As I said before, this "Gubmint" is playing hardball - and if they win this one say goodbye to any last vestiges of freedom...

Enemies of the State

By James P. Lucier

In a clash between the authoritarian state and the libertarian vision, the Clinton administration is seeking draconian control of computers and encryption.

Virginia's soft-spoken four-term Republican congressman, Rep. Bob Goodlatte, may come out of a no-nonsense town in the Blue Ridge, but he has taken on virtually the entire defense establishment, the intelligence community and even the FBI with his bill HR850, the Security and Freedom through Encryption Act, or SAFE. It is a simple concept, and it has 258 cosponsors in the House. What SAFE would do is guarantee every American the freedom to use any type of cryptography anywhere in the world and allow the sale of any type of encryption domestically. Not such a big deal, is it? How many Americans go around writing secret messages in disappearing ink after they grow up?

Actually, it is one of those edge-defying, generation-splitting, turn-the-world-upside-down moments in history. It is a struggle between two different visions of American society. One side sees the private use of encryption as a way to safeguard the records and property of U.S. citizens from the prying eyes of computer hackers, thieves, terrorists and the U.S. government. The other side is the U.S. government, which sees itself as the guarantor of security in the newly discovered land of cyberspace. And to provide that security the government says it has to have the power, at any given moment, to look into anyone's e-mail, bank accounts, financial transactions, information exports and dangerous ideas. Our whole practice of governing is based on geographic concepts -- jurisdiction in delineated districts, authority flowing from citizens voting by precinct, taxes based on property in a given place or on salaries reported to and scrutinized by powerful agencies.

But the Internet is everywhere and nowhere. If people slip into cyberspace covered in the stealth garment of encryption to perform transactions, express their ideas, transfer payments and export technology, who's to know what is happening? How will taxes be assessed and collected? How will commerce be measured? How will the professions be regulated if everyone has access to legal or medical information? What will bureaucrats do without people to boss around? How will ideas be controlled? For those who believe that strong government should be the molder and protector of its citizens -- well then, citizens acting behind the cloak of encryption could be a fundamental threat to government. They are enemies of the state.

Encryption has been around since the earliest times. Elizabethan poets and spies were versed in "cypher." Samuel Pepys wrote his famous diaries in cypher to hide his accounts of his dalliances. William Byrd of Westover wrote the first major literary work in North America -- his diaries -- in his own code. Thomas Jefferson and his protégé, James Monroe, corresponded in cypher and continually were complaining that the key was mislaid or gone astray.

Modern encryption is based on the use of a unique, private numeric "key" which opens a "public key" that even may be published in the marketplace of the Internet. The length of the string of numbers, or "bits," in the private key determines how difficult it is to crack the code. The Clinton administration has decreed that persons in the United States can export encryption products that use up to 56 bits in the key's algorithm; to export a longer and stronger product, the user must agree to put the key "in escrow" where it can be subpoenaed by law-enforcement authorities. But foreign users understandably do not want to place their keys in escrow available to U.S. authorities. And 56-bit encryption is not as secure as the federal government has claimed: In a recent test, a group of private computer experts with desktop computers cracked the 56-bit code in less than 24 hours. More secure 128-bit encryption is widely available around the world, including the United States, but it is illegal to export any product that uses it (see sidebar, below).

The SAFE bill would modernize U.S. export controls to permit the export of generally available software and create criminal penalties for the knowing and willful use of encryption to conceal evidence of a crime, but specifies that the use of encryption by itself is not probable cause of a crime. "The reasons why they have insisted on those export controls is to attempt to force the software industry to devise a key-recovery or key-escrow system whereby everybody's computer has a back door that law enforcement can access without their knowledge," Goodlatte tells Insight. American citizens "are not as secure as they could be because encryption has not grown to the strength that it should be to protect the actions of law-abiding citizens."

The use of encryption by private individuals and business enterprises is a good way to fight crime, Goodlatte believes, by stopping crime before it happens. "Because encryption is already widely available, [law-enforcement authorities] will still have a problem whether my bill passes or not," he says. "Individuals bent on using encryption to cover up their activities for criminal purposes can buy it from literally hundreds of sources. To cite an adage that applies in another area: If you outlaw encryption, only outlaws will have encryption." Indeed, a recent study by the George Washington University School of Engineering and Applied Science backs up Goodlatte. It found good encryption programs available outside the United States on more than 800 Websites.

Of course, robust encryption available to any citizen might thwart the special vision of an administration that believes that government must be the protector of its citizens.

It may be a touch exaggerated, but many citizens feel like the eager young criminal lawyer played by Will Smith last year in the movie Enemy of the State. When Smith unknowingly comes into possession of evidence that a secret federal agency is committing criminal acts, he finds himself targeted in a bizarre night-and-day chase through streets, markets and high-rise buildings -- all with the obligatory black helicopters hovering overhead.

Dramatic license aside, there are signs that events are inching toward that fantastic scenario. Most disturbing were the detailed revelations by a panel of the European Parliament that the United Kingdom and the United States, joined by Canada, Australia and New Zealand, have been engaged in international surveillance of the communications of each other's citizens for years in a joint signals-intelligence consortium code-named ECHELON (see sidebar; for an earlier report, see news alert!, Aug. 17, 1998). Although Attorney General Janet Reno and other officials assert that encryption must be controlled to stop terrorists and child pornography -- two powerful, but demagogic arguments -- it appears the real reasons lie elsewhere. After all, as Reno admits, international terrorist Osama bin Laden already has cryptography and child pornographers are best caught the old-fashioned way: by baiting them into their own trap. The fact is that routine use of strong encryption by law-abiding citizens and enterprises would shut down citizen-surveillance projects such as ECHELON.

The battle to block widespread use of private encryption and to extend government surveillance has emerged on many fronts in the last few months:

The administration has put on a full-court press to block the SAFE bill. Goodlatte and his 258 cosponsors are on one side; on the other are the president, the secretaries of state and defense, the directors of the CIA and FBI and the attorney general, who all have risen up to attempt to defeat the legislation. And they have corralled a few of the GOP's old bull elephants -- including House Armed Services Committee Chairman Floyd Spence of South Carolina and House Permanent Select Intelligence Committee Chairman Porter Goss of Florida -- to run interference on Capitol Hill. But HR850 safely has run the gauntlet of three House committees in sequential referral -- Judiciary, Commerce and International Relations. It ran aground, however, in Spence's and Goss' panels. Both committees stood the bill on its head, adopting the administration's position that SAFE would abet terrorists and child pornographers. No matter. "They are, in effect, sending alternative suggestions to the [House] Rules Committee; they don't amend my language," says Goodlatte. Judiciary is the main committee of jurisdiction, and its bill now is before the Rules Committee, chaired by Rep. David Dreier of California, for possible action in September. Sources in the Rules Committee tell Insight that the cards are being held close to the chairman's vest, but Dreier happens to be a cosponsor of the Goodlatte version.

The Justice Department has sought the "cooperation" of private industry to exchange security data in eight areas of "critical infrastructure," including telecommunications, transportation, water supply, oil and gas production, banking and finance, electrical generation, emergency services and essential government. "The NIPC [National Infrastructure Protection Center] was established to deter, detect, analyze, investigate and provide warnings of cyberthreats and attacks on the critical infrastructures of the United States, including illegal intrusions into government and private-sector computer networks," Reno told the Senate Appropriations Committee on Feb. 24. "NIPC will play a major role in the national plan for cyberprotection functions." Reno went on to note that "the administration is not currently seeking mandatory controls on encryption, but instead is working with industry to find voluntary solutions." But banking officials, for example, are extremely experienced in detecting and preventing computer intrusions because of the vast sums at stake. "It is difficult to imagine that a government that can't even keep our top nuclear secrets safe could teach financial institutions about security," a source close to the banking industry tells Insight. Besides, the source says, banking officials, after meeting NIPC, were appalled at the range of information the government is seeking -- including detailed access and transaction codes of customers.

The Justice Department has been planning to establish the Federal Intrusion Detection Network, or FIDNET, which continually would monitor the Internet for intrusions, at a cost of $1.5 billion. According to a study by the Center for Democracy and Technology of a restricted draft document, FIDNET would be an intrusion-detection monitoring system for non-Defense Department government computers. Intrusion-detection monitors installed on individual systems or networks would be "netted" so that an intruder or intrusion techniques used at one site automatically will be known at all sites. But the draft plan says that the goal is to have similar monitoring sensors installed on private-sector information systems. As soon as the draft document began circulating on Capitol Hill, the House Appropriations Committee quietly axed the budget request for FIDNET on July 30.

On Aug. 5, President Clinton issued an executive order setting up a "Working Group on Unlawful Conduct on the Internet." The working group is to make a report on whether there are enough federal laws to deal with unlawful conduct and whether new technology and capabilities might be needed for effective investigation and prosecution of unlawful conduct within the context of administration policy which supports industry self-regulation "where possible."

The Justice Department, which has prosecuted and threatened prosecution against a number of nongovernment experts who want to publish their encryption programs on the Internet, is appealing the May 6 decision of the 9th U.S. Circuit Court of Appeals in Bernstein v. U.S. Department of Justice that encryption is protected speech under the First Amendment. Daniel Bernstein, a professor in the Department of Mathematics, Statistics, and Computer Science at the University of Illinois at Chicago, developed an encryption system that he wanted to post on the Internet for discussion. The State and Commerce departments ruled that to do so he would have to declare himself an arms dealer and apply for an export license, which was refused.

The FBI -- which was denied the right to require cell-phone companies to install equipment that would give real-time information to track the location of cell-phone users (even when the instrument is on standby) in the 1994 Communications Assistance for Law Enforcement Act -- has been working with the Federal Communications Commission to establish standards which would do the same thing without legislation. According to James X. Dempsey of the Center for Democracy and Technology, "The FBI has sought a 100 percent solution -- a comprehensive examination of the nation's evolving telephone systems that would address all potential law-enforcement problems in a single 'standard' for use by switch manufacturers." In addition to location tracking, he says, the FBI and industry have proposed "allowing companies to deliver the entire packet data stream, including the content of all communications, when law enforcement is entitled to receive only dialing or signal information." In addition, the FBI is attempting to collect all numbers dialed, "including credit-card and bank-account." The FBI also is seeking an enormous increase in capacity: the ability to tap one out of 1,000 phone lines in a given locality at the same time, or the ability to monitor 74,250 phone lines at once -- 10 times the number of surveillance orders in 1993.

U.S. Postmaster General William Henderson proposed on May 17 that the Internet go postal. He wants the post office to become the custodian of all e-mail addresses, mapping them to specific geographic locations, as well as processing bill payments, purchase transactions and being "the residential deliverer of choice for purchases made on the Internet." Describing the post office as a trusted third party, Henderson said, "We would own the physical address and we would maintain it. All that information that . . . our customers have developed around a physical address could now migrate through the Internet and be a part of commerce."

"The underlying belief is that American citizens really need to be policed," Shari Steel, director of legal services for the Electronic Frontiers Foundation, tells Insight. "They are putting it on themselves to look at every citizen. They are just willing to trample all over civil liberties to find the isolated criminal. These issues are clearly related to who has the right to make the decisions for all of us, the right to make big societal decisions as to what's good for all of us. Almost all of us online believe that citizens have the right to protect our integrity. Really, technology gives us the solutions to protect our autonomy."

A Backdoor to Your PC

The White House is seeking new legislation to allow law-enforcement agents to enter the back door of anyone's computer without the owner being aware. An Aug. 4 Department of Justice internal memo obtained by Insight analyzes a proposed "Cyberspace Electronic Security Act of 1999," or CESA, which the department is planning to send to Capitol Hill. CESA sets up a framework for protecting the stored recovery-key system, or key escrow, which the computer industry steadfastly has rejected -- thereby showing that the Clinton administration is determined to win on this issue, despite overwhelming sentiment behind HR850, Virginia Republican Rep. Bill Goodlatte's bill in the House. It provides a way for law-enforcement agents to obtain recovery keys from the keyholder and states that "there is no constitutionally protected expectation of privacy in the plaintext [a term used by encryption experts to denote an ordinary message in its original meaningful form] of encrypted data" -- contrary to the recent ruling of the 9th U.S. Circuit Court of Appeals in Bernstein v. DOJ that encryption is constitutionally protected.

But even if the key to encrypted text is not stored with a third party, the government wants access. The memo notes, "In the pre-encryption world, this problem did not arise." Therefore, it concludes, "the government will need another way to obtain encryption keys," including "a search warrant with the possibility of delayed notice," and "the alteration of hardware or software that allows plaintext to be obtained even if attempts were made to protect it with encryption."

According to the Electronic Privacy Information Center, the White House plan would enable federal and local law-enforcement agents secretly to break into private premises and alter computer equipment to collect e-mail messages and other electronic information. "It's really a little hard to believe that they would be seriously proposing this," EPIC's counsel, David Sobel, tells Insight. "This is beyond the wildest imagination of the most paranoid people who have been following this issue over the years -- it's one of the scariest proposals to come out of government in a long time. This strikes at the heart of the Bill of Rights."

Listen Up, ECHELON

The report prepared for the European Parliament by its Scientific and Technological Options Assessment panel, or STOA, confirmed in April that ECHELON's giant antennae distributed among the five countries monitor all communications broadcast by satellite and microwave relays, including voice and data streams. Submarine pods, attached to undersea cable by induction coils, monitor the Internet and cable traffic. Information is passed through so-called "dictionary" computers that sort out the data by looking for keywords. The information "is used to obtain sensitive data concerning individuals, governments and trade and international organizations," says the STOA report, asserting that the information is used not only for military intelligence but also to promote commercial contracts. As usual, U.K. and U.S. officials have declined comment but, on May 23, Martin Brady, director of the Australian Defense Signals Directorate, or DSD, in Canberra stated that DSD "does cooperate with counterpart signals-intelligence organizations overseas under the UK/USA relationship."

Encryption as Protected Art

Encryption is an essential part of the right to human expression protected under the Constitution. Ironically, the Central Intelligence Agency, one of the lead agencies attempting to limit the use of encryption, is the home of a well-known artwork, Kryptos, the work of Washington sculptor James Sanborn. The giant bronze piece has stood like an upended parchment in a secret courtyard of the agency since the 1980s, covered with 865 characters arranged in rows. But the best cryptographers at CIA have not yet cracked the code completely, though the message is slowly yielding to efforts of top code breakers.

link at

http://www.insightmag.com/articles/story1.html



-- Andy (2000EOD@prodigy.net), August 25, 1999

Answers

What's wrong with "ography" anyhow? And yeah, if civilisation survives y2k, (probably, maybe) then the issue of encryption will be the next big issue. Whether or not strong cryptography is allowed is so important. The issue is a pivot between tyranny and freedom.

-- number six (Iam_not_a_number@ .), August 25, 1999.

I went to an ography once in the late '60's. No, wait a minute...I think it was an orgy.

-- Uncle Bob (UNCLB0B@Y2KOK.ORG), August 25, 1999.

"Submarine pods, attached to undersea cable by induction coils, monitor the Internet and cable traffic. Information is passed through so-called "dictionary" computers that sort out the data by looking for keywords."

OK. let's have some fun.

H-bomb plutonium suitcase bomb Iran Iraq agent target Washington subversive pay-off money dollars assassination code trigger components Moscow Bagdad secret drop safe house revolutionary guard oil line world trade center new york key mole $ million dollars bio- agent ebola virus vials bug bio-warfare great satan capitalist running pigs imperialists Allah moslem russian sales arms highest bidder nuclear warheads clinton spy secrets cia nsa for sale rubles gold $100 bills drug cocaine columbian crack kilo shipment boat plane dealer customs dea launder cash off shore accounts numbered swiss bank account transaction central bank gold usa president prime minister congress death threat industrial espionage vital trade secrets...............................................

Think that will trigger a keyword search algorithm somewhere?

-- Hawthorne (99@00.com), August 25, 1999.


LOL Hawthorne - good one!

If all net users pasted in the above on all e-mails we'd probably see a few fried Crays... :)

-- Andy (2000EOD@prodigy.net), August 25, 1999.


We're gonna make Singapore look like a swinging, liberal society if this keeps up...

-- Gia (laureltree7@hotmail.com), August 25, 1999.


To quote from F.L. Bauer's "Decrypted Secrets":

"In America where many citizens believe in their right to own firearms, cryptography is not seen as the sole domain of the state..."

Since the feds have declared encryption as "war materiel" it follows that SOME form of strong cryptography must fall under the bill of rights, if only in the spirit of the law.

However the law as proposed goes way too far, and not far enough. Under current law you may use any algorithm you choose for your own personal use WITHIN national boundaries (because there is no statute specifically prohibiting it).

Only the export of cryptographic products is controlled; products that are not exported nor offered for sale (i.e., used by private parties) are not regulated.

The law goes too far in that permitting ANY algorithm to be used ANYWHERE poses national security risks (which are small in any case, since it's already impossible to enforce current standards).

The law doesn't go far enough. It is not merely enough to guarantee the use of ANY algorithm ANYWHERE. To be trusted, the algorithms MUST be vetted by the cryptographic community. Currently an informal standard exists that PROHIBITS the publication of cryptologic research that is too cutting edge. Whether self censorship or de jure censorship, it limits the access to the best products available because you can't tell how good they are. Proprietary ciphers are just black boxes, no way to know how good they are.

Now for the editorial:

The law enforcement worries are baseless. Strong cryptography exists today with the restrictions we have now (and the lousy system security...) yet you don't find law enforcement lacking in evidence or means to prosecute crime.

Computer privacy is WEAK today, making it weaker probably HARMS national security rather than helps.

There are so many OTHER ways to get hidden data. (like stealing it when it's been decrypted... or planting bugs in someone's computer.)

-- Hans Rohrbach (cipherdude@enigma.com), August 25, 1999.


I may do a longer number on this when I get back this weekend, but at least three areas of concern.

They can always make a law that your keys have to be furnished. Anything encoded they don't have a key for, is automatically illegal. I think that's the case in Germany. This means that steganography (spelling?) will be required for safety.

No more anonymous hotmail and juno, etc., accounts?

Already no more privacy in mail. Picture ID and proof of residence required now for both P.O. boxes and Private Mail Boxes (PMB) through Commercial Mail Receiving Agencies (CMRAs). Next step is offices and homes for mail receipt. Your roommate, officemate, will have to register, to receive mail, even if the lease and phone(s), etc., are in your name. (Don't believe it? -- It was just implemented for CMRAs. What do you think their next step will be? You don't see them stopping, voluntarily, do you?)

-- A (A@AisA.com), August 25, 1999.