1995-02-12 - TEMPEST Paper by Former Civilian (1/2)

Header Data

From: nobody@nately.UCSD.EDU (Anonymous)
To: cypherpunks@toad.com
Message Hash: b49ab7350a57e2c3ae8cde45140c4c918dcad3a480b096b71492f36dd11c2ce3
Message ID: <9502120100.AA14610@nately.UCSD.EDU>
Reply To: N/A
UTC Datetime: 1995-02-12 00:57:12 UTC
Raw Date: Sat, 11 Feb 95 16:57:12 PST

Raw message

From: nobody@nately.UCSD.EDU (Anonymous)
Date: Sat, 11 Feb 95 16:57:12 PST
To: cypherpunks@toad.com
Subject: TEMPEST Paper by Former Civilian (1/2)
Message-ID: <9502120100.AA14610@nately.UCSD.EDU>
MIME-Version: 1.0
Content-Type: text/plain



For those interested in TEMPEST, below is a draft paper written 5 years ago
by Christopher Seline.  Mr Seline's new E-mail address ends with
"DOCKMASTER.NCSC.MIL",  so any attempts to query him about TEMPEST are
guaranteed to go unanswered.  I hope he still feels the same about TEMPEST
now that he has changed employers.  
 

Date: Fri, 19 Jan 90 19:13:44 -0500
From: cjs%cwru@cwjcc.ins.cwru.edu (Christopher J. Seline (CJS@CWRU.CWRU.EDU))

The following is a prepublication draft of an article on TEMPEST.  I am posting
it to this news group in the hope that it will:
        (1) stimulate discussion of this issue;
        (2) expose any technical errors in the document;
        (3) solicit new sources of information;
        (4) uncover anything I have forgotten to cover.

I will be unable to monitor the discussions of the article.  Therefore, PLEASE
post your comments to the news group BUT SEND ME A COPY AT THE ADDRESS LISTED
BELOW.

I have gotten a number of mail messages about the format of this
article.  Some explanation is in order:  The numbered paragraphs
following "____________________" on each page are footnotes.  I suggest
printing out the document rather than reading it on your CRT.

Thank you in advance.

Christopher Seline
cjs@cwru.cwru.edu
cjs@cwru.bitnet

(c) 1990 Christopher J. Seline
=============================================================================
<Start Print Job>
<New Page>
                                Eavesdropping On 
                         the Electromagnetic Emanations 
                              of Digital Equipment:
                               The Laws of Canada,
                          England and the United States

                           This  document is  a rough
                           draft.        The    Legal
                           Sections  are   overviews.
                           They   will   be
                           significantly expanded  in
                           the next version.

               We in this country, in this generation, are -- by
               destiny rather than choice -- the watchmen on the
               walls of world freedom.[1]
                                             -President John F. Kennedy

          _____________________              

          1.  Undelivered  speech  of  President  John  F.  Kennedy, Dallas
          Citizens Council (Nov. 22, 1963) 35-36.

<New Page>
                    In the novel 1984, George Orwell foretold a future
          where individuals had no expectation  of privacy because the
          state monopolized the technology of  spying.  The government
          watched the actions of its subjects from birth to death.  No
          one could protect himself because  surveillance and counter-
          surveillance technology was controlled by the government.
               This note explores  the legal status of  a surveillance
          technology  ruefully  known  as  TEMPEST[2].    Using  TEMPEST
          technology  the  information in  any  digital device  may be
          intercepted  and  reconstructed  into   useful  intelligence
          without the  operative ever having to come  near his target.
          The technology is  especially useful in the  interception of
          information  stored  in  digital computers  or  displayed on
          computer terminals.
               The use of TEMPEST is not illegal under the laws of the
          United  States[3],  or  England.    Canada has  specific  laws
          criminalizing TEMPEST eavesdropping but the  laws do more to
          hinder surveillance countermeasures than to prevent  TEMPEST
          surveillance.  In  the United  States it is  illegal for  an
          individual  to  take   effective  counter-measures   against
          TEMPEST surveillance.  This  leads to the conundrum that  it
          is legal  for individuals and  the government to  invade the
          privacy of others but illegal for  individuals to take steps
          to protect their privacy.
               The author would  like to suggest that the  solution to
          this   conundrum   is  straightforward.      Information  on
          _____________________              

          2.  TEMPEST  is an  acronym for  Transient Electromagnetic  Pulse
          Emanation Standard.   This standard sets forth the official views
          of the United  States on the amount  of electromagnetic radiation
          that a device may emit without compromising the information it is
          processing.   TEMPEST  is  a defensive  standard; a  device which
          conforms to this standard is referred to as TEMPEST Certified.
               The United States  government has refused to  declassify the
          acronym  for  devices  used   to  intercept  the  electromagnetic
          information of  non-TEMPEST Certified  devices.   For this  note,
          these  devices  and  the  technology  behind  them  will  also be
          referred  to as  TEMPEST;  in  which  case,  TEMPEST  stands  for
          Transient Electromagnetic Pulse Surveillance Technology.
               The  United  States  government refuses  to  release details
          regarding TEMPEST and continues an organized effort to censor the
          dissemination of  information  about it.    For example  the  NSA
          succeeded in shutting  down a  Wang Laboratories presentation  on
          TEMPEST Certified equipment  by classifying  the contents of  the
          speech and threatening  to prosecute  the speaker with  revealing
          classified information.  [cite coming].  

          3.  This  Note  will not  discuss   how  TEMPEST relates  to  the
          Warrant Requirement under  the United  States Constitution.   Nor
          will it discuss the Constitutional exclusion of foreign nationals
          from the Warrant Requirement. 

<New Page>
          protecting  privacy  under  TEMPEST should  be  made  freely
          available;  TEMPEST  Certified equipment  should  be legally
          available; and organizations possessing  private information
          should  be  required  by  law  to protect  that  information
          through  good  computer security  practices  and the  use of
          TEMPEST Certified equipment.

                            I. INTELLIGENCE GATHERING
               Spying is divided by professionals into two main types:
          human   intelligence   gathering  (HUMINT)   and  electronic
          intelligence gathering (ELINT).  As  the names imply, HUMINT
          relies   on   human   operatives,   and  ELINT   relies   on
          technological operatives.   In the past HUMINT  was the sole
          method  for collecting intelligence.[4]   The HUMINT operative
          would  steal  important  papers, observe  troop  and  weapon
          movements[5],  lure people  into  his confidences  to  extract
          secrets,  and   stand  under   the  eavesdrip[6]   of  houses,
          eavesdropping on the occupants.  
               As  technology  has progressed,  tasks that  once could
          only  be  performed  by  humans  have  been  taken  over  by
          machines.  So  it has  been with spying.   Modern  satellite
          technology allows troop and weapons movements to be observed
          with greater  precision and  from greater  distances than  a
          human  spy  could ever  hope to  accomplish.   The  theft of
          documents  and  eavesdropping on  conversations  may now  be
          performed electronically.  This means greater safety for the
          human operative, whose  only involvement may be  the placing
          of  the  initial  ELINT  devices.    This  has  led  to  the
          ascendancy of ELINT  over HUMINT  because the placement  and
          _____________________              

          4.  HUMINT  has  been  used  by  the   United  States  since  the
          Revolution.   "The necessity  of procuring  good intelligence  is
          apparent &  need not be further urged --  All that remains for me
          to add is, that you keep the  whole matter as secret as possible.
          For  upon Secrecy,  Success depends  in Most  Enterprises of  the
          kind, and for  want of it,  they are generally defeated,  however
          well planned &  promising a favorable  issue."  Letter of  George
          Washington (Jul. 26, 1777).

          5.  "... I wish  you to take every possible pains in your powers,
          by  sending  trusty persons  to  Staten  Island in  whom  you can
          confide,  to  obtain  Intelligence  of  the Enemy's  situation  &
          numbers --  what kind of  Troops they are,  and what  Guards they
          have -- their strength & where posted."  Id.

          6.  Eavesdrip is  an Anglo-Saxon  word,  and refers  to the  wide
          overhanging eaves used  to prevent rain  from falling close to  a
          house's foundation.   The eavesdrip  provided "a sheltered  place
          where  one  could hide  to  listen clandestinely  to conversation
          within the house."   W. MORRIS & M. MORRIS,  MORRIS DICTIONARY OF
          WORD AND PHRASE ORIGINS, 198 (1977).

<New Page>
          monitoring of ELINT devices may be performed by a technician
          who has  no training  in the  art of spying.   The  gathered
          intelligence  may be  processed by  an intelligence  expert,
          perhaps  thousands of  miles  away, with  no  need of  field
          experience.  
               ELINT has a number of other advantages over HUMINT.  If
          a  spy is caught his existence could embarrass his employing
          state and he could  be forced into giving up  the identities
          of his compatriots  or other important information.   By its
          very nature, a discovered ELINT device (bug)  cannot give up
          any information; and the ubiquitous  nature of bugs provides
          the  principal  state  with the  ability  to  plausibly deny
          ownership or involvement.
               ELINT   devices   fall  into   two   broad  categories:
          trespassatory  and  non-trespassatory.   Trespassatory  bugs
          require some type of trespass in order for them to function.
          A transmitter  might require  the physical  invasion of  the
          target  premises  for placement,  or  a microphone  might be
          surreptitiously attached  to  the outside  of a  window.   A
          telephone transmitter can  be placed  anywhere on the  phone
          line, including at the  central switch.  The trespass  comes
          either when it is physically attached  to the phone line, or
          if it is  inductive, when placed  in close proximity to  the
          phone line.   Even microwave  bugs require the  placement of
          the resonator cone within the target premises.[7]
               Non-trespassatory  ELINT  devices  work   by  receiving
          electromagnetic radiation (EMR) as  it radiates through  the
          aether, and do not  require the placement of bugs.   Methods
          include intercepting[8] information transmitted  by satellite,
          microwave, and  radio, including mobile  and cellular  phone
          transmissions.   This information was  purposely transmitted
          with the intent that  some intended person or  persons would
          receive it.  
               Non-trespassatory ELINT also includes  the interception
          of information that  was never  intended to be  transmitted.
          All electronic devices emit electromagnetic radiation.  Some
          of  the  radiation,  as  with radio  waves,  is  intended to
          transmit  information.    Much  of  this  radiation  is  not
          intended to transmit information and is merely incidental to

          _____________________              

          7.  Pursglove, How  Russian Spy  Radios Work,  RADIO ELECTRONICS,
          89-91 (Jan 1962).

          8.  Interception  is  an  espionage  term of  art  and  should be
          differentiated from  its more common usage.   When information is
          intercepted, the interceptor  as well  as the intended  recipient
          receive the information.  Interception when not used as a term of
          art refers to one person receiving something intended for someone
          else; the intended recipient never receives what he  was intended
          to receive.

<New Page>
          whatever  work  the  target  device  is performing.[9]    This
          information  can be  intercepted  and reconstructed  into  a
          coherent  form.    With  current  TEMPEST technology  it  is
          possible to  reconstruct  the  contents  of  computer  video
          display  terminal  (VDU)  screens  from  up to  a  kilometer
          distant[10];  reconstructing  the  contents  of  a  computer's
          _____________________              

          9.  There are  two types  of emissions,  conducted and  radiated.
          Radiated  emissions are formed  when components or  cables act as
          antennas to  transmit the EMR; when radiation is conducted  along
          cables or other connections but not radiated it is referred to as
          "conducted".  Sources  include cables,  the ground loop,  printed
          circuit boards, internal  wires, the power  supply to power  line
          coupling, the cable to cable coupling, switching transistors, and
          high-power  amplifiers.    WHITE  &  M. MARDIGUIAN,  EMI  CONTROL
          METHODOLOGY AND PROCEDURES, § 10.1 (1985).
               "[C]ables  may act  as an  antenna to  transmit the  signals
          directly  or  even  both  receive the  signals  and  re-emit them
          further away  from the  source equipment.   It  is possible  that
          cables acting as an  antenna in such a manner could  transmit the
          signals  much  more  efficiently than  the  equipment  itself...A
          similar  effect  may occur  with metal  pipes  such as  those for
          domestic water supplies. ...  If an earthing [(grounding)] system
          is  not installed  correctly such  that there  is a  path  in the
          circuit  with a  very high  resistance (for  example  where paint
          prevents  conduction and  is acting  as an  insulator), then  the
          whole earthing  system could well act in  a similar fashion to an
          antenna. ...   [For a  VDU] the strongest  signals, or  harmonics
          thereof, are  usually between  60-250 MHz  approximately.   There
          have  however  been  noticeable  exceptions of  extremely  strong
          emissions  in  the  television bands  and  at  higher frequencies
          between 450-800  MHz."  Potts, Emission Security, 3  COMPUTER LAW
          AND SECURITY REPORT 27 (1988).

          10.  The TEMPEST ELINT operator can distinguish between different
          VDUs  in   the   same  room   because   of  the   different   EMR
          characteristics of both  homo and heterogeneous units.   "[T]here
          is little comparison  between EMR characteristics  from otherwise
          comparable equipment.   Only if the  [VDU] was made with  exactly
          the  same components  is there  any similarity.   If some  of the
          components have come from a different batch, have been updated in
          some   way,  and  especially   if  they  are   from  a  different
          manufacturer, then completely different results are obtained.  In
          this way a  different mark or version of the same [VDU] will emit
          different  signals.   Additionally  because  of the  variation of
          manufacturing standards between countries, two [VDUs] made by the
          same  company  but  sourced  from  different countries will  have
          entirely different EMR signal characteristics...From this  it may
          be thought that there is such a jumble of emissions  around, that
          it would not be possible to isolate those from any one particular
          source.  Again, this is not the case.  Most received signals have

<New Page>
          memory or the contents  of its mass storage devices  is more
          complicated and must be performed  from a closer distance.[11]
          The reconstruction  of information  via EMR,  a process  for
          which the  United States  government  refuses to  declassify
          either  the  exact  technique or  even  its  name[12], is  not
          limited to computers  and digital devices but  is applicable
          to  all devices  that generate  electromagnetic radiation.[13]
          TEMPEST is  especially effective  against VDUs  because they
          produce a very high level of EMR.[14]
          _____________________              
                                                                           
          a  different  line synchronization,  due  to  design, reflection,
          interference or  variation of component  tolerances.  So  that if
          for  instance  there  are three  different  signals  on the  same
          frequency  ...  by  fine  tuning  of  the  RF  receiver,  antenna
          manipulation  and modification  of  line synchronization,  it  is
          possible to lock onto each of the three signals separately and so
          read  the  screen information.    By  similar techniques,  it  is
          entirely  possible  to discriminate  between individual  items of
          equipment in the same room."  Potts, supra note 9.
               For  a discussion  of  the TEMPEST  ELINT  threat See  e.g.,
          Memory Bank, AMERICAN BANKER 20 (Apr 1 1985); Emissions from Bank
          Computer Systems  Make Eavesdropping Easy,  Expert Says, AMERICAN
          BANKER  1  (Mar  26 1985);  CRT  spying:  a  threat to  corporate
          security, PC WEEK (Mar 10 1987).

          11.  TEMPEST is  concerned  with  the  transient  electromagnetic
          pulses formed  by digital  equipment.   All electronic  equipment
          radiates  EMR  which  may be  reconstructed.    Digital equipment
          processes information as 1's and 0's--on's  or off's.  Because of
          this, digital equipment  gives off pulses  of EMR.  These  pulses
          are easier to  reconstruct at a  distance than the non-pulse  EMR
          given off by  analog equipment.   For a thorough discussion of the
          radiation  problems  of  broadband digital  information  see e.g.
          military standard MIL-STD-461   REO2; White supra note 9, § 10.2.

          12.  See supra note 2.

          13.       Of special interest  to ELINT  collectors are EMR  from
          computers,  communications   centers  and  avionics.     Schultz,
          Defeating Ivan with TEMPEST, DEFENSE ELECTRONICS 64 (June 1983). 

          14.     The  picture on  a  CRT screen  is  built up  of  picture
          elements  (pixels) organized  in lines  across the  screen.   The
          pixels  are made  of material  that fluoresces  when struck  with
          energy.  The energy is produced by a beam of electrons fired from
          an electron gun  in the back of  the picture tube.   The electron
          beam scans the screen of the  CRT in a regular repetitive manner.
          When the voltage of the beam is high then the pixel it is focused
          upon  emits  photons and  appears as  a  dot on  the screen.   By
          selectively firing  the gun as  it scans across  the face of  the
          CRT, the pixels form characters on the CRT screen.
<New Page>
               ELINT is not limited to  governments.  It is  routinely
          used by  individuals for  their  own purposes.   Almost  all
          forms of ELINT are  available to the individual with  either
          the technological  expertise or  the money  to hire  someone
          with  the  expertise.     Governments   have  attempted   to
          criminalize all use  of ELINT by their  subjects--to protect
          the privacy of both the government and the population.

                              II. UNITED STATES LAW
               In the United States, Title III of  the Omnibus Streets
          and Crimes Act of 1968[15] criminalizes trespassatory ELINT as
          the intentional interception  of wire communications.[16]   As
          originally  passed,   Title  III   did  not  prohibit   non-

          _____________________              
                                                                           
               The pixels  glow for  only a  very  short time  and must  be
          routinely struck by the electron beam  to stay lit.  To  maintain
          the light output of  all the pixels that are supposed  to be lit,
          the electron beam traverses  the entire CRT screen sixty  times a
          second.   Every time the beam fires it  causes a high voltage EMR
          emission.  This EMR  can be used  to reconstruct the contents  of
          the  target CRT  screen.   TEMPEST  ELINT  equipment designed  to
          reconstruct the information synchronizes its  CRT with the target
          CRT.  First, it uses the EMR to synchronize its electron gun with
          the electron gun in the target CRT.  Then, when the TEMPEST ELINT
          unit detects EMR indicating that the target CRT fired on a pixel,
          the TEMPEST ELINT  unit fires the electron  gun of its CRT.   The
          ELINT CRT is in perfect synchronism with the target CRT; when the
          target lights a pixel, a corresponding pixel on the TEMPEST ELINT
          CRT  is lit.  The exact picture on  the target CRT will appear on
          the TEMPEST ELINT  CRT.  Any changes on the target screen will be
          instantly reflected in the TEMPEST ELINT screen. 
               TEMPEST Certified equipment gives off emissions  levels that
          are too faint to  be readily detected.  Certification  levels are
          set   out  in   National   Communications  Security   Information
          Memorandum  5100A   (NACSIM  5100A).    "[E]mission   levels  are
          expressed in the time  and frequency domain, broadband or  narrow
          band  in terms of the frequency domain, and in terms of conducted
          or radiated emissions."  White, supra, note 9, § 10.1.
               For a  thorough  though purposely  misleading discussion  of
          TEMPEST ELINT see  Van Eck, Electromagnetic Radiation  from Video
          Display units: An Eavesdropping Risk?, 4 Computers & Security 269
          (1985).

          15.   Pub. L.  No. 90-351,  82 Stat. 197.   The Act  criminalizes
          trespassatory  ELINT  by  individuals  as  well  as  governmental
          agents.  cf.  Katz v. United States, 389 U.S. 347  (1967) (Fourth
          Amendment prohibits surveillance by government not individuals.) 

          16.  18 U.S.C. § 2511(1)(a).

<New Page>
          trespassatory  ELINT,[17] because  courts found  that non-wire
          communication lacked any expectation of privacy.[18]   The
          Electronic Communications  Privacy  Act  of  1986[19]  amended
          Title  III  to  include non-wire  communication.    ECPA was
          specifically  designed  to include  electronic  mail, inter-
          computer  communications,  and  cellular  telephones.     To
          accomplish  this,  the  expectation  of  privacy   test  was
          eliminated.[20]
               As  amended, Title  III  still outlaws  the  electronic
          interception of  communications.  The  word "communications"
          indicates  that   someone  is   attempting  to   communicate
          something to someone; it  does not refer to the  inadvertent
          transmission   of   information.       The   reception   and
          reconstruction of emanated transient  electromagnetic pulses
          (ETEP), however, is based on  obtaining information that the
          target does  not  mean to  transmit.   If  the ETEP  is  not
          intended as communication, and  is therefore not transmitted
          in a form approaching current communications protocols, then
          it can not  be considered communications as  contemplated by
          Congress  when  it   amended  Title  III.     Reception,  or
          interception, of emanated  transient electromagnetic  pulses
          is not criminalized by Title III as amended.

                                III. ENGLISH LAW
               In  England  the  Interception  of  Communications  Act
          1985[21] criminalizes the tapping of  communications sent over

          _____________________              

          17.  United States v. Hall,  488 F.2d 193 (9th Cir.  1973) (found
          no legislative history  indicating Congress  intended the act  to
          include radio-telephone conversations).  Further,  Title III only
          criminalized  the interception  of  "aural" communications  which
          excluded all forms of computer communications.  

          18.  Willamette  Subscription Television  v.  Cawood, 580  F.Supp
          1164 (D. Or. 1984) (non-wire communications lacks any expectation
          of privacy).

          19.  Pub. L. No. 99-508, 100 Stat. 1848 (codified at 18 U.S.C. §§
          2510-710) [hereinafter ECPA].

          20.  18 U.S.C. § 2511(1)(a) criminalizes the interception of "any
          wire,  oral  or electronic  communication"  without regard  to an
          expectation of privacy.

          21.  Interception of Communications Act 1985,  Long Title, An Act
          to make new provision for and in connection with the interception
          of  communications  sent   by  post   or  by   means  of   public
          telecommunications  systems  and  to  amend  section  45  of  the
          Telecommunications Act 1984.

<New Page>
          public  telecommunications  lines.[22]   The  interception  of
          communications on  a telecommunication line  can take  place
          with a physical tap on the line, or the passive interception
          of microwave or  satellite links.[23]  These  forms of passive
          interception  differ  from TEMPEST  ELINT  because  they are
          intercepting   intended    communication;   TEMPEST    ELINT
          intercepts unintended  communication.  Eavesdropping  on the
          emanations  of  computers does  not  in any  way  comport to
          tapping a telecommunication line and therefore falls outside
          the scope of the statute.[24]

-------------------------------------------------------------------------
To find out more about the anon service, send mail to help@anon.penet.fi.
Due to the double-blind, any mail replies to this message will be anonymized,
and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to admin@anon.penet.fi.






