Date:       Wed, 23 Sep 92 09:03:23 EST
Errors-To:  Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From:       Computer Privacy Digest Moderator  <comp-privacy@PICA.ARMY.MIL>
To:         Comp-privacy@PICA.ARMY.MIL
Subject:    Computer Privacy Digest V1#081

Computer Privacy Digest Wed, 23 Sep 92              Volume 1 : Issue: 081

Today's Topics:				Moderator: Dennis G. Rears

                  submission for comp.society.privacy

   The Computer Privacy Digest is a forum for discussion on the
  effect of technology on privacy.  The digest is moderated and
  gatewayed into the USENET newsgroup comp.society.privacy
  (Moderated).  Submissions should be sent to
  comp-privacy@pica.army.mil and administrative requests to
  comp-privacy-request@pica.army.mil.
   Back issues are available via anonymous ftp on ftp.pica.army.mil
  [129.139.160.200].
----------------------------------------------------------------------

Subject: submission for comp.society.privacy
Date: Fri, 18 Sep 92 01:27:42 -0700
From: Joseph Truitt <sgi.com!biocad!valis.biocad.com!joseph@PICA.ARMY.MIL>

Subject: Letter protesting proposed FBI Digital Telephony bill

[This message posted to usenet groups alt.privacy,
alt.society.civil-liberty, comp.society.cu-digest, comp.society.privacy,
comp.dcom.telecom, comp.org.eff.talk, and sci.crypt.  I apologize if you
see this more than once; I do not have a means to reliably cross-post.  If
you make public comments about this message, please add these newsgroups to
the Followup-To: header, if you consider it appropriate, and have the means
to do so.  Thanks.]

By now, you have probably heard of the proposed FBI Digital Telephony bill,
a sweeping piece of legislation that would grant the Justice Department
many new technical and executive capabilities for tapping into any wire or
fiber optic data stream.  This is my open letter to the following
congressmen regarding the proposal.  I encourage you to write and send a
letter, as well.  Permission is granted to freely redistribute this
article [wholly intact, preferably].

The Honorable Sen. Ernest Hollings, Chairman
Senate Commerce Committee
U.S. Senate
Washington, DC 22101

The Honorable Don Edwards, Chairman,
Subcommittee on Constitutional Rights
House Judiciary Committee
U.S. House of Representatives
Washington, DC 20515

The Honorable Jack Brooks, Chairman,
House Judiciary Committee
U.S. House of Representatives
Washington, DC 20515

Chairman, Senate Communication Subcommittee
U.S. Senate
Washington, DC 22101

Chairman, House Telecommunication Subcommittee
U.S. House of Representatives
Washington, DC 20515

Chairman of the FCC
1919 M Street N.W.
Washington, DC 20554

References: May 1992 Digital Telephony proposal (I will gladly send you a
            copy, if you don't already have one).

            FBI Congressional Affairs office, 202/324-3000

            "Decrypting the Puzzle Palace"
            EFFector Online, July 29, 1992
            Electronic Frontier Foundation

            "FBI Seeks Right to Tap All Net Services"
            ComputerWorld, June 8, 1992 - Vol. XXVI, No. 23

            "Tap Dance"
            Scientific American, June, 1992

            "Promising Technology Alarms Government"
            Houston Chronicle, June 21, 1992

            Editorial
            NewsBytes, July 13, 1992

By Joseph Truitt on 92/09/17.

----- begin letter -----

September 17, 1992

Dear Sir,

I am writing you an open letter in regard to the FBI Digital Telephony
proposal, in the hopes that it can be heavily revised before being
introduced as a bill.  While I can appreciate the FBI's concern about
staying abreast of communication technology advances, I must take issue
with the implications of the sweeping proposal.  I believe it has the
potential to create some serious problems (especially in combination with
future legislation to limit or standardize encryption algorithms):

  * Allows the government to be too much like "Big Brother"--to very
    conveniently monitor [from comfortable central offices] all types of
    wired communications from virtually any source.

  * Violates the right for businesses and individuals to employ a secure
    communications channel, if they so desire.

  * Discourages development of better communications technology.

  * Puts domestic communication equipment makers at a disadvantage in the
    international market.

  * Invites abuse of executive branch power.

  * Promotes a black market of illegally obtained information.


To expound on these points, I wish to respond in some detail to several
quoted portions of the latest draft of the proposal I have available,
introduced in May, 1992:

     A BILL

     To ensure the continuing access of law enforcement to the content of
     wire and electronic communications when authorized by law and for
     other purposes.

May I inquire as to these "other purposes"?

     (1)(b) The purposes of this Act are to clarify the responsibilities 
     of providers of electronic communication services and private branch 
     exchange operators to provide such assistance as necessary to ensure 
     the ability of government agencies to implement lawful court orders or 
     authorizations to intercept wire and electronic communications. 

     Footnote 2. Whether the content is voice, facsimile, imagery (e.g.
     video), computer data, signalling information, or other forms of
     communication, does not matter; all forms of communication are
     intercepted.

Shortly after the introduction of the May draft of the DT proposal, William
A. Bayse, head of the FBI's technical services division, confirmed that the
FBI wants real-time remote access to all data, fax, voice and video traffic
in the U.S.  I contend that this is more than a mere clarification of the
telecom common carrier's responsibility to assist law enforcement (Omnibus
Crime and Safe Streets Act of 1968), as the proposal indicates.  It is
ominous and unreasonably intrusive.

     (a) Providers of electronic communication services and private branch
     exchange operators shall provide within the United States capability
     and capacity for the government to intercept wire and electronic
     communications when authorized by law:

     (1) concurrent with the transmission of the communication to the
     recipient of the communication;

     (2) in the signal form representing the content of the communication
     between the subject of the intercept and any individual with whom the
     subject is communicating, exclusive of any other signal representing
     the content of the communication between any other subscribers or
     users of the electronic communication services provider or private
     branch exchange operator, and including information on the individual
     calls (including origin, destination and other call set-up
     information), and services, systems, and features used by the subject
     of the interception;

     (3) notwithstanding the mobility of the subject of the intercept or
     the use by the subject of the intercept of any features of the
     telecommunication system, including, but not limited to, speed-
     dialing or call forwarding features;

     (4) at a government monitoring facility remote from the target
     facility and remote from the system of the electronic communication
     services provider or private branch exchange operator;

     (5) without detection by the subject of the intercept or any
     subscriber

     (6) without degradation of any subscriber's telecommunications
     service.

Telecommunication systems are the highway for information exchange between
computers around the world.  Modifying U.S. telecommunication systems to
comply with item (4), in combination with the other items (and parallel
government efforts to cripple legal encryption schemes, such as a narrowly
defeated FBI rider to Senate Bill 266--sure to be followed by other
attempts) would create grave security and privacy risks for any business or
individual subscriber to those systems, not to mention the international
computer users whose telecom traffic--such as private electronic mail--is
unwittingly routed through the U.S.

Given a fertile environment for growth, cyberspace (partial definition: an
immersive, interactive communication environment facilitated by computers)
might soon be where a majority of commercial and private transactions will
occur.  A person sitting in New York can already meet and discuss business
with another person sitting in San Francisco, in one virtual living room.
However, since electronic codes describing these meetings/transactions must
travel over wire or optics, exciting advances in sensitive business
communications (for highly dynamic cooperation and strategic maneuvers)
would most likely be thwarted by fear that competitors or other enemies
might wrongfully gain access to that communication via the new remote wire
taps.

Why should businesses be paranoid about such eavesdropping?  Because a hole
for the FBI to plug into would also be available for any other
knowledgeable user to plug into.  Remote monitoring of all wires would
require an extensive system of hardware and/or software tapping devices
that could be activated by remote commands.  Frank Dzubeck, president of
Communications Network Architects, Inc. in Washington, D.C. believes that
[for the telephone common carrier portion of the electronic network], in
essence, the FBI wants to hook up a leased line from its remote monitoring
post to a spare port on the telephone company's switch or the LAN's router
or smart hub.  Like it or not, such "back doors" _would_ be discovered, and
exploited by people outside of law enforcement--and outside of the
U.S.--regardless of threatening fines and prison terms.  High tech
espionage, extortion, and blackmail would explode with such convenient,
uniform information taps available.  It is not feasible to create remote
monitoring devices for FBI use that cannot be widely abused by other
agencies or individuals.

The 4th Amendment to the Bill of Rights does not just bar the government
from unreasonable searches.  I believe that it also implies that the
government should avoid creating an environment that encourages citizens to
search each other without permission, and that the citizens have a right to
privately communicate (so as to avoid "unreasonable searches" of their
ideas).

Imagine the implications if a bill were introduced to instruct the U.S.
Post Office and all cargo carriers to provide devices to remotely inspect
the contents of all letters and parcels at the leisure of law enforcement
officials.  Without fail, this hypothetical device would soon arrive in the
hands of people outside of law enforcement, and it would be immediately
duplicated and sold underground.

A bill might as well be introduced to force everyone to pay for and install
remotely activated and government monitored "secure" video cameras in their
offices and living rooms.  This analogy may sound extreme, but it is valid,
given the end-user financial burden from this proposal, the proliferation
of computer-facilitated conference meetings, and the sundry attempts by the
FBI and NSA to disallow serious encryption algorithm development and use in
the U.S.

Encryption restrictions are inextricably linked with digital wire tapping,
because the sender must have total control of either the format or the
distribution of his/her communications in order to have reasonable
electronic privacy.  If both format and distribution are
controlled/compromised by others (like the government), then the foundation
of electronic privacy crumbles.

Under the guise of regulating international export of encryption
technology, the recent State Department / Commerce Department / NSA
attempts to legislate inferior encryption standards into wireless
communications are just a short step away from similar standards for wired
communication.  One individual close to the TR45.3 committee reviewing the
standards said that at least some of the members were "interested in weak
cellular encryption because they considered warrants not to be 'practical'
when it came to pursuing drug dealers and other criminals using cellular
phones."  That attitude does not align with the "minimization" principle of
the Omnibus Crime and Safe Streets Act that is touted as the foundation for
the new Digital Telephony proposal (to require a warrant for every search,
and to avoid monitoring parties that are not listed in that warrant).  The
cellular encryption standard pushed by the NSA is so weak that anyone with
the right PC-based black box would be able to monitor so-called "secure"
cellular conversations in their area.  I posit that, given the proposed
remote taps, wired communications would suffer a similar indignity,
especially as wire tap activation/decryption codes filtered into the hands
of non-law-enforcement people.

Such a built-in weakness to communications privacy would not only
discourage healthy, competitive growth of companies producing tangible
goods and services, but also threaten cutting-edge information-based
companies, such as the American Information Exchange (AMIX) in Palo Alto,
CA.  It does not seem wise to introduce more stumbling blocks into the path
of the already ponderous U.S. business economy.  Information _is_ the
future of business--and the secure exchange of information must be
encouraged, rather than discouraged, if the U.S. wants to participate in
the astounding growth that can be facilitated by computers.  Ron Rivest
(the "R" in RSA, a popular and relatively secure encryption scheme) said,
"We have the largest information based economy in the world.  We have lots
of reasons for wanting to protect information, and weakening our encryption
systems for the convenience of law enforcement doesn't serve the national
interest."

     (e) The Attorney General shall have exclusive authority to enforce
     the provisions of subsections (a), (b) and (c) of this section.  The
     Attorney General may apply to the appropriate United States District
     Court for an order restraining or enjoining any violation of
     subsection (a), (b) or (c) of this section.  The District Court
     shall have jurisdiction to restrain and enjoin violations of
     subsections (a) of this section.

     <from a previous draft>
     (h) Notwithstanding section 552b of Title 5, United States Code or any
     other provision of law, the Attorney General or his designee may
     direct that any Commission proceeding concerning regulations,
     standards or registrations issued or to be issued under the authority
     of this section shall be closed to the public.

What is the purpose of this unprecedented step of placing control over
certification of telecommunications equipment in the hands of the Attorney
General?  Why shouldn't the Federal Communications Commission (FCC) remain
in control of such certification, as opposed to becoming a rubber stamp?
And why should we place the Attorney General in a position to shut down any
telecommunications advance without benefit of a public hearing?

     (f) Any person who willfully violates any provision of subsection
     (a) of this section shall be subject to a civil penalty of $10,000
     per day for each day in violation.  The Attorney General may file a
     civil action in the appropriate United States District Court to
     collect, and the United States District Courts shall have
     jurisdiction to impose, such fines.

     (g) Definitions--As used in subsections (a) through (f) of this
     section--
     (1) 'provider of electronic communication service' or 'private
     branch exchange operator' means any service or operator which
     provides to users thereof the ability to send or receive wire or
     electronic communication,

The proposal does not limit itself to new network connections--it also
applies to all existing connections.  Can our nation's struggling
businesses afford to upgrade their computer and PBX networks to be easily,
remotely tappable?  I think not.  Can they afford the resulting $10,000/day
fine as soon as the FBI discovers the omission?  Not likely.  The
substantial expense of upgrading equipment would immediately be passed
along to the subscribers.  What an insult--to be forced to pay for the
privilege of being tapped!

In short, the Digital Telephony proposal would encourage abuse of executive
branch power.  It has the potential to inhibit technological innovation in
communications equipment, systems, and services.  It could indirectly place
certain designs, manufacturers, or types of service at an advantage or a
disadvantage, and it places no statutory safeguards against being quietly
exploited in this way by someone with favored access to the Attorney
General or to the FCC.

What specific changes do I request on the Digital Telephony proposal?

1. Limit the type of data lines that can be tapped to PBX and
common-carrier phone lines, so as to not impede the development of other
computer communications technology.  This would be in line with a
"clarification" of the Omnibus Crime and Safe Streets Act.

2. Eliminate the "remote access" capability.  Instead of forcing telecom
providers to install ubiquitous tapping hardware and/or software equipment
that can be accessed via privileged leased telephone lines, have them
publish clear documentation completely describing the protocols used on
their wires and optics.  The FBI should contract some domestic electronic
companies to design, build, maintain, and periodically upgrade a reasonable
number of data channel isolation / storage devices that could be
temporarily connected on a per-warrant basis to the phone lines, trunks, or
hubs that serve the suspects in question.  Since the domestic
telecommunication companies would not have to engineer a built-in data
tap/compromise into their equipment, they would not be put at a
disadvantage in the international market because of inferior security or
having to maintain dual models (one domestic, one international).

3. Keep lawmaking in Congress where the Constitution--for very good
reason--put it.  A committee or small advisory office could be established
to take input from the Justice Department, establish expertise in the area,
and formulate occasional legislation to be submitted through the normal
legislative process, in full public view.

Also, if the Justice Department introduces any more legislation (boldly, or
surreptitiously as a rider) to regulate or outlaw the domestic use of any
type of electronic data encryption, please reject it.  The freedom of
format and content of speech must be upheld, as well as the author's right
to know and limit the forum.

In closing, I would like to quote John Perry Barlow of the Electronic
Frontier Foundation, as he echoes my sentiments precisely:

     The legal right to express oneself is meaningless if there is no
     secure medium through which that expression may travel. By the same
     token, the right to hold certain unpopular opinions is forfeit unless
     one can discuss those opinions with others of like mind without the
     government listening in.
 
     ... there is a kind of corrupting power in the ability to create
     public policy in secret while assuring that the public will have
     little secrecy of its own.

     In its secrecy and technological might, the NSA already occupies a
     very powerful position. And conveying to the Department of Justice
     what amounts to licensing authority for all communications technology
     would give it a control of information distribution rarely asserted
     over English-speaking people since Oliver Cromwell's Star Chamber
     Proceedings.

     Are there threats, foreign or domestic, which are sufficiently grave
     to merit the conveyance of such vast legal and technological might?
     And even if the NSA and FBI may be trusted with such power today, will
     they always be trustworthy? Will we be able to do anything about it if
     they aren't?

Sincerely,



Joseph Truitt
53 S. Cragmont Ave.
San Jose, CA 95127

joseph@biocad.com (my employer does not necessarily share my opinions)

 ------- End of Forwarded Message




------------------------------


End of Computer Privacy Digest V1 #081
******************************