. . . . Actually, it is one of those edge-defying, generation-splitting, turn-the-world-upside-down moments in history. It is a struggle between two different visions of American society. One side sees the private use of encryption as a way to safeguard the records and property of U.S. citizens from the prying eyes of computer hackers, thieves, terrorists and the U.S. government. The other side is the U.S. government, which sees itself as the guarantor of security in the newly discovered land of cyberspace. And to provide that security the government says it has to have the power, at any given moment, to look into anyone's e-mail, bank accounts, financial transactions, information exports and dangerous ideas. Our whole practice of governing is based on geographic concepts -- jurisdiction in delineated districts, authority flowing from citizens voting by precinct, taxes based on property in a given place or on salaries reported to and scrutinized by powerful agencies.

. . . . But the Internet is everywhere and nowhere. If people slip into cyberspace covered in the stealth garment of encryption to perform transactions, express their ideas, transfer payments and export technology, who's to know what is happening? How will taxes be assessed and collected? How will commerce be measured? How will the professions be regulated if everyone has access to legal or medical information? What will bureaucrats do without people to boss around? How will ideas be controlled? For those who believe that strong government should be the molder and protector of its citizens -- well then, citizens acting behind the cloak of encryption could be a fundamental threat to government. They are enemies of the state.

. . . . Encryption has been around since the earliest times. Elizabethan poets and spies were versed in "cypher." Samuel Pepys wrote his famous diaries in cypher to hide his accounts of his dalliances. William Byrd of Westover wrote the first major literary work in North America -- his diaries -- in his own code. Thomas Jefferson and his protégé, James Monroe, corresponded in cypher and continually were complaining that the key was mislaid or gone astray.

. . . . Modern encryption is based on the use of a unique, private numeric "key" which opens a "public key" that even may be published in the marketplace of the Internet. The length of the string of numbers, or "bits," in the private key determines how difficult it is to crack the code. The Clinton administration has decreed that persons in the United States can export encryption products that use up to 56 bits in the key's algorithm; to export a longer and stronger product, the user must agree to put the key "in escrow" where it can be subpoenaed by law-enforcement authorities. But foreign users understandably do not want to place their keys in escrow available to U.S. authorities. And 56-bit encryption is not as secure as the federal government has claimed: In a recent test, a group of private computer experts with desktop computers cracked the 56-bit code in less than 24 hours. More secure 128-bit encryption is widely available around the world, including the United States, but it is illegal to export any product that uses it (see sidebar, below).

. . . . The SAFE bill would modernize U.S. export controls to permit the export of generally available software and create criminal penalties for the knowing and willful use of encryption to conceal evidence of a crime, but specifies that the use of encryption by itself is not probable cause of a crime. "The reasons why they have insisted on those export controls is to attempt to force the software industry to devise a key-recovery or key-escrow system whereby everybody's computer has a back door that law enforcement can access without their knowledge," Goodlatte tells Insight. American citizens "are not as secure as they could be because encryption has not grown to the strength that it should be to protect the actions of law-abiding citizens."

. . . . The use of encryption by private individuals and business enterprises is a good way to fight crime, Goodlatte believes, by stopping crime before it happens. "Because encryption is already widely available, [law-enforcement authorities] will still have a problem whether my bill passes or not," he says. "Individuals bent on using encryption to cover up their activities for criminal purposes can buy it from literally hundreds of sources. To cite an adage that applies in another area: If you outlaw encryption, only outlaws will have encryption." Indeed, a recent study by the George Washington University School of Engineering and Applied Science backs up Goodlatte. It found good encryption programs available outside the United States on more than 800 Websites.

. . . . Of course, robust encryption available to any citizen might thwart the special vision of an administration that believes that government must be the protector of its citizens.

. . . . It may be a touch exaggerated, but many citizens feel like the eager young criminal lawyer played by Will Smith last year in the movie Enemy of the State. When Smith unknowingly comes into possession of evidence that a secret federal agency is committing criminal acts, he finds himself targeted in a bizarre night-and-day chase through streets, markets and high-rise buildings -- all with the obligatory black helicopters hovering overhead.

. . . . Dramatic license aside, there are signs in that events are inching toward that fantastic scenario. Most disturbing were the detailed revelations by a panel of the European Parliament that the United Kingdom and the United States, joined by Canada, Australia and New Zealand, have been engaged in international surveillance of the communications of each other's citizens for years in a joint signals-intelligence consortium code-named ECHELON (see sidebar; for an earlier report, see news alert!, Aug. 17, 1998). Although Attorney General Janet Reno and other officials assert that encryption must be controlled to stop terrorists and child pornography -- two powerful, but demagogic arguments -- it appears the real reasons lie elsewhere. After all, as Reno admits, international terrorist Osama bin Laden already has cryptography and child pornographers are best caught the old-fashioned way: by baiting them into their own trap. The fact is that routine use of strong encryption by law-abiding citizens and enterprises would shut down citizen-surveillance projects such as ECHELON.

. . . . The battle to block widespread use of private encryption and to extend government surveillance has emerged on many fronts in the last few months:

• The administration has put on a full-court press to block the SAFE bill. Goodlatte and his 258 cosponsors are on one side; on the other are the president, the secretaries of state and defense, the directors of the CIA and FBI and the attorney general, who all have risen up to attempt to defeat the legislation. And they have corralled a few of the GOP's old bull elephants --including House Armed Services Committee Chairman Floyd Spence of South Carolina and House Permanent Select Intelligence Committee Chairman Porter Goss of Florida -- to run interference on Capitol Hill. But HR850 safely has run the gauntlet of three House committees in sequential referral -- Judiciary, Commerce and International Relations. It ran aground, however, in Spence's and Goss' panels. Both committees stood the bill on its head, adopting the administration's position that SAFE would abet terrorists and child pornographers. No matter. "They are, in effect, sending alternative suggestions to the [House] Rules Committee; they don't amend my language," says Goodlatte. Judiciary is the main committee of jurisdiction, and its bill now is before the Rules Committee, chaired by Rep. David Dreier of California, for possible action in September. Sources in the Rules Committee tell Insight that the cards are being held close to the chairman's vest, but Dreier happens to be a cosponsor of the Goodlatte version.
• The Justice Department has sought the "cooperation" of private industry to exchange security data in eight areas of "critical infrastructure," including telecommunications, transportation, water supply, oil and gas production, banking and finance, electrical generation, emergency services and essential government. "The NIPC [National Infrastructure Protection Center] was established to deter, detect, analyze, investigate and provide warnings of cyberthreats and attacks on the critical infrastructures of the United States, including illegal intrusions into government and private-sector computer networks," Reno told the Senate Appropriations Committee on Feb. 24. "NIPC will play a major role in the national plan for cyberprotection functions." Reno went on to note that "the administration is not currently seeking mandatory controls on encryption, but instead is working with industry to find voluntary solutions." But banking officials, for example, are extremely experienced in detecting and preventing computer intrusions because of the vast sums at stake. "It is difficult to imagine that a government that can't even keep our top nuclear secrets safe could teach financial institutions about security," a source close to the banking industry tells Insight. Besides, the source says, banking officials, after meeting NIPC, were appalled at the range of information the government is seeking -- including detailed access and transaction codes of customers.
• The Justice Department has been planning to establish the Federal Intrusion Detection Network, or FIDNET, which continually would monitor the Internet for intrusions, at a cost of $1.5 billion. According to a study by the Center for Democracy and Technology of a restricted draft document, FIDNET would be an intrusion-detection monitoring system for non-Defense Department government computers. Intrusion-detection monitors installed on individual systems or networks would be "netted" so that an intruder or intrusion techniques used at one site automatically will be known at all sites. But the draft plan says that the goal is to have similar monitoring sensors installed on private-sector information systems. As soon as the draft document began circulating on Capitol Hill, the House Appropriations Committee quietly axed the budget request for FIDNET on July 30.
• On Aug. 5, President Clinton issued an executive order setting up a "Working Group on Unlawful Conduct on the Internet." The working group is to make a report on whether there are enough federal laws to deal with unlawful conduct and whether new technology and capabilities might be needed for effective investigation and prosecution of unlawful conduct within the context of administration policy which supports industry self-regulation "where possible."
• The Justice Department, which has prosecuted and threatened prosecution against a number of nongovernment experts who want to publish their encryption programs on the Internet, is appealing the May 6 decision of the 9th U.S. Circuit Court of Appeals in Bernstein v. U.S. Department of Justice that encryption is protected speech under the First Amendment. Daniel Bernstein, a professor in the Department of Mathematics, Statistics, and Computer Science at the University of Illinois at Chicago, developed an encryption system that he wanted to post on the Internet for discussion. The State and Commerce departments ruled that to do so he would have to declare himself an arms dealer and apply for an export license, which was refused.
• The FBI -- which was denied the right to require cell-phone companies to install equipment that would give real-time information to track the location of cell-phone users (even when the instrument is on standby) in the 1994 Communications Assistance for Law Enforcement Act -- has been working with the Federal Communications Commission to establish standards which would do the same thing without legislation. According to James X. Dempsey of the Center for Democracy and Technology, "The FBI has sought a 100 percent solution -- a comprehensive examination of the nation's evolving telephone systems that would address all potential law-enforcement problems in a single 'standard' for use by switch manufacturers." In addition to location tracking, he says, the FBI and industry have proposed "allowing companies to deliver the entire packet data stream, including the content of all communications, when law enforcement is entitled to receive only dialing or signal information." In addition, the FBI is attempting to collect all numbers dialed, "including credit-card and bank-account." The FBI also is seeking an enormous increase in capacity: the ability to tap one out of 1,000 phone lines in a given locality at the same time, or the ability to monitor 74,250 phone lines at once -- 10 times the number of surveillance orders in 1993.
• U.S. Postmaster General William Henderson proposed on May 17 that the Internet go postal. He wants the post office to become the custodian of all e-mail addresses, mapping them to specific geographic locations, as well as processing bill payments, purchase transactions and being "the residential deliverer of choice for purchases made on the Internet." Describing the post office as a trusted third party, Henderson said, "We would own the physical address and we would maintain it. All that information that . . . our customers have developed around a physical address could now migrate through the Internet and be a part of commerce."

. . . . "The underlying belief is that American citizens really need to be policed," Shari Steel, director of legal services for the Electronic Frontiers Foundation, tells Insight. "They are putting it on themselves to look at every citizen. They are just willing to trample all over civil liberties to find the isolated criminal. These issues are clearly related to who has the right to make the decisions for all of us, the right to make big societal decisions as to what's good for all of us. Almost all of us online believe that citizens have the right to protect our integrity. Really, technology gives us the solutions to protect out autonomy."

A Backdoor to Your PC

. . . . The White House is seeking new legislation to allow law-enforcement agents to enter the back door of anyone's computer without the owner being aware. An Aug. 4 Department of Justice internal memo obtained by Insight analyzes a proposed "Cyberspace Electronic Security Act of 1999," or CESA, which the department is planning to send to Capitol Hill. CESA sets up a framework for protecting the stored recovery-key system, or key escrow, which the computer industry steadfastly has rejected -- thereby showing that the Clinton administration is determined to win on this issue, despite overwhelming sentiment behind HR850, Virginia Republican Rep. Bill Goodlatte's bill in the House. It provides a way for law-enforcement agents to obtain recovery keys from the keyholder and states that "there is no constitutionally protected expectation of privacy in the plaintext [a term used by encryption experts to denote an ordinary message in its original meaningful form] of encrypted data" -- contrary to the recent ruling of the 9th U.S. Circuit Court of Appeals in Bernstein v. DOJ that encryption is constitutionally protected.

. . . . But even if the key to encrypted text is not stored with a third party, the government wants access. The memo notes, "In the pre-encryption world, this problem did not arise." Therefore, it concludes, "the government will need another way to obtain encryption keys," including "a search warrant with the possibility of delayed notice," and "the alteration of hardware or software that allows plaintext to be obtained even if attempts were made to protect it with encryption."

. . . . According to the Electronic Privacy Information Center, the White House plan would enable federal and local law-enforcement agents secretly to break into private premises and alter computer equipment to collect e-mail messages and other electronic information. "It's really a little hard to believe that they would be seriously proposing this," EPIC's counsel, David Sobel, tells Insight. "This is beyond the wildest imagination of the most paranoid people who have been following this issue over the years -- it's one of the scariest proposals to come out of government in a long time. This strikes at the heart of the Bill of Rights."

Listen Up, ECHELON

. . . . The report prepared for the European Parliament by its Scientific and Technological Options Assessment panel, or STOA, confirmed in April that ECHELON's giant antennae distributed among the five countries monitors all communications broadcast by satellite and microwave relays, including voice and data streams. Submarine pods, attached to undersea cable by induction coils, monitor the Internet and cable traffic. Information is passed through so-called "dictionary" computers that sort out the data by looking for keywords. The information "is used to obtain sensitive data concerning individuals, governments and trade and international organizations," says the STOA report, asserting that the information is used not only for military intelligence but also to promote commercial contracts. As usual, U.K and U.S. officials have declined comment but, on May 23, Martin Brady, director of the Australian Defense Signals Directorate, or DSD, in Canberra stated that DSD "does cooperate with counterpart signals-intelligence organizations overseas under the UK/USA relationship."

Encryption as Protected Art

. . . . Encryption is an essential part of the right to human expression protected under the Constitution. Ironically, the Central Intelligence Agency, one of the lead agencies attempting to limit the use of encryption, is the home of a well-known artwork, Kryptos, the work of Washington sculptor James Sanborn. The giant bronze piece has stood like an upended parchment in a secret courtyard of the agency since the 1980s, covered with 865 characters arranged in rows. But the best cryptographers at CIA have not yet cracked the code completely, though the message is slowly yielding to efforts of top code breakers.

Copyright © 1999 News World Communications, Inc.