Guardian: Screw the Internet
--- begin forwarded text
X-Authentication-Warning: fma66.fma.com: majordomo set sender to
[email protected] using -f
X-Orig-From: rah-web <[email protected]>
X-Sender: [email protected]
Date: Sat, 20 Sep 1997 14:15:00 -0400
To: [email protected]
From: Robert Hettinga <[email protected]>
Subject: Guardian: Screw the Internet
Sender: [email protected]
Reply-To: [email protected]
This mail is brought to you by the e$pam mailing list
From: rah-web <[email protected]>
Reply-To: [email protected]
To: Robert Hettinga <[email protected]>
Subject: Guardian: Screw the Internet
Content-Type: text/plain; charset=us-ascii; name="874505219-crypt.html"
Content-Disposition: inline; filename="874505219-crypt.html"
X-MIME-Autoconverted: from 8bit to quoted-printable by lbo.leftbank.com id
Spooks on both sides of the Atlantic are intent on retaining their
power to monitor the world's telecoms traffic, writes Duncan Campbell
Screw the Internet
INTELLIGENCE AGENCIES in the US have stepped up their campaign to
control the flow of information over the Internet, counterattacking
an unholy alliance of civil libertarians and business chiefs who back
the introduction of secure encryption technologies to protect
personal privacy and commercial data online. Last Thursday in
Congress, lobbying by the FBI and the National Security Agency won
amendments to a draft pro-encryption law known as Safe (Security and
Freedom through Encryption). The House Intelligence Committee
replaced rights to sell effective encryption systems to the world
with regulations to ban even US citizens from using them. The
agencies and their political backers are now demanding that any
American whose electronic communications cannot immediately be read
by US intelligence should, after January 2000, face up to five years
imprisonment. Furthermore, they want the US to use its political and
industrial power to force the rest of the world to follow suit.
Battle resumes in Washington a week today, when the likely more
sympathetic House Commerce Committee will provide its review of the
Safe law for Congress to consider. That done, Congressional leaders
and the White House will have to negotiate which version of the Safe
bill is to be taken ahead. If the new version of the bill succeeds,
it will be illegal in the US to make or sell encryption systems
unless the government can break the code and have "immediate access"
to the contents of messages or phone calls.
In Britain, the new government has soon to decide what line to take
in this little-understood war that has almost paralysed the
development of electronic commerce. Under pressure to formulate
standards, New Labour has to decide if it wants to face the economic
penalties of giving in to the spooks. If the secret agencies win, the
losers will also be ordinary users of electronic commerce or e-mail.
Without encryption to scramble the contents of messages, reams of
Internet traffic can be read easily, not just by intelligence
agencies, but by miscreants with direct access to the Net through
routers or local area networks.
E-mail is less secure than an ordinary telephone call, since ordinary
telephone calls are connected "point to point" by a precise route
rather than being broadcast between routers and into networks.
Without encryption, e-mail containing sensitive private information
or financial details, such as credit card numbers, can be read at
numerous points as messages pass through the Net.
This complex but fundamental issue for everyone in the information
society has been made politically more difficult by an initiative
launched in the dying days of the last government. Just before the
election was called, the Department of Trade and Industry unveiled
its version of the US system for ensuring that the government could
read everyone's private communications.
The DTI's version is a network of licensed agencies that would
provide (and keep copies of) everyone's encryption codes, or keys. If
sent a warrant, these Trusted Third Parties, or TTPs, would hand over
keys at one hour's notice - a less demanding requirement than the
latest US plans, but no less absurd or impossible to engineer, say
Internet specialists. Plans to hold everyone's keys in central
registries have also been slammed for creating a huge security
threat, because everyone would be at risk if crooks were able to get
into the central database.
DTI officials were unprepared for the torrent of protest, abuse and
reasoned objection that has arrived on their desks since early this
summer. The former government's proposals have, it is understood,
attracted not a single unqualified supporter. They were condemned out
of hand by industry leaders, academics and civil libertarians alike.
David Svendsen, head of Microsoft in the UK, says that "the DTI's
plans are unworkable, unwieldy and unacceptable. Setting up a
bureaucratic structure to regulate encryption services will isolate
the UK from global electronic commerce. It will force us all to look
elsewhere for barrier-free encryption technology, while UK plc will
foot the bill."
The battle in the US Congress follows setbacks for the intelligence
agencies, which have been fighting to stop effective encryption
systems from being exported. Classifying encryption software as
"munitions", the US government banned the export of systems with key
lengths (see Cracking the code, opposite) long enough to make them
uncrackable. Thus, while Americans who use Web software browsers to
make "secure" credit card purchases benefit from built-in encryption
with strong 128-bit keys, Europeans have until now been permitted to
use only weakened and insecure 48-bit keys.
In August, the US government gave in to commercial pressure to relax
restrictions, and non-US users of software to browse the Internet are
already being offered upgrades to provide full 128-bit security. The
catch, which is not being advertised, is that the licensees must
provide the US government with backdoor access to the new systems.
The extent to which this area of information technology has been held
back is already remarkable. It's now 20 years since fundamental
advances in mathematics created unique but simple new ways of
encoding messages, known as public key cryptography, that did away
with the need to exchange keys or codebooks before encrypted messages
could be sent. In 1977, long before the Net reached its modern form,
three mathematicians - Rivest, Shamir and Adleman - showed how to
implement this revolution.
Their RSA algorithm allows users to create separate "public" and
"private" keys. To use a public key cryptography system to, say, send
a private message to OnLine, you would first obtain OnLine's
published key. Many Net users (but not yet OnLine) publish such keys
on their Web sites or in directories. You then scramble the message
using the public key, and send it. The message can be decoded using
only a matching private key, which only OnLine would have.
The RSA algorithm is available for use on the Net, or for file
protection, using a program called Pretty Good Privacy, or PGP, whose
inventor, Colorado computer consultant Phil Zimmermann, is a Net
legend. His reward for inventing PGP was not scientific accolade, but
arrest and prosecution by the FBI. For having created PGP, he was
accused of exporting munitions. Charges against Zimmermann were
dropped only last year.
Recognising that there could never be uniform international agreement
to lock away cryptography as nuclear weapons are locked away,
governments and information acquisition agencies have tended instead
to attempt covertly to regulate encryption. This has taken the form
of patent secrecy orders, attacks on research funding, the
undermining of the international standardisation of cryptography, the
harassment of inventors and commercial organisations, and legislative
campaigns to restrict their work.
In the shadows behind these events hide communications intelligence
agencies - the US National Security Agency and Britain's Government
Communications Headquarters (GCHQ). For 50 years, they have harvested
intelligence from monitoring the world's international communications
network. This activity is threatened by large-scale encryption.
Historically, huge codebreaking resources have been used to try to
break the codes of hostile states. But to use the same methods and
resources against the mass of ordinary international communications
would be costly and futile.
The scale of NSA operations is staggering. Tens of billions of
messages are intercepted every year. All international communications
by satellite or undersea cable, and many domestic communications can
be collected by taps or via satellite interception stations. GCHQ's
interception station at Morwenstow near Bude, Cornwall, was built
almost 30 years ago to spy not on the Soviets but on the West's
international communications satellites, Intelsat.
NSA's and GCHQ's electronic tentacles still reach round the world,
and into the heart of Western policy making. Within the DTI, the
director of technology policy and innovation, David Hendon, makes no
secret that a substantial input to his work comes from GCHQ. At the
European Commission, a former official of GCHQ's Communications
Electronic Security Group, David Herson, has been steering EU policy
on information security. Critics such as Ross Anderson, the computer
security specialist based at Cambridge university, have accused them
of being stooges for NSA.
The DTI has hired consultants to summarise the responses to their TTP
proposals, and hope to publish a summary in the autumn, together with
policy proposals. The risk is that officials are still locked into
the same Neanderthal security agenda that once branded the Home
Secretary a subversive threat to the nation.
Advice to ministers trying to understand this most complex part of
the IT brief will need to balance the UK's national economic interest
against the concerns of security officials anxious to maintain the
intelligence service's "special relationship" with the US. Until last
week's events, US attempts to control strong encryption had faced
Three weeks ago, a federal judge in San Francisco ordered the US
government not to take action against Chicago academic Daniel
Bernstein if he published encryption software on the Net. Export
restrictions, said Judge Marilyn Patel, violated Bernstein's
constitutional right to free speech. And US attempts to lobby the
European Union and the OECD into backing an international system of
cryptographic controls have failed. Despite US support from Britain
and France, both organisations have backed and encouraged open use of
cryptography (albeit with qualifications).
The continued campaign against effective cryptography is still being
fuelled by the raising of alarms about the potentially antisocial use
of the Net, including those which Net enthusiasts cynically dub the
"Four Horsemen of the Infocalypse": terrorists, drug traffickers,
paedophiles and organised crime. But the argument is specious.
Forcing honest individuals and companies to turn over their keys or
to use only licensed keys will not prevent criminals from using
strong encryption outside of the mandatory system. Labour's policy,
formulated before the election, had it right: "It is not necessary
to criminalise a large section of the network-using public to control
the activities of a very small minority of law-breakers."
Last year, EU adviser and ex-GCHQ official David Herson was
astonishingly candid about the real reason for playing on
fears about the Net activities of terrorists and paedophiles. "Law
enforcement is a protective shield for all the other governmental
activities," he told two European journalists. "We're talking about
foreign intelligence . . . that's what this is all about. Law
enforcement is a smoke screen."
If New Labour sticks to the policy adopted before the election, it
should have little difficulty reaffirming its view that attempts to
control the use of encryption technology are "wrong in principle,
unworkable in practice, and damaging to the long-term economic value
of the information networks". But if intelligence agency dinosaurs
get their way, they will jeopardise not just personal privacy but the
economic rewards of Net commerce.
The winners will be those countries, such as Germany and many of
those in Asia, that by rule of law or through commercial instinct
stay resistant to NSA's and GCHQ's intelligence imperatives.
[Duncan Campbell is a freelance writer and broadcaster, and not the
Guardian's crime correspondent of the same name]
17 September 1997
Where people, networks and money come together: Consult Hyperion
http://www.hyperion.co.uk [email protected]
Like e$? Help pay for it! See <http://www.shipwright.com/beg.html>
Or, for e$/e$pam sponsorship, <mailto:[email protected]>
--- end forwarded text
Robert Hettinga ([email protected]), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/