EFFector Vol. 11, No. 11       July 23, 1998       editor@eff.org
A Publication of the Electronic Frontier Foundation
ISSN 1062-9424

IN THE 139th ISSUE OF EFFECTOR

* SENATE PASSES 3 INTERNET CENSORSHIP BILLS
* EFF DES CRACKER MACHINE BRINGS HONESTY TO CRYPTO-POLICY DEBATE
* EFF & OTHER GROUPS WARN CONGRESS OF DANGERS IN NEW FBI WIRETAP WISHLIST
* ADMINISTRIVIA

See http://www.eff.org for more information on EFF activities & alerts!
_________________________________________________________________

FOR IMMEDIATE RELEASE
July 21, 1998

CONTACT: Electronic Frontier Foundation, +1 415 436 9333, ask@eff.org

Last-minute update: In addition to the McCain & Coats Internet censorship bills, a piece of legislation to ban most forms of online gambling Web sites also passed as an amendment to the appropriations bill below (which was passed in full by the Senate, July 22, 1998). There is presently no action alert issued regarding these bills, but one will be forthcoming shortly, when action on the House side is clear and we know where to direct our activism. Check http://www.eff.org/blueribbon.html periodically for updates.

ELECTRONIC FRONTIER FOUNDATION REACTS TO SENATE PASSAGE OF TWO INTERNET CENSORSHIP BILLS

Statement of Barry Steinhardt
President of the Electronic Frontier Foundation

This afternoon the Senate passed two draconian bills that would ultimately prevent access to a wide array of content on the Internet. The two bills were passed as amendments to an appropriations bill for the Commerce, Justice and State Department. They were brought up without any notice to those members of the Senate who opposed them and without any opportunity for meaningful debate. In effect, free speech on the Internet was the victim of an ambush.

The initial amendment offered by Senators John McCain (R-AZ) and Patty Murray (D-WA) would require schools and libraries that receive federal funds for Internet connections to install filtering software to block "inappropriate" material.
The second, "the CDA II" bill sponsored by Senator Dan Coats (R-IN), would enact a wide-ranging ban on Web posting of material deemed "harmful to minors."

The two bills represent a real and present danger to free speech on the Internet. The McCain/Murray amendment will force libraries and schools to use all-too-frequently crude and overbroad filters that block out a wide array of non-"harmful" speech -- everything from the Quaker home page to the American Association of University Women has been blocked by these programs. Indeed, you can no more create a computer program to block out one community's view of "indecency" or "obscenity" than you can devise a filtering program to block out misguided proposals by members of Congress. Both may be desirable, but neither is possible.

At first glance, the Coats CDA II bill appears to be a relatively benign provision that purportedly applies only to commercial pornographers who market to minors. But it is a Trojan horse. Beneath the veneer, it covers any Web site that has a commercial component and which has material that some community will consider "harmful to minors", even if that is not the material for sale. This ranges from the electronic bookseller Amazon.com to EFF's site, which sells books and T-shirts.

___________________________________

The Electronic Frontier Foundation is one of the leading civil liberties organizations devoted to ensuring that the Internet remains the world's first truly global vehicle for free speech, and that the privacy and security of all on-line communication is preserved. Founded in 1990 as a nonprofit, public interest organization, EFF is based in San Francisco, California. EFF maintains an extensive archive of information on encryption policy, privacy, and free speech at http://www.eff.org.
EFF DES CRACKER MACHINE BRINGS HONESTY TO CRYPTO-POLICY DEBATE

ELECTRONIC FRONTIER FOUNDATION PROVES THAT DES IS NOT SECURE

CONTACT: Electronic Frontier Foundation, +1 415 436 9333, ask@eff.org

SAN FRANCISCO, CA -- The Electronic Frontier Foundation (EFF) today raised the level of honesty in crypto politics by revealing that the Data Encryption Standard (DES) is insecure. The U.S. government has long pressed industry to limit encryption to DES (and even weaker forms), without revealing how easy it is to crack. Continued adherence to this policy would put critical infrastructures at risk; society should choose a different course.

To prove the insecurity of DES, EFF built the first unclassified hardware for cracking messages encoded with it. On Wednesday of this week the EFF DES Cracker, which was built for less than $250,000, easily won RSA Laboratories' "DES Challenge II" contest and a $10,000 cash prize. It took the machine less than 3 days to complete the challenge, shattering the previous record of 39 days set by a massive network of tens of thousands of computers. The research results are fully documented in a book published this week by EFF and O'Reilly and Associates, entitled "Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design."

"Producing a workable policy for encryption has proven a very hard political challenge. We believe that it will only be possible to craft good policies if all the players are honest with one another and the public," said John Gilmore, EFF co-founder and project leader. "When the government won't reveal relevant facts, the private sector must independently conduct the research and publish the results so that we can all see the social trade-offs involved in policy choices."

The nonprofit foundation designed and built the EFF DES Cracker to counter the claim made by U.S. government officials that governments cannot decrypt information when protected by DES, or that it would take multimillion-dollar networks of computers months to decrypt one message. "The government has used that claim to justify policies of weak encryption and 'key recovery,' which erode privacy and security in the digital age," said EFF Executive Director Barry Steinhardt. "It is now time for an honest and fully informed debate, which we believe will lead to a reversal of these policies."

"EFF has proved what has been argued by scientists for twenty years, that DES can be cracked quickly and inexpensively," said Gilmore. "Now that the public knows, it will not be fooled into buying products that promise real privacy but only deliver DES. This will prevent manufacturers from buckling under government pressure to 'dumb down' their products, since such products will no longer sell."

Steinhardt added, "If a small nonprofit can crack DES, your competitors can too. Five years from now some teenager may well build a DES Cracker as her high school science fair project."

The Data Encryption Standard, adopted as a federal standard in 1977 to protect unclassified communications and data, was designed by IBM and modified by the National Security Agency. It uses 56-bit keys, meaning a user must employ precisely the right combination of 56 1s and 0s to decode information correctly. DES accounted for more than $125 million annually in software and hardware sales, according to a 1993 article in "Federal Computer Week." Trusted Information Systems reported last December that DES can be found in 281 foreign and 466 domestic encryption products, which accounts for between a third and half of the market.

A DES cracker is a machine that can read information encrypted with DES by finding the key that was used to encrypt that data. DES crackers have been researched by scientists and speculated about in the popular literature on cryptography since the 1970s.
The design of the EFF DES Cracker consists of an ordinary personal computer connected to a large array of custom chips. It took EFF less than one year to build and cost less than $250,000.

This week marks the first public test of the EFF DES Cracker, which won the latest DES-cracking speed competition sponsored by RSA Laboratories ( http://www.rsa.com/rsalabs/ ). Two previous RSA challenges proved that massive collections of computers coordinated over the Internet could successfully crack DES. Beginning Monday morning, the EFF DES Cracker began searching for the correct answer to this latest challenge, the RSA DES Challenge II-2. In less than 3 days of searching, the EFF DES Cracker found the correct key. "We searched more than 88 billion keys every second, for 56 hours, before we found the right 56-bit key to decrypt the answer to the RSA challenge, which was 'It's time for those 128-, 192-, and 256-bit keys,'" said Gilmore.

Many of the world's top cryptographers agree that the EFF DES Cracker represents a fundamental breakthrough in how we evaluate computer security and the public policies that control its use.

"With the advent of the EFF DES Cracker machine, the game changes forever," said Whitfield Diffie, Distinguished Engineer at Sun Microsystems and famed co-inventor of public key cryptography. "Vast Internet collaborations cannot be concealed and so they cannot be used to attack real, secret messages. The EFF DES Cracker shows that it is easy to build search engines that can."

"The news is not that a DES cracker can be built; we've known that for years," said Bruce Schneier, the President of Counterpane Systems. "The news is that it can be built cheaply using off-the-shelf technology and minimal engineering, even though the Department of Justice and the FBI have been denying that this was possible."
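The figures above (about 88 billion keys per second, 56 hours, a 56-bit key) are enough to put numbers on what "brute force" means. The following is an added example, not EFF's code and not the design from "Cracking DES": it computes the expected and worst-case search time for several key sizes at the quoted rate, and then re-creates the shape of a hardware key search on a throwaway key space. The stand-in cipher (a keyed XOR keystream) and the split of work into search units that forward only "plausible plaintext" candidates to the host are assumptions for illustration, not a description of the EFF chips; a real machine would run the units in parallel and decrypt real DES.

```python
"""Brute-force key search: a cost model for the figures in the press release,
plus a toy re-creation of a hardware search strategy (many search units, each
sweeping a slice of the key space and forwarding only candidates whose
decryption looks like text to the host for verification).
Added example; not EFF's code, and the stand-in cipher is NOT DES."""
import hashlib

# Figures quoted in the press release above.
EFF_RATE_KEYS_PER_SEC = 88e9
EFF_SEARCH_HOURS = 56
DES_KEY_BITS = 56


def search_cost(key_bits, rate, hours=None):
    """Brute-force cost for a key_bits-bit cipher at `rate` keys/second.
    Returns (keyspace, expected_seconds, worst_case_seconds, fraction_searched):
    expected = half the key space (a uniformly random key is found, on average,
    halfway through), worst = the whole key space, fraction_searched = the share
    of the key space covered in `hours` (None if hours is not given)."""
    keyspace = 1 << key_bits
    expected = keyspace / 2 / rate
    worst = keyspace / rate
    fraction = None if hours is None else min(1.0, rate * hours * 3600 / keyspace)
    return keyspace, expected, worst, fraction


def toy_decrypt(key, ciphertext):
    """Stand-in for DES decryption (assumption: a keyed XOR keystream, used only
    so the search loop runs offline; it has no cryptographic strength).
    `key` is an integer; `ciphertext` is at most 32 bytes.  XOR is symmetric,
    so this function also encrypts."""
    keystream = hashlib.sha256(key.to_bytes(8, "big")).digest()[: len(ciphertext)]
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


# Assumed filter (not described on this page): a search unit raises a candidate
# only when every decrypted byte is printable ASCII or whitespace.  Wrong keys
# produce random-looking bytes, so almost all of them are discarded in hardware
# and the host only has to verify the rare survivors.
PLAUSIBLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def looks_like_text(block):
    return all(b in PLAUSIBLE for b in block)


def search_unit(ciphertext, lo, hi):
    """One search unit: try every key in [lo, hi) and yield those whose
    decryption passes the plausibility filter."""
    for key in range(lo, hi):
        if looks_like_text(toy_decrypt(key, ciphertext)):
            yield key


def crack(ciphertext, known_plaintext, key_bits, units):
    """Partition the key space across `units` search units, run them in turn
    (a real machine runs them in parallel), and verify each candidate against
    the known plaintext on the host.  Returns (key_or_None, candidates_checked)."""
    keyspace = 1 << key_bits
    slice_size = -(-keyspace // units)  # ceiling division: slices cover everything
    candidates = 0
    for unit in range(units):
        lo, hi = unit * slice_size, min(keyspace, (unit + 1) * slice_size)
        for key in search_unit(ciphertext, lo, hi):
            candidates += 1  # host-side verification: cheap because it is rare
            if toy_decrypt(key, ciphertext) == known_plaintext:
                return key, candidates
    return None, candidates


def demo():
    """Constructed demo on a 16-bit toy key space so it finishes in well under a
    second.  The secret key and plaintext are made up for the example."""
    secret_key = 0x2E4B
    plaintext = b"It's time for th"  # first 16 bytes of the RSA challenge answer
    ciphertext = toy_decrypt(secret_key, plaintext)  # XOR: encrypt == decrypt
    return crack(ciphertext, plaintext, key_bits=16, units=8)


if __name__ == "__main__":
    for bits in (DES_KEY_BITS, 64, 80, 128):
        _, exp, worst, frac = search_cost(bits, EFF_RATE_KEYS_PER_SEC, EFF_SEARCH_HOURS)
        print(f"{bits:3d}-bit key: expected {exp / 86400:.3g} days, "
              f"worst case {worst / 86400:.3g} days, "
              f"{frac:.2%} of key space swept in {EFF_SEARCH_HOURS} h")
    print("toy search recovered key", hex(demo()[0]))
```

At the quoted rate the whole 56-bit space takes about 9.5 days and the expected time is about 4.7 days; 56 hours covers roughly a quarter of it, which is why finding the key in under 3 days was a fairly ordinary outcome rather than a fluke. The same rate against a 128-bit key gives an expected time on the order of 10^27 seconds, which is the point of the challenge plaintext.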
Matt Blaze, a cryptographer at AT&T Labs, agreed: "Today's announcement is significant because it unambiguously demonstrates that DES is vulnerable, even to attackers with relatively modest resources. The existence of the EFF DES Cracker proves that the threat of 'brute force' DES key search is a reality. Although the cryptographic community has understood for years that DES keys are much too small, DES-based systems are still being designed and used today. Today's announcement should dissuade anyone from using DES."

EFF and O'Reilly and Associates have published a book about the EFF DES Cracker, "Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design." The book contains the complete design details for the EFF DES Cracker chips, boards, and software. This provides other researchers with the necessary data to fully reproduce, validate, and/or improve on EFF's research, an important step in the scientific method. The book is only available on paper because U.S. export controls on encryption potentially make it a crime to publish such information on the Internet.

EFF has prepared a background document on the EFF DES Cracker, which includes the foreword by Whitfield Diffie to "Cracking DES." (See http://www.eff.org/descracker/ ). The book can be ordered for worldwide delivery from O'Reilly & Associates via the Web ( http://www.ora.com/catalog/crackdes ), or phone (1 800 998 9938, or +1 707 829 0515).

_________________________________________________________________

The Electronic Frontier Foundation is one of the leading civil liberties organizations devoted to ensuring that the Internet remains the world's first truly global vehicle for free speech, and that the privacy and security of all on-line communication is preserved. Founded in 1990 as a nonprofit, public interest organization, EFF is based in San Francisco, California.
EFF maintains an extensive archive of information on encryption policy, privacy, and free speech at the EFF Web site ( http://www.eff.org ).
_________________________________________________________________

EFF & OTHER GROUPS WARN CONGRESS OF DANGERS IN NEW FBI WIRETAP WISHLIST

July 17, 1998

The Honorable Ted Stevens
Chairman
Committee on Appropriations
United States Senate
Washington, D.C. 20510

Dear Mr. Chairman:

We are writing to urge you to reject any efforts by the Federal Bureau of Investigation to use the appropriations process to expand its electronic surveillance powers through amendments to the Communications Assistance for Law Enforcement Act (CALEA).

Four years ago, FBI Director Freeh hailed CALEA as achieving "a delicate but critical balance between public safety and privacy and constitutional rights." Director Freeh praised CALEA: "I think we have reached a remarkable compromise and achievement in preserving that tool [wiretapping] as it has existed since 1968 and yet balancing all the technology and privacy concerns which are so precious to all of us." - FBI Director Louis Freeh, Congressional testimony, August 1994.

But ever since the law was enacted, the FBI has tried to use it not merely to preserve its surveillance capabilities as Congress intended, but to expand them, demanding that companies build expensive new surveillance features. Using the checks and balances in the law, the undersigned privacy groups have asked the FCC to reject the FBI's demands. We understand that the FBI is now asking Congress for major revisions of the 1994 law, to mandate the FBI's requests for expanded surveillance capabilities and strike from the Act key provisions intended to ensure a balance between privacy and law enforcement.
We understand that the FBI has asked that there be attached to the CJS appropriations bill an amendment that would:

* Codify the FBI's entire list of enhanced surveillance capabilities -- For over a year, industry and privacy groups have opposed the FBI's efforts to use CALEA to expand government surveillance capabilities. The FBI's proposed expansions are now being challenged before the FCC. The FBI amendment would terminate the FCC proceeding by ordering the Commission to adopt without revision the entire FBI wish list, including the capabilities to track wireless phone users without meeting constitutional standards and to continue monitoring all parties to a conference call after the suspect has dropped off the call.

* Eliminate public accountability -- The proposed amendment states that the FCC shall enact the FBI wish list immediately and "without notice and comment." This means that privacy groups would have no right to have their concerns heard. When Congress set up the CALEA process, it required the FCC to protect privacy and minimize cost. The FBI amendment would render those considerations irrelevant.

* Require carriers to disclose "the exact physical location" of wireless phone users without any court approval -- In 1994, FBI Director Freeh testified that CALEA "does not include any information which might disclose the general location of a mobile [phone]... There is no intent whatsoever... to acquire anything that could properly be called 'tracking' information." Now the FBI is seeking "exact" physical location, going beyond even the cell site information industry has offered to provide law enforcement in its CALEA plan now under challenge on privacy grounds at the FCC. Furthermore, the FBI amendment, in a provision that purports to address privacy concerns, requires carriers to provide tracking information on any wireless phone user for up to two days without a court order, upon the mere request of any police officer.
This is less protection than current law.

* Establish a bogus standard for access to location information -- In what the FBI will undoubtedly characterize as a concession to privacy, the amendment would require wireless carriers to provide location information whenever presented with a court order "based upon a finding that there is probable cause to believe that the location information is relevant to a legitimate law enforcement objective." This is actually weaker than current law, which requires at least that the information be relevant and material to an ongoing investigation. "Legitimate law enforcement objective" doesn't even require that police have an ongoing case. The use of the words "probable cause" does not make this provision acceptable. The issue is "probable cause" to believe what?

* Write "reasonableness" out of the statute -- In 1994, Director Freeh testified that CALEA "reflects reasonableness in every provision." The statute specifically said that carriers could be required to modify their systems for law enforcement purposes only if the changes were "reasonably achievable." Now the FBI amendment would amend the Act to state that compliance with the FBI's wish list is "deemed reasonably achievable." To "deem" something means that we pretend it is so even when it isn't. This amendment deprives the FCC of jurisdiction to assess the feasibility and cost of CALEA compliance.

* Packet networks -- In another provision that will be characterized as a concession to privacy, the amendment states that carriers "to the extent possible" shall separate call-identifying information from content when transmitted as packet-mode data. Privacy groups have asked the FCC to determine how and when this can be done.
By depriving the Commission of authority over implementation of CALEA, the FBI amendment may be precluding privacy groups and others from having any input in deciding how surveillance is to be conducted in the packet networks that represent the future of telephony.

In short, the FBI is trying to rewrite CALEA to get what it failed to get from Congress four years ago, and what it has failed to get since from industry and through the FCC. The FBI's efforts are under challenge at the FCC and in the courts. The FBI's proposed amendment is an effort to cut off those challenges. It is appropriate for Congress at this time to extend the CALEA compliance and "grandfather" dates, in order to allow resolution of the substantive issues pending before the FCC. It would be inappropriate for Congress to grant FBI the authority that it was denied four years ago after a lengthy hearing and negotiation process.

The FBI may try to characterize its proposal as a compromise. It is not. The granting of a one-time extension to industry and the purported concessions to privacy do not come close to justifying a fundamental rewriting of CALEA, which is what the FBI amendment would do.

We would be happy to meet with you or your staff to discuss our concerns more fully.

Sincerely,

Laura W. Murphy
American Civil Liberties Union

James P. Lucier, Jr.
Americans for Tax Reform

Jerry Berman
Center for Democracy and Technology

Barry Steinhardt
Electronic Frontier Foundation

Marc Rotenberg
Electronic Privacy Information Center

Lisa S. Dean
Free Congress Foundation

Cc: The Honorable Robert C. Byrd
    The Honorable Judd Gregg
    The Honorable Ernest F. Hollings
    The Honorable Patrick J. Leahy

_________________________________________________________________

ADMINISTRIVIA

EFFector is published by:

The Electronic Frontier Foundation
1550 Bryant St., Suite 725
San Francisco CA 94103 USA
+1 415 436 9333 (voice)
+1 415 436 9993 (fax)

Editor: Stanton McCandlish, Program Director/Webmaster (mech@eff.org)
Membership & donations: membership@eff.org
Legal services: ssteele@eff.org
General EFF, legal, policy or online resources queries: ask@eff.org

Reproduction of this publication in electronic media is encouraged. Signed articles do not necessarily represent the views of EFF. To reproduce signed articles individually, please contact the authors for their express permission. Press releases and EFF announcements may be reproduced individually at will.

To subscribe to EFFector via email, send message body of:

subscribe effector-online

to listserv@eff.org, which will add you to a subscription list for EFFector.

To unsubscribe, send a similar message body, like so:

unsubscribe effector-online

Please tell ask@eff.org to manually remove you from the list if this does not work for some reason.

Back issues are available at:
http://www.eff.org/pub/EFF/Newsletters/EFFector

To get the latest issue, send any message to effector-reflector@eff.org (or er@eff.org), and it will be mailed to you automagically. You can also get:
http://www.eff.org/pub/EFF/Newsletters/EFFector/current.html