Subject: RISKS DIGEST 13.41
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 16 April 1992  Volume 13 : Issue 41

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Re: Tapping/taping (Donn Parker, Mark Rasch, Joel Upchurch, Phil Karn, Mike Gore, John Mainwaring, Irving Wolfe)
FBI phone tapping bill (Steve Dever)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR> CD RISKS:<CR>GET RISKS-i.j" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: 16 Apr 1992 16:09:04 U
From: "Donn Parker"
Subject: Intercept legislation

The Intercept law proposed by the FBI is in need of the full support of the cyberspace community but requires some additions that are disturbingly absent.
The proposed amendment to the Communications Act of 1934 is necessary to perpetuate an essential capability of law enforcement to protect the public from crime and particularly to protect the privacy of individuals whose personal information is communicated. However, it has serious shortcomings that must be corrected that I hope organizations such as EFF and CPSR can address that are needed to protect all the stakeholders from unauthorized use and misuse of the interception capability.

Clearly, access and usage security controls are needed. In addition, recording of all intercept activity is needed for audit and evidential purposes. Finally, only the FCC rulemaking proceedings should be kept secret that would aid and abet unauthorized persons to abuse the capability to use the intercept capability for bad purposes; some detailed information about the auditing and safeguarding must not be revealed.

The providers and PBX operators probably require the interception capabilities anyway for maintenance and line quality testing. However, my suggested additions would help ensure that interception for whatever reasons would not be misused, and abusers could more effectively be prosecuted.

Donn B. Parker

------------------------------

Date: Thu, 16 Apr 92 16:59 EDT
From: Rasch@DOCKMASTER.NCSC.MIL
Subject: Taping without consent

There has been a lot of debate about whether a person can be videotaped (or audiotaped) without consent. The quick answer is it depends.

Of course you can videotape people or objects if they are in the public view -- they have no legitimate expectations of privacy. Just look at The Star or other tabloids that routinely photograph people on the streets. There are limitations, however. There is a common law tort of interference with or invasion of privacy, as well as exploitation of a person's likeness for financial gain. (Suppose the "Coppertone" girl decided to sue).
From a Fourth Amendment standpoint, a videotape in a public place is not an "unreasonable search or seizure." Videotapes in PRIVATE places are another matter. Because they enable the government to see what otherwise cannot be seen, and therefore impart information to the government, they MAY constitute searches in Fourth Amendment terms. NOTE that the search (e.g., the videotaping) MUST entail some state action -- be performed at the behest of law enforcement. No state action -- no Fourth Amendment violation. (This does not prevent a private suit for interference with privacy, however).

There is an exception recognized in Katz v. United States. That is, what Katz called the "invited ear" exception. You ALWAYS run the risk that the person you visit is videotaping you. (OR, in Katz, audiotaping you). This has led to the development of the law of one-party consent. IN GENERAL, one party to a conversation may consent to its being recorded. Exceptions exist in many jurisdictions for TELEPHONE conversations where the state law may require two party consent.

If the law always required two-party consent to video/audio recording, imagine the effect on -- for example -- television news. No more undercover recordings -- no more 60 Minutes. No more panoramic sweeps (consent from all the pedestrians??).

Finally, in the electronic environment things are even more screwy. Telephone calls are covered by privacy laws, FCC regulations, wiretap and surveillance laws, warrant requirements and the like. Electronic communications may also be covered by the Electronic Communications Privacy Act, the Privacy Protection Act, and (a la Steve Jackson) the First Amendment. The turgidity continues.

------------------------------

Date: Tue, 14 Apr 92 04:52:49 EDT
From: upchrch!joel@peora.sdc.ccur.com (Joel Upchurch)
Subject: Re: Tapping phones, encrypting communication, and trust

I would like to address what Jerry Leichter said in RISKS-13.39.
I agree with what he said about the ability of the FBI and other police authorities to tap into phone conversations being curtailed by the advances in technology. What I disagree with is that this is a bad thing. It seems to me that if tapping a phone conversation is difficult and expensive and the funding for such efforts comes out of the budget of the police agency involved, then it is far more likely that such tapping will be used with restraint, than if using it is cheap and easy.

If anything I'm worried that technology is going too far in the other direction. I suspect that the major cost of any phone tap isn't the cost of placing the tap and recording the conversations, but in paying people to listen to them. It isn't collecting data that is expensive, but analyzing it. With the advent of computer voice recognition in the next few years, it is quite possible that this cost will decrease drastically, maybe by an order of magnitude or more as the technology improves.

As the saying goes, government is a dangerous servant and a terrible master. A prudent citizen will try to ensure that powers of government are strictly curtailed and a close eye is kept to make sure these powers are neither abused nor exceeded either through malice or an excess of zeal.

I keep asking myself, how is the FBI proposal different from one that would require audio and video surveillance equipment be placed in every home at the expense of the home owner? Even if there were strict controls to make sure the equipment was never used without a court order, I doubt that most people would approve of it. What if the FBI required me to not seal my envelopes, since it would inhibit their ability to surreptitiously read my mail? It's not so much the idea that they want me to pay for it, it is the idea that they want me to pay to give them capabilities that I'd be willing to pay for them NOT to have.

As for Mr. Leichter's police analogy, it is rather flawed.
A better question to ask is should we forego the right of self-protection, because some criminals misuse the technology involved and always trust that the government will be able to protect us and will never oppress us? Some people think so, but I'm not one of them.

Joel Upchurch/Upchurch Computer Consulting/718 Galsworthy/Orlando, FL 32809
joel@peora.ccur.com {uiucuxc,hoptoad,petsd,ucf-cs}!peora!joel (407) 859-0982

------------------------------

Date: Tue, 14 Apr 92 02:35:17 -0700
From: karn@chicago.Qualcomm.COM (Phil Karn)
Subject: Re: wire tapping (Leichter, RISKS-13.39)

The debate over the FBI's proposal to ensure wiretappability of digital phone technologies largely misses the point. This is especially true for Jerry Leichter's recent comments.

I think it is reasonable to ask whether any proposed restrictive legislation will be effective in its intended purpose. If the answer is "no", then it is entirely pointless to debate the merits of a bill's goals, no matter how desirable they may seem.

I submit that the FBI's measure will ultimately prove ineffective, for one very simple reason: user-provided end-to-end encryption. Like it or not, it is only a matter of time before most criminals routinely use it to thwart wiretaps.

Encryption is uncontrollable because the encryption-specific parts of a system can be implemented entirely in software if necessary. It need only use cheap, readily available generic computer hardware that cannot be practically controlled in a modern industrial society.

The means to protect textual communications from wiretapping are already readily available. All it takes is a sufficiently motivated user. Someone, say, with good reason to fear an FBI wiretap. And before long the generic hardware necessary for secure voice communications will be just as cheap and widespread.

Eventually, the FBI's wiretap facilities will be effective only against those few remaining criminals too stupid to encrypt.
And they could also be quite effective against those law-abiding companies and individuals who, instead of providing their own cryptographic privacy, blindly trust whatever "safeguards" (legal and/or technical) are supposedly in place to prevent their misuse. Quite frankly, after the Nixon years it's hard to have much faith in legal safeguards, and I know too much about telco technology to have much faith in technical safeguards.

Most readers of this list are highly computer literate, so these may seem like obvious statements. But they are apparently not so obvious to many in government policymaking positions. Our real problem is how to educate these people about the nature of cryptography, why it will be impossible for the FBI to maintain its precious "status quo", and to begin thinking about how they can *realistically* deal with the future instead of trying to force a return to the past.

We urgently need to get these people to understand the following:

1. The use of cryptography by criminals to thwart wiretaps is inevitable in anything remotely resembling a modern free society. You don't even want to contemplate living in a state with truly effective ways to prevent the private use of encryption. So we might as well promote, not restrict, the widespread use of encryption so that law-abiding persons can benefit from it as well.

2. As the utility of the wiretap decreases, law enforcement will have to rely on other ways to collect evidence. Informers, for example, or testimony compelled under grants of immunity. Eventually the government might even have to consider abandoning its attempts to penalize certain types of behavior that consist largely or entirely of communications or the mere possession of information.

Unfortunately, our government's historical inability to accept the inevitable without a long, wasteful and futile fight does not give me much hope that we'll avoid one this time.
Phil

------------------------------

Date: Tue, 14 Apr 92 11:58:18 -0400
From: Mike Gore
Subject: FBI Phone Taps (Re: RISKS-13.39)

I submit that the biggest risks in dealing with a system that allows single point phone tapping can be better addressed in questions far more basic than of trusting the good intentions of any agency itself. Rather we might first examine:

1) The number of lives and total value of all information to be entrusted to such a system.
2) The ability of such an agency to protect the proposed system from misuse by outside forces.
3) The social and monetary costs including the risks generated from proposed system vs that of the former system.

So even if one fully trusts the intentions of an agency we might not sleep better knowing that we have in effect put up a big sign saying to all would be criminals "in order to save you time we have placed all our eggs in this basket right here"...

Mike Gore, Technical Support, Institute for Computer Research
1-519-885-1211, x6205
uunet!watmath!watserv1!magore
magore@watserv1.waterloo.edu or magore@watserv1.uwaterloo.ca

------------------------------

Date: 14 Apr 92 17:49:00 EDT
From: John (J.G.) Mainwaring
Subject: Re: Telephone system foibles - also cryptography

James Zuchelli seems surprised that he would have calls billed by Alternate Operator Services companies from places he's never been. The practice is known as 'Splashing', and arises from the arrangements among smaller long distance carriers and operator services companies. His call was presumably handled by an operator company in Ada, Michigan who were unable to determine the true point of origin of the call. They would bill the call to a calling card as being from their location to the actual called number.
Congress and the FCC do not seem to feel that this practice was one of the benefits intended to follow from the break up of the Bell System, and seem to have initiated proceedings to ensure that all calls will be billed based on the true point of origin.

The FBI/encryption/privacy debate has been interesting. Obviously the FBI will only be successful in interpreting data from wiretaps if they can manage to stay abreast of technology. The usual file archiving and compression schemes are meant to be easy to use, so any reasonably aware user will recognize from file naming conventions what decompression techniques to use. They could become the basis for encryption schemes, but it seems reasonable to suppose that they would tend to have signatures that a knowledgeable spook could recognize fairly easily.

In the same way, the FBI would have to keep abreast of technology and learn to use any widely used speech compression technology. ISDN makes end to end encryption of speech a little easier than it once was, since speech is readily available for manipulation in digital form at either end. However, it's possible to compress digital speech from the 64K bit/sec rate ISDN normally uses to rates as low as 2400 bit/sec with some loss of fidelity, and that would allow a digital stream to be encrypted and transmitted on a fairly ordinary analogue line. Any digital switch would allow the FBI to wiretap such a call, but it would take them a good deal of effort to make sense of it.

Ultimately it seems unlikely that laws against using encryption will deter people who are already breaking more serious laws. They will affect people with legitimate needs for privacy such as protection of trade secrets and financial information. Restrictions on American trade will clearly not apply abroad, and can only work to the disadvantage of American (free?) enterprise.
The FBI may wish for simpler times, but in the long run it seems like they'll have to heat their buildings with Crays and learn to be as good at cryptography as the bad guys. After all, the first working electronic computer may have been Colossus, which was built to do cryptography.

------------------------------

Date: Wed, 15 Apr 1992 16:17:27 GMT
From: irving@happy-man.com (Irving_Wolfe)
Subject: Re: Tapping phones, encrypting communication, and trust

>I'm disturbed . . . . The general approach seems to be based on
>the idea that government is not to be trusted, ever, with anything.
>Nothing government says is to be believed.

Many of us do feel that the history of government lies on issues large and small preclude believing what government tells us without substantial additional evidence. Sure, there are many good people in government, and many useful functions performed by it. But we really do differ from you in having enough concern for civil liberties to willingly, even enthusiastically accept some inefficiency and some additional crime in return for stronger guarantees of privacy and freedom for the great masses of people who are basically decent, including ourselves and our friends.

>Let's take the FBI "phone tapping" proposal.

Many of us, while tolerant of occasional phone-tapping under a difficult-to-get court order, might prefer no phone-tapping at all to tapping under easy-to-obtain court orders or widespread tapping of any sort.

>Do they believe ... that we should banish policy [sic] departments
>and arm ourselves for our own protection against criminals ... ?

We might not advocate the abolition of police departments because they have not yet become that extremely corrupt.
But for other reasons -- including the physical inability of even a large police force to provide protection at the level that could assure everyone's safety from assault, burglary, rape, and murder -- we certainly support possession of firearms by adult citizens, perhaps even required possession and required training. This threat of self-defense would produce a far greater reduction in violent crime than any law could.

The risks issue, as I see it: I'm happy to assume the (perceived small) risk that my neighbor will shoot me, in place of the (perceived much larger) risk that either a criminal will attack my family and friends while we are defenseless or that at some future time only a fully armed population could save itself from a would-be-totalitarian government (either home-grown or invading). It is no accident that the Soviet Union's first action after taking over Hungary, Czechoslovakia, and Poland was the seizure of privately owned firearms.

Irving_Wolfe@Happy-Man.com  Happy Man Corp.  206/463-9399 x101
4410 SW Pt. Robinson Rd., Vashon Island, WA 98070-7399  fax x108

[Commercial advertising deleted... PGN]

------------------------------

Date: Wed, 15 Apr 92 10:06:55 PDT
From: Steve.Dever@eng.sun.com (Steve Dever)
Subject: FBI phone tapping bill

Attached is a copy of the FBI's proposed law which would prevent telephone companies and PBX operators from using equipment which would inhibit the government's ability to perform wiretaps. This was uploaded to the Well by Mike Godwin of the EFF.

Steve Dever

102nd Congress
2nd Session

Amendment No.
Offered by M.

SEC. 1. FINDINGS AND PURPOSES

(a) The Congress finds:
(1) that telecommunications systems and networks are often used in the furtherance of criminal activities including organized crime, racketeering, extortion, kidnapping, espionage, terrorism, and trafficking in illegal drugs; and

(2) that recent and continuing advances in telecommunications technology, and the introduction of new technologies and transmission modes by the telecommunications industry, have made it increasingly difficult for government agencies to implement lawful orders or authorizations to intercept communications and thus threaten the ability of such agencies effectively to enforce the laws and protect the national security; and

(3) without the assistance and cooperation of providers of electronic communication services and private branch exchange operators, the introduction of new technologies and transmission modes into telecommunications systems without consideration and accommodation of the need of government agencies lawfully to intercept communications, would impede the ability of such agencies effectively to carry out their responsibilities.

The purposes of this Act are:

(1) to clarify the duty of providers of electronic communication services and private branch exchange operators to provide such assistance as necessary to ensure the ability of government agencies to implement lawful orders or authorizations to intercept communications; and

(2) to ensure that the Federal Communications Commission, in the setting of standards affecting providers of electronic communication services or private branch exchange operators, will accommodate the need of government agencies lawfully to intercept communications.

SEC. 2. Title II of the Communications Act of 1934 is amended by adding at the end thereof the following new sections:

"Sec__.
GOVERNMENT REQUIREMENTS

"(a) The Federal Communications Commission shall, within 120 days after enactment of this Act, issue such regulations as are necessary to ensure that the government can intercept communications when such interception is otherwise lawfully authorized

"(b) The regulations issued by the commission shall:

"(1) establish standards and specifications for telecommunications equipment and technology employed by providers of electronic communication services or private branch exchange operators as may be necessary to maintain the ability of the government to lawfully intercept communication

"(2) require that any telecommunications equipment or technology which impedes the ability of the government to lawfully intercept communications and which has been introduced into a telecommunications system by providers of electronic communication services or private branch exchange operators shall not be expanded so as to further impede such utility until that telecommunications equipment or technology is brought into compliance with the requirements set forth in regulations issued by the Commission;

"(3) require that modifications which are necessary to be made to existing telecommunications equipment or technology to eliminate impediments to the ability of the government to lawfully intercept communications shall be implemented by such providers of electronic communication services and private branch exchange operators within 180 days of issuance of such regulations; and

"(4) prohibit the use by electronic communication service providers and private branch exchange operators of any telecommunications equipment or technology which does not comply with the regulations issued under this section after the 180th day following the issuance of such regulations.
"(c) For the purposes of administering and enforcing the provisions of this section and the regulations prescribed hereunder, the Commission shall have the same authority, power, and functions with respect to providers of electronic communication services or private branch exchange operators as the Commission has in administering and enforcing the provisions of this title with respect to any common carrier otherwise subject to Commission jurisdiction. Any violation of this section by any provider of electronic communication service or any private branch exchange operator shall be subject to the same remedies, penalties, and procedures as are applicable to a violation of this chapter by a common carrier otherwise subject to Commission jurisdiction, except as otherwise specified in subsection (d).

"(d) In addition to any enforcement authorities vested in the Commission under this title, the Attorney General may apply to the appropriate United States District Court for a restraining order or injunction against any provider of electronic communication service or private branch exchange operator based upon a failure to comply with the provisions of this section or regulations prescribed hereunder.

"(e) Any person who willfully violates any provision of the regulations issued by the Commission pursuant to subsection (a) of this section shall be subject to a civil penalty of $10,000 per day for each day in violation.
"(f) To the extent consistent with the setting or implementation of just and reasonable rates, charges and classifications, the Commission shall authorize the compensation of any electronic communication service providers or other entities whose rates or charges are subject to its jurisdiction for the reasonable costs associated with such modifications of existing telecommunications equipment or technology, or with the development or procurement, and the installation of such telecommunications equipment or technology as is necessary to carry out the purposes of this Act, through appropriate adjustments to such rates and charges.

"(g) The Attorney General shall advise the Commission within 30 days after the date of enactment of this Act, and periodically thereafter, as necessary, of the specific needs and performance requirements to ensure the continued ability of the government to lawfully intercept communications transmitted by or through the electronic communication services and private branch exchanges introduced, operated, sold or leased in the United States.

"(h) Notwithstanding section 552b of Title 5, United States Code or any other provision of law, the Attorney General or his designee may direct that any Commission proceeding concerning regulations, standards or registrations issued or to be issued under the authority of this section shall be closed to the public.
"(i) Definitions -- As used in this section --

"(1) 'provider of electronic communication service' or 'private branch exchange operator' means any service which professes to users thereof the ability to send or receive wire, oral or electronic communications, as those terms are defined in subsections 2510(1) and 2510(12) of Title 18, United States Code;

"(2) 'communication' means any wire or electronic communication, as defined in subsection 2510(1) and 2510(12), of Title 18, United States Code;

"(3) 'impede' means to prevent, hinder or impair the government's ability to intercept a communication in the same form as transmitted;

"(4) 'intercept' shall have the same meaning set forth in section 2510(4) of Title 18, United States Code;

"(5) 'government' means the Government of the United States and any agency or instrumentality thereof, any state or political subdivision thereof, and the District of Columbia, and Commonwealth of Puerto Rico; and

"(6) 'telecommunications equipment or technology' means any equipment or technology, used or to be used by any providers of electronic communication services or private branch exchange operators, which is for the transmission or receipt of wire, oral or electronic communications."

SEC 3. Section 510, Title V, P.L. 97-259 is amended deleting the phrase "section 301 or 302a" and substituting the phrase "section 301, 302a, or ____.

DIGITAL TELEPHONY AMENDMENT (report language)

Significant changes are being made in the systems by which communications services are provided. Digital technologies, fiber optics, and other telecommunications transmission technologies are coming into widespread use. These changes in communications systems and technologies make it increasingly difficult for government agencies to implement lawful orders or authorizations to intercept communications in order to enforce the laws and protect the national security.
With the assistance of providers of electronic communication services, these technological advances need not impede the ability of government agencies to carry out their responsibilities. This bill would direct the Federal Communications Commission (FCC) to issue standards ensuring that communications systems and service providers continue to accommodate lawful government communications intercepts. The regulations are not intended to cover federal government communications systems. Procedures already exist by which the Federal Bureau of Investigation may obtain federal agency cooperation in implementing lawful orders or authorizations applicable to such systems. Further, there would be no obligation on the part of the service providers or any other party to ensure access to the plain text of encrypted or other encoded material, but rather only to the communication in whatever form it is transmitted. It is thus the intent and purpose of the bill only to maintain the government's current communications interception capability where properly ordered or authorized. No expansion of that authority is sought.

ANALYSIS

Subsection 2(a) and (b) would require the Federal Communications Commission (FCC) to issue any regulations deemed necessary to ensure that telecommunications equipment and technology used by providers of electronic communications services or private branch exchange operators will permit the government to intercept communications when such interception is lawfully authorized. The regulations would also require that equipment or technologies currently used by such providers or operators that impede this ability until brought into compliance with the regulations. Compliance with FCC regulations issued under this section would be required within 180 days of their issuance.
Subsection 2(c) provides that the Commission's authority to implement and enforce the provisions of this section are the same as those it has with respect to common carriers subject to its jurisdiction.

Subsection 2(d) would give the Attorney General the authority to request injunctive relief against non-complying service providers or private branch exchange operators.

Subsection 2(e) provides civil penalty authority for willful violations of the regulations of up to $10,000 per day for each violation.

Subsection 2(f) would permit the FCC to provide rate relief to service providers subject to its rate-setting jurisdiction for the costs associated with modifying equipment or technologies to carry out the purposes of the bill.

Subsections 2(g), (h), and (i) require the Attorney General to advise the Commission regarding the specific needs and performance criteria required to maintain government intercept capabilities, require the FCC to ensure that the standards and specifications it promulgates may be implemented on a royalty-free basis, and authorize the Attorney General to require that particular Commission rulemaking proceedings to implement the Act be closed to the public.

Subsection 2(j) provides definitions for key terms used in this section.

------------------------------

End of RISKS-FORUM Digest 13.41
************************