Cybersense—Today’s Encryption Bypass May Avert Later Restrictions

Most detectives aren’t real fond of secrets.

They keep a few of their own, of course. But professional crime solvers spend most of their time trying to discover the exact things that criminals don’t want them to find.

So you can imagine what these folks think of encryption. The idea that people can use software to scramble their e-mail and other computer files and stop them from being read without their permission is enough to send guys like “NYPD Blue’s” Andy Sipowicz back to the bottle.

Actually, real-life detectives from the FBI and other law enforcement agencies have run straight to Congress, asking for new laws to restrict the use of encryption. It’s only a matter of time, they’ve said, until terrorists and organized crime figures start using crypto to frustrate the authorities who might intercept their communications.

It seems that time has arrived. Federal prosecutors in Philadelphia say the son of a former mob boss was using PGP, the Net’s most popular encryption program, to hide evidence of a gambling and loan-sharking operation. If they’re right, he probably isn’t the only wise guy who’s grown wise to the potential uses of data-scrambling technology.

But the case against Nicodemo S. Scarfo doesn’t prove the need to restrict encryption, which plays a critical role in protecting privacy online. In fact, it proves just the opposite: that police can work around strong crypto when the need arises.

Federal agents seized a computer from Scarfo’s business in January 1999 but were unable to access possible evidence stored in an encrypted file, the Philadelphia Inquirer reported. So when they sought another search warrant a few months later, they also secured a court order allowing them to install a new kind of surveillance device on his computer.

This device (the feds won’t say if it was software, hardware or both) recorded the keys pressed on the computer’s keyboard. That allowed detectives to figure out the password to decrypt Scarfo’s files as though they were sitting over his shoulder when he typed it.

Encryption experts see the incident as a case study in the vulnerability of even strong data-scrambling programs. The program that Scarfo used is called PGP, which stands for Pretty Good Privacy. Slightly paranoid Net users frequently employ PGP to protect their e-mail, and the program generally lives up to its name.

Anyone who intercepts a PGP-encrypted message en route to its recipient won’t be able to read it without the password. But there are many ways of discovering passwords, including rummaging through someone’s trash or installing a program on their computer that tricks them into revealing it.

“Instead of building a defensive wall, we’re planting a huge stake in the ground and hoping the attacker will only take the path that runs into the stake,” wrote Bruce Schneier, a well-respected crypto guru who runs Counterpane Internet Security Inc. “A smart attacker will simply go around the stake.”

Such vulnerabilities are actually beneficial for those who would make legitimate use of encryption. As long as police have a shot at working around a criminal’s use of strong data-scrambling technology, there’s no reason to stop the rest of us from using it to sign online contracts, send secure messages and store critical files out of a hacker’s reach.

Privacy advocates complain that the key-tracing device installed on Scarfo’s computer is too invasive. His defense attorney also is expected to argue that current laws don’t authorize such methods. It’s possible they’ll succeed, since the judge who authorized the device relied on laws designed for listening devices.

In the long run, though, it would make sense for Congress or the courts to make sure that police have the power to install encryption workarounds in circumstances similar to those that authorize traditional “bugs.” The process is invasive, to be sure, but there’s no particular reason our computer files should be considered more sacrosanct than our spoken words. Besides, it’s a reasonable price to avoid further restrictions on a technology that is becoming more useful every day.

We should all have the right to keep our secrets safe, even on the Net. And unless we give police a reasonable chance to sniff out a few of them, Congress may feel compelled to leave us with none at all.

To contact syndicated columnist Joe Salkowski, you can e-mail him at [email protected] or write to him c/o Tribune Media Services Inc., 435 N. Michigan Ave., Suite 1400, Chicago, IL 60611.
