Roy Williams

                                                                                                            rew6

                                                                                                            10/30/2002

 

Encryption: Friend or Foe?

Introduction:

            Encryption has been a hot topic in the area of law enforcement lately.  As more advances are made in this field, it becomes harder and harder for those who are trying to enforce the law to collect information on those who they are building a case against, or for them to monitor a suspect’s activities.  In order to aid law enforcement in combating this, the federal government came up with CALEA, or the Communications Assistance for Law Enforcement, and later the Patriot act.  Both of these further the government ability to listen to online activity.  Both of these acts give law enforcement the right to listen to online activity, but not necessarily understand it.  The FBI, however, argues differently.  They argue that understanding the messages in part of the CALEA.  They propose a key-escrow service where the FBI (with a court order only, of course J) can access the keys for a certain online transaction and therefore decrypt the information.  Civil rights organizations and Domestic business don’t like this one bit.  Civil right advocates say that it is a violation of free speech, and a violation of unreasonable search and seizure.  American businesses claim that it jeopardizes the integrity of online transactions. They also argue that since there already exists escrow-free encryption, so no one is going to want to switch over to an arguably less secure encryption to communicate, and therefore enabling one would be pointless.  I will argue, however that there does lie a solution in the middle.  The government can use trap-and-trace and pen-registers via carnivore, just like they would with telephones, but if they want to actually get the information on the computer, they will need to install a keystroke register of some sort on the computer, whether it be through hacking or physically breaking into the computer.

 

Problems with the FBI’s interpretation of the law:

            There are a few major flaws in the FBI’s reasoning for using CALEA to enforce things such as mandatory key-escrow.  First, there is no precedent for it.  CALEA is intended to help law enforcement listen into conversations, not necessarily understand them or interpret them.  For example, if the FBI is tapping the telephone lines of Tony Soprano, and he asks the person he is talking to “Did you get rid of that rat?” this could be referring to a number of things.  He could either be talking about killing an informant, or just getting rid of a rat that has been pestering his office.  The FBI had the right to hear that with the wiretap order, but not the right to interpret it or take it out of context.  This applies to encryption.  They should have a right, with a wiretap order, to see who a person is “Calling” (Where the packets are going), who “Called Them” (Who sent them packets), and to understand unencrypted data, but that is it. 

 

            The other major problem is the international aspect of having a key-escrow service.  The computer industry is not an American industry; it is an international one.  Therefore, any computer/internet related policies that we implement inside the states will also have world-wide ramifications.  If all American-made computers have built-in key escrow in them that means that any foreign government or business is going to have a big problem with that.  No foreign company or government if going to want to buy a computer and try to partake in secure transactions if it is known that the US government can intercept and decrypt that transaction.  No foreign government is going to want the US to know about its secrets either.  Therefore, the US software market would be almost completely dead to exports, and software is one of the only things that the US does export more than it imports, thereby hurting the economy.

 

Solution to accommodate privacy and business concerns:

            What I consider to be the best solution to this problem with encryption is sort of a hybrid answer.  I believe that we should use is one similar to that of phones, but treating encrypted communications as the norm.  The FBI should use carnivore to do things such as Trap-and-Trace and Pen-Registers to gather information.  Both of these can provide valuable information, for example, if there is a flurry of e-mails between two parties right before a crime, and then the e-mails die down again, but then there is another flurry right before another crime, the two can somehow be connected.  These wouldn’t require as much scrutiny as a wiretap order would, just like for a phone tap.  But if the FBI wants to deploy something like “Magic Lantern” (a Trojan Horse virus that is sent to the suspect via a friend or a family member who is co-operating), or install a key-register on the computer physically, then that requires a higher level of clearance to obtain.  This would be like an actual wire-tap where the FBI can obtain the keys needed to decrypt the data and thus understand all communications.

 

            The reason that this is advantageous to key-escrow is for a number of reasons.  First, it doesn’t require that everyone give up privacy for law enforcement.  By using key-registers, only the suspects have their security compromised.  Second, it allows the FBI to function the same exact way that it would have before and still obtain the same amount of information.  Third, it isn’t internationally required.  While key-registers can be deployed to other countries, it is much harder than just getting the keys for them.