US crypto plan aims to bug PCs

'Plumbers' to be legalised -- if it gets through Congress...


Crypto works the same horrifying voodoo on government control-freaks the world over, but cultural distinctions will colour their response. If the British Nanny State would become a cruel bully, its American companion aspires to become a twitchy, sweaty sneak thief. Or such is the impression we get from the Department of Justice's recent draft proposal for what it calls a "Cyberspace Electronic Security Act".

Whereas Her Majesty's Government might rudely chuck you into the slammer for defying a warrant to decrypt files it chooses to examine and be done with you, Auntie Sam prefers to tiptoe into your house under cover of night and secretly install a device or an application to disable your crypto scripts and record your online communications and personal files in plain text.

This would be made possible by expanding a little-used law enabling the Feds to obtain a warrant to sneak into private premises and install hidden listening devices. Only 50 such warrants were issued last year in the US, making it perhaps the least popular law-enforcement tactic known. It's a bit clumsy: the first warrant merely authorises installation of the device; a second warrant is required to examine the evidence it collects.

For the proposed PC bug, a "recovery agent" would perform the dirty deed and maintain the data in a secure manner until such time as a judge empowers a law-enforcement agent or an officer of the court to view it.

We weren't sure just what's meant by a "recovery agent". Is it some spymaster sysadmin working for our local ISP? A local police detective posing as an incontinent computer repairman cheerfully performing "free system upgrades"? A cat burglar who owes the DoJ a favour? The DoJ wasn't quite sure either. This is one of the bits of the proposal still being worked out.

It would be fair to imagine that a recovery agent could be any of the above, but most likely a lab-coated technician examining a confiscated hard drive for potential evidence in a more-or-less IT workshop environment down at police HQ.

American libertarians are alarmed, but we find the proposal more comical than sinister. We were much amused by Assistant Attorney General Jon Jennings' letter to House Speaker Dennis Hastert, entreating him to drum up congressional support for the scheme. Jennings appeals to the need for speedy action in such emergencies as "stopping a terrorist attack or seeking to recover a kidnapped child, [where] time is of the essence and may mean the difference between success and catastrophic failure."

The Reno DoJ rarely fails to exploit the vast American cult of infant worship when paddling near the falls with due process, and there we have a classic example. Nice try, but in situations where a kidnapper's computer can be located and physically modified without his knowledge, finding the brat would be a no-brainer. Or does the DoJ expect kidnappers to communicate ransom demands to traumatised parents via ICQ?

The most amusing flaw in this plan is not legal but rational. Auntie Sam may have got herself so worked up over innocent children in bondage that she fails to grasp the obvious: users sophisticated enough to employ IT in high-level crime are those least likely to be tripped up by an anti-crypto application, or the sudden materialisation within their computers of an unidentified black box.

But what are the Feds to do? The Reno DoJ has been in fits over crypto for the past three years. Its preferred goal is to assemble a library of keys to be used as needed, but Congress has thus far been dragging its feet as only Congress can. This proposal may be something of a "Plan B" for Justice in case it fails to achieve the holy Grail.

To be fair, the surreptitious installation of applications and devices would be a most unusual tactic under the proposal. The act, if it were passed, would be used chiefly to prevent any data not considered evidence from being made available to law enforcement agents. Sound paradoxical? Not at all: this is a pre-emptive strike at legal objections which might convince a judge that seizing a computer exposes too much of its owner's private data to law enforcement agents. Hence the clause, "recovery information shall be used to decrypt data and communications only as specified in the order, warrant, or other determination."

These limitations are standard in US law, stretching back to the Constitution. Article IV of the Bill of Rights states in delightfully unambiguous language that, "no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." In other words, if the police serve a warrant to search your flat for a stolen piano, they've got no business mucking about in your medicine cupboard.

The seizing of a computer and subsequent wholesale decrypting of its contents would amount to searching the medicine cupboard for a stolen piano, and no decent judge would authorise it. What Justice is aiming at here is not the authority to seek a warrant to seize or otherwise monitor a computer -- it already has that authority. The real aim here is to improve the odds that a judge would issue a warrant upon request, simply by limiting the amount and kinds of information to be revealed. It's an extremely clever tactic.

When Congress returns from holiday in September, the DoJ will comb the Hill in search of a sponsor for this, its newest siege engine against the crypto bastion.

Certainly there are members with simplistic enough law-and-order mentalities to bite the hook; but a bill such as this would be political poison to most, and the chance it would pass both houses is remote. The mainstream press have already stigmatised it as blanket authorisation for a plethora of black-bag jobs.

A pity, really. If the alarmists would take a moment to think clearly, it would soon dawn on them that bureaucratic confusion, government incompetence, and jurisdictional disputes will render this amusing bit of legislation harmless, at least in comparison to the alternative. ®
