December 23, 2000


by Andy Oram
American Reporter Correspondent

CAMBRIDGE, MASS.—Government surveillance was the most pressing policy issue in cyberspace this past year. (Intellectual property issues, which I consider in an upcoming article, come in for a close second.) The wildly divergent proposals popping up around the world make it hard to tease out a trend, but a long-range historical look suggests that a shift in strategy is underway globally.

A public debate has finally begun over Echelon, a global tracking system that seems right out of a spy novel, and whose very existence was denied by the people running it up until this year. In another trend showing the reach of the law, numerous governments are imposing requirements on Internet service providers to preserve information on users and help law enforcement track their meanderings online.

On the other hand, the Clinton Administration has removed almost all the old restrictions on the export of encryption (a fundamental tool for hiding communications). FCC regulations extending wiretap technology to digital telephones were partly rejected last August by a court that said the FCC had given the FBI too much leeway for snooping.

I can see a direction in all the current developments by dividing policies into those that have failed and those that hold out new promise. In general, the more ambitious technological solutions have failed, while legal solutions are still being explored.

The failed surveillance solutions include:

Key escrow.

This proposal would require users of computer encryption to store the keys decrypting their data in a central location (a “trusted third party”) where they could be obtained by the government (and hopefully no one else) following careful legal procedures to prevent abuse, or so the story goes. The concept behind key escrow is a veritable Maginot Line of bad planning. The technology to make it work doesn’t exist, the central store would be vulnerable to numerous technical and human attacks, and—most damning to the proposal—criminals would simply ignore it and use keys obtained in other ways. Still, key escrow become law enforcement’s main Internet-related proposal in the U.S., Britain, and elsewhere for most of a decade, and hung around in various forms from 1993 till the past year. It has never formally been renounced, but government officials are notably silent about it as they debate newer surveillance systems.

Controlling the spread of encryption.

For half a century the U.S. Department of Commerce has classified computer encryption as a form of munitions and limited its export to forms that are easy to crack. This bit of bureaucratic blindness has proved amazingly effective in discouraging corporations from creating mass-market products using cryptography, and its significance has been recognized by leading forces on both sides of the debate over privacy. The restrictions were twice challenged in court (Bernstein v. US Dept. of State; Junger v. US Dept. of State) on the grounds that computer code is a form of speech, both cases winning successful rulings so far . As recently as 1998, Western governments were trying to generalize this Luddite approach to security in an international treaty. But as businesses argue the importance of privacy to policy-makers, the moat of export restrictions in the U.S. has gradually been reduced to a puddle over the past year and a half, and it looks likely to dry up entirely the next time the sun comes out.

Total surveillance.

Rumors that the NSA was checking all Internet traffic go back more than 30 years and have become a standing joke. Yet this is precisely the solution Echelon attempts to provide, and more: every phone conversation, every email, every fax, every microwave transmission, is trapped by a satellite or routing hub and checked for suspicious content. The resources required to carry this off are mind-boggling, and there’s no evidence it’s very successful. As with key escrow, the system has not been formally renounced, and many readers will disagree with my hunch that it’s being abandoned. But a telescreen in the middle of the wall is a lot less useful than a hidden microphone: a tracking system like Echelon loses much of its value if everybody knows it’s there. Furthermore, because Echelon is controlled by the U.S. in collaboration with other English-speaking nations around the world, and because they have already admitted that material picked up by Echelon has been used to promote the interests of at least one U.S. corporation, so-called allies in Europe are furious.

So those are my guesses concerning surveillance systems that are dying. Now for the new ones that seem to replacing them.

Tapping the Internet like a phone wire.

That’s the principle behind the FBI Carnivore system that has been in the news a lot recently.

Requiring Internet service providers to collect information.

What you can’t achieve on a global scale from 22,000 feet above the ground, you might be able to accomplish on a more intimate level by pressing ISPs into service. Numerous countries have proposed or legislated schemes to make ISPs preserve information for, or provide information to, law enforcement. Some proposals would have each ISP hold email for months after it passes through their hubs (that’s a lot of disk space!). Some assume a wire going directly from the ISP’s hub to the police station, so that police forces addicted to secret information can mainline it at a whim. A recent controversial initiative from the European Union (the “cybercrime” treaty) would force ISPs to cooperate not only with local governments but with foreign ones. These surveillance proposals are related to another interesting trend: that of making ISPs (or anyone else hosting content on their systems) maintain information on the people who put up content.

Requiring suspects to give law enforcement their encryption keys.

While this court-based strategy is much more transparent and technically feasible than key escrow, it places serious risks on anyone who dares to use encryption. As numerous critics pointed out when the British parliament put this controversial policy in their Regulation of Investigatory Powers Act 2000, what if somebody deletes a key by mistake and is later considered a criminal because he can’t surrender it?

Making hardware and software illegal.

The attempt to define certain devices as having a “primary purpose” that is illegal goes back many years. The arrogance of such a definition becomes even greater when it is applied to software, which is much more malleable and offers greater potential for development than physical devices. The clause of the 1998 U.S. Copyright Act that makes it illegal to “circumvent a technological measure” installed by copyright holders is notorious.

As you can see, the new trend is toward much more modest goals and technical requirements. Ironically, it seems that one of the central doctrines of my organization, Computer Professionals for Social Responsibility, has sunk in to the skulls of the cops and the spies: don’t count on technology to solve a social problem.

A look at technology, however, often sheds light on legal issues. What makes modern Internet surveillance so hard is that the tools and techniques used by criminals are precisely the same as those used by those trying to stop the criminals (both the police and the civilians trying to go about their everyday business). Technology wears neither a black hat nor a white one, but lets its hair grow out all frizzy. So entwined are the technologies of surveillance and the technologies of law enforcement that one of the common objections law enforcement proposals receive from security experts is, “The system you want to put in place could be subverted by an intruder and put to criminal use.”

Echelon seems to be unshaken by all the controversy surrounding it, but it hangs over the world like the ethereal ghost of the Cold War. The U.S. has simply marshaled its old team of allies to send bits to its number-crunchers instead of troops to Vietnam.

European protests (even though motivated more by envy than by disapproval) shed light on the key tension brought by today’s globalization. On the one hand, international investment and trade requires trust and a certain willingness to accept foreigners as one’s allies. Nobody gets away for long with the kind of xenophobia that led the U.S. government to persecute Los Alamos researcher Wen Ho Lee; it has already cost us some talented scientists of East Asian parentage.

On the other hand, businesses in each country can’t resist trying to gain advantage over foreign competitors, and enlisting all levels of government in that cause, including spy agencies. Thus, the communications infrastructure has joined such traditional resources as food and energy in the fears felt by many countries over ceding control to foreigners. The U.S. government hesitated this past summer before letting a Japanese phone company buy an American ISP, and there were anti-foreign rumblings in Congress against Deutsche Telekom’s purchase of an American wireless phone provider.

Still, the new world order is represented less by Echelon than by the cybercrime treaty currently being drafted by the Council of Europe. It requires or points to a need for all the new measures I listed in this article: tapping the Internet, requiring ISPs to provide traffic and content data, requiring users to surrender keys, and making certain hardware and software illegal.

If this treaty is adopted, one might well see the British government compel an ISP to preserve all the content of one of its customers because that customer is a suspected supporter of a Basque separatist group, for example, and to hand the content over to the Spanish government. One might argue that only the Spanish authorities can determine the best way to handle the violence produced by the Basque conflict, but the chain of responsibilities opens up many questions about how broad a category of suspects can become for the purposes of surveillance. Not much time has passed since a scandal involving Spanish government assassination of Basque politicians.

The Council of Europe and the United States lead the way in prying open the Internet to police, but they are joined by many other countries:

Nobody trusts law enforcement in any country, of course. Police have consorted with and protected criminals in places around the world from Boston to Karachi. Since the COINTELPRO scandal of the 1970s it’s been widely understood in the U.S. that “it can happen here.” And assurances by the FBI that Internet tapping will be restricted just like phone wiretaps by the courts fall flat as details of their Carnivore system are gradually uncovered.

Traditional telephone technology allows specific devices to be installed by a phone company to record particular data about a particular phone. The packetized homogeneity of the Internet, by contrast, has an all-or-nothing quality. So Carnivore devices check all traffic, simply picking out particular user addresses and protocols according to the device’s configuration. The FBI’s promise that Carnivore reads only email, and only targets a particular court-authorized user, is just that: a promise. In fact, the descriptions leaking out of Carnivore make it sound like a sophisticated filtering device that offers tantalizing possibilities for increasing the effective surveillance capabilities of police, not restricting them.

Sometimes the Internet, as the new boy on the block, just provides a convenient scapegoat. On December 15, the Clinton administration released a report detailing the international spread of crime. The Internet was implicated in such problems as money laundering, illegal drug deals, and the transport of illegal immigrants (sometimes for the purposes of slavery). Why is it easier to place controls on the Internet than to follow drugs, immigrants, and other illegal activities in the real world? The Internet is a powerful tool for organizing people and for trading, but it will cease that role if it becomes instead a tool for surveillance.

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

Member, Computer Professionals for Social Responsibility
Editor, O’Reilly Media
Author’s home page
Other articles in chronological order
Index to other articles