and
(b) that person (either alone or jointly or in common with
other persons) controls the contents and use of the data
comprised in the collection; and
(c) the data are in the form in which they have been or are
intended to be processed as mentioned in paragraph (a) above
or (though not for the time being in that form) in a form
into which they have been converted after being so processed
and with a view to being further so processed on a
subsequent occasion.
- Data Protection Act 1(5).
37. Data Protection Act 1984, 4,5.
38. An individual who is the subject of personal data held by a
data user... and who suffers damage by reason of (1)(c) ... the
disclosure of the data, or access having been obtained to the
data without such authority as aforesaid shall be entitled to
compensation from the data user... for any distress which the
individual has suffered by reason of the ... disclosure or
access.
- Data Protection Act 1984 23.
39. ... it shall be a defense to prove that ... the data user
... had taken such care as in all the circumstances was
reasonably required to prevent the... disclosure or access in
question.
Data Protection Act 1984 23(3)
<New Page>
courts have not yet ruled what level of computer security
measures constitute reasonable care. Considering the
magnitude of invasion possible with TEMPEST ELINT it should
be clear by now that failure to use TEMPEST Certified
equipment is prima facie unreasonable care.
The Remedies section of the act provides incentive for
these entities to provide successful protection of personal
data from disclosure or illicit access. Failure to protect
the data will result in monetary loss. This may be looked
at from the economic efficiency viewpoint as allocating the
cost of disclosure to the persons most able to bear those
costs, and also most able to prevent disclosure. Data users
that store personal data would use TEMPEST Certified
equipment as part of their computer security plan, thwarting
would-be eavesdroppers.
The Data Protection Act 1984 allocates risk to those
who can bear it best and provides an incentive for them to
keep other individuals' data private. This act should be
adopted by the United States as part of a full-spectrum plan
to combat TEMPEST eavesdropping. Data users are in the best
position to prevent disclosure through proper computer
security. Only by making them liable for failures in
security can we begin to rein in TEMPEST ELINT.
VII. RECOMMENDATIONS
Do not criminalize TEMPEST ELINT. Most crimes that
TEMPEST ELINT would aid, such as insider trading, are already
illegal; the current laws are adequate.
The National Institute of Standards and Technology
should immediately begin a program to educate the private
sector about TEMPEST. Only if individuals are aware of the
threat can they take appropriate precautions or decide
whether any precautions are necessary.
Legislation should be enacted to require all
electronic equipment to prominently display its level of
emanations and whether it is TEMPEST Certified. If
individuals are to choose to protect themselves they must be
able to make an informed decision regarding how much
protection is enough.
TEMPEST Certified equipment should be available to
the private sector. The current ban on selling to non-
governmental agencies prevents individuals who need to
protect information from having the technology to do so.
Possession of TEMPEST ELINT equipment should not be
made illegal. The inherently passive nature and simple
design of TEMPEST ELINT equipment means that making its
possession illegal will not deter crime; the units can be
easily manufactured and are impossible to detect. Limiting
their availability serves only to monopolize the
countermeasures research, information, and equipment for the
government; this prevents the testing, design and
<New Page>
manufacture of counter-measures by the private sector.
Legislation mirroring England's Data Protection Act
1984 should be enacted. Preventing disclosure of personal
data can only be accomplished by giving those companies
holding the data a reason to protect it. If data users are
held liable for their failure to take reasonable security
precautions they will begin to take reasonable security
precautions, including the use of TEMPEST Certified
equipment.