SUMMER SALE — 20% off everything but our deeply discounted vogels!

Privacy in the Digital Age

By Curtis Lang on Apr 2, 1994

Originally published in New Media Magazine

(First published in the April 1994 issue of New Media)

    Welcome to the digital frontier, where network by network, metaphor by metaphor, a splendid, global, multimedia palace is being built through trial and error.  You won't need to take a long and winding road to this frontier, though, it's coming soon to your home.  You'll know it has arrived when you can read messages on your telephone, have a dialogue with your television and watch beautiful movies on your PC.

    AT&T has already established a giant encampment on this digital frontier, and it is now concentrating on building a virtual community.  In advertisements, the company paints seductive pictures of fully wired--and wireless--consumers interacting in the cyberspace equivalent of Hemingway's clean, well-lighted place.  A happy couple in a jumbo kitchen uses a computerized telephone to take and receive electronic messages and make reservations for the ball game.  A nomadic businessman in an airport shuttle bus tells his PDA how much he's willing to spend on a used car for his son, what makes he prefers and the maximum acceptable mileage.  He sends his PDA on a shopping trip around the region with a single touch.

    It all sounds thrilling--empowering for consumers and businesses alike.  But in the 21st-century world of interactive television, broadband Internet access and ubiquitous multipurpose communications gizmos, every message you send and each dollar you spend could be an unbidden messenger as well.  Electronic traces of your passage will remain in data banks of cable, telephone and on-line service providers.  And the government wants to install a trap door in software and hardware used to encrypt messages and data from medical smart cards, IRS records, digital cash transfers and plain old e-mail.

    These databases will be digital gold in the world of direct marketing, where vendors and advertisers will tailor special offers to individuals based upon this information and deliver coupons that will issue from your smart cable TV set-top box.  What's to prevent unscrupulous third parties—or underpaid government workers with access to the software trap door--from obtaining information that could be used to harm consumers?  Not much, judging from stories like that of black-data buccaneer Al Schweitzer, who bought and sold confidential government files for a living (see "Penetrating Uncle Sam's Data," page 68).  Unless government agencies, infrastructure suppliers, software wizards and producers of programming can guarantee privacy in the rapidly expanding web of cyberspace, it may be impossible for the trust upon which a virtual community depends to develop sufficiently to make the grand digital experiment a success.

    Without this assurance there will be no secure business communications, and the kind of transactional data that is currently gathered by insurance firms, credit companies and banks might fall into the hands of anyone with the skills to track it across the global network.  Security of transactions over cable networks is already a concern to American consumers, according to surveys by Viacom Cable and others.  And the lack of secure transaction methods may already be hampering buying and selling via modem.  Consumer's unwillingness to put it on their Visa when traveling in cyberspace has slowed public acceptance of such services as American Airlines' Easy Sabre ticket service, available on Prodigy, America Online and other on-line services.  Consumers, like businesses, are  eager to take advantage of the digital highway, but they are leery of financial data and other sensitive information falling into the wrong hands.Encryption may be the key

When you make a phone call or send a letter, you can be fairly certain that the contents of your communications will remain private.  Such trust makes our postal and phone systems possible. AT&T hopes to give customers that same sense of security about wireless communications.  It is the first company to implement General Magic's new Telescript communications software in its PersonaLink Services, which will be the foundation for AT&T's multimedia web of services that include smart messaging, electronic shopping and custom news delivery.

    "Telescript...is a technology which creates something called agent-based communication," explained Marc Porat, chairman and CEO of General Magic, at a winter conference on electronic consumer appliances in New York.  Such software agents will be able to travel throughout wired and wireless networks searching for information, like-minded individuals or bargain prices on PCs.  Agents will act as your virtual doorman, your e-mail bozo filter, tossing mail on subjects you nix into the trash.

    "General Magic is a really good idea," contends Jerry Michalski of the industry newsletter, Release 1.0.  "You can create a little agent that... [will] go out there and look for things for you.  Let's say you're a stamp collector--it can look for a particular kind of stamp, or a bubble-gum card or whatever, and maybe even buy the thing for you automatically.  Now, gosh, you're putting that upon AT&T's network.  They could find out within very small fractions of activity what you're doing, what your preferences are, what kind of agents you've decided to broadcast into the world.  So you're only going to do that if you have some kind of confidence that they're not going to misuse that information."

    To that end, AT&T and General Magic intend to set up "trusted spaces," secure virtual meeting rooms where your agent can meet with another agent, representing a vendor or an individual, and communicate, shop, cut deals or consummate business transactions free from prying software.

    But what about the security of these networks?  And how will you know the identity of the entity lurking behind the virtual agent that your virtual agent is schmoozing up in supposedly secure cyberspace?

    "Most wireless communications systems are security nightmares," says Jim Bidzos, president of RSA Data Security Inc., a giant in the global cryptography business.  "They have no real encryption, no authentication.... General Magic realized that for a lot of people, wireless services of any kind simply can't be trusted.  So they built RSA encryption and authentication services right into the foundation of Telescript and Magic Cap [the interface for General Magic's PDA]."

A Different View

Advocates of civil liberties such as the cypherpunks, the grassroots encryption experts who have developed widely distributed personal encryption shareware for e-mail, worry that even in such a security-conscious system, the government will find a way to snoop.  They see alternatives to AT&T's vision of tomorrow.

   "The issue of digital money is going to be key," argues Tim May, "so that people can buy access codes."  May, formerly a physicist with Intel and one of the most visible cypherpunks, envisions a future i n which digital cash is used for most transactions.  In such a system encryption schemes would be floating through the computer community that could make most financial transactions virtually untraceable.   "Imagine a satellite dish on your roof," he continues.  "You decide to buy an X-rated movie, and you don't want records kept of that on your monthly bill.  [There will be] mechanisms by which you can buy  coupons' that are usable on a one-time basis to decrypt a packet, and the vendor of the service--say, the seller of the X-rated movie--has no idea that you, in particular, are decrypting his packet.  I think that'll be essential."

Do You Trust Uncle Sam?

After months of review, during which a torrent of digital complaints flooded the White House from multinational corporations, the Software Publishers Association, cypherpunks and civil libertarians, President Clinton announced that he wants the National Security Agency (NSA) to implement secret standards for encryption to be used in computerized communications systems to facilitate e-mail surveillance.

    The Computer Security Act of 1987 mandated that the National Institute of Standards and Technology (NIST), a civilian agency, develop appropriate standards for digital communications networks.  At the time it was clear that there would be a need for digital envelopes (cryptography), digital signatures and other technologies to provide security and enable legally enforceable digital transactions on the Internet, and eventually across fiber-optic cables and wireless systems connected to telephones, computers, TVs and PDAs.  However, during the Bush administration, a series of executive orders placed authority for developing those standards in the hands of the NSA, America's largest and most secretive spy organization, which has a checkered history that includes a large-scale illegal surveillance of Americans.  Thus it was no surprise that the agency's proposal to provide digital encryption systems focused on easy wiretap surveillance rather than privacy, security and other civilian needs.

    The NSA produced a 64-bit encryption algorithm, classified "Secret" and called Skipjack.  The NSA declined to make the algorithm public, prompting concern that, given the NSA's track record, there might be a "trap door" in Skipjack that would allow secret surveillance of all Skipjack-encoded messages.  In April 1993, the White House outlined plans for a microcircuit called the Clipper chip, which would scramble telephone conversations.  Each chip, encoded with Skipjack, would generate an encryption session key, a chip unique key and a chip family key, all of which are sent to the receiver. The White House asks users to register their chip unique key with the government, which will then split each key into two parts and "escrow" the parts with two different gencies, so that law enforcement agencies can unscramble suspects' messages.Surveillance on the Upswing

The White House claims that the system would be used by government officials with legal authorization to conduct wiretaps and thus represents no intensification of government surveillance. But in NIST's letter inviting five hand-picked cryptography experts to do a quick survey of Skipjack, the agency says that key components will be made available "only to authorized government officials under proper legal authorizations, usually a court order."

    They said usually, not always.  The distinction was not accidental.  For the last several years, the FBI has been increasing its surveillance of all Americans at a dizzying pace as part of a mind-boggling expansion of its powers and activities.  This includes increased access to computerized data on Americans, which now often no longer requires a court order to be accessed.  The Bush average of 332 wiretap applications per year was double that of the Reagan administration, and state agencies' wiretaps also increased during the Bush years.  Despite the rapid increase of such requests, wiretaps are far from widespread, and according to the June 1993 issue of the Privacy Journal, the FBI has publicized no instances in which its investigations were hampered because a suspect had used encrypted e-mail or other digital security devices.

    The Clinton administration asked for an amendment to the Fair Credit Reporting Act that would allow the FBI to obtain credit information, without a court order, by issuing a "national security letter."   The rationale is that although the FBI has access to your bank records, it will not know which banks' records to obtain without ready access to your credit reports, as David MacMichael reports in the National Security Alumni Association Magazine, Unclassified (October/November 1993).Operation Root Canal

Meanwhile, the FBI continues to move forward with "Operation Root Canal," also known as the 1992 Digital Telephony Proposal, which encourages service and equipment providers to design their computerized systems in such a way that the government can easily "obtain the plain text contents of voice, data and other communications," according to FBI memoranda obtained by the nonprofit Computer Professionals for Social Responsibility (CPSR) from the Commerce Department in November of last year.

    The threat of the Digital Telephony Proposal to telecommunications companies is very real. CPSR reported that Rep. Jack Brooks, a Texas Democrat, said that Root Canal "could obstruct or distort telecommunications technology development by limiting fiber-optic transmission, ISDN, digital cellular services and other technologies until they are modified...and could impair the security of business communications...could facilitate not only lawful government interception, but unlawful interception by others [and] could impose on industries' ability to offer new services and technologies."

    And the NSA, which oversees export-control regulations of weapons of war—including encryption products--has signaled its intent to prevent grassroots cryptography from enlisting enough users to constitute a de facto standard.  Recently Phil Zimmerman, the creator of Pretty Good Privacy, a popular and widely available piece of encryption shareware, was busted for export-control violations (see "Penetrating Uncle Sam's Data," below).  After all, if everyone has access to encryption techniques, when law enforcement agencies decrypt the Skipper algorithm on someone's intercepted message, they'll find a secondary layer of encryption that could be more difficult to crack.  That would render Skipjack pointless; some Clinton critics worry that the logical outcome of Skipjack implementation will be the criminalization of other forms of encryption.

    Never mind the implications for secure business communications.  With a government-imposed Skipjack standard, the feds would be able to do something they have never been able to do before--easily conduct mass surveillance.

The Right to Privacy

"No right of private conversation was enumerated in the Constitution," said Sun Microsystems' Whitfield Diffie, one of the pioneers of modern civilian encryption, in June 1993 testimony before the House Subcommittee on Telecommunications and Finance.  "I don't suppose it occurred to anyone at the time that it could be prevented.  Now, however, we are on the verge of a world in which electronic communication is both so good and so inexpensive that intimate business and personal relationships will flourish between parties who can, at most, occasionally afford the luxury of traveling to visit each other.  If we do not accept the right of these people to protect the privacy of their communication, we take a long step in the direction of a world in which privacy will belong only to the rich."

    Canada and most European countries regulate public and private data collection.  By contrast, direct marketers and credit and insurance companies in the United States are able to obtain large amounts of data about the buying habits and lifestyles of most citizens.  U.S. law provides no redress for the individual who complains of privacy violations, other than the right to sue the violator.

    That great amounts of information are being gathered about each of us is hardly news.  And the evidence that privacy has become a commodity has been accumulating for years.  Want an unlisted number?  You pay for it.  Want to restrict direct marketers' ability to target you over cable TV?  You may pay again.

    "If you don't want to be intruded on at home, don't have a home phone," advises Esther Dyson, a policy consultant on all things digital for the Clinton administration.  "Which is what I do.   If you really are worried about this, take action.  That's very difficult on a lot of things, but people sort of act like they're helpless, and they're not."

While the media and the feds focus on the dangers to the digital superhighway posed by hackers and illegitimate purveyors of Pretty Good Privacy, (a public key encryption program originally made available on the Internet), a potentially greater threat goes unnoticed.  Apparently, the government can't keep its data to itself.  The case of Al Schweitzer proves that conclusively.

    West Coast private eye Al Schweitzer gained fame working for The National Enquirer and other tabloids, digging up phone numbers and addresses of elusive Hollywood stars.  He made his money mainly from pulling stunts to gain access to private databases and by selling government-computer data he "acquired" from government employees on the take.  Schweitzer became the Bluebeard of America's black-data pirates, able to provide anything and everything you wanted to

know about someone that was not part of the public record.  Providing bootleg data has become a $5 billion-a-year industry, so Schweitzer is hardly a lone wolf; he calculates his client list at 500 private investigators, "plus corporate America."

    "Bank [records], credit card activity, long-distance tolls, nonpublished addresses can all be done by pretext," Schweitzer brags.  With the help of a far-flung network of profit-minded private detectives and their sources in corporate and governmental computer rooms around the country, Schweitzer routinely tapped into the FBI's National Crime Information Commission computer system, buying tens of thousands of records for as little as $20 a pop and selling them for a couple hundred dollars each.  Social Security files and military files became big business for Schweitzer, who earned several million dollars during three years of doing business in the netherworld of black-data retrieval.

    In 1991, Schweitzer, his wife and 17 others were charged with stealing information from government computers.  Schweitzer was found to have sources everywhere: at local sheriff's offices, in the Secret Service computer room, on a military base in Indiana and in the U.S. Attorney's office in St. Croix, Virgin Islands.  Only Schweitzer and two others received prison sentences; their far-flungnetwork of contacts remains untouched. 

    To sum up, in the immortal words of Count Niccol• Machiavelli, counselor of princes: "Only those means of security are good, are certain, are lasting, that depend on yourself and your own vigor."  We have seen the future, where everyone plays James Bond in the palatial network that composes tomorrow's worldwide digital web.  In such a world, the Count could become a best-selling author again.

Curtis Lang has written about multimedia for Advertising Age, Worth and other magazines.