EFFector       Vol. 11, No. 11       July 23, 1998       editor@eff.org
A Publication of the Electronic Frontier Foundation     ISSN 1062-9424

IN THE 139th ISSUE OF EFFECTOR

See http://www.eff.org for more information on EFF activities & alerts!


 

FOR IMMEDIATE RELEASE

July 21, 1998

CONTACT:

Electronic Frontier Foundation, +1 415 436 9333, ask@eff.org

Last-minute update: In addition to the McCain & Coats Internet censorship bills, a piece of legislation to ban most forms of online gambling Web sites also passed as an amendment to the appropriations bill below (which was passed in full by the Senate, July 22, 1998). There is presently no action alert issued regarding these bills, but one will be forthcoming shortly, when action on the House side is clear and we know where to direct our activism. Check http://www.eff.org/blueribbon.html periodically for updates.

ELECTRONIC FRONTIER FOUNDATION REACTS TO
SENATE PASSAGE OF TWO INTERNET CENSORSHIP BILLS

Statement of Barry Steinhardt
President of the Electronic Frontier Foundation

This afternoon the Senate passed two draconian bills that would ultimately prevent access to a wide array of content on the Internet. The two bills were passed as amendments to an appropriations bill for the Commerce, Justice and State Department. They were brought up without any notice to those members of the Senate who opposed them and without any opportunity for meaningful debate. In effect, free speech on the Internet was the victim of an ambush.

The initial amendment offered by Senators John McCain (R-AZ) and Patty Murray (D-WA) would require schools and libraries that receive federal funds for Internet connections to install filtering software to block "inappropriate" material. The second, "the CDA II" bill sponsored by Senator Dan Coats (R-IN) would enact a wide ranging ban on Web posting of material deemed "harmful to minors."

The two bills represent a real and present danger to free speech on the Internet. The McCain/Murray amendment will force libraries and schools to use all-too-frequently crude and overbroad filters that block out a wide array of non-"harmful" speech -- everything from the Quaker home page to the American Association of University Women has been blocked by these programs.

Indeed, you can no more create a computer program to block out one community's view of "indecency" or "obscenity" than you can devise a filtering program to block out misguided proposals by members of Congress. Both may be desirable, but neither is possible.

At first glance, the Coats' CDA II bill appears to be a relatively benign provision that purportedly applies only to commercial pornographers who market to minors. But it is a Trojan horse. Beneath the veneer, it covers any Web site that has a commercial component and which has material that some community will consider "harmful to minors", even if that is not the material for sale. This ranges from the electronic bookseller Amazon.com to EFF's site, which sells books and T-Shirts.


The Electronic Frontier Foundation is one of the leading civil liberties organizations devoted to ensuring that the Internet remains the world's first truly global vehicle for free speech, and that the privacy and security of all on-line communication is preserved. Founded in 1990 as a nonprofit, public interest organization, EFF is based in San Francisco, California. EFF maintains an extensive archive of information on encryption policy, privacy, and free speech at http://www.eff.org.

 

EFF DES CRACKER MACHINE BRINGS HONESTY TO CRYPTO-POLICY DEBATE

ELECTRONIC FRONTIER FOUNDATION PROVES THAT DES IS NOT SECURE

CONTACT:

Electronic Frontier Foundation, +1 415 436 9333, ask@eff.org

SAN FRANCISCO, CA -- The Electronic Frontier Foundation (EFF) today raised the level of honesty in crypto politics by revealing that the Data Encryption Standard (DES) is insecure. The U.S. government has long pressed industry to limit encryption to DES (and even weaker forms), without revealing how easy it is to crack. Continued adherence to this policy would put critical infrastructures at risk; society should choose a different course.

To prove the insecurity of DES, EFF built the first unclassified hardware for cracking messages encoded with it. On Wednesday of this week the EFF DES Cracker, which was built for less than $250,000, easily won RSA Laboratories' "DES Challenge II" contest and a $10,000 cash prize. It took the machine less than 3 days to complete the challenge, shattering the previous record of 39 days set by a massive network of tens of thousands of computers. The research results are fully documented in a book published this week by EFF and O'Reilly and Associates, entitled "Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design."

"Producing a workable policy for encryption has proven a very hard political challenge. We believe that it will only be possible to craft good policies if all the players are honest with one another and the public," said John Gilmore, EFF co-founder and project leader. "When the government won't reveal relevant facts, the private sector must independently conduct the research and publish the results so that we can all see the social trade-offs involved in policy choices."

The nonprofit foundation designed and built the EFF DES Cracker to counter the claim made by U.S. government officials that governments cannot decrypt information when protected by DES, or that it would take multimillion-dollar networks of computers months to decrypt one message. "The government has used that claim to justify policies of weak encryption and 'key recovery,' which erode privacy and security in the digital age," said EFF Executive Director Barry Steinhardt. "It is now time for an honest and fully informed debate, which we believe will lead to a reversal of these policies."

"EFF has proved what has been argued by scientists for twenty years, that DES can be cracked quickly and inexpensively," said Gilmore. "Now that the public knows, it will not be fooled into buying products that promise real privacy but only deliver DES. This will prevent manufacturers from buckling under government pressure to 'dumb down' their products, since such products will no longer sell." Steinhardt added, "If a small nonprofit can crack DES, your competitors can too. Five years from now some teenager may well build a DES Cracker as her high school science fair project."

The Data Encryption Standard, adopted as a federal standard in 1977 to protect unclassified communications and data, was designed by IBM and modified by the National Security Agency. It uses 56-bit keys, meaning a user must employ precisely the right combination of 56 1s and 0s to decode information correctly. DES accounted for more than $125 million annually in software and hardware sales, according to a 1993 article in "Federal Computer Week." Trusted Information Systems reported last December that DES can be found in 281 foreign and 466 domestic encryption products, which accounts for between a third and half of the market.

A DES cracker is a machine that can read information encrypted with DES by finding the key that was used to encrypt that data. DES crackers have been researched by scientists and speculated about in the popular literature on cryptography since the 1970s. The design of the EFF DES Cracker consists of an ordinary personal computer connected to a large array of custom chips. It took EFF less than one year to build and cost less than $250,000.

This week marks the first public test of the EFF DES Cracker, which won the latest DES-cracking speed competition sponsored by RSA Laboratories ( http://www.rsa.com/rsalabs/ ). Two previous RSA challenges proved that massive collections of computers coordinated over the Internet could successfully crack DES. Beginning Monday morning, the EFF DES Cracker began searching for the correct answer to this latest challenge, the RSA DES Challenge II-2. In less than 3 days of searching, the EFF DES Cracker found the correct key. "We searched more than 88 billion keys every second, for 56 hours, before we found the right 56-bit key to decrypt the answer to the RSA challenge, which was 'It's time for those 128-, 192-, and 256-bit keys,'" said Gilmore.

Many of the world's top cryptographers agree that the EFF DES Cracker represents a fundamental breakthrough in how we evaluate computer security and the public policies that control its use. "With the advent of the EFF DES Cracker machine, the game changes forever," said Whitfield Diffie, Distinguished Engineer at Sun Microsystems and famed co-inventor of public key cryptography. "Vast Internet collaborations cannot be concealed and so they cannot be used to attack real, secret messages. The EFF DES Cracker shows that it is easy to build search engines that can."

"The news is not that a DES cracker can be built; we've known that for years," said Bruce Schneier, the President of Counterpane Systems. "The news is that it can be built cheaply using off-the-shelf technology and minimal engineering, even though the Department of Justice and the FBI have been denying that this was possible." Matt Blaze, a cryptographer at AT&T Labs, agreed: "Today's announcement is significant because it unambiguously demonstrates that DES is vulnerable, even to attackers with relatively modest resources. The existence of the EFF DES Cracker proves that the threat of 'brute force' DES key search is a reality. Although the cryptographic community has understood for years that DES keys are much too small, DES-based systems are still being designed and used today. Today's announcement should dissuade anyone from using DES."

EFF and O'Reilly and Associates have published a book about the EFF DES Cracker, "Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design." The book contains the complete design details for the EFF DES Cracker chips, boards, and software. This provides other researchers with the necessary data to fully reproduce, validate, and/or improve on EFF's research, an important step in the scientific method. The book is only available on paper because U.S. export controls on encryption potentially make it a crime to publish such information on the Internet.

EFF has prepared a background document on the EFF DES Cracker, which includes the foreword by Whitfield Diffie to "Cracking DES." (See http://www.eff.org/descracker/ ). The book can be ordered for worldwide delivery from O'Reilly & Associates via the Web ( http://www.ora.com/catalog/crackdes ), or phone (1 800 998 9938, or +1 707 829 0515.)


The Electronic Frontier Foundation is one of the leading civil liberties organizations devoted to ensuring that the Internet remains the world's first truly global vehicle for free speech, and that the privacy and security of all on-line communication is preserved. Founded in 1990 as a nonprofit, public interest organization, EFF is based in San Francisco, California. EFF maintains an extensive archive of information on encryption policy, privacy, and free speech at the EFF Web site ( http://www.eff.org ).



 

EFF & OTHER GROUPS WARN CONGRESS OF DANGERS IN NEW FBI WIRETAP WISHLIST

July 17, 1998

The Honorable Ted Stevens
Chairman
Committee on Appropriations
United States Senate
Washington, D.C. 20510

Dear Mr. Chairman:

We are writing to urge you to reject any efforts by the Federal Bureau of Investigation to use the appropriations process to expand its electronic surveillance powers through amendments to the Communications Assistance for Law Enforcement Act (CALEA). Four years ago, FBI Director Freeh hailed CALEA as achieving "a delicate but critical balance between public safety and privacy and constitutional rights." Director Freeh praised CALEA:

"I think we have reached a remarkable compromise and achievement in preserving that tool [wiretapping] as it has existed since 1968 and yet balancing all the technology and privacy concerns which are so precious to all of us."

- FBI Director Louis Freeh, Congressional testimony, August 1994.

But ever since the law was enacted, the FBI has tried to use it not merely to preserve its surveillance capabilities as Congress intended, but to expand them, demanding that companies build expensive new surveillance features. Using the checks and balances in the law, the undersigned privacy groups have asked the FCC to reject the FBI's demands.

We understand that the FBI is now asking Congress for major revisions of the 1994 law, to mandate the FBI's requests for expanded surveillance capabilities and strike from the Act key provisions intended to ensure a balance between privacy and law enforcement. We understand that the FBI has asked that there be attached to the CJS appropriations bill an amendment that would:

In short, the FBI is trying to rewrite CALEA to get what it failed to get from Congress four years ago, and what it has failed to get since from industry and through the FCC. The FBI's efforts are under challenge at the FCC and in the courts. The FBI's proposed amendment is an effort to cut off those challenges.

It is appropriate for Congress at this time to extend the CALEA compliance and "grandfather" dates, in order to allow resolution of the substantive issues pending before the FCC. It would be inappropriate for Congress to grant FBI the authority that it was denied four years ago after a lengthy hearing and negotiation process.

The FBI may try to characterize its proposal as a compromise. It is not. The granting of a one-time extension to industry and the purported concessions to privacy do not come close to justifying a fundamental rewriting of CALEA, which is what the FBI amendment would do.

We would be happy to meet with you or your staff to discuss our concerns more fully.

Sincerely,

Laura W. Murphy
American Civil Liberties Union

James P. Lucier, Jr.
Americans for Tax Reform

Jerry Berman
Center for Democracy and Technology

Barry Steinhardt
Electronic Frontier Foundation

Marc Rotenberg
Electronic Privacy Information Center

Lisa S. Dean
Free Congress Foundation

Cc: The Honorable Robert C. Byrd
    The Honorable Judd Gregg
    The Honorable Ernest F. Hollings
    The Honorable Patrick J. Leahy



ADMINISTRIVIA

EFFector is published by:

The Electronic Frontier Foundation
1550 Bryant St., Suite 725
San Francisco CA 94103 USA
+1 415 436 9333 (voice)
+1 415 436 9993 (fax)

Editor: Stanton McCandlish, Program Director/Webmaster (mech@eff.org)

Membership & donations: membership@eff.org
Legal services: ssteele@eff.org
General EFF, legal, policy or online resources queries: ask@eff.org

Reproduction of this publication in electronic media is encouraged. Signed articles do not necessarily represent the views of EFF. To reproduce signed articles individually, please contact the authors for their express permission. Press releases and EFF announcements may be reproduced individually at will.

To subscribe to EFFector via email, send message body of:
subscribe effector-online
to listserv@eff.org, which will add you to a subscription list for EFFector. To unsubscribe, send a similar message body, like so:
unsubscribe effector-online

Please tell ask@eff.org to manually remove you from the list if this does not work for some reason.

Back issues are available at:
http://www.eff.org/pub/EFF/Newsletters/EFFector

To get the latest issue, send any message to effector-reflector@eff.org (or er@eff.org), and it will be mailed to you automagically. You can also get:
http://www.eff.org/pub/EFF/Newsletters/EFFector/current.html
