SCN: Surveillance
Steve
steve at advocate.net
Thu Oct 4 09:28:12 PDT 2001
======================
(J. William Gurley, Fortune Magazine)---In the weeks following the
World Trade Center tragedy, many government officials were
actively lobbying for increased Internet surveillance as a method of
restricting terrorist activity. No surprise: Numerous reports detailed
the ways Osama bin Laden and his many supporters use the
Internet to help organize and share information.
Senator Judd Gregg of New Hampshire called for "a global
prohibition on encryption products without backdoors for
government surveillance"--a request that presumably would enable
the government to decode any message sent across the Net.
Many large ISPs, including AOL, Earthlink, and @Home, reported
that the FBI approached them after the tragedy and served them
with Federal Intelligence Surveillance Act orders to search for
possible communications that may have aided in the attacks.
This type of activity sends shivers down the spines of many
pro-privacy technology activists. Of course, these outspoken and
knowledgeable people are not pro-terrorist, and surely they were
as disturbed by the terrorist action as the rest of us. That said,
they do not believe that you can protect freedom by restricting or
destroying it. Their sentiments tend to reflect a quote from
Benjamin Franklin: "They that give up essential liberty to obtain
temporary safety, deserve neither liberty nor safety."
But putting aside any debate on civil liberties, a stronger case
against the government's Internet surveillance attempts is that
there may well be huge problems in both implementation and
effectiveness. One predicament is just how much of the genie is
already out of the bottle.
So-called "strong" encryption techniques--those that are nearly
impossible to decipher--are broadly available on the Internet.
Moreover, those tools are cataloged and archived in many forms:
from ready-to-run software to source code to simple algorithms that
describe the general concepts. Also, importantly, many of these
algorithms have been developed outside the United States.
Another disturbing development is the increased use and
availability of steganography--the act of embedding or hiding a
message inside a seemingly innocent digital vessel. Several
programs on the Internet, many of which are shareware or free to
download, make it easy to embed one file in another. Typically the
transport file is large and dense, such as a JPEG photo or an MP3
file.
These encoding techniques are so slick that the resulting file is
indistinguishable to the human eye or ear. As a result, a covert
communication may appear as innocent as two parties sharing a
Britney Spears song over the Internet. USA Today has reported
that Osama bin Laden and his followers are heavy users of
steganography.
Proposals like Senator Gregg's are unlikely to filter out much of the
steganography. But what about his demands for "backdoor"
access to encryption techniques? Couldn't that give the U.S. a
huge new tool in tracking the progress of terrorists? Proposals like
these--and other attempts to make the Net less accessible to
terrorists--certainly sound good, but they raise more questions
than they answer:
Whom do we trust? We're having a hard enough time getting a
majority of leading countries to join a coalition against terrorism.
How realistic is it to think we can line everyone up in an organized
assault on encryption? Many countries have much stronger
feelings about personal privacy and are therefore unlikely to
participate. Other less industrialized countries are going to have a
hard time considering this a relevant priority.
More important, how will we implement the dissemination of
government keys that would unlock messages? Do we trust all
governments that join the effort? Who gets to see cross-border
communication?
What do we ban? Many in the scientific community have pointed
out the silliness in outlawing an algorithm (basically a flow chart of
how the code works). First, any good programmer can convert a
detailed algorithm into software code, and as such, the algorithm
(or formula) is the tersest representation of the offending material.
Second, these algorithms are everywhere. They're on the Internet,
they're on hard drives all over the world, they're in books, and they
have even been printed on T-shirts to highlight the free-speech
implications of such an attempted prohibition. There is absolutely
no way to rein in all the copies of these ideas or to restrict their
trade among those determined to do so.
With steganography, the problem is even worse. As Muhammad Ali
used to say, referring to his lightning-fast moves, "Your hands can't
hit what your eyes can't see." The same statement is true for
messages embedded via steganography. How will the government
identify potentially hazardous communications if every photo,
music, and video file on the Internet is an unidentifiable transport?
And even if you found the transport and decoded it, the message
could still be encrypted using "strong" encryption.
Who would obey? The only people I know who actually use
encryption products are those who loathe or at the very least
mistrust the government. Government-vetted encryption programs
will see about as much use as a sauna in the desert.
Is it too late? Many have suggested that the terrorists are more
intelligent than we think, pointing out their clever use of these
technologies. Another Senator, Jon Kyl of Arizona, has commented
frequently on the "sophistication" of the terrorists for this very
reason. This isn't sophistication; it's more likely ignorance on the
part of the accusers. Encryption tools and the like are ridiculously
easy to obtain. Go to Google, type "steganography program," and
start downloading. You will be able to put an e-mail message into a
family photograph within five minutes.
Where do we start? There are an increasing number of ways to
move files on the Internet. To name a few: e-mail, FTP, instant
messenger, chat, file lockers, Napster, and Gnutella. In the next
few years the annual number of e-mails and instant messages will
be measured in the trillions--for each. Peer-to-peer file transfers
will easily number in the billions. How do you monitor all of this?
Where could you even store the log data? The pin is small, the
haystack is large, and astute cryptographers can use
steganography to increase the size of the haystack.
The government should not give up on computer surveillance. In
fact, as a tool that is used to track down a particular offender after
isolation and identification, these technologies can be extremely
effective. However, we should not be unrealistic about what type of
"magic" spy technologies are at our disposal. We are only going to
spend a lot of money, waste a lot of time, and create a false sense
of security.
Copyright 2001 Time Inc.