[FYI] (Fwd) Re: Computer hard disc scanning by HM Customs & Exci

[Horns@t-online.de (Axel H. Horns)]

------- Forwarded Message Follows -------
Date:          Sun, 23 Aug 1998 18:46:03 -0400
To:            e-commerc@www.ispo.cec.be, el-democracy@www.ispo.cec.be
From:          Vin McLellan <vin@shore.net>
Subject:       Re: Computer hard disc scanning by HM Customs & Excise
Cc:            Dave Farber <farber@cis.upenn.edu>

 Reading the comments of the UK Customs and Excise spokesfolk about
their new policy of routinely scanning the digital memories carried by
travellers, one is struck by their apparent naivete, e.g.:
<http://www.open.gov.uk/customs/discscan.htm>

 Nothing bad could be happening since it is all done in the presence
of the traveller. The traveller is allowed to watch.  It's only a
"scan" for appalling digital smut -- although the process, as
described, involves copying the disk (and almost any "scan" allows
that, overtly or covertly.) It makes me wonder if they had any idea of
what kind of Pandora's Box they were opening.

 Two years ago, a gentleman at Hewett-Packard Labs in California --
the former head of R&D at Apple, as I recall -- mentioned on one of
the Internet newsgroups that senior HP executives had been warned by
US intelligence agencies that big-number cash bounties that had been
posted (where and by whom, it was not clear) for anyone who could
obtain the travel laptop of particular US computer industry
executives. The targets were identified by name and position.

 I suspect that the UK bureaucrats who thought up this search for
illicit images never considered that the digital soup they were
straining for porn in this low-level bureaucratic process might be
worth $100K or $500K or $1M on the black market. (They may not have
thought about how useful and productive their data-trap might look to
Her Majesty's own intel chaps either, although many suspect C&E's
naivete in that regard was brief.)

 Such casually intrusive and randomized search procedures are used for
low-value valuables. (I suspect DeBeer's couriers don't get their
wares pawed by junior staff who can't tell a diamond from a
rhinestone.) Information has always had potentially high value, of
course -- but even the post-industrial societies are still adjusting
to the way computers concentrate and create such value in data.  HM
C&E is not likely on the cutting edge here.  C&E officials have
probably been amazed at anger and passionate resentment many
knowledge-workers have shown toward their new policy.

 The C&E baggage inspector who only barely computer-literate is not
likely to realize how profoundly a traveller may feel violated by a
process which, by it's nature, necessarily offers Her Majesty's
government an opportunity to copy one or two Gigabytes of personal and
professional memories -- with the traveller forced to open encrypted
files as it they were just another "locked suitcase."

 At least until this UK initiative raised the possibility of routine
data searches, many of us typically travelled with almost all our
personal messages, diaries, as well as all our professional work for
the past two or three years in a laptop hanging from a shoulder strap.
(With my RSA SecurPC, it seemed safe, as well as readily accessible.) 
My outrage at the invasiveness and indignity of such a search would
probably shock someone who doesn't live and work online, the way I and
many others do.

 Corporate execs and couriers may have far more valuable files:
business plans, negotiation options, strategic plans, industrial
plans, prototype products, competitive analyses, corporate records of
all types. (Old and deleted files -- even unsaved data like
remote-access passwords and encryption keys dropped in swap or temp
files on a PC -- are often retrievable from a copy of a hard disk.) A
business traveller planning to negotiate a deal in the City, offer a
contract to a British firm, or set up a plant or office in the UK, may
now risk corporate treasure, as well as personal indignity, in
subjecting himself to such a C&E search.

 For some of us, a strip search and sodium pentathol session at the
C&E post would be less invasive -- but even the British bureaucrats
who came up with this policy would probably consider routine
truth-serum interrogations of travellers over the top: unreasonable,
uncivil, disprespectful, and likely to drive off tourists, merchants,
bankers, and traders who bring money and jobs to the UK.

 Most of us, of course, will immediately jump to Cyberspace, where
ready access to encrypted files on a server or website anywhere in the
world leaves them available, but largely secure from government
eavesdroppers (even when the recipient of the data transfer is in a
London hotel!) It only will be a very very stupid smut merchant who
gets caught by C&E's memory trap. On the other hand, damage done to
the British economy by C&E's routine searches of travellers' digital
memories may be apparent rather quickly.

 I know of several large multinational corporations that have
regular couriers who (daily or several times a week) carry sensitive
material -- usually in digital form, on a laptop or Zip disks -- from
their Paris offices to London, where it is encrypted and transmitted
to their corporate offices around the world. These firms, and others
with similar requirements, restrict the size of their French
installations (and investments) too.

 This happens because French law forbids any firm, operating within
France, from using strong encryption for either domestic or
international data transfers... unless they give the French
authorities the crypto keys that would allow the SCSSI to access,
copy, and potentially exploit those messages or data files.

 (French intelligence agencies -- like their counterparts in most
governments today -- are widely suspected of trying to steal
commercial and industrial secrets from non-French businessmen, and
using them to benefit French industrial and commercial interests.
France, not being a beneficiary of the Echelon net like the US and UK,
maybe has to try a little harder. In recent years, rumors have also
led many international flyers to believe, rightly or wrongly, that the
first class seats on Air France are wired by those same French
agencies for commercial espionage.)

 Now, I wonder if those corporate couriers will be taking the
Eurostar through the Chunnel next week? The couriers may lug
briefcases full of paper (which C&E is unlikely to read, or Xerox) for
a few days.  I suspect, however, that many of those firms are even now
urgently reviewing their telecom alternatives.  As the recent GILC
survey <http://www.gilc.org/crypto/crypto-survey.html> and the EC's
Copenhagen Hearings <http://www.fsk.dk/fsk/div/hearing/krypt.html>
make clear, more business-sensitive governments abound, even in
Europe.

 For the past two years, the dominant policies of the OECD and the
European Commission have been to foster electronic commerce by
respecting the legitimate needs of consumers and businessmen for
crypto-enabled confidentiality.  Some correlations between policy and
investment have been reported. Ireland recently announced what appears
to be one of the most liberal national policies, allowing for the use
and trade in crypto-enhanced software, among the Wassenaar
signatories: <http://www.irlgov.ie:80/tec/html/signat.htm> At the
time, a senior Irish official noted that his government believes that
its progressive stance on corporate requirements for crypto-based
confidentiality has led over 700 foreign firms to set up plants and
offices in the Emerald Isle.

 It makes you wonder at the cost-benefits of this British government
campaign to nail a few closet perverts?

 Suerte,
  _Vin

-----
"Cryptography is like literacy in the Dark Ages. Infinitely potent,
for good and ill... yet basically an intellectual construct, an idea,
which by its nature will resist efforts to restrict it to bureaucrats
and others who deem only themselves worthy of such Privilege." _ A
Thinking Man's Creed for Crypto  _vbm.

 *     Vin McLellan + The Privacy Guild + <vin@shore.net>    *
      53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548