limits of watermarking (Re: First Steganographic Image in the Wild)
On Tue, Oct 16, 2001 at 11:30:05AM -0700, Greg Broiles wrote:
> Adam Back wrote:
> >Stego isn't a horseman, and the press drumming up scare stories around
> >stego is ludicrous. We don't need any more stupid cryptography or
> >internet related laws. More stupid laws will not make anyone safer.
>
> I agree, but if Congress isn't careful (and they don't seem to be in a
> careful mood these days), they'll end up outlawing watermarking in
> digital "content", which would do to the DRM (digital rights management)
> industry what they tried to do to security researchers with the DMCA.
>
> Perhaps the RIAA and SDMI folks will now come out in favor of
> steganography in order to save their businesses.
>
> Or maybe they'll be forced to rewrite their complicated protection schemes
> to enable "stego escrow", so that federal agents can monitor the secrets
> hidden inside published content, to make sure there aren't any hidden
> messages in Anthrax albums.

So I presume your discussion on the applicability of stego techniques to the detection of unauthorised copying refers to the framework where content is personalised by having something identifying the purchaser encoded in it at time of delivery to the purchaser.

Steganography means hiding the existence of a message -- making it hard to distinguish content without a stegotext from content with a stegotext embedded in it. Copymarks are about making it hard for the user to remove the message without massively degrading the quality (*).

This means you want some or all of the purchaser identifying information to be hard to locate -- because once it is located it can be removed. But watermarks don't have to be invisible -- just hard to remove without degrading the image quality. This tends to mean spread spectrum techniques, and unpublished parameters of where the signal will be stored so that there is no publicly constructable discriminator, and no black-box discriminators queryable either. However this framework inherently violates Kerckhoffs' principle.

Another framework is to have players which will only play content with certified copy marks (no need for them to be visible -- they could be encoded in a logo in the corner of the screen). The copymark is a signed hash of the content and the identity of the purchaser. This could be relatively robust, except that usually there is also a provision for non-certified content -- home movies etc -- and then the copy mark can be removed while still playing by converting the content into the home movie format, which won't and can't be certified.

Just to say that copymarks and steganography are related but different.

In my opinion copymarks are evil and doomed to fail technically. There always need to be playable non-certified content, and current generation watermarks seem easy to remove; and even if some really good job of spread spectrum encoding were done, someone would reverse engineer the players to extract the location parameters and then they too would be removable -- and in the end even if someone did manage to design a robust watermarking scheme respecting Kerckhoffs' principle, the identity information is weakly authenticated, and subject to identity theft or the content itself could be stolen or plausibly deniably claimed to have been stolen and this only has to happen once for each work.

All with no comments on the US Congress being careful of course -- they are ham-fisted at the best of times, and they have degraded far beyond their normal state.

Adam

(*) This in itself is pretty hard -- reportedly stirmark [1] (a small random shearing image transform) gets rid of all evaluated watermarks.

[1] Fabien A.P. Petitcolas, Ross J. Anderson, Markus G. Kuhn: "Attacks on copyright marking systems", Information Hiding, Second International Workshop, IH'98
http://www.cl.cam.ac.uk/~mgk25/stirmark.html
Security Research (Was: Scarfo "keylogger", PGP )
In message <[EMAIL PROTECTED]>, Ben Laurie writes:
>"Trei, Peter" wrote:
>> Windows XP at least checks for drivers not signed by MS, but
>> whose security this promotes is an open question.
>
>Errr ... surely this promotes MS's bottom line and no-one's security? It
>is also a major pain if you happen to want to write a device driver, of
>course.
>

Microsoft? See their view of how to deal with security at http://www.newsbytes.com/news/01/171173.html -- I wonder if they think it should apply to crypto research, too?

Of course, why should I be surprised at this? Some crypto research is already banned by the DMCA; why not ban even more?

--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com
FIPR Release 16/10/2001: EMERGENCY POWERS ALLOW MASS-SURVEILLANCE FOR NON-TERRORIST INVESTIGATIONS
FIPR Press release: FOR IMMEDIATE USE : 16th October 2001

EMERGENCY POWERS ALLOW MASS-SURVEILLANCE FOR NON-TERRORIST INVESTIGATIONS

*) Home Office undecided whether ISP data retention to be voluntary or compulsory
*) Data revealing who you talk to, what you read, where you are, collected for "national security"
*) Data can be trawled for public order, minor crimes, tax, health and safety
*) E-Commerce to bear open-ended storage and data-protection compliance costs

As part of an emergency package of anti-terrorism measures, Home Secretary David Blunkett announced yesterday (Note 3) that Internet Service Providers would be "enabled" to retain logs detailing the online activity of their customers (but NOT the contents of communications).

Data protection legislation (Note 4) currently protects electronic privacy by prohibiting blanket storage by ISPs of logs recording such details as websites browsed, To and From addresses of e-mails, and which 'newsgroup' articles are read by a subscriber. Other "communications data", such as the telephone number used to dial-up the Internet, may be kept so long as it is relevant to billing or fraud control.

Although Mr.Blunkett's use of the word "enable" (rather than "require") implied that compliance will be at the ISP's discretion, the lead official told FIPR that retention may be made compulsory, enforced through civil law. The same source said a ministerial certificate will assert "national security" exemptions (Note 5) so that ISPs and telephone companies will not be in breach of European Directives. The government will only specify later exactly what data may be collected and for how long in a Code of Practice in consultation with ISPs.

No new legislation is necessary for police and intelligence agencies to collect the data once it is recorded by ISPs and telephone companies. The Regulation of Investigatory Powers (RIP) Act 2000 (Note 5) allows records to be obtained for broad purposes including tax, health and safety, public order offences and minor crime.

Although "communications data" provides a complete map of private life, revealing who you talk to, what you read, and where you go, the authorities can rubber-stamp compilation and trawling of large and detailed databases. In contrast, inspection of the contents of a single e-mail requires a warrant from a Secretary of State, and a search for documents requires a court order.

Bulk requests can be made on groups or the history of an individual and kept by police and intelligence agencies indefinitely under data protection exemptions. This includes the exact co-ordinates of your geographic location - which 3rd-generation mobiles produce continuously whilst the phone is switched on.

Computerised 'traffic analysis' (tracing links between individuals) is a powerful new form of mass-surveillance, but is only efficient at keeping tabs on the law-abiding. Professional terrorists know how to cover their tracks - for example throw-away use of pre-paid mobile phones. Reports of the modus operandi of the September 11th terrorists indicate they used Web-based e-mail from public terminals. Clearly it is not persuasive to argue for privacy to be sacrificed in the name of fighting terrorism if the measures would not in fact be effective.

A leaked report from the National Criminal Intelligence Service last year revealed that police and security agencies are nevertheless pressing for a mandatory data retention law to warehouse the traffic data of the entire population for several years (http://cryptome.org/ncis-carnivore.htm). Blunkett's proposals amount to blanket 'dataveillance' for non-terrorist investigations, using the tragic events of Sep 11 as justification.

Providers of e-commerce authentication services could be affected as well as ISPs and telcos. Anyone offering "provision of access to, and of facilities for making use of...the transmission of communications" [RIP S.22(4) & S.1 defs] could face extra costs of providing suitable storage devices and media, and full compliance with data protection legislation.

Quotes
======

Caspar Bowden, director of Internet think-tank FIPR (Foundation for Information Policy Research) commented:

"Sensitive data revealing what you read, where you are, and who you talk to online could be collected in the name of national security. But Mr.Blunkett intends to allow access to this data for purposes nothing to do with fighting terrorism. Minor crimes, public order and tax offences, attendance at demonstrations, even 'health and safety' will be legitimate reasons to siphon sensitive details of private life into government databases to be retained indefinitely. This would be in flagrant breach of the first and second Data Protection Principles." (Note 6)

Contact for enquiries: Caspar Bowden Foundation for Information Policy Re
Re: Scarfo "keylogger", PGP
Of course, but the difference is that Windows users routinely install programs that update libraries in random ways, Unix users don't.

By and large, Unix applications only install libraries unique to the application, and the general stuff only changes when you upgrade the operating system. If you're moderately clueful (a big assumption, I know) the applications aren't installed as root so they can't whomp the system libraries.

Most Windows applications, on the other hand, come with copies of vendor C libraries, graphics libraries, and who knows what else, and just install them in \Windows\System. It's a very common problem on Windows systems to have programs mysteriously stop working because the user installed an unrelated application that happened to use the same DLL, but the newly installed version is older than the previous one and is missing features or bug fixes. The current generation of install software tries to check version numbers and warn you if it's about to downgrade a library, but it's entirely a convention in the installation software, not enforced by anything.

>The same is true of, say, libX11.so, or worse, libpam.so, on Unix
>systems.

>> One of my continual gripes about Windows security has to do with the GUI
>> DLLs. An attacker could silently replace a component with one which has
>> the old version number and the same API as the normal one, but which
>> does something extra -

--
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
NIST Key Mgmt. Workshop Documents
Both the key schemes document and the key management guideline for the NIST key management workshop are now available at http://csrc.nist.gov/encryption/kms/workshop2-page.html. Please register by October 30 by email, FAX or phone; see the web page for details. If unable to attend, a report of the workshop will be available on the web site shortly afterward, as well as any slide presentations.

If you prefer not to receive further emails on NIST cryptographic activities, please let me know. Thanks.

Elaine Barker
National Institute of Standards and Technology
100 Bureau Dr., Stop 8930
Gaithersburg, MD 20899-8930
Phone: 301-975-2911
Fax: 301-948-1233
Email: [EMAIL PROTECTED]
Re: First Steganographic Image in the Wild
At 11:43 PM 10/15/2001 +0100, Adam Back wrote:
>If you read the web page it was just a demo created by ABC news --
>that doesn't count as found in the wild. Not that it would be that
>far out to find the odd image in the wild created as a novelty by
>someone tinkering with stego software, or perhaps even individuals
>playing with stego.
>
>Stego isn't a horseman, and the press drumming up scare stories around
>stego is ludicrous. We don't need any more stupid cryptography or
>internet related laws. More stupid laws will not make anyone safer.

I agree, but if Congress isn't careful (and they don't seem to be in a careful mood these days), they'll end up outlawing watermarking in digital "content", which would do to the DRM (digital rights management) industry what they tried to do to security researchers with the DMCA.

Perhaps the RIAA and SDMI folks will now come out in favor of steganography in order to save their businesses.

Or maybe they'll be forced to rewrite their complicated protection schemes to enable "stego escrow", so that federal agents can monitor the secrets hidden inside published content, to make sure there aren't any hidden messages in Anthrax albums.

--
Greg Broiles
[EMAIL PROTECTED]
"We have found and closed the thing you watch us with." -- New Delhi street kids
Re: Scarfo "keylogger", PGP
Capturing keystrokes of email in composition would appear to me to be part of a "transfer of ..intelligence of any nature transmitted ... in part by a wire...", and nothing to do with stored email or 2703, but I am not a lawyer.

-- Peter Fairbrother

> Steven M. Bellovin wrote:
[snip]
> The problem is that you're thinking like a computer scientist instead
> of like a lawyer...
>
> Definitions are important in the law. The wiretap statute (18 USC 2510
> et seq, http://www4.law.cornell.edu/uscode/18/2510.html) defines
> an "electronic communication" as "any transfer of signs,
> signals, writing, images, sounds, data, or intelligence of any
> nature transmitted in whole or in part by a wire, radio,
> electromagnetic, photoelectronic or photooptical system that
> affects interstate or foreign commerce, but does not include -
> (A) any wire or oral communication..." ("Wire communications"
> refers to telephone calls.) Interception of such transmissions
> is one of the things governed by the wiretap statute; the procedure
> for getting an authorization for a tap is very cumbersome,
> and is subject to numerous restrictions in both the statute and
> DoJ regulations.
>
> Access to *stored communications* -- things that aren't actually
> traveling over a wire -- is governed by 18 USC 2701 et seq.,
> which was added to the wiretap statute in 1986. (That's when
> electronic communications were added as well.) The rules for
> access there are much simpler. But that section was written on
> the assumption that email would only be stored on your service
> bureau's machine! In this case, it would appear that we're back to
> the ordinary search and seizure statutes governing any computer records
> owned by an individual. *But* -- if they're *in the process of being
> sent* -- 2511 would apply, it would be a wiretap, and it would be
> hard to do. The FBI agents who wrote that keystroke logger are
> well aware of this distinction, and apparently tried to finesse
> the point by ensuring that no communications (within the meaning
> of the statute) were taking place when their package was operating.
>
> I suppose that someone could make an argument to a judge that
> email being composed is intended for transmission, and that it
> should therefore be covered by 2511. The government's counter will
> be to cite 2703, which provides for simpler access to some email, as
> evidence that Congress did not intend the same protections for
> email not actually in transit. I'd have to reread the ruling
> in the Steve Jackson Games case to carry my analysis any further,
> but I'll leave that to the real lawyers.
Re: Scarfo "keylogger", PGP
The same is true of, say, libX11.so, or worse, libpam.so, on Unix systems.

-derek

"Trei, Peter" <[EMAIL PROTECTED]> writes:

> One of my continual gripes about Windows security has to do with the GUI
> DLLs. An attacker could silently replace a component with one which has
> the old version number and the same API as the normal one, but which
> does something extra - for example, the component which handles the
> textbox for entering passwords could check the system table to see if
> the active program was PGP, and if so log the text entered. The user
> would be none the wiser, and even re-installing PGP would not restore
> security.
>
> A secure system would use cryptographically signed components,
> and an application would check the signatures before loading a
> dynamic library. An attacker would then need to get the trojaned
> components signed, which raises the bar.
>
> Windows XP at least checks for drivers not signed by MS, but
> whose security this promotes is an open question.
>
> Peter Trei

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
[EMAIL PROTECTED] PGP key available
Re: Scarfo "keylogger", PGP
"Trei, Peter" wrote:
> Windows XP at least checks for drivers not signed by MS, but
> whose security this promotes is an open question.

Errr ... surely this promotes MS's bottom line and no-one's security? It is also a major pain if you happen to want to write a device driver, of course.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: Scarfo "keylogger", PGP
In message <9qftr6$23i$[EMAIL PROTECTED]>, David Wagner writes:
>It seems the FBI hopes the law will make a distinction between software
>that talks directly to the modem and software that doesn't. They note
>that PGP falls into the latter category, and thus -- they argue -- they
>should be permitted to snoop on PGP without needing a wiretap warrant.
>
>However, if you're using PGP to encrypt email before sending, this
>reasoning sounds a little hard to swallow. It's hard to see how such a
>use of PGP could be differentiated from use of a mail client; neither
>of them talk directly to the modem, but both are indirectly a part of
>the communications path. Maybe there's something I'm missing.

The problem is that you're thinking like a computer scientist instead of like a lawyer...

Definitions are important in the law. The wiretap statute (18 USC 2510 et seq, http://www4.law.cornell.edu/uscode/18/2510.html) defines an "electronic communication" as "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, but does not include - (A) any wire or oral communication..." ("Wire communications" refers to telephone calls.) Interception of such transmissions is one of the things governed by the wiretap statute; the procedure for getting an authorization for a tap is very cumbersome, and is subject to numerous restrictions in both the statute and DoJ regulations.

Access to *stored communications* -- things that aren't actually traveling over a wire -- is governed by 18 USC 2701 et seq., which was added to the wiretap statute in 1986. (That's when electronic communications were added as well.) The rules for access there are much simpler. But that section was written on the assumption that email would only be stored on your service bureau's machine! In this case, it would appear that we're back to the ordinary search and seizure statutes governing any computer records owned by an individual. *But* -- if they're *in the process of being sent* -- 2511 would apply, it would be a wiretap, and it would be hard to do. The FBI agents who wrote that keystroke logger are well aware of this distinction, and apparently tried to finesse the point by ensuring that no communications (within the meaning of the statute) were taking place when their package was operating.

I suppose that someone could make an argument to a judge that email being composed is intended for transmission, and that it should therefore be covered by 2511. The government's counter will be to cite 2703, which provides for simpler access to some email, as evidence that Congress did not intend the same protections for email not actually in transit. I'd have to reread the ruling in the Steve Jackson Games case to carry my analysis any further, but I'll leave that to the real lawyers.
Re: Scarfo "keylogger", PGP
The "keystroke capture component" (which does not work when the modem is operating) would capture email when composed offline before transmission. I don't know whether this needs a wiretap warrant or not, but in effect it is tapping email, during a part of its journey from brain to brain.

The "PGP-key capture component" only captured the PGP logon, and wouldn't capture email in any case. It would work when the modem was working (on something else).

The encrypted data on Scarfo's computer may or may not include email, which the PGP key would decode, but the FBI were authorised to seize business records, not email. Perhaps the FBI might not be allowed to decrypt or look at any email found, though in practice it would be nearly impossible to stop them doing so.

The affidavit is extremely complex and hard to unravel, whether to try to preserve secrecy, in the hope that it will confuse the defence/Court, or perhaps it's just legalese, I don't know.

-- Peter Fairbrother

> David Wagner wrote:
> It seems the FBI hopes the law will make a distinction between software
> that talks directly to the modem and software that doesn't. They note
> that PGP falls into the latter category, and thus -- they argue -- they
> should be permitted to snoop on PGP without needing a wiretap warrant.
>
> However, if you're using PGP to encrypt email before sending, this
> reasoning sounds a little hard to swallow. It's hard to see how such a
> use of PGP could be differentiated from use of a mail client; neither
> of them talk directly to the modem, but both are indirectly a part of
> the communications path. Maybe there's something I'm missing.
>
> If you're using PGP to encrypt stored data only, though, then I can
> see how one might be able to make a case that use of PGP should be
> distinguished from use of a mail client.
>
> Does anyone know what PGP was used for in this case? Was it used only
> for encrypting stored data, or was it also used from time to time for
> encrypting communications?
RE: Scarfo "keylogger", PGP
> Peter Fairbrother[SMTP:[EMAIL PROTECTED]]
>
> The other and more worrying "component" picked up the PGP key Scarfo used -
> his father's prison number! - and virtually nothing else. It didn't capture
> keystrokes. Almost certainly it detected and captured only the PGP logon
> when the enter key was pressed, and it is almost certainly software. I don't
> know if Scarfo entered his PGP key more than once but apparently it only
> recorded it once. The PGP key information was at the end of the output
> presented to the Court so it may have stopped operation then, but the
> "keystroke capture component" should have continued to work if the overall
> design was good.
>
> Could it be remotely installed? Is this a serious security failure in PGP?
> The recent announcement by NA that they are looking for a buyer for PGP, at
> a time when its value would be low anyway following the WTC attacks, may be
> relevant...
>
> -- Peter Fairbrother
>

Windows programs can incorporate the GUI components (MFC libraries, etc) either as statically linked libraries at compilation time, or (more commonly) as dynamically linked libraries (DLLs).

One of my continual gripes about Windows security has to do with the GUI DLLs. An attacker could silently replace a component with one which has the old version number and the same API as the normal one, but which does something extra - for example, the component which handles the textbox for entering passwords could check the system table to see if the active program was PGP, and if so log the text entered. The user would be none the wiser, and even re-installing PGP would not restore security.

A secure system would use cryptographically signed components, and an application would check the signatures before loading a dynamic library. An attacker would then need to get the trojaned components signed, which raises the bar.

Windows XP at least checks for drivers not signed by MS, but whose security this promotes is an open question.

Peter Trei
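
The check described in the message above, sketched as an added example (not part of the original thread, and not code from PGP or Windows): a loader-side function authenticates a manifest of component digests and refuses a replaced library even though its version number still matches. The component name `textbox.dll`, the manifest layout and the demo key are assumptions, and HMAC-SHA256 stands in for the publisher's public-key signature so the block runs on the Python standard library alone; because an HMAC verifying key can also forge, a deployed scheme would use a public-key signature instead.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo key. Assumption: HMAC-SHA256 stands in for the publisher's
# public-key signature so the example needs only the standard library.
MANIFEST_KEY = b"constructed-demo-key-not-a-real-secret"


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory, versions, key=MANIFEST_KEY):
    """Publisher side: record version and digest per component, then tag it."""
    entries = {
        name: {"version": ver, "sha256": sha256_file(os.path.join(directory, name))}
        for name, ver in sorted(versions.items())
    }
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def version_only_check(manifest, name, claimed_version):
    """The installer convention: compare version numbers and nothing else."""
    return manifest["entries"][name]["version"] == claimed_version


def verify_before_load(manifest, directory, name, key=MANIFEST_KEY):
    """Loader side: authenticate the manifest, then compare the file digest.

    Returns (ok, reason); a loader would map the library only when ok is True.
    """
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("tag", "")):
        return False, "manifest authentication failed"
    entry = manifest["entries"].get(name)
    if entry is None:
        return False, "component not listed in manifest"
    path = os.path.join(directory, name)
    if not os.path.isfile(path):
        return False, "component missing"
    if not hmac.compare_digest(sha256_file(path), entry["sha256"]):
        return False, "digest mismatch"
    return True, "ok"


def demo():
    """Run the scenario on constructed files and return each check's result."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        name = "textbox.dll"  # hypothetical component name
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(b"constructed original component bytes")
        manifest = build_manifest(d, {name: "4.2"})
        results["original"] = verify_before_load(manifest, d, name)

        # The file is swapped for different bytes that claim the same version.
        with open(path, "wb") as f:
            f.write(b"constructed replacement, same API and version")
        results["version_check_on_replacement"] = version_only_check(
            manifest, name, "4.2")
        results["replacement"] = verify_before_load(manifest, d, name)

        # The manifest is edited to match the new file without the key.
        forged = {"entries": dict(manifest["entries"]), "tag": manifest["tag"]}
        forged["entries"][name] = {"version": "4.2", "sha256": sha256_file(path)}
        results["forged_manifest"] = verify_before_load(forged, d, name)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(check, outcome)
```

The version-number comparison accepts the replaced file while the digest check rejects it, and editing the manifest to match fails authentication.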
Re: Scarfo "keylogger", PGP
At 12:09 AM + 10/16/2001, David Wagner wrote:
>It seems the FBI hopes the law will make a distinction between software
>that talks directly to the modem and software that doesn't. They note
>that PGP falls into the latter category, and thus -- they argue -- they
>should be permitted to snoop on PGP without needing a wiretap warrant.
>
>However, if you're using PGP to encrypt email before sending, this
>reasoning sounds a little hard to swallow. It's hard to see how such a
>use of PGP could be differentiated from use of a mail client; neither
>of them talk directly to the modem, but both are indirectly a part of
>the communications path. Maybe there's something I'm missing.

Reading between the lines, I think the FBI is taking the position that e-mail stored on your computer, either before or after you send it, is a business record and not an electronic communication. Thus they would also claim the right to key-log a mail client when it was off line under the authority of just a search warrant, without a wire tap order. In effect, they seem to be claiming that only instant messaging is protected under anti-wiretapping laws.

>
>If you're using PGP to encrypt stored data only, though, then I can
>see how one might be able to make a case that use of PGP should be
>distinguished from use of a mail client.
>
>Does anyone know what PGP was used for in this case? Was it used only
>for encrypting stored data, or was it also used from time to time for
>encrypting communications?
>

Press reports said PGP was used to encrypt gambling records. The defense challenged the keylogging on the grounds that it must have intercepted electronic communications as well, and therefore went beyond the authority of the FBI's search warrant.

It also seems that the FBI used two separate tools on Scarfo's computer:

1. an only-when-the-modem's-off key logger
2. a tool to capture the passphrase when it was entered into the PGP dialog box.

One way to create the latter tool is to simply use the PGP source code to make a doctored version of PGP that saves the passphrase in a hidden file or even e-mails it and the secret key to a special address.

This possibility suggests that it is a mistake to include the full PGP version number in plaintext, as is done in the present PGP message format. Doing so allows any attacker to prepare a doctored program that matches the target's version in advance, reducing the number of surreptitious entries needed. This may not matter much to the FBI (which apparently made five entries in this case) but could be significant to an attacker with fewer resources, e.g. a terrorist cell. Transmitting the software version en clair may also help in creating a capture tool that knows where keying information is stored in memory.

If there is a need to alert the receiving program as to the format of the encrypted message, a message format code should be used, not the software version number.

Arnold Reinhold
(who is not a lawyer)
Fear of prying
It's amazing how fast the irony bit gets flipped, huh?

Cheers,
RAH

---
http://www.townhall.com/columnists/jacobsullum/printjs20011016.shtml

townhall.com
Jacob Sullum
October 16, 2001

Fear of prying

I first downloaded Pretty Good Privacy a couple of years ago, at the request of an interview subject. He was nervous about discussing his drug use through unprotected e-mail, and my willingness to use PGP reassured him not only that he would be safe from eavesdroppers but that he could trust me to take his privacy concerns seriously.

It was a small illustration of encryption's power, but it brought home to me what a godsend this kind of readily available, easily used software must be to dissidents who risk prison by sharing unauthorized information or expressing forbidden opinions.

Phil Zimmermann had such people in mind when he created PGP a decade ago and risked prison by posting it online. At the time, the U.S. government considered strong encryption software a "munition," and by making it available to human rights activists around the world Zimmermann was arguably violating a federal ban on the export of such weapons.

Some politicians are trying to revive this sinister view of encryption in the wake of last month's terrorist attacks. In a floor speech a week after hijacked airplanes collided with the Pentagon and the World Trade Center, Sen. Judd Gregg, R-N.H., worried aloud about "somebody out there using encryption technology for the purposes of pursuing a terrorist act in the United States." He declared, "There is no excuse for anybody to be underwriting that type of activity in our country."

To prevent terrorists from shielding their communications, Gregg wants to make all producers of encryption systems design their products so the government can read the messages they generate. The surveillance would be "judicially controlled" to make sure it "simply gets at the bad guys."

Gregg's opposition to strong encryption is echoed in some surprising quarters. Boston Globe columnist Cathy Young, a colleague of mine at Reason magazine, has confessed that "the idea of people being able to encrypt electronic communications so that they are beyond surveillance" has always seemed "scary" to her, "precisely because of the threat of terrorism."

This is like saying that computers or telephones or airplanes or box cutters are scary. Any technology can be used for good or ill. The question is whether the potential for evil justifies restrictions on legitimate uses.

As more than one critic has pointed out, the arguments against strong encryption could also be used against strong locks, since criminals tend to hatch their plans behind closed doors. That doesn't mean all of us should make extra sets of house keys for the police in case they need to search our homes.

We have been down this road before with various proposals during the 1990s for "key recovery" arrangements through which the authorities could break otherwise unbreakable codes. Now as then, the most decisive argument against encryption controls is that they wouldn't work because PGP-like software is already available from a variety of sources.

Does Sen. Gregg plan to come to my house and erase my copy of PGP? If not, how can he possibly hope to stop terrorists, who are much more highly motivated than I am to shield their communications, from obtaining and using such software?

The attempt to do so would weaken security rather than enhancing it. A 1998 report from a panel of distinguished cryptographers and computer scientists concluded that "there are compelling reasons to believe that, given the state of the art in cryptology and secure systems engineering, government-access key recovery is not compatible with large scale, economical, secure cryptographic systems."

A member of the panel, Matt Blaze, recently told The Washington Post, "I am extremely doubtful that this could be done without weakening computer systems, and the costs would be absolutely staggering." In addition to the bugs introduced by added complexity, keeping extra copies of the keys used to decode messages would create tempting targets for thieves.

The keys could also be compromised by incompetent or corrupt officials charged with protecting them. Misuse of official records is not exactly unheard of in this country, and the problem would be magnified if every unsavory regime that has enlisted in the war on terrorism were to be trusted with the keys to its citizens' e-mail.

For the dissidents Phil Zimmermann is rightly proud of helping, the whole point of encryption is to guard against official surveillance. If Gregg's vision were ever realized, they would once again have to watch what they say.

©2001 Creators Syndicate, Inc.

--
R. A. Hettinga
The Internet Beare