[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FYI] (Fwd) Article: Year-End Worldwide Round-Up on Internet Surveil

------- Forwarded message follows -------
Date sent:      	Tue, 26 Dec 2000 09:03:46 -0500 (EST)
From:           	Andy Oram <andyo@oreilly.com>
Subject:        	Article: Year-End Worldwide Round-Up on Internet Surveillance
To:             	gilc-plan@gilc.org
Send reply to:  	gilc-plan@gilc.org


December 23, 2000

Year-End Worldwide Round-Up on Internet Surveillance

by Andy Oram
American Reporter Correspondent

CAMBRIDGE, MASS.--Government surveillance was the most pressing policy
issue in cyberspace this past year. (Intellectual property issues,
which I will consider in an upcoming article, come in for a close
second.) The wildly divergent proposals popping up around the world
make it hard to tease out a trend, but a long-range historical look
suggests that a shift in strategy is underway globally.

A public debate has finally begun over Echelon, a global tracking
system that seems right out of a spy novel, and whose very existence
was denied by the people running it up until this year. In another
trend showing the reach of the law, numerous governments are imposing
requirements on Internet service providers to preserve information on
users and help law enforcement track their meanderings online.

On the other hand, the Clinton Administration has removed almost all
the old restrictions on the export of encryption (a fundamental tool
for hiding communications). FCC regulations extending wiretap
technology to digital telephones were partly rejected last August by a
court that said the FCC had given the FBI too much leeway for

I can see a direction in all the current developments by dividing
policies into those that have failed and those that hold out new
promise. In general, the more ambitious technological solutions have
failed, while legal solutions are still being explored.

The failed surveillance solutions include:

Key escrow.

     This proposal would require users of computer encryption to store
     the keys decrypting their data in a central location (a "trusted
     third party") where they could be obtained by the government (and
     hopefully no one else) following careful legal procedures to
     prevent abuse, or so the story goes. The concept behind key
     escrow is a veritable Maginot Line of bad planning. The
     technology to make it work doesn't exist, the central store would
     be vulnerable to numerous technical and human attacks, and--most
     damning to the proposal--criminals would simply ignore it and use
     keys obtained in other ways. Still, key escrow become law
     enforcement's main Internet-related proposal in the U.S.,
     Britain, and elsewhere for most of a decade, and hung around in
     various forms from 1993 till the past year. It has never formally
     been renounced, but government officials are notably silent about
     it as they debate newer surveillance systems.

Controlling the spread of encryption.

     For half a century the U.S. Department of Commerce has classified
     computer encryption as a form of munitions and limited its export
     to forms that are easy to crack. This bit of bureaucratic
     blindness has proved amazingly effective in discouraging
     corporations from creating mass-market products using
     cryptography, and its significance has been recognized by leading
     forces on both sides of the debate over privacy. The restrictions
     were challenged in court on the grounds that computer code is a
     form of speech--successfully in one case (Bernstein v. US Dept.
     of State) and unsuccessfully in another (Junger v. US Dept. of
     State). As recently as 1998, Western governments were trying to
     generalize this Luddite approach to security in an international
     treaty. But as businesses argue the importance of privacy to
     policy-makers, the moat of export restrictions in the U.S. has
     gradually been reduced to a puddle over the past year and a half,
     and it looks likely to dry up entirely the next time the sun
     comes out.

Total surveillance.

     Rumors that the NSA was checking all Internet traffic go back
     more than 30 years and have become a standing joke. Yet this is
     precisely the solution Echelon attempts to provide, and more:
     every phone conversation, every email, every fax, every microwave
     transmission, is trapped by a satellite or routing hub and
     checked for suspicious content. The resources required to carry
     this off are mind-boggling, and there's no evidence it's very
     successful. As with key escrow, the system has not been formally
     renounced, and many readers will disagree with my hunch that it's
     being abandoned. But a telescreen in the middle of the wall is a
     lot less useful than a hidden microphone: a tracking system like
     Echelon loses much of its value if everybody knows it's there.
     Furthermore, because Echelon is controlled by the U.S. in
     collaboration with other English-speaking nations around the
     world, and because they have already admitted that material
     picked up by Echelon has been used to promote the interests of at
     least one U.S. corporation, so-called allies in Europe are

So those are my guesses concerning surveillance systems that are
dying. Now for the new ones that seem to replacing them.

Tapping the Internet like a phone wire.

     That's the principle behind the FBI Carnivore system that has
     been in the news a lot recently.

Requiring Internet service providers to collect information.

     What you can't achieve on a global scale from 22,000 feet above
     the ground, you might be able to accomplish on a more intimate
     level by pressing ISPs into service. Numerous countries have
     proposed or legislated schemes to make ISPs preserve information
     for, or provide information to, law enforcement. Some proposals
     would have each ISP hold email for months after it passes through
     their hubs (that's a lot of disk space!). Some assume a wire
     going directly from the ISP's hub to the police station, so that
     police forces addicted to secret information can mainline it at a
     whim. A recent controversial initiative from the European Union
     (the "cybercrime" treaty,
     would force ISPs to cooperate not only with local governments but
     with foreign ones. These surveillance proposals are related to
     another interesting trend: that of making ISPs (or anyone else
     hosting content on their systems) maintain information on the
     people who put up content.

Requiring suspects to give law enforcement their encryption keys.

     While this court-based strategy is much more transparent and
     technically feasible than key escrow, it places serious risks on
     anyone who dares to use encryption. As numerous critics pointed
     out when the British parliament put this controversial policy in
     their Regulation of Investigatory Powers Act 2000, what if
     somebody deletes a key by mistake and is later considered a
     criminal because he can't surrender it?

Making hardware and software illegal.

     The attempt to define certain devices as having a "primary
     purpose" that is illegal goes back many years. The arrogance of
     such a definition becomes even greater when it is applied to
     software, which is much more malleable and offers greater
     potential for development than physical devices. The clause of
     the 1998 U.S. Copyright Act that makes it illegal to "circumvent
     a technological measure" installed by copyright holders is

As you can see, the new trend is toward much more modest goals and
technical requirements. Ironically, it seems that one of the central
doctrines of my organization, Computer Professionals for Social
Responsibility, has sunk in to the skulls of the cops and the spies:
don't count on technology to solve a social problem.

A look at technology, however, often sheds light on legal issues. What
makes modern Internet surveillance so hard is that the tools and
techniques used by criminals are precisely the same as those used by
those trying to stop the criminals (both the police and the civilians
trying to go about their everyday business). Technology wears neither
a black hat nor a white one, but lets its hair grow out all frizzy. So
entwined are the technologies of surveillance and the technologies of
law enforcement that one of the common objections law enforcement
proposals receive from security experts is, "The system you want to
put in place could be subverted by an intruder and put to criminal

Echelon seems to be unshaken by all the controversy surrounding it,
but it hangs over the world like the ethereal ghost of the Cold War.
The U.S. has simply marshaled its old team of allies to send bits to
its number-crunchers instead of troops to Vietnam.

European protests (even though motivated more by envy than by
disapproval) shed light on the key tension brought by today's
globalization. On the one hand, international investment and trade
requires trust and a certain willingness to accept foreigners as one's
allies. Nobody gets away for long with the kind of xenophobia that led
the U.S. government to persecute Los Alamos researcher Wen Ho Lee; it
has already cost us some talented East Asian scientists.

On the other hand, businesses in each country can't resist trying to
gain advantage over foreign competitors, and enlisting all levels of
government in that cause, including spy agencies. Thus, the
communications infrastructure has joined such traditional resources as
food and energy in the fears felt by many countries over ceding
control to foreigners. The U.S. government hesitated this past summer
before letting a Japanese phone company buy an American ISP, and there
were anti-foreign rumblings in Congress against Deutsche Telekom's
purchase of an American wireless phone provider.

Still, the new world order is represented less by Echelon than by the
cybercrime treaty currently being drafted by the Council of Europe. It
requires or points to a need for all the new measures I listed in this
article: tapping the Internet, requiring ISPs to provide traffic and
content data, requiring users to surrender keys, and making certain
hardware and software illegal.

If this treaty is adopted, one might well see the British government
compel an ISP to preserve all the content of one of its customers
because that customer is a suspected supporter of a Basque separatist
group, for example, and to hand the content over to the Spanish
government. One might argue that only the Spanish authorities can
determine the best way to handle the violence produced by the Basque
conflict, but the chain of responsibilities opens up many questions
about how broad a category of suspects can become for the purposes of
surveillance. Not much time has passed since a scandal involving
Spanish government assassination of Basque politicians.

The Council of Europe and the United States lead the way in prying
open the Internet to police, but they are joined by many other

   * Japan passed a wiretap law in 1999 covering email and faxes as
   well as
     voice calls.

   * India has considered a law allowing police access to Internet
     without a warrant.

   * Russia passed a law requiring all ISPs to let police look at any
     they want in real-time, but a court declared it had gone too far.

   * An Israeli court also ruled that military authorities require a
     order before checking email.

Nobody trusts law enforcement in any country, of course. Police have
consorted with and protected criminals in places around the world from
Boston to Karachi. Since the COINTELPRO scandal of the 1970s it's been
widely understood in the U.S. that "it can happen here." And
assurances by the FBI that Internet tapping will be restricted just
like phone wiretaps by the courts fall flat as details of their
Carnivore system are gradually uncovered.

Traditional telephone technology allows specific devices to be
installed by a phone company to record particular data about a
particular phone. The packetized homogeneity of the Internet, by
contrast, has an all-or-nothing quality. So Carnivore devices check
all traffic, simply picking out particular user addresses and
protocols according to the device's configuration. The FBI's promise
that Carnivore reads only email, and only targets a particular
court-authorized user, is just that: a promise. In fact, the
descriptions leaking out of Carnivore make it sound like a
sophisticated filtering device that offers tantalizing possibilities
for increasing the effective surveillance capabilities of police, not
restricting them.

Sometimes the Internet, as the new boy on the block, just provides a
convenient scapegoat. On December 15, the Clinton administration
released a report detailing the international spread of crime. The
Internet was implicated in such problems as money laundering, illegal
drug deals, and the transport of illegal immigrants (sometimes for the
purposes of slavery). Why is it easier to place controls on the
Internet than to follow drugs, immigrants, and other illegal
activities in the real world? The Internet is a powerful tool for
organizing people and for trading, but it will cease that role if it
becomes instead a tool for surveillance.


This opinion piece was originally printed at the American Reporter


The article can be reposted in full for non-profit use.

Andy Oram  O'Reilly & Associates, Inc.        email: andyo@oreilly.com
Editor     90 Sherman Street                     phone: (617) 499-7479
           Cambridge, MA 02140-3233                fax: (617) 661-1116
           USA                          http://www.oreilly.com/~andyo/
Stories at Web site:
The Bug in the Seven Modules     Code the Obscure     The Disconnected

------- End of forwarded message -------