Security
Volume II Issue 4 Editorial

When I was growing up in the plains of Nebraska, I became quite familiar with haystacks. A haystack is an impressive structure. Haystacks are very, very large, and if you were actually to search for a needle buried inside one, you'd gain new appreciation for the metaphor. And, were you to search for a real needle inside an actual haystack, the advice I would give you is: Before you begin your search, stop dumping hay onto the stack.

September 11, 2001, changed everything. A great many people went to bed on September 10th feeling safe and secure. Many of those same people on September 12th felt like they'd never be safe again.

The problem with people who do not feel safe is that these people are willing to do, or agree to, most anything to feel safe again--and, unfortunately, that includes things that are profoundly unwise, completely ineffective, unethical, or any combination thereof.

In the wake of the terrorist attacks on the United States, many Federal agencies have asked for unprecedented authority to engage in activities which they claim will help them root out terrorists. These agencies have also asked for unprecedented leeway in how they are allowed to engage in these activities. The problems with this push for new anti-terrorist measures are twofold: They violate the freedom and liberty of every law-abiding American, and they are largely ineffective against terrorism.

Yet they have broad, deep support nonetheless. To even criticize these proposals is to appear anti-American.

Why?

Because the truth is, in the final analysis, not really relevant to the way people behave. People behave based on what they believe to be true, not on what is actually true. They want to feel safe. If a proposal seems reasonable on first glance--if it creates the illusion that it will make people safer--then it will be supported, regardless of how effective, or ineffective, it may be.

And so it is today. Many people inside and outside the government are calling for restrictions on secure cryptography, unfettered access to Internet traffic (including email and logs of Internet Web usage), and the ability to monitor communications with little or no judicial oversight.

These measures all have one thing in common: They infringe on the rights of law-abiding citizens without making anyone any safer. The press has breathlessly reported, for example, that terrorists use encrypted telephone and email communications to coordinate and exchange information; but how, exactly, do they know this? If intercepted encrypted communications are known to contain terrorist plans, then obviously, the encryption did not prevent anyone from gaining access to the content! And if these intercepted encrypted communications cannot be decrypted, then how does anyone know what they contain? They might be terrorist plans, but they could just as easily be recipes for apple pie.

The fact of the matter is, terrorists don't talk about what they intend to do on the phone, or in email. They talk about these things face to face. Terrorists don't trust email, even encrypted email. And, more to the point, it's very difficult to talk someone into killing himself in an email message!

Broader monitoring of email and telephone communications, and government-mandated access to encrypted communications, together create more problems than they solve. Every day, billions of conversations take place over telephone lines and email, and yet very few of these conversations concern terrorist activity. By blindly intercepting all the conversations you can possibly eavesdrop on, you pour hay onto the haystack at a ferocious rate. The problem is not in technology; computers are now capable of monitoring and recording vast quantities of information--more information than any human being can ever possibly hope to sort through and process. Rather, the problem is in people.

Human intelligence is, and always has been, the deciding factor in security. One does not become more secure by watching more people; some of the people responsible for the September 11 attacks were already on FBI watch lists! Yet they succeeded anyway. If the FBI cannot adequately watch the people already on its watch list, we're supposed to feel more secure by giving it the authority to watch even more people?

Furthermore, weakening cryptographic systems puts all of us at risk. Your credit card records and your medical history are protected by encryption. Wire transfers, bank records, and government records are protected by encryption. Every time you weaken that encryption, you make it easier for someone--a hacker, a thief, a terrorist--to crack the encryption and steal or destroy the data. Imagine a terrorist who sneaks through a cryptographic back door and destroys the financial records of major banking institutions--does that help you sleep better at night?

There is, of course, an unspoken reason that law enforcement agencies want these new powers. But it isn't to stop terrorists, any more than it is to combat child pornographers, the favored phantom menace before September 11. If you'd like to know what the real truth of the matter is, consider that the strongest advocate of insecure cryptography is the oppressive Chinese government. Then remember what happens when unarmed students go toe to toe with tanks.

Every society, regardless of how progressive it may be, has speech that is popular and speech that is not. In any free society, it is unpopular speech, not popular speech, that needs to be protected. And sometimes, a government can't be relied on to protect that speech. And this is more destructive to a free society than any terrorist ever could be.

Franklin Veaux 23-October-2001


Home : About : Excerpts : Editors : Art : Submit : News
Model Search : Franklin : Links : Email