13 April 1998: Add Denning message
10 April 1998: Add message and link
9 April 1998
[Selected messages from the thread]
Date: Fri, 3 Apr 1998 12:25:53 +0100
To: ukcrypto@maillist.ox.ac.uk
From: T Bruce Tober <octobersdad@reporters.net>
Subject: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison, R-19.62)
FYI
------- Forwarded message follows -------
The statement made by Carl Ellison <cme@cybercash.com>, 06 Mar 1998
(RISKS-19.62), "How come Dorothy Denning didn't find any significant use of
crypto by criminals in her survey of law enforcement officers?", is
inaccurate. The Denning-Baugh report, referenced below, did find
significant use of encryption by criminals, 500 current cases worldwide,
over 20 cases were presented in detail, and they estimate that the number is
growing at an annual rate of 50-100% (some cases from the report are listed
below). In more than one of the cases, the encrypted information could not
be deciphered by law enforcement.
The report does make clear that encryption could pose problems for law
enforcement in the future. "Our findings suggest that the total number of
criminal cases involving encryption worldwide is at least 500, with an
annual growth rate of 50 to 100 percent." And "Quite a few people are
technically sophisticated."
Instead, the study's main conclusion was that it was unable to find any
current incident where the use of cryptography significantly hindered an
investigation or prosecution. "Most of the investigators we talked to did
not find that encryption was obstructing a large number of investigations.
When encryption has been encountered, investigators have usually been able
to get the keys from the subject, crack the codes, or use other evidence,"
states the report.
The statements that criminals have not used Crypto AG or CyLink encrypting
telephones are also incorrect. The Denning-Baugh report did not even
address this topic. But, evidence was presented in the late 1980's that
possible foreign Terrorist organizations and Drug Cartels were using Crypto
AG Voice Ciphering products. According to an ex-employee's legal filings,
and "tell-all" book, Crypto AG was requested to insert flaws and weaknesses
into their equipment that could be falling into criminal hands.
An interesting observation about the report is that when encryption is
encountered by law enforcement, they are unprepared to deal with it and
forced to use in-house computer forensic specialists (with little training
in cryptography), consultants, academics, and/or private companies to attack
the problem. While the U.S. Government spends at least $7 to $10 billion
per year on "code breaking" at Military-Defense and Intelligence
organizations, under current law ("posse comitatus" on up) it is illegal for
these resources to be used for domestic law enforcement. We could change
these laws, and increase funding to these agencies to handle their new
mission? We could create similar agencies inside domestic law enforcement at
equivalent cost? Therefore, the requests by law enforcement, to promote and
have access to corporate and local Key Recovery systems, can be seen as a
low-cost solution to the problem and an effort to save money for the
U.S. taxpayer.
The cases examined include:
* "The Japanese death cult, Aum Shinrikyo, which used encryption to store
records on its computers. Authorities were able to decrypt the files in 1995
after finding the decryption key on a floppy disk. And found evidence of
plans to launch attacks in the U.S. and Japan."
* The New York subway bomber, Edward Leary, who had created his own
encryption system to scramble files on his computer. According to the
report, after Manhattan police "failed to break the encryption, the files
were sent to outside encryption experts. These experts also failed.
Eventually, the encryption was broken by a federal agency. The files
contained child pornography and personal information which was not
particularly useful to the case."
* "A police department in Maryland encountered an encrypted file in a drug
case. Allegations were raised that the subject had been involved in
document counterfeiting, and file names were consistent with formal
documents. Efforts to decrypt the files failed, however, so the conviction
was on the drug charges only."
* "The head of a California gambling ring kept his records in a commercial
accounting program encrypted with a code word. The maker of the program
refused to help law enforcement break the code, but access to the files was
gained by exploiting a weakness in the computer system. This yielded four
years of bookmaking records which resulted in a guilty plea on criminal
charges and payment of back taxes."
* The espionage case against former CIA employee Aldrich Ames, who was
directed by his Soviet handlers to encrypt computer file information that
was passed to them, "and was eventually convicted of espionage against the
U.S., was aided because the investigator handling the case was able to
decrypt Ames's files using AccessData Corp. software (an automatic
de-encryption program)."
References:
* National Strategy Information Center, Dorothy Denning and
William Baugh, "Encryption and Evolving Technologies as Tools
of Organized Crime and Terrorism," July, 1997.
* The Washington Post - WashTech, Elizabeth Corcoran, "Around
the Beltway, Encryption: Who will Hold the Key? Two Bills
Reflect the Split over Restrictions", Aug-04-1997.
* Mercury News, Simson Garfinkel, "Denning unable to confirm FBI
Assertions; alters her position", 31-Jul-1997.
Robert Perillo, CCP, CNE Richmond, VA perillo@dockmaster.ncsc.mil
Staff Computer Scientist perillo@gibraltar.ncsc.mil
[Usual disclaimers]
[The Ames case strikes me as a bad example, and a classic case of
trying to oversell the impediments of crypto, considering the long
history of incriminating phone calls in the clear and the long trail
of other evidence that would seem to have been ignored or perhaps
suppressed in an effort to gather more evidence. PGN]
tbt -- Sign all messages with non-escrowed keys, don't give in to government
tyranny. Commentary at http://www.homeusers.prestel.co.uk/crecon/Escrow.htm
--
|Bruce Tober, octobersdad@reporters.net, Birmingham, England +44-121-242-3832|
| Freelance PhotoJournalist - IT, Business, The Arts and lots more |
| Website - http://www.homeusers.prestel.co.uk/crecon/ |
| PGP Key Details follow: |
| RSA key ID 0x94F48255 Fingerprint 0907 EBCD 1B37 91F5 D15C 0D2E C617 2671 |
| DSS/DH key ID 0xB1445118 |
| DSS/DH key Fingerprint CBB5 8BF8 2CCC 9B86 41EB 1788 6930 78FB B144 5118 |
From: "Yaman Akdeniz" <lawya@lucs-01.novell.leeds.ac.uk>
To: ukcrypto@maillist.ox.ac.uk
Date: Fri, 3 Apr 1998 14:36:13 GMT0BST
Subject: Re: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison,
> The Denning-Baugh report, referenced
> below, did find significant use of encryption by criminals, 500
> current cases worldwide, over 20 cases were presented in detail, and
> they estimate that the number is growing at an annual rate of 50-100%
> (some cases from the report are listed below). In more than one of
> the cases, the encrypted information could not be deciphered by law
> enforcement.
See http://guru.cosc.georgetown.edu/~denning/crypto/index.html for
Denning's articles. The list of cases is at:
http://guru.cosc.georgetown.edu/~denning/crypto/cases.html
and as of October 1997 there are 20 cases cited and a note states that
"New cases will be added to the database as we learn about them."
So I am not sure about the 500 cases even though that is their
findings according to that joint paper (Denning & Baugh) and a
summary of that paper is available at:
http://guru.cosc.georgetown.edu/~denning/crypto/oc-abs.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Yaman Akdeniz <lawya@leeds.ac.uk>
Cyber-Rights & Cyber-Liberties (UK) at:
http://www.leeds.ac.uk/law/pgs/yaman/yaman.htm
Read CR&CL (UK) Report, 'Who Watches the Watchmen'
http://www.leeds.ac.uk/law/pgs/yaman/watchmen.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Fri, 3 Apr 1998 08:52:30 -0500
From: denning@cs.georgetown.edu (Dorothy Denning)
To: ukcrypto@maillist.ox.ac.uk
Subject: Re: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison,
This is the most relevant part of our report regarding the number of
computer forensics cases involving encryption. We made no estimate
for the number of wiretaps involving encryption.
Regards,
Dorothy
--------------
The FBI's Computer Analysis Response Team (CART) forensics lab reported
that encryption was encountered in 2% of 350 submissions to the
headquarters component in 1994 and 5-6% of 500 submissions (25-30 cases)
in 1996. This represents a quadrupling of cases from 1994 to 1996,
which averages out to an annual doubling or growth rate of 100%. A
submission could be anything ranging from a single floppy disk to
several boxes of disks or complete systems. CART also estimated that
about 5-6% of the 1,500 cases handled in the field involved encryption,
the largest categories being child pornography and computer crime cases.
This corresponds to about 75-90 cases. It does not include cases
handled by other federal law enforcement agencies, including the Drug
Enforcement Administration (DEA), Treasury (Secret Service, Customs, and
IRS), or state and local law enforcement agencies. It also excludes
national security cases (foreign intelligence, counter-intelligence, and
defense cases) and cases involving intercepts of encrypted telephone
communications. In his March 19 testimony before the Senate Committee
on Commerce, Science, and Transportation, FBI Director Louis Freeh
reported that the number of requests for decryption assistance
pertaining to communications interceptions had risen steadily over the
past several years [Freeh 97].
...
There is no central database recording the number of encryption cases
handled nationally or globally, or indeed even the number of computer
forensics cases. Mark Pollitt, program manager of CART, estimates there
are at least 5,000 computer forensics cases nationally, up to a maximum
of 10,000. World-wide, he estimates anywhere from 10,000 up to 20,000
cases. If about 5% of those involve encryption, then the total number
of cases would be 250 to 500 nationally and 500 to 1,000 globally. Eric
Thompson, president of AccessData Corporation, estimates that the total
number of cases involving encryption is on the order of 1,000 to 5,000.
The rate of 5,000 would be about a quarter to one half of all computer
forensics cases globally. This is a higher percentage than reported by
CART for the U.S., but it is lower than the near 100% figure attributed
to recent cases in Northern England. Thompson also estimates that at
least 100-200 are child pornography cases involving just PGP.
Date: Sat, 4 Apr 1998 6:41 +0000 (GMT)
From: hcorn@cix.co.uk (Peter Sommer)
Subject: Re: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison,
To: ukcrypto@maillist.ox.ac.uk
The problem with the Denning / Baugh report is that some of the "cases"
are very difficult to verify. For example: the London Cryptoviral
extortion is attributed to "McCormack96" which turns out to be Elsevier's
Computer Fraud & Security newsletter (for which I am listed as an advisor,
btw) but the newsletter article is just a rehash of a discredited London
Sunday Times piece; few people here in London now believe the story. The
"Cali cartel" story, checked back to the cited source, has few details.
Nothing is cited for "Terrorist attacks on business". Emma Nicholson,
the former UK MP and presenter of the failed Anti-Hacking Bill and cited
as a source for a "British blackmailer" never produced her "large
dossier" of cases for any scrutiny.
There is simply too much unsupported "there is a rumor.." "we have also
heard..."
Academics, however distinguished, really should do more than simply
repeat convenient rumours.
On the question of CART's estimates of the numbers of computer forensics
cases - how on earth can anyone know? I don't publish the details of most
of the ones I handle - some of the criminal defence cases end up as guilty
pleas or are dropped by the prosecution before trial so that there is no
way anyone can guess whether computer forensics played a part or not. For
civil cases it is even more difficult to tell. Even though I know a fair
number of people in this field here in the UK I couldn't even begin to
make an estimate - there are 44 police forces, Customs & Excise have a
large specialist unit, many of the forensics labs now have facilities,
there are some private practitioners. As Donn Parker says, why do
people persist in providing "statistics" when it is obviously almost
impossible to produce anything remotely worthwhile?
FWIW: I have come across a few instances of encrypted or
partially-encrypted disks but none of encrypted comms.
|----> Peter Sommer ------------------------------------------->|
|----> hcorn@cix.co.uk P.M.Sommer@lse.ac.uk ------------------>|
|----> Academic URL: http://csrc.lse.ac.uk/csrc/pmscv.htm ----->|
|----> Commercial URL: http://www.virtualcity.co.uk ----------->|
From: "Brian Gladman" <gladman@seven77.demon.co.uk>
To: <ukcrypto@maillist.ox.ac.uk>
Cc: "Carl Ellison" <cme@cybercash.com>
Subject: Re: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison,
Date: Sat, 4 Apr 1998 11:40:35 +0100
Thanks now to both Peter and Dorothy for their postings. It now appears
that we have an inaccurate response from Robert Perillo to an inaccurate
posting by Carl Ellison to an inaccurate study by Denning and Baugh! And
this is the ***best*** public evidence that we have to justify cryptography
policies that are critical to the development of the information society.
This is simply not an acceptable basis for policy development in such an
important area.
I have little doubt that Dorothy did her best to obtain clear, objective
evidence but the problem is that, if there really is any good evidence, the
authorities seem extremely unwilling to release it in a form in which we can
have any confidence in it.
In the UK this has led to government policy formulation on cryptography and
TTP services along the lines 'trust us, we know what is best for you, but we
can't (or won't) give you any evidence to justify what we intend to do'.
Such an approach to policy formulation might have worked in the distant past
but it is no longer acceptable in the 1990s - we now have a much better
educated population and one that is simply not prepared to be told what is
good for it by a series of governments whose policies on matters involving
technology make the 'Poll Tax' look like a stunning success.
For several years now the US and the UK governments have been pushing for
Key Escrow provisions on the thesis that society should accept limitations
on the benefits to be derived from cryptography in order to limit the damage
it might do to law enforcement. Both governments are asking us to accept
these policies 'on trust' with no evidence of any kind to justify them.
When the US government did allow some access to such evidence (in their NRC
study) the result was hardly a stunning endorsement of the government
position but it conveniently ignored these conclusions and continued on
regardless with its misguided policies as if nothing had happened.
It now seems possible that the UK government is again going to propose some
form of Key Escrow (despite their pre-election stance). And once more my
guess is that we will be asked to accept this without a shred of evidence to
justify it.
So, DTI, if you really are about to propose a policy with Key Escrow
features could we please have the following:
1. a clear, precise and complete statement of the objectives that you are
trying to meet by including Key Escrow features in such a policy;
2. evidence to show that these objectives serve the interests of UK
citizens;
3. evidence to show that Key Escrow is practical and capable of meeting
these objectives given an information society that is global in scope;
4. an assessment of all alternative policies that might meet these
objectives, showing clearly that Key Escrow is demonstrably the best option;
5. evidence to show that Key Escrow will provide benefits for society and
that these benefits outweigh its costs in individual, social and economic
terms;
If you can do this I feel sure that you will gain the widespread support of
UK citizens.
Brian Gladman
Date: Sat, 4 Apr 1998 12:00:41 -0500
From: denning@cs.georgetown.edu (Dorothy Denning)
To: ukcrypto@maillist.ox.ac.uk
Subject: Re: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison,
Peter, thanks for the information to the effect that the cryptoviral
extortion case had been discredited.
Just to clarify a few points about the study.
Our objective was not to make or break the case for key escrow.
The cases that are presented without a reference and without qualifiers
such as "there is a rumor" are based on first-hand accounts from either
the law enforcement officers who handled the case or the person who
did the decryption. These people wished to remain anonymous, so there
is no citation.
I expect that most of the cases where encryption is encountered in
wiretaps are foreign intelligence cases. We were not able to get
any information on these cases, so did not draw any conclusions.
Regards,
Dorothy
Date: Sat, 04 Apr 1998 19:49:58 -0500
To: ukcrypto@maillist.ox.ac.uk
From: Carl Ellison <cme@cybercash.com>
Subject: Inaccurate crypto rhetoric (was Re: Inaccurate study quoting,
Re: anti-crypto rhetoric)
-----BEGIN PGP SIGNED MESSAGE-----
Following is my response to Mr. Perillo. I didn't realize until now
that UKCrypto was carrying this debate.
- Carl
- -----BEGIN PGP SIGNED MESSAGE-----
Mr. Perillo,
Thank you for taking the time to correct the exaggerations in my
comp.risks posting of 6 Mar 1998 (19.62). May I assume from your message
that you share my belief that the cryptography policy debate is far too
important to be conducted in exaggerated, black and white, doom-saying
rhetoric?
Of course criminals have used cryptography for a very long time.
Criminal invention and use of verbal codes is old enough that there is a
word in the English language for it: argot. This should not surprise us.
My own informal survey of even non-mathematical adults has shown that the
vast majority used some code or cipher as teenagers in order to keep
secrets from prying adults. In turn, this is consistent with David Kahn's
observation: "It must be that as soon as a culture has reached a certain
level, probably measured largely by its literacy, cryptography appears
spontaneously -- as its parents, language and writing, probably also did.
The multiple human needs and desires that demand privacy among two or more
people in the midst of social life must inevitably lead to cryptology
wherever men thrive and wherever they write." [The Codebreakers, p. 84]
As you emphasize, criminals are not limited to inventing their own
codes and ciphers. I am not familiar with your evidence that drug cartels
and terrorist organizations have used encryption products from
international sources (e.g., Crypto AG), but I am not surprised. I have
seen Jane's catalog of counterintelligence devices, including military grade
cryptography, and I would not be surprised if serious criminals shopped
from such catalogs [metaphorically speaking]. [I had heard of course about
the Crypto AG weakness allegation, but had understood this to be part of
"The Boris Project" by NSA, to weaken cryptographic devices sold to Iran
and other governments. It was also my understanding that the techniques
for exploiting such a planted weakness would not be shared by the NSA with
the FBI. However, you are probably in a better position to know the truth
about this last point than I am.]
So, instead of stooping to splashy rhetoric and exaggeration as
characterized by Director Freeh's testimony before Congress (which I
imitated in my RISKS 19.62 posting), let us consider the facts of
cryptography without inflammatory rhetoric.
The notion that criminals adopt cryptography very rapidly (which is
how Director Freeh summarized it), with the implication that very soon all
criminals will be using cryptography to frustrate law enforcement, is
stated a little more scientifically by Denning & Baugh in the finding of a
50-100% annual growth rate. However, it is clear that this can not be a
product of rapid criminal adoption of new technology, as implied by
Director Freeh. If that were true, we could start with a minimum of one
criminal organization using cryptography strong enough for the government
not to break, in April of 1927 [Kahn, p. 803], and take the minimum annual
growth rate of 50% to get 1.5^{71} = 3,180,382,777,245 organized crime
groups using cryptography in April of 1998. This is clearly impossible.
Therefore, the observed growth rate must be influenced by something other
than speed of adoption among criminals. It may, for example, be a side
effect of the recent rapid adoption of PCs by the general population. We
also do not know what limited the growth of the criminal use of
cryptography in the last 71 years, not to mention the hundreds of years
before that. These are topics deserving much study, but they show clearly
without further study that Director Freeh exaggerates improperly in his
claim that soon all criminals will use strong cryptography and all law
enforcement will be frustrated.
Perhaps the most important conclusion of the Denning-Baugh study was,
as you point out quite properly, ``instead, the study's main conclusion was
that it was unable to find any current incident where the use of
cryptography significantly hindered an investigation or prosecution. "Most
of the investigators we talked to did not find that encryption was
obstructing a large number of investigations. When encryption has been
encountered, investigators have usually been able to get the keys from the
subject, crack the codes, or use other evidence," states the report.''
This is a remarkable conclusion and one of which I was well
aware. As I have said numerous times in the past, I believe it is our job
as good citizens and policy makers to accept reality unemotionally and make
plans to help law enforcement:
We need to help Director Freeh accept that he will never have an FBI
keyhole into the cryptography of criminals. They can always make
their own strong cryptography. The usual counter-argument to that is
that even criminals will need to use cryptography to talk with their
bank or the IRS -- but the implied false assumption behind that
argument is that people will use only one kind of cryptography.
Cryptography is effectively free and there is no limitation on the
number of different systems one might keep on his PC and employ. Each
application will be specific to its use (banking, tax returns, ...)
and each will include its own cryptography.
We must resist with great effort the attempt to force honest citizens
to accept FBI keyholes, just as we would resist an attempt to force
honest citizens to leave house and car keys at the local police
station or to plant FBI microphones in all private bedrooms or other
places where some criminal might, someday, have an incriminating
conversation.
We must follow up on the Denning-Baugh study and attempt to discover
the true limits to growth of criminal adoption of cryptography. Why
wasn't the world flooded with it decades ago?
We must also pursue their very encouraging conclusion that even when
cryptography was used, it did not interfere seriously with
investigations. Why was this true and how can we help law enforcement
continue this record?
We should probably start a real research project to help the FBI find
ways to gain the intelligence it needs even in the unlikely
disasterized case that all criminals use strong cryptography with no
government access. I have a number of such thoughts and have offered
to share these with the FBI, to no avail so far. I will not publish
them, for obvious reasons.
We should keep in mind the NRC study conclusions that compared the
positives and negatives of strong cryptography. In particular, strong
cryptography helps thwart crime and that will become ever more true
as our lives move ever more on-line. At the same time, any government
keyhole into civilian privacy would become a more inviting criminal
target as this change in society progresses.
Mostly, I believe we need to do what we can to correct what appears to
me to be an inability on the FBI's part to withstand the childish taunt,
"Nyah, nyah, I've got a secret and I won't tell you."
- Carl
- -----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3
iQCVAwUBNRXYFxN3Wx8QwqUtAQEU5AP/aBPUGeLFg3E7Sbnx+yMA3Dmg/QBc9lT0
zCfhzq301EMCtfUkhLDoXjOO+nt45/RhxNtVV9Aw1OlURtbz4XSGSsosHEE3VRVV
V1NIfAen6tZrlgvuM5oc/0hokpmTZlIZzj8RUnyYoa0+7Gw64VgDRFIlvluT2n6I
U2TmV14rzKY=
=kxVO
- -----END PGP SIGNATURE-----
+------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 08FF BA05 599B 49D2 23C6 6FFD 36BA D342 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
+------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3
iQCVAwUBNSbVNRN3Wx8QwqUtAQFSnAP/QAvMTNjM/pjWbkFpyRbYGocMMQgrsA6f
LJDWfOBf4KQ6pkbGozHBEwgDcmm1GQG8SjNJCVKeq+ETCjiVf7UA6cHHooqDjSAd
oIMAYHE2kU7gmqH5rJuhvqmuG/I36XuKzL+xMdDFBotc5ubt52B4Zmy3kNKU/aJW
0upCzQP8HFg=
=bqqs
-----END PGP SIGNATURE-----
Date: Sun, 5 Apr 1998 8:26 +0100 (BST)
From: hcorn@cix.co.uk (Peter Sommer)
Subject: Re: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison,
To: ukcrypto@maillist.ox.ac.uk
Dorothy:
Thank you for the clarification about your sources for your study. I am
not unsympathetic to the problem; I am always pleased when I have the
opportunity to talk to people "behind the veil" and not only for reasons
of self-importance - I think some of them need to be exposed to the
perspectives of those of us who operate in the open world.
But there is always a difficulty: ultimately what they tell you is often
unverifiable. They could be telling the truth, they could be telling
what they believe to be true but is the result of misdiagnosis or
misinformation, or they could be bending the truth in the never-ending
battle to create a policy climate favourable to them and the government
budgets they need to survive.
In particular I don't think one should under-estimate the extent to which
the spooks can get things wrong; quite apart from the well-known history
of "intelligence mistakes" I have my own experiences in the occasional
instruction as an expert in criminal proceedings to draw on. If I compare
the claims of Jim Christy and others in the matter of the Rome Labs
hackers with what I saw as evidence in the resulting UK cases, for
example, or compare the certainty with which commentators state that
Vladimir Levin was able to hack into Citibank without inside help with the
actual evidence tendered in London for his extradition ...... Both these
cases of course feature high in the ever-expanding, ever-shriller
"information warfare" agenda.
And all of this is why so many of us are asking for the specifics of the
need for LAK.
Here in the UK the total open budget for monitoring serious crime - the
annual budget of the National Criminal Intelligence Service is only £30m.
Its remit includes narcotics trafficking, money laundering (it receives
and collates the reports of unusual transactions), organised crime
including the Turkish, Russian, Italian and other mafias as well as our
own local heroes, paedophilia, extortion and soccer hooliganism. That's
under a $1 for every inhabitant of the UK. What puzzles me is this: if
on the one hand the problems of organised crime are so small to rate such
a low budget, why, on the other, are we being asked to accept such an
intrusive policy in relation to crypto? Is there really a case-book of
instances which, if revealed, would persuade us to accept the intrusion
as a necessary price for freedom?
As one of the many cliches in Private Eye has it: I think we should be
told.
The issue of what happens when digital evidence is seized in the
ordinary way (that is, through regular warrant) and turns out to be
encrypted should be distinct from LA requests to have LAK for intelligence
fishing expeditions. As you say, all your cases seem to refer to the
former situation. I have no difficulty in accepting the existence of
encrypted files and disks and the problems they create for law
enforcement. Interestingly enough, the "old" DTI TTP proposals
specifically excluded many of the devices / technologies that are used for
file and disk encryption. The alternative legal route here is to allow
/ extend the ability of the court to issue orders for decryption keys to
be released (under certain conditions) or to allow adverse comment to be
made if someone refuses to do so. (This takes us into the tricky area of
the right against self-incrimination etc, of course). The absence of
discussion of these matters is quite surprising.
rgds
Peter
|----> Peter Sommer ------------------------------------------->|
|----> hcorn@cix.co.uk P.M.Sommer@lse.ac.uk ------------------>|
|----> Academic URL: http://csrc.lse.ac.uk/csrc/pmscv.htm ----->|
|----> Commercial URL: http://www.virtualcity.co.uk ----------->|
Date: Fri, 10 Apr 1998 00:40:03 +0200
From: Anonymous <anonymous@netassist.se>
Subject: Re: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison,
To: ukcrypto@maillist.ox.ac.uk
Peter Sommer says:
> The problem with the Denning / Baugh report is that some of the "cases"
> are very difficult to verify. For example: the London Cryptoviral
At least one entry was verifiably wrong:
http://infinity.nus.sg/cypherpunks/dir.97.07.10-97.07.16/msg00003.html
[Copy of the referenced cypherpunks message:]
To: Kevin.L.Prigge-2@tc.umn.edu
Subject: Re: Jim Bell reference
From: Eric Murray <ericm@lne.com>
Date: Wed, 9 Jul 1997 11:09:32 -0700 (PDT)
Cc: cypherpunks@cyberpass.net
Kevin L Prigge writes:
>
> Dorothy Denning taught a class (COSC 511) "Information Warfare"
> Spring 97. Apparently as an assignment, several students put
> together an infowar incident database at:
>
> http://www.georgetown.edu/users/samplem/iw/
>
> Jim Bell's case is mentioned under:
>
> http://www.georgetown.edu/users/samplem/iw/html/iw_database_92.html
Wow. This is the most blatant propaganda I've seen in a long time.
It's full of so much inaccurate info that it can't be an accident.
Their blurb on Bell says:
"In his "Assassination Politics," Bell suggests that IRS
agents are not protected against violent acts,
because they have stolen taxpayers' money. He also
initiates a betting pool as to what government
employees and officeholders would be assassinated."
If I remember correctly, Bell never 'initiates'[sic] anything, he
just talked about it.
They cite a Netly News article by Declan McCullagh
(http://cgi.pathfinder.com/netly/editorial/0,1012,800,00.html)
Declan's article doesn't say, or even imply, that Bell actually
set up his AP betting pool. The "database" authors apparently wanted
to make a point by making his crime seem to be real, and were willing
to stretch the truth to do so.
This fits in with the rest of the "database". Take a look
at the 'terrorism' category. Most of the 'terrorists' crimes
(or more correctly, arrests- this database seems to assume that
being arrested or charged with a crime makes one guilty) are
horrible terrorist crimes like sending hate email, or suggesting that a state
senator who vociferously supports mountain lion hunting be
"hunted down and skinned and mounted". In that one the
California state senator somehow becomes a US senator...
(http://www.georgetown.edu/users/samplem/iw/html/iw_database_90.html)
The "database" is filled with inaccurately-labeled "data". I'd
be willing to bet that it will be used to support the "Info war"
military-industrial-complex money grab: "Look, a study at
Georgetown shows that we've had three incidents of Internet terrorism
in 1997 alone, one against a US senator!"
Feh. "Research" like this makes me puke.
BTW, you can add your own "IW incidents" via a form at
http://www.georgetown.edu/users/samplem/iw/html/feedback.html
--
Eric Murray ericm@lne.com Security and cryptography applications consulting.
PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF
[JYA Note:]
See also Professor Denning's course schedule and readings for Spring
1998 for an informative overview:
COSC 511 Information Warfare: Terrorism, Crime, and National Security
http://guru.cosc.georgetown.edu/~denning/cosc511/spring98/schedule.html
Date: Mon, 13 Apr 1998 08:26:36 -0400
From: denning@cs.georgetown.edu (Dorothy Denning)
To: ukcrypto@maillist.ox.ac.uk
Subject: Re: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison,
The citation below is to something that some of my students wrote, not
to the Denning/Baugh report. When the students learned of their
mistake, they promptly corrected their error. The anonymous poster
evidently did not even bother to see what we had written or what was in
the students' database.
The clip in our study was based on the court document and a conversation
with a law enforcement officer involved with the case.
Dorothy Denning
Date: Fri, 10 Apr 1998 00:40:03 +0200
From: Anonymous <anonymous@netassist.se>
Subject: Re: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison,
To: ukcrypto@maillist.ox.ac.uk
Peter Sommer says:
> The problem with the Denning / Baugh report is that some of the "cases"
> are very difficult to verify. For example: the London Cryptoviral
At least one entry was verifiably wrong:
http://infinity.nus.sg/cypherpunks/dir.97.07.10-97.07.16/msg00003.html