Impact of Computers on Society3. Encryption and Interception of Communication

It Could Never Happen…

Secret FBI papers revealed that John Lennon was ruled out as a communist threat because he was always stoned, London’s Evening Standard reported yesterday.

Never… Documents show that the FBI suspected that the ex-

Beatle was the head of revolutionaries planning to hijack a 1972 Republican conference, and kept him under close watch at first. But Lennon’s abuse of heroin, cocaine and marijuana in the early 1970s eventually ruled him out of FBI investigations. An agent concluded that Lennon “appears to be radically oriented” but “does not give the impression he is a true revolutionist, since he is constantly under the influence of narcotics.”

You Must Be Kidding! Marilyn Monroe Lucille Ball And Albert Einstein… ...were among the suspected communists

tracked by the FBI from the 1950s to 1970s.

Washington Post, September 23, 2005, p. C3

Background Different levels of message and information

security How secure is the postal service? How secure is email? How secure are financial transactions?

Three Main Issues Whom do you trust? How powerful is technology?

Technology is a “moving target” How open should communications be?

A Brief History of Wiretapping1928 – Supreme Court rules that…

wiretapping is not unconstitutional wiretapping can be banned by Congress

1934 – Congress passes the Federal Communications Act

illegal to wiretap no exception for law enforcement

More about Wiretapping 1937 – Supreme Court stands behind the ban

on wiretapping FBI did it anyway lax enforcement of anti-wiretapping laws continuing debate for many years

Wiretapping Allowed 1967 – Supreme Court rules that intercepting

phone conversations without a court order violates 4th Amendment (2007 – NSA gathers data without warrants)

1968 – Congress explicitly allows wiretapping with court order intended to help fight organized crime

USA PATRIOT Act of 2001 loosens restrictions further

Milestones in Interception The Internet changes the playing field

no longer wiretapping now, interception of communications includes broadcast communications what about fiber optics? what about monitoring of RF emissions?

Lawful Interception 1994 – CALEA (Communications Assistance for Law

Enforcement Act) requires equipment to be designed to allow interception.

1999 – FBI’s Carnivore email interception system required a court order limited to a particular ISP what about the email of other subscribers to that ISP? can’t the ISP do this without having to physically hook up FBI

computers to its own? program terminated in 2005; now using commercially available

software superseded by DCS-3000 system

Echelon 1998 – NSA’s Echelon.

Not supposed to be targeted at US citizens NSA denies its existence Major computing power Examines RF emissions, including cell phones, etc. Supposedly sifts through international traffic Sifts through business and other traffic, not just military

and law enforcement Aside: the US Embassy in Moscow and Dr. Theramin

Echelon criticisms The line is blurred on US citizens when national

security is claimed or when they are abroad What about our allies – Canada, Britain,

Australia, NZ? Going “deaf” because of the rise of fiber optic

transmission rather than satellite Major question is how much privacy should

we be expected to give up in order to (maybe) catch the bad guys?

FISA Foreign Intelligence Surveillance Act (1978) Without a warrant…

President can request surveillance without a warrant through the AG for up to one year

Limited to foreign intelligence only Electronic surveillance

With a warrant… Requires warrant from a secret court Both physical and electronic searches Only five requests for warrants have been denied since

1979

Protect America Act (PAA) A 2007 revision of FISA Adds terrorists to the list of possible targets for

monitoring Allows for massive collection of international

telecom data without court order or oversight Disagreement over retroactive protection for telecom

companies Expired on February 17, 2008 when House did not

renew But…

FISA of 1978 Amendments Act of 2008 Signed into law on August 5, 2008 Extended for 5 years, September 2012 Protects telecoms from “past or future” lawsuits for

cooperation with warrantless federal surveillance Removes requirements for detailed description of

what is being sought Requires (secret) FISA court permission to

eavesdrop on Americans who are overseas

Recommended Reading James Bamford

Puzzle Palace: a report on America’s most secret agency (1982)

Body of Secrets: anatomy of the ultra-secret National Security Administration: from the Cold War through the dawn of a new century (2001)

Leo Marks Between Silk and Cyanide: a codemaker’s war

1941-1945 (1998)

Two Main Computer Defenses Packet transmission

messages are less vulnerable en route interception is most effective at the end points

Encryption Requires a key, which must be passed secretly Only one unbreakable code: the one-time key

Public Key Encryption A known, published algorithm

RSA (Rivest, Shamir, Adelman) uses two large prime numbers for keys

Each party has two keys, a private key and a public key One pair of keys to encrypt, the other pair to decrypt Brute force attacks are essentially useless unless you have

massive computing power Quantum computing may change this situation Longer keys make the encryption stronger Problem of delivering the keys

More Encryption The problem of computational overhead Most of us use encryption for financial

transactions on the Internet 40-bit versus 128 or 256 bit encryption, and more

Remember that anything broadcast or transmitted can be intercepted

The bad guys can use encryption, too

A Few Uses of Encryption Communications, both phone and data Credit card numbers Other financial data, for example brokerage

transactions Electronic Funds Transfer (EFT) Passwords, usernames, account numbers on the

Internet Digital Signatures – did the message really come

from that person?

Steganography Concealing the fact that a message even exists Hidden in a picture – a digital watermark Hidden within a document – for example, a

computer printed postage stamp An image could conceal harmful code which

will execute on the recipient’s computer A message or virus could be concealed in

almost anything that is digital

Attempts to Control Encryption Technology 1990’s – Government attempts to restrict

export of encryption technology 1991 – Philip Zimmerman and PGP (Pretty

Good Privacy) “Restricted” browsers and other software 1993 – Daniel Bernstein’s 1st Amendment

lawsuit 1996 – Courts decide in Bernstein’s favor

Why? The genie was already out of the bottle To protect the NSA

…the main goal of the export rules was to restrict encryption to what the NSA could routinely crack in “real time,” that is as messages are scanned.

…to prevent adoption of standard cryptography systems. Standards would encourage more use of encryption and make it harder for the NSA to distinguish the messages it wants to read.

Why?? …export rules required that companies that

wanted to export encryption systems had to disclose the details of their products to the government, ensuring that the NSA had full knowledge of the technologies in use.

Diffie & Landau, summarized by Baase, p. 119

End of Restrictions 2000 – The government at last gives up the

attempt to impose import restrictions on encryption.

Officially, the genie is out of the bottle…

Encryption Control in the US 1993 – the Clipper Chip

Used an unpublished, secret NSA algorithm Designed for telephones, also used on computers Various key escrow proposals. The government wanted a

third party escrow agent. Government and law enforcement would need a court

order to get the key BUT – the escrow agent would be a government agency A failure before it got off the ground There is no provision for a “back door” in the USA

PATRIOT Act.

And In Conclusion… Remember that the goal of encryption is to

make the difficulty of reading a message not worth the effort.

Technology is progressing very rapidly To what extent do you trust government and

law enforcement to uphold the 1st and 4th Amendments?

One Certain Defense Although it may be impossible to protect

against unwarranted surveillance, at least your mind can be spared.

Wear a tin foil hat!