[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
TEMPEST Paper by Former Civilian (1/2)
- To: [email protected]
- Subject: TEMPEST Paper by Former Civilian (1/2)
- From: [email protected] (Anonymous)
- Date: Sat, 11 Feb 95 17:00:14 PST
- Comments: This message did not originate from the above address. It was automatically remailed by an anonymous mail service. Please report inappropriate use to <[email protected]>
- Sender: [email protected]
For those interested in TEMPEST, below is a draft paper written 5 years ago
by Christopher Seline. Mr Seline's new E-mail address ends with
"DOCKMASTER.NCSC.MIL", so any attempts to query him about TEMPEST are
guaranteed to go unanswered. I hope he still feels the same about TEMPEST
now that he has changed employers.
Date: Fri, 19 Jan 90 19:13:44 -0500
From: cjs%[email protected] (Christopher J. Seline ([email protected]))
The following is a prepublication draft of an article on TEMPEST. I am posting
it to this news group in the hope that it will:
(1) stimulate discussion of this issue;
(2) expose any technical errors in the document;
(3) solicit new sources of information;
(4) uncover anything I have forgotten to cover.
I will be unable to monitor the discussions of the article. Therefore, PLEASE
post your comments to the news group BUT SEND ME A COPY AT THE ADDRESS LISTED
BELOW.
I have gotten a number of mail messages about the format of this
article. Some explanation is in order: The numbered paragraphs
following "____________________" on each page are footnotes. I suggest
printing out the document rather than reading it on your CRT.
Thanks you in advance.
Christopher Seline
[email protected]
[email protected]
(c) 1990 Christopher J. Seline
=============================================================================
<Start Print Job>
<New Page>
Eavesdropping On
the Electromagnetic Emanations
of Digital Equipment:
The Laws of Canada,
England and the United States
This document is a rough
draft. The Legal
Sections are overviews.
T h e y w i l l b e
significantly expanded in
the next version.
We in this country, in this generation, are -- by
destiny rather than choice -- the watchmen on the
walls of world freedom.[1]
-President John F.
Kennedy
_____________________
1. Undelivered speech of President John F. Kennedy, Dallas
Citizens Council (Nov. 22, 1963) 35-36.
<New Page>
In the novel 1984, George Orwell foretold a future
where individuals had no expectation of privacy because the
state monopolized the technology of spying. The government
watched the actions of its subjects from birth to death. No
one could protect himself because surveillance and counter-
surveillance technology was controlled by the government.
This note explores the legal status of a surveillance
technology ruefully known as TEMPEST[2]. Using TEMPEST
technology the information in any digital device may be
intercepted and reconstructed into useful intelligence
without the operative ever having to come near his target.
The technology is especially useful in the interception of
information stored in digital computers or displayed on
computer terminals.
The use of TEMPEST is not illegal under the laws of the
United States[3], or England. Canada has specific laws
criminalizing TEMPEST eavesdropping but the laws do more to
hinder surveillance countermeasures than to prevent TEMPEST
surveillance. In the United States it is illegal for an
individual to take effective counter-measures against
TEMPEST surveillance. This leads to the conundrum that it
is legal for individuals and the government to invade the
privacy of others but illegal for individuals to take steps
to protect their privacy.
The author would like to suggest that the solution to
this conundrum is straightforward. Information on
_____________________
2. TEMPEST is an acronym for Transient Electromagnetic Pulse
Emanation Standard. This standard sets forth the official views
of the United States on the amount of electromagnetic radiation
that a device may emit without compromising the information it is
processing. TEMPEST is a defensive standard; a device which
conforms to this standard is referred to as TEMPEST Certified.
The United States government has refused to declassify the
acronym for devices used to intercept the electromagnetic
information of non-TEMPEST Certified devices. For this note,
these devices and the technology behind them will also be
referred to as TEMPEST; in which case, TEMPEST stands for
Transient Electromagnetic Pulse Surveillance Technology.
The United States government refuses to release details
regarding TEMPEST and continues an organized effort to censor the
dissemination of information about it. For example the NSA
succeeded in shutting down a Wang Laboratories presentation on
TEMPEST Certified equipment by classifying the contents of the
speech and threatening to prosecute the speaker with revealing
classified information. [cite coming].
3. This Note will not discuses how TEMPEST relates to the
Warrant Requirement under the United States Constitution. Nor
will it discuss the Constitutional exclusion of foreign nationals
from the Warrant Requirement.
<New Page>
protecting privacy under TEMPEST should be made freely
available; TEMPEST Certified equipment should be legally
available; and organizations possessing private information
should be required by law to protect that information
through good computer security practices and the use of
TEMPEST Certified equipment.
I. INTELLIGENCE GATHERING
Spying is divided by professionals into two main types:
human intelligence gathering (HUMINT) and electronic
intelligence gathering (ELINT). As the names imply, HUMINT
relies on human operatives, and ELINT relies on
technological operatives. In the past HUMINT was the sole
method for collecting intelligence.[4] The HUMINT operative
would steal important papers, observe troop and weapon
movements[5], lure people into his confidences to extract
secrets, and stand under the eavesdrip[6] of houses,
eavesdropping on the occupants.
As technology has progressed, tasks that once could
only be performed by humans have been taken over by
machines. So it has been with spying. Modern satellite
technology allows troop and weapons movements to be observed
with greater precision and from greater distances than a
human spy could ever hope to accomplish. The theft of
documents and eavesdropping on conversations may now be
performed electronically. This means greater safety for the
human operative, whose only involvement may be the placing
of the initial ELINT devices. This has led to the
ascendancy of ELINT over HUMINT because the placement and
_____________________
4. HUMINT has been used by the United States since the
Revolution. "The necessity of procuring good intelligence is
apparent & need not be further urged -- All that remains for me
to add is, that you keep the whole matter as secret as possible.
For upon Secrecy, Success depends in Most Enterprises of the
kind, and for want of it, they are generally defeated, however
well planned & promising a favorable issue." Letter of George
Washington (Jul. 26, 1777).
5. "... I wish you to take every possible pains in your powers,
by sending trusty persons to Staten Island in whom you can
confide, to obtain Intelligence of the Enemy's situation &
numbers -- what kind of Troops they are, and what Guards they
have -- their strength & where posted." Id.
6. Eavesdrip is an Anglo-Saxon word, and refers to the wide
overhanging eaves used to prevent rain from falling close to a
house's foundation. The eavesdrip provided "a sheltered place
where one could hide to listen clandestinely to conversation
within the house." W. MORRIS & M. MORRIS, MORRIS DICTIONARY OF
WORD AND PHRASE ORIGINS, 198 (1977).
<New Page>
monitoring of ELINT devices may be performed by a technician
who has no training in the art of spying. The gathered
intelligence may be processed by an intelligence expert,
perhaps thousands of miles away, with no need of field
experience.
ELINT has a number of other advantages over HUMINT. If
a spy is caught his existence could embarrass his employing
state and he could be forced into giving up the identities
of his compatriots or other important information. By its
very nature, a discovered ELINT device (bug) cannot give up
any information; and the ubiquitous nature of bugs provides
the principle state with the ability to plausibly deny
ownership or involvement.
ELINT devices fall into two broad categories:
trespassatory and non-trespassatory. Trespassatory bugs
require some type of trespass in order for them to function.
A transmitter might require the physical invasion of the
target premises for placement, or a microphone might be
surreptitiously attached to the outside of a window. A
telephone transmitter can be placed anywhere on the phone
line, including at the central switch. The trespass comes
either when it is physically attached to the phone line, or
if it is inductive, when placed in close proximity to the
phone line. Even microwave bugs require the placement of
the resonator cone within the target premises.[7]
Non-trespassatory ELINT devices work by receiving
electromagnetic radiation (EMR) as it radiates through the
aether, and do not require the placement of bugs. Methods
include intercepting[8] information transmitted by satellite,
microwave, and radio, including mobile and cellular phone
transmissions. This information was purposely transmitted
with the intent that some intended person or persons would
receive it.
Non-trespassatory ELINT also includes the interception
of information that was never intended to be transmitted.
All electronic devices emit electromagnetic radiation. Some
of the radiation, as with radio waves, is intended to
transmit information. Much of this radiation is not
intended to transmit information and is merely incidental to
_____________________
7. Pursglove, How Russian Spy Radios Work, RADIO ELECTRONICS,
89-91 (Jan 1962).
8. Interception is an espionage term of art and should be
differentiated from its more common usage. When information is
intercepted, the interceptor as well as the intended recipient
receive the information. Interception when not used as a term of
art refers to one person receiving something intended for someone
else; the intended recipient never receives what he was intended
to receive.
<New Page>
whatever work the target device is performing.[9] This
information can be intercepted and reconstructed into a
coherent form. With current TEMPEST technology it is
possible to reconstruct the contents of computer video
display terminal (VDU) screens from up to a kilometer
distant[10]; reconstructing the contents of a computer's
_____________________
9. There are two types of emissions, conducted and radiated.
Radiated emissions are formed when components or cables act as
antennas for transmit the EMR; when radiation is conducted along
cables or other connections but not radiated it is referred to as
"conducted". Sources include cables, the ground loop, printed
circuit boards, internal wires, the power supply to power line
coupling, the cable to cable coupling, switching transistors, and
high-power amplifiers. WHITE & M. MARDIGUIAN, EMI CONTROL
METHODOLOGY AND PROCEDURES, 10.1 (1985).
"[C]ables may act as an antenna to transmit the signals
directly or even both receive the signals and re-emit them
further away from the source equipment. It is possible that
cables acting as an antenna in such a manner could transmit the
signals much more efficiently than the equipment itself...A
similar effect may occur with metal pipes such as those for
domestic water supplies. ... If an earthing [(grounding)] system
is not installed correctly such that there is a path in the
circuit with a very high resistance (for example where paint
prevents conduction and is acting as an insulator), then the
whole earthing system could well act in a similar fashion to an
antenna. ... [For a VDU] the strongest signals, or harmonics
thereof, are usually between 60-250 MHz approximately. There
have however been noticeable exception of extremely strong
emissions in the television bands and at higher frequencies
between 450-800 MHz. Potts, Emission Security, 3 COMPUTER LAW
AND SECURITY REPORT 27 (1988).
10. The TEMPEST ELINT operator can distinguish between different
VDUs in the same room because of the different EMR
characteristics of both homo and heterogeneous units. "[T]here
is little comparison between EMR characteristics from otherwise
comparable equipment. Only if the [VDU] was made with exactly
the same components is there any similarity. If some of the
components have come from a different batch, have been updated in
some way, and especially if they are from a different
manufacturer, then completely different results are obtained. In
this way a different mark or version of the same [VDU] will emit
different signals. Additionally because of the variation of
manufacturing standards between counties, two [VDUs] made by the
same company but sourced from different counties will have
entirely different EMR signal characteristics...From this it way
be thought that there is such a jumble of emissions around, that
it would not be possible to isolate those from any one particular
source. Again, this is not the case. Most received signals have
<New Page>
memory or the contents of its mass storage devices is more
complicated and must be performed from a closer distance.[11]
The reconstruction of information via EMR, a process for
which the United States government refuses to declassify
either the exact technique or even its name[12], is not
limited to computers and digital devices but is applicable
to all devices that generate electromagnetic radiation.[13]
TEMPEST is especially effective against VDUs because they
produce a very high level of EMR.[14]
_____________________
a different line synchronization, due to design, reflection,
interference or variation of component tolerances. So that if
for instance there are three different signals on the same
frequency ... by fine tuning of the RF receiver, antenna
manipulation and modification of line synchronization, it is
possible to lock onto each of the three signals separately and so
read the screen information. By similar techniques, it is
entirely possible to discriminate between individual items of
equipment in the same room." Potts, supra note 9.
For a discussion of the TEMPEST ELINT threat See e.g.,
Memory Bank, AMERICAN BANKER 20 (Apr 1 1985); Emissions from Bank
Computer Systems Make Eavesdropping Easy, Expert Says, AMERICAN
BANKER 1 (Mar 26 1985); CRT spying: a threat to corporate
security, PC WEEK (Mar 10 1987).
11. TEMPEST is concerned with the transient electromagnetic
pulses formed by digital equipment. All electronic equipment
radiates EMR which may be reconstructed. Digital equipment
processes information as 1's and 0's--on's or off's. Because of
this, digital equipment gives off pulses of EMR. These pulses
are easier to reconstruct at a distance than the non-pulse EMR
given off by analog equipment. For a thorough discussion the
radiation problems of broadband digital information see e.g.
military standard MIL-STD-461 REO2; White supra note 9, 10.2.
12. See supra note 2.
13. Of special interest to ELINT collectors are EMR from
computers, communications centers and avionics. Schultz,
Defeating Ivan with TEMPEST, DEFENSE ELECTRONICS 64 (June 1983).
14. The picture on a CRT screen is built up of picture
elements (pixels) organized in lines across the screen. The
pixels are made of material that fluoresces when struck with
energy. The energy is produced by a beam of electrons fired from
an electron gun in the back of the picture tube. The electron
beam scans the screen of the CRT in a regular repetitive manner.
When the voltage of the beam is high then the pixel it is focused
upon emits photons and appears as a dot on the screen. By
selectively firing the gun as it scans across the face of the
CRT, the pixels form characters on the CRT screen.
<New Page>
ELINT is not limited to governments. It is routinely
used by individuals for their own purposes. Almost all
forms of ELINT are available to the individual with either
the technological expertise or the money to hire someone
with the expertise. Governments have attempted to
criminalize all use of ELINT by their subjects--to protect
the privacy of both the government and the population.
II. UNITED STATES LAW
In the United States, Title III of the Omnibus Streets
and Crimes Act of 1968[15] criminalizes trespassatory ELINT as
the intentional interception of wire communications.[16] As
originally passed, Title III did not prohibit non-
_____________________
The pixels glow for only a very short time and must be
routinely struck by the electron beam to stay lit. To maintain
the light output of all the pixels that are supposed to be lit,
the electron beam traverses the entire CRT screen sixty times a
second. Every time the beam fires it causes a high voltage EMR
emission. This EMR can be used to reconstruct the contents of
the target CRT screen. TEMPEST ELINT equipment designed to
reconstruct the information synchronizes its CRT with the target
CRT. First, it uses the EMR to synchronize its electron gun with
the electron gun in the target CRT. Then, when the TEMPEST ELINT
unit detects EMR indicating that the target CRT fired on a pixel,
the TEMPEST ELINT unit fires the electron gun of its CRT. The
ELINT CRT is in perfect synchronism with the target CRT; when the
target lights a pixel, a corresponding pixel on the TEMPEST ELINT
CRT is lit. The exact picture on the target CRT will appear on
the TEMPEST ELINT CRT. Any changes on the target screen will be
instantly reflected in the TEMPEST ELINT screen.
TEMPEST Certified equipment gives off emissions levels that
are too faint to be readily detected. Certification levels are
set out in National Communications Security Information
Memorandum 5100A (NACSIM 5100A). "[E]mission levels are
expressed in the time and frequency domain, broadband or narrow
band in terms of the frequency domain, and in terms of conducted
or radiated emissions." White, supra, note 9, 10.1.
For a thorough though purposely misleading discussion of
TEMPEST ELINT see Van Eck, Electromagnetic Radiation from Video
Display units: An Eavesdropping Risk?, 4 Computers & Security 269
(1985).
15. Pub. L. No. 90-351, 82 Stat. 197. The Act criminalizes
trespassatory ELINT by individuals as well as governmental
agents. cf. Katz v. United States, 389 U.S. 347 (1967) (Fourth
Amendment prohibits surveillance by government not individuals.)
16. 18 U.S.C. 2511(1)(a).
<New Page>
trespassatory ELINT,[17] because courts found that non-wire
communication lacked any expectation of p2IIIrivacy.[18] The
Electronic Communications Privacy Act of 1986[19] amended
Title III to include non-wire communication. ECPA was
specifically designed to include electronic mail, inter-
computer communications, and cellular telephones. To
accomplish this, the expectation of privacy test was
eliminated.[20]
As amended, Title III still outlaws the electronic
interception of communications. The word "communications"
indicates that someone is attempting to communicate
something to someone; it does not refer to the inadvertent
transmission of information. The reception and
reconstruction of emanated transient electromagnetic pulses
(ETEP), however, is based on obtaining information that the
target does not mean to transmit. If the ETEP is not
intended as communication, and is therefore not transmitted
in a form approaching current communications protocols, then
it can not be considered communications as contemplated by
Congress when it amended Title III. Reception, or
interception, of emanated transient electromagnetic pulses
is not criminalized by Title III as amended.
III. ENGLISH LAW
In England the Interception of Communications Act
1985[21] criminalizes the tapping of communications sent over
_____________________
17. United States v. Hall, 488 F.2d 193 (9th Cir. 1973) (found
no legislative history indicating Congress intended the act to
include radio-telephone conversations). Further, Title III only
criminalized the interception of "aural" communications which
excluded all forms of computer communications.
18. Willamette Subscription Television v. Cawood, 580 F.Supp
1164 (D. Or. 1984) (non-wire communications lacks any expectation
of privacy).
19. Pub. L. No. 99-508, 100 Stat. 1848 (codified at 18 U.S.C.
2510-710) [hereinafter ECPA].
20. 18 U.S.C. 2511(1)(a) criminalizes the interception of "any
wire, oral or electronic communication" without regard to an
expectation of privacy.
21. Interception of Communications Act 1985, Long Title, An Act
to make new provision for and in connection with the interception
of communications sent by post or by means of public
telecommunications systems and to amend section 45 of the
Telecommunications Act 1984.
<New Page>
public telecommunications lines.[22] The interception of
communications on a telecommunication line can take place
with a physical tap on the line, or the passive interception
of microwave or satellite links.[23] These forms of passive
interception differ from TEMPEST ELINT because they are
intercepting intended communication; TEMPEST ELINT
intercepts unintended communication. Eavesdropping on the
emanations of computers does not in any way comport to
tapping a telecommunication line and therefore falls outside
the scope of the statute.[24]
-------------------------------------------------------------------------
To find out more about the anon service, send mail to [email protected].
Due to the double-blind, any mail replies to this message will be anonymized,
and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to [email protected].