SCN: Surveillance

[Steve]

x-no-archive: yes

======================


(J. William Gurley, Fortune Magazine)---In the weeks following the 
World Trade Center tragedy, many government officials were 
actively lobbying for increased Internet surveillance as a method of 
restricting terrorist activity. No surprise: Numerous reports detailed 
the ways Osama bin Laden and his many supporters use the 
Internet to help organize and share information. 

Senator Judd Gregg of New Hampshire called for "a global 
prohibition on encryption products without backdoors for 
government surveillance"--a request that presumably would enable 
the government to decode any message sent across the Net. 

Many large ISPs, including AOL, Earthlink, and @Home, reported 
that the FBI approached them after the tragedy and served them 
with Federal Intelligence Surveillance Act orders to search for 
possible communications that may have aided in the attacks.  

This type of activity sends shivers down the spines of many pro-
privacy technology activists. Of course, these outspoken and 
knowledgeable people are not pro-terrorist, and surely they were 
as disturbed by the terrorist action as the rest of us. That said, 
they do not believe that you can protect freedom by restricting or 
destroying it. Their sentiments tend to reflect a quote from 
Benjamin Franklin: "They that give up essential liberty to obtain 
temporary safety, deserve neither liberty nor safety."  

But putting aside any debate on civil liberties, a stronger case 
against the government's Internet surveillance attempts is that 
there may well be huge problems in both implementation and 
effectiveness. One predicament is just how much of the genie is 
already out of the bottle. 

So called "strong" encryption techniques--those that are nearly 
impossible to decipher--are broadly available on the Internet. 
Moreover, those tools are cataloged and archived in many forms: 
from ready-to-run software to source code to simple algorithms that 
describe the general concepts. Also, importantly, many of these 
algorithms have been developed outside the United States.  

Another disturbing development is the increased use and 
availability of steganography--the act of embedding or hiding a 
message inside a seemingly innocent digital vessel. Several 
programs on the Internet, many of which are shareware or free to 
download, make it easy to embed one file in another. Typically the 
transport file is large and dense, such as a JPEG photo or an MP3 
file. 

These encoding techniques are so slick that the resulting file is 
indistinguishable to the human eye or ear. As a result, a covert 
communication may appear as innocent as two parties sharing a 
Britney Spears song over the Internet. USA Today has reported 
that Osama bin Laden and his followers are heavy users of 
steganography.  

Proposals like Senator Gregg's are unlikely to filter out much of the 
steganography. But what about his demands for "backdoor" 
access to encryption techniques? Couldn't that give the U.S. a 
huge new tool in tracking the progress of terrorists? Proposals like 
these--and other attempts to make the Net less accessible to 
terrorists--certainly sound good, but they raise more questions 
than they answer:  

Whom do we trust? We're having a hard enough time getting a 
majority of leading countries to join a coalition against terrorism. 
How realistic is it to think we can line everyone up in an organized 
assault on encryption? Many countries have much stronger 
feelings about personal privacy and are therefore unlikely to 
participate. Other less industrialized countries are going to have a 
hard time considering this a relevant priority. 

More important, how will we implement the dissemination of 
government keys that would unlock messages? Do we trust all 
governments that join the effort? Who gets to see cross-border 
communication?  

What do we ban? Many in the scientific community have pointed 
out the silliness in outlawing an algorithm (basically a flow chart of 
how the code works). First, any good programmer can convert a 
detailed algorithm into software code, and as such, the algorithm 
(or formula) is the tersest representation of the offending material. 
Second, these algorithms are everywhere. They're on the Internet, 
they're on hard drives all over the world, they're in books, and they 
have even been printed on T-shirts to highlight the free-speech 
implications of such an attempted prohibition. There is absolutely 
no way to rein in all the copies of these ideas or to restrict their 
trade among those determined to do so.  

With steganography, the problem is even worse. As Muhammad Ali 
used to say, referring to his lightning-fast moves, "Your hands can't 
hit what your eyes can't see." The same statement is true for 
messages embedded via steganography. How will the government 
identify potentially hazardous communications if every photo, 
music, and video file on the Internet is an unidentifiable transport? 
And even if you found the transport and decoded it, the message 
could still be encrypted using "strong" encryption.  

Who would obey? The only people I know who actually use 
encryption products are those who loathe or at the very least 
mistrust the government. Government-vetted encryption programs 
will see about as much use as a sauna in the desert.  

Is it too late? Many have suggested that the terrorists are more 
intelligent than we think, pointing out their clever use of these 
technologies. Another Senator, Jon Kyl of Arizona, has commented 
frequently on the "sophistication" of the terrorists for this very 
reason. This isn't sophistication; it's more likely ignorance on the 
part of the accusers. Encryption tools and the like are ridiculously 
easy to obtain. Go to Google, type "steganography program," and 
start downloading. You will be able to put an e-mail message into a 
family photograph within five minutes.  

Where do we start? There are an increasing number of ways to 
move files on the Internet. To name a few: e-mail, FTP, instant 
messenger, chat, file lockers, Napster, and Gnutella. In the next 
few years the annual number of e-mails and instant messages will 
be measured in the trillions--for each. Peer-to-peer file transfers 
will easily number in the billions. How do you monitor all of this? 
Where could you even store the log data? The pin is small, the 
haystack is large, and astute cryptographers can use 
steganography to increase the size of the haystack.  

The government should not give up on computer surveillance. In 
fact, as a tool that is used to track down a particular offender after 
isolation and identification, these technologies can be extremely 
effective. However, we should not be unrealistic about what type of 
"magic" spy technologies are at our disposal. We are only going to 
spend a lot of money, waste a lot of time, and create a false sense 
of security.  

Copyright 2001 Time Inc.





* * * * * * * * * * * * * *  From the Listowner  * * * * * * * * * * * *
.	To unsubscribe from this list, send a message to:
majordomo at scn.org		In the body of the message, type:
unsubscribe scn
==== Messages posted on this list are also available on the web at: ====
* * * * * * *     http://www.scn.org/volunteers/scn-l/     * * * * * * *