- Email: [email protected]
Carnivores, Predators and Civil Liberties
E:COMMERCE: THE DARK SIDE
Carnivores, Predators and Civil Liberties Bill Boni Last month we discussed some of the well-founded concerns over the implementation of the Regulation of Investigative Powers (RIP) Bill in the UK. Recently it seems that our friends in the US Federal Bureau of Investigation (FBI) are determined not to be outdone by their cousins in the UK for they have implemented a curiously named investigative system, the ‘Carnivore’. If one puts aside for a moment the lack of public relations that went into choosing that name, the system does seem to have raised issues and increased awareness of the consequences of increased police surveillance of the Internet and electronic communications. Predictably the professional civil libertarians were first into the media noting the potential for abuse such systems create, and just as predictably the spokespersons for the FBI and the US Attorney General claimed the law-abiding public have nothing to fear from such systems. Just as predictably, the real truth of these systems is probably somewhere between the two extremes. In this column we have joined with other writers, security professionals and law enforcement officers asking that law enforcement do more to combat cyber crime. Our concern has been that absent proven capability to confront and best the cyber criminals, fraudsters and techno-terrorists, there is a very real chance that E-commerce growth will be severely stunted and full exploitation of the many benefits delayed. As losses increase and
“Hiding the criminal communications inside an innocent container would allow the moderately sophisticated perpetrator to escape detection of the means currently proposed for monitoring.” 18
public suspicions grow about the safety and security of using the global Internet to transact business, more must be done, and it must be done globally. In response, nearly every one of the G-8 nations has been creating law enforcement capability to accomplish the same goal; monitor and intercept electronic traffic on the Internet to cull out those who are actively involved in committing crimes such as drug smuggling, child pornography and electronic frauds. In the eyes of leading law enforcement agencies such monitoring is merely an extension of police powers that have proven to be effective in the physical world as exemplified by telephone taps and interceptions. If this is so, why has there been such hue and cry among so many segments of the advanced industrial societies, especially the socalled ‘digerati’, the leading proponents of electronic communications? In part, opposition to creation of new monitoring capabilities directed against the Internet, arises from a fear, based on historical precedent, that all forms of surveillance, even in advanced liberal democracies have been subject to periods of abuse. One need only recall the dark days of the ‘CoIntelPro’ (counterintelligence program) masterminded by the FBI in the late 1960s to imagine how abuse develops. This programme, the complete exposition of which is beyond the scope of commentary here represents a sorry chapter in recent American history. The many abuses alleged include the widespread abuse of the Federal security apparatus in the USA including military
monitoring of civilian protesters, ‘black bag jobs’ to bug leading dissidents, provocative but bogus letters sent to militant leaders, wiretaps and steaming open the postal mail of selected targets (such as Dr Martin Luther King) and other techniques. Although some attribute these abuses to a combination of historical anomalies (Nixon, Hoover and the Vietnam War) others see a reaffirmation of Lord Acton’s famous dictum that “Power corrupts and absolute power corrupts absolutely.” Not much imagination required seeing how such programs could be served by Internet surveillance technologies originally sold to the global public as safeguards against cyber criminals. The custodians of the monitoring systems need only replace or supplement the key words focused on drugs and child pornography with those designed to ferret out political dissidents and opponents. Suddenly a highly efficient means of society-wide surveillance is created. Another dimension of the opposition is based on the fear that such surveillance measures are so easily neutralized that only ‘honest’ (read that as ‘naïve’) citizens will
“Another qualitative difference appears to be the sheer volume or scope of potential monitoring.” have meaningful content. The serious criminals must be expected to leverage increasingly diverse means of concealing their wrongdoing. Consider for one moment that application of steganography (see: http://www.demcom.com/) offers a prime example of a technology that at present is difficult if not impossible to detect in operation. Hiding the criminal communications inside an innocent container would allow the moderately sophisticated perpetrator to escape detection of the means currently proposed for monitoring. There are many other protection techniques that could possibly circumvent the monitoring, perhaps something as simple as a ‘substitution’ of suspect words with
e-commerce: the dark side innocent surrogates and so forth. Thus we may end up with a tool that really works best only against very stupid criminals and a public lead to believe they have nothing to fear. Another qualitative difference appears to be the sheer volume or scope of potential monitoring. Even in its best (worst?) days it was estimated that the despised secret police agencies of the East European communist states could only monitor a small fraction of the daily telephone communications of the enslaved populations they controlled. However, with the rapid advances in computing processors, speech recognition and artificial intelligence engines optimized for security purposes, volume alone may not offer much protection against future monitoring. It may be possible for a large percentage, perhaps most, message traffic to be scanned by the law enforcement personnel of a country. One need not believe that the police agencies themselves are in any way corrupt to fear that the current ‘good intentions’ could be abused during some future political or military crisis by those with less ethics. It is interesting that so many law enforcement agencies globally have settled on similar techniques using monitoring as a means of ‘protecting’ their respective societies. The USA now appears to be joining Russia, China and other leading nations in the path towards electronic surveillance. It seems that the response of law enforcement agencies to the tide of cyber crimes is to take the ‘easy’ way out and try to convince citizenry that they need to be monitored by the
security apparatus of the nation in order to have effective protection. Alternatives that would require the development of more capability to
“volume alone may not offer much protection against future monitoring.” confront the criminals through collaborative techniques more in keeping with the traditions and openness of the Internet may not receive adequate consideration. Could a global ‘posse’ of licensed digital private investigators achieve as much with less potential for violation of civil liberties? Perhaps this or other creative options could do at least as much as our current system, but don’t expect government agents in any country to willingly share their responsibility for public safety with others just because they know technology and are willing to help. But maybe a digital variant of ‘vigilante justice’ (sans the lynchings!!) and market-based private sector investigators may be a more viable resource than faceless government agents operating in the shadows. We need to consider all our options as an evolving global society confronts cyber criminals and techno-terrorists. However, we must make sure that the solutions we accept really solve the problems we face, and do not themselves create future challenges that will jeopardize the liberties we currently enjoy. Electronic commerce has the potential to revolutionize the global economy, let’s make sure the price is not a global surveillance society that will be a variant of George Orwell’s 1984 !
How much has cybercrime cost you? Computers & Security Highlighting the threats and giving you the solutions
Computers & Security is the most respected technical journal in the IT security field. Now in its 19th year, with a new editorial board and new regular features and columns, the journal is essential reading for IT security professionals around the world.
Subscribe to Computers & Security and claim your 10% off the Information Security Technical Report Computers & Security (PCS05+B1) 8 issues per year ISSN: 0167-4048 2000 Subscription Rate - £360*/US$592/NLG1166/e529.11 Information Security Technical Report (PCS06+B1) 4 issues per year ISSN: 1363-4127 Special price to Computers & Security subscribers only £675*/US$1110.60/NLG2187/e992.42
For further information Phone: +44 (0) 1865 843687, Fax: +44 (0)1865 843971 or E-mail: [email protected] Elsevier Advanced Technology, PO Box 150, Kidlington, Oxford, OX5 1AS, UK
19
Carnivores, Predators and Civil Liberties Bill Boni Last month we discussed some of the well-founded concerns over the implementation of the Regulation of Investigative Powers (RIP) Bill in the UK. Recently it seems that our friends in the US Federal Bureau of Investigation (FBI) are determined not to be outdone by their cousins in the UK for they have implemented a curiously named investigative system, the ‘Carnivore’. If one puts aside for a moment the lack of public relations that went into choosing that name, the system does seem to have raised issues and increased awareness of the consequences of increased police surveillance of the Internet and electronic communications. Predictably the professional civil libertarians were first into the media noting the potential for abuse such systems create, and just as predictably the spokespersons for the FBI and the US Attorney General claimed the law-abiding public have nothing to fear from such systems. Just as predictably, the real truth of these systems is probably somewhere between the two extremes. In this column we have joined with other writers, security professionals and law enforcement officers asking that law enforcement do more to combat cyber crime. Our concern has been that absent proven capability to confront and best the cyber criminals, fraudsters and techno-terrorists, there is a very real chance that E-commerce growth will be severely stunted and full exploitation of the many benefits delayed. As losses increase and
“Hiding the criminal communications inside an innocent container would allow the moderately sophisticated perpetrator to escape detection of the means currently proposed for monitoring.” 18
public suspicions grow about the safety and security of using the global Internet to transact business, more must be done, and it must be done globally. In response, nearly every one of the G-8 nations has been creating law enforcement capability to accomplish the same goal; monitor and intercept electronic traffic on the Internet to cull out those who are actively involved in committing crimes such as drug smuggling, child pornography and electronic frauds. In the eyes of leading law enforcement agencies such monitoring is merely an extension of police powers that have proven to be effective in the physical world as exemplified by telephone taps and interceptions. If this is so, why has there been such hue and cry among so many segments of the advanced industrial societies, especially the socalled ‘digerati’, the leading proponents of electronic communications? In part, opposition to creation of new monitoring capabilities directed against the Internet, arises from a fear, based on historical precedent, that all forms of surveillance, even in advanced liberal democracies have been subject to periods of abuse. One need only recall the dark days of the ‘CoIntelPro’ (counterintelligence program) masterminded by the FBI in the late 1960s to imagine how abuse develops. This programme, the complete exposition of which is beyond the scope of commentary here represents a sorry chapter in recent American history. The many abuses alleged include the widespread abuse of the Federal security apparatus in the USA including military
monitoring of civilian protesters, ‘black bag jobs’ to bug leading dissidents, provocative but bogus letters sent to militant leaders, wiretaps and steaming open the postal mail of selected targets (such as Dr Martin Luther King) and other techniques. Although some attribute these abuses to a combination of historical anomalies (Nixon, Hoover and the Vietnam War) others see a reaffirmation of Lord Acton’s famous dictum that “Power corrupts and absolute power corrupts absolutely.” Not much imagination required seeing how such programs could be served by Internet surveillance technologies originally sold to the global public as safeguards against cyber criminals. The custodians of the monitoring systems need only replace or supplement the key words focused on drugs and child pornography with those designed to ferret out political dissidents and opponents. Suddenly a highly efficient means of society-wide surveillance is created. Another dimension of the opposition is based on the fear that such surveillance measures are so easily neutralized that only ‘honest’ (read that as ‘naïve’) citizens will
“Another qualitative difference appears to be the sheer volume or scope of potential monitoring.” have meaningful content. The serious criminals must be expected to leverage increasingly diverse means of concealing their wrongdoing. Consider for one moment that application of steganography (see: http://www.demcom.com/) offers a prime example of a technology that at present is difficult if not impossible to detect in operation. Hiding the criminal communications inside an innocent container would allow the moderately sophisticated perpetrator to escape detection of the means currently proposed for monitoring. There are many other protection techniques that could possibly circumvent the monitoring, perhaps something as simple as a ‘substitution’ of suspect words with
e-commerce: the dark side innocent surrogates and so forth. Thus we may end up with a tool that really works best only against very stupid criminals and a public lead to believe they have nothing to fear. Another qualitative difference appears to be the sheer volume or scope of potential monitoring. Even in its best (worst?) days it was estimated that the despised secret police agencies of the East European communist states could only monitor a small fraction of the daily telephone communications of the enslaved populations they controlled. However, with the rapid advances in computing processors, speech recognition and artificial intelligence engines optimized for security purposes, volume alone may not offer much protection against future monitoring. It may be possible for a large percentage, perhaps most, message traffic to be scanned by the law enforcement personnel of a country. One need not believe that the police agencies themselves are in any way corrupt to fear that the current ‘good intentions’ could be abused during some future political or military crisis by those with less ethics. It is interesting that so many law enforcement agencies globally have settled on similar techniques using monitoring as a means of ‘protecting’ their respective societies. The USA now appears to be joining Russia, China and other leading nations in the path towards electronic surveillance. It seems that the response of law enforcement agencies to the tide of cyber crimes is to take the ‘easy’ way out and try to convince citizenry that they need to be monitored by the
security apparatus of the nation in order to have effective protection. Alternatives that would require the development of more capability to
“volume alone may not offer much protection against future monitoring.” confront the criminals through collaborative techniques more in keeping with the traditions and openness of the Internet may not receive adequate consideration. Could a global ‘posse’ of licensed digital private investigators achieve as much with less potential for violation of civil liberties? Perhaps this or other creative options could do at least as much as our current system, but don’t expect government agents in any country to willingly share their responsibility for public safety with others just because they know technology and are willing to help. But maybe a digital variant of ‘vigilante justice’ (sans the lynchings!!) and market-based private sector investigators may be a more viable resource than faceless government agents operating in the shadows. We need to consider all our options as an evolving global society confronts cyber criminals and techno-terrorists. However, we must make sure that the solutions we accept really solve the problems we face, and do not themselves create future challenges that will jeopardize the liberties we currently enjoy. Electronic commerce has the potential to revolutionize the global economy, let’s make sure the price is not a global surveillance society that will be a variant of George Orwell’s 1984 !
How much has cybercrime cost you? Computers & Security Highlighting the threats and giving you the solutions
Computers & Security is the most respected technical journal in the IT security field. Now in its 19th year, with a new editorial board and new regular features and columns, the journal is essential reading for IT security professionals around the world.
Subscribe to Computers & Security and claim your 10% off the Information Security Technical Report Computers & Security (PCS05+B1) 8 issues per year ISSN: 0167-4048 2000 Subscription Rate - £360*/US$592/NLG1166/e529.11 Information Security Technical Report (PCS06+B1) 4 issues per year ISSN: 1363-4127 Special price to Computers & Security subscribers only £675*/US$1110.60/NLG2187/e992.42
For further information Phone: +44 (0) 1865 843687, Fax: +44 (0)1865 843971 or E-mail: [email protected] Elsevier Advanced Technology, PO Box 150, Kidlington, Oxford, OX5 1AS, UK
19