
[FYI] (Fwd) Article: Year-End Worldwide Round-Up on Internet Surveil




------- Forwarded message follows -------
Date sent:      	Tue, 26 Dec 2000 09:03:46 -0500 (EST)
From:           	Andy Oram <andyo@oreilly.com>
Subject:        	Article: Year-End Worldwide Round-Up on Internet Surveillance
To:             	gilc-plan@gilc.org
Send reply to:  	gilc-plan@gilc.org

  http://www.oreilly.com/~andyo/ar/roundup_surveillance.html

December 23, 2000

Year-End Worldwide Round-Up on Internet Surveillance

by Andy Oram
American Reporter Correspondent

CAMBRIDGE, MASS.--Government surveillance was the most pressing policy
issue in cyberspace this past year. (Intellectual property issues,
which I will consider in an upcoming article, come in for a close
second.) The wildly divergent proposals popping up around the world
make it hard to tease out a trend, but a long-range historical look
suggests that a shift in strategy is underway globally.

A public debate has finally begun over Echelon, a global tracking
system that seems right out of a spy novel, and whose very existence
was denied by the people running it up until this year. In another
trend showing the reach of the law, numerous governments are imposing
requirements on Internet service providers to preserve information on
users and help law enforcement track their meanderings online.

On the other hand, the Clinton Administration has removed almost all
the old restrictions on the export of encryption (a fundamental tool
for hiding communications). FCC regulations extending wiretap
technology to digital telephones were partly rejected last August by a
court that said the FCC had given the FBI too much leeway for
snooping.

I can see a direction in all the current developments by dividing
policies into those that have failed and those that hold out new
promise. In general, the more ambitious technological solutions have
failed, while legal solutions are still being explored.

The failed surveillance solutions include:

Key escrow.

     This proposal would require users of computer encryption to store
     the keys decrypting their data in a central location (a "trusted
     third party") where they could be obtained by the government (and
     hopefully no one else) following careful legal procedures to
     prevent abuse, or so the story goes. The concept behind key
     escrow is a veritable Maginot Line of bad planning. The
     technology to make it work doesn't exist, the central store would
     be vulnerable to numerous technical and human attacks, and--most
     damning to the proposal--criminals would simply ignore it and use
     keys obtained in other ways. Still, key escrow became law
     enforcement's main Internet-related proposal in the U.S.,
     Britain, and elsewhere for most of a decade, and hung around in
     various forms from 1993 till the past year. It has never formally
     been renounced, but government officials are notably silent about
     it as they debate newer surveillance systems.

Controlling the spread of encryption.

     For half a century the U.S. Department of Commerce has classified
     computer encryption as a form of munitions and limited its export
     to forms that are easy to crack. This bit of bureaucratic
     blindness has proved amazingly effective in discouraging
     corporations from creating mass-market products using
     cryptography, and its significance has been recognized by leading
     forces on both sides of the debate over privacy. The restrictions
     were challenged in court on the grounds that computer code is a
     form of speech--successfully in one case (Bernstein v. US Dept.
     of State) and unsuccessfully in another (Junger v. US Dept. of
     State). As recently as 1998, Western governments were trying to
     generalize this Luddite approach to security in an international
     treaty. But as businesses argue the importance of privacy to
     policy-makers, the moat of export restrictions in the U.S. has
     gradually been reduced to a puddle over the past year and a half,
     and it looks likely to dry up entirely the next time the sun
     comes out.

Total surveillance.

     Rumors that the NSA was checking all Internet traffic go back
     more than 30 years and have become a standing joke. Yet this is
     precisely the solution Echelon attempts to provide, and more:
     every phone conversation, every email, every fax, every microwave
     transmission, is trapped by a satellite or routing hub and
     checked for suspicious content. The resources required to carry
     this off are mind-boggling, and there's no evidence it's very
     successful. As with key escrow, the system has not been formally
     renounced, and many readers will disagree with my hunch that it's
     being abandoned. But a telescreen in the middle of the wall is a
     lot less useful than a hidden microphone: a tracking system like
     Echelon loses much of its value if everybody knows it's there.
     Furthermore, because Echelon is controlled by the U.S. in
     collaboration with other English-speaking nations around the
     world, and because they have already admitted that material
     picked up by Echelon has been used to promote the interests of at
     least one U.S. corporation, so-called allies in Europe are
     furious.

So those are my guesses concerning surveillance systems that are
dying. Now for the new ones that seem to be replacing them.

Tapping the Internet like a phone wire.

     That's the principle behind the FBI Carnivore system that has
     been in the news a lot recently.

Requiring Internet service providers to collect information.

     What you can't achieve on a global scale from 22,000 feet above
     the ground, you might be able to accomplish on a more intimate
     level by pressing ISPs into service. Numerous countries have
     proposed or legislated schemes to make ISPs preserve information
     for, or provide information to, law enforcement. Some proposals
     would have each ISP hold email for months after it passes through
     their hubs (that's a lot of disk space!). Some assume a wire
     going directly from the ISP's hub to the police station, so that
     police forces addicted to secret information can mainline it at a
     whim. A recent controversial initiative from the European Union
     (the "cybercrime" treaty,
     <http://conventions.coe.int/treaty/EN/projets/cybercrime24.htm>)
     would force ISPs to cooperate not only with local governments but
     with foreign ones. These surveillance proposals are related to
     another interesting trend: that of making ISPs (or anyone else
     hosting content on their systems) maintain information on the
     people who put up content.

Requiring suspects to give law enforcement their encryption keys.

     While this court-based strategy is much more transparent and
     technically feasible than key escrow, it places serious risks on
     anyone who dares to use encryption. As numerous critics pointed
     out when the British parliament put this controversial policy in
     their Regulation of Investigatory Powers Act 2000, what if
     somebody deletes a key by mistake and is later considered a
     criminal because he can't surrender it?

Making hardware and software illegal.

     The attempt to define certain devices as having a "primary
     purpose" that is illegal goes back many years. The arrogance of
     such a definition becomes even greater when it is applied to
     software, which is much more malleable and offers greater
     potential for development than physical devices. The clause of
     the 1998 U.S. Copyright Act that makes it illegal to "circumvent
     a technological measure" installed by copyright holders is
     notorious.

As you can see, the new trend is toward much more modest goals and
technical requirements. Ironically, it seems that one of the central
doctrines of my organization, Computer Professionals for Social
Responsibility, has sunk in to the skulls of the cops and the spies:
don't count on technology to solve a social problem.

A look at technology, however, often sheds light on legal issues. What
makes modern Internet surveillance so hard is that the tools and
techniques used by criminals are precisely the same as those used by
those trying to stop the criminals (both the police and the civilians
trying to go about their everyday business). Technology wears neither
a black hat nor a white one, but lets its hair grow out all frizzy. So
entwined are the technologies of surveillance and the technologies of
law enforcement that one of the common objections law enforcement
proposals receive from security experts is, "The system you want to
put in place could be subverted by an intruder and put to criminal
use."

Echelon seems to be unshaken by all the controversy surrounding it,
but it hangs over the world like the ethereal ghost of the Cold War.
The U.S. has simply marshaled its old team of allies to send bits to
its number-crunchers instead of troops to Vietnam.

European protests (even though motivated more by envy than by
disapproval) shed light on the key tension brought by today's
globalization. On the one hand, international investment and trade
requires trust and a certain willingness to accept foreigners as one's
allies. Nobody gets away for long with the kind of xenophobia that led
the U.S. government to persecute Los Alamos researcher Wen Ho Lee; it
has already cost us some talented East Asian scientists.

On the other hand, businesses in each country can't resist trying to
gain advantage over foreign competitors, and enlisting all levels of
government in that cause, including spy agencies. Thus, the
communications infrastructure has joined such traditional resources as
food and energy in the fears felt by many countries over ceding
control to foreigners. The U.S. government hesitated this past summer
before letting a Japanese phone company buy an American ISP, and there
were anti-foreign rumblings in Congress against Deutsche Telekom's
purchase of an American wireless phone provider.

Still, the new world order is represented less by Echelon than by the
cybercrime treaty currently being drafted by the Council of Europe. It
requires or points to a need for all the new measures I listed in this
article: tapping the Internet, requiring ISPs to provide traffic and
content data, requiring users to surrender keys, and making certain
hardware and software illegal.

If this treaty is adopted, one might well see the British government
compel an ISP to preserve all the content of one of its customers
because that customer is a suspected supporter of a Basque separatist
group, for example, and to hand the content over to the Spanish
government. One might argue that only the Spanish authorities can
determine the best way to handle the violence produced by the Basque
conflict, but the chain of responsibilities opens up many questions
about how broad a category of suspects can become for the purposes of
surveillance. Not much time has passed since a scandal involving
Spanish government assassination of Basque politicians.

The Council of Europe and the United States lead the way in prying
open the Internet to police, but they are joined by many other
countries:

   * Japan passed a wiretap law in 1999 covering email and faxes as
     well as voice calls.

   * India has considered a law allowing police access to Internet
     traffic without a warrant.

   * Russia passed a law requiring all ISPs to let police look at any
     data they want in real-time, but a court declared it had gone
     too far.

   * An Israeli court also ruled that military authorities require a
     court order before checking email.

Nobody trusts law enforcement in any country, of course. Police have
consorted with and protected criminals in places around the world from
Boston to Karachi. Since the COINTELPRO scandal of the 1970s it's been
widely understood in the U.S. that "it can happen here." And
assurances by the FBI that Internet tapping will be restricted just
like phone wiretaps by the courts fall flat as details of their
Carnivore system are gradually uncovered.

Traditional telephone technology allows specific devices to be
installed by a phone company to record particular data about a
particular phone. The packetized homogeneity of the Internet, by
contrast, has an all-or-nothing quality. So Carnivore devices check
all traffic, simply picking out particular user addresses and
protocols according to the device's configuration. The FBI's promise
that Carnivore reads only email, and only targets a particular
court-authorized user, is just that: a promise. In fact, the
descriptions leaking out of Carnivore make it sound like a
sophisticated filtering device that offers tantalizing possibilities
for increasing the effective surveillance capabilities of police, not
restricting them.

Sometimes the Internet, as the new boy on the block, just provides a
convenient scapegoat. On December 15, the Clinton administration
released a report detailing the international spread of crime. The
Internet was implicated in such problems as money laundering, illegal
drug deals, and the transport of illegal immigrants (sometimes for the
purposes of slavery). Why is it easier to place controls on the
Internet than to follow drugs, immigrants, and other illegal
activities in the real world? The Internet is a powerful tool for
organizing people and for trading, but it will cease that role if it
becomes instead a tool for surveillance.

  --------------------------------------------------------------------

This opinion piece was originally printed at the American Reporter
site:

  http://www.american-reporter.com/

The article can be reposted in full for non-profit use.

----------------------------------------------------------------------
Andy Oram  O'Reilly & Associates, Inc.        email: andyo@oreilly.com
Editor     90 Sherman Street                     phone: (617) 499-7479
           Cambridge, MA 02140-3233                fax: (617) 661-1116
           USA                          http://www.oreilly.com/~andyo/
Stories at Web site:
The Bug in the Seven Modules     Code the Obscure     The Disconnected
----------------------------------------------------------------------



------- End of forwarded message -------