Interesting People mailing list archives

IP: Worthwhile reading for Corp Officers and Security folk --


From: Dave Farber <farber () cis upenn edu>
Date: Mon, 24 Aug 1998 10:32:42 -0400

Date: Sun, 23 Aug 1998 18:46:03 -0400
From: Vin McLellan <vin () shore net>
Subject: Re: Computer hard disc scanning by HM Customs & Excise
To: Dave Farber <farber () cis upenn edu>
Sender: owner-el-democracy () www ispo cec be


        Reading the comments of the UK Customs and Excise spokesfolk about
their new policy of routinely scanning the digital memories carried by
travellers, one is struck by their apparent naivete, e.g.:
<http://www.open.gov.uk/customs/discscan.htm>


        Nothing bad could be happening since it is all done in the presence
of the traveller. The traveller is allowed to watch.  It's only a "scan"
for appalling digital smut -- although the process, as described, involves
copying the disk (and almost any "scan" allows that, overtly or covertly.)
It makes me wonder if they had any idea of what kind of Pandora's Box they
were opening.


        Two years ago, a gentleman at Hewlett-Packard Labs in California --
the former head of R&D at Apple, as I recall -- mentioned on one of the
Internet newsgroups that senior HP executives had been warned by US
intelligence agencies that big-number cash bounties had been posted
(where and by whom, it was not clear) for anyone who could obtain the
travel laptop of particular US computer industry executives. The targets
were identified by name and position.


        I suspect that the UK bureaucrats who thought up this search for
illicit images never considered that the digital soup they were straining
for porn in this low-level bureaucratic process might be worth $100K or
$500K or $1M on the black market. (They may not have thought about how
useful and productive their data-trap might look to Her Majesty's own intel
chaps either, although many suspect C&E's naivete in that regard was
brief.)


        Such casually intrusive and randomized search procedures are used
for low-value valuables. (I suspect De Beers' couriers don't get their wares
pawed by junior staff who can't tell a diamond from a rhinestone.)
Information has always had potentially high value, of course -- but even
the post-industrial societies are still adjusting to the way computers
concentrate and create such value in data.  HM C&E is not likely on the
cutting edge here.  C&E officials have probably been amazed at the anger and
passionate resentment many knowledge-workers have shown toward their new
policy.


        The C&E baggage inspector who is only barely computer-literate is not
likely to realize how profoundly a traveller may feel violated by a process
which, by its nature, necessarily offers Her Majesty's government an
opportunity to copy one or two Gigabytes of personal and professional
memories -- with the traveller forced to open encrypted files as if they
were just another "locked suitcase."


        At least until this UK initiative raised the possibility of routine
data searches, many of us typically travelled with almost all our personal
messages, diaries, as well as all our professional work for the past two or
three years in a laptop hanging from a shoulder strap. (With my RSA
SecurPC, it seemed safe, as well as readily accessible.)  My outrage at the
invasiveness and indignity of such a search would probably shock someone
who doesn't live and work online, the way I and many others do.


        Corporate execs and couriers may have far more valuable files:
business plans, negotiation options, strategic plans, industrial plans,
prototype products, competitive analyses, corporate records of all types.
(Old and deleted files -- even unsaved data like remote-access passwords
and encryption keys dropped in swap or temp files on a PC -- are often
retrievable from a copy of a hard disk.) A business traveller planning to
negotiate a deal in the City, offer a contract to a British firm, or set up
a plant or office in the UK, may now risk corporate treasure, as well as
personal indignity, in subjecting himself to such a C&E search.


        For some of us, a strip search and sodium pentothal session at the
C&E post would be less invasive -- but even the British bureaucrats who
came up with this policy would probably consider routine truth-serum
interrogations of travellers over the top: unreasonable, uncivil,
disrespectful, and likely to drive off tourists, merchants, bankers, and
traders who bring money and jobs to the UK.


        Most of us, of course, will immediately jump to Cyberspace, where
ready access to encrypted files on a server or website anywhere in the
world leaves them available, but largely secure from government
eavesdroppers (even when the recipient of the data transfer is in a London
hotel!) Only a very, very stupid smut merchant will get caught by
C&E's memory trap. On the other hand, the damage done to the British economy by
C&E's routine searches of travellers' digital memories may be apparent
rather quickly.


        I know of several large multinational corporations that have
regular couriers who (daily or several times a week) carry sensitive
material -- usually in digital form, on a laptop or Zip disks -- from their
Paris offices to London, where it is encrypted and transmitted to their
corporate offices around the world. These firms, and others with similar
requirements, restrict the size of their French installations (and
investments) too.


        This happens because French law forbids any firm, operating within
France, from using strong encryption for either domestic or international
data transfers... unless they give the French authorities the crypto keys
that would allow the SCSSI to access, copy, and potentially exploit those
messages or data files.


        (French intelligence agencies -- like their counterparts in most
governments today -- are widely suspected of trying to steal commercial and
industrial secrets from non-French businessmen, and using them to benefit
French industrial and commercial interests. France, not being a beneficiary
of the Echelon net like the US and UK, may have to try a little harder. In
recent years, rumors have also led many international flyers to believe,
rightly or wrongly, that the first class seats on Air France are wired by
those same French agencies for commercial espionage.)


        Now, I wonder if those corporate couriers will be taking the
Eurostar through the Chunnel next week? The couriers may lug briefcases
full of paper (which C&E is unlikely to read, or Xerox) for a few days.  I
suspect, however, that many of those firms are even now urgently reviewing
their telecom alternatives.  As the recent GILC survey
<http://www.gilc.org/crypto/crypto-survey.html> and the EC's Copenhagen
Hearings <http://www.fsk.dk/fsk/div/hearing/krypt.html> make clear, more
business-sensitive governments abound, even in Europe.


        For the past two years, the dominant policies of the OECD and the
European Commission have been to foster electronic commerce by respecting
the legitimate needs of consumers and businessmen for crypto-enabled
confidentiality.  Some correlations between policy and investment have been
reported. Ireland recently announced what appears to be one of the most
liberal national policies, allowing for the use and trade in
crypto-enhanced software, among the Wassenaar signatories:
<http://www.irlgov.ie:80/tec/html/signat.htm> At the time, a senior Irish
official noted that his government believes that its progressive stance on
corporate requirements for crypto-based confidentiality has led over 700
foreign firms to set up plants and offices in the Emerald Isle.


        It makes you wonder at the cost-benefits of this British government
campaign to nail a few closet perverts?


        Suerte,
                _Vin


-----
"Cryptography is like literacy in the Dark Ages. Infinitely potent, for
good and ill... yet basically an intellectual construct, an idea, which by
its nature will resist efforts to restrict it to bureaucrats and others who
deem only themselves worthy of such Privilege."
_ A Thinking Man's Creed for Crypto  _vbm.


*     Vin McLellan + The Privacy Guild + <vin () shore net>    *
      53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
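The point the message above makes about old, deleted files and about passwords or keys "dropped in swap or temp files" being retrievable from a copy of a hard disk, shown as an added example that is not part of the original post and not code from any product named in it. It models a toy block device in Python: an ordinary delete clears only the directory entry and the allocation bitmap, so a carve over the raw image still finds the secret, and even a deliberate overwrite of the files leaves whatever the operating system paged out to swap. The filenames, the block layout, the sample secrets and the swap contents are all constructed for this example.

```python
"""Toy block device: why a raw copy of a disk still gives up "deleted" data.

Everything here (block size, filenames, secrets, swap block) is constructed
for illustration; it is not a model of any real filesystem.
"""
import re

BLOCK_SIZE = 64
NUM_BLOCKS = 16

# Things a carver looks for in the raw bytes, independent of any filesystem.
SECRET_PATTERNS = [
    rb"pass(?:word|phrase)=[^\r\n]+",
    rb"-----BEGIN [A-Z ]*PRIVATE KEY-----",
]


class ToyDisk:
    def __init__(self):
        self.image = bytearray(BLOCK_SIZE * NUM_BLOCKS)  # the raw bytes
        self.used = [False] * NUM_BLOCKS                  # allocation bitmap
        self.directory = {}                               # name -> block list

    def write_file(self, name, data):
        """Store data in the first free blocks (contiguous in this toy)."""
        needed = -(-len(data) // BLOCK_SIZE)
        free = [i for i, u in enumerate(self.used) if not u][:needed]
        if len(free) < needed:
            raise OSError("disk full")
        for n, blk in enumerate(free):
            chunk = data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
            start = blk * BLOCK_SIZE
            self.image[start:start + len(chunk)] = chunk
            self.used[blk] = True
        self.directory[name] = free

    def write_raw(self, blk, data):
        """Simulate the OS paging a decrypted buffer to swap: no file, raw block."""
        assert len(data) <= BLOCK_SIZE
        start = blk * BLOCK_SIZE
        self.image[start:start + len(data)] = data
        self.used[blk] = True

    def delete_file(self, name):
        """Ordinary delete: metadata only, the data blocks are left untouched."""
        for blk in self.directory.pop(name):
            self.used[blk] = False

    def wipe_file(self, name):
        """Overwrite the blocks before releasing them."""
        for blk in self.directory[name]:
            start = blk * BLOCK_SIZE
            self.image[start:start + BLOCK_SIZE] = b"\x00" * BLOCK_SIZE
        self.delete_file(name)


def carve_secrets(image):
    """Scan the raw image, not the directory, for credential-shaped strings."""
    raw = bytes(image)
    found = []
    for pat in SECRET_PATTERNS:
        for m in re.finditer(pat, raw):
            found.append(m.group(0).decode("ascii", "replace"))
    return found


def build_demo_disk():
    disk = ToyDisk()
    # Constructed sample content: a remote-access config and a private key.
    disk.write_file("dialup.cfg", b"host=ras.example.invalid\npassword=Tr0ub4dor&3\n")
    disk.write_file("id_rsa", b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow(constructed)\n")
    # Constructed swap residue: a passphrase the OS paged out of RAM.
    disk.write_raw(15, b"session: passphrase=correct horse battery staple\n")
    return disk


def residue_after_delete():
    """What a copy of the disk yields after the user 'deleted' both files."""
    disk = build_demo_disk()
    disk.delete_file("dialup.cfg")
    disk.delete_file("id_rsa")
    return sorted(carve_secrets(disk.image))


def residue_after_wipe():
    """Even after overwriting the files, the swap block still leaks."""
    disk = build_demo_disk()
    disk.wipe_file("dialup.cfg")
    disk.wipe_file("id_rsa")
    return sorted(carve_secrets(disk.image))


if __name__ == "__main__":
    print("after delete:", residue_after_delete())
    print("after wipe:  ", residue_after_wipe())
```

The carver deliberately ignores the directory and bitmap, which is exactly what an examiner working from a copied image does. The second function shows the caveat a practitioner wants: wiping the files you know about does not reach data the operating system wrote elsewhere on your behalf, so the only real defence against an imaging search is not to carry the plaintext (or the keys) on the disk at all.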

