Spooks on the net

It was a bright cold day in April and the clocks were striking thirteen. -- George Orwell, Nineteen Eighty-Four

If you're doing something even remotely mysterious, somewhere in the bowels of Washington there is a government acronym that wants to know about it. -- Bruce Schneier

Within Europe all email, telephone and fax communications are routinely intercepted by the United States National Security Agency ... via the crucial hub at Menwith Hill. -- European Parliament report

A major battle is taking place in cyberspace for control of the net. In one corner are the massed ranks of the intelligence services representing the state, in the other corner civil liberty groups representing the public. It is just one aspect of the erosion of civil liberties and the encroachment into personal space by big government and big business.

Electronic monitoring and eavesdropping pre-date the net. In the US the NSA, and in the UK its smaller cousin GCHQ, trawl the ether and tap into telephone lines. Major listening centres are located around the world; within the UK, at Morwenstow in Cornwall and Menwith Hill in the Yorkshire Dales. At independence, the UK retained parts of Cyprus as UK Sovereign Territory, so important was the strategic position of Cyprus for eavesdropping.

The European Parliament has recently woken up to the existence of Menwith Hill and its function. Shock horror! The Brits and the Americans are engaged in spying. What did they think the golf balls were - Civic Art?

The golf balls have been granted a new lease of life as we move into the new Millennium. They will be used for missile tracking, part of a new Star Wars project.

The game has changed from the old days of bugging, tapping, steaming open mail and illegal break-ins. Various electronic aids (highly focused mikes, laser beams, mobile phones) enable remote monitoring and, more importantly, their use does not require a warrant even in those countries that demand at least a minimal level of prior authorisation and accountability. In this new era, the Internet facilitates an unprecedented level of monitoring, especially as an increasing level of communication is via e-mail. An agreement exists between the EU, Norway, the US, Australia and Canada whereby security services have real-time access into ISPs to monitor e-mail traffic. And yet, simultaneous with this unexpected bonanza for the intelligence services, the public now has access to powerful computers and, more importantly, powerful encryption software, previously the preserve of the intelligence agencies, that enables the public to cloak itself in secrecy.

The NSA (together with its UK counterpart GCHQ) monitors electronic traffic worldwide. The groups it targets range from peace groups to Catholic Bishops. The NSA is the lead agency in an Anglo-alliance that consists of the US, UK, Canada, Australia and New Zealand. Echelon, NSA Project P415, monitors European traffic - the golf balls on the Yorkshire hills are more than space-age art. By the early 1990s, Echelon was automatically monitoring electronic messages at the rate of 2 million/hour. The EU, not part of the Anglo-alliance, intends, through its K4 group, to establish a worldwide telephone tapping network.

Known as Enfopol 98, the EU plans to establish a Europe wide monitoring network to tap into telephones, mobile phones, fax, e-mail, net access, interactive television. Providers of electronic services will be expected to establish ports for real time access. Mobile phones will be tracked to locate their user. National scrutiny is to be avoided by keeping much of the agreement secret. The use of hard encryption, such as PGP, will be made illegal. The plans came to light when they were leaked to Telepolis.

The problem of snooping and citizen control is not restricted to the net, the intelligence services or the West. Virtually every town of any size in the UK has CCTV monitoring the public. Little is known as to who is watching or to what purpose. In London trials are being conducted of pattern recognition, faces will be matched to a data base. A 'ring of steel' encircles the City of London, with carefully controlled access points. The CCTV system is linked into a data base of car registrations and logs all the cars entering and leaving. In Russia, the FSB (the successor to the KGB) are demanding that all companies and ISPs install a black box to enable real-time monitoring of their Internet traffic. The black box known as Sorm (system of ensuring investigative action) will have a high-speed link to FSB headquarters. Sorm contravenes the Russian constitution and existing legislation. Most Russians will circumvent Sorm with hard encryption. Use of hard encryption contravenes a Yeltsin directive, but Russians treat the directive with the same contempt as they do all other Yeltsin directives.

In the UK even customs have jumped onto the bandwagon. Laptops, disks brought into the UK are liable to be scanned. An image scan will be taken, picking up hidden and deleted files. Refusal is not an option. Encrypted files are treated in the same way as a locked suitcase, with a requirement to hand over the keys. Refusal can lead to arrest, serving of a court order, and a charge of contempt of court. It is not necessary for customs to establish 'grounds for reasonable search'.

Governments around the world fear the net for two reasons - (i) the public has unfettered access to information, (ii) if hard encryption is in use governments cannot see what is going on. Both engender government paranoia and threaten powerful elites. Put simply, governments do not, cannot control the net. Governments have awoken to this one simple fact rather late in the day and my God does it hurt.

All sorts of scare stories and disinformation are fed to the media about the net. The media has been only too happy to repeat and add gloss to this disinformation as they too are losing control. The net is full of paedophiles, who can't wait to get stuck into your little kiddies; pornographers hang out in deep and dank corners; terrorists, drug traffickers, bombmakers and all other sorts of social miscreants are making full use of the net, poised to destroy life as we now know it.

Each of these stories has a small grain of truth, making them all the more believable to the computer illiterate. What is interesting is that they vary from country to country, each placing their own little spin to play on that country's phobias. In the US terrorists and bomb plotters, in the UK pornographers, especially child pornographers, in Malaysia (and don't laugh too loud) impure and incorrect thoughts. The real truth is that governments fear the net and will plant any scare story to justify their own desire for control.

This desire to control is because governments are losing control. It has nothing to do with crime, it has everything to do with controlling what we do, see and hear and monitoring our every thought and movement.

To date, governments and mainstream media have operated in lock-step, each singing from the same song-book and looking after their common vested interests. The truth is out there, you only have to look.

Crude attempts at controlling what we can see and read were tried in the US (Computer Decency Act) and fell at the first hurdle when the CDA was found to be unconstitutional. Attempts to invade our privacy have also failed.

In the US, where the net ironically started life as a military project to avoid control, there have been numerous crude and to date failed attempts to outlaw personal use of encryption. These have ranged from bans on encryption, other than that approved by the government and to which the government has a back-door key, to rather weak encryption systems for domestic use and extremely weak encryption systems for export. The latter to enable the US to spy with relative ease on its allies.

The rather poor encryption system for Web browsers allows a 128-bit key for domestic use, 40-bit key for export. A test message with a 40-bit key was broken by a student within hours of the message being released.

Recently the US has backed down under commercial pressure and allowed the export of browsers with a 128-bit key, but these have a US back-door.

The infamous attempts to introduce a mandatory encryption system met with universal ridicule and contempt.

Not that any experienced net user would use anything as insecure as the above systems. 1024-bit keys are seen as the absolute minimum, with many users having much larger keys. This is all thanks to one pioneer, nay folk hero, Phil Zimmermann and his revolutionary package PGP.

Do we (in the West) live in a free society or not? The experience of Phil Zimmermann indicates not. On the release of PGP, which spread around the world faster than a brush fire, he felt the full wrath of the totalitarian state. For three and a half very long years he was under investigation by the US Assistant Attorney General.

A major felony had been committed, or so it would appear. What was Zimmermann's crime? He took publicly available algorithms and turned them into a very powerful software encryption package. Worse than that, he placed hard encryption, previously the sole preserve of the state security apparatus into the hands of the people to protect them from the prying eyes of the state.

To the people Phil Zimmermann was a hero, to the state public enemy number one.

The situation in other countries is not much better. Several countries have banned the use of encryption. But I will concentrate on the situation I know best, the UK.

Following various leaks, the government finally published a paper on encryption. The paper itself was a disaster, it was badly written, extremely muddled in its thinking, and clearly written by person or persons who had not a clue either about the net, electronic commerce or encryption. The natural response to the paper was widespread ridicule, but it had to be stopped, just in case some dumb minister decided to enact legislation in its support.

Lessons were learnt, a second paper was published. Far better written, and clearly lessons had been learnt from the previous escapade. But it again was fundamentally flawed and questions had to be asked as to whether the government fully understood the Internet and how it worked.

The second paper assumed that it was possible to regulate the Internet by decree, forgetting that the Internet was designed to route around danger. It also made the fundamental flaw of assuming that there could be a compromise on encryption, good enough for commerce, but weak enough to allow surveillance.

In encryption there can be no compromise, either hard encryption and real security, or weak encryption and no security.

Possibly learning from the US fiasco with attempts to impose a government encryption system with a back-door key the UK tried a much more subtle approach. Use whatever encryption system you liked, but the government would have a copy of your key. If government can read your secret traffic then anyone can.

The UK paper had a second danger that most commentators overlooked. The government was going to move into the regulation of the encryption business. Anyone signing a PGP key would be offering an encryption service and, as they would be unlikely to be a government-approved service, they would henceforth be guilty of a criminal offence. This at a stroke would outlaw the use of PGP.

The response to the second government attempt at regulation of encryption indicated it had been a universal failure. The response had been a resounding no. The government is currently considering its next move.

In the US things just went from bad to worse, at least as seen from the government's viewpoint. Phil Zimmermann released PGP 5.0.

Encryption was now a doddle: all you had to do was hit an encrypt button before the send button, and the package would even download the recipient's key off the net if it was not already attached to your keyring. Worse was to come. Export bans were still in force, but these mean nothing on the net (cyberspace has no frontiers), further heightening government paranoia. The release of PGP 5.0 exactly followed the initial release of PGP, only now the world knew what to expect: PGP 5.0 appeared all over the world. To add to the farce, the source code was legally exported from the US and recompiled in Europe.

It is illegal to export PGP 5.0, illegal to export the electronic source code, but not illegal to export the source code in printed form. Nor is it illegal to actually place PGP 5.0 on the net; that is free speech under the US First Amendment. Ståle Schumacher took full advantage of this opportunity to ridicule the US by ordering a copy of the PGP source code, 12 volumes, 6000 pages, then spending the next two months with a scanner. By mid-1997 he had a UNIX version available; by 1998 a Windows 95 version was available.

Other people simply took PGP 5.0 from the US, and made it available on sites around the world.

The reaction of the US to being made a laughing stock around the world has been to propose Draconian legislation. It will be a criminal offence to encrypt, to use encryption the intelligence services do not have immediate access to, to design, sell or import effective encryption. These measures are currently being forced through Congress by the FBI in cahoots with NSA. No longer is the FBI (Federal Bureau of Incompetence) seen as the federal crime busting agency, for many Americans it is seen in the same light as Russians viewed the KGB at the height of the Cold War. Both were a threat to the individual and a free society, the FBI still is.

The US FBI/NSA bill is called SAFE - Security and Freedom through Encryption. Like all Big Brother acts it uses newspeak. It offers neither security nor freedom, and it would be difficult to imagine a more oppressive piece of legislation. Trials may be held in secret (disclosure of proceedings would be held to be contempt of court), the President is to be granted executive powers to waive any part of the act and to punish non-compliant governments.

The US is aiming to use its muscle to force governments around the world to enact the same legislation.

The US may find it has a fight on its hands. The US joined the Oslo Conference on a Global Landmine Ban, with the sole intention of destroying the treaty. The US bullied, and got nowhere. Eventually it had to withdraw with its tail between its legs when it found it had no support.

As the Oslo Conference showed, the world will no longer be bullied by the US and its security apparatus.

The US, its security apparatus and its lackeys in the UK may already have bitten off more than they can chew. The repressive legislation the FBI/NSA has attempted to force through the US Congress has stirred up a hornets' nest and created massive opposition. The attempts within the UK to impose crackpot legislation were met with derision. The European Commission has now leapt into the fray. What they are proposing is the exact antithesis of what the US is seeking. The European Commission appear to have taken on board virtually everything I set out in my paper to the DTI. It is not often I praise the European Commission, but this is one of those rare occasions when they appear to have got it right.

The Soviet Union and the Eastern Bloc collapsed, not because of an internal armed uprising or because the West had a vastly superior military advantage, it collapsed because it proved impossible to stop the free flow of information.

Charles Arthur, Start using encryption now, and maybe it won't be outlawed, Network+, The Independent, 30 September 1997

Ian Burrell, Police use lasers to beat laws on bugging, The Independent, 28 July 1998

Ian Burrell, Britain's spies drop cloak of secrecy, The Independent, 30 July 1998

Duncan Campbell, Screw the Internet, Online, The Guardian, 17 September 1997

Duncan Campbell, Cops call the shots, Online, The Guardian, 25 September 1997

Duncan Campbell, Europe spikes spooks' e-mail eavesdrop bid, Online, The Guardian, 16 October 1997

Duncan Campbell, Tip for tap, Online, The Guardian, 10 September 1998

Duncan Campbell, Star Wars strikes back, Online, The Guardian, 3 December 1998

Duncan Campbell, EU hatches plan to tap Net and mobile phones, The Observer, 6 December 1998

Simon Davies, They are eavesdropping on our every word, connected, The Daily Telegraph, 16 December 1997

Simon Davies, EU simmers over Menwith listening post, connected, The Daily Telegraph, 16 July 1998

Simon Davies, Customs targets laptop harddrive contents, connected, The Daily Telegraph, 20 August 1998

Simon Davies, The ever-widening gaze of big brother, connected, The Daily Telegraph, 10 September 1998

Ivo Dawnay, FBI comes under fire for fatal blunders, International News, The Sunday Telegraph, 14 September 1997

DTI, Licencing of Trusted Third Parties for the Provision of Encryption Services, March 1997

EC, Towards A European Framework for Digital Signatures And Encryption, October 1997

Paul Eddy, True detective stories, The Sunday Times Magazine, 10 August 1997

Michael Evans, Cook criticised over blunder in surveillance, The Times, 24 July 1998

Wendy Grossman, DTI threatens privacy, connected, The Daily Telegraph, 1 April 1997

Patric Hook, Putting a face to face, connected, The Daily Telegraph, 13 August 1998

Justice, Under Surveillance - covert policing and human rights standards, Justice, July 1998

Paul Lashar, Ex-targets are now ministers, The Independent, 30 July 1998

Declan McCullagh, Building In Big Brother, 10 September 1997

Richard Norton-Taylor, MI5 gains key to cyber codes, The Guardian, 28 April 1998

Richard Norton-Taylor, Here's looking at you kid, The Guardian, 28 July 1998

Richard Norton-Taylor, MI5 holds 500,000 files on individuals, The Guardian, 30 July 1998

Keith Parkins, UK Proposals for a Key Escrow System, July 1996, rev 6

Keith Parkins, Privacy in an Electronic Age, November 1996 rev 13

Keith Parkins, Why Use Pretty Good Privacy?, April 1997 rev 9

Keith Parkins, UK DTI Proposals for Licencing Third Party Encryption Services, May 1997 rev 1

Keith Parkins, Intelligence Services Unaccountable and Out of Control?, December 1998

Bruce Schneier and David Banisar (Eds), The Electronic Privacy Papers, John Wiley, 1997

Michael Smith, Tales of fear and loathing in the service, The Daily Telegraph, 25 August 1997

Telegraph, special privacy edition, connected, The Daily Telegraph, 29 April 1997

Robert Uhlig, Ministers seek Net codebuster, connected, The Daily Telegraph, 23 April 1996

Jonathan Wallace, The Crypto Boondoggle, SLAC Bulletin, 1 October 1997

Mark Ward, The secret is out, New Scientist, 6 September 1997

Marcus Warren, Russian spies target Web, The Daily Telegraph, 6 August 1998

Lauren Weinstein (Moderator), PRIVACY Forum Digest, Vol06 #13, 21 September 1997

(c) Keith Parkins 1997-1998 -- December 1998 rev 14