Datamex Technologies Inc.

7490 Pacific Cricle, Unit 7  Mississauga, ON  L5T 2A3  Canada

Tel: 905-565-0900   Fax: 905-565-0901   eMail: info@datamex.com

 

New York  .  Toronto  .  Ottawa  .  Montreal  .  Calgary  .  Vancouver

From an internet article written by Phillip Zimmerman, author of encryption program, PGP (Pretty Good Privacy).

The link to this article is here: http://education.illinois.edu/wp/privacy/encrypt.html

"If privacy is outlawed, only outlaws will have privacy. Intelligence agencies have access to good cryptographic technology. So do the big arms and drug traffickers. So do defense contractors, oil companies, and other corporate giants. But ordinary people and grassroots political organizations mostly have not had access to affordable military grade public-key cryptographic technology. Until now.

 

PGP empowers people to take their privacy into their own hands. There's a growing social need for it. That's why I wrote it.",

Phillip Zimmermann, author of encryption software program, PGP [1]

 

Introduction

 

Maintaining privacy in our personal communications is something everyone desires. Encryption is a means to achieve that privacy. It was invented for that very purpose. That makes encryption a good idea, right? But encryption, like most things, can be used for good or evil. And the debate over how to harness this powerful tool rages on as people on both sides see that there are no easy answers.

 

What is encryption?

 

Encryption is the process of scrambling a message so that only the intended recipient can read it. The actual cryptographic process is generally a complicated mathematical formulation, the more complex -- the more difficult to break. A key is supplied to the recipient so that they can then decipher the message. Keys for encryption algorithms are described in terms of the number of bits. The higher the number of bits - the more difficult that cryptosystem would be to break.

 

Why do we need it?

 

Encryption can provide a means of securing information. As more and more information is stored on computers or communicated via computers, the need to insure that this information is invulnerable to snooping and/or tampering becomes more relevant. Any thoughts with respect to your own personal information (ie. medical records, tax records, credit history, employment history, etc.) may bring to mind an area in which you DO want, need or expect privacy. As teachers, we are often called upon to handle sensitive student information. We need to have access to student records, but maintain the confidentiality of their information.

 

Encryption is seen by many people as a necessary step for commerce on the internet to succeed. Without confidence that net transactions are secure, people are unwilling to trust a site enough to transact any sort of business using it. Encryption may give consumers the confidence they need to do internet business.

 

Encryption can also provide a means of "message authentication". The PGP User's Guide explains, "The sender's own secret key can be used to encrypt a message thereby signing it. This creates a digital signature of a message...This proves that the sender was the true originator of the message, and that the message has not been subsequently altered by anyone else, because the sender alone possesses the secret key that made that signature." [2] This prevents forgery of that signed message, and prevents the sender from denying the signature.

 

E-mail is certainly not secure. While you may believe that the use of a password makes your business private, you should be aware that sending information without encryption has been likened to sending postcards through the mail. Your message is totally open to interception by anyone along the way. You may believe that your personal e-mail is not incriminating and does not contain content that you must keep secret, and you may be right. But there are many common situations, where users have a legitimate need for security both to protect that information and to insure that information is not tampered with: Consumers placing orders with credit cards via the Internet, journalists protecting their sources, therapists protecting client files, businesses communicating trade secrets to foreign branches, ATM transactions, political dissenters, or whistle-blowers -- all are examples of why encryption may be needed for e-mail or data files, and why it might be necessary to create a secure environment through its use.

 

ISSUES

 

#1 : Does it really work? Does encryption guarantee security?

 

First, many businesses and individuals employ encryption successfully. But, it can't work if people don't use it. If encryption is not made easy-to-use, most people will not bother. But, clearly, the perception of security is important. Internet sales have skyrocketed with the public's rising confidence that online transactions are secure.

In his article, "Selling Wine Without Bottles: The Economy of Mind on the Global Net", John Perry Barlow discusses the use of encryption for protection of intellectual property. Barlow claims that in some ways using encryption is almost an invitation to hackers to try to break in!! He writes that "the more security you hide your goods behind, the more likely you are to turn your sanctuary into a target" [3] In attempting to secure information, it becomes less secure!!?? Remember, that once a code is broken, all the information stored using that method is vulnerable to tampering, or copying.

Additionally, the level of encryption determines its effectiveness. Current levels of encryption vary remarkably from situation to situation. Certainly, a level of encryption that is easily broken can do more harm than good - giving the false sense of security.

 

#2 : Laws regarding encryption?

 

Currently, encryption is classified as a munition under the Internation Traffic in Arms Regulations (ITAR). That makes the export of encryption programs or devices illegal.

Why does this law exist? In what ways could encryption be considered dangerous?

The power of encryption to keep secrets could be misused. It might be employed to conceal criminal activity or for harassment. Stalkers or predators could "hide" using encryption, their identities would be untraceable. It could be used for acts of terrorism, the likes of which are pretty frightening when you consider all of the systems that are computerized today.

In many applications, encryption could be seen as a threat to existing methods of law enforcement. Should a level of encryption that law enforcement is unable to decipher become easily available, law enforcement would be unable to use current surveillance/wiretapping techniques.

With malevolent use of encryption our information infrastructure may be at risk. Peter Ludlow, and many cypherpunks, have speculated that free, unrestrained encryption could cause loss of governmental control on the tax revenues generated in businesses on the web. If the business is "secret", how can taxes be assessed? There would be no means for the government to track revenues in order to collect! With the loss of tax revenues, government as we know it could simply cease to exist. Timothy May describes (foretells?) of a hypothetical underground black market for swapping proprietary information could be set up on the internet (BlackNet) that would allow for the sale of all types of destructive and/or sensitive information. The legal authorities would be powerless to stop it. [4]

Understandably, there are concerns to making powerful encryption available to all Americans. Yet, when the need for privacy is so clear, do we make encryption illegal because it could be used for evil?? As Peter Ludlow asks, "The question is, which set of concerns should weigh more heavily, those of individuals or those of government security forces?" [? ]

 

#3 : By current law, (ITAR) the President has the power to determine what items warrant export controls. Encryption is allowed, but only in 40 bit keys.

The government says it controls this level for valid national security purposes. The trouble is that the government's acceptable level of encryption is not very safe. Most savvy users realize that DES is breakable, and use other stronger methods. US businesses, restricted to using this level of encryption that is known to be less secure, lose foreign business. Additionally, US companies and talented programmers, are unable to legally market their inventions. Some have already moved to other countries to get around this law. (Find example of programmer in Antigua ) American business is not playing on a level playing field!

 

Court challenges to encryption's classification under ITAR have met with mixed results. In the Bernstein case, the federal judge found software code to be free speech, protected under the first amendment. Professor Bernstein is now free to publish his Snuffle 5.0 software on the Internet without fear of prosecution. Two other challenges have failed. Karn challenged the logic of a law that permits the export of a textbook version of cryptography, but denies legal export of a floppy disk containing the exact same material! Junger, a college professor, wished to use links to encryption on his webpage as part of hiscourse. The judge in this case found that posting software on the Internet is an export, and the export of source code is "not protected conduct under the First Amendment." He declared the Bernstein court's assertion that "language equals protected speech" unsound, since it disregards the issue of whether it expresses ideas.

 

Most of the legislation concerning encryption that has been/is being proposed, such as

  • ECPA (Encrypted Communications Privacy Act),

  • ProCODE (Promotion of Commerce On-Line in the Digital Era),

  • E-PRIVACY (Encryption Protects the Rights of Individuals from Violation and Abuse in CYberspace),

  • SAFE (Security and Freedom through Encryption)

outline relaxation of export controls and lessening government involvement. The SPNA (Secure Public Networks Act) is an exception, proposing a government-line bill. For up-dates on the status of such legislation, visit EPIC's online legislative bill tracking website.

 

#4 : E-mail Security - an OXYMORON?

 

Who has access to your email? There are a few people (systems) that could possibly read your message along the way. The system operator has access to your message in the "spool files" at the local site. A system administrator has access as well and can release information regarding your email to law enforcement agencies should they be requested to do so. Bounced messages go to Postmasters at a site with the entire message intact. Some mailing lists are actually publicly accessible using mail routing software systems.

 

There are levels of e-mail privacy associated with the types of messages that are sent. Public messages are those posted to newsgroups and other forum groups. Anyone within these groups can read your message and forward it on to other people. Make sure that only public information is displayed in this type of correspondence. Chat rooms and newsgroups that claim to be private because they require a password are a little more private than the public newsgroups or chat rooms. But the participants in these groups can copy your communiqué and send that information wherever they wish.

There are online services that provide some "private" means of communicating and are protected by the ECPA (Electronic Communications Privacy Act), a law that applies to email. However, there are three exceptions to this law that are important to note. The article "Privacy in Cyberspace" takes a close look at these exceptions: "The online service may view private email if it suspects the sender is attempting to damage the system or harm another user. The service may legally view and disclose private email if either the sender or the recipient of the message consent to the inspection or disclosure. And, if the email system is owned by an employer, the employer may inspect the content of employee email on the system". [7]

There is really only one sure way to protect your email privacy and that is by using encryption.

 

Ways to Protect Privacy

 

The Electronic Privacy Information Center (EPIC) offers an Online Guide to Practical Privacy Tools including such software methods as:

  • encryption programs. Through the use of this software, one can send messages in code to be sure only the recipient can read it. PGP (Pretty Good Privacy) is an example

  • steganography, a process of hiding files within other files

  • programs for file wiping. Often files that you believe you have deleted are not really gone, but simply relocated to another portion of the drive or disk. A program like WipeIt ensures that sensitive material is truly destroyed.

  • Anonymous Remailers are services that provide a way to send e-mail anonymously. Andre Bacard explains these services in easy to understand language.

  •  

It should be noted that hardware devices can also be used to insure privacy. One example of a hardware device, originally proposed for privacy purposes by the Bush Administration, is the Clipper Chip. This chip was to be inserted into all electronic communications devices, giving them automatic encryption powers. The idea was to protect cellular phone conversations, fax machine communiqués, etc from eavesdroppers. The Clipper chip was to use a new classified NSA (National Security Agency) encryption algorithm called SKIPJACK. Government agencies would hold a copy of the key so that they could gain access in situations where they acquired a legal wiretap. While the government claimed this would help people and protect them, there are many concerns about the untested, unknown algorithm. Will overseas businesses accept it? Will they trust it's security? Is this mandatory hardware privacy device really private? Is this such a great idea after all??