The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 13 Issue 41

Thursday 16 April 1992

Contents

o Re: Tapping/taping
Donn Parker
Mark Rasch
Joel Upchurch
Phil Karn
Mike Gore
John Mainwaring
Irving Wolfe
o FBI phone tapping bill
Steve Dever
o Info on RISKS (comp.risks)

Intercept legislation

"Donn Parker" <donn_parker@qm.sri.com>
16 Apr 1992 16:09:04 U
The Intercept law proposed by the FBI is in need of the full support of the
cyberspace community but requires some additions that are disturbingly absent.
The proposed amendment to the Communications act of 1934 is necessary to
perpetuate an essential capability of law enforcement to protect the public
from crime and particularly to protect the privacy of individuals whose
personal information is communicated.  However, it has serious shortcomings
that must be corrected that I hope organizations such as EFF and CPSR can
address that are needed to protect all the stakeholders from unauthorized use
and misuse of the interception capability.  Clearly, access and usage security
controls are needed.  In addition, recording of all intercept activity is
needed for audit and evidential purposes.  Finally, only the FCC rulemaking
proceedings should be kept secret that would aid and abet unauthorized persons
to abuse the capability to use the intercept capability for bad purposes; some
detailed information about the auditing and safeguarding must not be revealed.

The providers and PBX operators probably require the interception capabilities
anyway for maintenance and line quality testing.  However, my suggested
additions would help ensure that interception for whatever reasons would not be
misused, and abusers could more effectively be prosecuted.
                                                              Donn B. Parker


Taping without consent

<Rasch@DOCKMASTER.NCSC.MIL>
Thu, 16 Apr 92 16:59 EDT
There has been a lot of debate about whether a person can be videotaped (or
audiotaped) without consent.  The quick answer is it depends.  Of course you
can videotape people or objects if they are in the public view -- they have no
legitimate expectations of privacy.  Just look at The Star or other tabloids
that routinely photograph people on the streets.  There are limitations,
however.  There is a common law tort of interference with or invasion of
privacy, as well as exploitation of a person's likeness for financial gain.
(Suppose the "Coppertone" girl decided to sue).  From a Fourth Amendment
standpoint, a videotape in a public place is not an "unreasonable search or
seizure."

Videotapes in PRIVATE places are another matter.  Because they enable the
government to see what otherwise cannot be seen, and therefore impart
information to the government, they MAY constitute searches in Fourth Amendment
terms.  NOTE that the search (e.g., the videotaping) MUST entail some state
action -- be performed at the behest of law enforcement.  No state action -- no
fourth amendment violation.  (This does not prevent a private suit for
interference with privacy, however).  There is an exception recognized in Katz
v. United States.  That is, what Katz called the "invited ear" exception.  You
ALWAYS run the risk that the person you visit is videotaping you.  (OR, in
Katz, audiotaping you).  This has led to the development of the law of
one-party consent.  IN GENERAL, one party to a conversation may consent to its
being recorded.  Exceptions exist in many jurisdictions for TELEPHONE
conversations where the state law may require two party consent.

If the law always required two-party consent to video/audio recording, imagine
the effect on -- for example -- television news.  No more undercover recodings
-- no more 60 Minutes.  No more panoramic sweeps (consent from all the
pedestrians??).

Finally, in the electronic environment things are even more screwy.  Telephone
calls are covered by privacy laws, FCC regulations, wiretap and surveillance
laws, warrant requirements and the like.  Electronic communications may also be
covered by the Electronic Communications Privacy Act, the Privacy Protection
Act, and (a la Steve Jackson) the First Amendment.

The turgidity continues.


Re: Tapping phones, encrypting communication, and trust

Joel Upchurch <upchrch!joel@peora.sdc.ccur.com>
Tue, 14 Apr 92 04:52:49 EDT
I would like to address what Jerry Leichter <leichter@lrw.com> said in
RISKS-13.39. I agree with what he said about the ability of the FBI and other
police authorities to tap into phone conversations being curtailed by the
advances in technology. What I disagree with is that this is a bad thing. It
seems to me that if tapping a phone conversation is difficult and expensive and
the funding for such efforts comes out of the budget of the police agency
involved, then it is far more likely that such tapping will be used with
restraint, than if using it is cheap and easy.

If anything I'm worried that technology is going too far in the other
direction. I suspect that the major cost of any phone tap isn't the cost of
placing the tap and recording the conversations, but in paying people to listen
to them. It isn't collecting data that is expensive, but analyzing it. With the
advent of computer voice recognition in the next few years, it is quite
possible that this cost will decrease drastically, maybe by an order of
magnitude or more as the technology improves.

As the saying goes, government is a dangerous servant and a terrible
master.  A prudent citizen will try to ensure that powers of government
are strictly curtailed and a close eye is kept to make sure these powers
are neither abused or exceeded either through malice or an excess of zeal.

I keeping asking myself, how is the FBI proposal different from one that would
require audio and video surveillance equipment be placed in every home at the
expense of the home owner? Even if there were strict controls to make sure the
equipment was never used without a court order, I doubt that most people would
approve of it. What if the FBI required me to not seal my envelopes, since it
would inhibit their ability to surreptitiously read my mail? It's not so much
that idea that they want me to pay for it, it is the idea that want me to pay
to give them capabilities that I'd be willing to pay for them NOT to have.

As for Mr. Leichter's police analogy, it is rather flawed. A better question to
ask is should we forego the right of self-protection, because some criminals
misuse the technology involved and always trust that the government will be
able to protect us and will never oppress us? Some people think so, but I'm not
one of them.

Joel Upchurch/Upchurch Computer Consulting/718 Galsworthy/Orlando, FL 32809
joel@peora.ccur.com {uiucuxc,hoptoad,petsd,ucf-cs}!peora!joel (407) 859-0982


Re: wire tapping (Leichter, RISKS-13.39)

Phil Karn <karn@chicago.Qualcomm.COM>
Tue, 14 Apr 92 02:35:17 -0700
The debate over the FBI's proposal to ensure wiretappability of digital phone
technologies largely misses the point. This is especially true for Jerry
Leichter's recent comments.

I think it is reasonable to ask whether any proposed restrictive legislation
will be effective in its intended purpose.  If the answer is "no", then it is
entirely pointless to debate the merits of a bill's goals, no matter how
desirable they may seem.

I submit that the FBI's measure will ultimately prove ineffective, for one very
simple reason: user-provided end-to-end encryption. Like it or not, it is only
a matter of time before most criminals routinely use it to thwart wiretaps.
Encryption is uncontrollable because the encryption-specific parts of a system
can be implemented entirely in software if necessary. It need only use cheap,
readily available generic computer hardware that cannot be practically
controlled in a modern industrial society.

The means to protect textual communications from wiretapping are already
readily available. All it takes is a sufficiently motivated user. Someone, say,
with good reason to fear an FBI wiretap.  And before long the generic hardware
necessary for secure voice communications will be just as cheap and widespread.

Eventually, the FBI's wiretap facilities will be effective only against those
few remaining criminals too stupid to encrypt.  And they could also be quite
effective against those law-abiding companies and individuals who, instead of
providing their own cryptographic privacy, blindly trust whatever "safeguards"
(legal and/or technical) are supposedly in place to prevent their misuse.
Quite frankly, after the Nixon years it's hard to have much faith in legal
safeguards, and I know too much about telco technology to have much faith in
technical safeguards.

Most readers of this list are highly computer literate, so these may seem like
obvious statements. But they are apparently not so obvious to many in
government policymaking positions. Our real problem is how to educate these
people about the nature of cryptography, why it will be impossible for the FBI
to maintain its precious "status quo", and to begin thinking about how they can
*realistically* deal with the future instead of trying to force a return to the
past.

We urgently need to get these people to understand the following:

1. The use of cryptography by criminals to thwart wiretaps is inevitable in
anything remotely resembling a modern free society.  You don't even want to
contemplate living in a state with truly effective ways to prevent the private
use of encryption.  So we might as well promote, not restrict, the widespread
use of encryption so that law-abiding persons can benefit from it as well.

2. As the utility of the wiretap decreases, law enforcement will have to rely
other ways to collect evidence. Informers, for example, or testimony compelled
under grants of immunity.  Eventually the government might even have to
consider abandoning its attempts to penalize certain types of behavior that
consist largely or entirely of communications or the mere possession of
information.

Unfortunately, our government's historical inability to accept the inevitable
without a long, wasteful and futile fight does not give me much hope that we'll
avoid one this time.
                                               Phil


FBI Phone Taps (Re: RISKS-13.39)

Mike Gore <magore@icr2.waterloo.edu>
Tue, 14 Apr 92 11:58:18 -0400
    I submit that the biggest risks in dealing with a system that allows
single point phone tapping can be better addressed in questions far more basic
then of trusting the good intentions of any agency itself.  Rather we might
first examine:

    1) The number of lives and total value of all information  to
           be entrusted to such a system.
    2) The ability of such an agency to protect the proposed
       system from misuse by outside forces.
    3) The social and monetary costs including the risks generated
       from proposed system vs that of the former system .

    So even if one fully trusts the intentions of an agency we might not
sleep better knowing that we have in effect put up a big sign saying to all
would be criminals "in order to save you time we have placed all are eggs in
this basket right here"...

Mike Gore, Technical Support, Institute for Computer Research
1-519-885-1211, x6205 uunet!watmath!watserv1!magore
magore@watserv1.waterloo.edu  or  magore@watserv1.uwaterloo.ca


Re: Telephone system foibles - also cryptography

John (J.G.) Mainwaring <CRM312A@BNR.CA>
14 Apr 92 17:49:00 EDT
James Zuchelli seems surprised that he would have calls billed by Alternate
Operator Services companies from places he's never never been.  The practice is
known as 'Splashing', and arises from the arrangements among smaller long
distance carriers and operator services companies.  His call was presumably
handled by an operator company in Ada, Michigan who were unable to determine
the true point of origin of the call.  They would bill the call to a calling
card as being from their location to the actual called number.  Congress and
the FCC do not seem to feel that this practice was one of the benefits intended
to follow from the break up of the Bell System, and seem to have initiated
proceedings to ensure that all calls will be billed based on the true point of
origin.

The FBI/encryption/privacy debate has been interesting. Obviously the FBI will
only be successful in interpreting data from wiretaps if they can manage to
stay abreast of technology. The usual file archiving and compression schemes
are meant to be easy to use, so any reasonbly aware user will recognize from
file naming conventions what decompression techniques to use.  They could
become the basis for encryption schemes, but it seems reasonable to suppose
that they would tend to have signatures that a knowledgeable spook could
recognize fairly easily.  In the same way, the FBI would have to keep abreast
of technology and learn to use any widely used speech compression technology.
ISDN makes end to end encryption of speech a little easier than it once was,
since speech is readily available for manipulation in digital form at either
end.  However, it's possible to compress digital speech from the 64K bit/sec
rate ISDN normally uses to rates as low as 2400 bit/sec with some loss of
fidelity, and that would allow a digital stream to be encrypted and transmitted
on a fairly ordinary analogue line.  Any digital switch would allow the FBI to
wiretap such a call, but it would take them a good deal of effort to make sense
of it.

Ultimately it seems unlikely that laws against using encryption will deter
people who are already breaking more serious laws.  They will affect people
with legitimate needs for privacy such as protection of trade secrets and
financial information.  Restrictions on American trade will clearly not apply
abroad, and can only work to the disadvantage of American (free?) enterprise.
The FBI may wish for simpler times, but in the long run it seems like they'll
have to heat their buildings with Crays and learn to be as good at cryptography
as the bad guys.  After all, the first working electronic computer may have
been Colossus, which was built to do cryptography.


Re: Tapping phones, encrypting communication, and trust

Irving_Wolfe <irving@happy-man.com>
Wed, 15 Apr 1992 16:17:27 GMT
>I'm disturbed . . . .  The general approach seems to be based on
>the idea that government is not to be trusted, ever, with anything.
>Nothing government says is to be believed.

Many of us do feel that the history of government lies on issues large and
small preclude believing what government tells us without substantial
additional evidence.  Sure, there are many good people in government, and many
useful functions performed by it.  But we really do differ from you in having
enough concern for civil liberties to willingly, even enthusiastically accept
some inefficiency and some additional crime in return for stronger guarantees
of privacy and freedom for the great masses of people who are basically decent,
including ourselves and our friends.

>Let's take the FBI "phone tapping" proposal.

Many of us, while tolerant of occasional phone-tapping under a difficult-to-get
court order, might prefer no phone-tapping at all to tapping under
easy-to-obtain court orders or widespread tapping of any sort.

>Do they believe ... that we should banish policy [sic] departments
>and arm ourselves for our own protection against criminals ... ?

We might not advocate the abolition of police departments because they have not
yet become that extremely corrupt.  But for other reasons -- including the
physical inability of even a large police force to provide protection at the
level that could assure everyone's safety from assault, burglary, rape, and
murder -- we certainly support possession of firearms by adult citizens,
perhaps even required possession and required training.  This threat of
self-defense would produce a far greater reduction in violent crime than any
law could.

The risks issue, as I see it: I'm happy to assume the (perceived small) risk
that my neighbor will shoot me, in place of the (perceived much larger) risk
that either a criminal will attack my family and friends while we are
defenseless or that at some future time only a fully armed population could
save itself from a would-be-totalitarian government (either home-grown or
invading).  It is no accident that the Soviet Union's first action after taking
over Hungary, Czechoslovakia, and Poland was the seizure of privately owned
firearms.

 Irving_Wolfe@Happy-Man.com      Happy Man Corp. 206/463-9399 x101
 4410 SW Pt. Robinson Rd., Vashon Island, WA  98070-7399  fax x108
    [Commercial advertising deleted...  PGN]


FBI phone tapping bill

Steve Dever <Steve.Dever@eng.sun.com>
Wed, 15 Apr 92 10:06:55 PDT
Attached is a copy of the FBI's proposed law which would prevent telephone
companies and PBX operators from using equipment which would inhibit the
government's ability to perform wiretaps.  This was uploaded to the Well by
Mike Godwin of the EFF.
                                            Steve Dever
   102nd Congress
   2nd Session
                      Amendment  No.
                      Offered by M.

1.   SEC. 1. FINDINGS AND PURPOSES
2.   (a)    The Congress finds:
3.      (1) that telecommunications systems and networks are often
4     used in the furtherance of criminal activities including
5     organized crime, racketeering, extortion, kidnapping, espionage,
6     terrorism, and trafficking in illegal drugs; and
7       (2 ) that recent and continuing advances in
8     telecommunications technology, and the introduction of new
9     technologies and transmission modes by the telecommunications
10    industry, have made it increasingly difficult for government
11    agencies to implement lawful orders or authorizations to
12    intercept communications and thus threaten the ability of such
13    agencies effectively to enfore the laws and protect the national
14    security; and
15      (3) without the assistance and cooperation of providers of
16    electronic communication services and private branch exchange
17    operators, the introduction of new technologies and transmission
18    modes into telecommunications systems without consideration and
19    accommodation of the need of government agencies lawfully to
20    intercept communications, would impede the ability of such
21    agencies effectively to carry out their responsibilities.

1   The purpose of this Act are:
2      (1) to clarify the duty of providers of electronic
3   communication services and private branch exchange operators to
4   provide such assistance as necessary to ensure the ability of
5   government agencies to implement lawful orders or authorizations
6   to intercept communications; and
7      (2) to ensure that the Federal Communications Commission,
8   in the setting of standards affecting providers of electronic
9   communication services or private branch exchange operators, will
10  accommodate the need of government agencies lawfully to intercept
11  communications.

12    SEC. 2.    Title II of the Communications Act of 1934 is amended
13   by adding at the end thereof the following new sections:
14       "Sec__.  GOVERNMENT REQUIREMENTS
15       "(a) The Federal Communications Commission shall,
16    within 120 days after enactment of this Act, issue such
17    regulations as are necessary to ensure that the government
18    can intercept communications when such interception is
19    otherwise lawfully authorized
20      "(b) The regulations issued by the commission shall:
21        "(1) establish standards and specifications for
22         telecommunications equipment and technology employed by
23         providers of electronic communication services or
24         private branch exchange operators as may be necessary
25         to maintain the ability of the government to lawfully
26         intercept communication

1          "(2) require that any telecommunications
2         equipment or technology which impedes the ability of
3         the government to lawfully intercept communications and
4         and which has been introduced into a telecommunications
5         system by providers of electronic communication
6         services or private branch exchange operators shall not
7         expanded so as to further impede such utility until
8         that telecommunications equpment or technology is
9         brought into compliance with the requirements set forth
10        in regulations issued by the Commission;
11         "(3) require that modifications which are
12        necessary to be made to existing telecommunications
13        equipment or technology to eliminate impediments to the
14        ability of the government to lawfully intercept
15        communications shall be implemented by such providers
16        of electronic communication services and private branch
17        exchange operators within 180 days of issuance of such
18        regulations; and
19         "(4) prohibit the use by electronic communication
20        service providers and private branch exchange operators
21        of any telecommunications equipment or technology which
22        does not comply with the regulations issued under this
23        section after the 180th day following the issuance of
24        such regulations.
25    "(c) For the purposes of administering and enforcing
26     the provisions of this section and the regulations

1      prescribed hereunder, the Commission shall have the same
2      authority, power, and functions with respect to providers of
3      electronic communication services or private branch exchange
4      operators as the Commission has in administering and
5      enforcing the provisions of this title with respect to any
6      common carrier otherwise subject to Commission jurisdiction.
7      Any violation of this section by any provider of electronic
8      communication service or any private branch exchange
9      operator shall be subject to the same remedies, penalties,
10     and procedures as are applicable to a violation of this
11     chapter by a common carrier otherwise subject to Commission
12     jurisdiction, except as otherwise specified in subsection
13     (d).
14     "(d) In addition to any enforcement authorities vested
15     in the Commission under this title, the Attorney General may
16     apply to the appropriate United States District Court for a
17     restraining order or injunction against any provider of
18     electronic communication service or private branch exchange
19     operator based upon a failure to comply with the provisions
20     of this section or regulations prescribed hereunder.
21     "(e) Any person who willfully violates any provision
22     of the regulations issued by the Commission pursuant to
23     subjection (a) of this section shall be subject to a civil
24     penalty of $10,000 per day for each day in violation.
25     "(f) To the extent consistent with the setting or
26     implementation of just and reasonable rates, charges and


1      classifications, the Commission shall authorize the
2      compensation of any electronic communication service
3      providers or other entities whose rates or charges are
4      subject to its jurisdiction for the reasonable costs
5      associated with such modifications of existing
6      telecommunications equipment or technology, or with the
7      development or procurement, and the installation of such
8      telecommunications equipment or technology as is necessary
9      to carry out the purposes of this Act, through appropriate
10     adjustments to such rates and charges.
11     "(g) The Attorney General shall advise the Commission
12     within 30 days after the date of enactment of this Act, and
13     periodically thereafter, as necessary, of the specific needs
14     and performance requirements to ensure the continued ability
15     of the government to lawfully intercept communications
16     transmitted by or through the electronic communication
17     services and private branch exchanges introduced, operated,
18     sold or leased in the United States.
l9     "(h) Notwithstanding section 552b of Title 5, United
20     States Code or any other provision of law, the Attorney
21     General or his designee may direct that any Commission
22     proceeding concerning regulations, standards or
23     registrations issued or to be issued under the authority of
24     this section shall be closed to the public.
25     "(i) Definitions -- As used in this section --


1        "(l) 'provider of electronic communication
2     service' or 'private branch exchange operator' means
3     any service which professes to users thereof the ability
4     to send or receive wire, oral or electronic
5     communications, as those terms are defined in
6     subsections 2510(1) and 2510(12) of Title 18, United
7     States Code;
8        "(2) 'communication' means any wire or electronic
9     communication, as defined in subsection 2510(1) and
10    2510 (12), of Title 18, United States Code;
11     "(3) 'impede' means to prevent, hinder or impair
12    the government's ability to intercept a communication
13    in the same form as transmitted;
14    "(4) 'intercept' shall have the same meaning
l5    set forth in section 2510 (4) of Title 18, United States
16    Code;
17     "(5) 'government' means the Government of the
18    United States and any agency or instrumentality
19    thereof, any state or political subdivision thereof,
20    and the District of Columbia, and Commonwealth of Puerto
21    Rico; and
22     "(6) 'telecommunications equipment or technology'
23    means any equipment or technology, used or to be used
24    by any providers of electronic communication services
25    or private branch exchange operators, which is for the


1     transmission or receipt of wire, oral or electronic
2     communications."

3   SEC 3. Section 510, Title V, P.L. 97-259 is amended deleting the
4   phrase "section 301 or 302a" and substituting the phrase "section
5   301, 302a, or ____.


   DIGITAL TELEPHONY AMENDMENT
   (report language)

Significant changes are being made in the systems by which communications
services are provided.  Digital technologies, fiber optics, and other
telecommunications transmission technologies are coming into widespread use.
These changes in communications systems and technologies make it increasingly
difficult for government agencies to implement lawful orders or authorizations
to intercept communications in order to enfore the laws and protect the
national security.

With the assistance of providers of electronic communication services, these
technological advances need not impede the ability of government agencies to
carry out their responsibilities.  This bill would direct the Federal
Communications Commission (FCC) to issue standards ensuring that communications
systems and service providers continue to accommodate lawful government
communications intercepts.  The regulations are not intended to cover federal
government communications systems.  Procedure already exist by which the
Federal Bureau of Investigation amy obtain federal agency cooperation in
implementing lawful orders or authorizations applicable to such systems.
Further, there would be no obligation on the part of the service providers or
any other party to ensure access to the plain text of encrypted or other
encoded material, but rather only to the communication in whatever form it is
transmitted.  It is thus the intent and purpose of the bill only to maintain
the government's current communications interception capability where properly
ordered or authorized.  No expansion of that authority is sought.


   ANALYSIS

Subsection 2(a) and (b) would require the Federal Communications Commission
(FCC) to issue any regulations deemed necessary to ensure that
telecommunications equipment and technology used by providers of electronic
communications services or private branch exchange operators will permit the
government to intercept communications when such interception is lawfully
authorized.  The regulations would also require that equipment or technologies
currently used by such providers or operators that impede this ability until
brought into compliance with the regulations.  Compliance with FCC regulations
issued under this section would be required within 180 days of their issuance.

Subsection 2(c) provides that the Commission's authority to implement and
enforce the provisions of this section are the same as those it has with
respect to common carriers subject to its jurisdiction.

Subsection 2(d) would give the Attorney General the authority to request
injunctive relief against non-complying service providers or private branch
exchange operators.

Subsection 2(e) provides civil penalty authority for willful violations of the
regulations of up to $10,000 per day for each violation.

Subsection 2(f) would permit the FCC to provide rate relief to service
providers subject to its rate-setting jurisdiction for the costs associated
with modifying equipment or technologies to carry out the purposes of the bill.

Subsections 2(g), (h), and (i) require the Attorney General to advise the
Commission regarding the specific needs and performance criteria required to
maintain government intercept capabilities, require the FCC to ensure that the
standards and specifications it promulgates may be implemented on a royalty-
free basis, and authorize the Attorney General to require that particular
Commission rulemaking proceedings to implement the Act be closed to the public.

Subsection 2(j) provides definitions for key terms used in this section.

Please report problems with the web pages to the maintainer

Top