Forwarded from Farber's Interesting People (IP) list... After the FBI gets their crypto laws, no doubt Internet wiretaps will be next on the agenda. ---------- Forwarded message ---------- Date: Tue, 16 Jun 1998 17:06:21 -0400 From: Dave Farber <farber@cis.upenn.edu> To: ip-sub-1@majordomo.pobox.com Subject: IP: Review of "Privacy on the Line" From: sbaker@Steptoe.com Date: Tue, 16 Jun 1998 16:05:05 -0400 To: <farber@cis.upenn.edu> Dave, I thought you might like to see the review I did for the American Mathematical Society of Whit Diffie's and Susan Landau's book. Feel free to share it as long as the Notices of the AMS gets a credit line. Stewart Baker ******************************************************************************** ****************************** "Privacy on the Line: The Politics of Wiretapping and Encryption" by Whitfield Diffie and Susan Landau Reviewed by: Stewart Baker I wasn't sure I would like this book, but I knew I had to read it. It's the story of my life---the last several years, anyway. In the early 1990s, I was the general counsel of the National Security Agency (NSA), a job that required me among other things to sell key escrow encryption and the Clipper Chip to the Clinton Administration (mission accomplished) and to the rest of the country (er, the less said about that, the better). I had the chance, too, to work closely with the Federal Bureau of Investigation (FBI), especially on the problem of how to conduct wiretaps in a new and far more demanding environment. One of the surprising results of breaking up AT&T was to create a slow-motion crisis for law enforcement. So long as communications were controlled by one company---with a heavy stake in demonstrating its good citizenship---planning for and providing wiretap access was easy. AT&T knew what the FBI needed, and it could build those requirements into its products, passing the cost along to consumers. But deregulation put a premium on getting to market quickly, reducing overhead, and building lightweight innovative products. Law enforcement wasn't the customer, and it was increasingly left behind in the explosion of new products and services. Often, law enforcement didn't have the technical expertise or the funds to adapt to the new technologies; and sometimes even expertise and money weren't enough. After several years of trying to jawbone industry into compliance with its requirements, the FBI decided in the early 1990s that it needed a big stick, it needed a law. The law would not try to sort out all the technical problems that industry said were preventing wiretaps. It would solve the problem by fiat, simply requiring that all telecommunications carriers and manufacturers design wiretap capabilities into all their products and services. Privacy advocates were horrified. The press was hostile. Industry jeered. Not one member of Congress could be found who would introduce the FBI's bill. The FBI, however, never gave up. They showed up for every debate, they mobilized local police, they lobbied Congress relentlessly. Three years later, the Senate passed the Communications Assistance to Law Enforcement Act (CALEA), with the FBI's requirement, by a voice vote of 98-0. That was round one. Round two, for the FBI, is encryption. Most of the computer software and hardware industry sat out the fight over CALEA, and those companies haven't grasped how much the CALEA debate shaped the FBI's view of encryption. Thanks to CALEA, the FBI is undaunted by the technical complexity of building key recovery into encryption, or by the claims of industry that it can't be done. They heard the same thing from telecommunications companies---all of whom are now building wiretap capabilities into their products. And thanks to CALEA, the FBI is not too troubled by the bad press it's getting over encryption, or by the privacy and industry complaints---or even by the Congressional harrumphing. They've heard all that before, too. In the CALEA debate, it was patience that paid off; and, in the end, the Bureau believes that Congress will have to mandate crypto controls just as it had to mandate wiretap requirements. Since leaving government, I've advised dozens of companies on how to live not just with encryption controls and key recovery, but also CALEA. I've started to joke that my law practice consists of being the first lawyer to discover that the country's main technology and telecommunications regulatory body is the Federal Bureau of Investigation. So any book that deals with the politics of wiretapping and encryption is hard to resist. If I took it to the beach to read, I could probably deduct the trip. Still, I had my doubts. Whitfield Diffie is a famous cryptographer, of course, but I knew him first as NSA's single most determined and effective opponent. I can't defend every aspect of the government's current policies on encryption and wiretapping, but I still have a deep reservoir of sympathy for that point of view. Wiretapping is an important criminal investigation tool, particularly when law enforcement is targeting the leaders of organized crime, who usually don't commit crimes so much as order them committed. There is no doubt that a wired society needs ubiquitous encryption; but it's equally true that ubiquitous encryption will give wired criminals new protections from the law. That's why I still bridle at too-simplistic Silicon Valley retorts to law enforcement concerns---especially those that run along the lines of, ``We're smart. We're rich. They're not. We win.'' I wasn't looking forward to reading a self-congratulatory book about clueless cops being outsmarted by liberty-loving technologists. To my surprise, that's not what Diffie and Landau have written. They've produced something quieter and more useful. Like a handful of others (mostly professional privacy advocates and FBI officials) they see the entire picture---something the high-tech industry has so far only seen in bits and pieces. Ready or not, the FBI is determined to force us all into a debate over how and whether we will shape the direction of technological change. This book draws together the elements of that story in a fashion that is scholarly, though it's too well written to deserve that adjective. Diffie and Landau don't quite popularize the issue---this is still a book only a policy wonk could love---but they ease the reader gracefully into some remarkably complex material as though it were a warm bath. The book begins with an admirably simple introduction to cryptography that carries the reader deep into the topic. I have to confess that I never knew how "S-boxes'' got their name until I worked my way through Diffie and Landau's description of the Digital Encryption Standard and its historical debt to Vingenere ciphers. (I told you this was a wonk's book.) The authors next march the reader through a history of crypto policy, laying out the interests of the National Security Agency, the public cryptography movement, law enforcement, the National Institute of Standards and Technology, and privacy advocates. With the groundwork laid, the book then plunges into wiretapping, its history, value, and abuses. It sketches the FBI's five-year fight to enact CALEA. The closing chapter traces the evolution of the encryption debate from a fight between the software industry and the NSA into a fight that pits the FBI against the likes of Americans for Tax Reform and the National Association of Manufacturers. Throughout this tour, there isn't any doubt where the authors' sympathies lie. They linger almost lovingly over thirty- and forty-year-old stories of how the FBI once abused its wiretap authority. They insist on a long and not entirely persuasive discussion of why wiretaps aren't that useful to law enforcement. Government arguments tend to get much shorter shrift than civil libertarian rebuttals. But it is perhaps a sign of how bitter the encryption battle has become that Diffie and Landau deserve credit for including the government's arguments at all. They deserve praise as well for avoiding dishonest arguments that support their point of view. Not everyone in this debate is so careful. Lawyers for industry, for example, can still be heard to argue that there's no need for encryption controls because the FBI hasn't offered evidence that it has lost any cases because of good crypto. Of course this is the kind of Catch-22 argument that is hard to resist because the lawyers know it can't lose. If the FBI found a way to read the files, then the industry lawyers can say "See, crypto wasn't a problem.'' And, if the FBI is truly stymied and can't read the files, then the lawyers can say either "The defendant was acquitted, and there's no proof the encrypted files were related to a crime,'' or "The defendant was convicted, so the FBI didn't need to decrypt the files.'' Unlike some of their allies, Diffie and Landau never insult our intelligence. In short, it's hard to imagine a better introduction to an issue that will be with us for years to come. [Published in Notices of the AMS, Volume 45, Number 6, at 709 (June/July 1998)]