NETWORKS
Freedom and Privacy on the Electronic Frontier: A Personal View
by Tim O'Connor
[Ed: Links to web pages which have become inactive since the publication of this article
have been enclosed in curly brackets { }. Replacement links have been provided where possible.]
In matters of electronic privacy and online communication, 1994 and 1995 were
discouraging years in the United States. Newly popular forms of communication
-- electronic mail, network news, and Web publishing -- were embraced by
private citizens. However, it has become clear that the U.S. legal system
offers few explicit indications of how cherished American ideals (such as
freedom of speech, freedom from unreasonable search and seizure, and the right
to privacy) can be protected in the new medium we now call
cyberspace.
Freedom of expression is protected when it takes the form of printed material
or public speech; it is more frequently restrained in broadcast media such as
television and radio. At present, it is not clear that U.S. lawmakers or courts
know how to categorize cyberspace communications. Cyberspace proponents and
privacy advocates assert that online expression should be protected as much as
printed information is protected; some politicians and interest groups, on the
other hand, argue that cyberspace is a broadcast medium that most resembles
television, and that it must be regulated accordingly.
At the center of these discussions is a movement to keep cyberspace "clean,"
which is generally interpreted to mean that obscene or offensive material
should be suppressed or regulated.
Both sides tend to phrase their arguments in apocalyptic terms. Cyberspace
advocates view the current debate in terms of the individual battling for
liberty against a tyrannical state that would feel free to review even private
e-mail for offensive content. Moralists frame the debate as a fight to defend
children from harmful or offensive material and to prevent criminals and
terrorists from operating in complete secrecy. Neither side seems able to
accept that nearly every element of the dispute over freedom in cyberspace
resides in a shapeless area to which no group can lay claim.
As with other reforms, current U.S. proposals tend to use children, drugs, and
terrorist bombs as excuses to trim civil liberties and impose restrictions that
would be unconstitutional if they were applied to traditional media. Lawmakers,
courts, and law-enforcement authorities make distinctions between information
in electronic form and the same information when it appears in printed form
(which has historically been protected by the U.S. Constitution).
In this topsy-turvy world, for instance, information that is completely legal
when printed on paper is illegal when it exists in electronic form. In one
case, the book Applied Cryptography, by Bruce Schneier, contains an
appendix that lists the source code for many computer programs that can be used
to encrypt information. One could type or scan the material into a computer and
compile it into working programs. The book may be legally exported from the
U.S. The electronic version of the appendix, however, may not be exported from
the U.S., because it is classified as a munition -- exactly as if it were a
missile, a tank, or a rocket launcher. (See the Web page at
{http://www.qualcomm.com/people/pkarn/export} for information about a
current lawsuit against the State Department regarding the export of this computer code.)
To date, courts have generally been unwilling to extend traditional protection
to newer forms of expression, even when equivalent written and spoken
expressions are recognized as protected forms of speech. As a result, the world
of cyberspace enjoys significantly less protection from seizure and scrutiny
than the world of paper, ink, and voice.
At present, early in 1996, it is not yet clear how various legal issues will be
settled, though in the eyes of many activists, today's uncertain period may yet
provide the best possible opportunity for private citizens to seize control of
the issue in favor of greater individual privacy and freedom.
It is still legal for U.S. computer users to acquire and use tools that can
provide reasonable privacy for computer files and online communication. And as
long as legislation aimed at reforming communications law remains stalled in
Washington, there is still a chance for citizens to contact lawmakers who might
vote to impose broad new restrictions on computer and Internet use.
Popular interest in the Internet skyrocketed in the last year, and such
services as e-mail and Web publishing have become less exotic and more
accessible to private citizens. In the process, computer users have become
aware of software privacy tools. These are programs that make it possible to
securely scramble personal information, and to enjoy private, tamperproof
transmission of data. If people begin to widely use such software, say privacy
advocates, then the government may find it impossible to enforce a broad ban on
privacy programs.
Techno-optimists have declared that we are entering a new era of personal
liberty, in which widespread adoption of digital technology will provide
greater personal freedom and privacy for all those who have online access,
whether in democratic countries or under oppressive regimes. Techno-pessimists
argue that eventually this medium will be reined in and tightly controlled by
authoritarian governments.
Ensuring Privacy
In the open range between the extremes of utopia and paranoia, there are modest
steps that private citizens can take immediately to familiarize themselves with
the tools of the privacy trade.
One encryption tool, PGP (Pretty Good Privacy), is available over the Internet
at no cost, to operate on most major computer systems. (See
http://web.mit.edu/network/pgp.html
for information on PGP.) PGP allows you to securely encrypt mail messages
and computer files, and to create digital signatures for mail and files. (For
more about PGP, see "When 'Pretty Good'
Encryption Is Good Enough.")
PGP is moderately difficult to operate, and its concepts can at first be
complex to grasp, but it can be a useful tool that allows close-knit groups to
exchange secure mail messages.
A person interested in exploring the world of encryption can get a personal
copy of PGP and learn how to use it properly. One approach is to experiment
with friends, try to exchange encrypted messages, and get a feel for how it
works. PGP performs three essential functions for anyone concerned about
privacy of electronic information.
- It can be used to encrypt -- that
is, to scramble -- files and mail messages so that only you or the message's
recipient (or both of you, if you choose) can unscramble them.
- It can be
used to create a "digital signature," which is attached to a file or a message.
If any part of the message is modified in the slightest way, the signature will
fail to pass authentication when the recipient checks it.
- It can be used to
authenticate people and messages. The idea is that if you add my PGP "key" to
your keyring, then you can compare all later messages and files from me against
my known, good key in your possession. If the information passes PGP's
authentication check, you can be assured that I am the author of the message,
and that the message was created on the date and at the time noted in the
timestamp that is attached to the message.
At its heart, PGP relies on
what is called a "web of trust," meaning that its users must exchange keys,
which are tiny pieces of computer code that are the electronic equivalent of a
passport. People vouch for each other, and at any time you can check your copy
of a person's key to determine whether the individual has been vouched for by
someone you trust. In this way, PGP follows one model of human social
interaction, in which we exchange common bonds upon meeting a stranger. ("Hi,"
you might say at a wedding, "I'm Bob, and I'm married to the bride's cousin
Sue," and your interlocutor responds, "The groom's my cousin; my name is
Alice." Web of trust established.)
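An added illustration (not part of the original article, and not PGP's own code) of the web-of-trust check described above: a key counts as valid only when enough introducers, whose own keys are already valid and whom you trust, have signed it. The names, the certifications and the thresholds (one fully trusted or two marginally trusted introducers, a depth limit of 4) are constructed assumptions of this sketch.

```python
# Simplified web-of-trust model. All names, signatures and thresholds here
# are constructed for illustration; they are not taken from PGP itself.
FULL, MARGINAL = "full", "marginal"

# (signer, subject): signer has signed (vouched for) subject's key.
CERTS = {
    ("bob", "sue"), ("sue", "alice"),          # Bob -> Sue -> Alice (the wedding)
    ("bob", "dave"), ("bob", "erin"),
    ("dave", "carol"), ("erin", "carol"),      # two marginal introducers agree
    ("dave", "frank"),                         # only one marginal introducer
    ("alice", "trent"),                        # Alice is valid but not trusted
    ("eve", "mallory"),                        # Eve's own key was never validated
}
# How much Bob trusts each key owner to vouch for others.
TRUST = {"sue": FULL, "dave": MARGINAL, "erin": MARGINAL, "eve": FULL}


def valid_keys(me, certs, trust, completes_needed=1, marginals_needed=2,
               max_depth=4):
    """Return {key: depth} for every key that is valid from `me`'s viewpoint.

    Validity (is this really their key?) is kept separate from trust
    (do I believe their signatures on other keys?). A signature counts
    only if the signer's key is already valid AND the signer is trusted.
    """
    valid = {me: 0}                            # my own key, depth 0
    for depth in range(1, max_depth + 1):
        newly = {}
        for subject in {s for _, s in certs} - set(valid):
            full = marginal = 0
            for signer, signed in certs:
                if signed != subject or signer not in valid:
                    continue                   # unvalidated signers are ignored
                if signer == me or trust.get(signer) == FULL:
                    full += 1
                elif trust.get(signer) == MARGINAL:
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                newly[subject] = depth
        if not newly:                          # nothing changed: stop early
            break
        valid.update(newly)
    return valid


if __name__ == "__main__":
    for key, depth in sorted(valid_keys("bob", CERTS, TRUST).items()):
        print(f"{key}: valid at depth {depth}")
```

Mallory's key stays unvalidated even though Bob trusts Eve, because nobody Bob can verify has vouched for Eve's own key; Trent's stays unvalidated because Alice's key is valid but Bob has not chosen to trust her as an introducer.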
If all this sounds like cloak-and-dagger spy business, or like the kind of
ranting associated with exceptionally paranoid people, consider what reliable
electronic privacy could mean in your personal and professional life.
- If you use e-mail for routine business, how much trust would you place
in a sensitive message you receive? For instance, if you are a university
administrator who is handling a student disciplinary matter, and you receive a
mail message about the incident from a colleague who is involved in the event,
can you be sure that the message is truly from the person it claims to be from?
An authenticated digital signature on the mail would allow you to proceed with
reasonable confidence that the message was valid.
- If you are a student
whose classwork is supplemented by electronic communication with your
professor, and you receive a crucial message about a presentation you are
scheduled to make, can you be certain that the message is genuine and not a
forgery created by an ultracompetitive fellow student? A digital signature,
along with the date stamp (which serves as a kind of electronic postmark) could
assure you that the message is genuine.
- If you are a professor who prepares
final exams on your home computer, and you need to submit them to the
department's administrative assistant, can you be sure the message will not be
intercepted between your computer and the assistant's? PGP's encryption feature
would let you scramble the message so that only the assistant can unscramble
it.
Paranoia or Preparedness?
For those who might dismiss privacy concerns as outbreaks of paranoia, there
were a number of chilling incidents in the news during the last two years. Some
of these could be addressed by the widespread use of strong encryption; many
are the result of greater official intrusion in the world of cyberspace. More
boldly than ever, governments and corporations seem to have begun intruding
into what any reasonable person would consider private business.
Consider some events of 1994 and 1995:
The FBI renewed its efforts to widen its power to tap telephone wires.
The move came in response to the staggering growth in digital communication,
which is more resistant to eavesdropping than conventional analog
communication. If the effort succeeds, the bureau would have the ability to tap
many more domestic telephone calls than is now possible. FBI spokesmen assure
the public that law-enforcement agencies perform less than 1,200 wiretaps
annually and that the bureau does not expect that number to increase
significantly. The New York Times reported (on November 2, 1995) that the FBI
has proposed new plans to dramatically extend wiretap capabilities. Louis
Freeh, director of the FBI, contested this in a letter to the chairman of the
House Judiciary Committee {http://www.fbi.gov/wiretap.htm}. But the director
acknowledged that the bureau
considers having extensive access to state-of-the-art wiretapping an essential
part of its mission (as stated in {http://www.fbi.gov/crypto.htm}). Meanwhile,
privacy activists gently remind us of the need for constant vigilance against U.S. government abuses
(http://www.cpsr.org/cpsr/privacy/epic/epic.html; {http://vip.hotwired.com/Lib/Privacy/index.html}).
CompuServe restricted its network news service, based on the content of
certain news groups.
CompuServe, a U.S. company that is seeking to become a major worldwide Internet
service provider, took unprecedented action just before the end of 1995. The
company announced that at the demand of prosecutors in Munich, who objected to
the content of certain news groups, the online service would ban more than two
hundred sexually oriented network news groups from access through any
CompuServe account around the world. As the year ended, CompuServe was at the
center of a firestorm of controversy. The German government denied having made
any such demands, and CompuServe publicly promised to engineer its service so
that it could selectively control news access solely for customers in Germany.
U.S. activists who oppose attempts by Congress to regulate Internet traffic
noted the irony of the situation, in which a European power imposed -- even if
only temporarily -- broad restrictions on a U.S.-based information provider,
precisely in subject areas U.S. reformers have tried to restrict. As this
article was written, CompuServe and the German government were pointing fingers
of blame at each other, but the news groups in question were still unavailable
to CompuServe subscribers. Two popular slogans among Internet enthusiasts are
that the Internet "recognizes no geographical borders" and that it has the
ability to "interpret censorship as damage, and route [traffic] around it." The
CompuServe case is a chilling reminder that on the Internet, repression and
restriction also respect no traditional borders of culture or geography, and
that technological solutions are not always impervious to political
manipulation.
The U.S. government still maintains tight control over secure computer
hardware and software.
All strong tools that can be used to encrypt information are officially
classified as "munitions," along with the usual military hardware, and are
subject to strict U.S. export controls. (Some encryption tools are considered
so effective that even U.S. intelligence agencies are unable to break the
codes.) People convicted of violating the export regulations are subject to
heavy fines and jail sentences. One result of this situation is that U.S.
companies are unable to produce competitive products for world markets when
those products contain cryptographic features. The only security tools approved
for export from the U.S. are tools that are cryptographically weak, and nobody
involved in computer security -- whether buying it or selling it -- has a
vested interest in relying on suspect security products when the goal is to
protect sensitive information.
Netscape crippled its own server software to comply with U.S. export laws.
Netscape Communications, which produces the
most popular browsing software used to read Web pages, released its secure Web
server in 1995. (A Web server is the software that makes Web pages available on
the Internet.) Netscape's target audience for that product is primarily the
business market. The software incorporates a cryptographic feature that
scrambles information as it passes over the Internet, in order to allow
credit-card and other sensitive transactions to be transmitted securely.
However, because of U.S. export restrictions, Netscape was forced to offer
weakened cryptographic features in order to get approval to sell its product
overseas. Netscape developers watched helplessly as resourceful computer
researchers in Europe quickly and gleefully cracked the server's security with
surprisingly slight effort. The Europeans had made their point: By forcing
companies to weaken security features, the U.S. government undermines its own
software industry.
The Clipper Chip may rise again.
In 1994, the Clinton administration abandoned its efforts to introduce the
"Clipper Chip" in telephone products. The Clipper initiative would have allowed
manufacturers of communications equipment to legally install strong
cryptographic features into devices and to sell them domestically and overseas.
These devices would transmit encrypted information, so that anyone who managed
to tap the telephone line would hear only unintelligible noise. The government,
however, would retain "master keys" for each encryption device, to be held in
escrow by two government departments. On paper, the plan called for the Justice
Department to be granted access to those master keys only after receiving legal
authorization in the form of a court order. It appears, though, that a broad
majority of the American public remembers past abuses sufficiently to deeply
mistrust the Justice Department; public opposition eventually doomed the
Clipper Chip. However, it is widely rumored that a revised version of the
scheme will emerge sometime before the end of the century. Observers expect
that there will be no great demand for such products outside the U.S. Why, ask
critics of Clipper, would any foreign government or corporation want to use an
encryption device to which the U.S. government holds the master key? It seems
the U.S. government favors strong encryption tools -- but only as long as it
can override encryption at its discretion.
The FBI may want a copy of your private keys.
The director of the FBI, Louis Freeh, has hinted that his department might at
some point seek to entirely outlaw private encryption schemes in which federal
authorities do not have access to the keys. Freeh entered uncharted territory
when he hinted that use of private encryption software might eventually be made
strictly illegal in the U.S. (Possession and use of such software is already
prohibited in France, Russia, and Belgium.) Freeh explains that strong
encryption is too dangerous in private hands, because it can be used by drug
traffickers, terrorists, and producers of child pornography.
Staking Claims before the Fences Get Built
Many of these events received considerable attention in the news. They caused a
number of people -- not all of them computer experts -- to reconsider certain
realities of the online world, and to evaluate all the available options that
might provide for better integrity and security of electronic communications,
including, of course, private electronic mail.
Politically speaking, these are all emotionally charged issues that cannot be
reduced to simplistic terms. But concerned citizens have the option of
acquainting themselves with software privacy tools now. And there may still be
time for people to educate elected representatives about issues like privacy in
cyberspace.
The Internet finally reached critical mass in the United States during 1995.
Sophisticated online services and communications went mainstream with
astonishing vigor. E-mail addresses now routinely appear in traditional
publications and in advertisements. Web addresses are plastered on billboards
and buses. A significant number of households across the U.S. have started to
add additional telephone lines to allow uninterrupted modem access to online
services without interfering with regular voice service.
Many people in the Internet community, and also in the printed media that
target the online community, cheer these developments. Electronic communication
is viewed in many circles as a liberating force that provides unprecedented
powers to ordinary citizens.
Given the right tools, say enthusiasts, any private individual can now
communicate with a mass audience (by way of topical mailing lists or network
news groups), publish material free from censorship at little or no financial
cost (by creating a World-Wide Web site through an independent network-service
provider), slice through layers of bureaucracy (by sending e-mail directly to
an individual at any level in an organization), take advantage of online
information as effectively as any big business (by accessing public and private
databases), and conduct business without the constraints associated with paper
mail and telephone calls (by using private e-mail and other one-to-one forms of
communication).
But for each step forward, cyberspace enthusiasts have come to realize that
they must remain perpetually vigilant against the intrusions of governments and
other authorities, and that the dizzying freedom associated with the early days
of the Internet may not always be taken for granted.
Tim O'Connor was the ACF's System and Network Security Manager at the time
of this article's publication.
{tim.oconnor@nyu.edu}
Posted 21 February 1996. Revised 20 May 2004.