Spooks on the 'net

By Keith Parkins

A major battle is taking place in cyberspace for control of the 'net. In one corner the massed ranks of the intelligence services, in the other corner the public.

Electronic monitoring and eavesdropping pre-dates the 'net. In the US NSA, in the UK its smaller cousin GCHQ trawl the ether and tap into telephone lines. Major listening centres are around the world, within the UK Morwenstow in Cornwall, Menwith Hill in the Yorkshire Dales. At independence, the UK retained parts of Cyprus as UK Sovereign Territory, so important was the strategic position of Cyprus for eavesdropping.

The game has now changed. Internet facilitates an unprecedented level of monitoring, and yet simultaneous with this unexpected bonanza for the intelligence services the public now has access to powerful computers, and more importantly powerful encryption software, previous the preserve of the intelligence agencies, that enables the public to cloak itself in secrecy.

Governments around the world fear the 'net for two reasons - the public has unfettered access to information, if hard encryption is in use governments can not see what is going on. Both of which engender government paranoia. Put simply, governments do not, can not control the 'net. Governments have awoken to this one simple fact rather late in the day and my God does it hurt.

All sorts of scare stories and disinformation are fed to the media about the 'net. The media has been only too happy to repeat and add gloss to this disinformation as they too are losing control. The net is full of paedophiles, who can't wait to get stuck into your little kiddies; pornographers hang out in deep and dank corners; terrorists, drug traffickers, bombmakers and all other sorts of social miscreants are making full use of the 'net, poised to destroy life as we now know it.

Each of these stories has a small grain of truth, making them all the more believable to the computer illiterate. What is interesting is that they vary from country to country, each placing their own little spin to play on that country's phobias. In the US terrorists and bomb plotters, in the UK pornographers, especially child pornographers, in Malaysia (and don't laugh too loud) impure and incorrect thoughts. The real truth is that governments fear the 'net and will plant any scare story to justify their own desire for control.

This desire to control is because governments are losing control. It has nothing to do with crime, it has everything to do with controlling what we do, see and hear and monitoring our every thought and movement.

Crude attempts at controlling what we can see and read were tried in the US (Computer Decency Act) and fell at the first hurdle when the CDA was found to be unconstitutional. Attempts to invade our privacy have also failed.

In the US, where the 'net ironically started life as a military project to avoid control, there have been numerous crude and to date failed attempts to outlaw personal use of encryption. These have ranged from bans on encryption, other than that approved by the government and to which the government has a back-door key, to rather weak encryption systems for domestic use and extremely weak encryption systems for export. The latter to unable the US to spy with relative ease on its allies.

The rather poor encryption system for Web browsers allows a 128-bit key for domestic use, 40-bit key for export. A test message with a 40-bit key was broken by a student within hours of the message being released.

Recently the US has backed down under commercial pressure and allowed the export of browsers with a 128-bit key, but these have a US back-door.

The infamous attempts to introduce a mandatory encryption system met with universal ridicule and condemnation.

Not that any experienced 'net user would use anything as insecure as the above systems. 1024-bit keys are seen as the absolute minimum, with many users having much larger keys. This is all thanks to one pioneer, nay folk hero, Phil Zimmermann and his revolutionary package PGP.

Do we live in a free society or not? The experience of Phil Zimmermann indicates not. On the release of PGP, which spread around the world faster than a brush fire, he felt the full wrath of the totalitarian state. For three and a half very long years he was under investigation by the US Assistant Attorney General.

A major felony had been committed, or so it would appear. What was Zimmermann's crime? He took publicly available algorithms and turned them into a very powerful software encryption package. Worse than that, he placed hard encryption, previously the sole preserve of the state security apparatus into the hands of the people to protect them from the prying eyes of the state.

To the people Phil Zimmermann was a hero, to the state public enemy number one.

The situation in other countries is not much better. Several countries have banned the use of encryption. But I will concentrate on the situation I know best, the UK.

Following various leaks, the government finally published a paper on encryption. The paper itself was a disaster, it was badly written, extremely muddled in its thinking, and clearly written by person or persons who had not a clue either about the 'net, electronic commerce or encryption. The natural response to the paper was widespread ridicule, but it had to be stopped, just in case some dumb minister decided to enact legislation in its support.

Lessons were learnt, a second paper was published. Far better written, and clearly lessons had been learnt from the previous escapade. But it again was fundamentally flawed and questions had to be asked as to whether the government fully understood the Internet and how it worked.

The second paper assumed that it was possible to regulate the Internet by decree, forgetting that the Internet was designed to route around danger. It also made the fundamental flaw of assuming that there could be a compromise on encryption, good enough for commerce, but weak enough to allow surveillance.

In encryption there can be no compromise, either hard encryption and real security, or weak encryption and no security.

Possibly learning from the US fiasco with attempts to impose a government encryption system with a back-door key the UK tried a much more subtle approach. Use whatever encryption system you liked, but the government would have a copy of your key. If government can read your secret traffic then anyone can.

The UK paper had a second danger that most commentators overlooked. The government was going to move into the regulation of the encryption business. Anyone signing a PGP key would be offering an encryption service, as they would unlikely to be a government approved service, they would henceforth be guilty of a criminal offence.

The response to the second government attempt at regulation of encryption indicated it had been a universal failure. The response had been a resounding no. The government is now considering its next move.

In the US things just went from bad to worse, at least as seen from the government's viewpoint. Phil Zimmermann released PGP 5.0.

Encryption was now a doddle, all you had to do was hit an encrypt button, before the send button, the package would even download the recipient's key of the 'net if it was not already attached to your keyring. Worse was to come. Export bans were still in force, but these mean nothing on the 'net (cyberspace has no frontiers), further heightening government paranoia. The release of PGP 5.0 exactly followed the initial release of PGP, only now the world knew what to expect, PGP 5.0 appeared all over the world. To add to the farce the the source code was legally exported from the US and recompiled in Europe.

It is illegal to export PGP 5.0, illegal to export the electronic source code, but not illegal to export the source code in printed form. Nor is it illegal to actually place PGP 5.0 on the 'net, that is free speech under the US First Amendment. Ståle Schumacher took full advantage of this opportunity to ridicule the US by ordering a copy of the PGP source code, 12 volumes, 6000 pages, then spending the next two months with a scanner. By mid-1997 he had a UNIX version available.

Other people simply took PGP 5.0 from the US, and made it available on sites around the world.

The reaction of the US to being made a laughing stock around the world has been to propose Draconian legislation. It will be a criminal offence to encrypt, to use encryption the intelligence services do not have immediate access to, to design, sell or import effective encryption. These measures are currently being forced through Congress by the FBI in cahoots with NSA. No longer is the FBI (Federal Bureau of Incompetence) seen as the federal crime busting agency, for many Americans it is seen in the same light as Russians viewed the KGB at the height of the Cold War. Both were a threat to the individual and a free society, the FBI still is.

The US FBI/NSA bill is called SAFE - Security and Freedom through Encryption. Like all Big Brother acts it uses newspeak. It offers neither security nor freedom, and it would be difficult to imagine a more oppressive piece of legislation. Trials may be held in secret (disclosure of proceedings would be held to be contempt of court), the President is to be granted executive powers to waive any part of the act and to punish non-compliant governments.

The US is aiming to use its muscle to force governments around the world to enact the same legislation.

The US may find it has a fight on its hands. The US joined the Oslo Conference on a Global Landmine Ban, with the sole intention of destroying the treaty. The US bullied, and got nowhere. Eventually it had to withdraw with its tail between its legs when it found it had no support.

As the Oslo Conference showed, the world will no longer be bullied by the US and its security apparatus.

The Soviet Union and the Eastern Bloc collapsed, not because of an internal armed uprising or because the West had a vastly superior military advantage, it collapsed because it proved impossible to stop the free flow of information.

References

Duncan Campbell, Screw the Internet, Online, The Guardian, 17 September 1997

Duncan Campbell, Cops call the shots, Online, The Guardian, 25 September 1997

DTI, Licencing of Trusted Third Parties for the Provision of Encryption Services, March 1997

Paul Eddy, True detective stories, The Sunday Times Magazine, 10 August 1997

Ivo Dawnay, FBI comes under fire for fatal blunders, International News, The Sunday Telegraph, 14 September 1997

Wendy Grossman, DTI threatens privacy, The Daily Telegraph, 1 April 1997

Declan McCullagh, Building In Big Brother, 10 September 1997

Keith Parkins, UK Proposals for a Key Escrow System, July 1996, rev 6

Keith Parkins, Privacy in an Electronic Age, November 1996 rev 13

Keith Parkins, Why Use Pretty Good Privacy?, April 1997 rev 9

Keith Parkins, UK DTI Proposals for Licencing Third Party Encryption Services, May 1997 rev 1

Michael Smith, Tales of fear and loathing in the service, The Daily Telegraph, 25 August 1997

Mark Ward, The secret is out, New Scientist, 6 September 1997

Lauren Weinstein (Moderator), PRIVACY Forum Digest, Vol06 #13, 21 September 1997