PRIVACY Forum Archive Document

PRIVACY Forum Home Page

PFIR - "People For Internet Responsibility" Home Page

Vortex Technology Home Page


PRIVACY Forum Digest     Thursday, 7 September 2000     Volume 09 : Issue 20

                (http://www.vortex.com/privacy/priv.09.20)

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                         http://www.vortex.com 
        
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
                 Cable & Wireless USA, Cisco Systems, Inc., 
                           and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
        PFIR Statement on Government Interception of Internet Data
           (Lauren Weinstein; PRIVACY Forum Moderator)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list server system.  Please follow the instructions above
for getting the list server  "help" information, which includes details
regarding the "index" and "get" list server commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 09, ISSUE 20

     Quote for the day:

        "I find your lack of faith disturbing."

           -- Darth Vader (David Prowse / James Earl Jones)
              "Star Wars" (Fox; 1977)

----------------------------------------------------------------------

Date:    Thu, 07 Sep 2000 17:57:20 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: PFIR Statement on Government Interception of Internet Data

Greetings.  I have included the following document in its entirety since
it has obvious direct relevance to privacy issues.

--Lauren--

                -----------------------------------------


          PFIR Statement on Government Interception of Internet Data 

                             September 7, 2000

               http://www.pfir.org/statements/interception

       PFIR - People For Internet Responsibility - http://www.pfir.org

       [ To subscribe or unsubscribe to/from this list, please send the
         command "subscribe" or "unsubscribe" respectively (without the 
         quotes) in the body of an e-mail to "pfir-request@pfir.org". ]


Given the realities of today's society, most of us would agree that there
clearly are times when it is necessary for the sanctity of private
communications to be breached for the common good.  The most commonly known
such interception is the wiretap, which dates to the very dawn of
telecommunications.

We've come a long way since the invention of the telegraph and the
development of the telephone.  The Internet in particular, through its vast
reach and increasingly ubiquitous nature, has opened up a Pandora's Box of
problems when considering the ramifications of wiretap-type interceptions,
even when they are for the most laudable of purposes.

When considering these issues, it is all too easy to fall into the trap of
focusing our attention on particular instances and specific hardware or
software systems.  At this moment, the spotlight is blaring brightly on the
FBI's Carnivore system, which, according to the Bureau, is used to monitor
Internet e-mail addressing and related data under court authorization.  

Since the inner workings and operational parameters of this system have not
been known publicly (in fact, the system's existence was only recently
revealed to the public), considerable skepticism has been voiced regarding
whether or not the system actually functions "as advertised" and would
always be operated in an appropriate and correct manner.

As important as these considerations are, we feel that it is a serious
mistake for so much attention to be focused on these specific issues and
this specific system, instead of on the much more serious and broader policy
implications and questions related to the entire area of Internet
"wiretaps," regardless of the specific instrumentality through which they
are implemented.  

To a significant extent, it appears that the ongoing controversy regarding an
"independent review" of the Carnivore system is actually diverting public
attention from the more significant issues that desperately need to be
addressed.  With regard to any officially-authorized Carnivore analysis, the
U.S. Department of Justice has severely constrained the possible results.
In particular, their requirements prevent any meaningfully independent
evaluation; they reserve the right to censor and edit all resulting reports,
and they confine the analysis solely to the source code -- ignoring important
considerations such as the operational environment.  In the final analysis,
the results of any such Carnivore review will contribute little or nothing
towards resolving the much more important policy questions relating to this
entire area.

The essential nature of these questions revolve around the fundamental issue
of when it is appropriate to intercept private telecommunications channels
in the first place, and under what conditions.  There has been a disturbing
trend for increasing amounts of data that most observers would consider to
be integral parts of communications, to be treated instead as "addressing"
information for interception and legal purposes.  

This is not an unimportant distinction.  In general, the procedure for
obtaining authorization to intercept communication address data is much less
rigorous than that for obtaining communication contents.  In a telephone
context, this is the difference between monitoring the specific phone
numbers dialed from a particular telephone line (the so-called "pen
register" system) and actually overhearing the parties speaking on the
calls.  

Even before the Internet issues moved to center stage, the blurring of these
demarcations was becoming increasingly problematic.  It has become common,
for example, for the actual message data sent to pagers to be treated merely
as addressing information from the standpoint of interception
authorizations.  The rationale for this determination is difficult to
understand, because by any normal analogy, the contents of a pager message
are comparable to the contents of a telephone call.  It appears that the
specific mechanisms of the technology have been used as an excuse for
treating pager message contents in this sort of seemingly illogical (but
convenient) manner.  

When we move into the Internet universe, similar kinds of issues arise, but
in guises that are orders of magnitude more complex.  One obvious issue is
the question of control.  Most traditional wiretaps (at least until very
recently) have usually been under the ostensible control of the telephone
companies themselves, and involved specific telephone lines.  It would have
been unthinkable in most "routine" law enforcement interception situations
for Ma Bell or her descendents to hand over masses of calls relating to
non-targeted individuals (a "trunk-side tap") to officials for them to pick
through as they saw fit, without telephone company supervision or control.  

Systems such as Carnivore are very much an analogue of trunk taps and by
definition cannot be controlled by the Internet Service Providers (ISPs) who
must install them deep within their networks.  In contrast, the correct
venue for the control of interceptions should actually be the ISPs
themselves, not black boxes under outside control.  Such ISP control might
entail the creation of standards to assist the ISPs in responding to such
matters in a reasonably uniform manner from a technical standpoint, but it
does not follow that "tapping" systems need to be designed into the networks
themselves (an intrusive concept which has been roundly rejected by most
network technologists).

Perhaps most importantly, ISP technical standards in this regard can be
completely open and public in nature.  Closed standards and secret
software source code do not and can not engender public confidence.  The
argument that the source code for a system such as Carnivore must be kept
secret to protect it from hackers or from being bypassed seems overstated.

As discussed above, whereas we feel that too much emphasis on the technical
side of these issues misses the critical points, it is at least prudent that
the technical systems operate in as open an environment as possible.  We
appreciate that even the availability of source code is of only limited
value due to its ephemeral nature and ease of alteration, but there's simply
no excuse for a completely closed approach in this kind of situation.

There is nothing magical or even particularly complex about packet filters
(the heart of such systems), but it is possible for implementation errors or
intentionally placed Trojan horses to cause them to behave in inappropriate
manners.  Such errors would be best exposed by wide public inspection --
sunlight remains the best disinfectant.  Properly implemented, the
availability of source code would not permit anyone to bypass the systems
based on such knowledge.  

The key to the usefulness of such interception systems is that the targets
of surveillance must not be aware of the systems' use.  Once a target
realizes that it is under surveillance, the probability of its using easily
available mechanisms (such as encryption, alternative addresses, etc.) to
complicate the task of observers rises dramatically.  Neither source-code
dissemination, nor the placing of interception systems under responsible ISP
control as we recommend, is likely to alter any of these factors.

Another stated reason for the source code secrecy in the Carnivore case is to
protect the commercial interests of the software firm that wrote the
original source code upon which Carnivore is based.  This may be a
reasonable attitude from a commercial standpoint, but it demonstrates again
why a better course would be open systems where such commercial
considerations could not easily warp crucial public policy considerations.

Other aspects of these issues regarding the Internet relate back to our
earlier discussion of addresses versus information content.  A given packet
of Internet data may contain text, segments of an image, a piece of a voice
phone call, or innumerable other sorts of data.  The specificity with which
determinations are made regarding which kinds of data may be intercepted in
any given situation are extremely important.  Current trends in this regard
are not at all encouraging.

For example, from the standpoint of interception and other law enforcement
purposes, the record of visited Web addresses (URLs) is often treated as
roughly analogous to addresses on conventionally mailed envelopes.  This is
an inappropriate and incorrect analysis.  URLs allow for the tracing of
complete interactions deep into specific areas of Web sites, including
keyword searches and other information lookups, and in many cases data
submissions, login/password information and other detailed data as well.
Web users' URL histories are effectively a diary of nearly every aspect of
their Web use, and are more properly analogous to the contents of an
envelope, not to what was written on the outside.  However, given the abuse
of this same sort of URL data for commercial purposes (such as tracking
users via Web cookies and other means), this unfortunate state of affairs
should not be at all surprising.

When we look at the overall situation, a continuum of both policy and
technical system issues is apparent and most important.  At a minimum on the
technical side of the equation, it is crucial that system architecture and
operation continually satisfy the system requirements for security and
privacy, and that they be independently verified.  For this to be possible,
the detailed system requirements must be known to the public, and
independent assurances are needed that the system in operation remains
consistent with those requirements into the future.  

The analysis of source code can lend some credibility to the process, and
should be among the minimum requirements, but this only represents a
snapshot -- such code can be perpetually changing over time.  Therefore,
these processes must also include some demonstrable assurances that the code
subjected to analysis was actually the code in use, and that any subsequent
changes have left the entire system operationally compatible with the
previously verified requirements.  Any seemingly positive analysis of a
particular piece of source code is inherently incomplete in and of itself.
Given the serious vulnerabilities that exist in most commercial operating
systems and application software programs today, it is the overall
interaction of system issues, taken in their totality, that matters most
in this regard.

Beyond such technical considerations, the policy issues that play into all
aspects of these questions and systems must be rigorously analyzed and
understood by all concerned.  This is too important a complex of issues to
be handled in sloppy or offhanded fashions.  The Internet is rapidly
becoming the foundation of all manner of society's most basic functions.
Routine purchases, bill payments, personal and business phone calls,
education, law enforcement -- the myriad aspects of the most public and
private aspects of our lives -- are finding their way onto the conduits of
the Internet.  

Society must have the will to apply the basic precepts and protections of
our cultures to the Internet.  We must not be seduced into permitting these
basic concepts to be undermined by technological details or related
diversionary tactics in any environments, either on or off the Internet.
These principles apply regardless of whether we're dealing with physical
mail, electronic mail, pagers, conventional phone calls, Internet telephony,
or the various component parts of the World Wide Web.  Society should be
unwilling to accept anything less.


Lauren Weinstein
lauren@pfir.org or lauren@vortex.com or lauren@privacyforum.org
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy

Peter G. Neumann
neumann@pfir.org or neumann@csl.sri.com or neumann@risks.org
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Moderator, RISKS Forum - http://catless.ncl.ac.uk/Risks
Chairman, ACM Committee on Computers and Public Policy
http://www.csl.sri.com/neumann

------------------------------

End of PRIVACY Forum Digest 09.20
************************


PRIVACY Forum Home Page

Vortex Technology Home Page

Copyright © 2005 Vortex Technology. All Rights Reserved.