Whitfield Diffie says your privacy is on the line

According to one of the inventors of public-key encryption, when it comes to Internet security we should be less concerned with cyberfraud than with the FBI

April 1998
Whitfield Diffie and Susan Landau's Privacy on the Line: The Politics of Wiretapping and Encryption studies the history of U.S. encryption policy since World War I. At times illuminating, at times unreadable, the book sees encryption as an important way of restoring our privacy.

Plus: If you've read a good book on cryptography, it just might win you a SunWorld Mini Maglite. (2,000 words)

Hal Stern, Sun technologist and former SunWorld columnist, used to give a great speech on Internet security back when the Web was still fairly new. "How many of you are worried about the security of doing business on the Internet?" he would ask the audience. Many hands would shoot up. "All right, how many of you order things over the phone from places like Lands' End or L.L. Bean?" Again, most hands go up. "Or Victoria's Secret?" A few giggles.

"Now, how many of you give your credit card number over the phone?" The hands stay up. "How many bother to verify that the person on the other end of the phone line is actually at L.L. Bean or Lands' End, and not someone spoofing them?" You can hear some murmurs starting; very few hands stay up. "And how many of you do this over a cordless phone?" A few embarrassed hands go up at half-mast, and the murmurs increase, as the audience begins to see Hal's point. He finishes them off: "And you're worried about security over the Internet?"

That is one of the two primary lessons imparted by Whitfield Diffie and Susan Landau in Privacy on the Line: The Politics of Wiretapping and Encryption. Diffie, a Sun Microsystems distinguished engineer, is one of the inventors of public-key encryption and a leading expert on encryption in general. Landau is a researcher at the University of Massachusetts and an expert on U.S. government technology policy.

Privacy on the Line's second lesson is that the most likely invader of your privacy on electronic communications is not some credit-card-stealing cyber-criminal, but the FBI. This book sounds some important alarms about privacy and security in electronic media as it takes over more and more of our everyday communications. Too bad its style does not rise to the urgency of its message.

Cryptic cryptography
The book begins badly, with a murky, unsatisfying chapter on cryptography. The authors have attempted to condense the basics of cryptography into a single chapter, introducing the most important concepts while sparing the reader too much technical detail. But instead of a lucid explanation, Diffie and Landau give us a litany of terminology and taxonomy, bypassing the real explanation and clarification. It comes out sounding like a heart bypass surgery specialist trying to teach anatomy to pre-med students.

Diffie and Landau are not the first to fail at this task. Cryptography seems to be a subject that is mostly uncovered by quality writing. In fact, the situation is so bad that this month I'm challenging all of you to find me a decent book on the subject.

Privacy on the Line's next chapter improves matters by giving an illuminating history of cryptography and U.S. public policy since World War I. It explains various important inventions along the way, such as the idea of key escrow -- a system in which a central agency (such as the government) serves as a custodian of cryptographic keys -- and public-key encryption, a way of doing encryption without escrowed keys proposed by Diffie and Martin Hellman at Stanford University and later perfected by Ronald Rivest, Adi Shamir, and Leonard Adleman ("RSA") at MIT. The chapter also describes how the National Security Agency (NSA) tried to squelch not only each technological invention but even some writings about cryptography in general.

Then it's back to the murk with a chapter on communications intelligence in the context of national security. Communications intelligence is actually quite interesting, having several aspects that you might not have considered. What makes an intelligence agency want to listen in on some form of communication? What do they listen for? What's possible to decipher in real-time and what isn't? How do they do it? And once they eavesdrop on some form of communication, what do they do with the information?

Most people don't think about all these things; they just think about the B-movie fodder: the lone wiretapper on stake-out, listening patiently in silence, or the genius code-breaker feverishly deciphering some vital message.

The communications intelligence chapter has some interesting discussion of approaches to intelligence, but overall, it gets bogged down with dreary taxonomies of government terms.


Privacy versus law enforcement
Things get more interesting as Privacy on the Line moves into discussions of privacy and the law and the use of wiretaps by law enforcement. The U.S. Constitution does not explicitly guarantee citizens the right to privacy; most legal decisions on this have been based on interpretations of various amendments, including the First (free expression), Fourth (protection from search and seizure), Fifth (testimony against oneself), and Fourteenth (due process of law). Diffie and Landau claim that, taken together, these principles (and others) constitute a legal basis for protecting privacy. But enough room is left to interpretation so that privacy as a legal right has waxed and waned at the hands of various politicians and government officials.

Wiretapping has provided an interesting focal point for privacy legislation. How relevant is wiretapping to law enforcement? How effective is it at catching criminals? How relevant is it to national security? Ultimately, how much privacy should we trade off so that law enforcement can do its job?

Diffie and Landau have compiled an impressive body of evidence that shows two things: Wiretapping is not much help in catching criminals, and yet law enforcement has constantly pushed for increased legal latitude to employ wiretaps. Rationales cited range from fighting organized crime to stopping communism, and generally fall under the somewhat pathetic rubric of domestic security. In fact, as the authors show, bugging and wiretapping have done little to stop organized crime and have resulted in outrageous, flagrant breaches of privacy.

Good guys and bad guys emerge from this discussion -- the good guys being politicians and lawmakers who have moved to protect privacy, the bad guys being law enforcement officials trying to curb it in the name of national security and crime prosecution.

On the good-guy side, Supreme Court Justice Louis Brandeis emerges as a true visionary -- almost up there with the framers of the Constitution -- on the subject of privacy protection amid advancing information technology. As early as 1890, when the emerging technology was newspaper photography, he predicted that new technologies would give people increasing means to invade the privacy of others, and he called for legislation that would nip this trend in the bud. Privacy looked safe for a while, until it eroded around World War II.

Darth Vader is watching you
The FBI emerges as the Darth Vader of this drama, particularly Directors J. Edgar Hoover in the '50s and '60s and Louis Freeh in the present day. This book describes Hoover's almost laughable attempts to crack down on the Mafia, Rev. Martin Luther King Jr., and various other "subversives" through surveillance. Nicholas Katzenbach, attorney general under the Johnson administration (and subsequently IBM general counsel), emerges as another good guy, someone who tried to curb Hoover's excesses during the mid-'60s. Another bad guy, of course, was Watergate wiretapper Richard Nixon.

This book builds its case from statistics about the percentage of wiretaps that result in convictions and the cost of tapping, and it reaches the conclusion that not only does wiretapping invade privacy, but the money used to pay for it could be better spent on other, more effective law enforcement methods.

Recently, we have technologies that make would-be privacy invaders' jobs harder: things like fiber optics, digital telephone switching, and easily accessible encryption. Perhaps the first mass-market secure communications technology was the STU-III device, designed in the late 1980s, which cost $1500, used DES encryption, and has sold in the hundreds of thousands. Nowadays, effective software-based encryption is easily available and free: It ships with every Web browser.

Meanwhile, the FBI has responded to all this freely available technology by lobbying Congress for laws to stop its proliferation and to add more technology that lets the FBI do what it considers to be its job. It has pushed for laws requiring phone switch makers to install "trap doors" through which the FBI could wiretap. Phone switch makers have balked at this, so far with success. The government has also tried other tactics to limit the proliferation of privacy-protection technology, such as the Clipper Chip and export controls on public-key encryption.

Privacy on the Line ends with the conclusion that online privacy protection is necessary to maintain historic human levels of privacy. In the days before electronic communications media, achieving privacy was easy. It was physically difficult for anyone to intercept a message delivered by letter or voice conversation. But as more and more human interaction takes place over electronic media, it becomes less and less possible to guarantee one's privacy; therefore we must restore the balance through encryption technology.

I would love to be able to say nicer things about this book, given my various personal connections with it: Whitfield Diffie works for the same company as I, Susan Landau is a professor at the graduate school I attended, and I played a minor role in the STU-III project 12 years ago.

Yet as interesting and meticulously researched as the book is, it is a struggle to read. The authors' dense academic style smothers the book's impact. It's fairly obvious that, despite their "what kind of society do we want to be?" hand-waving, Diffie and Landau are passionate advocates of privacy protection through encryption and of denying law enforcement most of its special privacy-invasion rights. If only they allowed themselves to express this passion as the overarching theme of Privacy on the Line, it would have been a much more compelling work.

Cryptography without confusion: A contest
Cryptography is a topic that is taking on greater and greater importance nowadays, on the Internet and elsewhere. The subject ought to be tractable. So why is it that every nontrivial piece of writing I read about cryptography leaves me either bored or numb with befuddlement? This stuff couldn't be any harder to read if it were run through a 128-bit triple-DES algorithm.

When will someone write a book on cryptography that is clear, understandable to a somewhat technical audience, does not read like a government tax accounting manual, and yet thoroughly covers the topic? Is cryptography really one of those subjects that has an event horizon such that, once you cross it, it becomes a black hole?

I refuse to believe it. Surely there must be something readable out there. If you've read such a book, e-mail me its title. I will look at all entries (where I can find them), select a winner (if I feel there is one), and review it in a future column. The winner will receive a highly coveted SunWorld Mini Maglite. Good luck!

Title: Privacy on the Line: The Politics of Wiretapping and Encryption
Authors: Whitfield Diffie and Susan Landau
Publisher: MIT Press
ISBN: 0262041677
List price: $25.00


