No Scorched-Internet Policy

Attacking Technology Will Only Add To The Toll

by Neil McAllister, Special to SFGate
(Originally published Thursday, September 20, 2001. Editor: Amy Moon)

If ever Congress wanted to tighten the reins on access to the Internet, now would be a good time to do it. As it becomes ever more clear that Osama bin Laden's terrorist networks are using our modern communications technologies to organize their atrocities — including those that took place last week in New York, Washington, D.C. and Pennsylvania — the question before our legislators is: What are we going to do about it?

There's a lot they could do. They could limit private citizens' access to strong encryption. They could require "back doors" in encryption software to give law enforcement access. They could install eavesdropping equipment that would let law-enforcement agents easily access our e-mail boxes. All this is possible today; our government need only give the word.

There's just one problem, though. None of these steps will put a stop to terrorism. What they will do, however, is restrict individual freedom, impede industry and compromise our civil rights.

Cause for Caution

Already, President Bush and others have compared last week's tragedies to Pearl Harbor. And there can be little doubt that in this case, as in Pearl Harbor, intelligence failures are at least partly to blame for our failure to anticipate what took place.

But while the comparison to Pearl Harbor may be a patriotic one, the picture it paints isn't entirely rosy, and the solutions it suggests present thorny problems. "We know what happened post-Pearl Harbor," People for the American Way's Ralph Neas told the New York Times. "Many times there are overreactions, not based on fact or careful analysis, that lead to a violation of the Constitution."

Most law-enforcement experts agree that the best way to anticipate terrorists' movements is to intercept their transmissions. The practice of signals intelligence has been going on probably as long as there has been warfare. But, as authorities have begun to discover, in the Information Age we're talking about a whole new ball game. How can we hope to trace our enemies across as vast, malleable and relatively masterless a medium as the Internet without transgressing constitutionally protected freedoms?

Among the FBI's chief Internet-intelligence tools is the surveillance device known as Carnivore. Carnivore is capable of intercepting anyone's e-mail as it passes across their ISP's routers, a fact that has already drawn a lot of attention from civil rights activists.

But putting aside the question of individual privacy for a moment, let's assume Carnivore is successful in intercepting crucial messages. The problem still remains that, though the device is capable of gathering information, that information is often encrypted.

That's no good, according to a National Commission on Terrorism report. "Until the information is in plain English," it warns, "it's almost impossible to determine whether it's relevant to a terrorism operation."

Tales From the Crypto

Brute-force attacks on cryptography are seldom effective. The more complex the cryptography used, the more computing power it takes to crack the code, and the slower the results. Successfully decoding encrypted transmissions in a timely manner typically requires a little more ingenuity. The FBI has already begun experimenting with new tactics — but its recent attempts raise serious doubts.

Take the case of reputed mob boss Nicodemo Scarfo, for example. The FBI brought a case against Scarfo based on evidence gleaned from encrypted e-mail messages. How it got access to those documents remains a sticky point, however.

What agents did was secretly install on Scarfo's computer what's called a "key sniffer," software that records every keystroke he typed. By analyzing those sequences, agents were eventually able to determine the password to the PGP-encryption program Scarfo was using to scramble his e-mail messages. There's concern now, however, that the key sniffer may have been installed illegally by agents who accessed Scarfo's hard drive without a proper warrant.

And there's another point that hasn't been as widely discussed. PGP-encrypted documents can't be decoded merely by giving the decryption password. You also need the recipient's "private key," a secret file that ordinarily is not transmitted under any circumstances. Even if installation of the key sniffer was legal in this case, it still seems probable the FBI conducted an illegal search of Scarfo's hard drive to obtain his private key without his knowledge.

The FBI has asked that it not be required to disclose in open court the exact details of how it conducted its investigation. This request is hardly a confidence builder, and the implications are troubling. For the FBI to continue such practices against terrorists implies that a significant broadening of its powers of search and seizure would be called for.

One alternative that's often been proposed is to simply allow a back door into encryption systems used domestically, which would let the FBI access encrypted documents without cracking the code by force. But most experts agree that such shortcuts effectively render encryption worthless. If personal security were to be compromised, even worthy applications like e-commerce would become inherently insecure. What's more, who's to say a foreign terrorist would use only domestically produced encryption software?

Hidden in Plain Sight

Another problem with Carnivore is the sheer volume of the information it gathers. One of the chief criticisms leveled at the device is that it isn't particularly selective about the intelligence it amasses. Such selectivity — in this case, recording only information relevant to a given case — is a requirement of other forms of surveillance.

Ironically, encryption can actually lend a hand with this problem. An encrypted message, versus one transmitted in plain English, is easy to identify, and it's a fairly safe assumption that an encrypted message is one that has something to hide. Thus, when encryption is in play, spotting which messages to capture and which to ignore is relatively simple.

This fact isn't lost on the terrorists, however, and so they have reportedly begun turning to alternate methods of concealing their transmissions. It's rumored that bin Laden's agents have become experts in the use of steganography, the process of concealing a secret message within an otherwise innocuous-looking one.

Using digital steganography techniques, messages can be hidden inside ordinary-looking text, in graphic images or even in MP3s. Bin Laden is rumored to be fond of concealing his transmissions inside some of the very same "anti-Islamic" content that prompted the Taliban to ban Internet use in Afghanistan: pornography.

Given that a message could potentially be hidden anywhere, how can any message be considered exempt from capture by Carnivore? When you consider that law enforcement's assumption is that other terrorist "sleeper agents," like the ones responsible for last week's airline attacks, are to be found on U.S. shores, will any of us be exempt from e-mail monitoring by the FBI?

Making It Work

All this isn't to say that these hurdles are insurmountable. In fact, the FBI has successfully pursued suspects using information gathered from e-mail monitoring without transgressing any constitutional boundaries. The case of Brian Regan is one example.

Regan, trained as a cryptanalyst by the Air Force, leaked secret documents to various foreign nations in encrypted e-mails. He reached his contacts using a free Web-based e-mail account, which he accessed from a terminal at a public library near his home.

One day, while being tracked by an agent, Regan forgot to log out. As he walked away, the agent tailing him was able to access a complete record of all his messages. Informed of his error, Regan, in exchange for a life sentence, pleaded guilty to spying for Moscow for 15 years.

While it would be unrealistic to always expect such good fortune, Regan's case points out a valuable lesson. Rather than applying more and more resources to information gathering and brute-force decryption attempts, agents must instead learn to work smarter against these new kinds of challenges.

Standing on Principles

Banning, restricting or compromising technologies such as e-mail and private encryption software isn't the answer. Though it's clear that e-mail helped terrorists organize the crimes they perpetrated last week, it's merely a tool. We should no more blame the technology for those tragedies than we should point the finger at Henry Ford every time a terrorist drives a truck full of explosives into a public building.

Some analysts have admired the complexity of the planning involved in the plot to destroy the World Trade Center. I don't. The Twin Towers took six years to build and incredible human ingenuity to conceive. It's always easier to destroy something than to create it.

Let's remember that fact when we consider undoing some other feats of human engineering, like encryption, e-mail and, by extension, the Internet itself. All three are tools that have contributed immensely to human society over the past years. They thrive on the same principles as U.S. society itself: privacy, individual freedom and security in our persons and speech.

Rather than making rash political decisions that could plant the seeds of their undoing now, let's instead turn our ingenuity to a new task: a rational means of ending the irrational. A constructive way — rather than a destructive one — of ending the threat of terrorism once and for all.


