It's easy to list the tools that were used in horrific acts and to argue that depriving ourselves of those tools will prevent future similar incidents. It's easy, but it's wrong.
Following last week's terrorist attacks on symbols of U.S. economic and military strength, the IT community needs to help the nation focus on mitigating future threats, not on closing the doors that the horse got through. Knee-jerk reactions, all too likely from historically ill-informed legislators, could easily cripple commercial and personal applications of encryption, wireless communications, digital cash and media technologies, with little inconvenience to criminals.
No information technology has been more demonized than cryptography, especially since the advent of mathematically robust "strong" techniques that all but defy even theoretically possible attacks. Free access to encryption techniques, and unrestricted trading in crypto products, "will be devastating to law enforcement and damage national security," warned then-FBI Director Louis Freeh in a 1999 testimony before the House Armed Services Committee.
But top law enforcement officials often reveal superficial understanding of exactly what encryption does and of which public threats are actually tied to crypto's use. For example, former Attorney General Janet Reno warned of the hazards of crypto by saying, "Terrorists are now actually using encryption, which means that in the future we may wiretap a conversation in which the terrorists discuss the location of a bomb soon to go off, but we will be unable to prevent the terrorist act because we cannot understand the conversation."
Unless future terrorists are thoughtful enough to speak English, crypto controls won't solve this problem. According to James Bamford's book on the National Security Agency, "Body of Secrets," published earlier this year, U.S. analysts are often unable to make prompt use of even plain-language communication intercepts due to shortage of translation staff, especially for Middle Eastern and African languages. Even English-language communications are easily rendered incomprehensible by judicious use of pronouns: "We'll do it at the second place we talked about," for example, can cover a lot of ground.
Terrorists don't have medical plans, 401(k) accounts or other information assets requiring specific and confidential transaction capabilities to maintain. Ordinary citizens do have these things, and "most presently deployed encryption systems support rather than hinder the prevention and detection of crime," according to the 1998 white paper, "The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption," by eleven authorities including Ronald Rivest (the "R" in the RSA algorithm). Strong encryption, the group observed, "helps to protect burglar alarms, cash machines, postal meters, and a variety of vending and ticketing systems from manipulation and fraud."
If terrorists can't get state-of-the-art crypto tools, they can undetectably embed their messages in digital photos or music, using software such as OutGuess (www.outguess.org) or Steghide (steghide.sourceforge.net). Or are we prepared to ban all digital media?
Here is the fundamental paradox of modern strong encryption: Its most irreplaceable function is enabling confidential transactions, via public networks, among parties previously unknown to each other. Criminals and terrorists can use other methods, such as one-time pads or book codes, that are equally unbreakable but that require previous arrangement; to them, a minor nuisance.
If deprived of strong crypto, criminals and terrorists have alternative means of secure communication, but freedom of commerce is badly crippled, and the terrorists' work is done for them.
Peter Coffee is Director of Platform Research at salesforce.com, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues. Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, and he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.