This (rather long) message was posted to the Internet Societal Task Force
(ISTF) discussion list.  The ISTF has recently formed a workgroup on
privacy and security which is referred to as PAPSPI.  Some of the material
discussed at the symposium on surveillance might be of interest to this
list.

---------- Forwarded message ----------
Date: Mon, 25 Sep 2000 19:22:13 +0100
From: Christian de Larrinaga <[EMAIL PROTECTED]>
Reply-To: ISTF Discussion <[EMAIL PROTECTED]>
To: ISTF Discussion <[EMAIL PROTECTED]>
Cc: "Davies,SG" <[EMAIL PROTECTED]>
Subject: News on International Forum on Surveillance by Design

Simon Davies and his colleagues at the London School of Economics provided
an excellent day on Friday. I outline a brief and subjective overview.

I was pleased to be joined during the day by ISTF colleague the newly
appointed chair to the PAPSPI Jonathan Robin.

This was an authoritative day long overview and discussion of the state of
surveillance on the Internet and telecommunications networks with a number
of noted experts in the field giving presentations.

Areas discussed are in the programme (copied below), although the running
order varied on the day.

Particular attention at the start was paid to the global picture of
interceptions by security services deployment of the Echelon network, the
French equivalent nicknamed "frenchelon" etc and many programmes by
governments around the world to establish satellite eavesdropping
technologies, undersea cable taps, microwave interceptions etc.  This moved
into more detailed information on national initiatives such as Carnivore and
the "little black box" of the RIP Act.  Vint's and other submissions on
inspecting Carnivore were not available at the conference and I did not get
an opportunity to submit.

Jon Crowcroft of UCL and the IETF / IAB gave an overview of the role of the
IETF and dismissed the ability of the security services to intercept
anything like the amount of traffic that the Internet is producing let alone
store it.

Duncan Campbell asked Jon whether this in his view hindered the potential
for governments to intercept in a more targeted way, for instance by
filtering for key headers, then for keywords etc until only a very small
subset of the original data flow is actually intercepted and then stored.
Jon Crowcroft admitted that that scenario was feasible although the
placement of intercepts on the Internet may be routed around.

There was also an interesting talk by encryption expert Dr. Ross Anderson
of Cambridge University on the security regime and comparisons of
analogue, UMTS, G3 cellular which appeared to indicate that the encryption
regime of such networks is open to interception, although to varying
degrees.

The standards work of ETSI in particular came in for a considerable critique
so much so that their use of the word "user"  being synonymous with
"security service".  Many ETSI standards documents were presented which
revealed the level of backdoors for interception built into ETSI based
standards. This contrasted very strongly with the IETF response to such
security service requests -  No. The rationale is that backdoors to
technologies create security weaknesses. ETSI standards are so defined that
they provide multi user interceptions on the basis that no two agencies
simultaneously intercepting traffic are allowed to be capable of knowing the
other is listening too!

It might be noted (but wasn't at the conference) that ETSI is one of the
standards organisations recognised as a "global" standards organisation by
ICANN.

This was followed by an exposition by Gus Hosein of the LSE and Betty Shave
of the Dept of Justice (USA) on the European Union Cybercrimes consultation.
There are issues for privacy and security of Internet users and a potential
impact on existing human rights legislation in Europe.

ISOC England will be making a submission on this when the new draft comes
through. I would be happy to see a joining of forces on this to make this a
larger perhaps ECC or ISOC submission.

I had the honour to sit next to the multi imprisoned Boris Putsinov who is
still speaking out for citizens rights and who later gave a talk on the
Russian SORM programme.

There were also up to date analyses on the Dutch and British initiatives at
internal interception laws. The Dutch in particular are preparing new draft
laws which look very intrusive if enacted.

The session ended with the sponsors providing a commercial view of how
technology is providing answers to interception attempts.

Starium presented their encryption phone which promises global protection
with built in triple DES encryption.
Zero Knowledge presented an overview of their proxy network technology
which provides an untraceable anonymous Internet underlay.


My comment

We continue to face a short term future of organised paranoia on the part of
governments and organisations.  Their determination to have access to the
information flows and data stores of our emerging hyperspatial society is
focussed on fear. Fear of losing control of society, and society becoming
subject to criminal behaviour.  This is leading agencies to commit actual
crimes by intercepting material to which they are not allowed access.
Sometimes this is inadvertent, caused by ignorance and inappropriate
technology models and sometimes it is blatant and deliberate.

The idea of "privacy" is then subsumed by the need of the greater good. We
only have privacy until we turn up in a filter, or until our webserver is
interrogated and indexed.

But answers are not being given to questions such as who is responsible?,
how do you seek redress? what sanctions can one have on those who misuse
intercepted material? What makes a fair and workable law?  Indeed laws such
as the UK RIP Act have been placed on the statute book in defiance of
technological reality, as well as privacy.

It is in anonymity that privacy can be protected and where technology plays
a role.  We are at the beginning of an arms race between privacy activists
and security agencies. I don't think this is a comfortable long term
situation. We need to find a societal resolution.

For ISTF and PAPSPI we have a challenge ahead which is to focus on the need
for privacy as a fundamental need for a successful business world and for
society globally.

It is clearly going to be difficult to convince government legislators
around the world of the relationship between a prosperous successful safe
society and the ability of its members to have privacy but it needs to be
done. We also need to point out to western governments that their actions
are being watched by other less sophisticated governments who use the
precedence to enact highly repressive legislation.

The first step is in us having access to information as to what is happening
and for this I am indebted to Simon Davies and colleagues at the LSE for
organising this event. The US Dept of Justice in particular should be
commended for attending. Although the Home Office of the UK did not and this
was a pity.  The second is to get to work.

best regards,



Christian de Larrinaga





http://www.cs.ucl.ac.uk/staff/I.Brown/ifsd.html
International Forum on Surveillance by Design
A one day public meeting on the development of global surveillance
strategies for law enforcement and national security

The Old Theatre
The London School of Economics
Houghton Street
London  WC1A 2AE

PROGRAMME
9.15 Chairman's welcome and introduction
9.25 Setting the landscape of engagement. An overview of the main players and
key initiatives: Tony Bunyan (Statewatch)
9.45 Developing the Telephone System
Chair: Steve Wright (Omega Foundation)
An overview of global National Security arrangements: Wayne Madsen (EPIC),
Duncan Campbell (IPTV)
The International Law Enforcement Telecommunications Seminar: Tony Bunyan
(Statewatch)

11.00 (De)Constructing Mobile Phone Security
Mobile phone fraud: Ross Anderson (Cambridge University)
European Telecom Standards and 'lawful interception' in the age of UMTS:
Erich Moechel (Quintessenz, Austria)

11.30 BREAK
12.00 International collaboration
Chair: Barry Steinhardt (American Civil Liberties Union)
G8 and Council of Europe action: Betty Shave (US DoJ), Gus Hosein (LSE)
Global Protocols: Jon Crowcroft (IETF)

1.00 LUNCH
2.00 National initiatives
The Russian SORM system: Boris Pustinsev (Citizens Watch, Russia)
The Regulation of Investigatory Powers Act: Ian Brown (UCL)
The Netherlands interception arrangements: Maurice Wessling (Bits of
Freedom)

3.15 BREAK
3.45 Fighting for privacy
Chair: Ian Brown
Secure telephony: Eric Blossom (Starium)
Secure Internet communications: ZeroKnowledge
Privacy Risks of PKI: Stefan Brands (ZeroKnowledge)
Unlawful conduct and the FBI Carnivore system: Kurt Wimmer (Covington and
Burling)

4.45 Industry action
Chair: Gus Hosein
Peter Harter (Securify)
Stephanie Perrin (ZeroKnowledge Systems)


Christian de Larrinaga




