|   home   |   subscribe   |   jobs   |

Spooks out

You'll never catch criminals by tapping the Net, so don't even try

FOR the police and security services, the telephone is a godsend. An itemised phone bill will tell them at a glance who a person is talking to. Check those people's bills and an entire network of contacts emerges. Then, if the investigators want to listen to what's being said, the phone system is eminently tappable.

Governments would love to monitor Internet activity with the same ease. But they still don't seem to have grasped that the Net is like nothing they've dealt with before. As a result, their efforts to tap cyberspace so far have led to disaster.

First up, in its haste to read encrypted messages, the US government pushed the Clipper chip, which scrambled information but left a handy port through which officials could snoop. Business refused to play ball. Next came a software version in which "trusted third parties" held the encryption keys, handing them over to government agencies when required. That idea bit the dust in the US in 1997.

Britain only abandoned it last year. But Whitehall has quickly tried again. This week, howls of outrage greeted the Regulation of Investigatory Powers (RIP) Bill as the House of Lords started to scrutinise it line by line.

This piece of would-be legislation forces all Internet service providers (ISPs) to install connections to the security services. Without even a whiff of a warrant, spooks will then be able to see who's e-mailing who. And when they do have a warrant, they can intercept a person's e-mail. If those messages are encrypted, the investigators can demand the keys from their target's correspondents and ISP. If a person cannot find a key, they must convince a jury that they are not just hiding it, or face a jail sentence of up to two years.

Nobody is happy. Privacy groups complain that the bill violates human rights. ISPs argue that Net technology changes so rapidly that the cost of the interception equipment will be unbearable. Other companies warn that the bill's loose wording will give just about any government official the right to snoop.

This mess has been caused largely because the government still thinks the Net is like a phone system. But it's not. It's far more flexible and harder to control. Even if the RIP Bill becomes law, for example, people will be able to legally avoid surveillance by sending their encrypted emails to a foreign ISP. Better still, sign on with a company like Zero-Knowledge, which provides online aliases and so much encryption that not even the company can tell who you are and what you're doing.

Chasing cryptographic keys--in order to make the Net as easy to tap as the phone system--is wrong-headed. As e-commerce gains pace and the next-generation Internet arrives, a variety of forms of encryption will become the norm rather than the exception. These are designed specifically to stop the kind of intrusion that governments want. Tracing keys will become technically impractical or extremely time consuming, and will certainly lead to yet more grief for individuals and businesses. In the US, this approach is being rethought.

But if you can't tap the Net like a phone what options exist? The options range from the very sneaky to the totally open. One argument is that encrypted e-mails have more in common with a conversation between two people in a room than a telephone call. To listen in, law enforcers would have to bug the room.

There are plenty of ways of "bugging" a computer to carry out such secret surveillance. A transmitter placed in the keyboard can easily send keystrokes to a receiver. This bypasses encryption entirely. Software agents similar to viruses can do the same. They can even surreptitiously send out cryptographic keys in e-mails.

Such covert methods would, of course, need strict controls. In the US, they have proved so unpopular that they have not yet been put before Congress. American privacy groups are urging the government to regard e-mails and other electronic files in the same light as documents. If officials want to see these, they must obtain a search warrant.

For most individuals and businesses, these alternatives are preferable to handing over cryptographic keys. But they are more costly and difficult to carry out and will never give government agents everything they would like.

Loath as governments are to accept it, the Net has signalled the end of an era for eavesdropping. Their agents happily tapped telephones for the best part of last century--and telegraph lines before that. But it's not going to be that easy any more.

Governments and law enforcers need to look to the future not the past. It's better for the British government to abandon its bill and start afresh than to alienate business and the public with inappropriate, ineffective laws.

From New Scientist magazine, 17 June 2000.

Subscribe to New Scientist