From: Matt Thomlinson <phantom@u.washington.edu>
Date: Sun, 27 Mar 94 02:04:16 PST
To: cypherpunks@toad.com
Subject: NewMedia article, April 1994
Message-ID: <Pine.3.89.9403270327.A7890-0100000@stein1.u.washington.edu>
MIME-Version: 1.0
Content-Type: text/plain


Just got this in the mail, and flipping through it I saw a decent article 
(with quotes from our own prolific Tim May!). Any mistakes are probably 
OCR errors -- it's 3am and time to go to bed. _You_ proof it!



Privacy in the Digital Age
by Curtis Lang
NewMedia, April 1994

Welcome to the digital frontier, where network by network, metaphor by 
metaphor, a splendid, global, multimedia palace is being built through 
trial and error. You won't need to take a long and winding road to this 
frontier, though, it's coming soon to your home. You'll know it has arrived 
when you can read messages on your telephone, have a dialogue with your 
television and watch beautiful movies on your PC. 
AT&T has already established a giant encampment on this digital frontier, 
and it is now concentrating on building a virtual community. In 
advertisements, the company paints seductive pictures of fully wired--and 
wireless--consumers interacting in the cyberspace equivalent of 
Hemingway's dean, well-lighted place. A happy couple in a jumbo kitchen 
uses a computerized telephone to take and receive electronic messages and 
make reservations for the ball game. A nomadic businessman in an airport 
shuttle bus tells his PDA how much he's willing to spend on a used car for 
his son, what makes he prefers and the maximum acceptable mileage. He 
sends his PDA on a shopping trip around the region with a single touch. It 
all sounds thrilling--empowering for consumers and businesses alike. But 
in the 21st-century world of interactive television, broadband Internet 
access and ubiquitous multipurpose communications gizmos, every 
message you send and each dollar you spend could be an unbidden 
messenger as well. Electronic traces of your passage will remain in data 
banks of cable, telephone and on-line service providers. And the 
government wants to install a trap door in software and hardware used to 
encrypt messages and data from medical smart cards, IRS records, digital 
cash transfers and plain old e-mail. These databases will be digital gold in 
the world of direct marketing, where vendors and advertisers will tailor 
special offers to individuals based upon this information and deliver 
coupons that will issue from your smart cable TV set-top box What's to 
prevent unscrupulous third parties--or underpaid government workers with 
access to the software trap door--from obtaining information that could be 
used to harm consumers? Not much, judging from stories like that of 
black-data buccaneer Al Schweitzer, who bought and sold confidential 
government files for a living (see "Penetrating Uncle Sam's Data," page 
68). Unless government agencies, infrastructure suppliers, software 
wizards and producers of programming can guarantee privacy in the 
rapidly expanding web of cyberspace, it may be impossible for the trust 
upon which a virtual community depends to develop sufficiently to make 
the grand digital experiment a success. Without this assurance there will 
be no secure business communications, and the kind of transactional data 
that is currently gathered by insurance firms, credit companies and banks 
might fall into the hands of anyone with the skills to track it across the 
global network Security of transactions over cable networks is already a 
concern to American consumers, according to surveys by Viacom Cable 
and others. And the lack of secure transaction methods may already be 
hampering buying and selling via modem. Consumer's unwillingness to 
put it on their Visa when traveling in cyberspace has slowed public 
acceptance of such services as American Airlines' Easy Sabre ticket 
service, available on Prodigy, America Online and other on-line services. 
Consumers, like businesses, are eager to take advantage of the digital 
highway, but they are leery of financial data and other sensitive 
information falling into the wrong hands. 

ENCRYPTION MAY BE THE KEY
When you make a phone call or send a letter, you can be fairly certain that 
the contents of your communications will remain private. Such trust 
makes our postal and phone systems possible. AT&T hopes to give 
customers that same sense of security about wireless communications. It is 
the first company to implement General Magic's new Telescript 
communications software in its PersonaLink Services, which will be the 
foundation for AT&T's multimedia web of services that include smart 
messaging, electronic shopping and custom news delivery. "Telescript. .is 
a technology which creates something called agent-based 
communication," explained Marc Porat, chairman and CEO of General 
Magic, at a winter conference on electronic consumer appliances in New 
York Such software agents will be able to travel throughout wired and 
wireless networks searching for information, like-minded individuals or 
bargain prices on PCs. Agents will act as your virtual doorman, your 
e-mail bozo filter, tossing mail on subjects you nix into the trash. "General 
Magic is a really good idea," contends Jerry Michalski of the industry 
newsletter, Release l.a "You can create a little agent that .[will] go out 
there and look for things for you. Let's say you're a stamp collector--it can 
look for a particular kind of stamp, or a bubble-gum card or whatever, and 
maybe even buy the thing for you automatically. Now, gosh, you're 
putting that up on AT&T's network. They could find out within very small 
fractions of activity what you're doing, what your preferences are, what 
kind of agents you've decided to broadcast into the world. So you're only 
going to do that if you have some kind of confidence that they're not 
going to misuse that information." To that end, AT&T and General Magic 
intend to set up "trusted spaces," secure virtual meeting rooms where your 
agent can meet with another agent, representing a vendor or an individual, 
and communicate, shop, cut deals or consummate business transactions 
free from prying software. But what about the security of these networks? 
And how will you know the identity of the entity lurking behind the vir-
tual agent that your virtual agent is schmoozing up in supposedly secure 
cyberspace? "Most wireless communications systems are security 
nightmares," says Jim Bidzos, president of RSA Data Security Inc., a 
giant in the global cryptography business. "They have no real encryption, 
no authentication.... General Magic realized that for a lot of people, 
wireless services of any kind simply can't be trusted. So they built RSA 
encryption and authentication services right into the foundation of 
Telescript and Magic Cap [the interface for General Magic's PDA]." 

A DIFFERENT VIEW
Advocates of civil liberties such as the cypherpunks, the grassroots 
encryption experts who have developed widely distributed personal 
encryption shareware for e-mail, worry that even in such a 
security-conscious system, the government will find a way to snoop. They 
see alternatives to AT&T's vision of tomorrow. "The issue of digital 
money is going to be key," argues Tim May, "so that people can buy 
access codes." May, formerly a physicist with Intel and one of the most 
visible cypherpunks, envisions a future in which digital cash is used for 
most transactions. In such a system encryption schemes would be floating 
through the computer community that could make most financial 
transactions virtually untraceable. "Imagine a satellite dish on your roof," 
he continues. "You decide to buy an X-rated movie, and you don't want 
records kept of that on your monthly bill. [There will be] mechanisms by 
which you can buy 'coupons' that are usable on a one-time basis to decrypt 
a packet, and the vendor of the service--say, the seller of the X-rated 
movie--has no idea that you, in particular, are decrypting his packet. I 
think that'll be essential." 

DO YOU TRUST UNCLE SAM?
After months of review, during which a torrent of digital complaints 
flooded the White House from multinational corporations, the Software 
Publishers Association, cypherpunks and civil libertarians, President 
Clinton announced that he wants the National Security Agency (NSA) to 
implement secret standards for encryption to be used in computerized 
communications systems to facilitate e-mail surveillance.     The 
Computer Security Act of 1987 mandated that the National Institute of 
Standards and Technology (NIST), a civilian agency, develop appropriate 
standards for digital communications networks. At the time it was clear 
that there would be a need for digital envelopes (cryptography), digital 
signatures and other technologies to provide security and enable legally 
enforceable digital transactions on the Internet, and eventually across 
fiber-optic cables and wireless systems connected to telephones, 
computers, TVs and PDAs. However, during the Bush administration, a 
series of executive orders placed authority for developing those standards 
in the hands of the NSA, America's largest and most secretive spy 
organization, which has a checkered history that includes large-scale 
illegal surveillance of Americans. Thus it was no surprise that the agency's 
proposal to provide digital encryption systems focused on easy wiretap 
surveillance rather than privacy, security and other civilian needs. The 
NSA produced a 64-bit encryption algorithm, classified "Secret" and 
called Skipjack The NSA declined to make the algorithm public, 
prompting concern that, given the NSA's track record, there might be a 
"trap door" in Skipjack that would allow secret surveillance of all 
Skpjack-encoded messages. In April 1993, the White House outlined 
plans for a microcircuit called the Clipper chip, which would scramble 
telephone conversations. Each chip, encoded with Skipjack, would 
generate an encryption session key, a chip unique key and a chip family 
key, all of which are sent to the receiver. The White House asks users to 
register their chip unique key with the government, which will then split 
each key into two parts and "escrow" the parts with two different 
agencies, so that law enforcement agencies can unscramble suspects' 
messages. 

SURVEILLANCE ON THE UPSWING
The White House claims that the system would be used by government 
officials with legal authorization to conduct wiretaps and thus represents 
no intensification of government surveillance. But in NIST's letter inviting 
five hand-picked cryptography experts to do a quick survey of Skipjack, 
the agency says that key components will be made available "only to 
authorized government officials under proper legal authorizations, usually 
a court order." They said usually, not always. The distinction was not 
accidental. For the last several years, the FBI has been increasing its 
surveillance of all Americans at a dizzying pace as part of a 
mind-boggling expansion of its powers and activities. This includes 
increased access to computerized data on Americans, which now often no 
longer requires a court order to be accessed. The Bush average of 332 
wiretap applications per year was double that of the Reagan 
administration, and state agencies' wiretaps also increased during the Bush 
years. Despite the rapid increase of such requests, wiretaps are far from 
widespread, and according to the June 1993 issue of the Privacy Journal, 
the FBI has publicized no instances in which its investigations were 
hampered because a suspect had used encrypted e-mail or other digital 
security devices. The Clinton administration asked for an amendment to 
the Fair Credit Reporting Act that would allow the FBI to obtain credit 
information, without a court order, by issuing a "national security letter." 
The rationale is that although the FBI has access to your bank records, it 
will not know which banks' records to obtain without ready access to your 
credit reports, as David MacMichael reports in the National Security 
Alumni Association Magazine, Unclassified (October/November 1993). 



OPERATION ROOT CANAL
Meanwhile, the FBI continues to move forward with "Operation Root 
Canal," also known as the 1992 Digital Telephony Proposal, which 
encourages service and equipment providers to design their computerized 
systems in such a way that the government can easily "obtain the plain 
text contents of voice, data and other communications," according to FBI 
memoranda obtained by the nonprofit Computer Professionals for Social 
Responsibility (CPSR) from the Commerce Department in November of 
last year. The threat of the Digital Telephony Proposal to 
telecommunications companies is very real. CPSR reported that Rep. Jack 
Brooks, a Texas Democrat, said that Root Canal "could obstruct or distort 
telecommunications technology development by limiting fiber optic 
transmission, ISDN, digital cellular services and other technologies until 
they are modified...and could impair the security of business 
communications. .could facilitate not only lawful government 
interception, but unlawful interception by others [and] could impose on 
industries' ability to offer new services and technologies." And the NSA, 
which oversees export-control regulations of weapons of war--including 
encryption products--has signaled its intent to prevent grassroots 
cryptography from enlisting enough users to constitute a de facto standard. 
Recently Phil Zimmerman, the creator of Pretty Good Privacy, a popular 
and widely available piece of encryption shareware, was busted for 
export-control violations (see "Penetrating Uncle Sam's Data," below). 
After all, if everyone has access to encryption techniques, when law 
enforcement agencies decrypt the Skipper algorithm on someone's 
intercepted message, they'll find a secondary layer of encryption that 
could be more difficult to crack That would render Skipjack pointless; 
some Clinton critics worry that the logical outcome of Skipjack 
implementation will be the criminalization of other forms of encryption. 
Never mind the implications for secure business communications. With a 
government-imposed Skpjack standard, the feds would be able to do 
something they have never been able to do before--easily conduct mass 
surveillance. 

THE RIGHT TO PRIVACY
"No right of private conversation was enumerated in the Constitution," 
said Sun Microsystems' Whitfield Diffie, one of the pioneers of modern 
civilian encryption, in June 1993 testimony before the House 
Subcommittee on Telecommunications and Finance. "I don't suppose it 
occurred to anyone at the time that it could be prevented. Now, however, 
we are on the verge of a world in which electronic communication is both 
so good and so inexpensive that intimate business and personal 
relationships will flourish between parties who can, at most, occasionally 
afford the luxury of traveling to visit each other. If we do not accept the 
right of these people to protect the privacy of their communication, we 
take a long step in the direction of a world in which privacy will belong 
only to the rich."Canada and most European countries regulate public and 
private data collection. By contrast, direct marketers and credit and 
insurance companies in the United States are able to obtain large amounts 
of data about the buying habits and lifestyles of most citizens. U.S. Law 
provides no redress for the individual who complains of privacy 
violations, other than the right to sue the violator. That great amounts of 
information are being gathered about each of us is hardly news. And the 
evidence that privacy has become a commodity has been accumulating for 
years. Want an unlisted number? You pay for it. Want to restrict direct 
marketers' ability to target you over cable TV? You may pay again. "If 
you don't want to be intruded on at home, don't have a home phone," 
advises Esther Dyson, a policy consultant on all things digital for the 
Clinton administration. "Which is what I do. If you really are worried 
about this, take action. That's very difficult on a lot of things, but people 
sort of act like they're helpless, and they're not." Or, in the immortal 
words of Count Niccolo Machiavelli, counselor of princes: "Only those 
means of security are good, are certain, are lasting, that depend on 
yourself and your own vigor." We have seen the future, where everyone 
plays James Bond in the palatial network that composes tomorrow's 
worldwide digital web. In such a world, the Count could become a best-
selling author again.




Matt Thomlinson                               Say no to the Wiretap Chip!
University of Washington, Seattle, Washington.
Internet: phantom@u.washington.edu      	    phone: (206) 548-9804
PGP 2.2  key available via email or finger phantom@hardy.u.washington.edu