1995-02-12 - TEMPEST Paper by Former Civilian (2/2)

Header Data

From: nobody@nately.UCSD.EDU (Anonymous)
To: cypherpunks@toad.com
Message Hash: 8ec21a0886e45d34a99d75bb01e6a76bb017fa0eb6552953bbf251bafc67c752
Message ID: <9502120040.AA14089@nately.UCSD.EDU>
Reply To: N/A
UTC Datetime: 1995-02-12 00:37:02 UTC
Raw Date: Sat, 11 Feb 95 16:37:02 PST

Raw message

From: nobody@nately.UCSD.EDU (Anonymous)
Date: Sat, 11 Feb 95 16:37:02 PST
To: cypherpunks@toad.com
Subject: TEMPEST Paper by Former Civilian (2/2)
Message-ID: <9502120040.AA14089@nately.UCSD.EDU>
MIME-Version: 1.0
Content-Type: text/plain



                                IV. CANADIAN LAW
               Canada has taken direct steps to limit eavesdropping on
          computers.    The Canadian  Criminal  Amendment Act  of 1985

          _____________________              

          22.  Interception of Communications Act 1985 § 1, Prohibition on
          Interception:
               (1) Subject to the  following provisions of this section,  a
               person who  intentionally intercepts a communication  in the
               course of its  transmission by post or by  means of a public
               telecommunications system shall be guilty  of an offence and
               liable--
                    (a) on summary  conviction, to a fine not exceeding the
                    statutory maximum;
                    (b) on conviction on indictment,  to imprisonment for a
                    term not exceeding two years or to a fine or to both.
               ***

          23.  Tapping  (aka  trespassatory eavesdropping)  is  patently in
          violation  of the statute.  "The  offense created by section 1 of
          the Interception of Communications Act 1985 covers those forms of
          eavesdropping on computer communications  which involve "tapping"
          the wires along  which messages  are being passed.   One  problem
          which  may  arise,  however,  is  the  question  of  whether  the
          communication in question  was intercepted in  the course of  its
          transmission by  means of a public telecommunications system.  It
          is technically possible  to intercept a communication  at several
          stages in its transmission,  and it may be a question  of fact to
          decide the stage  at which it enters the "public" realm."  THE LAW
          COMMISSION, WORKING PAPER NO. 110: COMPUTER MISUSE, § 3.30 (1988).

          24.  "There are  also forms of  eavesdropping which the  Act does
          not cover.  For  example, eavesdropping on a V.D.U.  [referred to
          in  this text as a CRT] screen  by monitoring the radiation field
          which surrounds it  in order to  display whatever appears on  the
          legitimate  user's  screen on  the  eavesdropper's screen.   This
          activity would not  seem to  constitute any criminal  offence..."
          THE LAW COMMISSION, WORKING PAPER NO. 110: COMPUTER MISUSE, § 3.31
          (1988).

<New Page>
          criminalized indirect access  to a computer service.[25]   The
          specific reference  to an  "electromagnetic device"  clearly
          shows the intent  of the legislature  to include the use  of
          TEMPEST ELINT equipment within the ambit of the legislation.
               The limitation of obtaining "any computer service" does
          lead to  some confusion.   The Canadian legislature  has not
          made  it  clear  whether  "computer  service"  refers  to  a
          computer  service  bureau  or  merely   the  services  of  a
          computer.    If  the  Canadians  had  meant  access  to  any
          computer,  why  did they  refer  to any  "computer service"?
          This  is  especially  confusing  considering  the
          all-encompassing language  of (b)  'any function  of a  computer
          system'.
               Even   if   the   Canadian   legislation   criminalizes
          eavesdropping  on  all  computers,  it  does not  solve  the
          problem  of  protecting  the privacy  of  information.   The
          purpose  of  criminal law  is  to control  crime.[26]   Merely
          making  TEMPEST  ELINT  illegal will  not  control  its use.
          First, because  it  is an  inherently  passive crime  it  is
          impossible to detect and hence punish.  Second, making  this
          form of  eavesdropping  illegal without  taking a  proactive
          stance  in  controlling  compromising emanations  gives  the
          public a false sense of security.   Third, criminalizing the
          possession of a TEMPEST ELINT  device prevents public sector
          research into countermeasures.   Finally,  the law will  not
          prevent eavesdropping on private information held in company
          computers unless  disincentives are given for companies that
          do not take sufficient precautions against eavesdropping and
          simple, more common, information crimes.[27]
          _____________________              

          25.  § 301.2(1) of the  Canadian criminal code states  that anyone
          who:

          ... without color of right,
          (a) obtains, directly or indirectly, any computer service,
          (b)  by  means  of  an  electromagnetic  ...   or  other  device,
          intercepts  or  causes  to  be  intercepted, either  directly  or
          indirectly, any function of  a computer system ... [is  guilty of
          an indictable offence].

          26.  UNITED   STATES   SENTENCING   COMM'N,  FEDERAL   SENTENCING
          GUIDELINES MANUAL (1988) (Principles  Governing the Redrafting of
          the Preliminary Guidelines "g." (at an unknown page)) 

          27.  There has been great debate over  what exactly is a computer
          crime.    There  are  several  schools  of  thought.    The  more
          articulate school, and the one to  which the author adheres holds
          that  the category  computer crime  should be  limited to  crimes
          directed against computers; for example, a terrorist destroying a
          computer  with explosives would fall into  this category.  Crimes
          such as  putting  ghost  employees  on  a  payroll  computer  and

<New Page>

                                  V. SOLUTIONS
               TEMPEST ELINT  is passive.   The  computer or  terminal
          emanates  compromising radiation which is intercepted by the
          TEMPEST device  and reconstructed  into useful  information.
          Unlike conventional  ELINT there  is no  need to  physically
          trespass or even come near the target.  Eavesdropping can be
          performed from a nearby office or even a van parked within a
          reasonable distance.   This means  that there is  no classic
          scene of the crime; and little or  no chance of the criminal
          being discovered in the act.[28]  
               If the crime is discovered it will be ancillary to some
          other  investigation.    For example,  if  an  individual is
          investigated for insider  trading a search of  his residence
          may yield a TEMPEST ELINT device.   The device would explain
          how the defendant was obtaining  insider information; but it
          was the insider trading, not the  device, that gave away the
          crime.
               This  is  especially  true  for illegal  TEMPEST  ELINT
          performed by the state.  Unless the perpetrators are  caught
          in the act  there is  little evidence  of their  spying.   A
          trespassatory bug can be detected and located; further, once
          found it provides tangible evidence that a crime took place.
          A TEMPEST ELINT device by its inherent passive nature leaves
          nothing to detect.   Since the government is less  likely to
          commit an ancillary crime which might be detected there is a
          very small chance  that the spying will  ever be discovered.
          The  only way to  prevent eavesdropping is  to encourage the
          use of  countermeasures: TEMPEST  Certified[29] computers  and
          _____________________              
                                                                           
          collecting their pay are merely  age-old accounting frauds; today
          the  fraud involves a computer because  the records are kept on a
          computer.  The  computer is merely ancillary to  the crime.  This
          has been mislabeled  computer crime and should merely be referred
          to as a fraud perpetrated with  the aid of a computer.   Finally,
          there are information  crimes.  These  are crimes related to  the
          purloining or  alteration of information.  These  crimes are more
          common and more profitable due to  the computer's ability to hold
          and access great amounts of information.   TEMPEST ELINT can best
          be categorized as an information crime.

          28.  Compare, for  example, the  Watergate break-in  in which  the
          burglars  were discovered  when they  returned to  move  a poorly
          placed spread spectrum bug.

          29.  TEMPEST Certified refers  to the  equipment having passed  a
          testing and  emanations regime specified  in NACSIM 5100A.   This
          classified document sets forth the emanations levels that the NSA
          believes digital equipment can give  off without compromising the
          information it  is processing.   TEMPEST  Certified equipment  is
          theoretically secure against TEMPEST eavesdropping.  

<New Page>
          terminals.
               In merely making  TEMPEST ELINT  illegal the public  is
          given the  false impression  of security;  they are lulled  into
          believing  the  problem  has been  solved.    Making certain
          actions illegal does not prevent them  from occurring.  This
          is  especially  true  for  TEMPEST  ELINT  because it  is
          undetectable.  Punishment is an empty  threat if there is no
          chance of being  detected; without detection there can be no
          apprehension and conviction.   The only way  to prevent some
          entity  from eavesdropping  on  one's  computer or  computer
          terminal is  for the equipment not to  give off compromising
          emanations; it must be TEMPEST Certified.
               The United  States can solve  this problem by  taking a
          proactive  stance on compromising  emanations.  The National
          Institute of Standards and Technology  (NIST[30]) is in charge
          of  setting  forth standards  of  computer security  for the
          private  sector.   NIST  is  also charged  with  doing basic
          research to advance the art of computer security.  Currently
          NIST does not discuss TEMPEST with  the private sector.  For
          privacy's sake,  this policy must be changed  to a proactive
          one.  The NIST should publicize  the TEMPEST ELINT threat to
          computer  security and  should set  up a  rating system  for
          level  of  emanations  produced   by  computer  equipment.[31]
          Further,  legislation  should  be  enacted  to  require  the
          labeling  of  all computer  equipment    with  its level  of
          emanations and whether it is TEMPEST Certified.  Only if the
          public  knows of the  problem can it begin  to take steps to
          solve it.
               Title III makes  possession of a surveillance  device a
          crime,  unless  it   is  produced  under  contract   to  the
          government.  This means that  research into surveillance and
          counter-surveillance   equipment   is  monopolized   by  the
          government and a  few companies working under  contract with
          _____________________              
                                                                           
               NACSIM 5100A is  classified, as are all  details of TEMPEST.
          To  obtain  access to  it, a contractor  must prove  that  there is
          demand within  the government for the specific  type of equipment
          that it intends to  certify.  Since  the standard is classified,  the
          contractors can not sell the equipment to non-secure governmental
          agencies or the public.  This prevents reverse engineering of the
          standard  from its physical  embodiment, the  Certified equipment.
          By  preventing  the   private  sector  from  owning   this
          anti-eavesdropping equipment,  the NSA has  effectively prevented
          them from protecting the information in their computers.

          30.  Previously the Bureau of Standards.   The NIST is a division
          of the Commerce Department.

          31.  In this case computer equipment would include all peripheral
          computer equipment.  There is no use in using a TEMPEST Certified
          computer if the printer or the modem are not Certified.

<New Page>
          the government.   If TEMPEST eavesdropping  is criminalized,
          then possession of TEMPEST ELINT equipment will be criminal.
          Unfortunately, this  does  not  solve the  problem.    Simple
          TEMPEST ELINT  equipment is easy  to make.   For just  a few
          dollars  many  older  television  sets  can be  modified  to
          receive and  reconstruct  EMR.    For less  than  a  hundred
          dollars a more  sophisticated TEMPEST ELINT receiver  can be
          produced[32].  
               The  problem  with  criminalizing  the  possession   of
          TEMPEST ELINT equipment is  not just that the law  will have
          little effect on the use of such equipment, but that it will
          have a  negative effect  on counter-measures  research.   To
          successfully   design   counter-measures  to   a  particular
          surveillance  technique  it  is  vital  to have  a  complete
          empirical  understanding   of  how  that   technique  works.
          Without  the right  to  legally manufacture  a  surveillance
          device there is no possible way for a researcher to have the
          knowledge to  produce an effective  counter-measures device.
          It  is  axiomatic:  without  a  surveillance device,  it  is
          impossible to test a counter-measures device.  
               A number of  companies produce  devices to measure  the
          emanations from electrical equipment.  Some of these devices
          are  specifically   designed  for   bench  marking   TEMPEST
          Certified equipment.  This does not  solve the problem.  The
          question  arises:  how   much  radiation  at   a  particular
          frequency  is compromising?  The  current answer is to refer
          _____________________              

          32.  The  NSA  has tried  to  limit the  availability  of TEMPEST
          information to prevent the spread of the devices.
               For a discussion of the  First Amendment and prior restraint
          See, e.g. The United  States of America v. Progressive,  Inc. 467
          F.Supp 990 (1979, WD Wis.)(magazine intended to publish plans for
          nuclear  weapon; prior  restraint injunction  issued),  reh. den.
          United States v. Progressive  Inc. 486 F.Supp 5 (1979,  WD Wis.),
          motion  den  Morland  v. Sprecher  443  US  709 (1979)(mandamus),
          motion denied  United States  v. Progressive,  Inc. 5  Media L  R
          (1979, 7th Cir.), dismd. without op. U.S. v. Progressive, Inc 610
          F.2d 819 (1979, 7th Cir.); New York Times, Co. v.  United States,
          403  U.S.  713 (1971)(per  curiam)(Pentagon Papers  case: setting
          forth prior  restraint standard  which government  was unable  to
          meet); T.  EMERSON, THE SYSTEM  OF FREEDOM OF  EXPRESSION (1970);
          Balance  Between Scientific  Freedom  and  National Security,  23
          JURIMETRICS  J. 1  (1982)(current  laws and  regulations limiting
          scientific and  technical expression exceed the  legitimate needs
          of national security); Hon. M.  Feldman, Why the First  Amendment
          is not Incompatible  with National Security, HERITAGE  FOUNDATION
          REPORTS (Jan.  14, 1987).  Compare Bork,  Neutral Principles  and
          Some First Amendment Problems,  47 IND. L. J. 1  (First Amendment
          applies only to  political speech); G.  Lewy, Can Democracy  Keep
          Secrets, 26  POLICY REVIEW 17  (1983)(endorsing draconian secrecy
          laws mirroring the English system).

<New Page>
          to NACSIM  5100A.   This document  specifies the  emanations
          levels suitable  for Certification.   The  document is  only
          available  to United  States  contractors having  sufficient
          security  clearance  and  an  ongoing  contract  to  produce
          TEMPEST Certified computers  for the  government.   Further,
          the correct levels are specified by the NSA and there  is no
          assurance that, while these levels are sufficient to prevent
          eavesdropping by unfriendly operatives,  equipment certified
          under NACSIM  5100A will have  levels low enough  to prevent
          eavesdropping by the NSA itself.
               The  accessibility  of  supposedly  correct  emanations
          levels  does  not solve  the  problem of  preventing TEMPEST
          eavesdropping.     Access   to  NACSIM   5100A   limits  the
          manufacturer to selling the equipment  only to United States
          governmental  agencies  with  the  need  to  process  secret
          information.[33]  Without  the right to possess  TEMPEST ELINT
          equipment  manufacturers  who  wish to  sell  to  the public
          sector cannot determine what a  safe level of emanations is.
          Further  those  manufacturers with  access  to  NACSIM 5100A
          should  want  to  verify that  the  levels  set  out in  the
          document are, in  fact, low enough to  prevent interception.
          Without an actual  eavesdropping device with which  to test,
          no   manufacturer  will   be   able  to   produce  genuinely
          uncompromising equipment.

               Even if the  laws allow ownership of  TEMPEST Certified
          equipment by the public, and even  if the public is informed
          of  TEMPEST's   threat  to  privacy,   individuals'  private
          information will not necessarily  be protected.  Individuals
          may  choose to  protect their  own information on  their own
          computers.  Companies  may choose  whether to protect  their
          own  private  information.    But  companies that  hold  the
          private information of  individuals must  be forced to  take
          steps to protect that information.
               In  England  the  Data  Protection  Act 1984[34]  imposes
          sanctions   against   anyone   who   stores   the   personal
          information[35] on  a computer  and fails  to take  reasonable
          _____________________              

          33.  For  example, the  NSA has  just recently  allowed the  Drug
          Enforcement Agency (DEA) to  purchase TEMPEST Certified  computer
          equipment.    The DEA  wanted  secure computer  equipment because
          wealthy  drug   lords  were   using   TEMPEST  eavesdropping
          equipment.

          34.  An  Act  to  regulate  the  use of  automatically  processed
          information relating to individuals and the provision of services
          in respect of such information.
               -Data Protection Act 1984, Long Title.

          35.  "Personal data"  means data consisting  of information which
          relates to a  living individual who  can be identified from  that

<New Page>
          measures to prevent disclosure of that information.  The act
          mandates  that  personal  data  may  not  be  stored  in any
          computer  unless  the  computer bureau  or  data  user[36] has
          registered under the  act.[37]    This provides for a  central
          registry  and  the tracking  of  which companies  or persons
          maintain databases of personal information.   Data users and
          bureaux must  demonstrate a  need and  purpose behind  their
          possession of personal data.
               The act  provides tort  remedies to  any person  who is
          damaged by disclosure  of the  personal data.[38]   Reasonable
          care to  prevent the  disclosure  is a  defense.[39]   English
          _____________________              
                                                                           
          information (or from that and other information in the possession
          of the data user), including any  expression of opinion about the
          individual but not any  indication of the intentions of  the data
          user in respect of that individual.
               -Data Protection Act 1984 § 1(3)

          36.  "Data user" means  a person  who holds data,  and a  person
          "Holds" data if --
               (a) the data form part of a collection of  data processed or
               intended to be  processed by or on behalf  of that person as
               mentioned in  subsection (2) above; [subsection  (2) defines
               "data"] and
               (b) that person (either  alone or jointly or in  common with
               other persons)  controls the  contents and  use of  the data
               comprised in the collection; and
               (c) the data are in the form in which  they have been or are
               intended to be processed as mentioned in paragraph (a) above
               or (though not  for the time being  in that form) in  a form
               into which they have been converted after being so processed
               and  with  a  view  to  being  further  so  processed  on  a
               subsequent occasion.
               - Data Protection Act § 1(5).

          37.  Data Protection Act 1984, §§ 4, 5.

          38.  An individual who is the subject of personal data held  by a
          data user... and who  suffers damage by reason of  (1)(c) ... the
          disclosure of the  data, or  access having been  obtained to  the
          data without  such authority as  aforesaid shall  be entitled  to
          compensation from  the data  user... for any  distress which  the
          individual has  suffered  by  reason of  the  ...  disclosure  or
          access.
               - Data Protection Act 1984 § 23.

          39.  ... it shall  be a defense to  prove that ... the  data user
          ...  had  taken  such  care  as  in  all  the  circumstances  was
          reasonably required  to prevent  the... disclosure  or access  in
          question.
               Data Protection Act 1984 § 23(3)

<New Page>
          courts  have not yet  ruled what level  of computer security
          measures  constitute  reasonable  care.     Considering  the
          magnitude of invasion possible with  TEMPEST ELINT it should
          be  clear  by now  that  failure  to use  TEMPEST  Certified
          equipment is prima facie unreasonable care.
               The Remedies section of the  act provides incentive for
          these  entities to provide  successful protection  of personal
          data from disclosure  or illicit access.  Failure to protect
          the data will  result in monetary loss.  This  may be looked
          at from the economic efficiency  viewpoint as allocating the
          cost  of  disclosure to the  persons  most able  to  bear those
          costs, and also most able to prevent disclosure.  Data users
          that  store   personal  data  would  use  TEMPEST  Certified
          equipment as part of their computer security plan, thwarting
          would-be eavesdroppers.  
               The Data Protection  Act 1984  allocates risk to  those
          who can  bear it best and provides  an incentive for them to
          keep other  individuals' data private.   This act  should be
          adopted by the United States as part of a full-spectrum plan
          to combat TEMPEST eavesdropping.  Data users are in the best
          position  to  prevent  disclosure  through  proper  computer
          security.    Only by  making  them  liable for  failures  in
          security can we begin to rein in TEMPEST ELINT.

                                       VII
                                 Recommendations
                 Do not  criminalize TEMPEST ELINT.   Most crimes that
          TEMPEST ELINT would aid, such as insider trading, are already
          illegal; the current laws are adequate.
                 The  National Institute of  Standards and  Technology
          should immediately begin  a program  to educate the  private
          sector about TEMPEST.  Only if  individuals are aware of the
          threat  can  they  take  appropriate precautions  or  decide
          whether any precautions are necessary.
                   Legislation  should  be   enacted  to  require  all
          electronic  equipment to  prominently display  its level  of
          emanations  and  whether  it  is   TEMPEST  Certified.    If
          individuals are to choose to protect themselves they must be
          able  to  make  an informed   decision  regarding  how  much
          protection is enough.
                 TEMPEST  Certified equipment  should be available  to
          the private  sector.   The current  ban on  selling to  non-
          governmental  agencies  prevents  individuals  who  need  to
          protect information from having the technology to do so.
                 Possession of  TEMPEST ELINT equipment should  not be
          made  illegal.   The  inherently  passive nature  and simple
          design  of  TEMPEST ELINT  equipment  means that  making its
          possession illegal  will not deter  crime; the units  can be
          easily manufactured and are impossible  to detect.  Limiting
          their   availability   serves   only   to   monopolize   the
          countermeasures research, information, and equipment for the
          government;   this   prevents   the  testing,   design   and

<New Page>
          manufacture of counter-measures by the private sector.
                 Legislation mirroring  England's Data Protection  Act
          1984 should be  enacted.  Preventing disclosure  of personal
          data  can  only be  accomplished  by giving  those companies
          holding the data a reason to protect  it.  If data users are
          held liable for  their failure  to take reasonable  security
          precautions they  will  begin to  take  reasonable  security
          precautions,  including   the  use   of  TEMPEST   Certified
          equipment.

-------------------------------------------------------------------------
To find out more about the anon service, send mail to help@anon.penet.fi.
Due to the double-blind, any mail replies to this message will be anonymized,
and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to admin@anon.penet.fi.






