Forwarded from Farber's Interesting People (IP) list...
After the FBI gets their crypto laws, no doubt Internet wiretaps will be
next on the agenda.
---------- Forwarded message ----------
Date: Tue, 16 Jun 1998 17:06:21 -0400
From: Dave Farber <farber(a)cis.upenn.edu>
To: ip-sub-1(a)majordomo.pobox.com
Subject: IP: Review of "Privacy on the Line"
From: sbaker(a)Steptoe.com
Date: Tue, 16 Jun 1998 16:05:05 -0400
To: <farber(a)cis.upenn.edu>
Dave, I thought you might like to see the review I did for the American
Mathematical Society of Whit Diffie's and Susan Landau's book. Feel free to
share it as long as the Notices of the AMS gets a credit line.
Stewart Baker
********************************************************************************
"Privacy on the Line: The Politics of Wiretapping and Encryption"
by Whitfield Diffie and Susan Landau
Reviewed by: Stewart Baker
I wasn't sure I would like this book, but I knew I had to read it. It's the
story of my life---the last several years, anyway.
In the early 1990s, I was the general counsel of the National Security Agency
(NSA), a job that required me among other things to sell key escrow encryption
and the Clipper Chip to the Clinton Administration (mission accomplished) and to
the rest of the country (er, the less said about that, the better). I had the
chance, too, to work closely with the Federal Bureau of Investigation (FBI),
especially on the problem of how to conduct wiretaps in a new and far
more demanding environment.
One of the surprising results of breaking up AT&T was to create a slow-motion
crisis for law enforcement. So long as communications were controlled by one
company---with a heavy stake in demonstrating its good citizenship---planning
for and providing wiretap access was easy. AT&T knew what the FBI needed, and
it could build those requirements into its products, passing the cost along to
consumers. But deregulation put a premium on getting to market quickly,
reducing overhead, and building lightweight innovative products. Law
enforcement wasn't the customer, and it was increasingly left behind in the
explosion of new products and services. Often, law enforcement didn't have the
technical expertise or the funds to adapt to the new technologies; and sometimes
even expertise and money weren't enough.
After several years of trying to jawbone industry into compliance with its
requirements, the FBI decided in the early 1990s that it needed a big stick, it
needed a law. The law would not try to sort out all the technical problems that
industry said were preventing wiretaps. It would solve the problem by fiat,
simply requiring that all telecommunications carriers and manufacturers
design wiretap capabilities into all their products and services.
Privacy advocates were horrified. The press was hostile. Industry jeered. Not
one member of Congress could be found who would introduce the FBI's bill.
The FBI, however, never gave up. They showed up for every debate, they
mobilized local police, they lobbied Congress relentlessly.
Three years later, the Senate passed the Communications Assistance to Law
Enforcement Act (CALEA), with the FBI's requirement, by a voice vote of 98-0.
That was round one. Round two, for the FBI, is encryption. Most of the computer
software and hardware industry sat out the fight over CALEA, and those companies
haven't grasped how much the CALEA debate shaped the FBI's view of encryption.
Thanks to CALEA, the FBI is undaunted by the technical complexity of building
key recovery into encryption, or by the claims of industry that it can't be
done. They heard the same thing from telecommunications companies---all of whom
are now building wiretap capabilities into their products.
And thanks to CALEA, the FBI is not too troubled by the bad press it's getting
over encryption, or by the privacy and industry complaints---or even by the
Congressional harrumphing. They've heard all that before, too. In the CALEA
debate, it was patience that paid off; and, in the end, the Bureau believes that
Congress will have to mandate crypto controls just as it had to mandate wiretap
requirements.
Since leaving government, I've advised dozens of companies on how to live not
just with encryption controls and key recovery, but also CALEA. I've started to
joke that my law practice consists of being the first lawyer to discover that
the country's main technology and telecommunications regulatory body is the
Federal Bureau of Investigation.
So any book that deals with the politics of wiretapping and encryption is hard
to resist. If I took it to the beach to read, I could probably deduct the trip.
Still, I had my doubts. Whitfield Diffie is a famous cryptographer, of course,
but I knew him first as NSA's single most determined and effective opponent. I
can't defend every aspect of the government's current policies on encryption and
wiretapping, but I still have a deep reservoir of sympathy for that point of
view. Wiretapping is an important criminal investigation tool, particularly
when law enforcement is targeting the leaders of organized crime, who usually
don't commit crimes so much as order them committed. There is no doubt that a
wired society needs ubiquitous encryption; but it's equally true that ubiquitous
encryption will give wired criminals new protections from the law.
That's why I still bridle at too-simplistic Silicon Valley retorts to law
enforcement concerns---especially those that run along the lines of, "We're
smart. We're rich. They're not. We win." I wasn't looking forward to
reading a self-congratulatory book about clueless cops being outsmarted by
liberty-loving technologists.
To my surprise, that's not what Diffie and Landau have written. They've
produced something quieter and more useful. Like a handful of others (mostly
professional privacy advocates and FBI officials) they see the entire
picture---something the high-tech industry has so far only seen in bits and
pieces. Ready or not, the FBI is determined to force us all into a debate over
how and whether we will shape the direction of technological change.
This book draws together the elements of that story in a fashion that is
scholarly, though it's too well written to deserve that adjective. Diffie and
Landau don't quite popularize the issue---this is still a book only a policy
wonk could love---but they ease the reader gracefully into some remarkably
complex material as though it were a warm bath.
The book begins with an admirably simple introduction to cryptography that
carries the reader deep into the topic. I have to confess that I never knew how
"S-boxes" got their name until I worked my way through Diffie and Landau's
description of the Digital Encryption Standard and its historical debt to
Vigenère ciphers. (I told you this was a wonk's book.) The authors next march
the reader through a history of crypto policy, laying out the interests of the
National Security Agency, the public cryptography movement, law enforcement, the
National Institute of Standards and Technology, and privacy advocates.
With the groundwork laid, the book then plunges into wiretapping, its history,
value, and abuses. It sketches the FBI's five-year fight to enact CALEA. The
closing chapter traces the evolution of the encryption debate from a fight
between the software industry and the NSA into a fight that pits the FBI against
the likes of Americans for Tax Reform and the National Association of
Manufacturers.
Throughout this tour, there isn't any doubt where the authors' sympathies lie.
They linger almost lovingly over thirty- and forty-year-old stories of how the
FBI once abused its wiretap authority. They insist on a long and not entirely
persuasive discussion of why wiretaps aren't that useful to law enforcement.
Government arguments tend to get much shorter shrift than civil libertarian
rebuttals. But it is perhaps a sign of how bitter the encryption battle has
become that Diffie and Landau deserve credit for including the government's
arguments at all.
They deserve praise as well for avoiding dishonest arguments that support their
point of view. Not everyone in this debate is so careful. Lawyers for
industry, for example, can still be heard to argue that there's no need for
encryption controls because the FBI hasn't offered evidence that it has lost any
cases because of good crypto. Of course this is the kind of Catch-22
argument that is hard to resist because the lawyers know it can't lose. If the
FBI found a way to read the files, then the industry lawyers can say "See,
crypto wasn't a problem." And, if the FBI is truly stymied and can't read the
files, then the lawyers can say either "The defendant was acquitted, and there's
no proof the encrypted files were related to a crime," or "The
defendant was convicted, so the FBI didn't need to decrypt the files." Unlike
some of their allies, Diffie and Landau never insult our intelligence.
In short, it's hard to imagine a better introduction to an issue that will be
with us for years to come.
[Published in Notices of the AMS, Volume 45, Number 6, at 709 (June/July 1998)]