Why You Should Use it.
Why the Feds Want it Stopped.
October 10, 1999
Mankind has been encrypting messages and important private information since at least the time of the Pharaohs. The first known cipher was produced about 1900 BC, by an Egyptian scribe, who used non-standard hieroglyphs in an inscription. Julius Caesar used a simple letter-shift cipher in government communications around 60 BC. Several great pairs of lovers are said to have used ciphers in their communications, to keep their affairs secret. Even so, encryption is most often associated with the military or governments.
Today, banks, stock markets and other financial institutions, as well as international business and e-business use strong encryption as an essential part of their day-to-day operations. Every time that you see a secure internet page, your browser uses its internal encryption mechanism to communicate with that site. Also, millions of individuals worldwide now use the popular PGP (Pretty Good Privacy) encryption program to secure their personal communications. In fact, Microsoft Outlook, Microsoft Entourage, Mac Mail and a host of other email programs can be easily configured to automatically encrypt mail to those with a published PGP key and decrypt and verify signatures of PGP encrypted email. (You can download PGP freeware here or their commercial products here.)
But, before we go any further, you must understand that there is one truism about encryption.
>>> ANY CODE CAN BE BROKEN! <<<
During World War II, the Germans thought that they had created an unbreakable code, designated by the British as "ULTRA". Encryption and decryption were accomplished with what is called the "Enigma Machine". Fortunately, the Germans were wrong and codebreakers in Poland and at Bletchley Park, England managed to break each major permutation of the German ULTRA code. Throughout the war we were, in effect, reading most of their mail.
On the other side of the world, only six months after Pearl Harbor, the United States Navy dealt the Japanese the most stunning naval defeat in history. Due almost exclusively to the fact that the US codebreakers had deciphered the Japanese "JN25" military code just two months earlier and knew where the Japanese were planning to attack, the weakened US Navy positioned their three remaining Pacific carriers near Midway and lay in wait. Severely outnumbered, the US Navy bombers sunk three Japanese front line carriers in four minutes and sunk a fourth carrier a few hours later, representing a total loss of over 3000 men. The US lost only one carrier. The decisively superior Japanese task force lost the battle that turned the tide of the war in the Pacific, only six months after Pearl Harbor, because US codebreakers were able to give the decimated US fleet the advantage of surprise at Midway. The lesson to be learned is, ANY CODE CAN BE BROKEN.
So Why Should You Use Encryption?
Encryption can only make it difficult for an unauthorized party to access the source data and delay the exposure of that data to unintended persons. Today, even the military expects that sooner or later, today's codes will be broken. Breaking the German "Enigma" codes sometimes took months. With today's computers and deciphering programs, that process would only take seconds. Ten years from now, the best of today's codes will be broken as easily. For that reason, encryption should only be considered to be a temporary tool for securing data.
You should use encryption to keep out prying eyes. Let me ask you, when you are out of town and use the US Mail to send a letter back to your better half, do you seal it? Of course you do. Why? The obvious answer is that you don't want some weirdo at the post office reading your private correspondence. You put your mail in an envelope and seal it, because you want to make it unlikely that anyone, whose hands it passes through will read it. That envelope does not insure that your letter will not be read by anybody except the recipient, It just makes it UNLIKELY.
The Email Equivalent of an Envelope
Think of Encryption as the email equivalent of an envelope. In the past, anyone wanting to read your mail would have to physically steam open EVERY piece of your mail, read it and reseal it. Just the time required to read, even unsealed mail, made that unlikely. Now, with the proliferation of email, a new problem has emerged.
An email message that is sent in clear text over the Internet from your office to your home across the street may pass through 6, 8, 10 or more computers. Each of those computers has at least one person who has "Postmaster" privileges. If any one (or several) of those persons wants to scan EVERY piece of mail that crosses his system for certain types of words, he can easily have the computer do it for him. All that he has to do is have the computer make a copy of any email that may be of interest to him, before sending it on to its destination.
If just one of the several people at each server along the way is looking for financial information, he will simply have the computer make a copy any email that contains words such as "Social Security Number", "SS#", numbers in the form 999-99-9999 (Social Security numbers), "Amex" (or other credit card names) or 9999-9999-9999-9999 (Visa, MasterCard numbers) and so on. A sex pervert might search for words like "sex", "love", "bed", "body", etc. Then, all he has to do at the end of the day is download those files and read them at home. The only files that he physically reads are only those that are likely to contain what he is looking for.
In other words, the Internet has made it possible for one person to scan thousands or even millions of email messages per day, increasing the likelihood that some or all of your email will be scanned by someone, somewhere. And we have not even begun to considered how government agencies can and do use this technology.
Encryption is the email equivalent of an envelope. Even weak encryption will prevent most Internet postmasters from being able to scan your email. Strong encryption will prevent even the more advanced hackers from being able to scan your email. If the government wanted to break your encryption, they probably could, in time. But, that would require costly computer time which would leave an accounting trail, so they would not be likely to do so if they did not have a Court Order to read your email. By encrypting your email, you have in effect, put it in an electronic envelope and sealed it. It also serves to keep the Feds honest, which is becoming an important issue what with Bush's warrantless searches.
An Added Benefit
Using such modern methods of encryption as the de-facto standard, PGP, you can electronically sign your email and other files in such a way that the reader can verify conclusively that the file was written, sent or verified by you and nobody else. The chances that someone could forge a PGP signature are much less than the chances that someone could forge your written signature. Many wives learn to forge their husband's signature so well that handwriting analysts sometimes cannot tell the difference. To forge a PGP signature would require weeks of expensive supercomputer time. Even though a man's wife might have physical access to his computer, if he does not tell her his PGP password, then even she cannot forge his PGP signature (unless, of course, she is a world class hacker).
To give you an idea of how secure the experts believe PGP signatures are, Network Associates, who administers the US Domain Name Registration process on the Internet, uses PGP signatures to verify change requests to Domain Registrations.
Government Suppression of Encryption Technology
The United States Government, through various agencies, is doing everything in their power to thwart the use and spread of strong Encryption Technology. Many people may remember the government's push to create the "Clipper Chip" a few years ago. The concept was to create this chip that would use strong encryption to encrypt and decrypt data faster than any software program. Hey, what could be wrong with that?
The glaring problem with the "Clipper Chip" was that the US government would have what was referred to as an "Escrowed Key" to EVERY "Clipper Chip". In other words, they would be able to use their Escrowed Key to read your email and private files as easily as you could. But, to make matters worse, they planned to make the use of any other form of encryption illegal. Fortunately, the project fell apart when it was discovered that hackers could easily bypass the chip's security and subvert its use. Oops!
Actually, that is the problem with EVERY Escrowed Key System. Furthermore, it was pointed out that a government agency might get Court Ordered Access to the Escrowed Key for a legitimate use once and then use that key at a later date without gaining a Court Order. Big Oops!
But that has not stopped the US government from doing everything that they can to thwart the widespread use of Encryption Technology. There have even been attempts by federal law enforcement agencies to make the simple use of Encryption Technology sufficient cause for obtaining Court Ordered Surveillance. These attempts failed (at least, to my knowledge). But, the fact that they were even attempted shows how arrogant and autocratic these agencies have become.
To top it off, the US government has placed severe restrictions on the export of Encryption Technology. There is no good reason for such export restrictions. The fact is that foreign Encryption Technology is at least as good as US Encryption Technology. The only possible reason for such export restrictions is to intimidate US citizens who may have offshore investments. Did I mention that they had become arrogant and autocratic?
Indiscriminate Monitoring of US Citizens' Communications
Until recently, the indiscriminate monitoring of communications would have been so difficult and would have required such enormous amounts of manpower that it was not feasible. But, with the evolution of digital technologies like the Internet and high quality OCR (Optical Character Recognition) for fax communications, such monitoring has not only become easy, but has even become commonplace (see Echelon, below).
A voice recognition system called "Oratory" has even been used with limited effectiveness at spotting certain key words in intercepted telephone conversations.
Now that effective Encryption Technology threatens to take this indiscriminate monitoring capability away from them, these out-of-control government agencies are in a panic. It's sort of like discovering that your 2-year-old got into the cookie jar and has already eaten a dozen cookies and now you have to take the cookie jar away from him. He may throw a fit, but you have to do it.
Or How Governments Get Around Their Own Laws
(This is SCARY!)
Since 1947, the United States, along with several of our World War II Allies, under the secret UKUSA Agreement, has been engaged in the monitoring of its own citizens, under the project name of "Echelon" (Click to learn more). The UKUSA Agreement was not acknowledged publicly until March 1999, when the Australian government confirmed that its COMINT (Communications Intelligence) organization, Defense Signals Directorate (DSD) "does co-operate with counterpart signals intelligence organizations overseas under the UKUSA relationship". We now know that the UKUSA Agreement signatory countries are the UK and the USA, with Canada, Australia and New Zealand signing as "Second Parties".
Under Echelon, the COMINT organizations of each country routinely and indiscriminately monitor countless PRIVATE phone, fax and email messages of other countries, including those of the other signatory nations.
So for example, a US businessman can find himself the target of an IRS investigation because a COMINT group in Canada intercepted an email message that he sent to his US attorney, asking if a certain tax structure was legal. The Canadian COMINT group intercepts the message and, in the spirit of "cooperating" with its US counterparts, then forwards that information, legally obtained in Canada, to the US authorities, who are legally allowed to accept unsolicited information about its citizens from foreign governments. In doing so, the US law enforcement agencies are, in effect, routinely receiving exactly the same type of indiscriminate information about US citizens that they are specifically prohibited from obtaining themselves under the 4th Amendment to the Constitution, prohibiting unwarranted search and seizure.
In other words, the US authorities are, through third parties, indiscriminately monitoring their own citizenry without the backing of a court ordered wiretap. But, since that information is obtained from a foreign source, the US agencies are able to claim that they are not engaged in such routine and indiscriminate monitoring of US citizens. They simply claim, quite truthfully I might add, that they received a tip from foreign law enforcement authorities.
By the way, this works the same way in reverse. The USA shares such collected information about the citizens of the other signatory nations with those nations, as well. So, if you make a sarcastic remark in an email to a friend, stating that you will have to pick up a kilo or two next week, you will likely find yourself the target of a federal investigation for drug trafficking. They will even be able to obtain a Court Order for a wiretap on your house, since they are "cooperating with a drug investigation of a foreign government involving a US citizen."
Besides our own government monitoring everything that we send over the wires, there at least 30 other nations operating major COMINT organizations. The Russian FAPSI, with over 54,000 employees is the largest and operates large ground stations in Cuba, among other places. Guess who they are monitoring. Germany's BND and France's DGSE allegedly operate a collection site at Kourou, Guyana, targeted on American and South American satellite communications. Even the Swiss intelligence service has recently announced a plan for two COMSAT interception stations. On top of all of this, there are countless criminal organizations that are scanning email for Social Security numbers and credit card numbers. What this all boils down to is that the chances are very strong that:
Someone You Don't Know Is Reading Your Email.
With over 30 countries spending BILLIONS of DOLLARS every year on the indiscriminate monitoring of all types of private (non-governmental) communications and countless criminal monitoring schemes, it is very likely that a good portion of your email is being scanned by somebody in one or more of those organizations.
Since the passage of the Patriot Act and more recently, Bush's warrantless searches, it is entirely possible that if some normal action of yours trips some government profile, you could become a victim of a "Sneak and Peak" warrant. In fact, because of the very nature of sneak and peak warrants, you may already have been a victim of a "Sneak and Peak" search and don't even know it.
The point of all of this is that:
If You Are Not Using Encryption,
YOU HAVE NO PRIVACY.
There are three things that every one of us should do.
Download PGP now and use it whenever you can. If you have a PC, begin by encrypting the files on your hard drive, with PGP. If you have a Mac, it is easier and faster to use the "File Vault" that is in your Security Preference Panel. Either way, configure your email to use PGP.
Get your friends and associates to use PGP in their communications with you. The more people who use Encryption, the harder it will be for the government to outlaw it.
Contact your Congressman and Senators and tell them that you support the lifting of export restrictions on Encryption Technology.