[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Guardian: Screw the Internet

--- begin forwarded text

X-Authentication-Warning: fma66.fma.com: majordomo set sender to
[email protected] using -f
X-Orig-From: rah-web <[email protected]>
X-e$pam-source: Various
X-Sender: [email protected]
Mime-Version: 1.0
Date: Sat, 20 Sep 1997 14:15:00 -0400
To: [email protected]
From: Robert Hettinga <[email protected]>
Subject: Guardian: Screw the Internet
Sender: [email protected]
Precedence: bulk
Reply-To: [email protected]

This mail is brought to you by the e$pam mailing list

From: rah-web <[email protected]>
Reply-To: [email protected]
MIME-Version: 1.0
To: Robert Hettinga <[email protected]>
Subject: Guardian: Screw the Internet


 Content-Type: text/plain; charset=us-ascii; name="874505219-crypt.html"
 Content-Disposition: inline; filename="874505219-crypt.html"
 X-MIME-Autoconverted: from 8bit to quoted-printable by lbo.leftbank.com id


   Spooks on both sides of the Atlantic are intent on retaining their
   power to monitor the world's telecoms traffic, writes Duncan Campbell
   Screw the Internet

      INTELLIGENCE AGENCIES in the US have stepped up their campaign to
      control the flow of information over the Internet, counterattacking
      an unholy alliance of civil libertarians and business chiefs who back
      the introduction of secure encryption technologies to protect
      personal privacy and commercial data online. Last Thursday in
      Congress, lobbying by the FBI and the National Security Agency won
      amendments to a draft pro-encryption law known as Safe (Security and
      Freedom through Encryption). The House Intelligence Committee
      replaced rights to sell effective encryption systems to the world
      with regulations to ban even US citizens from using them. The
      agencies and their political backers are now demanding that any
      American whose electronic communications cannot immediately be read
      by US intelligence should, after January 2000, face up to five years
      imprisonment. Furthermore, they want the US to use its political and
      industrial power to force the rest of the world to follow suit.

      Battle resumes in Washington a week today, when the likely more
      sympathetic House Commerce Committee will provide its review of the
      Safe law for Congress to consider. That done, Congessional leaders
      and the White House will have to negotiate which version of the Safe
      bill is to be taken ahead. If the new version of the bill succeeds,
      it will be illegal in the US to make or sell encryption systems
      unless the government can break the code and have "immediate access"
      to the contents of messages or phone calls.

      In Britain, the new government has soon to decide what line to take
      in this little-understood war that has almost paralysed the
      development of electronic commerce. Under pressure to formulate
      standards, New Labour has to decide if it wants to face the economic
      penalties of giving in to the spooks. If the secret agencies win, the
      losers will also be ordinary users of electronic commerce or e-mail.
      Without encryption to scramble the contents of messages, reams of
      Internet traffic can be read easily, not just by intelligence
      agencies, but by miscreants with direct access to the Net through
      routers or local area networks.

      E-mail is less secure than an ordinary telephone call, since ordinary
      telephone calls are connected "point to point" by a precise route
      rather than being broadcast between routers and into networks.
      Without encryption, e-mail containing sensitive private information
      or financial details, such as credit card numbers, can be read at
      numerous points as messages pass through the Net.

      This complex but fundamental issue for everyone in the information
      society has been made politically more difficult by an initiative
      launched in the dying days of the last government. Just before the
      election was called, the Department of Trade and Industry unveiled
      its version of the US system for ensuring that the government could
      read everyone's private communications.

      The DTI's version is a network of licensed agencies that would
      provide (and keep copies of) everyone's encryption codes, or keys. If
      sent a warrant, these Trusted Third Parties, or TTPs, would hand over
      keys at one hour's notice - a less demanding requirement than the
      latest US plans, but no less absurd or impossible to engineer, say
      Internet specialists. Plans to hold everyone's keys in central
      registries have also been slammed for creating a huge security
      threat, because everyone would be at risk if crooks were able to get
      into the central database.

      DTI officials were unprepared for the torrent of protest, abuse and
      reasoned objection that has arrived on their desks since early this
      summer. The former government's proposals have, it is understood,
      attracted not a single unqualified supporter. They were condemned out
      of hand by industry leaders, academics and civil libertarians alike.
      David Svendsen, head of Microsoft in the UK, says that "the DTI's
      plans are unworkable, unwieldy and unacceptable. Setting up a
      bureaucratic structure to regulate encryption services will isolate
      the UK from global electronic commerce. It will force us all to look
      elsewhere for barrier-free encryption technology, while UK plc will
      foot the bill."

      The battle in the US Congress follows setbacks for the intelligence
      agencies, which have been fighting to stop effective encryption
      systems from being exported. Classifying encryption software as
      "munitions", the US government banned the export of systems with key
      lengths (see Cracking the code, opposite) long enough to make them
      uncrackable. Thus, while Americans who use Web software browsers to
      make "secure" credit card purchases benefit from built-in encryption
      with strong 128-bit keys, Europeans have until now been permitted to
      use only weakened and insecure 48-bit keys.

      In August, the US government gave in to commercial pressure to relax
      restrictions, and non-US users of software to browse the Internet are
      already being offered upgrades to provide full 128-bit security. The
      catch, which is not being advertised, is that the licencees must
      provide the US government with backdoor access to the new systems.

      The extent to which this area of information technology has been held
      back is already remarkable. It's now 20 years since fundamental
      advances in mathematics created unique but simple new ways of
      encoding messages, known as public key cryptography, that did away
      with the need to exchange keys or codebooks before encrypted messages
      could be sent. In 1977, long before the Net reached its modern form,
      three mathematicians - Rivest, Shamir and Adelman - showed how to
      implement this revolution.

      Their RSA algorithm allows users to create separate "public" and
      "private" keys. To use a public key crytopgraphy system to, say, send
      a private message to OnLine, you would first obtain OnLine's
      published key. Many Net users (but not yet OnLine) publish such keys
      on their Web sites or in directories. You then scramble the message
      using the public key, and send it. The message can be decoded using
      only a matching private key, which only Online would have.

      The RSA algorithm is available for use on the Net, or for file
      protection, using a program called Pretty Good Privacy, or PGP, whose
      inventor, Colorado computer consultant Phil Zimmermann, is a Net
      legend. His reward for inventing PGP was not scientific accolade, but
      arrest and prosecution by the FBI. For having created PGP, he was
      accused of exporting munitions. Charges against Zimmermann were
      dropped only last year.

      Recognising that there could never be uniform international agreement
      to lock away cryptography as nuclear weapons are locked away,
      governments and information acquisition agencies have tended instead
      to attempt covertly to regulate encryption. This has taken the form
      of patent secrecy orders, attacks on research funding, the
      undermining of the international standardisation of cryptography, the
      harassment of inventors and commercial organisations, and legislative
      campaigns to restrict their work.

      In the shadows behind these events hide communications intelligence
      agencies - the US National Security Agency and Britain's Government
      Communications Headquarters (GCHQ). For 50 years, they have harvested
      intelligence from monitoring the world's international communications
      network. This activity is threatened by large-scale encryption.
      Historically, huge codebreaking resources have been used to try to
      break the codes of hostile states. But to use the same methods and
      resources against the mass of ordinary international communications
      would be costly and futile.

      The scale of NSA operations is staggering. Tens of billions of
      messages are intercepted every year. All international communications
      by satellite or undersea cable, and many domestic communications can
      be collected by taps or via satellite interception stations. GCHQ's
      interception station at Morwenstow near Bude, Cornwall, was built
      almost 30 years ago to spy not on the Soviets but on the West's
      international communications satellites, Intelsat.

      NSA's and GCHQ's electronic tentacles still reach round the world,
      and into the heart of Western policy making. Within the DTI, the
      director of technology policy and innovation, David Hendon, makes no
      secret that a substantial input to his work comes from GCHQ. At the
      European Commission, a former official of GCHQ's Communications
      Electronic Security Group, David Herson, has been steering EU policy
      on information security. Critics such as Ross Anderson, the computer
      security specialist based at Cambridge university, have accused them
      of being stooges for NSA.

      The DTI has hired consultants to summarise the responses to their TTP
      proposals, and hope to publish a summary in the autumn, together with
      policy proposals. The risk is that officials are still locked into
      the same Neanderthal security agenda that once branded the Home
      Secretary a subversive threat to the nation.

      Advice to ministers trying to understand this most complex part of
      the IT brief will need to balance the UK's national economic interest
      against the concerns of security officials anxious to maintain the
      intelligence service's "special relationship" with the US. Until last
      week's events, US attempts to control strong encryption had faced

      Three weeks ago, a federal judge in San Francisco ordered the US
      government not to take action against Chicago academic Daniel
      Bernstein if he published encryption software on the Net. Export
      restrictions, said Judge Marilyn Patel, violated Bernstein's
      constitutional right to free speech. And US attempts to lobby the
      European Union and the OECD into backing an international system of
      cryptographic controls have failed. Despite US support from Britain
      and France, both organisations have backed and encouraged open use of
      cryptography (albeit with qualifications).

      The continued campaign against effective cryptography is still being
      fuelled by the raising of alarms about the potentially antisocial use
      of the Net, including those which Net enthusiasts cynically dub the
      "Four Horsemen of the Infocalypse": terrorists, drug traffickers,
      paedophiles and organised crime. But the argument is specious.
      Forcing honest individuals and companies to turn over their keys or
      to use only licensed keys will not prevent criminals from using
      strong encryption outside of the mandatory system. Labour's policy,
      formulated before the election, had it right : "It is not necessary
      to criminalise a large section of the network-using public to control
      the activities of a very small minority of law-breakers."

      Last year, EU adviser and ex-GCHQ official David Herson was
      astonishingly candid about the real reason for playing on

      fears about the Net activities of terrorists and paedophiles. "Law
      enforcement is a protective shield for all the other governmental
      activities," he told two European journalists. "We're talking about
      foreign intelligence . . . that's what this is all about. Law
      enforcement is a smoke screen."

      If New Labour sticks to the policy adopted before the election, it
      should have little difficulty reaffirming its view that attempts to
      control the use of encryption technology are "wrong in principle,
      unworkable in practice, and damaging to the long-term economic value
      of the information networks". But if intelligence agency dinosaurs
      get their way, they will jeopardise not just personal privacy but the
      economic rewards of Net commerce.

      The winners will be those countries, such as Germany and many of
      those in Asia, that by rule of law or through commercial instinct
      stay resistant to NSA's and GCHQ's intelligence imperatives.

      [Duncan Campbell is a freelance writer and broadcaster, and not the
      Guardian's crime correspondent of the same name]

      17 September 1997

Where people, networks and money come together: Consult Hyperion
http://www.hyperion.co.uk                    [email protected]
Like e$? Help pay for it!  See <http://www.shipwright.com/beg.html>
Or, for e$/e$pam sponsorship, <mailto:[email protected]>

--- end forwarded text

Robert Hettinga ([email protected]), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/