Tapping the Internet
“Don’t believe what I saw.
A hundred million bottles washed up on the shore.”
– The Police
In the weeks following the World Trade Center tragedy, many government officials were actively lobbying for increased Internet surveillance as a method of restricting terrorist activity. This is likely the direct result of numerous reports that Osama Bin Laden and his many supporters are heavy users of the Internet for organizational and informational purposes. From the floor of the Senate, Senator Judd Gregg of New Hampshire called for “a global prohibition on encryption products without backdoors for government surveillance”. Also, many large ISPs, including AOL, Earthlink, and @Home, have reported that the FBI approached them after the tragedy and served them with Federal Intelligence Surveillance Act (FISA) orders to search for possible communications that may have aided the attacks in New York and Washington.
Protection of Freedom? This type of activity sends shivers down the spines of many pro-privacy technology activists. It should be noted, however, that these outspoken and knowledgeable people are not pro-terrorist. In fact, many are terribly disturbed by the terrorist action. That said, they do not believe that you can protect freedom through the process of restricting or destroying it. As ammunition, they are quick to quote Constitutional contributor Benjamin Franklin — “They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety.”
Disregarding these strong-minded, civil-liberties-based perspectives, a closer look at Internet surveillance uncovers many problems in both implementation and potential effectiveness. For starters, there is a huge predicament with just how much of the genie is already out of the bottle. So-called “strong” encryption techniques (those that are nearly impossible to decipher) are broadly available on the Internet. Moreover, these “programs” are cataloged and archived in many forms – software executables, source code listings, and simple algorithms that describe the general concepts. Also importantly, many of these algorithms have been developed outside the United States.
Another perhaps disturbing but real development is the increased use and availability of Steganography. Steganography is the act of embedding or hiding a message in another transport. Several programs on the Internet, many that are shareware and free to download, make it easy for you to embed one file in another. Typically the transport file (that which hides) is a large dense file type such as a JPEG photo or an MP3 file. Interestingly, these encoding techniques are so slick that the resulting file is indistinguishable to the human eye (JPEG) or ear (MP3). As a result of this “conversion,” a covert communication may appear as innocent as two parties sharing a Britney Spears song over the Internet. USA Today has reported that Osama Bin Laden and his followers are heavy users of Steganography.
As mentioned earlier, Senator Gregg has suggested that we implement a “global prohibition on encryption products without backdoors for government surveillance”. This type of proposition has many difficulties once you look under the covers:
Whom do we trust? We can’t get a majority of leading countries to join a coalition against terrorism, and we think we can line everyone up in an organized assault on encryption? Many countries have much stronger perspectives on personal privacy and are therefore unlikely to participate. Other less industrialized countries are going to have a hard time considering this a relevant priority. More importantly, how will we implement the dissemination of government keys? Do we trust all governments that join the effort? Who gets to see cross-border communication?
Outlaw a t-shirt? Many in the scientific community have pointed out the silliness in outlawing an algorithm (basically a flow chart of how the code works). First, any good programmer can convert a detailed algorithm into software code, and as such the algorithm (or formula) is the tersest representation of the offending material. Second, these algorithms are everywhere. They’re on the Internet, they’re on hard drives all over the world, they’re in books, and they have even been printed on t-shirts to highlight the free speech implications of such an attempted prohibition. There is absolutely no way to rein in all the copies of these ideas, or to restrict their trade amongst those determined to do so. It’s like trying to outlaw the story of “The Three Bears” – too many people already know it at this point.
A sauna in the desert. Once again, Senator Gregg wants encryption software makers to implement government backdoors in their products. The only people I know that actually use encryption products are those that hate, loathe, or at the very least mistrust the government. Government issued encryption programs will see about as much use as a sauna in the desert. They might as well put a sticker on the box that says “don’t buy me”. This would be a colossal waste of time.
Not so intelligent. Many have suggested that the terrorists are “more intelligent than you think” due to their clever use of these technologies. Another Senator, Jon Kyl of Arizona, has commented frequently on the “sophistication” of the terrorists for this very reason. This presumed intelligence might be more a factor of their accusers’ own ignorance rather than their own aptitude. This stuff is ridiculously easy to obtain. Go to www.google.com, type “Steganography program,” and start downloading. You will be able to put an email message into a family photograph within five minutes. You must know the magnitude of the problem you are trying to solve.
“Your hands can’t hit what your eyes can’t see.” Muhammad Ali used this quote to refer to his lightning-fast hands, but the same statement is true for messages embedded using Steganography. How will the government identify potentially hazardous communications if every photo, music, and video file on the Internet is an unidentifiable transport? And even if you found the transport and decoded it, the message could still be encrypted using “strong encryption.” Seems impossible. It probably is.
One “big” haystack. There are an increasing number of ways to move files on the Internet. To name a few — email, ftp, instant messenger, chat, file lockers, Napster, and Gnutella. In the next few years, the number of emails and instant messages sent each year will be measured in the trillions (for each). Peer-to-peer file transfers will easily number in the billions. How do you monitor all of this? Where could you even store the log data? The pin is small, the haystack is large, and astute cryptographers can use Steganography to increase the size of the haystack.
The government should not give up on computer surveillance. In fact, as a tool that is used to track down a particular offender after isolation and identification, these technologies can be extremely effective. However, we should not be unrealistic about what type of “magic” spy technologies are at our disposal. We are only going to spend a lot of money, waste a lot of time, and create a false sense of security.