ON BUGGING THE DIGITAL NETWORK

Lance J. Hoffman
Department of Electrical Engineering and Computer Science
The George Washington University
Washington, D. C.

In 1991, the FBI pushed legislation (S. 266) "to restrict sales of encryption technology, to require major changes in virtually all computer hardware, software, and communications equipment, and to create trapdoors in encryption programs so that agents could listen in on encrypted conversations". But a last-minute campaign led by the Electronic Frontier Foundation and Computer Professionals for Social Responsibility convinced the Senate to remove the provision from its crime bill.

In 1992, the FBI abandoned (for the moment) its wish to "hold the cryptographic keys" but pushed on even stronger with its desire to force communications network providers to build access points into their hardware and software through which the FBI and, in fact, any law enforcement official with a warrant, could eavesdrop on a conversation (or data). The FBI proposal would "broaden the authority of the Federal Communications Commission to license telecommunications equipment and would cover ... all types of computer communications. ... It would require telecommunications and computer equipment manufacturers here and abroad to follow government guidelines in developing their products and to finance changes in their current systems to comply with the law, if enacted."[1] In other words, the FBI proposal would bring the regulated world of the Federal Communications Commission to computerdom!

Listening in on conversations under certain circumstances is a legitimate tool of law enforcement. Donn B. Parker, consulting editor for Information Systems Security, has called it the "most important tool of criminal justice".[2] Director William Sessions of the FBI contends that "the proposed legislation does not expand the authority of the FBI or any other criminal justice agency. It simply preserves what Congress authorized in 1968".[3] But Janlori Goldman of the American Civil Liberties Union disagrees; she decries a "legislative fix that freezes technology" and likens the FBI to modern-day Luddites who would "dumb down existing software" and reduce the competitiveness of U.S. equipment manufacturers.[4]

As Geoffrey Turner has observed, "(the) arrival of cryptography and such new information technologies as data base matching present challenges to traditional legal theories. For example, the development of case law defining a citizen's right to avoid self-incrimination and of legal procedures for searches could not have anticipated a world in which cryptographic security systems were widely available. Therefore, to resolve the smaller issue of the right of business to use cryptography to protect proprietary information, governments must also begin to resolve the more fundamental issues of citizens' rights to privacy in a technological world."[5]

Mike Godwin of the Electronic Frontier Foundation (EFF) has pointed out that the phone system was not originated as a system of surveillance, but as a communications network. "If I have a computer that's designed for my desk, I want it to work for me as a tool. I don't want something to be added on to make it easier for the government to monitor me or regulate me."[6] The FBI wants to change the design of the way the phone system is built in the future.

The FBI, and law enforcement in general, may have to develop new techniques now that "It looks as though an individual might be able to protect information in such a way that the concerted efforts of society are not going to be able to get at it."[7] As Arv Larson, speaking for the United States Activities Board of the Institute of Electrical and Electronics Engineers (IEEE), has pointed out in a letter to Congress, "Every communications development in history -- from smoke signals to semaphore flags to telephones connected by copper-wire to radio -- has required interceptors to update their own techniques. Digital telephony is no exception."[8]

A committee was formed in Spring 1992 by senior technical and legal staff of the leading telecommunications companies to work with the FBI in an attempt to develop what the FBI wants without having it crammed down the providers' throats by legislation. The working committee met several times over the spring of 1992 and the FBI's principal contractor on this effort, Booz-Allen and Hamilton, produced a document setting forth law enforcement requirements that called for an "intercept access point" in future network systems.[9] But even if this is provided, it will be impossible to build in effective universal tapping capabilities without dealing with the problem of user-provided end-to-end encryption. A free market is likely to provide this very soon.

Interestingly, some of the planning of strategy and tactics to oppose the current FBI thrust is taking place -- unencrypted -- on the Internet. One might assume that the discussions there are not bugged. In the network of the future, of course, one might be able to plug in his or her own end-user encryption device and be assured that any intercepted data would be powerfully enciphered. That is, if it is not illegal.

NOTES

1. Letter dated April 10, 1992 to Senator Ernest Hollings, Chairman of the Senate Committee on Commerce, Science and Transportation, from representatives of these organizations: American Association of Law Libraries, American Civil Liberties Union/Privacy and Technology Project, Association of Research Libraries, AT&T, Cellular Telecommunications Industry Association, Computer and Business Equipment Manufacturers Association, Computer and Communications Industry Association, Computer Professionals for Social Responsibility, Digital Equipment Corporation, Electronic Frontier Foundation, Electronic Mail Association, GTE, IBM, Information Industry Association, Information Technology Association of America, Lotus Development Corporation, McCaw Cellular Communications, Inc., Microsoft Corporation, NYNEX, Pacific Telesis Group, Software Publishers Association, Southwestern Bell Corporation, Telecommunications Industry Association, United States Telephone Association, U S West.

2. Parker, Donn B. in "Ethics, Morality, and Criminality" in Lance J. Hoffman (ed.) Proceedings of the Second Conference on Computers, Freedom, and Privacy, ACM Press, New York (to appear approximately December 1992).

3. Sessions, William S., "Keeping an Ear on Crime", The New York Times, March 27, 1992.

4. Goldman, Janlori, "Why Cater to Luddites?", The New York Times, March 27, 1992.

5. Turner, Geoffrey W., "Commercial Cryptography at the Crossroads", Information Systems Security, Vol. 1, No. 2 (Summer 1992).

6. Godwin, Mike in "Ethics, Morality, and Criminality" in Lance J. Hoffman (ed.) Proceedings of the Second Conference on Computers, Freedom, and Privacy, ACM Press, New York (to appear approximately December 1992).

7. Diffie, Whitfield in "Who Holds the Keys?" in Lance J. Hoffman (ed.) Proceedings of the Second Conference on Computers, Freedom, and Privacy, ACM Press, New York (to appear approximately December 1992).

8. Letter to Chairman Jack Brooks of the House Judiciary Committee, May 13, 1992.

9. Booz-Allen and Hamilton, "Law Enforcement Requirements for the Surveillance of Electronic Communications", June 19, 1992.