|
PRIVACY Forum Digest Friday, 7 October 1994 Volume 03 : Issue 19 Moderated by Lauren Weinstein (lauren@vortex.com) Vortex Technology, Woodland Hills, CA, U.S.A. ===== PRIVACY FORUM ===== The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy. CONTENTS *** SPECIAL ISSUE on the Digital Telephony Bill *** PRIVACY Forum Special Issue on the Digital Telephony Bill (Lauren Weinstein; PRIVACY Forum Moderator) Support the Digital Telephony Bill! (Dorothy Denning) Rebuttal (Marc Rotenberg) The FBI's Wiretap Plan: Welcome to the Information Snooper Highway (Marc Rotenberg) Rebuttal (Dorothy Denning) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. ALL submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW home page at the URL: "http://www.vortex.com/". For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX to (818) 225-7203. ----------------------------------------------------------------------------- VOLUME 03, ISSUE 19 Quote for the day: "And now here's something we hope you'll *really* like!" -- Rocket [Rocky] J. Squirrel (June Foray) "Rocky and His Friends" (1959-1961) ---------------------------------------------------------------------- Date: Fri, 7 Oct 94 11:08 PDT From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: PRIVACY Forum Special Issue on the Digital Telephony Bill Greetings. As many of you know, the issues surrounding the Digital Telephony Bill, which involves the controversial issue of wiretapping, have resulted in considerable animosity in some discussions. The Senate version of the bill (SB 2375) in fact may be up for final vote today (Friday, 10/7/94). In an attempt to further reasoned discussion of this matter, I recently invited two of the best known spokespersons for each side of the debate (Marc Rotenberg of the Electronic Privacy Information Center [EPIC], and Dorothy Denning of Georgetown University) to send the Forum short essays summarizing their positions on this topic, and to also send in rebuttals to each other's essays. They both graciously agreed to do so, and the four items are included below. Since nobody had an ordering preference, I determined the presentation order through coin flips. I urge everyone to carefully read and consider the arguments below. More details regarding the bill are in the PRIVACY Forum archive--see the masthead of this digest for access info and look through the index for locations. And remember that your opinion *counts*. You can pick up the phone sitting right next to you, call your Senators, and let them know how you feel--either pro or con. If you don't know the numbers, just call Washington D.C. directory assistance at (202) 555-1212 and ask. Such calls to Senators *do* have an impact. I hope you'll find this special issue of the digest to be useful. And now, the essays. --Lauren-- ------------------------------ Date: Tue, 4 Oct 94 11:58:38 EDT From: denning@chair.cosc.georgetown.edu (Dorothy Denning) Subject: Support the Digital Telephony Bill! Support the Digital Telephony Bill! Changes in technology are threatening the ability of law enforcement to conduct court-ordered wiretaps. In testimony given to the Senate Judiciary Subcommittee on Technology and the Law and the House Judiciary Subcommittee on Civil and Constitutional Rights on Aug. 11, FBI Director Louis Freeh reported that a recent informal survey by the FBI identified 183 instances where law enforcement was frustrated by technological impediments. This figure includes orders for dialing information as well as call content, but excludes those instances where court orders were never sought or served on carriers because the impediments were known in advance. In testimony given to the same subcommittees in March, he noted that one federal agency reported that it did not pursue 25 court orders because of the known inabilities of a particular cellular carrier. He also reported on an earlier survey that identified 91 instances where court orders were frustrated. Of those 91 instances, 33% related to cellular services and 32% to custom calling features. His written statement describes five specific cases where court orders could not be fully implemented. In one of those cases, a cellular provider was unable to provide access to the subject's long distance communications made through the provider's cellular service. In another, a regional telephone company was unable to provide content and dialed number information as a result of the subjects use of custom calling features. At the August 11 hearings, Hazel Edwards of the GAO reported that "industry representatives told us that there are current and imminent technological situations that would be difficult to wiretap," and Roy Neel, president of U.S. Telephone Association, stated that in a number of cases, wiretaps probably would be frustrated because of new services. The primary purpose of the Digital Telephony bill is to ensure that the government can continue to intercept the contents of communications and acquire dialing information as the telecommunications infrastructure evolves with advances in technology, particularly digital technology. The bill is sponsored in the Senate by Senator Patrick Leahy (S. 2375) and in the House by Representative Don Edwards (H.R. 4922), both of whom are ardent advocates of liberties. They and their staff have been working closely with the FBI, industry groups, and privacy advocates to address concerns about privacy, costs, compliance, scope, design requirements, and government accountability. A lot of effort has gone into it. The result is a very well thought through and worked over piece of legislation. The bill was introduced only after it was recognized that the problems would not be solved voluntarily. Director Freeh testified in March that while meetings with industry over the past four years have led to a greater understanding of the problem, they have not produced implemented solutions or a commitment from industry to implement solutions. Moreover, of the 2,000 or so companies that would be affected, only a handful have participated in the technical working group which was established two years ago to address the problem and is now operating as the Electronic Communications Service Provider Committee (ECSP) under the Alliance for Telecommunications Industry Solutions (ATIS). This experience plus the general non-binding nature of committee resolutions and the cost factor led the Administration and Congressional leaders to conclude that a legislative mandate was needed. The bill authorizes reimbursements to industry of $500 million over the next four fiscal years. The Digital Telephony bill strengthens privacy and security. It requires that the carriers protect "the privacy and security of communications and call-identifying information not authorized to be intercepted" and that switched-based intercepts "be activated only with the affirmative intervention of an individual officer or employee of the carrier." Law enforcement officers will not be able to dial into switches and start their own taps. The bill strengthens privacy protections for transactional records, location-specific information, cordless phones, and radio communications. It provides long-needed legislation against fraudulent cellular phone cloning. Defeating the bill would not provide greater security for communications, guarantee that communications could not be intercepted, or provide better switch security. Many of the carriers likely would continue to implement some intercept capabilities for maintenance purposes as well as for law enforcement. If anything, the bill should lead to more secure switches because of the security and privacy requirement in the bill. Since switch security is essential to the integrity of the phone system, this is a step in the right direction. Nothing in the bill weakens privacy protections. Wiretaps will have to be carried out under the same tightly controlled conditions as they have been, subject to strict legal and procedural controls. As a result of the provisions of the bill and changes in technology, it will be increasingly unlikely that the government could systematically intercept the communications of a particular person without the assistance of the service providers. Although accommodating the need for court-ordered wiretaps is sometimes viewed as trading some privacy for law enforcement, for nearly all of us, our privacy is totally unaffected by whether the government can conduct wiretaps since our communications never will be targeted for interception anyway. Even for those who are the subject of a criminal investigation, it is not obvious that they would have greater privacy if wiretaps became technically impossible. Although the government would be unable to successfully investigate or prosecute many cases without the use of wiretaps, it is likely to try other methods that might otherwise have been rejected because they are more dangerous, for example, undercover operations and the placing of bugs on subjects' premises. These methods are potentially more invasive of privacy than a wiretap. If we don't take steps to maintain an effective wiretap capability, our telecommunications systems will evolve into sanctuaries for criminality wherein organized crime leaders, drug dealers, terrorists, and others can conspire and act with impunity. Eventually, we could find ourselves with an increase in incidents such as the World Trade Center bombing, a diminished capability to fight crime and terrorism, and no timely solution. Louis Freeh, Director of the FBI, identified the wiretap maintenance issue as "the number one law enforcement, public safety, and national security issue facing us today." In his August testimony, FBI Director Freeh stated that "electronic surveillance is one of law enforcement's most important and effective investigative techniques, and is often the only way to prevent or solve the most serious crimes facing today's society." In earlier testimony given in March, he described numerous incidents where wiretaps had been critical in fighting organized crime, drug trafficking, public corruption, fraud, terrorism, violent crime, and in saving innocent lives. For example, wiretaps helped prevent the bombing of a foreign consulate in the U.S., a rocket attack against a U.S. ally, and the shooting down of a commercial airliner. They led to the conviction of 22,000 serious criminals in the past decade, including 79 individuals in a major health fraud case and 65 in a major government fraud case. The latter case alone has led to $271,000,000 in fines, restitutions, and recoveries ordered. With wiretaps, criminals can be caught and convicted using their own words rather than testimony "bought" from other criminals. Wiretaps can be more reliable and less dangerous than other methods, for example, the use informants. Director Freeh predicted that loss of a viable electronic surveillance technique would result in a substantial loss of life; a substantial increase in corruption and economic harm to business, industry, and labor unions caused by the growth/emergence of organized crime groups; a substantial increase in the availability of illegal drugs; a substantial increase in undetected and unprosecuted public corruption and fraud against the government; a substantial increase in undetected and unprosecuted terrorist acts and murders; and a substantial increase in acquittals and hung juries resulting from lack of direct and persuasive evidence. He estimated the economic harm to be in the billions of dollars. He predicted "dire consequences to effective law enforcement, the public safety, and the national security if no binding solution to [the problem of maintaining a wiretap capability] is obtained." The Digital Telephony bill is essential for law enforcement and public safety. It has been carefully crafted to address concerns about privacy, scope, cost, compliance, design requirements, and accountability. Dorothy Denning ------------------------------ Date: Fri, 7 Oct 1994 12:35:46 EST From: Marc Rotenberg <rotenberg@washofc.epic.org> Subject: Rebuttal Denning and I agree on one point: "The primary purpose of the Digital Telephony bill is to ensure that the government can continue to intercept the contents of communications and acquire dialing information as the telecommunications infrastructure evolves with advances in technology." The question is whether this goal justifies the expense of $500 million and the entry of the FBI into the technical development of the nation's communication network. She says yes. I believe the answer is no. First, Denning's argument relies largely on the assurances of the FBI director. Mr. Freeh is, of course entitled to express his views, and he has been an extremely effective proponent of the legislation. But a proposal as sweeping as a fundamental redesign of the communications system calls out for an open, public analysis. The problem must be well understood by all concerned, not just the FBI and not just the telephone companies. Alternatives should be explored, less costly and less intrusive approaches should be considered. The public has a right to know the specific reasons for spending $500 m and why alternatives were rejected. The FBI has frustrated the public debate through secrecy and left us only with their characterization of the problem. The Bureau has not disclosed information regarding the 183 incidents that it claims justifies the proposal even after we submitted a Freedom of Information Act request. So important is this issue that we sued the FBI in court to obtain the document. The FBI replied that it would take *five* years before the document could be disclosed. This seemed an incredible delay to find 20 pages that the Director frequently referred to at Congressional hearings. At the same time, the FBI was fast tracking the legislation in Congress. When the district court judge considered the case EPIC v. FBI earlier this week he was shocked. "I could have this document in an hour and a half," he said. He instructed the FBI to turn over the survey within 30 day. Why should Congress or the public accept any less? We cannot substitute the assurances of government officials, however well intended and sincerely believed, for the necessary disclosure of relevant facts. Denning's frequent appeals to the statements of the FBI director do not strengthen her case. They simply remind us that we are being asked to accept the FBI's position without the opportunity to challenge the evidence. It is also hard to argue that the wiretap bill will strengthen privacy and security, as those terms are generally understood. The intent is obviously to make it easier to conduct electronic surveillance, and even the "privacy" provisions in the bill do little to disturb this fundamental goal. Some may say that this is a necessary sacrifice. But it can hardly be said that a bill to promote electronic wiretapping is good for privacy and security. Third, Denning says nothing would be gained by defeating the bill. To the contrary, putting the bill off till next year would allow privacy and civil liberties organizations to come to the table and press for a better solution. Alternatives could be explored. Real privacy safeguards could be put in place. The privacy community was kept out of the development of this legislation. That is the reason the bill went unchallenged until it was finally introduced in August. Not surprisingly, Denning concludes with the FBI Director's dire predictions about threats to public safety and national security if the bill does not pass. It is an argument intended to scare. It is the same type of argument that was made earlier to support the Clipper proposal and that will be made in the future to support other attempts by government to encroach on personal freedom. The question always is whether we must accept such claims. -- Marc Rotenberg, EPIC ------------------------------ Date: Wed, 5 Oct 1994 17:46:33 EST From: Marc Rotenberg <rotenberg@washofc.epic.org> Subject: The FBI's Wiretap Plan: Welcome to the Information Snooper Highway THE FBI'S WIRETAP PLAN: WELCOME TO THE INFORMATION SNOOPER HIGHWAY Marc Rotenberg, Electronic Privacy Information Center, Washington, DC. In August of this year the most expensive proposal ever developed for monitoring personal communications in the United States was introduced in Congress. The FBI wiretap bill would commit more than $500 million dollars toward the goal of making the information highway easy to wiretap. It is an elaborate scheme that allows the Attorney General to force telecommunications companies, equipment manufacturers, and professional organizations to incorporate electronic surveillance capabilities into services and standards for network communications. In other words, welcome to the Information Snooper Highway. If something about this idea seems wrong to you, you're not alone. Industry groups, privacy advocates, and computer users, have all expressed concern about the wiretap plan. EPIC, the Internet Business Association, the ACLU, the Society for Electronic Access, and Voters Telecomm Watch have said simply that the bill should be dropped. Why the concern? THE REAL STORY ON WIRETAP Supporters of the plan say that new technology is making the job of law enforcement more difficult. They cast wiretapping as the only way to solve crime, trot out stories about terrorists and pedophiles, blur the distinction between wiretapping and bugging, and characterize FBI as hopelessly behind the hi-tech curve. It is a picture that has virtually nothing in common with the reality of wiretapping in the United States First, wiretapping contributes a very small number to the total number of arrest in the United States. In 1991 for example, more than 14,000,000 people were arrested in the United States, according to statistics compiled by the Bureau of Justice Statistics. The same source reports that only about 2,000 people were arrested as a result of wiretap. That means that wiretapping is responsible for about one in seven thousand arrests in the United States. Now, you may think those arrests involve terrorists and pedophiles. In fact, the vast majority of court warrants are for narcotics investigations (536 of the total 856 warrants issued at the federal and state level). Next in line is racketeering (114). Kidnapping and extortion were at the bottom of the list. There were a total of five wiretaps, three at the federal level and two at the state level, for all cases involving kidnapping in 1991. A total of two cases involving loansharking, usury, and extortion. Does this mean that wiretapping is not an important or useful technique for law enforcement? No. But does it justify the massive and expensive overhaul of the US. phone system proposed? Clearly not. Consider also that law enforcement agencies have become savvy users of new technologies. The FBI is now developing the most sophisticated surveillance systems in the world, everything from pre-fabricated microphones, smaller than a computer chip, to Forward Looking Infra-Red Radar, a new technology that actually allows police to see through the walls of a home. That particular device raises staggering Fourth Amendment concerns. It also reminds us that law enforcement has hardly been left behind the curve. The proponents of the wiretap plan are not really seeking "to preserve the status quo" or save a particular tool for criminal investigation. (Wiretapping is too insignificant to justify the massive campaign being waged by the backers of the bill.) What the proponents really want is to build new surveillance capabilities into the communications network, to make it easier to conduct wiretapping, and to establish a basis for the incorporation of new monitoring features in the future. That's what this debate is about. Let's look at the real case more closely. THE PROBLEMS WITH THE REAL PROPOSAL ** Americans do not like wiretapping. For this reason, wiretap law restricts the government, it does not coerce the public. ** We should begin by asking a simple question: Do Americans, the people who will be directly affected by this plan, favor wiretapping? Here is the answer. Surveys taken every year by the Bureau of Justice Statistics show that American oppose wiretapping by roughly a three to one margin (Question: "Everything considered, would you say that you approve or disapprove of wiretapping?"). The opposition to wiretapping is found across all demographic groups, from sex, race and education to region, religion and political affiliation. The American attitude toward wiretapping is not surprising. The framers of the Fourth Amendment believed that barriers must be erected against the natural tendency of government to seize personal property and private correspondence in the name of criminal investigation. And the drafters of the federal wiretap law established every conceivable obstacle to the execution of wiretap authority. They never intended that the government could tell private companies -- as the current proposal would -- to make their technologies "wiretap friendly." The 1968 law that permits the government to conduct electronic surveillance described wiretapping as "an investigative method of last resort." The law set out elaborate restrictions on the government's ability to conduct wiretap. The reason for the precautions is understandable. Wire surveillance is far more intrusive than other types of criminal investigation and more prone to abuse. To treat an investigative method of last resort as a design goal of first priority, as the wiretap bill would do, is to stand wiretap law in this country on its head. ** The FBI wiretap bill will cost taxpayers at least $500,000,000. ** The FBI wiretap bill authorizes the expenditure of $500 million over the next four years to reimburse private firms for complying with the FBI's "capacity requirements" for electronic surveillance. But that amount may not be enough to satisfy the FBI's goal. The General Accounting Office estimates that the cost could run as high as $2 billion to $3 billion. Roy Neal, the President of the United States Telephone Association estimated that it could cost as much as $1.8 billion just to redesign call forwarding to satisfy the FBI's concerns. ** The GSA trashed the proposal. ** The General Services Administration, which is the largest purchaser of telecommunications equipment in the federal government, said the FBI wiretap plan would have an adverse impact on national security. In 1992 the General Services Administration wrote that the FBI wiretap plan would make it "easier for criminals, terrorists, foreign intelligence (spies) and computer hackers to electronically penetrate the phone network and pry into areas previously not open to snooping." The confidential memo was obtained as a result of a Freedom of Information Act request. ** The wiretap bill mandates new technologies for data surveillance. ** The wiretap bill says that "a telecommunications carrier shall ensure that it can enable government access to call-identifying information." This is the first time the U.S. government has required by law that communications networks be designed to facilitate electronic data surveillance. Telecommunications firms, equipment manufacturers, and those who work in the hi-tech industry face a legal obligation to design networks for electronic monitoring. ** The Constitution protects the right of privacy, not the use of wiretap. ** Privacy is a Constitutional right. The Fourth Amendment protects privacy and the right of individuals to be free from unreasonable search and seizure. Wiretapping is permitted by federal statute only in narrow circumstances. It has no Constitutional basis. Congress could outlaw all wiretapping tomorrow if it chose to do so, but it could not easily repeal the Fourth Amendment. ** Clipper shows what happens when government tries to develop standards for surveillance. ** Recent experience shows that standards developed to facilitate wiretapping are less robust, and are costly to American business and individual privacy. The development of a technical standard called the "Digital Signature Standard" used for authentication of electronic documents provides a case study of what happens when an agency with legal authority to conduct wire surveillance is also given authority to set technical standards for communications networks. Viewing the role of the National Security Agency in the development of the DSS, MIT Professor Ronald Rivest said "It is my belief that the NIST proposals [for DSS] represent an attempt to install weak cryptography as a national standard, and that NIST is doing so in order to please the NSA and federal law enforcement agencies." Stanford Professor Martin Hellman concluded that "NIST's action give strong indication of favoring NSA's espionage mission at the expense of American business and individual privacy." ** The FBI wiretap plan will undermine the privacy and security of communication networks around the world. ** Communications firms in the United States are the largest produces of networking equipment in the world. The adoption of surveillance-based standards in the United States will almost certainly lead to more electronic monitoring in other countries by state police. Many countries do not have even basic legal protections to control unlawful electronic surveillance. There is one story, almost apocryphal. When FBI Director Lou Freeh was in Eastern Europe earlier this year and urged the leaders of the new democratic government to adopt similar proposals for wiretap capability, he was turned down. Not surprisingly, those who had just lived through regimes where governments routinely spied on their citizens were not eager to repeat past mistakes. ** The wiretap bill established a framework for further encroachments on personal privacy. ** In granting power to the Department of Justice to establish standards for communications surveillance across every telephone system in the United States, the wiretap plan takes a sharp turn toward greater encroachments on personal privacy. What could follow? Mandatory licensing schemes for technologies that protect privacy. Criminal sanctions for developers and manufacturers of equipment that is not easily wiretapped. A presumption of illegal conduct when people choose to communicate with technologies that the United States has not certified can be wiretapped. If this sounds like speculation, consider the fact that the Department of Energy recently announced that it moving forward with a research program to develop network technologies that will make it easy for law enforcement to track payments. Sound familiar? BAD IDEAS HAVE CONSEQUENCES Considering both our national views on wiretap and all the Reasons to oppose the plan, does it matter if the government goes forward anyway? Yes, for several reasons. First, the plan will waste hundreds of millions of dollars. The FBI may not succeed in building a "wiretapable" network, but if the pending wiretap bill goes forward it will spend more than half a billion dollars of taxpayer dollars in the effort. Combined with the costs of Clipper, taxpayers are looking at a bill of around one billion dollars for a plan that even the proponents agree cannot fully work. Second, there is no question that the wiretap proposal will slow technical innovation and leave US companies to play catch-up with foreign firms that do not face similar requirements. New network technologies require good privacy technology. Wireless networks in particular, such as cellular phones and satellite systems, would benefit greatly from better privacy protection. Smart companies will design networks that protect privacy and security, not promote eavesdropping and surveillance. The wiretap plan means less security for consumers and businesses, and less competitive products for U.S. firms. Third, the risks of the proposal are enormous. Networks designed for surveillance are inherently more vulnerable than those designed for security. Are the FBI and the proponents of the plan really prepared to jeopardize the integrity of the nation's communications grid for less than a thousand wiretaps a year? Digital Telephony also will not meet the government's goal of trying to ensure the viability of electronic wiretapping. But in the effort to preserve this form of electronic surveillance, a lot of damage can be done to network security, American business, and personal privacy. In fact, of all the many proposals for the information highway, no two are less popular, less needed, or less desirable than Clipper and Digital Telephony. The White House can cut it losses if it simply drops these surveillance plans. Some will say that the plans are necessary for law enforcement. But Americans have never been comfortable with electronic wiretapping. We recognize that enforcement of law is a central goal in every democratic society. But the exercise of law enforcement, and the ability to conduct surveillance of citizens, requires a careful assessment of methods and objectives. Even a country deeply concerned about crime is prepared to draw some limits on the scope of government power. -- Marc Rotenberg, Electronic Privacy Information Center ------------------------------ Date: Fri, 7 Oct 94 09:49:41 EDT From: denning@chair.cosc.georgetown.edu (Dorothy Denning) Subject: Rebuttal Marc welcomes us to the "Information Snooper Highway." If maintaining a capability to conduct court-ordered wiretaps makes the phone system a snooper highway, then by Marc's reasoning, we arrived many decades ago since until recently, implementing wiretaps has not been a problem. Why doesn't Marc complain about our roadways being snooper highways? After all, the police can follow us, pull us over, search our vehicles, and test our alcohol level. We have to display license plates on our cars so that we can be identified, and we even have to pay for the "privilege" of being easily identified. The fact is, nothing in the Digital Telephony bill precludes the adoption of privacy enhancing technologies, including encryption. With such technologies, our telecommunications infrastructure will be less prone to snooping that it is right now. Illegal wiretaps will be virtually impossible. Marc seems to prefer that the information highway be wiretap proof. But imagine if the roadways were police proof. What would have happened if the police could not have followed O.J. Simpson's white bronco on the freeway or if they could not have seen inside his vehicle in order to base their decisions on a reasonable assessment of dangers and risks? Marc cites an old GSA memo, where GSA raised concerns relating to an earlier draft of the proposed legislation, including concerns that the wiretap capability could threaten security. Telecommunications security is, of course, extremely important. But the real vulnerabilities are with the switches, which may be subject to penetration attacks (possibly leading to a shut-down of the phone system), and with the over-the air communications, which can be intercepted with cheap scanners. The Digital Telephony bill does not aggravate these vulnerabilities. More likely, the security and privacy requirements of the bill will lead to greater security. Congress could, of course, outlaw wiretaps as Marc suggests. They could also outlaw auto emissions requirements and speed limits. And since we don't like taxes any better than wiretaps, maybe they should outlaw that too. Fortunately, Congress acts more responsibly than that, and considers the needs of society as well as personal freedoms. Marc claims that standards developed to facilitate wiretapping are less robust, quoting Ron Rivest as saying that the DSS proposal was an attempt to install weak cryptography as a national standard. Marc does not tell us that Ron made his statement before the DSS was adopted as a standard, with key lengths up to 1024 bits. For comparable key sizes, the DSS is at least as strong as the RSA digital signature system. None of us is thrilled with the idea of the government tapping our lines. That's why the use of this tool is severely restricted. The Digital Telephony bill is not about extending the surveillance authorities of the government, but about maintaining a tool that people in law enforcement view as vital to their work against organized crime, drug trafficking, fraud and corruption, terrorism, and other serious crimes. That the FBI is going to all this trouble to fight for something that is used in less than 1000 cases per year is evidence of how important they view this tool for performing their job. If Marc understood this, he would not erroneously infer that the FBI wanted to build new surveillance capabilities into the communications network. While it is tempting to rush forward with new technologies, we must make sure those technologies serve us over the long term. In general, it is cheaper and easier to design safety and security features into systems while they are being designed than after the fact. The Digital Telephony bill is about doing just that, and not waiting until wiretapping becomes a more serious problem to law enforcement and a more costly problem to fix. Dorothy Denning ------------------------------ End of PRIVACY Forum Digest 03.19 ************************