CFP'93 - Will "Usually Secure" Cryptography Permit Bugging of the Digital Network?
by Lance J. Hoffman
Department of Electrical Engineering and Computer Science
The George Washington University
Washington, D. C. 20052
After an overview of the development of the FBI's digital telephony initiative, two possible futures for the digital network are presented: "usually secure" and "absolutely secure"cryptography. No adequate analysis of the economic and social costs and benefits of retrofitting the telephone network to satisfy the digital telephony initiative has ever been done, and the preconditions (trusted data, cool heads, and time) are not here yet. Until the "culture gap" between the law enforcement andcomputer communities is narrowed, a "religious war" between the "unlimited crypto" and "law and order" camps is likely to continue.
Listening in on conversations under certain circumstances is a legitimate tool of law enforcement. Donn B. Parker has called it the "most important tool of criminal justice" [Parker 1992]. In 1991, the Federal Bureau of Investigation (FBI) pushed legislation (S. 266) to restrict sales of encryption technology, to require significant changes in computer hardware, software, and communications equipment, and to create trapdoors in encryption programs so that agents could listen in on encrypted conversations. But opposition by computer and communications companies and professional societies and by civil libertarians convinced the Senate to remove the provision from its crime bill.
In 1992, the FBI abandoned (for the moment) its wish to "hold the cryptographic keys" but pushed on with its desire to force communications network providers to build access points into their hardware and software through which the FBI (and any law enforcement official with a warrant) could eavesdrop on a conversation (or data). The FBI proposal would, in the eyes of its opponents, "broaden the authority of the Federal Communications Commission to license telecommunications equipment and would cover ... all types of computer communications. ... It would require telecommunications and computer equipment manufacturers here and abroad to follow government guidelines in developing their products and to finance changes in their current systems to comply with the law, if enacted." [Hollings 1992]
Director William Sessions of the FBI contends that "the proposed legislation does not expand the authority of the FBI or any other criminal justice agency. It simply preserves what Congress authorized in 1968 [under the Omnibus Crime Control and Safe Streets Act]". [Sessions 1992] But opponents, like Janlori Goldman of the American Civil Liberties Union disagree; she decries a "legislative fix that freezes technology" and likens the FBI to modern-day Luddites who would "dumb down existing software" and reduce the competitiveness of U.S. equipment manufacturers. [Goldman 1992]
Arv Larson, speaking for the United States Activities Board of the Institute of Electrical and Electronics Engineers (IEEE), has pointed out in a letter to Congress, "Every communications development in history - from smoke signals to semaphore flags to telephones connected by copper-wire to radio - has required interceptors to update their own techniques. Digital telephony is no exception." [Larson 1992] Indeed, the FBI, and law enforcement in general, may have to develop new techniques as it has in the past, now that "It looks as though an individual might be able to protect information in such a way that the concerted efforts of society are not going to be able to get at it." [Diffie 1992]
A committee was formed in Spring 1992 by senior technical and legal staff of the leading telecommunications companies to work with the FBI in an attempt to develop what the FBI wants without having it required by legislation. The working committee met several times during 1992 and the FBI's principal contractor on this effort, Booz-Allen and Hamilton, produced a document setting forth law enforcement requirements that called for an "intercept access point" in future network systems. [Booz-Allen 1992]
Even if this is provided, it will be impossible to build in effective universal tapping capabilities without dealing with the problem of user-provided end-to-end encryption. AT&T already sells a device which provides this. And limiting the development of encryption (or any) technology raises hackles in a number of technological and other communities. Additionally, with the end of the Cold War, some foreign nations may turn their espionage apparatus into a tool for industrial espionage, making U.S. companies targets of intelligence-grade threats seeking industrial secrets [Garfinkel 1993]. Mathematically secure encryption will become increasingly important in industry. And building trap doors into the encryption for use by a legally authorized law enforcement agency with a court order will not suffice; in addition to the legal, ethical, and societal arguments against it, if such encryption is technologically breakable by law enforcement, it will also be technologically breakable by others. As Garfinkel points out, "in the 1990s, we will all be playing by the same rules [Garfinkel 1993].
If those rules reflect an accommodation among law enforcement, competitiveness, privacy, and other interests which results in a network which is "usually secure" (but open to taps under certain conditions such as court orders), the relatively few persons who wish "guaranteed" confidentiality - both law-abiding persons and criminals - will find and use other networks and mechanisms to transmit information they wish to keep "always" secure. These networks will probably be somewhat more expensive (since they won't use "mass market" system components for encryption) but they will be readily obtainable (from non-U. S. vendors if American firms are prohibited from manufacturing or exporting them). Thus, a "Digital Volstead Act", while having some benefits to law enforcement, will also be somewhat harmful to American interests.
The alternative to "usually secure" cryptography is for law enforcement to concede that the fast-paced and unstoppable development of computer and communications networks, coupled with the open literature on and market in cryptography, will inevitably lead to communications it cannot "break", and thus it will need to develop another strategy to deter, detect, and prosecute crime - one that makes less use of information from electronic eavesdropping and more use of information from other sources (physical evidence, etc.).
It's a clear social policy choice, but no adequate analysis of the economic and social costs and benefits of retrofitting the telephone network has ever been done [D. Denning 1993]. To carry out such a study, trusted data, respected researchers, cool heads, and time are needed. For a variety of reasons, there has been a mutual distrust by both sides (the FBI and many elements of the computer systems community). Each side's unfamiliarity with (and, in some cases, contempt for) the other's culture has slowed down progress. Until this "culture gap" is lessened significantly, a "religious war" between the "unlimited crypto" and "law and order" camps is likely to continue.
[Booz-Allen 1992]Booz-Allen and Hamilton, "Law Enforcement Requirements for the Surveillance of Electronic Communications", June 19, 1992.
[Branscomb 1989]Branscomb, Anne W. "Legal Right of Access to Transnational Data, Electronic Highways for World Trade", Issues in Telecommunications and Data Service, #287 (1989).
[D. Denning 1993]Denning, D., "To Tap or Not to Tap", Communications of the Association for Computing Machinery, March 1993, to appear.
[Diffie 1992]Diffie, W. in "Who Holds the Keys?" in [Hoffman 1993b].
[Garfinkel 1993]Garfinkel, S., "Wire Tapping and Encryption in the 1990s", Proc. 6th International Computer Virus and Security Conference, New York, NY, 1993.
[Goldman 1992]Goldman, J., "Why Cater to Luddites?", The New York Times, March 27, 1992.
[Hoffman 1993a]Hoffman, Lance J., "Bugging the Digital Network", Information Systems Security 1, 4 (Winter 1993), 12-15.
[Hoffman 1993b]Hoffman, Lance J. (ed.), Proceedings of the Second Conference on Computers, Freedom, and Privacy, Association for Computing Machinery Conferences Office, New York, January 1993.
[Hoffman 1993c]Hoffman, Lance J., Policy Choices for Computer Networks, to appear.
[Hoffman 1992]Hoffman, Lance J., "The Impact of Telephone Services on Information Privacy", Information Systems Security 1, 2 (Summer 1992)
[Hoffman 1991]Hoffman, Lance J. and Paul C. Clark, "Imminent Policy Considerations in the Design and Management of National and International Computer Networks", IEEE Communications Magazine, February 1991.
[Hollings 1992]Letter dated April 10, 1992 to Senator Ernest Hollings, chairman of the Senate Committee on Commerce, Science, and Transportation, from representatives of 25 organizations including AT&T, IBM, GTE, Lotus, McCaw, Microsoft, and the Software Publishers Association.
[Larson 1992]Larson, A., Letter to Chairman Jack Brooks of the House Judiciary Committee, May 13, 1992.
[Parker 1992]Parker, Donn B. in "Ethics, Morality, and Criminality" in [Hoffman 1993b]
[Sessions 1992]Sessions, W. A., "Keeping an Ear on Crime", The New York Times, March 27, 1992.
Return to CPSR conferences page.
Return to the CPSR home page.
Send mail to webmaster.
Created before October 2004