Crypto use to foil law enforcement?
I ran across this entry in the Congressional Record which discusses several
examples where encryption was discovered in the course of a law enforcement
investigation.
[Congressional Record: September 18, 1996 (Senate)][Page S10882-S10886]
[...]
Mr. GRASSLEY. Mr. President, I'm pleased that the Senate has passed
the economic espionage bill. This is an important measure that I believe
will save American business significant amounts of money. The theft of
confidential information from American businesses is a serious problem,
and this bill takes important steps in the right direction.
I am particularly pleased that the Senate has accepted the amendment
I offered with Senator Kyl. This amendment commissions the first-ever
study on the criminal misuse of encryption technologies. Under the
Grassley-Kyl amendment, court officers who prepare pre-sentencing
reports will include information on the use of encryption to conceal
criminal conduct, obstruct investigations, and commit crimes. The
sentencing commission will then collect and collate this information
and include it in its annual report to Congress.
In this way, I am hopeful that Congress and the executive branch will
have reliable data on whether the criminal misuse of encryption is
actually a problem and, if so, what response to this problem would be
appropriate.
As chairman of the Oversight Subcommittee on the Judiciary Committee,
I did an informal survey of state-level law enforcement concerning the
criminal misuse of encryption. This informal survey, while not
scientific, provides valuable insights into the actions of the criminal
element in our society.
Here are just some of the responses my subcommittee received.
In one case in which John Lucich of the New Jersey attorney
general's office was involved, a computer was seized pursuant to a
warrant in a serious assault case. Examination revealed that
approximately 20 percent of the hard drive files were encrypted.
Investigators sought the assistance of two different Federal agencies.
Both of these agencies were unsuccessful in decrypting the files.
Finally, a third Federal agency was successful in decrypting the files
after expending considerable resources. The decrypted files did not
contain evidence of the assault but rather contained evidence of child
pornography. The encryption type likely used was ``DES.''
And Officer Tim O'Neill of the Roseville, California Police
Department reported to the subcommittee that he participated in a
search involving a complaint against a subject who was on probation for
solicitation/annoyance of minors. The subject had a hidden encrypted
file on his personal computer. In the ``slack'' area at the end of the
file the officer found names, addresses, school, grade, and phone
numbers of 4-5 young teen girls. The encryption type used was known as
``pincrypt.''
Officer Mike Menz of the same department advised the subcommittee
that he was working on a joint State/Federal major check fraud case
where part of the potential evidence was encrypted.
Ivan Ortman, a senior prosecutor in Seattle, Washington, encountered
some encrypted files and password protection in a cellular phone fraud
investigation. For a number of files the popular and inexpensive
``PGP'' type of encryption was used. Orton indicated that no effort was
even made to examine the files as the police could not locate any
method for ``cracking that encryption.''
In other words, why try since such an effort is certain to be futile.
Surely a rational society should look long and hard at this situation.
Agent Chuck Davis of the Colorado Bureau of Investigation reported to
the subcommittee that he has encountered encryption as well as password
protection problems. In one embezzlement case, a computer system was
seized. Examination revealed that files on the hard disk were
encrypted. The software manufacturers were contacted and the technical
personnel who wrote the program advised that, ``they had left no `back
door' access to the product as this would adversely impact sales. The
hallmark of the program's appeal is that it cannot be broken, even by
those who created it.'' Agent Davis advised that his investigation was
``halted'' due to the time and expense of a ``brute force attack''. The
encryption program used was entitled ``watchdog.''
Agent Davis also advised the subcommittee that password protection
also presents problems for other types of investigators. In cases
involving theft of drugs from an emergency room by a doctor, bribery/
extortion by a police officer, and the suicide by an 11 year-old boy
after telling friends that he had been molested by a family friend,
investigators encountered password protection. The first two cases were
successfully resolved through assistance from the manufacturer of the
software.
The third case, however, especially illustrates the seriousness of
decryption problems--determining the unique key or in this case,
password from a large number of possibilities. According to Agent
Davis, a mere 4 character password has 1.9 million possibilities due to
the number of keyboard characters. Can you imagine how difficult it
must be to figure a short, 4 character password? What if the password
were 10 characters or 20 or more? It's easy to see why criminals are
moving toward password protection for their records.
--
Greg Broiles
[email protected]
510-986-8779 voice
510-986-8777 fax