Practical Privacy Protection, Unless Congress Prohibits It

by Jim Warren

Copyright 1991, Jim Warren, original in MicroTimes #83, May 27, 1991.
This may be copied or reprinted in full, or full paragraphs may be
excerpted, provided copies indicate author, copyright, and origin.

	This column concerns our futures that we can create, *if* we protect
our options.

Protecting Against Peepers
	Computer and electronic-mail users are becoming increasingly concerned
about information pirates and email eavesdroppers.
        Some naive folks think legislation will halt such intrusion.
        Realists, however, are urging technical protections against
technological surveillance.  Numerous speakers at the Computers,
Freedom & Privacy Conference stated that the *only* real protection
against such surveillance and data theft is robust, verifiably-secure
encryption.
        Many say "public key" crypto is the most secure--and also the most
easily used.  It's actually a two-key system, a "key" being simply a
number.  Everyone can have your "public" key, using it to encrypt
information for you.  But only you, knowing the "private" half of your
two-part key, can decrypt the data.
        Recently, numerous major companies have joined, or appear about to
join, the public-key bandwagon.  They include DEC, Sun, Apple,
Microsoft, Lotus, Novell, etc..  They seem likely to endorse the
public-key implementation developed by RSA Data Security (Redwood
City).

Locksmiths Need Agreement
	In all cases, the transmitter must have an encryption tool--a program
or device, and the receiver must have a matching decryption tool.
Thus, there must be widespread agreement on any crypto that is to be
widely used.
        The US government adopted the Data Encryption Standard (DES).  But
its 56-bit key was publicly proven crackable by Stanford's Marty
Hellman, even before DES was adopted.  The National Security Agency
(NSA) opposed Marty's recommendation of an uncrackable 64-bit key.
        Further, there are widespread--unproven--rumors that NSA has a "back
door" into anything encrypted with DES, so they don't even need a Cray
to crack it.  Its source code was never released by IBM and NSA, its
developers, so users cannot verify that it's secure.

Protecting Fax & Phone
	On related fronts, the SecureFX fax encryptor can protect fax
transmissions (from Cylink, Sunnyvale).  It reportedly includes
RSA-licensed public-key crypto, has tamper detection that zeroes-out
keys before they can be read, and works with any pair of standard
faxes.  Each fax plugs into a SecureFX, plugged into the phone line.
Sadly, the units cost about four times what a fax costs.  (Watch for
faxes with built-in crypto.)
        Fujitsu may be the first offering a cordless consumer telephone that
scrambles communication between the handset and the base-station
(Azet-R10).  This will render most nosy neighbors' scanners useless
and force wire-tappers back onto the telephone poles.

Who's Peeping?
	On the other hand, undetectable monitoring of any voice, fax or data
phond-line--from anywhere in the nation--is reportedly implemented in
current-generation US phone systems.  These optional surveillance
facilities are reportedly far beyond anything the telcos ever
requested or showed any interest in wanting.
        Even more curious:  Local and state police have said *they* can't
get use of it, even for a court-authorized phone tap.  They still have to
climb a pole or clip onto lines in the central office (c.o.), just
like J. Edgar Hoover's surveillance of the Kennedys, Martin Luther
King and '60s pacifist groups.  [pacifist: someone who's always trying
to start a peace]
        So--who uses the phone-tap-from-anywhere facilities that the telcos
never wanted and aren't available to local and state cops?

Most Peepers Aren't Crackers
	Irresponsible news media and mythological movies have inflamed
widespread fear that droves of omnipotent computer crackers will
invade every computer--and probably make your microwave irradiate your
children, too.  Even columnist Jack Anderson's staff got suckered into
naively touting cracker terror.
        In fact, almost all computer criminals and data-peepers are
employees, managers, agents and politicians--working on the
inside--using authorized access for covert and/or unauthorized
purposes.
        Example:  The Mayor of Colorado Springs secretly monitored
confidential electronic correspondence between members of his City
Council, using his access as system operator.  (He is also President
of the US Council of Mayors.)
        Of course, robust, verifiably-secure crypto would cure such
automated surveillance.  If permitted.

Congressional Call for Guaranteed Insecurity
	Early this year, Senators Biden (D-DE) and DeConcini (D-AZ) buried
this sentence in Senate Bill 266, an "omnibus anti-terrorism
bill"--introduced on the House side by Rep. Tom Lantos (D-CA):
[A        "... providers of electronic communications services and
manufacturers of electronic communications service equipment shall
*ensure that communications systems permit the government to obtain
the plain text contents of voice, data, and other communications* when
appropriately authorized by law."  [emphasis added]
        If this is passed, all US crypto systems will have a hole in them--a
back door for "authorized" agents.  Industrial and foreign spies
wouldn't have to *wonder* whether encrypted data and communications
were crackable; the law will guarantee it.  Spies would need only to
crack it, or simply obtain access through any "authorized agent" they
could bribe or blackmail.
        Well, Desert Storm died and the terrorist terror went away.
(Terrorists are *so* undependable.)
        So, this "data insecurity guarantee" promptly resurfaced in an
"omnibus anti-crime bill," S618.  (US criminals are more reliable than
terrorists.)

What's More Important--People or Prosecution?
	Admittedly, if secure encryption were available to citizens and
companies, criminals might also use it.  But, even if law-abiding
citizens are prohibited from having secure crypto tools, criminals can
still have them--the techniques are widely published and well
understood in international computer circles.
        Should everybody be permitted to adequately protect their
communications and records--or should such security be available only
to lawbreakers?  Do police and prosecutor needs justify guaranteeing
insecurity for everyone else?
        The Beltway bureaucrats who insistently push this legislation will
only be stopped by a widespread outcry from an informed, vocal
public.

Computers, Freedom & Privacy Talks and Tapes Now Available
	In the last several months, I've given a number of lectures deriving
from this Spring's premier Computers, Freedom & Privacy Conference.
And, I gotta say, it is the most exciting and provocative subject I've
presented, since '70s lectures about "personal computing"--when
microcomputing was an infant industry unknown to an unsuspecting
population.
        Also, audiotapes of the CFP Conference are (finally!) available.
Contact Recording, Etc., Palo Alto CA; (415)327-9344, 321-9261/fax.
Pre-tax prices are $14.95/tape, $34.95/day (5 tapes), $59.95/full set
(15 tapes).

Contribute Your Two Sense [sic]!
        Share *your* fantasies seeking realization.  Send 'em to Jim Warren,
Realizable Fantasies, 345 Swett Road, Woodside CA 94062.  Published
proposals will be attributed to their authors unless anonymity is
requested.

Steve Jackson Games | SJ Games vs. the Secret Service