December 8, 1998

DOUBLE BLOW DEALT TO PRIVACY BY INTERNATIONAL NEGOTIATIONS

by Andy Oram
American Reporter Correspondent

CAMBRIDGE, MASS.—International privacy advocates have been reeling as two news reports, in quick succession, threaten legal protections for privacy. In November, the German news site Telepolis published international police plans for a surveillance regime called ENFOPOL. Before the implications of this audacious strategy could sink in, attendees of an arms-control conference in Vienna last week announced new controls on encryption.

The privacy community doesn’t even know what hit it. Government representatives are saying little, if anything, about either development. In fact, the only official statement on encryption is a consummately mushy statement about the arms-control treaty, the Wassenaar Agreement, citing “…the modernization of encryption controls to keep pace with developing technology and electronic commerce, while also being mindful of security interests. Participating States also discussed the potential need for the WA and national export control authorities to respond quickly and effectively to the emergence of new technologies.”

Let’s start with ENFOPOL. The European Union hopes with this initiative to provide police with access to any and all kinds of electronic transmissions. The Iridium satellite network, which provides telephone and information services worldwide, was explicitly singled out for surveillance.

In its general description, ENFOPOL sounds like the new requirements for digital telephony approved in the U.S. recently by the FCC. After years of wrangling in Congress, and years more wrangling among law enforcement, telephone companies, and civil libertarians, the industry seems to have a clear regulation concerning access by police to phone conversations.

But in several ways ENFOPOL goes further than the 1994 U.S. law, which is called the Communications Assistance for Law Enforcement Act. CALEA explicitly excluded information services like the Internet; these are explicitly included in the ENFOPOL plans.

Technological standards and costs are also an open question with ENFOPOL. CALEA imposes new requirements on telephone equipment manufacturers as well as carriers, and Congress went so far as to offer them 500 million dollars for technical upgrades. ENFOPOL’s impact on Internet service providers, while still unclear, would be greater and more disruptive.

European commentators have therefore compared ENFOPOL not to CALEA so much as to another wiretapping system, Echelon. Little known in the United States, Echelon is a comprehensive, secret surveillance system about which some rudimentary information has leaked to the press over the past year.

Echelon is a science fiction story come to life—a development so crazy that it wouldn’t be publicized unless it was real. It consists of many large computers scattered around the world, all picking up information from satellites and telephone lines. Each system checks traffic for keywords (such as potential targets for terrorism) and extracts suspicious messages. There is no oversight, no legal checks on spying.

Many countries are implicated in Echelon, notably the U.S., Great Britain, Australia, and New Zealand. Civil libertarians in Europe have raised debate around Echelon in the hope of getting their governments to denounce the system. Instead, the result has been the ENFOPOL proposal. Have the Europeans, forgetting the Tenth Commandment, succumbed to envy over the English-speaking countries’ undercover toy?

Whether a real threat or just a waste of taxpayer money, Echelon joins such underground U.S. activities as the Rat Line that saved hundreds of Nazis after World War II, the Bay of Pigs invasion, and the Iran-Contra affair. But we don’t know enough about Echelon to determine if it could actually work.

To be effective, each Echelon system must first extract and reassemble particular conversations from the endless streams of traffic that move at nearly the speed of light. Then the systems must determine what type of traffic it is—text, fax, voice—and decode it properly. How does a computer read the words off of a fax? How does it determine the meaning of a binary graphic file? And most important, how does it break an encrypted message?

That is where Echelon/ENFOPOL ties into the changes announced last week in the Wassenaar Agreement. If users have strong cryptography, the police’s carefully culled data becomes just a bunch of pretty patterns.

Delegates from the technologically advanced nations of the world met to update the Wassenaar Agreement and to see if they could stem the growing diffusion of dangerous materials, which range from small arms to weapons of mass destruction. The Global Internet Liberty Campaign, led by Electronic Frontiers Australia, had been lobbying their countries’ delegates to remove restrictions on encryption, which arguably should not be considered a “dual-use technology” at all.

But U.S. envoy David Aaron emerged from the meetings proudly announcing that the 33 member countries had agreed to new restrictions on encryption. The first news reports uncritically repeated his assertions, saying the U.S. had brought the rest of the world around to its view that no one should be able to export encryption stronger than 56 bits.

Using 56-bit encryption is rather like locking your bicycle with a thin chain. You indicate a desire for security, but can’t prevent a thief from doing what he wants.

A number of privacy experts in other countries immediately began to challenge Aaron’s claim. Silence from the other nations made it even harder to guess just what had happened. Any change would be a major departure from the liberal position on encryption announced by several nations (notably Germany) and would arguably contradict other international agreements.

The blanket U.S. announcement raised numerous questions. Were nations really committed to changing their laws, or did the Agreement just suggest a direction for them? Did the new restrictions cover “public-domain software,” like the internationally popular PGP encryption program? And was it required—or even possible—to pass laws prohibiting someone from downloading PGP across the Internet?

While Aaron may have oversimplified or magnified the extent of his victory, something is clearly afoot, and it is not good for the free flow of encryption. When government delegates are reluctant to talk about a policy that is the focus of a vocal, international movement, one can only assume the outcome is not to that movement’s liking. Law enforcement agents, sometimes contradicting national laws, are launching Europe on a course toward information control.


Editor, O’Reilly Media