[ISN] Privacy On The Line (book review)

From: mea culpa (jerichoat_private)
Date: Thu Jun 25 1998 - 02:45:08 PDT

  • Next message: mea culpa: "[ISN] WorldOnline ISP security fiasco"

    From: David Hakala <dhakalaat_private>
    
    
    "Privacy on the Line:  The Politics of Wiretapping and Encryption"
    by Whitfield Diffie and Susan Landau
    
    Reviewed by:  Stewart Baker
    
    I wasn't sure I would like this book, but I knew I had to read it.  It's the
    story of my life---the last several years, anyway.
         
    In the early 1990s, I was the general counsel of the National Security
    Agency (NSA), a job that required me among other things to sell key escrow
    encryption and the Clipper Chip to the Clinton Administration (mission
    accomplished) and to the rest of the country (er, the less said about
    that, the better).  I had the chance, too, to work closely with the
    Federal Bureau of Investigation (FBI), especially on the problem of how to
    conduct wiretaps in a new and far more demanding environment. 
    
    One of the surprising results of breaking up AT&T was to create a slow-
    motion crisis for law enforcement.  So long as communications were
    controlled by one company---with a heavy stake in demonstrating its good
    citizenship---planning for and providing wiretap access was easy.  AT&T
    knew what the FBI needed, and it could build those requirements into its
    products , passing the cost along to consumers.  But deregulation put a
    premium on getting to market quickly, reducing overhead, and building
    lightweight innovative products.  Law enforcement wasn't the customer, and
    it was increasingly left behind in the explosion of new products and
    services. Often, law enforcement didn't have the technical expertise or
    the funds to adapt to the new technologies; and sometimes even expertise
    and money weren't enough. 
    
    After several years of trying to jawbone industry into compliance with its
    requirements, the FBI decided in the early 1990s that it needed a big
    stick, it needed a law.  The law would not try to sort out all the
    technical problems that industry said were preventing wiretaps.  It would
    solve the problem by fiat, simply requiring that all telecommunications
    carriers and manufacturers design wiretap capabilities into all their
    products and services. 
         
    Privacy advocates were horrified.  The press was hostile. Industry jeered.
    Not one member of Congress could be found who would introduce the FBI's bill
    ..
      
    The FBI, however, never gave up.  They showed up for every debate, they
    mobilized local police, they lobbied Congress relentlessly.
         
    Three years later, the Senate passed the Communications Assistance to Law
    Enforcement Act (CALEA), with the FBI's requirement, by a voice vote of 98-0
    ..
         
    That was round one.  Round two, for the FBI, is encryption. Most of the
    computer software and hardware industry sat out the fight over CALEA, and
    those companies haven't grasped how much the CALEA debate shaped the FBI's
    view of encryption. 
    
    Thanks to CALEA, the FBI is undaunted by the technical complexity of
    building key recovery into encryption, or by the claims of industry that it
    can't be done.  They heard the same thing from telecommunications companies-
    --all of whom are now building wiretap capabilities into their products.
    
    And thanks to CALEA, the FBI is not too troubled by the bad press it's
    getting over encryption, or by the privacy and industry complaints---or
    even by the Congressional harrumphing.  They've heard all that before,
    too. In the CALEA debate, it was patience that paid off; and, in the end,
    the Bureau believes that Congress will have to mandate crypto controls
    just as it had to mandate wiretap requirements. 
    
    Since leaving government, I've advised dozens of companies on how to live
    not just with encryption controls and key recovery, but also CALEA.  I've
    started to joke that my law practice consists of being the first lawyer to
    discover that the country's main technology and telecommunications
    regulatory body is the Federal Bureau of Investigation. 
    
    So any book that deals with the politics of wiretapping and encryption is
    hard to resist. If I took it to the beach to read, I could probably deduct
    the trip.
     
    Still, I had my doubts. Whitfield Diffie is a famous cryptographer, of
    course, but I knew him first as NSA's single most determined and effective
    opponent.  I can't defend every aspect of the government's current
    policies on encryption and wiretapping, but I still have a deep reservoir
    of sympathy for that point of view.  Wiretapping is an important criminal
    investigation tool, particularly when law enforcement is targeting the
    leaders of organized crime, who usually don't commit crimes so much as
    order them committed.  There is no doubt that a wired society needs
    ubiquitous encryption; but it's equally true that ubiquitous encryption
    will give wired criminals new protections from the law. 
    
    That's why I still bridle at too-simplistic Silicon Valley retorts to law
    enforcement concerns---especially those that run along the lines of,
    ``We're smart.  We're rich.  They're not.  We win.'' I wasn't looking
    forward to reading a self-congratulatory book about clueless cops being
    outsmarted by liberty-loving technologists. 
    
    To my surprise, that's not what Diffie and Landau have written.  They've
    produced something quieter and more useful.  Like a handful of others
    (mostly professional privacy advocates and FBI officials) they see the
    entire picture---something the high-tech industry has so far only seen in
    bits and pieces.  Ready or not, the FBI is determined to force us all into
    a debate over how and whether we will shape the direction of technological
    change. 
     
    This book draws together the elements of that story in a fashion that is
    scholarly, though it's too well written to deserve that adjective.  Diffie
    and Landau don't quite popularize the issue---this is still a book only a
    policy wonk could love---but they ease the reader gracefully into some
    remarkably complex material as though it were a warm bath.
    
    The book begins with an admirably simple introduction to cryptography that
    carries the reader deep into the topic.  I have to confess that I never
    knew how "S-boxes'' got their name until I worked my way through Diffie
    and Landau's description of the Digital Encryption Standard and its
    historical debt to Vingenere ciphers.  (I told you this was a wonk's
    book.)  The authors next march the reader through a history of crypto
    policy, laying out the interests of the National Security Agency, the
    public cryptography movement, law enforcement, the National Institute of
    Standards and Technology, and privacy advocates. 
      
    With the groundwork laid, the book then plunges into wiretapping, its
    history, value, and abuses.  It sketches the FBI's five-year fight to enact
    CALEA.
    
    The closing chapter traces the evolution of the encryption debate from a
    fight between the software industry and the NSA into a fight that pits the
    FBI against the likes of Americans for Tax Reform and the National
    Association of Manufacturers.
    
    Throughout this tour, there isn't any doubt where the authors' sympathies
    lie.  They linger almost lovingly over thirty- and forty-year-old stories
    of how the FBI once abused its wiretap authority.  They insist on a long
    and not entirely persuasive discussion of why wiretaps aren't that useful
    to law enforcement. Government arguments tend to get much shorter shrift
    than civil libertarian rebuttals.  But it is perhaps a sign of how bitter
    the encryption battle has become that Diffie and Landau deserve credit for
    including the government's arguments at all. 
    
    They deserve praise as well for avoiding dishonest arguments that support
    their point of view.  Not everyone in this debate is so careful.  Lawyers
    for industry, for example, can still be heard to argue that there's no
    need for encryption controls because the FBI hasn't offered evidence that
    it has lost any cases because of good crypto.  Of course this is the kind
    of Catch- 22 argument that is hard to resist because the lawyers know it
    can't lose.  If the FBI found a way to read the files, then the industry
    lawyers can say "See, crypto wasn't a problem.'' And, if the FBI is truly
    stymied and can't read the files, then the lawyers can say either "The
    defendant was acquitted , and there's >no proof the encrypted files were
    related to a crime,'' or "The defendant was convicted, so the FBI didn't
    need to decrypt the files.  '' Unlike some of their allies, Diffie and
    Landau never insult our intelligence. 
    
    In short, it's hard to imagine a better introduction to an issue that will
    be with us for years to come.
    
    [Published in Notices of the AMS, Volume 45, Number 6, at 709 (June/July
    1998)]
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:56:43 PDT