Bryan,
Here was my original offer:
"I realized afterwards that you may have also wanted to know whether
or not encryption could be used for illegal activity and how easily
that activity is to
detect."
And here's your answer:
Law enforcement is *very* afraid of the ability of criminals to use
encryption in order to avoid detection. Most of the information in
this essay will be very USA-centric, but the basic theory remains the
same the world over.
During the 1990s in the USA, the Clinton Administration advanced an
idea dubbed "The Clipper Chip." This technology would supposedly allow
the use of encryption in communications and transactions, with one
devious loophole: the US Government would hold a set of keys to
anything encrypted using this technology.
Professor Michael Froomkin at the University of Miami School of Law
wrote an article called "It Came From Planet Clipper: The Battle Over
Cryptographic Key 'Escrow'" [
http://www.law.miami.edu/~froomkin/articles/planet_clipper.htm ] in
1996. He explains that
"The Clipper chip makes it possible for the government to decrypt a
telephone call encrypted with a Clipper telephone by putting essential
information into "escrow." The use of the term escrow is a misnomer,
since the "escrow" is for the benefit of law enforcement, not the
parties to the communication, but the term has achieved wide currency,
and we seem to be stuck with it.{49}
Escrow in Clipper works as follows.{50} Every Clipper chip bears a
unique serial number and has a unique encryption key (the "chip-unique
key") that is burnt in by the manufacturer under secure
conditions.{51} The chip-unique keys are split into two pieces with
each half held by an "escrow agent." Currently the two escrow agents
are NIST, in the Department of Commerce, and the Treasury Department's
Automated Systems Division.{52}"
Froomkin wrote an earlier article entitled "THE METAPHOR IS THE KEY:
CRYPTOGRAPHY,
THE CLIPPER CHIP, AND THE CONSTITUTION," [
http://www.law.miami.edu/~froomkin/articles/clipper.htm ] where he
briefly explained the justification used for key escrow technology:
"Cryptography not only allows individuals to keep their communications
and records secret, it also allows them to keep their identities
secret. We are accustomed to more anonymity in our commercial life
than we realize, although this form of privacy is shrinking.
Purchasing a newspaper for a few coins from a vending machine or a
store leaves no audit trail: ordinary cash is anonymous.{58} Although
the use of credit cards continues to increase, there are some
transactions that people prefer to keep untraceable.{59} It seems safe
to suppose that some cash transactions, while legal, might not occur
if the only payment option were something that leaves A record.
Cryptologists have worked out protocols for untraceable, anonymous,
electronic cash ("E$") that also resist illicit duplication. These
permit customers to acquire E$ from A digital bank without disclosing
their identity to the bank. Using high-level cryptographic techniques,
the E$ is unforgeably certified as valid, but can be spent only
once.{60}
Unfortunately, although cryptography allows the creation of
privacy-enhancing E$ and helps ensure that an Orwellian surveillance
state remains in the realm of fiction, its advantages come at a price.
The same features that might make uncrackable encryption attractive to
groups seeking to change the social order by lawful but unpopular
means, and that protect those working towards unpopular causes from
retribution, also provide security to lawbreakers. Untraceable E$ may
help make untraceable "perfect crimes" possible.{61}
[Page 728]Undoubtedly, criminals and conspirators will find a use for
encryption,{62} but so too will many others. Not every diarist records
crimes in his daybook, but for many people there will be a certain
satisfaction in knowing that their most private thoughts are safe from
anyone's prying eyes, be they major governments or younger
siblings.{63}"
In his introduction to this article, Froomkin explains the major
forces at work which prompted him to write it:
"This Article is about the clash between two types of power: the
individual's power to keep a secret from the state and others, and the
state's power to penetrate that secret.{4} It focuses on new[Page
713]conflicts between the perennial desire of law enforcement and
intelligence agencies to have the capability to penetrate secrets at
will, and private citizens who are acquiring the ability to frustrate
these desires. This is an article about the Constitution and the
arcana of secret-keeping: cryptography.{5}"
Please be aware that both of these articles are almost a decade old.
The theoretical and historical information is largely correct (as far
as I can tell with my layman's knowledge), but some of his points have
already become obsolete.
The Electronic Frontier Foundation [ http://www.eff.org ] has
published an archive of The Clipper Chip and Key Escrow documentation
[ http://www.eff.org/Privacy/Key_escrow/ ]. There's a huge amount of
information available on this topic (see my Google Search links
below), but most of them have not been updated since late 1996. Once a
topic is no longer relevant, activists move on to other issues. In the
case of Key Escrow, I vaguely recall that the Clinton Administration
dropped the idea after opposition from a huge array of different
groups, including elected government officials who were strongly
opposed to giving the US Government the keys to their privacy.
In any case, it doesn't really matter precisely why The Clipper Chip
disappeared into oblivion. (But if you want some ideas about this and
a similar proposal in the UK in 1998, read [
http://news.bbc.co.uk/1/hi/special_report/for_christmas/_new_year/computer_crime/41734.stm
].) The main point in my presenting this information is to show the
enormous contradiction that exists between law enforcement fears
regarding its ability to operate, and private citizens' fears about
the government poking its nose where it doesn't belong. And, it
appears that Key Escrow hasn't completely disappeared. A page
currently available at the US Department of Justice shows that in
1998, the government still thought that this technology was viable: [
http://www.usdoj.gov/criminal/cybercrime/cryptfaq.htm ]. This same
page provides considerable justification for the government's fears:
"Law enforcement has already confronted encryption in high-profile
espionage, terrorist, and criminal cases. For example:
*An international terrorist was plotting to blow up 11 U.S.-owned
commercial airliners in the Far East. His laptop computer, which was
seized during his arrest in Manila, contained encrypted files
concerning this terrorist plot.
* A subject in a child pornography case used encryption in
transmitting obscene and pornographic images of children over the
Internet.
* A major international drug trafficking subject recently used a
telephone encryption device to frustrate court-approved electronic
surveillance."
How strong is government technology to crack powerful encryption? The
following quote from this page claims that government technology is
not that far ahead of consumer technology. Remember the
distributed.net project from the previous answer that I wrote for you?
"I heard about one group of Internet users that worked together to
crack a 56-bit encrypted message. If they did it, why can't the
federal government?
That example actually underscores the problems that accompany a "brute
force" approach. The successful group actually used over 14,000
computers and took over four months -- over ten million hours of
computer time -- to decrypt one single message. That is not practical
for law enforcement, especially if, for example, we are trying to
prevent a terrorist attack or find a kidnap victim. Significantly, the
time needed to decrypt a message rises exponentially as the length of
the encryption key increases. If the message had been encrypted with a
64-bit key, it would take 10,000 Pentium computers on average 58 years
to crack a single message."
Dorothy Denning, a professor at Georgetown Law School, has a
slightly-outdated web page from 1997 where she gives examples of
encryption used in computer crime [
http://www.cs.georgetown.edu/~denning/crypto/cases.html ]. Some
examples are:
"Encryption is being used as a tool for hiding information in a
variety of crimes, including fraud and other financial crimes, theft
of proprietary information, computer crime, drugs, child pornography,
terrorism, murder, and economic and military espionage. We have not
heard about many cases where criminals exploited weak encryption
systems to their advantage, for example, to steal proprietary
information. However, a British blackmailer intercepted encrypted
transactions transmitted by a bank in the U.K. After breaking the
code, he successfully extorted 350,000 from the bank and several
customers by threatening to reveal the information to the Inland
Revenue [Grabosky 97].
[...]
On March 20, 1995, the Aum Supreme Truth cult dropped bags of sarin
nerve gas in the Tokyo subway, killing 12 people and injuring 6,000
more [Kaplan & Marshall 96]. They had developed a variety of weapons
of mass destruction, both chemical (sarin, VX, mustard gas, cyanide)
and biological (botulism, anthrax, Q fever). They were attempting to
develop a nuclear capability and a "death ray" that could destroy all
life. Shoko Asahara and his followers used murder, kidnapings,
extortion, torture, poison, electric shocks, drugs, imprisonment, and
wiretaps to acquire assets, control defections, and attack their
enemies. Among the tens of thousands of members were some of Japan's
brightest scientists and doctors. The cult had stored their records on
computers, encrypted with RSA. Authorities were able to decrypt the
files after finding the key on a floppy disk. The encrypted files
contained evidence that was crucial to the investigation, including
plans and intentions to deploy weapons of mass destruction in Japan
and the United States.
[...]
Kevin Poulson was a skilled hacker who rigged radio giveaways,
"winning" Porsches, trips to Hawaii, and tens of thousands of dollars
in computer cash. He also burglarized telephone switching offices and
hacked his way into the telephone network in order to determine who
was being wiretapped and to install his own. In his book about
Poulson's crime spree, Jonathan Littman reported that Poulson had
encrypted files documenting everything from the wiretaps he had
discovered to the dossiers he had compiled about his enemies [Littman
97]. The files were said to have been encrypted several times using
the "Defense Encryption Standard" [sic]. According to Littman, a
Department of Energy supercomputer was used to find the key, a task
which took several months at an estimated cost of hundreds of
thousands of dollars. The result yielded nearly ten thousand pages of
evidence.
[...]
At hearings in June 1997, Senator Charles Grassley told of an 11-year
old boy who committed suicide after being sexually molested. Thus far,
the police have been unable to decrypt his personal organizer, which
investigators believe might contain information about the man whom his
mother believed molested him. The investigation had been on hold since
February 1996."
Despite their age, these reports (and the many others listed on
Denning's page) are sobering. Sometimes, law enforcement has been able
to crack the encryption. In other cases, the suspect has voluntarily
given the key, or it has been found that the key was written down
elsewhere. And, in some cases, the encryption has defied law
enforcement's ability to solve the case.
These cases should also make clear that decryption technology should
never be the only method used to solve a crime or a suspected crime.
If authorities place a keyboard sniffer on a suspect's computer, the
strength of the encryption used no longer matters. If human
intelligence has planted a spy in a terrorist group or crime ring,
they may be privy to discussions which were never intended to be
written down. I've provided a search link to computer forensics below,
which may give you some ideas about methods used to find hidden
information on computers.
In any case, I hope I've been successful at giving you an overview of
encryption, crime, and law enforcement. I would recommend you go
through the links I've provided above, and the search links below. At
the heart of this issue is a person's right to privacy vs. the state's
desire for security. Encryption can allow Chinese dissidents to
communicate without fear that the authorities will jail them for
criticizing the government. It can also allow terrorists to plan an
attack undetected. The balance between freedom, privacy, and security
is an issue which our society has only begun to discuss.
If you need further clarification, do not hesitate to ask.
/ephraim
Search Strategy:
[ ://www.google.com/search?as_q=&num=100&hl=en&ie=UTF-8&oe=UTF-8&btnG=Google+Search&as_epq=clipper+chip&as_oq=&as_eq=&lr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=&safe=images
]
Google Search: "clipper chip"
[ ://www.google.com/search?as_q=encryption&num=100&hl=en&ie=UTF-8&oe=UTF-8&btnG=Google+Search&as_epq=computer+crime&as_oq=&as_eq=&lr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=&safe=images
]
Google Search: encryption "computer crime"
[ ://www.google.com/search?as_q=%22methods+used%22&num=100&hl=en&ie=UTF-8&oe=UTF-8&btnG=Google+Search&as_epq=%22computer+forensics%22&as_oq=&as_eq=&lr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=&safe=images
]
Google Search: "computer forensics" "methods used" |
