28 January 1998

Date: Wed, 28 Jan 1998 13:40:46 -0500
To: John Young <jya@pipeline.com>
From: Vin McLellan <vin@shore.net>
Subject: EuroParl Rpt re NSA, Echelon, Trade, & Crypto


Yesterday and today I posted two mini-essays on David Farber's IP list, one on Netscape and Fortify, and the one below on the excepts from the EuroParl STOA report on the NSA, Echelon, and prospects for European control of strong cryptography. They both seems to be creating a little stir;-) If you have any use for either or both, you are welcome to repost them as you wish.




Date: Wed, 28 Jan 1998 07:21:37 -0500
To: ip-sub-1@majordomo.pobox.com
From: Dave Farber <farber@cis.upenn.edu>
Subject: IP: EuroParl Rpt re NSA, Echelon, Trade, & Crypto

Date: Wed, 28 Jan 1998 03:30:35 -0500
To: farber@cis.upenn.edu
From: Vin McLellan <vin@shore.net>

A draft ("consultation version") of a report by the European Parliament's Office for Scientific and Technological Option Assessment (STOA) entitled "AN APPRAISAL OF TECHNOLOGIES OF POLITICAL CONTROL" has been submitted to the EuroParl's Civil Liberties and Interior Committee.

Several IT-relevant excerpts are now available at John Young's widely respected crypto-politics website: <http://www.jya.com/atpc.htm>

(STOA regs apparently require a document to be distributed only on paper while it is a "working document." A hardcopy can be ordered by e-mail with a request to the office of British MEP Glyn Ford <jford@europarl.eu.int> or with a fax to STOA in Luxembourg at: 352-4300-22418)

According to Mr. Young's correspondents, the report covers:

- The Role & Function of Political Control Technologies

- Recent Trends and Innovations

- Developments in Surveillance Technologies

- Innovations in Crowd Control Weapons

- New Prison Control Systems

- Interrogation, Torture Techniques and Technologies

- Regulation of Horizontal Proliferation

- Further Research

As expected, the report highlight's the NSA's Echelon surveillance system, developed and managed in conjunction with its sister SigIntel agencies from the UK, Australia, New Zealand, and Canada. Snippets:

"[...] unlike many of the electronic spy systems developed during the cold war, ECHELON is designed for primarily non- military targets: governments, organisations and businesses in virtually every country. The ECHELON system works by indiscriminately intercepting very large quantities of communications and then siphoning out what is valuable using artificial intelligence aids like Memex to find key words."
"[...] Within Europe, all email, telephone and fax communications are routinely intercepted by the United States National Security Agency, transferring all target information from the European mainland via the strategic hub of London then by satellite to Fort Meade in Maryland via the crucial hub at Menwith Hill in the North York Moors of the UK."

The priority targets of this surveillance system are selected by the participating intelligence agencies -- only one of which is European -- on the basis of their individual military and political interests, notes STOA. "Whilst there is much information gathered about potential terrorists, there is a lot of economic intelligence, notably intensive monitoring of all the countries participating in the GATT negotiations...."

The report seems to briefly summarize a wealth of earlier media reports on the Echelon network, but offers no apparent evidence of an independent inquiry. The report seems to suggest that these intelligence agencies have become a law unto themselves, and operate in a context where all presumably-private communications are effectively transparent and accessible to them. "With no system of accountability, it is difficult to discover what criteria determine who is not a target," the STOA adds in a dry summary.

There were some startling revelations about technology that already seems familar, useful, and tame:

"[...] Some systems even lend themselves to a dual role as a national interceptions network. For example the message switching system used on digital exchanges like System X in the UK supports an Integrated Services Digital Network (ISDN) Protocol. This allows digital devices, e.g. fax to share the system with existing lines. The ISDN subset is defined in their documents as "Signalling CCITT1-series interface for ISDN access". What is not widely known is that built in to the international CCITT protocol is the ability to take phones 'off hook' and listen into conversations occurring near the phone, without the user being aware that it is happening."

STOA recommends a new European Parliament study of the "constitutional issues" raised by the American eavesdropping practices, and of the impact of Echelon upon (a) the "constitutional safeguards" of the individual European states, and (b) "the political, cultural and economic autonomy" of EU's nation states.

The report also recommends that the European Parliament should address and explicitly reject "proposals from the United States for making private messages via the global communications network (Internet) accessible to US Intelligence Agencies. Nor should the Parliament agree to new expensive encryption controls without a wide ranging debate within the EU on the implications of such measures."

The "implications" of the proposed controls over free access to strong cryptography -- declares STOA -- "encompass the civil and human rights of European citizens and the commercial rights of companies to operate within the law, without unwarranted surveillance by intelligence agencies operating in conjunction with multinational competitors..."

That last phrase -- with its explicit reference to the commercial or economic intelligence which can be gleened from unversal surveillance (and the value of such intelligence to "multinational" corporations aligned with each of the intelligence agencies cooperating in Echelon) -- lies in the dense gray text of the report like an unlit fuse.

One of the inevitable problems for a nation which fosters both intelligence prowess and commercial prowess is that success in the former can undermine the legitimacy of whatever success it achieves in commerce and industry. International finance and trade rely, in some measure, upon a general acceptance that the terms of such trade are overt, if not necessarily "fair." Without that minimal trust, the successful competitor is viewed not with respect, or even jealousy; but with scorn and bitterness. Commercial failures will inevitably attribute their losses not to the skill or ingenuity of their international competitors, but rather to the competence and bias of the mysterious cyberspooks who, all acknowledge, probably watched the deal unfold.

The MEPs wouldn't be European if they didn't consider the possibility of that sort of frustration fueling a backlash against the European Union and EU governments which appear either unable or unwilling to protect the integrity of their economic infrastructure.

Americans worry about future InfoWar: the corruption of the American economic infrastructure by tech-savvy foreigners. A Presidential Commission studies the threat today, and generates headlines by the ream.

Europeans might fairly ask if they are not already the victims of such malovelent prowess. And what guarantees could they be offered that this is not the case?



Date: Tue, 27 Jan 1998 03:00:13 -0500
To: risks@csl.sri.com
From: Vin McLellan <vin@shore.net>
Subject: Netscape, Fortify & the NSA

In a recent post to RISKS, John Wilson <jowilson@mtu.edu> worried about what unscruprilous folk, unwilling to acknowledge or respect interests other than their own, might inflict on the public now that Netscape has decided to release the source code for the Netscape 5.0 browser.

> [ ... } I wonder how many Trojan horses will
>have to be dealt with then. "Oh, look, the latest version of Netscape
>... click here." Possibilities include tracking software built in the
>browser, routines to copy personal information, including credit card
>numbers, as well as the more "mundane" risks of simple file deletion/disk

What the Mr. Wilson overlooks, perhaps, is what some unscrupulous folk, unwilling to acknowledge or respect interests other than their own, have already done to tens of millions of Internet users -- and what they were able to get away with largely because Netscape's source code was unavailable.

By forbidding the export of web servers and browsers with strong crypto to non-American users (with a few narrow and humiliating exceptions,) US policymakers have left the commercial, professional, and personal correspondence and web-based transactions of millions of non-American citizens all but naked to eavesdropping by criminals (petty and organized,) industrial spies, gossip-mongers, aggressive office-pols, wannabe blackmailers, rogue cops, managers with feudal delusions, and curious 14 year-olds with access to a contemporary PC (or -- if they they want to pop secrets free within hours -- the computational resources of a typical college computer lab.)

The image and reputation of the US, and of American engineering and technology, has suffered grevious harm so as to allow the NSA to gain what transient enlightenment it could from it's world-wide "Echelon" sweeps of the data lines and communications spectrum. Reaction to the scheduled release, today, of a report by the Civil Liberties and Interior Committee of the European Parliament on the NSA's systematic snooping on all European telephone, fax, and digital communiations may indicate how bitter that resentment has become. (Swedish parliamentarians were outraged recently to discover that the confidentiality of encrypted traffic on their Lotus Notes system was apparently dependent on the self-restraint of the NSA -- which demanded partial access to the Notes crypto-key before the product was shipped abroad.)

The web -- and in particular, Netscape's browser, due to its popular success and widespread use -- has become the focus of much concern and attention from those who believe that privacy and optional confidentiality are fundamental to the dignity and liberty of any man or woman, anywhere. SSL, the encrypted channel built into the WWW spec, offered the first encryption systems that was universially available, to the far reaches of the global Internet. The problem was, only Americans got strong (128-bit) crypto. US export policy allowed vendors to ship only weak easily-broken 40-bit crypto in browsers exported to non-Americans -- so the browsers freely downloaded off the Microsoft and Netscape ftp sites world-wide were almost always insecure, providing security of poor quality by design and government fiat.

Non-American webservers can offer strong-crypto alternatives to the innovative American products which paced the technology -- and even the crippled export-level American webservers can have their weak SSL encryption enhanced by java applets (Brokat's Xpresso <www.brokat.de>) or proxy/translators (C2's SafePassage <www.c2.net>) -- but it was only a few months ago that Farrell McKay's remarkable freeware product, Fortify, became widely available. <http://www.fortify.net>

Fortify allows anyone anywhere to upgrade a Netscape browser (Navagator v3 or Communicator v4) with weak or export-strength crypto into one with the 128-bit SSL capabilities for confidentiality (and secure e-commerce) that Americans take for granted when they do business on the web. An executive with one of the big international auditing firms told me a month ago that Fortify is "all over Africa," particularly in banking. "It's free, and it's legally available from its British website. They'd be idiots not to use it! I recommend it to all my international clients."

McKay's program installs itself directly in the Netscape browser to upgrade it's SSL code, so that anyone with an export-quality browser can get a 128-bit strong-crypto link when he connects to a webserver that is itself capable of establishing a strong SSL connection.

Unfortunately, McKay's magic did not extend to strengthening the S/MIME crypto has added encryption for electronic mail to recent versions of both the Netscape and the Microsoft browsers. McKay gave international users of Netscape a secure 128-bit SSL channel, but neither he -- nor, apparently, anyone else -- has been able to do the same with the S/MIME routines which were also crippled and weakened to 40-bit crypto, by government order, before export.

The web is popular, but e-mail is still the "killer app."

Strong SSL, now universally available, enables many types of form-based transactions on the Web -- but freely-available strong S/MIME for private mail will break the dam. Some dream it could change the world. Farrell McKay fervently believes that getting the Netscape source in circulation among those who can pick it apart is the gateway to a future in which everyone can expect their mail to be confidential (at least until some local lawmen shows up, with proper authority to demand access from one of the correspondents.)

"I live in the hope that there will be entire armies of enthusiatic programmers all busily building strong crypto facilities into the v5.x releases," he exulted in a note he sent me yesterday from Australia. "This move really opens up a huge number of possibilities for the international community."

Many American think that's just great, on balance. ("All men are created equal," and stuff like that.) Virtually all non-Americans have no doubt. Much of the world is hoping that electronic commerce will be the backbone of the 21st Century economy -- and you practically have to rate a limousine in Washington, D.C., before you can believe that international finance and trade will go online if the merchants, bankers, and businessmen believe that American spooks have rigged a party-line, and may or may not be listening.

Having Netscape browser source-code in circulation won't change much overnight, of course. Given US restrictions on the export of privacy products, the release of the Netscape source code will doubtless be restricted too. Netscape's cryptographic modules will either not be released in source, or will be forbidden for export. Still, with all but the Netscape privacy code accessible to clever programmers world-wide, it becomes all but certain that -- as Netscape cryptographer Tom Weinstein suggested yesterday -- "some enterprising individuals outside the US (will) replace the missing pieces."

Odd what Americans have to do to get a quality product to the world market, huh?



"Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege."

_ A thinking man's Creed for Crypto/ vbm.

* Vin McLellan + The Privacy Guild + <vin@shore.net> *
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548

Date: Mon, 26 Jan 1998 19:26:53 -0800
From: Tom Weinstein <tomw@netscape.com>
Organization: Netscape Communications, Inc.
To: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>
CC: cypherpunks@cyberpass.net
Subject: Re: Netscape 5 will be GPL'ed

Markus Kuhn wrote:
> root wrote on 1998-01-23 01:29 UTC:
>> [Press Releases]
>> http://www.netscape.com/newsref/pr/newsrelease558.html?cp=nws01flh1
> Excellent!
> Finally mainstream software companies start to understand that security
> critical software has to be provided to the customer in full compilable
> source code to allow independent security evaluation.

Don't hold your breath.  We're still bound by US export regulations, so
we won't be able to export crypto-relevant source code.  We'll release what
we can, but you probably won't be satisfied.

Of course, there's always the option for some enterprising individuals
outside the US to replace the missing pieces.

What is appropriate for the master is not appropriate| Tom Weinstein
for the novice.  You must understand Tao before      | tomw@netscape.com
transcending structure.  -- The Tao of Programming   |