Date: Wed, 23 Sep 92 09:03:23 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V1#081

Computer Privacy Digest Wed, 23 Sep 92 Volume 1 : Issue: 081

Today's Topics:
Moderator: Dennis G. Rears

submission for comp.society.privacy

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.200].

----------------------------------------------------------------------

Subject: submission for comp.society.privacy
Date: Fri, 18 Sep 92 01:27:42 -0700
From: Joseph Truitt
Subject: Letter protesting proposed FBI Digital Telephony bill

[This message posted to usenet groups alt.privacy, alt.society.civil-liberty, comp.society.cu-digest, comp.society.privacy, comp.dcom.telecom, comp.org.eff.talk, and sci.crypt. I apologize if you see this more than once; I do not have a means to reliably cross-post. If you make public comments about this message, please add these newsgroups to the Followup-To: header, if you consider it appropriate, and have the means to do so. Thanks.]

By now, you have probably heard of the proposed FBI Digital Telephony bill, a sweeping piece of legislation that would grant the Justice Department many new technical and executive capabilities for tapping into any wire or fiber optic data stream. This is my open letter to the following congressmen regarding the proposal. I encourage you to write and send a letter, as well. Permission is granted to freely redistribute this article [wholly intact, preferably].

The Honorable Sen. Ernest Hollings, Chairman
Senate Commerce Committee
U.S. Senate
Washington, DC 22101

The Honorable Don Edwards, Chairman,
Subcommittee on Constitutional Rights
House Judiciary Committee
U.S. House of Representatives
Washington, DC 20515

The Honorable Jack Brooks, Chairman,
House Judiciary Committee
U.S. House of Representatives
Washington, DC 20515

Chairman, Senate Communication Subcommittee
U.S. Senate
Washington, DC 22101

Chairman, House Telecommunication Subcommittee
U.S. House of Representatives
Washington, DC 20515

Chairman of the FCC
1919 M Street N.W.
Washington, DC 20554

References:

May 1992 Digital Telephony proposal (I will gladly send you a copy, if you don't already have one).
FBI Congressional Affairs office, 202/324-3000

"Decrypting the Puzzle Palace"
EFFector Online, July 29, 1992
Electronic Frontier Foundation

"FBI Seeks Right to Tap All Net Services"
ComputerWorld, June 8, 1992 - Vol. XXVI, No. 23

"Tap Dance"
Scientific American, June, 1992

"Promising Technology Alarms Government"
Houston Chronicle, June 21, 1992

Editorial
NewsBytes, July 13, 1992

By Joseph Truitt on 92/09/17.

- ----- begin letter -----

September 17, 1992

Dear Sir,

I am writing you an open letter in regard to the FBI Digital Telephony proposal, in the hopes that it can be heavily revised before being introduced as a bill.

While I can appreciate the FBI's concern about staying abreast of communication technology advances, I must take issue with the implications of the sweeping proposal. I believe it has the potential to create some serious problems (especially in combination with future legislation to limit or standardize encryption algorithms):

* Allows the government to be too much like "Big Brother"--to very conveniently monitor [from comfortable central offices] all types of wired communications from virtually any source.
* Violates the right for businesses and individuals to employ a secure communications channel, if they so desire.
* Discourages development of better communications technology.
* Puts domestic communication equipment makers at a disadvantage in the international market.
* Invites abuse of executive branch power.
* Promotes a black market of illegally obtained information.

To expound on these points, I wish to respond in some detail to several quoted portions of the latest draft of the proposal I have available, introduced in May, 1992:

  A BILL
  To ensure the continuing access of law enforcement to the content of wire and electronic communications when authorized by law and for other purposes.

May I inquire as to these "other purposes"?

  (1)(b) The purposes of this Act are to clarify the responsibilities of providers of electronic communication services and private branch exchange operators to provide such assistance as necessary to ensure the ability of government agencies to implement lawful court orders or authorizations to intercept wire and electronic communications.

  Footnote 2. Whether the content is voice, facsimile, imagery (e.g. video), computer data, signalling information, or other forms of communication, does not matter; all forms of communication are intercepted.

Shortly after the introduction of the May draft of the DT proposal, William A. Bayse, head of the FBI's technical services division, confirmed that the FBI wants real-time remote access to all data, fax, voice and video traffic in the U.S.

I contend that this is more than a mere clarification of the telecom common carrier's responsibility to assist law enforcement (Omnibus Crime and Safe Streets Act of 1968), as the proposal indicates. It is ominous and unreasonably intrusive.

  (a) Providers of electronic communication services and private branch exchange operators shall provide within the United States capability and capacity for the government to intercept wire and electronic communications when authorized by law:
    (1) concurrent with the transmission of the communication to the recipient of the communication;
    (2) in the signal form representing the content of the communication between the subject of the intercept and any individual with whom the subject is communicating, exclusive of any other signal representing the content of the communication between any other subscribers or users of the electronic communication services provider or private branch exchange operator, and including information on the individual calls (including origin, destination and other call set-up information), and services, systems, and features used by the subject of the interception;
    (3) notwithstanding the mobility of the subject of the intercept or the use by the subject of the intercept of any features of the telecommunication system, including, but not limited to, speed-dialing or call forwarding features;
    (4) at a government monitoring facility remote from the target facility and remote from the system of the electronic communication services provider or private branch exchange operator;
    (5) without detection by the subject of the intercept or any subscriber
    (6) without degradation of any subscriber's telecommunications service.

Telecommunication systems are the highway for information exchange between computers around the world. Modifying U.S. telecommunication systems to comply with item (4), in combination with the other items (and parallel government efforts to cripple legal encryption schemes, such as a narrowly defeated FBI rider to Senate Bill 266--sure to be followed by other attempts) would create grave security and privacy risks for any business or individual subscriber to those systems, not to mention the international computer users whose telecom traffic--such as private electronic mail--is unwittingly routed through the U.S.

Given a fertile environment for growth, cyberspace (partial definition: an immersive, interactive communication environment facilitated by computers) might soon be where a majority of commercial and private transactions will occur. A person sitting in New York can already meet and discuss business with another person sitting in San Francisco, in one virtual living room. However, since electronic codes describing these meetings/transactions must travel over wire or optics, exciting advances in sensitive business communications (for highly dynamic cooperation and strategic maneuvers) would most likely be thwarted by fear that competitors or other enemies might wrongfully gain access to that communication via the new remote wire taps.

Why should businesses be paranoid about such eavesdropping? Because a hole for the FBI to plug into would also be available for any other knowledgeable user to plug into. Remote monitoring of all wires would require an extensive system of hardware and/or software tapping devices that could be activated by remote commands. Frank Dzubeck, president of Communications Network Architects, Inc. in Washington, D.C. believes that [for the telephone common carrier portion of the electronic network], in essence, the FBI wants to hook up a leased line from its remote monitoring post to a spare port on the telephone company's switch or the LAN's router or smart hub.
Like it or not, such "back doors" _would_ be discovered, and exploited by people outside of law enforcement--and outside of the U.S.--regardless of threatening fines and prison terms. High tech espionage, extortion, and blackmail would explode with such convenient, uniform information taps available. It is not feasible to create remote monitoring devices for FBI use that cannot be widely abused by other agencies or individuals.

The 4th Amendment to the Bill of Rights does not just bar the government from unreasonable searches. I believe that it also implies that the government should avoid creating an environment that encourages citizens to search each other without permission, and that the citizens have a right to privately communicate (so as to avoid "unreasonable searches" of their ideas).

Imagine the implications if a bill were introduced to instruct the U.S. Post Office and all cargo carriers to provide devices to remotely inspect the contents of all letters and parcels at the leisure of law enforcement officials. Without fail, this hypothetical device would soon arrive in the hands of people outside of law enforcement, and it would be immediately duplicated and sold underground.

A bill might as well be introduced to force everyone to pay for and install remotely activated and government monitored "secure" video cameras in their offices and living rooms. This analogy may sound extreme, but it is valid, given the end-user financial burden from this proposal, the proliferation of computer-facilitated conference meetings, and the sundry attempts by the FBI and NSA to disallow serious encryption algorithm development and use in the U.S.

Encryption restrictions are inextricably linked with digital wire tapping, because the sender must have total control of either the format or the distribution of his/her communications in order to have reasonable electronic privacy.
If both format and distribution are controlled/compromised by others (like the government), then the foundation of electronic privacy crumbles.

Under the guise of regulating international export of encryption technology, the recent State Department / Commerce Department / NSA attempts to legislate inferior encryption standards into wireless communications are just a short step away from similar standards for wired communication. One individual close to the TR45.3 committee reviewing the standards said that at least some of the members were "interested in weak cellular encryption because they considered warrants not to be 'practical' when it came to pursuing drug dealers and other criminals using cellular phones." That attitude does not align with the "minimization" principle of the Omnibus Crime and Safe Streets Act that is touted as the foundation for the new Digital Telephony proposal (to require a warrant for every search, and to avoid monitoring parties that are not listed in that warrant).

The cellular encryption standard pushed by the NSA is so weak that anyone with the right PC-based black box would be able to monitor so-called "secure" cellular conversations in their area. I posit that, given the proposed remote taps, wired communications would suffer a similar indignity, especially as wire tap activation/decryption codes filtered into the hands of non-law-enforcement people.

Such a built-in weakness to communications privacy would not only discourage healthy, competitive growth of companies producing tangible goods and services, but also threaten cutting-edge information-based companies, such as the American Information Exchange (AMIX) in Palo Alto, CA. It does not seem wise to introduce more stumbling blocks into the path of the already ponderous U.S. business economy. Information _is_ the future of business--and the secure exchange of information must be encouraged, rather than discouraged, if the U.S. wants to participate in the astounding growth that can be facilitated by computers.

Ron Rivest (the "R" in RSA, a popular and relatively secure encryption scheme) said, "We have the largest information based economy in the world. We have lots of reasons for wanting to protect information, and weakening our encryption systems for the convenience of law enforcement doesn't serve the national interest."

  (e) The Attorney General shall have exclusive authority to enforce the provisions of subsections (a), (b) and (c) of this section. The Attorney General may apply to the appropriate United States District Court for an order restraining or enjoining any violation of subsection (a), (b) or (c) of this section. The District Court shall have jurisdiction to restrain and enjoin violations of subsections (a) of this section.

  (h) Notwithstanding section 552b of Title 5, United States Code or any other provision of law, the Attorney General or his designee may direct that any Commission proceeding concerning regulations, standards or registrations issued or to be issued under the authority of this section shall be closed to the public.

What is the purpose of this unprecedented step of placing control over certification of telecommunications equipment in the hands of the Attorney General? Why shouldn't the Federal Communications Commission (FCC) remain in control of such certification, as opposed to becoming a rubber stamp? And why should we place the Attorney General in a position to shut down any telecommunications advance without benefit of a public hearing?

  (f) Any person who willfully violates any provision of subsection (a) of this section shall be subject to a civil penalty of $10,000 per day for each day in violation. The Attorney General may file a civil action in the appropriate United States District Court to collect, and the United States District Courts shall have jurisdiction to impose, such fines.

  (g) Definitions--As used in subsections (a) through (f) of this section--
    (1) 'provider of electronic communication service' or 'private branch exchange operator' means any service or operator which provides to users thereof the ability to send or receive wire or electronic communication,

The proposal does not limit itself to new network connections--it also applies to all existing connections. Can our nation's struggling businesses afford to upgrade their computer and PBX networks to be easily, remotely tappable? I think not. Can they afford the resulting $10,000/day fine as soon as the FBI discovers the omission? Not likely. The substantial expense of upgrading equipment would immediately be passed along to the subscribers. What an insult--to be forced to pay for the privilege of being tapped!

In short, the Digital Telephony proposal would encourage abuse of executive branch power. It has the potential to inhibit technological innovation in communications equipment, systems, and services. It could indirectly place certain designs, manufacturers, or types of service at an advantage or a disadvantage, and it places no statutory safeguards against being quietly exploited in this way by someone with favored access to the Attorney General or to the FCC.

What specific changes do I request on the Digital Telephony proposal?

1. Limit the type of data lines that can be tapped to PBX and common-carrier phone lines, so as to not impede the development of other computer communications technology. This would be in line with a "clarification" of the Omnibus Crime and Safe Streets Act.

2. Eliminate the "remote access" capability. Instead of forcing telecom providers to install ubiquitous tapping hardware and/or software equipment that can be accessed via privileged leased telephone lines, have them publish clear documentation completely describing the protocols used on their wires and optics.
The FBI should contract some domestic electronic companies to design, build, maintain, and periodically upgrade a reasonable number of data channel isolation / storage devices that could be temporarily connected on a per-warrant basis to the phone lines, trunks, or hubs that serve the suspects in question. Since the domestic telecommunication companies would not have to engineer a built-in data tap/compromise into their equipment, they would not be put at a disadvantage in the international market because of inferior security or having to maintain dual models (one domestic, one international).

3. Keep lawmaking in Congress where the Constitution--for very good reason--put it. A committee or small advisory office could be established to take input from the Justice Department, establish expertise in the area, and formulate occasional legislation to be submitted through the normal legislative process, in full public view.

Also, if the Justice Department introduces any more legislation (boldly, or surreptitiously as a rider) to regulate or outlaw the domestic use of any type of electronic data encryption, please reject it. The freedom of format and content of speech must be upheld, as well as the author's right to know and limit the forum.

In closing, I would like to quote John Perry Barlow of the Electronic Frontier Foundation, as he echoes my sentiments precisely:

  The legal right to express oneself is meaningless if there is no secure medium through which that expression may travel. By the same token, the right to hold certain unpopular opinions is forfeit unless one can discuss those opinions with others of like mind without the government listening in.

  ... there is a kind of corrupting power in the ability to create public policy in secret while assuring that the public will have little secrecy of its own.

  In its secrecy and technological might, the NSA already occupies a very powerful position.
  And conveying to the Department of Justice what amounts to licensing authority for all communications technology would give it a control of information distribution rarely asserted over English-speaking people since Oliver Cromwell's Star Chamber Proceedings.

  Are there threats, foreign or domestic, which are sufficiently grave to merit the conveyance of such vast legal and technological might? And even if the NSA and FBI may be trusted with such power today, will they always be trustworthy? Will we be able to do anything about it if they aren't?

Sincerely,

Joseph Truitt
53 S. Cragmont Ave.
San Jose, CA 95127
joseph@biocad.com
(my employer does not necessarily share my opinions)

------- End of Forwarded Message

------------------------------

End of Computer Privacy Digest V1 #081
******************************