Did Encryption Empower These Terrorists?
Sept. 11 - "Well, I guess this is the end now. . . ." So wrote the
first Netizen to address today's tragedy on the popular
discussion group, sci.crypt. The posting was referring to what
seems like an inevitable reaction to the horrific terrorist act: an
attempt to roll back recent relaxations on encryption tools, on
the theory that cryptography helped cloak preparations for the
deadly events.
BUT THE DESPONDENCY reflected in the comment can be
applied more generally. The destruction of the World Trade
Center and the attack on the Pentagon come at a delicate time
in the evolution of the technologies of surveillance and privacy.
In the aftermath of September 11, 2001, our attitude toward
these tools may well take a turn that has profound implications
for the way individuals are monitored and tracked, for decades
to come.
The first issue on the docket will be the fate of tools that
enable citizens to encrypt their e-mail, documents and phone
conversations as they zip through cyberspace and the ether.
Over the past decades there have been heated debates over
whether this technology should be restricted - as it can clearly
benefit
wrong-doers as well as businesspeople and just plain average
people. The prime government argument in favor of restrictions
invoked the specter of precisely this kind of atrocity. Quite
literally, it was the fear of "another World Trade Center" that
led the Clinton administration in the 1990s to propose a system
whereby people could encode their e-mails and conversations,
but also provide the Feds with a "back-door" means of access.
Now that those fears have come to pass, it's fair to ask those
who lionized crypto as a liberating tool to face a tough question:
Did encryption empower these terrorists? And would
restricting crypto have given the authorities a chance to stop
these acts?
The answer to the first question is quite possibly yes. We
do know that Osama Bin Laden, who has been invoked as a
suspect, was a sophisticated consumer of crypto technology. In
the recent trial over the bombing of the Libyan embassy,
prosecutors introduced evidence that Bin Laden had mobile
satellite phones that used strong crypto. Even if Bin Laden was
not behind it, the acts show a degree of organization that
indicates the terrorists were smart enough to scramble their
communications to make them more difficult, if not impossible,
to understand. If not for encryption, notes former USAF Col.
Marc Enger (now working for security firm Digital Defense)
"they could have used steganography [hiding messages
between the pixels of a digital image] or Web anonymizers
[which cloak the origin of messages]."
But that doesn't mean that laws or regulations could have
denied these tools to the terrorists. After all, many of the
protocols of strong cryptography are in the public domain.
Dozens of programs were created overseas, beyond the
control of the U.S. Congress. The government used to argue
that allowing crypto to proliferate, particularly to the point of
being built into popular systems made by Microsoft or AOL,
would empower even stupid criminals. But these were
sophisticated terrorists, not moronic crooks.
Before September 11, commercial interests, privacy
advocates and most in the government had reached a sort of
common ground, balancing high-tech with threats.
Cryptography was regarded as a fact of life, one with some
benefit to national security as well as risks. (In an age of
Info-Warfare, we are the most vulnerable nation, and
cryptography can help secure our infrastructure.) Intelligence
agencies could make up for the difficulties that crypto creates
for them by several means, including heightened work in
codebreaking, more use of "human assets" (spies), and - most
of all - taking advantage of the bounty of new information that
the telecom revolution has forced out into the open. E-mail,
pagers, faxes, cell phones, Blackberries, GPS systems, Web
cookies - every year another device or system seems to
emerge to expose information to eavesdroppers. Even if
terrorists encrypt content on some of those tools, simply
tracking who talks to whom, and measuring the volume of
messages, can yield crucial intelligence. (Indeed, this form of
"traffic analysis" did produce evidence that was used in the
Embassy bombing trial.) The challenge to our spy
agencies - one tragically not met this time around - is to use
those means to compensate for whatever information might
have been lost to encryption.
Beyond the crypto issue are a raft of controversies
involving other technologies of surveillance. Before this attack,
there was a general feeling that we would see legislation to
protect privacy on the Web and perhaps limit tools that
threatened civil liberties. Some feared that face-scanning
devices like the one used at the last Super Bowl can track
individuals as they move from one publicly mounted
surveillance camera to another. There was criticism directed
toward the FBI's "Carnivore" device, capable of scooping up
massive numbers of e-mails from Internet service providers.
There was concern over Web bugs that tracked people's
movements on the Internet. There were objections to the
Department of Justice's scheme to ensure that cell phones were
also tracking devices, presumably to aid 911 services, but
potentially becoming homing devices to follow our roamings.
Until today, a pro-privacy consensus was building. Will those
concerns be set aside in the rush to do something - anything - to
assure ourselves that we can prevent another September 11,
2001? Privacy advocate Richard Smith anticipates big changes
in airport security, but not necessarily a reboot on overall
privacy outlook. "Those types of restrictions just don't work
against people like [these terrorists]," he says. Let's hope that
he's right - that wisdom and courage, and not fear, dictate
future policy. Otherwise, the legacy of this terrible day may
become even more painful.
