FOR the police and security
services, the telephone is a godsend. An itemised phone bill will
tell them at a glance who a person is talking to. Check those
people's bills and an entire network of contacts emerges. Then, if
the investigators want to listen to what's being said, the phone
system is eminently tappable.
Governments would love to monitor Internet activity
with the same ease. But they still don't seem to have grasped that
the Net is like nothing they've dealt with before. As a result,
their efforts to tap cyberspace so far have led to disaster.
First up, in its haste to read encrypted messages,
the US government pushed the Clipper chip, which scrambled
information but left a handy port through which officials could
snoop. Business refused to play ball. Next came a software version
in which "trusted third parties" held the encryption keys, handing
them over to government agencies when required. That idea bit the
dust in the US in 1997.
Britain only abandoned it last year. But Whitehall
has quickly tried again. This week, howls of outrage greeted the
Regulation of Investigatory Powers (RIP) Bill as the House of Lords
started to scrutinise it line by line.
This piece of would-be legislation forces all
Internet service providers (ISPs) to install connections to the
security services. Without even a whiff of a warrant, spooks will
then be able to see who's e-mailing who. And when they do have a
warrant, they can intercept a person's e-mail. If those messages are
encrypted, the investigators can demand the keys from their target's
correspondents and ISP. If a person cannot find a key, they must
convince a jury that they are not just hiding it, or face a jail
sentence of up to two years.
Nobody is happy. Privacy groups complain that the
bill violates human rights. ISPs argue that Net technology changes
so rapidly that the cost of the interception equipment will be
unbearable. Other companies warn that the bill's loose wording will
give just about any government official the right to snoop.
This mess has been caused largely because the
government still thinks the Net is like a phone system. But it's
not. It's far more flexible and harder to control. Even if the RIP
Bill becomes law, for example, people will be able to legally avoid
surveillance by sending their encrypted emails to a foreign ISP.
Better still, sign on with a company like Zero-Knowledge, which
provides online aliases and so much encryption that not even the
company can tell who you are and what you're doing.
Chasing cryptographic keys--in order to make the
Net as easy to tap as the phone system--is wrong-headed. As
e-commerce gains pace and the next-generation Internet arrives, a
variety of forms of encryption will become the norm rather than the
exception. These are designed specifically to stop the kind of
intrusion that governments want. Tracing keys will become
technically impractical or extremely time consuming, and will
certainly lead to yet more grief for individuals and businesses. In
the US, this approach is being rethought.
But if you can't tap the Net like a phone what
options exist? The options range from the very sneaky to the totally
open. One argument is that encrypted e-mails have more in common
with a conversation between two people in a room than a telephone
call. To listen in, law enforcers would have to bug the room.
There are plenty of ways of "bugging" a computer to
carry out such secret surveillance. A transmitter placed in the
keyboard can easily send keystrokes to a receiver. This bypasses
encryption entirely. Software agents similar to viruses can do the
same. They can even surreptitiously send out cryptographic keys in
Such covert methods would, of course, need strict
controls. In the US, they have proved so unpopular that they have
not yet been put before Congress. American privacy groups are urging
the government to regard e-mails and other electronic files in the
same light as documents. If officials want to see these, they must
obtain a search warrant.
For most individuals and businesses, these
alternatives are preferable to handing over cryptographic keys. But
they are more costly and difficult to carry out and will never give
government agents everything they would like.
Loath as governments are to accept it, the Net has
signalled the end of an era for eavesdropping. Their agents happily
tapped telephones for the best part of last century--and telegraph
lines before that. But it's not going to be that easy any more.
Governments and law enforcers need to look to the
future not the past. It's better for the British government to
abandon its bill and start afresh than to alienate business and the
public with inappropriate, ineffective laws.