- Email: [email protected]
United States remains adamantly opposed to data protection
CONFERENCE REPORTS European Conference on Security Evaluation and Common Criteria
techniques for the evaluation of security services was also identified as a high priority. On 8 November, a workshop looking at detailed implementation issues, with specific attention to security firewalls, completed the two-day event.
David Herson
The European Commission hosted a full day Conference on Security Evaluation and Common Criteria on 7 November 1996 in Brussels, Belgium. Over 80 participants attended this event to listen to a wide range of speakers representing both the Criteria writers as well as those that are trying to work with the Criteria as evaluators and vendors. Early in 1993, a decision was taken to try and merge the most successful elements of the ITSEC and the then recently published US Federal Criteria. A six-nation Common Criteria Editorial Board was established to carry out the work including representatives from Canada, France, Germany, the Netherlands, the UK and the USA. Their first public draft (Vl.0) was issued earlier this year and has been undergoing trials in the home countries of the authors as well as receiving general public comment. The Commission was closely associated with this work during the initial phases and specifically provided funding for the post of editor. The Conference was primarily arranged to enable an exchange between the authors and potential users of the Common Criteria and to determine whether further action by the Commission might be required. Initial feedback from the participants has shown that this event was very successful in meeting the first objective. There is also clearly widespread acceptance that the Common Criteria constitute the first important step forward in the development of a improved international approach to IT Security Evaluation for the end of the decade. For the time being, however, the ITSEC approach remains the only one officially recommended by the European Union. The European Commission was asked to look at the remaining problems associated with Mutual Recognition of Certificates from different national schemes and to examine ways in which the use of certified products could be encouraged in those sectors where take up is still rather low. Development of
6
Further details are available from David Herson at the European Commission, DG X/11/7, E-mail: [email protected]. The Conference papers will be available on http:/!www.cordis.lufinfosec.
United States Remains Adamantly Opposed to Data Protection Wayne Madsen
The Privacy Commission of Canada hosted the 18th International Conference on Privacy and Data Protection from 18-20 September 1996, in Ottawa, Canada. The position of the United States on data protection principles was shown to be at great variance with the accepted international norms adopted by the European Union, the Council of Europe, and the governments of Australia, New Zealand, and Canada. Addressing data protection and privacy commissioners from 22 nations, one international organization, six Canadian provinces, five German lander, and one Swiss canton, Sally Katzen, the administrator of the White Houses Office of Information and Regulatory Affairs of the Office of Management and Budget, claimed that she was the closest thing the United States had to a Chief Information Officer. As the official assigned responsibility to oversee the outdated Privacy Act of 1974, Katzen pointed to all the Clinton administration’s ‘successes’ in the areas of data protection and privacy. Several data protection commissioners privately expressed dismay at Katzen’s claims. One was overheard saying her comments were “a lot of crap”.
Computer Fraud & Security December 1996 0 1996 Elsevier Science Ltd
CONFERENCE REPORTS While some data protection commissioners were discussing their need to extend national data privacy legislation to cover the private sector, Katzen defended the United States policy of ensuring individual privacy by a myriad patchwork quilt of “constitutional guarantees, federal and state statutes, regulations, voluntary industry codes of conduct and... market demand, woven together and applied to the public and private sectors in different ways.” Katzen defended US policy by stating that “while there is no single piece of legislation that is comparable to the Privacy Act governing private sector collection and use of personal information, a number of Federal and state laws cover such items as credit records, educational records, drivers license records, banking electronic and telephonic and records, communications”. Even though the United States Attorney General, FBI director, and intelligence community have prompted the passage of laws designed to invade the privacy of the personal communications of American citizens, Katzen cited the Electronic Communications Privacy Act of 1986 as prohibiting “the interception of individual electronic communications by unauthorized governmental and private sector organizations.” However, the Communications Assistance to Law Enforcement Act (CALEA) of 1995 will give the FBI and other law enforcement agencies virtual turn-key access to the nation’s digital communications network. Moreover, the number of star chamber-ordered intercepts under the 1978 Foreign Intelligence Surveillance Act are at an all-time high. Katzen announced that the Commerce Department issued standards for privacy protection in the communications sector. Katzen did not talk about the other ‘privacy’ actions of the Commerce Department including allowing the National Security Agency to dictate encryption, key management infrastructure, and key escrow standards to digital signature, Commerce’s National Institute for Standards and Technology and permitting the US Patent and Trademark Office to issue patents on the human DNA genome of citizens of Papua New Guinea and the Solomon Islands.
Computer Fraud & Security 0 1996 Elsevier Science Ltd
December 1996
Katzen also pointed to the Federal Trade Commission’s Consumer Privacy Initiative. What she did not report on was the cozy relationship the Clinton administration has maintained with the nemesis of any privacy-minded consumer: the Direct Marketing Association. Let’s look at the record. I reported on Clinton and the DMA as early as April 1993: While many felt that President Clinton would take a sensitized proactive interest in furthering the goal of personal data protection, events seemed to indicate otherwise. In November 1992, Clinton transition team members met with representatives of the powerful Direct Marketing Association (DMA) to assure them that Clinton would propose no regulations that would impede their business. This included any new regulations on privacy and increases in bulk postal rates. In December, one of the legal counsels for the DMA received an appointment to the Clinton transition team’s core group that dealt with communications policy. (Computer Fraud & Security Bulletin, April 1993). Katzen did not mention the major Clinton privacy debacles: the wholesale transporting of over 1000 sensitive Federal Bureau of Investigation files on former Reagan and Bush administration employees from FBI headquarters to the White House for purposes of digging up dirt from raw investigative reports. Neither did she mention the White House Office Database (nicknamed ‘Big Brother’ by White House officials) that contained personal information on over 200 000 individuals in over 125 database fields. The database includes information on journalists, political contributors, and members of Congress. Such revelations have not been received well in Congress. Some members express concern that a government that cannot be trusted with sensitive files certainly could not be trusted to hold encryption keys in escrow. The cavalier attitude of the administration towards the privacy of political figures is reminiscent of the abuses carried out during the Nixon administration. Katzen summed up her comments to the commissioners in stating, “We acknowledge the leadership on privacy that has been demonstrated by data protection offices in many nations. We share your
7
CONFERENCE REPORTS goals. While we operate under different constraints, we believe we can all arrive at a harmonious arrangement.” The International Data Protection Commissioners have a reason to be wary of United States interest in arriving at “harmonious arrangements”. Such language has been used with regard to international ‘harmonized’ information technology security criteria and international key management ‘arrangements’. However, these arrangements have been dictated by the electronic surveillance czars at the US National Security Agency and their counterparts in other countries. The success of the United States intelligence and Federal law enforcement community in penetrating the Organization for Economic Cooperation and Development (OECD) should serve as an ominous warning to the International Data Protection Commissioners. The OECD, since the 1980s has placed a premium on protecting the privacy of trans-border flows of personal information. The organization is now faced with a well-organized and financed brigade of Americans from the NSA and the Department of Justice. The American representatives are aiming at not only forcing the OECD to adopt an unpopular international key escrow system but also to whittle away at previous OECD guidelines protecting privacy. When some OECD officials and representatives stood in the way of the American key escrow steamroller, they were simply shunted aside and placed in less threatening positions. The National Security Agency and its allies in the administration seem to have adopted the following policy towards its opponents: “If you don’t approve, you will be removed.” If the US gains influence, either through the front door or the back door, in the International Data Protection Commissioners’ Group, will a similar fate await them? The Clinton administration faces a possible insurmountable obstacle in 1998. That year represents the deadline for members of the European Union to bring their laws in line with the European Union Council Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data. The directive prohibits the transfer of personal information from EU members (and companies within each nation) to non-member
8
countries having laws that do not provide an adequate level of protection for such data. The United States is in the cross hairs of the EU on this issue. Most EU members consider the myriad of US data privacy laws to be inadequate and outdated. Some have threatened data blockades to the United States. The Clinton administration has responded to this threat by sending messages to Brussels and elsewhere that US trade officials might regard the EU Directive as a non-tariff trade barrier and protest the statute to the World Trade Organization. A relatively bizarre interlude at the commissioner’s conference came when they were treated to an multimedia description of ‘information warfare’ and written descriptions of high energy radio frequency (HERF) guns and electro-magnetic pulse transformer bombs. The presentation was made by a representative of the National Computer Security Association an (NCSA), organization based in Pennsylvania, USA. Confidence in American understanding of data protection principles was eroded by the presentation because some European commissioners were aware that recent reports of HERF gun, logic bomb, and other computer threats against banks in London and elsewhere, were partly originated by a schizophrenic escapee from a Munich mental institution. This was reported by the respected German news magazine [Der Spiegel in an article entitled “Schweigen ist Gold” (Silence is Golden)].
“allowing the Nat ion al Security Agency to dictate encryption, key management infrastructure, digital signature, and key escrow standards”
The day before the data protection commissioner’s conference, Industry Canada sponsored a conference on privacy-invasive and privacy-enhancing technologies. Many data protection commissioners and their staff were present. They heard about developments in genetic
December 1996 Computer Fraud & Security 0 1996 Elsevier Science Ltd
CONFERENCE REPORTS profiling, intelligent vehicle highway systems, video surveillance, biometrics, the international linking of police information systems, the monitoring of the Internet communications of human rights, religious, and environmental organizations by the National Security Agency and other intelligence agencies. On 16 September, many data protection and Canadian government officials attended the Privacy International’s Electronic Privacy Information Center’s Conference on Advanced Surveillance Technologies. One presentation highlighted the fact that the Mondex electronic purse system, designed to offer anonymity, actually provided an audit record of an individual’s purchases. However, the highlight of the seminar was the speech by Mike Frost, the author of the popular book (Spyworld), an expose of the espionage activities of the Communications Security Establishment (CSE), Canada’s NSA partner. Frost made some important points about the current state of government electronic surveillance of innocent citizens: Even in a democracy, let us not kid ourselves. This is not a ‘clean’ game. People cheat. And I guess what I came here to tell you today is, that with the proliferation of wireless communications, this cheating has become easier and easier. Speaking about the so-called minimization rules that the signals intelligence agencies claim bar them from spying on their own citizens, Frost was quite candid: Well, I can only tell you from experience that all it takes to break those rules is one man and one order from above. Those kinds of orders are rarely written down. And the results, although analyzed, fully documented, and often used by government departments who rarely know the source, are shredded.
words. For example, Oratory could be programmed to select all conversations containing the word ‘Whitewater’ or any word or words associated with Whitewater or, more selectively, all conversations made by a certain individual that contain the word Whitewater. This type of technology has been in use by both CSE and NSA for at least the last 15 years. When I left CSE, experiments were underway on ‘topic’ recognition, so even guarded conversations using no key words at all would still be selected. Such revelations cannot be reassuring to independent special counsel Kenneth Starr and his staff. Starr has been investigating President and Mrs Clinton and their associates for an array of allegations surrounding the Whitewater affair. If the same willingness to assist the Clintons with sensitive and classified information exists at the NSA as exists at the FBI, Starr and his staff could be in real trouble. The Canadian intelligence agencies, like their counterparts in the United States, claim they need expanded wiretap authority for their ‘wars’ on terrorism and drugs. However, most wiretaps are conducted not for these purposes, but for pure political surveillance. Citing the Canadian experience, Frost concluded that: It is wrong to mess around with democratic principles. And that is exactly what eavesdropping, through government intercepts, on democratically elected parties, separatist or not, is doing.
Frost talked about current NSA and CSE communications surveillance systems. He stated that the two signals intelligence agencies:
Frost’s claims of widespread wiretapping by signals intelligence agencies against political targets have been bolstered by the publication of another book entitled Silent Power by Nicky Hager. The New Zealand author chronicles the secret deeds of the National Security Agency’s New Zealand partner, the Government Communications Security Board (GCSB). Hager contends that US surveillance equipment installed at GCSB’s satellite intercept station at Waihopai, on New Zealand’s South Island, routinely intercepts Internet messages, among other forms of communications.
.. . use ‘voice recognition’ devices and compact computers, such as the one code named ‘Oratory’, that automatically select key words or groups of
Targets of such intercepts include all communications, including Internet messages of interest, from numerous small Pacific island nations that
Computer Fraud & Security 0 1996 Elsevier Science Ltd
December 1996
9
CONFERENCE REPORTS are reliant on the Intelsat 701 satellite parked in geostationary orbit at 174 degrees east over the Pacific Ocean. Internet traffic of Greenpeace, Amnesty International, the Bougainville Revolutionary Army, the Rotuma independence movement, Cook Islands anti-nuclear and banks, offshore testing/pro-independence groups of French Polynesia are of particular interest to GCSB which transmits its intercepts to NSA headquarters at Fort Mead& Maryland, USA. The Hager book demonstrates the long reach of the American eavesdropping net in quoting veteran peace researcher Owen Wilkes: Imagine how difficult it would be for a bored analyst in, say, Fort Meade in Maryland, to remember who [New Zealand unionist] Ken Douglas is, or who [Kanak activist] Susanna Ounei is and so on. In Maryland it would be hard to remember whether Apia is the capital of Tonga or Samoa, whether Vanuatu is on our side or theirs, etc. It would be far better to let the Kiwis sort out all that, and just send over the daily summaries. Apparently not content with merely monitoring computer message traffic, the NSA seems to also be engaged in active computer hacking. It has been reported that US intelligence agents, probably working for NSA’s K-25 group (the special collections group responsible for international data network surveillance), hacked their way into computers of the European parliament and commission in Luxembourg and Brussels. The European Union’s internal computer network links more than 5000 officials, including members of the European Parliament and EU Commissioners. The American hackers may have penetrated firewalls of US manufacture that protect the internal EU network from access via the Internet. “If the US firewalls are rigged, it would certainly be in keeping with other NSA programs to rig encryption devices and database management systems”, said one former intelligence operative. Ironically, the EU called in experts from NSA’s British partner, the Government Communications Headquarters (GCHQ), to help fix the
10
security holes in Brussels and Luxembourg. Given the close relationship between NSA and its English-speaking allied agencies,.one can only wonder if the GCHQ fixed the problem or ‘fix’ the problem. Such cooperation is routine. Mike Frost stated in Ottawa that NSA’s British counterpart, GCHQ based in Cheltenham, England actually requested CSE to eavesdrop on two of former Prime Minister Margaret Thatcher’s ministers simply because she didn’t trust them. Responding to a question in the House of Commons, Prime Minister John Major said that the allegation was “claptrap”, but he neither denied the allegation nor answered the question. Frost said he “knew for a fact who and how we did that intercept”. Clearly, the electronic mail, file transfers, faxes, electronic funds transfers, videoconferences, telexes, and telephone calls of political, social, religious, business, and activist groups everywhere are being monitored by intelligence agencies. Contrary to what is being claimed by intelligence and law enforcement officials, most targets of intercepts are not drug dealers, terrorists, and paedophiles but are political and social groups. When such groups use sophisticated encryption programs or anonymous remailing services to protect themselves, the Fort Meade analysts are stymied. The NSA and the Clinton administration are not the least interested in the benefits of encryption and other privacy-enhancing technologies to human rights and political groups. Nevertheless, the United States continues to push for international key escrow regimes and banning of anonymity on the Internet. They have achieved some success. In August 1996, a popular anonymous remailer (anon.penet.fi) was shut down by its Finnish operator. The United States, acting on behalf of the Church of Scientology and Singapore, acting on behalf of a former prime minister, managed to make things too difficult for the Helsinki-based operator. So much for America’s commitment to privacy and free speech on the information super highway.
Computer Fraud & Security
December 1996 0 1996 Elsevier Science Ltd
techniques for the evaluation of security services was also identified as a high priority. On 8 November, a workshop looking at detailed implementation issues, with specific attention to security firewalls, completed the two-day event.
David Herson
The European Commission hosted a full day Conference on Security Evaluation and Common Criteria on 7 November 1996 in Brussels, Belgium. Over 80 participants attended this event to listen to a wide range of speakers representing both the Criteria writers as well as those that are trying to work with the Criteria as evaluators and vendors. Early in 1993, a decision was taken to try and merge the most successful elements of the ITSEC and the then recently published US Federal Criteria. A six-nation Common Criteria Editorial Board was established to carry out the work including representatives from Canada, France, Germany, the Netherlands, the UK and the USA. Their first public draft (Vl.0) was issued earlier this year and has been undergoing trials in the home countries of the authors as well as receiving general public comment. The Commission was closely associated with this work during the initial phases and specifically provided funding for the post of editor. The Conference was primarily arranged to enable an exchange between the authors and potential users of the Common Criteria and to determine whether further action by the Commission might be required. Initial feedback from the participants has shown that this event was very successful in meeting the first objective. There is also clearly widespread acceptance that the Common Criteria constitute the first important step forward in the development of a improved international approach to IT Security Evaluation for the end of the decade. For the time being, however, the ITSEC approach remains the only one officially recommended by the European Union. The European Commission was asked to look at the remaining problems associated with Mutual Recognition of Certificates from different national schemes and to examine ways in which the use of certified products could be encouraged in those sectors where take up is still rather low. Development of
6
Further details are available from David Herson at the European Commission, DG X/11/7, E-mail: [email protected]. The Conference papers will be available on http:/!www.cordis.lufinfosec.
United States Remains Adamantly Opposed to Data Protection Wayne Madsen
The Privacy Commission of Canada hosted the 18th International Conference on Privacy and Data Protection from 18-20 September 1996, in Ottawa, Canada. The position of the United States on data protection principles was shown to be at great variance with the accepted international norms adopted by the European Union, the Council of Europe, and the governments of Australia, New Zealand, and Canada. Addressing data protection and privacy commissioners from 22 nations, one international organization, six Canadian provinces, five German lander, and one Swiss canton, Sally Katzen, the administrator of the White Houses Office of Information and Regulatory Affairs of the Office of Management and Budget, claimed that she was the closest thing the United States had to a Chief Information Officer. As the official assigned responsibility to oversee the outdated Privacy Act of 1974, Katzen pointed to all the Clinton administration’s ‘successes’ in the areas of data protection and privacy. Several data protection commissioners privately expressed dismay at Katzen’s claims. One was overheard saying her comments were “a lot of crap”.
Computer Fraud & Security December 1996 0 1996 Elsevier Science Ltd
CONFERENCE REPORTS While some data protection commissioners were discussing their need to extend national data privacy legislation to cover the private sector, Katzen defended the United States policy of ensuring individual privacy by a myriad patchwork quilt of “constitutional guarantees, federal and state statutes, regulations, voluntary industry codes of conduct and... market demand, woven together and applied to the public and private sectors in different ways.” Katzen defended US policy by stating that “while there is no single piece of legislation that is comparable to the Privacy Act governing private sector collection and use of personal information, a number of Federal and state laws cover such items as credit records, educational records, drivers license records, banking electronic and telephonic and records, communications”. Even though the United States Attorney General, FBI director, and intelligence community have prompted the passage of laws designed to invade the privacy of the personal communications of American citizens, Katzen cited the Electronic Communications Privacy Act of 1986 as prohibiting “the interception of individual electronic communications by unauthorized governmental and private sector organizations.” However, the Communications Assistance to Law Enforcement Act (CALEA) of 1995 will give the FBI and other law enforcement agencies virtual turn-key access to the nation’s digital communications network. Moreover, the number of star chamber-ordered intercepts under the 1978 Foreign Intelligence Surveillance Act are at an all-time high. Katzen announced that the Commerce Department issued standards for privacy protection in the communications sector. Katzen did not talk about the other ‘privacy’ actions of the Commerce Department including allowing the National Security Agency to dictate encryption, key management infrastructure, and key escrow standards to digital signature, Commerce’s National Institute for Standards and Technology and permitting the US Patent and Trademark Office to issue patents on the human DNA genome of citizens of Papua New Guinea and the Solomon Islands.
Computer Fraud & Security 0 1996 Elsevier Science Ltd
December 1996
Katzen also pointed to the Federal Trade Commission’s Consumer Privacy Initiative. What she did not report on was the cozy relationship the Clinton administration has maintained with the nemesis of any privacy-minded consumer: the Direct Marketing Association. Let’s look at the record. I reported on Clinton and the DMA as early as April 1993: While many felt that President Clinton would take a sensitized proactive interest in furthering the goal of personal data protection, events seemed to indicate otherwise. In November 1992, Clinton transition team members met with representatives of the powerful Direct Marketing Association (DMA) to assure them that Clinton would propose no regulations that would impede their business. This included any new regulations on privacy and increases in bulk postal rates. In December, one of the legal counsels for the DMA received an appointment to the Clinton transition team’s core group that dealt with communications policy. (Computer Fraud & Security Bulletin, April 1993). Katzen did not mention the major Clinton privacy debacles: the wholesale transporting of over 1000 sensitive Federal Bureau of Investigation files on former Reagan and Bush administration employees from FBI headquarters to the White House for purposes of digging up dirt from raw investigative reports. Neither did she mention the White House Office Database (nicknamed ‘Big Brother’ by White House officials) that contained personal information on over 200 000 individuals in over 125 database fields. The database includes information on journalists, political contributors, and members of Congress. Such revelations have not been received well in Congress. Some members express concern that a government that cannot be trusted with sensitive files certainly could not be trusted to hold encryption keys in escrow. The cavalier attitude of the administration towards the privacy of political figures is reminiscent of the abuses carried out during the Nixon administration. Katzen summed up her comments to the commissioners in stating, “We acknowledge the leadership on privacy that has been demonstrated by data protection offices in many nations. We share your
7
CONFERENCE REPORTS goals. While we operate under different constraints, we believe we can all arrive at a harmonious arrangement.” The International Data Protection Commissioners have a reason to be wary of United States interest in arriving at “harmonious arrangements”. Such language has been used with regard to international ‘harmonized’ information technology security criteria and international key management ‘arrangements’. However, these arrangements have been dictated by the electronic surveillance czars at the US National Security Agency and their counterparts in other countries. The success of the United States intelligence and Federal law enforcement community in penetrating the Organization for Economic Cooperation and Development (OECD) should serve as an ominous warning to the International Data Protection Commissioners. The OECD, since the 1980s has placed a premium on protecting the privacy of trans-border flows of personal information. The organization is now faced with a well-organized and financed brigade of Americans from the NSA and the Department of Justice. The American representatives are aiming at not only forcing the OECD to adopt an unpopular international key escrow system but also to whittle away at previous OECD guidelines protecting privacy. When some OECD officials and representatives stood in the way of the American key escrow steamroller, they were simply shunted aside and placed in less threatening positions. The National Security Agency and its allies in the administration seem to have adopted the following policy towards its opponents: “If you don’t approve, you will be removed.” If the US gains influence, either through the front door or the back door, in the International Data Protection Commissioners’ Group, will a similar fate await them? The Clinton administration faces a possible insurmountable obstacle in 1998. That year represents the deadline for members of the European Union to bring their laws in line with the European Union Council Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data. The directive prohibits the transfer of personal information from EU members (and companies within each nation) to non-member
8
countries having laws that do not provide an adequate level of protection for such data. The United States is in the cross hairs of the EU on this issue. Most EU members consider the myriad of US data privacy laws to be inadequate and outdated. Some have threatened data blockades to the United States. The Clinton administration has responded to this threat by sending messages to Brussels and elsewhere that US trade officials might regard the EU Directive as a non-tariff trade barrier and protest the statute to the World Trade Organization. A relatively bizarre interlude at the commissioner’s conference came when they were treated to an multimedia description of ‘information warfare’ and written descriptions of high energy radio frequency (HERF) guns and electro-magnetic pulse transformer bombs. The presentation was made by a representative of the National Computer Security Association an (NCSA), organization based in Pennsylvania, USA. Confidence in American understanding of data protection principles was eroded by the presentation because some European commissioners were aware that recent reports of HERF gun, logic bomb, and other computer threats against banks in London and elsewhere, were partly originated by a schizophrenic escapee from a Munich mental institution. This was reported by the respected German news magazine [Der Spiegel in an article entitled “Schweigen ist Gold” (Silence is Golden)].
“allowing the Nat ion al Security Agency to dictate encryption, key management infrastructure, digital signature, and key escrow standards”
The day before the data protection commissioner’s conference, Industry Canada sponsored a conference on privacy-invasive and privacy-enhancing technologies. Many data protection commissioners and their staff were present. They heard about developments in genetic
December 1996 Computer Fraud & Security 0 1996 Elsevier Science Ltd
CONFERENCE REPORTS profiling, intelligent vehicle highway systems, video surveillance, biometrics, the international linking of police information systems, the monitoring of the Internet communications of human rights, religious, and environmental organizations by the National Security Agency and other intelligence agencies. On 16 September, many data protection and Canadian government officials attended the Privacy International’s Electronic Privacy Information Center’s Conference on Advanced Surveillance Technologies. One presentation highlighted the fact that the Mondex electronic purse system, designed to offer anonymity, actually provided an audit record of an individual’s purchases. However, the highlight of the seminar was the speech by Mike Frost, the author of the popular book (Spyworld), an expose of the espionage activities of the Communications Security Establishment (CSE), Canada’s NSA partner. Frost made some important points about the current state of government electronic surveillance of innocent citizens: Even in a democracy, let us not kid ourselves. This is not a ‘clean’ game. People cheat. And I guess what I came here to tell you today is, that with the proliferation of wireless communications, this cheating has become easier and easier. Speaking about the so-called minimization rules that the signals intelligence agencies claim bar them from spying on their own citizens, Frost was quite candid: Well, I can only tell you from experience that all it takes to break those rules is one man and one order from above. Those kinds of orders are rarely written down. And the results, although analyzed, fully documented, and often used by government departments who rarely know the source, are shredded.
words. For example, Oratory could be programmed to select all conversations containing the word ‘Whitewater’ or any word or words associated with Whitewater or, more selectively, all conversations made by a certain individual that contain the word Whitewater. This type of technology has been in use by both CSE and NSA for at least the last 15 years. When I left CSE, experiments were underway on ‘topic’ recognition, so even guarded conversations using no key words at all would still be selected. Such revelations cannot be reassuring to independent special counsel Kenneth Starr and his staff. Starr has been investigating President and Mrs Clinton and their associates for an array of allegations surrounding the Whitewater affair. If the same willingness to assist the Clintons with sensitive and classified information exists at the NSA as exists at the FBI, Starr and his staff could be in real trouble. The Canadian intelligence agencies, like their counterparts in the United States, claim they need expanded wiretap authority for their ‘wars’ on terrorism and drugs. However, most wiretaps are conducted not for these purposes, but for pure political surveillance. Citing the Canadian experience, Frost concluded that: It is wrong to mess around with democratic principles. And that is exactly what eavesdropping, through government intercepts, on democratically elected parties, separatist or not, is doing.
Frost talked about current NSA and CSE communications surveillance systems. He stated that the two signals intelligence agencies:
Frost’s claims of widespread wiretapping by signals intelligence agencies against political targets have been bolstered by the publication of another book entitled Silent Power by Nicky Hager. The New Zealand author chronicles the secret deeds of the National Security Agency’s New Zealand partner, the Government Communications Security Board (GCSB). Hager contends that US surveillance equipment installed at GCSB’s satellite intercept station at Waihopai, on New Zealand’s South Island, routinely intercepts Internet messages, among other forms of communications.
.. . use ‘voice recognition’ devices and compact computers, such as the one code named ‘Oratory’, that automatically select key words or groups of
Targets of such intercepts include all communications, including Internet messages of interest, from numerous small Pacific island nations that
Computer Fraud & Security 0 1996 Elsevier Science Ltd
December 1996
9
CONFERENCE REPORTS are reliant on the Intelsat 701 satellite parked in geostationary orbit at 174 degrees east over the Pacific Ocean. Internet traffic of Greenpeace, Amnesty International, the Bougainville Revolutionary Army, the Rotuma independence movement, Cook Islands anti-nuclear and banks, offshore testing/pro-independence groups of French Polynesia are of particular interest to GCSB which transmits its intercepts to NSA headquarters at Fort Mead& Maryland, USA. The Hager book demonstrates the long reach of the American eavesdropping net in quoting veteran peace researcher Owen Wilkes: Imagine how difficult it would be for a bored analyst in, say, Fort Meade in Maryland, to remember who [New Zealand unionist] Ken Douglas is, or who [Kanak activist] Susanna Ounei is and so on. In Maryland it would be hard to remember whether Apia is the capital of Tonga or Samoa, whether Vanuatu is on our side or theirs, etc. It would be far better to let the Kiwis sort out all that, and just send over the daily summaries. Apparently not content with merely monitoring computer message traffic, the NSA seems to also be engaged in active computer hacking. It has been reported that US intelligence agents, probably working for NSA’s K-25 group (the special collections group responsible for international data network surveillance), hacked their way into computers of the European parliament and commission in Luxembourg and Brussels. The European Union’s internal computer network links more than 5000 officials, including members of the European Parliament and EU Commissioners. The American hackers may have penetrated firewalls of US manufacture that protect the internal EU network from access via the Internet. “If the US firewalls are rigged, it would certainly be in keeping with other NSA programs to rig encryption devices and database management systems”, said one former intelligence operative. Ironically, the EU called in experts from NSA’s British partner, the Government Communications Headquarters (GCHQ), to help fix the
10
security holes in Brussels and Luxembourg. Given the close relationship between NSA and its English-speaking allied agencies,.one can only wonder if the GCHQ fixed the problem or ‘fix’ the problem. Such cooperation is routine. Mike Frost stated in Ottawa that NSA’s British counterpart, GCHQ based in Cheltenham, England actually requested CSE to eavesdrop on two of former Prime Minister Margaret Thatcher’s ministers simply because she didn’t trust them. Responding to a question in the House of Commons, Prime Minister John Major said that the allegation was “claptrap”, but he neither denied the allegation nor answered the question. Frost said he “knew for a fact who and how we did that intercept”. Clearly, the electronic mail, file transfers, faxes, electronic funds transfers, videoconferences, telexes, and telephone calls of political, social, religious, business, and activist groups everywhere are being monitored by intelligence agencies. Contrary to what is being claimed by intelligence and law enforcement officials, most targets of intercepts are not drug dealers, terrorists, and paedophiles but are political and social groups. When such groups use sophisticated encryption programs or anonymous remailing services to protect themselves, the Fort Meade analysts are stymied. The NSA and the Clinton administration are not the least interested in the benefits of encryption and other privacy-enhancing technologies to human rights and political groups. Nevertheless, the United States continues to push for international key escrow regimes and banning of anonymity on the Internet. They have achieved some success. In August 1996, a popular anonymous remailer (anon.penet.fi) was shut down by its Finnish operator. The United States, acting on behalf of the Church of Scientology and Singapore, acting on behalf of a former prime minister, managed to make things too difficult for the Helsinki-based operator. So much for America’s commitment to privacy and free speech on the information super highway.
Computer Fraud & Security
December 1996 0 1996 Elsevier Science Ltd