US crypto plan aims to bug PCs
'Plumbers' to be legalised -- if it gets through Congress...
Crypto works the same horrifying voodoo on government control-freaks the world over, but cultural distinctions will colour their response. If the British Nanny State would become a cruel bully, its American companion aspires to become a twitchy, sweaty sneak thief. Or such is the impression we get from the Department of Justice's recent draft proposal for what it calls a "Cyberspace Electronic Security Act".
Whereas Her Majesty's Government might rudely chuck you into the slammer for defying a warrant to decrypt files it chooses to examine and be done with you, Auntie Sam prefers to tiptoe into your house under cover of night and secretly install a device or an application to disable your crypto scripts and record your online communications and personal files in plain text.
This would be made possible by expanding a little-used law enabling the Feds to obtain a warrant to sneak into private premises and install hidden listening devices. Only 50 such warrants were issued last year in the US, making it perhaps the least popular law-enforcement tactic known. It's a bit clumsy: the first warrant merely authorises installation of the device; a second warrant is required to examine the evidence it collects. For the proposed PC bug, a "recovery agent" would perform the dirty deed and maintain the data in a secure manner until such time as a judge empowers a law-enforcement agent or an officer of the court to view it.
We weren't sure just what's meant by a "recovery agent". Is it some spymaster sysadmin working for our local ISP? A local police detective posing as an incontinent computer repairman cheerfully performing "free system upgrades"? A cat burglar who owes the DoJ a favour? The DoJ wasn't quite sure either. This is one of the bits of the proposal still being worked out.
It would be fair to imagine that a recovery agent could be any of the above, but most likely a lab-coated technician examining a confiscated hard drive for potential evidence in a more-or-less IT workshop environment down at police HQ.
American libertarians are alarmed, but we find the proposal more comical than sinister. We were much amused by Assistant Attorney General Jon Jennings' letter to House Speaker Dennis Hastert, entreating him to drum up congressional support for the scheme. Jennings appeals to the need for speedy action in such emergencies as "stopping a terrorist attack or seeking to recover a kidnapped child, [where] time is of the essence and may mean the difference between success and catastrophic failure." The Reno DoJ rarely fails to exploit the vast American cult of infant worship when paddling near the falls with due process, and there we have a classic example. Nice try, but in situations where a kidnapper's computer can be located and physically modified without his knowledge, finding the brat would be a no-brainer. Or does the DoJ expect kidnappers to communicate ransom demands to traumatised parents via ICQ?
The most amusing flaw in this plan is not legal but rational. Auntie Sam may have got herself so worked up over innocent children in bondage that she fails to grasp the obvious: users sophisticated enough to employ IT in high-level crime are those least likely to be tripped up by an anti-crypto application, or the sudden materialisation within their computers of an unidentified black box.
But what are the Feds to do? The Reno DoJ has been in fits over crypto for the past three years. Its preferred goal is to assemble a library of keys to be used as needed, but Congress has thus far been dragging its feet as only Congress can. This proposal may be something of a "Plan B" for Justice in case it fails to achieve the Holy Grail.
To be fair, the surreptitious installation of applications and devices would be a most unusual tactic under the proposal. The act, if it were passed, would be used chiefly to prevent any data not considered evidence from being made available to law enforcement agents. Sound paradoxical? Not at all: this is a pre-emptive strike at legal objections which might convince a judge that seizing a computer exposes too much of its owner's private data to law enforcement agents. Hence the clause, "recovery information shall be used to decrypt data and communications only as specified in the order, warrant, or other determination."
These limitations are standard in US law, stretching back to the Constitution. Article IV of the Bill of Rights states in delightfully unambiguous language that, "no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." In other words, if the police serve a warrant to search your flat for a stolen piano, they've got no business mucking about in your medicine cupboard. The seizing of a computer and subsequent wholesale decrypting of its contents would amount to searching the medicine cupboard for a stolen piano, and no decent judge would authorise it.
What Justice is aiming at here is not the authority to seek a warrant to seize or otherwise monitor a computer -- it already has that authority. The real aim here is to improve the odds that a judge would issue a warrant upon request, simply by limiting the amount and kinds of information to be revealed. It's an extremely clever tactic.
When Congress returns from holiday in September, the DoJ will comb the Hill in search of a sponsor for this, its newest siege engine against the crypto bastion.
Certainly there are members with simplistic enough law-and-order mentalities to bite the hook; but a bill such as this would be political poison to most, and the chance it would pass both houses is remote. The mainstream press have already stigmatised it as blanket authorisation for a plethora of black-bag jobs.
A pity, really. If the alarmists would take a moment to think clearly, it would soon dawn on them that bureaucratic confusion, government incompetence, and jurisdictional disputes will render this amusing bit of legislation harmless, at least in comparison to the alternative. ®