TEMPEST - Electronic eavesdropping
Transient Electromagnetic Pulse Emanation Standard (TEMPEST) is the US standard defining the amount of electromagnetic radiation that a device may emit without compromising the information it is processing. In the US it is not illegal to possess TEMPEST-surveillance equipment but it is illegal to take appropriate counter-measures to prevent surveillance. The US government has refused to release details of its TEMPEST research and has restricted the dissemination of independent research by classifying it. The US Drug Enforcement Agency (DEA) makes use of TEMPEST secured electronics and computers as they believe that the drug cartels may possess surveillance equipment.

I am interested in gathering comments on the social, legal, ethical, and technical aspects of use of TEMPEST surveillance equipment in the US and Europe with the aim of including it in a discussion of the threats to computer/digital systems. Please reply by E-mail. I will provide a summary to anybody who requests one.

thanks,
- Rob Jackson

(more information on TEMPEST can be found in the paper "Eavesdropping On the Electromagnetic Emanations of Digital Equipment: The Laws of Canada, England, and the US" by Christopher Seline - available on FTP from csrc.ncsl.nist.gov)
R.O.Jackson-SE1@computer-science.birmingham.ac.uk says:
> In the US it is not illegal to possess TEMPEST-surveillance equipment but it is illegal to take appropriate counter-measures to prevent surveillance.
This is not true. This is an urban legend that dozens of fools keep posting over and over again. There is nothing illegal against shielding your equipment -- in fact you are legally obliged to reduce emissions so as not to interfere with radio and TV signals.

Perry
> In the US it is not illegal to possess TEMPEST-surveillance equipment but it is illegal to take appropriate counter-measures to prevent surveillance.

Can we get the urban folklore set clued into this one? Electromagnetic shielding is not illegal. On the contrary, in the USA, the FCC finds shielding highly desirable.

Eric
> In the US it is not illegal to possess TEMPEST-surveillance equipment but it is illegal to take appropriate counter-measures to prevent surveillance. The US government has refused to release details of its
Please provide a reference for this. We've discussed this _many_ times on this List, and the consensus is that no such law exists, nor is it plausible that folks could be told they cannot "shield" their computers. (In fact, FCC regulations call for various levels of RF shielding, as we all know. Is there a law which says "You must shield--but not _too_ much"? Of course not.)

I don't want to sound rude, but saying it is illegal to take appropriate counter-measures to prevent surveillance is a serious statement, requiring some support. (I'll look for the ftp paper you cite later...do you have a pathname handy in the nist ftp site?)

I can believe that _certain_ countermeasures, like active jamming with RF signals, may be somewhat restricted, but mainly for FCC reasons. I cannot believe that shielding a keyboard or computer, or using LCD displays to reduce Van Eck emissions, or even putting one's computer in a Faraday cage, could be illegal.
> TEMPEST research and has restricted the dissemination of independent research by classifying it.
Parts of the TEMPEST spec (and TEMPEST is not an acronym for anything, I understand) are classified, for various reasons, but this does not mean shielding or other countermeasures are forbidden. In fact, shielding supplies and TEMPEST-related supplies can be bought from several companies. Every time this thread comes up, someone cites the suppliers.
> The US Drug Enforcement Agency (DEA) makes use of TEMPEST secured electronics and computers as they believe that the drug cartels may possess surveillance equipment.
I'll phone Pablo Escobar and ask him.
> I am interested in gathering comments on the social, legal, ethical, and technical aspects of use of TEMPEST surveillance equipment in the US and Europe with the aim of including it in a discussion of the threats to computer/digital systems.
>
> thanks,
> - Rob Jackson
>
> (more information on TEMPEST can be found in the paper "Eavesdropping On the Electromagnetic Emanations of Digital Equipment: The Laws of Canada, England, and the US" by Christopher Seline - available on FTP from csrc.ncsl.nist.gov)
Lots of interesting stuff there. But where is the paper you cite? A pathname would be appreciated.

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power:2**859433 | Public Key: PGP and MailSafe available.
OK, I've just reread the Seline paper Rob Jackson was referring to (available by ftp at csrc.ncls.nist.gov::/pub/secpubs/tempest.txt--my thanks to Rob for providing the pathname to me). I say "reread" because this is the same 1990 paper that's been reposted several times to sci.crypt and here to the Cypherpunks list. Earlier I said, quoting Rob:
> > In the US it is not illegal to possess TEMPEST-surveillance equipment but it is illegal to take appropriate counter-measures to prevent surveillance. The US government has refused to release details of its
>
> Please provide a reference for this. We've discussed this _many_ times on this List, and the consensus is that no such law exists, nor is it plausible that folks could be told they cannot "shield" their computers.
...stuff elided...

Indeed, most of the Seline paper is devoted to the fact that the TEMPEST spec itself is classified, which is undoubtedly true. And the (unconfirmed) assertion that mere possession of RF intercepting gear that could be used to defeat TEMPEST is illegal. (I have doubts about this, given the various types of RF receivers, old television sets with manual tuners, etc. I suppose that if one were caught with an antenna, a tunable CRT able to "tune in" the emissions of a nearby--or distant--computer or CRT and display them the way the NSA's ELINT gadgets undoubtedly do, then this might be considered evidence of criminal intent--like burglar tools, password-cracking tools, etc. [And we've had this debate many times as well, with some saying possession of lockpicking tools is legal, others saying it's not, etc.])

However, nothing in the Seline report, flawed as it is (IMO), says "it is illegal to take appropriate counter-measures to prevent surveillance." That is, go ahead and shield away!

What I think the government is saying is this, and I have no idea if this is in fact law or if it would hold up in court:

* First, we (the government) have a TEMPEST spec we use to build equipment to. It tells our vendors how good their stuff has to be. We don't tell the public this spec, because this would help the Russkies and the Yellow Hordes, not to mention the French.

* Second, we (your public servants) have our own tricks and techniques and disclosing the TEMPEST specs would provide damaging information to our opponents (the Mob, the Serbs, the Cypherpunks, and the Republicans)--so we aren't talking. And we insist TEMPEST contractors also keep their mouths shut.

* Third, we (us again) will not allow _eavesdropping_ equipment to be publicly sold, whether for intercepting cellular phone calls, CRT emissions, whatever. You may find loopholes (telephoto lenses and giant parabolic mikes, so beloved of dicks), but we've basically outlawed this stuff.
(sorry if my irreverent tone and change of point of view is confusing here)

So, nothing about shielding or monitoring emissions (commercial RF leakage equipment is widely available and measures stuff down many dB from the unshielded level). Just don't build a Van Eck gadget and let others know about it (though, again, it's not clear how the courts would rule on this). And don't disclose TEMPEST specs.

For Cypherpunks, not too much to worry about. We don't want or need to play at being spooks by monitoring nearby systems, and shielding is available. That it's not used much, that we are "soft targets" for determined surveillance teams, and that we use PGP on insecure machines, etc., is all well-known. Everything has a cost, and most of us don't perceive a direct enough threat to our communications and computers to warrant working inside a local, Faraday-caged machine, keeping passwords in a separate laptop we carry with us at all times, etc.

What's important for us is to get crypto tools spread ubiquitously. The rest can come later.

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power:2**859433 | Public Key: PGP and MailSafe available.
participants (4): hughes@ah.com, Perry E. Metzger, R.O.Jackson-SE1@computer-science.birmingham.ac.uk, tcmay@netcom.com