ENCRYPTION

 

 

"If privacy is outlawed, only outlaws will have privacy. Intelligence agencies have access to good cryptographic technology. So do the big arms and drug traffickers. So do defense contractors, oil companies, and other corporate giants. But ordinary people and grassroots political organizations mostly have not had access to affordable military grade public-key cryptographic technology. Until now.

PGP empowers people to take their privacy into their own hands. There's a growing social need for it. That's why I wrote it.",

Phillip Zimmermann, author of encryption software program, PGP [1]

 

Introduction

Maintaining privacy in our personal communications is something everyone desires. Encryption is a means to achieve that privacy. It was invented for that very purpose. That makes encryption a good idea, right? But encryption, like most things, can be used for good or evil. And the debate over how to harness this powerful tool rages on as people on both sides see that there are no easy answers. .

What is encryption?

Encryption is the process of scrambling a message so that only the intended recipient can read it. The actual cryptographic process is generally a complicated mathematical formulation, the more complex -- the more difficult to break. A key is supplied to the recipient so that they can then decipher the message. Keys for encryption algorithms are described in terms of the number of bits. The higher the number of bits - the more difficult that cryptosystem would be to break.

Why do we need it?

Encryption can provide a means of securing information. As more and more information is stored on computers or communicated via computers, the need to insure that this information is invulnerable to snooping and/or tampering becomes more relevant. Any thoughts with respect to your own personal information (ie. medical records, tax records, credit history, employment history, etc.) may bring to mind an area in which you DO want, need or expect privacy. As teachers, we are often called upon to handle sensitive student information. We need to have access to student records, but maintain the confidentiality of their information..

Encryption is seen by many people as a necessary step for commerce on the internet to succeed. Without confidence that net transactions are secure, people are unwilling to trust a site enough to transact any sort of business using it. Encryption may give consumers the confidence they need to do internet business.

Encryption can also provide a means of "message authentication". The PGP User's Guide explains, "The sender's own secret key can be used to encrypt a message thereby signing it. This creates a digital signature of a message...This proves that the sender was the true originator of the message, and that the message has not been subsequently altered by anyone else, because the sender alone possesses the secret key that made that signature." [2] This prevents forgery of that signed message, and prevents the sender from denying the signature.

E-mail is certainly not secure. While you may believe that the use of a password makes your business private, you should be aware that sending information without encryption has been likened to sending postcards through the mail. Your message is totally open to interception by anyone along the way. You may believe that your personal e-mail is not incriminating and does not contain content that you must keep secret, and you may be right. But there are many common situations, where users have a legitimate need for security both to protect that information and to insure that information is not tampered with: Consumers placing orders with credit cards via the Internet, journalists protecting their sources, therapists protecting client files, businesses communicating trade secrets to foreign branches, ATM transactions, political dissenters, or whistle-blowers -- all are examples of why encryption may be needed for e-mail or data files, and why it might be necessary to create a secure environment through its use.

 

ISSUES

 

#1 : Does it really work? Does encryption guarantee security?

First, many businesses and individuals employ encryption successfully. But, it can't work if people don't use it. If encryption is not made easy-to-use, most people will not bother. But, clearly, the perception of security is important. Internet sales have skyrocketed with the public's rising confidence that online transactions are secure.

In his article, "Selling Wine Without Bottles: The Economy of Mind on the Global Net", John Perry Barlow discusses the use of encryption for protection of intellectual property. Barlow claims that in some ways using encryption is almost an invitation to hackers to try to break in!! He writes that "the more security you hide your goods behind, the more likely you are to turn your sanctuary into a target" [3] In attempting to secure information, it becomes less secure!!?? Remember, that once a code is broken, all the information stored using that method is vulnerable to tampering, or copying.

Additionally, the level of encryption determines its effectiveness. Current levels of encryption vary remarkably from situation to situation. Certainly, a level of encryption that is easily broken can do more harm than good - giving the false sense of security.

 

#2 : Laws regarding encryption?

Currently, encryption is classified as a munition under the Internation Traffic in Arms Regulations (ITAR). That makes the export of encryption programs or devices illegal.

Why does this law exist? In what ways could encryption be considered dangerous?

The power of encryption to keep secrets could be misused. It might be employed to conceal criminal activity or for harassment. Stalkers or predators could "hide" using encryption, their identities would be untraceable. It could be used for acts of terrorism, the likes of which are pretty frightening when you consider all of the systems that are computerized today.

In many applications, encryption could be seen as a threat to existing methods of law enforcement. Should a level of encryption that law enforcement is unable to decipher become easily available, law enforcement would be unable to use current surveillance/wiretapping techniques.

With malevolent use of encryption our information infrastructure may be at risk. Peter Ludlow, and many cypherpunks, have speculated that free, unrestrained encryption could cause loss of governmental control on the tax revenues generated in businesses on the web. If the business is "secret", how can taxes be assessed? There would be no means for the government to track revenues in order to collect! With the loss of tax revenues, government as we know it could simply cease to exist. Timothy May describes (foretells?) of a hypothetical underground black market for swapping proprietary information could be set up on the internet (BlackNet) that would allow for the sale of all types of destructive and/or sensitive information. The legal authorities would be powerless to stop it. [4]

Understandably, there are concerns to making powerful encryption available to all Americans. Yet, when the need for privacy is so clear, do we make encryption illegal because it could be used for evil?? As Peter Ludlow asks, "The question is, which set of concerns should weigh more heavily, those of individuals or those of government security forces?" [? ]

 

#3 : By current law, (ITAR) the President has the power to determine what items warrant export controls. Encryption is allowed, but only in 40 bit keys.

The government says it controls this level for valid national security purposes. The trouble is that the government's acceptable level of encryption is not very safe. Most savvy users realize that DES is breakable, and use other stronger methods. US businesses, restricted to using this level of encryption that is known to be less secure, lose foreign business. Additionally, US companies and talented programmers, are unable to legally market their inventions. Some have already moved to other countries to get around this law. (Find example of programmer in Antigua ) American business is not playing on a level playing field!

Court challenges to encryption's classification under ITAR have met with mixed results. In the Bernstein case, the federal judge found software code to be free speech, protected under the first amendment. Professor Bernstein is now free to publish his Snuffle 5.0 software on the Internet without fear of prosecution. Two other challenges have failed. Karn challenged the logic of a law that permits the export of a textbook version of cryptography, but denies legal export of a floppy disk containing the exact same material! Junger, a college professor, wished to use links to encryption on his webpage as part of hiscourse. The judge in this case found that posting software on the Internet is an export, and the export of source code is "not protected conduct under the First Amendment." He declared the Bernstein court's assertion that "language equals protected speech" unsound, since it disregards the issue of whether it expresses ideas.

Most of the legislation concerning encryption that has been/is being proposed, such as

outline relaxation of export controls and lessening government involvement. The SPNA (Secure Public Networks Act) is an exception, proposing a government-line bill. For up-dates on the status of such legislation, visit EPIC's online legislative bill tracking website.

 

#4 : E-mail Security - an OXYMORON?

Who has access to your email? There are a few people (systems) that could possibly read your message along the way. The system operator has access to your message in the "spool files" at the local site. A system administrator has access as well and can release information regarding your email to law enforcement agencies should they be requested to do so. Bounced messages go to Postmasters at a site with the entire message intact. Some mailing lists are actually publicly accessible using mail routing software systems.

There are levels of e-mail privacy associated with the types of messages that are sent. Public messages are those posted to newsgroups and other forum groups. Anyone within these groups can read your message and forward it on to other people. Make sure that only public information is displayed in this type of correspondence. Chat rooms and newsgroups that claim to be private because they require a password are a little more private than the public newsgroups or chat rooms. But the participants in these groups can copy your communiqué and send that information wherever they wish.

There are online services that provide some "private" means of communicating and are protected by the ECPA (Electronic Communications Privacy Act), a law that applies to email. However, there are three exceptions to this law that are important to note. The article "Privacy in Cyberspace" takes a close look at these exceptions: "The online service may view private email if it suspects the sender is attempting to damage the system or harm another user. The service may legally view and disclose private email if either the sender or the recipient of the message consent to the inspection or disclosure. And, if the email system is owned by an employer, the employer may inspect the content of employee email on the system". [7]

There is really only one sure way to protect your email privacy and that is by using encryption.

 

Ways to Protect Privacy

The Electronic Privacy Information Center (EPIC) offers an Online Guide to Practical Privacy Tools including such software methods as:

It should be noted that hardware devices can also be used to insure privacy. One example of a hardware device, originally proposed for privacy purposes by the Bush Administration, is the Clipper Chip. This chip was to be inserted into all electronic communications devices, giving them automatic encryption powers. The idea was to protect cellular phone conversations, fax machine communiqués, etc from eavesdroppers. The Clipper chip was to use a new classified NSA (National Security Agency) encryption algorithm called SKIPJACK. Government agencies would hold a copy of the key so that they could gain access in situations where they acquired a legal wiretap. While the government claimed this would help people and protect them, there are many concerns about the untested, unknown algorithm. Will overseas businesses accept it? Will they trust it's security? Is this mandatory hardware privacy device really private? Is this such a great idea after all??

 

Educational Ramifications - Do teachers need to know about encryption?

More and more information in the school setting is being computerized. If current equipment used in the school setting is using the current level of encryption allowed by law, all of our records are vulnerable to both perusal and alteration!! Scary thought.

On the positive side, access to databases of student records (both academic and medical) would make accessing needed information quicker and easier. There would be no more waiting for records on students transferring into your district. It is not a large leap to assume that the same use of computerization for convenience would apply to the use of databases for teachers employment files and medical records. Certainly, levels of encryption that can be trusted to be secure are warranted. But does your district apply that technique?

Teachers and parents need to keep the "lines of communication" open. These "lines" now include computer modems as well as telephone and postal service!! To be able to discuss the important issues affecting our students and their success in school, e-mail must be secured. We need to be activists for privacy in our school districts, making sure that the appropriate steps are being taken to respect and insure the privacy in our communication.

Commercial Security Resources-

Thawte - Internet security products http://www.thawte.com

Valicert - Secure document transfer http://www.valicert.com/

Internet Security Systems - Network security http://www.iss.net/

The Center for Internet Security - http://www.cisecurity.org/

Symantec - Privacy Control Products - http://www.symantec.com/sabu/nis/nis_pe/

Web Resources:

 

[1] Zimmermann, Philip "PGP User's Guide, Volume I: Why do you need PGP?"

 

[2] Zimmermann, Philip "PGP User's Guide, Volume I: How it works"

 

[3] Barlow, John Perry "Selling Wine Without Bottles: The Economy of Mind on the Global

Net"

 

[4] May, Timothy "Introduction to BlackNet"

 

[5] EPIC Bill Track: "Tracking Privacy, Speech and Cyber-Liberties Bills in the 106th

Congress", updated 1/20/98

 

[6] Electronic Frontier Foundation, "DES Challenge III Broken in Record 22 Hours", Jan 19, 1999

 

[7] Privacy Rights Clearinghouse, "Fact Sheet #18: Privacy in Cyberspace" San Diego, CA June

1995 revised Dec. 1998

Return to Privacy Homepage