The Crypto Dilemma
---------------------------------
                            Clipper:
                 How much privacy can we afford?
                  How much security do we need?

                        by Shayne Weyker
                       weyker@wam.umd.edu

Three cheers for Bruce Sterling. Finally someone on the privacy
side of the Clipper debate has the courage to admit that Clipper
might indeed provide some needed protection against crooks and
terrorists. I want to try and do a bit more of what Bruce has done:
to try and pin down what the real dangers are both of strong crypto
and of bans on strong crypto.

To date, the anti-clipper faction has tried to deny the force of
the "law enforcement needs wiretaps" argument. They have claimed that
wiretaps aren't truly necessary and that law enforcement officers
will just have to work a bit harder.

This often-repeated argument has a flaw in it that I've heard no one else
mention. It doesn't acknowledge the fact that more and more crimes that
used to be susceptible to discovery through means other than wiretapping
(witnesses, visual or audio surveillance, physical searches) may soon be
concealed from all forms of discovery *except* wiretapping and its variants.
More and more of our life will take place over the wires, so it is no
surprise that more and more crime will take place there as well. 

FROM PAPER TO DIGITAL VAPOR
Criminals who wanted to share things like military secrets, monthly
sales reports for drugs or stolen merchandise, and lists of stolen
credit card numbers used to have to keep a lot of this stuff on
paper. But more and more folks own computers and modems, and
software will eventually make using and sharing the computer files
even easier than paper. How long will it be before cops long for
the days when they could arrest someone and search their premises
for incriminating documents and actually expect to find anything
that isn't encrypted with RSA or PGP? Cops will be less able to
find incriminating paper evidence if crooks are smart enough to
keep things on computers and encrypted. And while I think privacy
advocates too often tend to make the criminal in their own image,
the privacy advocates' argument is that crooks are indeed smart and
careful with incriminating data.

"IF YOU WANNA ROB A BANK YOU MUST BEWARE, 
YOU'VE GOTTA USE THE COMPUTER UPSTAIRS"
Criminals who want lots of quick cash now often go stick-up a bank.
And even if hacking into and diverting money from banks' Electronic
Funds Transfer (EFT) systems or a company's billing system is more
their style, they still have to work at it. The hackers who claimed
to have diverted funds from an EFT system gave an involved story
about how they went to multiple banks, used phony identities, and
altered their appearance and handwriting each time when they opened
an account and again when they went back to withdraw their loot
over several visits. Somewhere in all those visits they may have
slipped up and given a clue as to who really picked up the money.
But if those hackers could bypass all this by just transforming
other people's bank deposits into their own digital cash with a few
keystrokes, all these opportunities to screw up and leave clues
behind go away.

BACK TO THE FUTURE:
TWENTY-FIRST CENTURY GRIFTERS

     [Con artists' schemes in the 1800s] often presupposed the
     anonymities of a mobile society. Con men slipped from
     place to place, geographically speaking; they also milked
     the fact of social ambiguity. . . . boundaries between
     classes (of every sort) were more porous than before. It
     was possible to pass oneself off as a lord, a professor,
     or a rich investor, which simply could not have been done
     in a tight, controlled, barnacled society where the
     markers of class are more obvious, if not indelible. . .
     . Technology permitted the more obvious forms of
     emulation [of the upper class]: cheap copies of hats or
     dresses; mass-produced artifacts and furniture.

Lawrence Friedman noted that in 1800s America fraud skyrocketed.
Two of the reasons he gives for this have fascinating parallels
with the social environment of the net.

The first was the anonymity of people in communities with a high
turnover in their membership. There was no opportunity to develop
a moral track-record on the community's members which people could
use when deciding who to trust. The second was that the new high-tech
mass-produced objects, furniture, and fashionable clothes could be
used to let the con artist appear in all ways to be a member of the
respected upper class.

Does any of this sound familiar? Modern people have adapted to the above
circumstances, but the net society with crypto looks like it's going to
give us heightened anonymity and entirely new means to simulate
respectability which will lead to another whole generation getting
ripped off. 

Privacy advocates have been saying, with some good reason, how nice
the anonymity of the net is. And indeed it is good in some ways
that we judge professors, high schoolers, and street people only by
their words. It is also empowering for some to be able to use the
net to create virtual personas for themselves in communication with
other people that will appear to be real.

But there's a dark side to this. Yes, anonymity does mean one can
escape retribution for whistleblowing and avoid unfair prejudices
of others based on one's appearance and surroundings. But anonymity
also means one can escape retribution for actions that fully
deserve punishment like spamming the net, e-mail bombing, or
forging nasty posts in widely-read newsgroups. This can be done by
hiding behind chains of anonymous remailers or getting a new
account with a new name when too many folks have started to warn
others about you.

Also, one can create a virtual persona for oneself in e-mail and
postings, such as that of a cancer victim, designed to elicit trust
and confidence from those of a similar background who may be
emotionally vulnerable. This trust is undeserved and subject to
abuse, while the eventual discovery of the lie damages the tricked
person's (and others') ability to trust people they meet on the
net. If this kind of abuse becomes common, the cloud of suspicion
hanging over people's communications on the net will hinder the
very trust needed to form those kinds of associations of private
individuals that Bruce Sterling and others are so fond of.

Finally, returning to con artists, there may be increased
gullibility on the users' part once teleconferencing becomes common
and buying stuff on the net is an everyday practice. Con artists
could then use set design and image processing for the video end of
the scam and fancy programming to appear established and credible
to folks checking out their site on the net. So, the con artist
never has to meet the victim in person and anonymity based on
encryption makes it nigh-impossible to connect the grifter with the
victim's money.

REACH OUT AND TOUCH SOMEONE

For an extreme, if unlikely, case, consider the murderer who
remotely reprograms some victim's household robot to electrocute
him. No hope of witnesses or physical evidence there. Finding out
who made the suspect call to the house to plant the code is the
only hope. Sometimes the cops will be lucky and have a suspect who
happens to be a programmer, but convicting this person without his
being caught with the killer program code or being identified as
party to the suspect communication to the victim's house will be
tough.

THE RUN-DOWN

People interacting with others using cryptography-aided
telecommunications are currently expected to be able to:
- be totally anonymous in cyberspace
- create multiple pseudonymous virtual identities for themselves--
each with separate and un-crosscheckable personal associations and
finances
- secretly conduct financial dealings 
- secretly exchange valuable commercial or government secrets
- secretly exchange socially-disapproved-of (or illegal)
information

Libertarians and anarchists may think all these things sound great.
They may be excited by opportunities for whistleblowing, anonymous
political expression, secret political organization for oppressive
environments, riskless sharing of erotica and other sometimes-legal
data, and so on. 

But responsible adults should spend equal amounts of time thinking
about opportunities for easier planning of terrorism, easier
evasion of punishment for abusing innocent people on the net, and
very real benefits for con artists, money launderers, embezzlers,
tax cheats, and other white-collar crooks. 

THE OTHER SIDE OF THE COIN:

Remember though, it was said earlier that more and more of human
life is going to take place over the wires. Clipper advocates may
well say that they're only trying to maintain the same ability to
wiretap that the government has had for decades. But if more and
more of our lives are there to see in our telephone and data
communications, and those communications remain less protected than
other forms of communication such as face to face, then our overall
privacy is going to be eroded.

Bulletin Board Systems aren't as private as the local coffeehouse
or bar. 900-number sex lines aren't as private as a visit to a
lover. Videoconferences aren't as private as face to face meetings.
E-mail and ftp aren't as private as postal mail. The list goes on.

This erosion of privacy is rightly thought to be a bad thing in and
of itself, and unrestricted crypto looks like the only way to stop it.

THE SEEMING ALL-OR-NOTHING DILEMMA OF CRYPTO

We seem to have two choices.

We can let crypto run free. This probably means more terrorism,
some of it with really impressive body-counts. It means lots more
white collar crime, and somewhat more distrust on the net. The
terrorism and crime may mean that the public hastily agrees to give
up other freedoms if they think the government has suddenly become
ineffective in protecting them.

Or the developed nations can get together and ban crypto and watch
most people's privacy quickly disappear. The technology-elite
corporations and individuals will still develop their own, and some
criminals will pay hackers for secure internal communications.
Meanwhile, in the developing world, oppressive governments gain a
powerful new weapon. Heavy regulation of crypto will have much the same 
effect.

It's an ugly choice. And I've heard too many people dismiss the folks on
the other side as either voyeuristic fascists or paranoid anarchists with
a "don't worry, be happy" attitude towards public safety.  Both sides are
doing the public, who depend upon the quality of the debate, a disservice. The
debate should have less fear-mongering about what is going to happen if
"the other side" wins, and more brainstorming about exactly what new
technology, new laws, and new behaviors we can develop which will protect
us against the very real dangers of a world with too much or too little
crypto in the public's hands.

----------------------------

addenda:

It's probably worth noting that I wrote David Chaum, the leading advocate
of Digital Cash, and asked for some ideas on how "validating authorities" 
and other structures he mentions in his Scientific American article might
be able to deal with some of the concerns I express above. I did this
hoping I could revise the article and make it more constructive and less
alarmist about crypto's possible relationship to future white-collar
crime.  Unfortunately Mr. Chaum never wrote back.  

Much of this piece is raw speculation and I welcome corrections from
people who are better informed about the intricacies of crypto,
net.privacy, and computer/financial crime. 

----------------------------------------
Shayne Weyker
weyker@wam.umd.edu

