[CTRL] SCIENTIFIC AND TECHNOLOGICAL OPTIONS ASSESSMENT (May '99 update release)

[Kris Millegan]

 -Caveat Lector-

from;
http://cryptome.org/dst-1.htm
<A HREF="http://cryptome.org/dst-1.htm">Development of Surveillance
Technology and Risk </A>
------
Tthis just portion of part one of a four part paper. Rest at site.

--"Nowadays almost all economic information is exchanged through electronic
means (telephone, fax, e-mail). In addition, all digital
telecommunication devices and switches have enhanced wiretapping
capabilities. As a conclusion we have to consider privacy protection in
a global international networked society. And when we speak about
electronic protection and privacy in the exchange of economic
information, we actually speak for electronic commerce over the
Internet." --

Om
K
-----
20 August 1999
Source: Hardcopy of 61 pages. Thanks to Sten Linnarsson.

This is part 1 of 4 of "Development of Surveillance Technology and Risk
of Abuse of Economic Information (an appraisal of technologies of
political control)."

Part 2: "The legality of the interception of electronic communications:
A concise survey of the principal legal issues and instruments under
international, European and national law," by Prof. Chris Elliott:
http://cryptome.org/dst-2.htm

Part 3: "Encryption and cryptosystems in electronic surveillance: a
survey of the technology assessment issues," by Dr. Franck Leprévost:
http://cryptome.org/dst-3.htm

Part 4: "The state of the art in Communications Intelligence (COMINT) of
automated processing for intelligence purposes of intercepted broadband
multi-language leased or common carrier systems, and its applicability
to COMINT targeting and selection, including speech recognition," by
Duncan Campbell: http://www.iptvreports.mcmail.com/stoa_cover.htm



------------------------------------------------------------------------

EUROPEAN PARLIAMENT

SCIENTIFIC AND TECHNOLOGICAL OPTIONS ASSESSMENT
STOA


DEVELOPMENT OF SURVEILLANCE
   TECHNOLOGY AND RISK OF ABUSE
OF ECONOMIC INFORMATION

(An appraisal of technologies of political control)




Part 1/4
The perception of economic risks arising from the potential
vulnerability
of electronic commercial media to interception

Survey of opinions of experts
Interim Study



Working document for the STOA Panel


Luxembourg, May 1999                  PE 168.184/Int.St./part 1/4

Directorate General for Research




------------------------------------------------------------------------
Cataloguing data:
Title:

Part 1/4 of:
DEVELOPMENT OF SURVEILLANCE TECHNOLOGY AND
RISK OF ABUSE OF ECONOMIC INFORMATION
(An appraisal of technologies of political control)

Workplan Ref.: EP/IV/B/STOA/98/1401

Publisher: European Parliament
         Directorate General for Research
         Directorate A
         The STOA Programme

Author: Mr Nikos BOGONIKOLOS - ZEUS E.E.I.G.

Editor: Mr Dick HOLDSWORTH, Head of STOA Unit

Date: May 1999

PE number: PE 168. 184/Int.St./1/4



------------------------------------------------------------------------
This document is a working Document for the 'STOA Panel'. It is not an
official publication of STOA.
This document does not necessarily represent the views of the European
Parliament.



------------------------------------------------------------------------
CONTENTS

PART A: OPTIONS

Introduction
General overview of the outcome of the survey (interim stage)
Views on privacy collected from the survey
General privacy issue
The market for privacy
The role of industry
The need for European legislation
Options for action on surveillance and privacy
PART B: ARGUMENTS AND EVIDENCE

General
Examples of Abuse of Economic Information
PART C: TECHNICAL FILE

1. INTRODUCTION
Surveillance and Privacy
Dataveillance Techniques
Risks Inherent in Data Surveillance
Controls
2. SURVEILLANCE: TOOLS AND TECHNIQUES - Current technologies
1. Visual Surveillance
2. Audio Surveillance
3. Phone Tapping and Encryption
4. Voice and Word Pattern Recognition
5. Proximity Smart Cards
6. Transmitter Location
7. E-mail at Workplace
8. Electronic Databases
9. The Internet

3. THE USE OF SURVEILLANCE TECHNOLOGY SYSTEMS FOR THE TRANSMISSION AND
COLLECTION OF ECONOMIC INFORMATION
3.1 CALEA System
3.2 ECHELON Connection
3.3 Inhabitant identification Schemes

4. THE NATURE OF ECONOMIC INFORMATION SELECTED BY SURVEILLANCE
TECHNOLOGY SYSTEMS
A. From telecommunication systems
B. From new information technologies (Internet)
C. Some examples of data collection on the Internet

5. PROTECTION FROM ELECTRONIC SURVEILLANCE
A. Encryption (Cryptography)
Private sector initiatives

B. Key - recovery
Encryption and the global information infrastructure
Key-Recovery: Requirements and proposals

6. SURVEILLANCE TECHNOLOGY SYSTEMS IN LEGAL AND REGULATORY CONTEXT
A. Privacy regulation
Multinational data protection measures
Data protection directive in Europe
Privacy regulation in the United States

B. Protection of Privacy in the telecommunications sector

C. Cryptography
Cryptography policy in USA
Cryptography policy guidelines from OECD
E. U. cryptography policy
Other national and international activities related to cryptography
policy

D. Key recovery

E. European Initiatives
DLM-FORUM- Electronic Records
Promoting Safe Use of Internet
REFERENCES




------------------------------------------------------------------------
PART A: OPTIONS


Introduction

The present study, 'Development of surveillance technology and risk of
abuse of economic information' presents the interim results from a
survey of the opinions of experts, together with additional research and
analytical material by the authors. It has been conducted by ZEUS
E.E.I.G. as part of a technology assessment project on this theme
initiated by STOA in 1998 at the request of the Committee on Civil
Liberties and Internal Affairs of the European Parliament. This STOA
project is a follow-up to an earlier one entitled: "An appraisal of
technologies of political control" conducted for the same Committee. The
earlier project resulted in an Interim Study (PE 166.499) written by
OMEGA Foundation, Manchester, and published by STOA on January 1998 and
later updated (September 1998).

In the earlier study it was reported that within Europe all fax, e-mail
and telephone messages are routinely intercepted by means of what is
called the ECHELON global surveillance system. The monitoring was said
to be "routine and indiscriminate". The ECHELON system formed part of
the UKUSA system, but unlike many of the electronic spy systems
developed during the cold war, ECHELON was said to be designed for
primarily non-military targets: governments, organisations and
businesses in virtually every country.

In the present study the authors were requested to investigate the use
of surveillance technology systems, for the collection and possible
abuse of sensitive economic information.

The principal method selected was a procedure of data collection and
processing based on a modified DELPHI method (to be referred to here as
"the survey"). Under this method, a list of potential sources of data
was prepared. These were some 49 experts from universities, industrial
and commercial undertakings in the informations and telecommunications
technology sector, as well as a smaller number of persons in
international or governmental organisations. The experts were drawn from
11 Member States of the European Union, plus Cyprus, Norway and
Switzerland.

The next step was the collection of the data. This was mostly achieved
by direct interviews of the experts, with the use of a questionnaire.
The views (data) were processed and a convergence examination performed.
The convergence procedure was based on a recursive approach for the
exclusion of the non-reliable data. The last step was the drawing of the
analytical results.

General overview of the outcome of the survey

The predominant view among the experts was that since nowadays almost
all economic information is exchanged through electronic means
(telephone, fax, e-mail), and, in addition, all digital
telecommunication devices and switches have enhanced wiretapping cap
abilities, for these reasons they suggested that we must focus on the
protection of the data when transmitted (using encryption products), on
the use of government-approved encryption products and on the adoption
of common standards concerning encryption and key-recovery products. The
position could be summed up in the statement that 'since it is difficult
to prove that economic information has been captured by ECHELON system
and passed on by the NSA, we have to consider privacy protection in a
global international networked society'.

In summary, therefore, we see that two perceptions of this question
emerge: (1) a concern about the possible threat to privacy and economic
and civil rights potentially posed by global clandestine electronic
surveillance systems operated by large and powerful secret government
agencies, and (2) anxiety about the problems of commercial and personal
privacy which arise now that so much commercial and other communications
traffic is conducted over the Internet. Managers of businesses engaged
in electronic commerce may perhaps be concerned about global clandestine
surveillance systems: what is certain is that they are worried in a more
familiar way about threats to commercial security posed by the nature of
the new electronic business media and their possible vulnerability to
interception by competitors and fraudsters.

Reflecting the feedback from the survey, the present study tends to
reflect Perception 2, whereas the earlier one of 1998 tended to reflect
Perception 1.

Advances in information and communication technologies have fostered the
development of complex national and international networks which enable
thousands of geographically dispersed users to distribute, transmit,
gather and exchange all kinds of data. Transborder electronic exchanges
-- private, professional, industrial and commercial -- have proliferated
on a global scale and are bound to intensify among businesses and
between businesses and consumers, as electronic commerce develops.

At the same time developments in digital computing have increased the
capacity for accessing, gathering, recording, processing, sorting,
comparing and linking alphanumeric, voice and image data. This
substantial growth in international networks and the increase in
economic data processing have arisen the need at securing privacy
protection in transborder data flows.

Today, it is not necessary to define new principles for the protection
of data (and privacy) in an expanding global electronic environment. It
is necessary to define the appropriate means of putting the established
principles into practice, particularly on the information and
communication networks.

An active education strategy may be one of the ways to help achieve
on-line and privacy protection and to give all actors the opportunities
to understand their common interests.

Common technological solutions can assist in implementing privacy and
data protection guidelines in global information networks. The general
optimism about technological solutions, the pressure to collect economic
information and the need for political and social policy decisions to
ensure privacy must be considered.

The growth in international networks and the increase in economic data
processing have arisen the need at securing privacy protection in
transborder data flows and especially the use of contractual solutions.
Global E-Commerce has changed the nature of retailing. There were great
cultural and legal differences between countries affecting attitudes to
the use of sensitive data (economic or personal) and the issue of
applicable law in global transaction had tope resolved. Contracts might
bridge the gab between those with legislation and the others.

Since Internet symbolised global commerce, faced with a rapid expansion
in the numbers of transactions, there is a need to define a stable
lasting framework for business. Internet is changing profound the
markets and adjusting new contracts. To that reality is a complex
problem.

Views on privacy collected from the survey

In this section the experts' views on the various privacy issues are
reported. The information was mostly collected by direct interviews of
the experts, based on a predefined questionnaire.

General privacy issues

•Privacy can be a contentious subject because it means different things
to different people. The definition given is: "Privacy is the claim of
individuals, groups, or institutions to determine for themselves how,
when and to what extent information about them is communicated to
others"
•A clear problem expressed is that in an electronic environment, it
becomes hard to differentiate between a private and public place and
therefore what should be protected and what should not.
•It was argued that is unreasonable for the society to subsidise the
cost of individuals to maintain their privacy, pointing out that most
people will choose utility over security (and consequently privacy)
•It was suggested that privacy in many ways sacrifices other goods
(time, effort and energy among them) in order to obtain it.
•Three basic tools necessary for privacy protection were outlined:
notice (to the data supplier), consent (to the consumer), and
accountability.
•Although accountability may be essential to ensuring privacy, it
unfortunately conflicts with the anonymity, privacy implies. For any
commerce to take place on the Internet, therefore, some level of
anonymity and therefore privacy must be sacrificed. The question to be
answered is " how much and who will decide".


The market for privacy

•When the European Commission adopted the privacy directive (95/46/EC),
it stated that privacy protection is a central precondition to
consumers' acceptance of electronic commerce. Accordingly, a critical
issue experts argued, was whether there was a "market failure' in the
electronic environment that required some sort of government
intervention to ensure data privacy.
•Some experts responded that data privacy is not purely a public good,
and so at some point someone will have a market incentive to protect it.
Some corporations that have tried to market their strong privacy
protection have yet to see any results and have concluded that: "privacy
doesn't sell". Other industries have marketed privacy successfully (such
as the cellular telephone industry) which could mean that the public
demands for privacy are forthcoming and will eventually be profitable.
•They feel that a question to be answered is: Who governs the
responsibility of the information collector, or does society have to
impose a sense of responsibility?"


The role of industry

•Most experts expressed the view that the information industry should be
primarily self-regulated: the industry is changing too rapidly for
government legislative solutions, and most corporations are not simply
looking at National or European but at global markets, which national
governments cannot regulate.
•Indeed several experts expressed the fear that any European attempt to
allow USA to oversee (via global surveillance systems) data would lead
to abuses by the government or other competitive companies.
•They noted that many companies (such as Citibank) already inform
consumers and clients that, unless told otherwise, they will disclose
information to their affiliates. They suggested that a simple seal on
the home page of a Web site, declaring that a company adheres to certain
industry privacy standards might cease the fears of the public and offer
some level of accountability.
•Alternatively, they suggested that the media could act as an effective
watchdog, informing consumers and companies of what information is being
collected about them and how that information is being used.
•They also noted that multinational companies could better negotiate for
themselves across national boundaries than governments can. Electronic
commerce is unlikely to gain popularity until the issues of notice,
consent and recourse have been resolved. The market will force companies
wishing to participate in this medium to address and solve these
concerns.


The need for European legislation

•Experts took the view that the European Parliament must now ask how, in
a world of the Internet, one reconciles the objectives of protecting
both: privacy and free flow of information.
•In recent years there have been disclosures that unauthorised
individuals have examined financial information from the Internal
Revenue Service in USA. Several experts pointed to the flap over the
decision by the Social Security Administration in USA to provide
companies account information on-line. Each of these examples suggests
that protecting data privacy may be a great challenge for the European
Parliament.
•Experts agreed that the European Parliament should play a role in
creating a standard for disclosure. Several experts went further and
argued the need of a privacy agency within the European Union to act as
an ombudsman and to represent privacy interests, so that in debates
between European Union and USA there is someone whose responsibility
would be to protect privacy.
•Whatever several experts believe the appropriate role for national
governments to be in ensuring privacy in an electronic environment, some
"private regulation" is already occurring on the Internet by the
computer engines, who write code and decide computer standards. In fact
experts suggested that when encryption software becomes ubiquitous it
will push Internet commerce because it allows for potentially anonymous
transactions, which will solve privacy issues by default.
•It was pointed out that a group of high-tech companies in co-operation
with standardisation organisations should agree on a web-based standard
that would allow companies and consumers to interact with data
collectors and inform them of what information they would be comfortable
having disclosed to other parties.


Options for action on surveillance and privacy

The policy options for consideration by the committee on Civil Liberties
and Internal Affairs of the European Parliament which emerged from the
survey are:

•Authorities in the EU and Member States should:
engage in a dialogue involving the private sector and individual users
of networks in order to learn about their needs for implementing the
privacy guidelines in the global network;
undertake an examination of private sector technical initiatives;
encourage the development of applications within global networks, of
technological solutions that implement the privacy principles and uphold
the right of users, businesses and consumers for protection of their
privacy in the electronic environment.
•Drafting methods for enforcing codes of conduct and privacy statements
ranging from standardisation, labelling and certification in the global
environment through third-party audit to formal enforcement by a
regulatory body.
•Definitions of the transactions which must remain anonymous, and
technical capabilities for providing anonymity need to be specified.
•Enforcement for the adoption of adequate standards (cryptography and
key encryption) from all E.U. member states. Multilateral agreements
with other countries could then be negotiated.
•Drafting of common guidelines of credit information use (in each member
state of the E.U. different restriction policies exist). It must be dear
how those restrictions could apply to a globally operating credit
reference agency.
•Drafting of common specifications for cryptography systems and
government access key recovery systems, which must be compatible with
large scale, economical, secure cryptographic systems.
•Enforcement for the adoption of special authorisation schemes for
Information Society Services and supervision of their activities by
National Authorisation Bodies.
•Drafting of a common responsibilities framework for on-line service
providers, who transmit and store third party information. This could be
drafted and supervised by National PTTs.
•The European Parliament should examine critically proposals from the US
for the elimination of cryptography and the adoption of encryption
controls supervised by US Agencies.
•Annual statistics and reporting on abuse of economic information by any
means must be reported to the Parliament of each member state of the
E.U.
•Measures for encouraging the formal education systems of each member
state of the E.U. or the appropriate European Training
Institute/Organisation to take up the general task of educating users in
the technology and their rights.




------------------------------------------------------------------------
PART B: ARGUMENTS AND EVIDENCE


General

Nowadays almost all economic information is exchanged through electronic
means (telephone, fax, e-mail). In addition, all digital
telecommunication devices and switches have enhanced wiretapping
capabilities. As a conclusion we have to consider privacy protection in
a global international networked society. And when we speak about
electronic protection and privacy in the exchange of economic
information, we actually speak for electronic commerce over the
Internet.

The information society promises economic and social benefits for all:
citizens, companies and governments. Advances in information and
communication technologies have fostered the proliferation of private,
professional, industrial and commercial transborder electronic exchanges
on a global scale which are bound to intensify among businesses and
between businesses and consumers as electronic commerce develops. New
methods for processing the vast accumulation of data -such as data
mining techniques- make it possible, on the basis of demographic data,
credit information, details of on-line transactions etc, to identify new
kinds of purchasing patterns or unusual relationships.

Indeed, compliance with rules governing the protection of privacy and
personal data is crucial to establishing confidence in electronic
transactions, and particularly in Europe, which has traditionally been
heavily regulated in this area. The development of the global
information society makes the convergence of government policies, the
transparency of rules and regulations and their effective implementation
on economic and social life. In particular, in the context of electronic
commerce, the development of on-line commercial activities hinges to a
large extent, not only on the faith consumers have in business in terms
of guaranteed product delivery or security payment systems, but also on
the confidence that users and consumers will have in the ways that busi
nesses handle their personal data.

To operate with confidence on the global networks, most consumers need
assurance that their on-line activities and electronic transactions will
not be collected or used without their knowledge or made available to
parties other than their initial correspondents. Neither linked to other
data about them in order to compile behavioural profiles without their
consent.

The importance of information and communication systems for society and
the global economy is intensifying with the increasing value and
quantity of data that is transmitted and stored on those systems. At the
same time those systems and data are also increasingly vulnerable to a
variety of threats such as unauthorised access and use,
misappropriation, alteration and destruction. Proliferation of
computers, increased computing power, interconnectivity,
decentralisation, growth of networks and the number of users, as well as
the convergence of information and communication technologies, while
enhancing the utility of these systems, also increase system
invulnerability.

Cryptography is an important component of secure information and
communication systems and a variety of application have been developed
that incorporate cryptographic methods to provide data security.

Although there are legitimate governmental, commercial and individual
needs and uses for cryptography, it may also be used by individuals or
entities for illegal activities, which can affect public safety,
national security, the enforcement of laws, business interests,
consumers interests or privacy. Governments together with industry and
the general public, are challenged to develop balanced policies to
address these issues.

Cryptography uses an algorithm to transform data in order to render it
unintelligible to anyone who does not possess certain secret information
(the cryptographic "key"), necessary for decryption of the data. Within
the new concept of cryptography, rather than sharing one secret key, the
new design uses two mathematically related keys for each communication
party: a "public key" that is disclosed to the public and a
corresponding "private key", that is kept secret. A message that is
encrypted with a public key can only be decrypted by the corresponding
private key.

An important application for public key cryptography is "digital
signature", which can be used to verify the integrity of data or the
authenticity of the sender of data. In this case, the private key is
used to "sign" a message, while the corresponding public key is used to
verify a "signed" message.

Public key cryptography plays an important role in developing
information infrastructure. Much of the interest in information and
communication networks and technologies centres on their potential to
accommodate electronic commerce; however open networks such as the
Internet present significant challenges for making enforceable
electronic contracts and secure payments.

Since Electronic Commerce on one hand is one of the key strategies of
the European Union and the privacy protection on the other hand, one of
its main principles, E.U. in 1998 released three "key" working
documents:

•Proposal for a European Parliament and Council Directive on certain
legal aspects of Electronic Commerce in the internal market [ COM(1998)
586 final].
•Proposal for a European Parliament and Council directive on a common
framework for electronic signatures [COM (1998)297 final].
•Ensuring security and trust in electronic communication: "Towards a
European framework for digital signatures and Encryption" [COM(1997) 503
final].


Increasing the number of people with authorised access to the critical
infrastructure and to business data, will increase the likelihood of
attack, whether through technical means, by exploitation of mistakes or
through corruption. Further "key-recovery" requirements to the extent
that they made encryption can have the effect of discouraging or
delaying the deployment of cryptography in increasingly vulnerable
computing and communication networks.

As the Internet and other communications systems reach further into
everyday lives, national security, law enforcement and individual
privacy have become perilously intertwined. Governments want to restrict
the free flow of information; software producers are seeking ways to
ensure consumers are not bugged from the very moment of purchase. The US
is behind a world-wide effort to limit individual privacy and enhance
the capability of its intelligence services to eavesdrop on personal
conversations. The campaign has had two legal strategies: the first made
it mandatory for all digital telephone switches, cellular and satellite
phones and all developing communication technologies to build in
surveillance capabilities; the second sought to limit the dissemination
of software that contains encryption, a technique which allows people to
scramble their communications and files to prevent others from reading
them. The first effort to heighten surveillance opportunities was to
force telecommunications companies to use equipment designed to include
enhanced wiretapping capabilities. The end goal was to ensure that the
US and its allied intelligence services could easily eavesdrop on
telephone networks anywhere in the world. In the late 1980s, in a
programme known internally as 'Operation Root Canal', US law enforcement
officials demanded that telephone companies alta their equipment to
facilitate the interception of messages. The companies refused but,
after several years of lobbying, Congress enacted the Communications
Assistance for Law Enforcement Act (CALEA) in 1994.

CALEA requires that terrestrial carriers, cellular phone services and
other entities ensure that all their ' equipment, facilities or
services' are capable of expeditiously. . . enabling the government...to
intercept... all wire and oral communications carried by the
carrier...concurrently with their transmission.' Communications must be
interceptable in such a form that they could be transmitted to a remote
government facility.

Manufacturers must work with industry and law enforcement officials to
ensure that their equipment meets federal standards. A court can fine a
company US$10,000 per day for each product that does not comply.

The passage of CALEA has been controversial but its provisions have yet
to be enforced due to FBI efforts to include even more rigorous
regulations under the law. These include the requirement that cellular
phones allow for location-tracking on demand and that telephone
companies provide capacity for up to 50,000 simultaneous wiretaps.

While the FBI lobbied Congress and pressured US companies into accepting
a tougher CALEA, it also leaned on US allies to adopt it as an
international standard. In 1991, the FBI held a series of secret
meetings with EU member states to persuade them to incorporate CALEA
into European law. The plan, according to an EU report, was to 'call for
the Western World (EU, US and allies) to agree to norms and procedures
and then sell their products to Third World countries. Even if they do
not agree to interception orders, they will find their
telecommunications monitored by the UK-USA signals intelligence network
the minute they use the equipment.' The FBI's efforts resulted in an EU
Council of Ministers resolution that was quietly adopted in January
1995, but not publicly released until 20 months later. The resolution's
text is almost word for word identical to the FBI's demands at home. The
US government is now pressuring the International Telecommunications
Union (ITU) to adopt the standards globally.

The second part of the strategy was to ensure that intelligence and
police agencies could understand every communication they intercepted.
hey attempted to impede the development of cryptography and other
security measures, fearing that these technologies would reduce their
ability to monitor the emissions of foreign governments and to
investigate crime.

These latter efforts have not been successful. A survey by the Global
Internet Liberty Campaign (GILC) found that most countries have either
rejected domestic controls or not addressed the issue at all. The GILC
found that 'many countries, large and small, industrialised and
developing, seem to be ambivalent about the need to control encryption
technologies'.

The FBI and the National Security Agency (NSA) have instigated efforts
to restrict the availability of encryption world-wide. In the early
1970s, the NSA's pretext was that encryption technology was 'born
classified' and, therefore, its dissemination fell into the same
category as the diffusion of A-bomb materials. The debate went
underground until 1993 when the US launched the Clipper Chip, an
encryption device designed for inclusion in consumer products. The
Clipper Chip offered the required privacy, but the government would
retain a 'pass-key' - anything encrypted with the chip could be read by
government agencies.

Behind the scenes, law enforcement and intelligence agencies were
pushing hard for a ban on other forms of encryption. In a February 1993
document, obtained by the Electronic Privacy Information Center (EPIC),
they recommended 'Technical solutions, such as they are, will only work
if they are incorporated into all encryption products'.

To ensure that this occurs, legislation mandating the use of
government-approved encryption products, or adherence to government
encryption criteria, is required.' The Clipper Chip was widely
criticised by industry, public interest groups, scientific societies and
the public and, though it was officially adopted, only a few were ever
sold or used.

>From 1994 onwards, Washington began to woo private companies to develop
an encryption system that would provide access to keys by government
agencies. Under the proposals - variously known as 'key escrow', 'key
recovery' or 'trusted third parties' - the keys would be held by a
corporation, not a government agency, and would be designed by the
private sector, not the NSA. The systems, however, still entailed the
assumption of guaranteed access to the intelligence community and so
proved as controversial as the Clipper Chip. The government used export
incentives to encourage companies to adopt key escrow products: they
could export stronger encryption, but only if they ensured that
intelligence agencies had access to the keys.

Under US law, computer software and hardware cannot be exported if it
contains encryption that the NSA cannot break. The regulations stymie
the availability of encryption in the USA because companies are
reluctant to develop two separate product lines -- one, with strong
encryption, for domestic use and another, with weak encryption, for the
international market. Several cases are pending in the US courts on the
constitutionality of export controls; a federal court recently ruled
that they violate free speech rights under the First Amendment.
(... The NSA is one of the shadowiest of the US intelligence agencies.
Until a few years ago, it existence was a secret and its charter and any
mention of its duties are still classified. However, it does have a Web
site (www.nsa.gov:8080) in which it describes itself as being
responsible for the signals intelligence and communications security
activities of the US government. One of its bases, Menwith Hill, was to
become the biggest spy station in the world. Its ears -- known as
radomes -- are capable of listening in to vast chunks of the
communications spectrum throughout Europe and the old Soviet Union

In its first decade the base sucked data from cables and microwave links
running through a nearby Post Office tower, but the communications
revolutions of the Seventies and Eighties gave the base a capability
that even its architects could scarcely have been able to imagine. With
the creation of Intelsat and digital telecommunications, Menwith and
other stations developed the capability to eavesdrop on an extensive
scale on fax, telex and voice messages. Then, with the development of
the Internet, electronic mail and electronic commerce, the listening
posts were able to increase their monitoring capability to eavesdrop on
an unprecedented spectrum of personal and business communications.

This activity has been all but ignored by the UK Parliament. When Labour
MPs raised questions about the activities of the NSA, the Government
invoked secrecy rules. It has been the same for 40years.... )

(Simon Davis report: http://www.telegraph.co.uk)

The FBI has not let up on efforts to ban products on which it cannot
eavesdrop. In mid-1997, it introduced legislation to mandate that
key-recovery systems be built into all computer systems. The amendment
was adopted by several congressional Committees but the Senate preferred
a weaker variant. A concerted campaign by computer, telephone and
privacy groups finally stopped the proposal; it now appears that no
legislation will be enacted in the current Congress.

While the key escrow approach was being pushed in the USA, Washington
had approached foreign organisations and states. The linchpin for the
campaign was David Aaron, US ambassador to the Organisation for Economic
Co-operation and Development (OECD), who visited dozens of countries in
what one analyst derided as a programme of 'laundering failed US policy
through international bodies to give it greater acceptance'.

Led by Germany and the Scandinavians, the EU has been generally
distrustful of key escrow technology. In October 1997, the European
Commission released a report which advised: 'Restricting the use of
encryption could well prevent law-abiding companies and citizens from
protecting themselves against criminal attacks. It would not, however,
totally prevent criminals from using these technologies.' The report
noted that 'privacy considerations suggest limit the use of cryptography
as a means to ensure data security and confidentiality'.

Some European countries have or are contemplating independent
restrictions. France had a longstanding ban on the use of any
cryptography to which the government does not have access. However, a
1996 law, modified the existing system, allowing a system of "tiers du
confidence", although it has not been implemented, because of EU
opposition. In 1997, the Conservative government in the UK introduced a
proposal creating a system of trusted third parties.

It was severely criticised at the time and by the new Labour government,
which has not yet acted upon its predecessor's recommendations. The
debate over encryption and the conflicting demands of security and
privacy are bound to continue. The commercial future of the Internet
depends on a universally-accepted and foolproof method of on-line
identification; as of now, the only means of providing it is through
strong encryption. That put the US government and some of the world's
largest corporations, notably Microsoft, on a collision course. (Report
of David Banisar, Deputy director of Privacy International and Simon
Davies, Director General of Privacy International).

The issue of encryption divides the member states of the European Union.
Last October the European Commission published a report entitled:
"Ensuring security and Trust in Electronic Commerce", which argued that
the advantages of allowing law enforcement agencies access to encrypted
messages are not clear and could cause considerable damage to the
emerging electronic industry. It says that if citizens and companies
"fear that their communications and transactions are being monitored
with the help of key access or similar schemes unduly enlarging the
general surveillance possibility of government agencies, they may prefer
to remaining in the anonymous off-line world and electronic commerce
will just not happen".

However, Mr Straw said in Birmingham (JHA Informal JHA Ministers) that:
"It would not be in the public interest to allow the improper use of
encryption by criminals to be totally immune from the attention of law
enforcement agencies". The UK, along with France (which already has a
law obliging individuals to use "crackable" software) and the USA, is
out on a limb in the EU. "The UK presidency has a particular view and
they are one of the access hard-liners. They want access: "them and the
French", commented an encryption expert. They are particularly about
"confidential services" which ensure that a message can only be read by
the person for whom it is intended who has a "key" to access it. The
Commission's report proposes "monitoring" Member States laws' on "c
onfidential services" to ensure they do not contravene the rules of the
single market.

Examples of Abuse of Economic Information

In the course of collecting the data for and preparing this Interim
Study various examples were cited of abuse of privacy via global
surveillance telecommunication systems. A number of them is given in
[54]. For the final version of the study, we shall see whether the
experts have further comments to make on these examples, or whether they
have new examples to suggest.

The consultation of experts in our survey so far yielded the following
comments:

•Since Internet has come to play a significant role in global commerce,
then (as in Examples 1, 2, 3 and 4 cited below) Internet also became a
tool of misleading information and a platform for deceitful
advertisement.
•On the positive side, Internet is a "golden highway" for those
interested in the process of information.
•However, apart from global surveillance technology systems, additional
tools have been developed for surveillance. The additional tool used for
information transferred via Internet or via Digital Global
telecommunication systems is the capture of data with Taiga software.
Taiga software has the possibility to capture, process and analyse
multilingual information in a very short period of time (I billion
characters per second), using key-words.


The examples given below are taken from the sources named:

Example 1

On January 15, 1990, the telephone network of AT&T company, in all the
North-east part of USA faced serious difficulties. The network
NuPrometheus had illegally owned and distributed the key-code of the
operational system of AT&T Macintosh computer (Apple company).
J.P. Barlow: "A not terribly brief history of the Electronic Frontier
Foundation," 8 November 1990

Example 2

On January 24, 1990, the Electronic Frontier Foundation (EFF) in USA,
accused a huge police operation under the encoded name "Sun Devil", in
which 40 computers and 23,000 diskettes were seized from teenagers, in
15 towns within USA. Teenager Craig Neidorf supported by EFF, not to be
punished in 60 years prison and 120,000 USD penalty. Craig Neidorf had
published in Phrack (a hackers magazine) part of the internal files of a
telephone company.
M. Godwin: "The EFF and virtual communities," 1991

Example 3

On June 25, 1998, in Absheim, an aircraft A-320 of the European Company
"Airbus Industries" crashed during a demonstration flight. The accident
was reportedly caused by dangerous manoeuvres. One person died and 20
were injured.

Very soon afterwards, and before the announcement of the official
report, in the aerospace and transport Internet newsgroups there
appeared many hostile messages against the Airbus undertaking and
against the French company Aerospatiale as well, with which Airbus had
close cooperation. Messages declared that the accident was to be
expected because European engineers are not so highly qualified as
American engineers. It was also clearly stated, that in the future
similar accidents were to be expected.

Aerospatiale's representatives took these hostile messages very
seriously. They tried to discover the sources of messages and they
finally realised that senders' identification data, addresses and nodes
were false. The source messages came from USA, from computers with
misleading identification data and transferred from anonymous servers in
Finland.
B. Martnet and Y.M. Marti: "L'intelligence econimique. Les yeux et les
oreilles de 1' enterprise, Editions d'organisation". Paris 1995

Example 4

In October 31, 1994, in USA, an accident occurred to an ATR aircraft (of
the European Consortium Aeritalia and Aerospatiale). Owing to this
accident, a ban on ATR flights for two months was imposed. This decision
became catastrophic on a commercial level for the company, because ATR
was obliged to carry out test flights in fog conditions.

During this period, in Internet newsgroups (and especially in the AVSIG
forum, supported by Compuserve), the exchange of messages was of vital
significance. The messages supporting the European company were few,
while the messages against ATR were many.

At the beginning of January 1995, there appeared a message from a
journalist in this forum asking the following: "I have heard that ATR
flights will begin soon. Can anybody confirm this information?" The
answer came very soon. Three days after, unexpectedly, permission to
continue ATR flights was given. The company learned this, as soon as the
permission announced. But if they had actively participated in the
newsgroups, they would have gained some days to inform their offices and
their clients.
"Des langages pour analyser la poussiere d' info", Liberation, 9 June
1995

Example 5

The government of Brasil in 1994, announced its intention to assign an
international contract (Amazonios). This procurement was of great
interest since the total amount available for the contract was 1,4
billion USD. From Europe, the French companies Thomson and Alcatel
expressed their interest and from USA, the huge weapon industry
Raytheon. Although the offer of the French companies was technically
excellent and allegedly better documented, the contract was eventually
assigned to the USA company. It was reported in the press that this was
achieved with a new offensive strategy used by USA. When the government
of Brazil was about to assign the contract to the French companies,
American Officials (allegedly with the personal involvement of President
Bill Clinton) readjusted their offer, according to the offer of the
European companies, and asserted that French companies influenced the
committee, an accusation which was never proved. On the other hand, the
European companies were reported to have indications that the intention
of the government of Brazil to assign the contract to the European
companies became known to Americans with the use of FBI's surveillance
technologies.
"La nouvelle machine de querre americaine", LeMonde du reseingnement no
158, 16 February 1995

Example 6

In January 1994 Edouard Balladur, French Prime Minister, went to Ryadh
(Saudi Arabia), feeling certain to bring back a historic contract for
more than 30 million francs in sale of weapons and, especially, Airbus.
He returned disappointed. The contract went to the McDonnell-Douglas
American company, rival of Airbus. The French were report to believe
that this was at least in part due to electronic surveillance by the
ECHELON system, which had given to the Americans the financial
conditions and incentives authorised by Airbus.

French press reports said the National Security Agency is the most
secret and most significant of the thirteen secret agencies of the
United States. It receives about a third of the appropriations allocated
with clandestine intelligence: 8 of the 26,6 billion dollars (160 18
billion francs) registered appropriations in the 1997 budget. With its
20.000 employees in United States and some thousands of agents
throughout the world, the NSA (which forms part of ministry for Defence
since its creation in 1956) is more important than the CIA, even if the
latter is better known to the public. Its site at Fort Meade contains,
according to sources familiar with the place, the greatest concentration
of data processing power and mathematicians in the world. They are
employed to sort and analyse the flood of data acquired by ECHELON on
the networks of international telecommunications.
"Echelon est au service des interets americains", Liberation, 21 April
1998
--much more at site--
Aloha, He'Ping,
Om, Shalom, Salaam.
Em Hotep, Peace Be,
Omnia Bona Bonis,
All My Relations.
Adieu, Adios, Aloha.
Amen.
Roads End
Kris

DECLARATION & DISCLAIMER
==========
CTRL is a discussion and informational exchange list. Proselyzting propagandic
screeds are not allowed. Substance—not soapboxing!  These are sordid matters
and 'conspiracy theory', with its many half-truths, misdirections and outright
frauds is used politically  by different groups with major and minor effects
spread throughout the spectrum of time and thought. That being said, CTRL
gives no endorsement to the validity of posts, and always suggests to readers;
be wary of what you read. CTRL gives no credeence to Holocaust denial and
nazi's need not apply.

Let us please be civil and as always, Caveat Lector.
========================================================================
Archives Available at:
http://home.ease.lsoft.com/archives/CTRL.html

http:[EMAIL PROTECTED]/
========================================================================
To subscribe to Conspiracy Theory Research List[CTRL] send email:
SUBSCRIBE CTRL [to:] [EMAIL PROTECTED]

To UNsubscribe to Conspiracy Theory Research List[CTRL] send email:
SIGNOFF CTRL [to:] [EMAIL PROTECTED]

Om