And would restricting crypto have given the authorities a change to stop these acts?
By Steven Levy
NEWSWEEK WEB EXCLUSIVE
Sept. 11 — “Well, I guess this is the end now. . . .” So wrote the first Netizen to address today’s tragedy on the popular discussion group, sci.crypt. The posting was referring what seems like an inevitable reaction to the horrific terrorist act: an attempt to roll back recent relaxations on encryption tools, on the theory that cryptography helped cloak preparations for the deadly events.
BUT THE DESPONDENCY reflected in the comment can be applied more generally. The destruction of the World Trade Center and the attack on the Pentagon comes at a delicate time in the evolution of the technologies of surveillance and privacy. In the aftermath of September 11, 2001, our attitude toward these tools may well take a turn that has profound implications for the way individuals are monitored and tracked, for decades to come.
The first issue on the docket will be the fate of tools that enable citizens to encrypt their e-mail, documents and phone conversations as they zip through cyberspace and the ether. Over the past decades there have been heated debates over whether this technology should be restricted—as it can clearly benefit wrong-doers as well as businesspeople and just plain average people.
The prime government argument in favor of restrictions invoked the specter of precisely this kind of atrocity. Quite literally, it was the fear of “another World Trade Center” that led the Clinton administration in the 1990s to propose a system whereby people could encode their e-mails and conversations, but also provide the Feds with a “back-door” means of access. Now that those fears have come to pass, it’s fair to ask those who lionized crypto as a liberating tool to face a tough question: Did encryption empower these terrorists?
And would restricting crypto have given the authorities a chance to stop these acts?
In the recent trial over the bombing of the Libyan embassy, prosecutors introduced evidence that Bin Laden had mobile satellite phones that used strong crypto.
The answer to the first question is quite possibly yes. We do know that Osama Bin Laden, who has been invoked as a suspect, was a sophisticated consumer of crypto technology. In the recent trial over the bombing of the Libyan embassy, prosecutors introduced evidence that Bin Laden had mobile satellite phones that used strong crypto. Even if Bin Laden was not behind it, the acts show a degree of organization that indicates the terrorists were smart enough to scramble their communications to make them more difficult, if not impossible, to understand. If not for encryption, notes former USAF Col. Marc Enger (now working for security firm Digital Defense) “they could have used steganography [hiding messages between the pixels of a digital image] or Web anonymizers [which cloak the origin of messages].”
But that doesn’t mean that laws or regulations could have denied these tools to the terrorists. After all, many of the protocols of strong cryptography are in the public domain. Dozens of programs were created overseas, beyond the control of the U.S. Congress. The government used to argue that allowing crypto to proliferate, particularly to the point of being built into popular systems made by Microsoft or AOL, would empower even stupid criminals. But these were sophisticated terrorists, not moronic crooks.
Before September 11, commercial interests, privacy advocates and most in the government had reached a sort of common ground, balancing high-tech with threats.
Cryptography was regarded as a fact of life, one with some benefit to national secruity as well as risks. (In an age of Info-Warfare, we are the most vunerable nation, and cryptography can help secure our infrastructure.) Intelligence agencies could make up for the difficulties that crypto creates for them by several means, including heightened work in codebreaking, more use of “human assets” (spies), and—most of all—taking advantage of the bounty of new information that the telecom revolution has forced out into the open. E-mail, pagers, faxes, cell phones, Blackberries, GPS systems, Web cookies—every year another device or system seems to emerge to expose information to eavesdroppers. Even if terrorists encrypt content on some of those tools, simply tracking who talks to whom, and measuring the volume of messages, can yield crucial intelligence. (Indeed, this form of “traffic analysis” did produce evidence that was used in the Embassy bombing trial.) The challenge to our spy agencies—one tragically not met this time around—is to use those means to compensate for whatever information might have been lost to encryption.
Beyond the crypto issue are a raft of controversies involving other technologies of surveillance. Before this attack, there was a general feeling that we would see legislation to protect privacy on the Web and perhaps limit tools that threatened civil liberties.
Some feared that face-scanning devices like the one used at the last Super Bowl can track individuals as they move from one publicly mounted surveillance camera to another.
There was criticism directed toward the FBI’s “Carnivore” device, capable of scooping up massive numbers of e-mails from Internet service providers. There was concern over Web bugs that tracked people’s movements on the Internet. There were objections to the Department of Justice’s scheme to insure that cell phones were also tracking devices, presumably to aid 911 services, but potentially becoming homing devices to follow our roamings.
Until today, a pro-privacy consensus was building. Will those concerns be set aside in the rush to do something—anything—to assure ourselves that we can prevent another September 11, 2001?
Privacy advocate Richard Smith anticipates big changes in airport security, but not necessarily a reboot on overall privacy outlook. “Those types of restrictions just don’t work against people like [these terrorists],” he says. Let’s hope that he’s right—that wisdom and courage, and not fear, dictates future policy. Otherwise, the legacy of this terrible day may become even more painful.
--------------------------------------------------------------------------------
Newsweek Senior Editor Steven Levy is the author of “Crypto: How the Code Rebels Beat the Government—Saving Privacy in the Digital Age”