
--- begin forwarded text

X-Authentication-Warning: fma66.fma.com: majordomo set sender to owner-espam@lists.espace.net using -f
X-Orig-From: rah-web <rah@shipwright.com>
X-e$pam-source: Various
X-Sender: rah@pop.sneaker.net
Mime-Version: 1.0
Date: Sat, 20 Sep 1997 14:15:00 -0400
To: espam@intertrader.com
From: Robert Hettinga <rah@shipwright.com>
Subject: Guardian: Screw the Internet
Sender: owner-espam@lists.espace.net
Precedence: bulk
Reply-To: e$@thumper.vmeng.com

---------------------------------------------------------------------
This mail is brought to you by the e$pam mailing list
---------------------------------------------------------------------

From: rah-web <rah@shipwright.com>
Reply-To: rah@shipwright.com
MIME-Version: 1.0
To: Robert Hettinga <rah@shipwright.com>
Subject: Guardian: Screw the Internet

http://go2.guardian.co.uk:80/theweb/874505219-crypt.html

Content-Type: text/plain; charset=us-ascii; name="874505219-crypt.html"
Content-Disposition: inline; filename="874505219-crypt.html"
X-MIME-Autoconverted: from 8bit to quoted-printable by lbo.leftbank.com id LAA08197

Spooks on both sides of the Atlantic are intent on retaining their power to monitor the world's telecoms traffic, writes Duncan Campbell

Screw the Internet

INTELLIGENCE AGENCIES in the US have stepped up their campaign to control the flow of information over the Internet, counterattacking an unholy alliance of civil libertarians and business chiefs who back the introduction of secure encryption technologies to protect personal privacy and commercial data online.

Last Thursday in Congress, lobbying by the FBI and the National Security Agency won amendments to a draft pro-encryption law known as Safe (Security and Freedom through Encryption). The House Intelligence Committee replaced rights to sell effective encryption systems to the world with regulations to ban even US citizens from using them.

The agencies and their political backers are now demanding that any American whose electronic communications cannot immediately be read by US intelligence should, after January 2000, face up to five years' imprisonment. Furthermore, they want the US to use its political and industrial power to force the rest of the world to follow suit.

Battle resumes in Washington a week today, when the likely more sympathetic House Commerce Committee will provide its review of the Safe law for Congress to consider. That done, Congressional leaders and the White House will have to negotiate which version of the Safe bill is to be taken ahead.

If the new version of the bill succeeds, it will be illegal in the US to make or sell encryption systems unless the government can break the code and have "immediate access" to the contents of messages or phone calls.

In Britain, the new government has soon to decide what line to take in this little-understood war that has almost paralysed the development of electronic commerce. Under pressure to formulate standards, New Labour has to decide if it wants to face the economic penalties of giving in to the spooks.

If the secret agencies win, the losers will also be ordinary users of electronic commerce or e-mail. Without encryption to scramble the contents of messages, reams of Internet traffic can be read easily, not just by intelligence agencies, but by miscreants with direct access to the Net through routers or local area networks.

E-mail is less secure than an ordinary telephone call, since ordinary telephone calls are connected "point to point" by a precise route rather than being broadcast between routers and into networks. Without encryption, e-mail containing sensitive private information or financial details, such as credit card numbers, can be read at numerous points as messages pass through the Net.

This complex but fundamental issue for everyone in the information society has been made politically more difficult by an initiative launched in the dying days of the last government. Just before the election was called, the Department of Trade and Industry unveiled its version of the US system for ensuring that the government could read everyone's private communications.

The DTI's version is a network of licensed agencies that would provide (and keep copies of) everyone's encryption codes, or keys. If sent a warrant, these Trusted Third Parties, or TTPs, would hand over keys at one hour's notice - a less demanding requirement than the latest US plans, but no less absurd or impossible to engineer, say Internet specialists. Plans to hold everyone's keys in central registries have also been slammed for creating a huge security threat, because everyone would be at risk if crooks were able to get into the central database.

DTI officials were unprepared for the torrent of protest, abuse and reasoned objection that has arrived on their desks since early this summer. The former government's proposals have, it is understood, attracted not a single unqualified supporter. They were condemned out of hand by industry leaders, academics and civil libertarians alike.

David Svendsen, head of Microsoft in the UK, says that "the DTI's plans are unworkable, unwieldy and unacceptable. Setting up a bureaucratic structure to regulate encryption services will isolate the UK from global electronic commerce. It will force us all to look elsewhere for barrier-free encryption technology, while UK plc will foot the bill."

The battle in the US Congress follows setbacks for the intelligence agencies, which have been fighting to stop effective encryption systems from being exported. Classifying encryption software as "munitions", the US government banned the export of systems with key lengths (see Cracking the code, opposite) long enough to make them uncrackable.

Thus, while Americans who use Web software browsers to make "secure" credit card purchases benefit from built-in encryption with strong 128-bit keys, Europeans have until now been permitted to use only weakened and insecure 48-bit keys. In August, the US government gave in to commercial pressure to relax restrictions, and non-US users of software to browse the Internet are already being offered upgrades to provide full 128-bit security. The catch, which is not being advertised, is that the licensees must provide the US government with backdoor access to the new systems.

The extent to which this area of information technology has been held back is already remarkable. It's now 20 years since fundamental advances in mathematics created unique but simple new ways of encoding messages, known as public key cryptography, that did away with the need to exchange keys or codebooks before encrypted messages could be sent.

In 1977, long before the Net reached its modern form, three mathematicians - Rivest, Shamir and Adleman - showed how to implement this revolution. Their RSA algorithm allows users to create separate "public" and "private" keys.

To use a public key cryptography system to, say, send a private message to OnLine, you would first obtain OnLine's published key. Many Net users (but not yet OnLine) publish such keys on their Web sites or in directories. You then scramble the message using the public key, and send it. The message can be decoded using only a matching private key, which only OnLine would have.

The RSA algorithm is available for use on the Net, or for file protection, using a program called Pretty Good Privacy, or PGP, whose inventor, Colorado computer consultant Phil Zimmermann, is a Net legend. His reward for inventing PGP was not scientific accolade, but arrest and prosecution by the FBI. For having created PGP, he was accused of exporting munitions. Charges against Zimmermann were dropped only last year.

Recognising that there could never be uniform international agreement to lock away cryptography as nuclear weapons are locked away, governments and information acquisition agencies have tended instead to attempt covertly to regulate encryption. This has taken the form of patent secrecy orders, attacks on research funding, the undermining of the international standardisation of cryptography, the harassment of inventors and commercial organisations, and legislative campaigns to restrict their work.

In the shadows behind these events hide communications intelligence agencies - the US National Security Agency and Britain's Government Communications Headquarters (GCHQ). For 50 years, they have harvested intelligence from monitoring the world's international communications network. This activity is threatened by large-scale encryption. Historically, huge codebreaking resources have been used to try to break the codes of hostile states. But to use the same methods and resources against the mass of ordinary international communications would be costly and futile.

The scale of NSA operations is staggering. Tens of billions of messages are intercepted every year. All international communications by satellite or undersea cable, and many domestic communications can be collected by taps or via satellite interception stations. GCHQ's interception station at Morwenstow near Bude, Cornwall, was built almost 30 years ago to spy not on the Soviets but on the West's international communications satellites, Intelsat.

NSA's and GCHQ's electronic tentacles still reach round the world, and into the heart of Western policy making. Within the DTI, the director of technology policy and innovation, David Hendon, makes no secret that a substantial input to his work comes from GCHQ. At the European Commission, a former official of GCHQ's Communications Electronic Security Group, David Herson, has been steering EU policy on information security.

Critics such as Ross Anderson, the computer security specialist based at Cambridge university, have accused them of being stooges for NSA.

The DTI has hired consultants to summarise the responses to their TTP proposals, and hope to publish a summary in the autumn, together with policy proposals. The risk is that officials are still locked into the same Neanderthal security agenda that once branded the Home Secretary a subversive threat to the nation. Advice to ministers trying to understand this most complex part of the IT brief will need to balance the UK's national economic interest against the concerns of security officials anxious to maintain the intelligence service's "special relationship" with the US.

Until last week's events, US attempts to control strong encryption had faced setbacks. Three weeks ago, a federal judge in San Francisco ordered the US government not to take action against Chicago academic Daniel Bernstein if he published encryption software on the Net. Export restrictions, said Judge Marilyn Patel, violated Bernstein's constitutional right to free speech.

And US attempts to lobby the European Union and the OECD into backing an international system of cryptographic controls have failed. Despite US support from Britain and France, both organisations have backed and encouraged open use of cryptography (albeit with qualifications).

The continued campaign against effective cryptography is still being fuelled by the raising of alarms about the potentially antisocial use of the Net, including those which Net enthusiasts cynically dub the "Four Horsemen of the Infocalypse": terrorists, drug traffickers, paedophiles and organised crime. But the argument is specious. Forcing honest individuals and companies to turn over their keys or to use only licensed keys will not prevent criminals from using strong encryption outside of the mandatory system.

Labour's policy, formulated before the election, had it right: "It is not necessary to criminalise a large section of the network-using public to control the activities of a very small minority of law-breakers." (http://www.labour.org.uk/views/info-highway/content.html)

Last year, EU adviser and ex-GCHQ official David Herson was astonishingly candid about the real reason for playing on fears about the Net activities of terrorists and paedophiles. "Law enforcement is a protective shield for all the other governmental activities," he told two European journalists. "We're talking about foreign intelligence . . . that's what this is all about. Law enforcement is a smoke screen."

If New Labour sticks to the policy adopted before the election, it should have little difficulty reaffirming its view that attempts to control the use of encryption technology are "wrong in principle, unworkable in practice, and damaging to the long-term economic value of the information networks".

But if intelligence agency dinosaurs get their way, they will jeopardise not just personal privacy but the economic rewards of Net commerce. The winners will be those countries, such as Germany and many of those in Asia, that by rule of law or through commercial instinct stay resistant to NSA's and GCHQ's intelligence imperatives.

[Duncan Campbell is a freelance writer and broadcaster, and not the Guardian's crime correspondent of the same name]

17 September 1997

--- end forwarded text

-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/