Interesting People mailing list archives
IP: Worthwhile reading for Corp Officers and Security folk --
From: Dave Farber <farber () cis upenn edu>
Date: Mon, 24 Aug 1998 10:32:42 -0400
Date: Sun, 23 Aug 1998 18:46:03 -0400
From: Vin McLellan <vin () shore net>
Subject: Re: Computer hard disc scanning by HM Customs & Excise
To: Dave Farber <farber () cis upenn edu>
Sender: owner-el-democracy () www ispo cec be

Reading the comments of the UK Customs and Excise spokesfolk about their new policy of routinely scanning the digital memories carried by travellers, one is struck by their apparent naivete, e.g.: <http://www.open.gov.uk/customs/discscan.htm>

Nothing bad could be happening since it is all done in the presence of the traveller. The traveller is allowed to watch. It's only a "scan" for appalling digital smut -- although the process, as described, involves copying the disk (and almost any "scan" allows that, overtly or covertly.)

It makes me wonder if they had any idea of what kind of Pandora's Box they were opening.

Two years ago, a gentleman at Hewlett-Packard Labs in California -- the former head of R&D at Apple, as I recall -- mentioned on one of the Internet newsgroups that senior HP executives had been warned by US intelligence agencies that big-number cash bounties had been posted (where and by whom, it was not clear) for anyone who could obtain the travel laptop of particular US computer industry executives. The targets were identified by name and position.

I suspect that the UK bureaucrats who thought up this search for illicit images never considered that the digital soup they were straining for porn in this low-level bureaucratic process might be worth $100K or $500K or $1M on the black market. (They may not have thought about how useful and productive their data-trap might look to Her Majesty's own intel chaps either, although many suspect C&E's naivete in that regard was brief.)

Such casually intrusive and randomized search procedures are used for low-value valuables. (I suspect De Beers' couriers don't get their wares pawed by junior staff who can't tell a diamond from a rhinestone.)

Information has always had potentially high value, of course -- but even the post-industrial societies are still adjusting to the way computers concentrate and create such value in data. HM C&E is not likely on the cutting edge here.

C&E officials have probably been amazed at the anger and passionate resentment many knowledge-workers have shown toward their new policy. The C&E baggage inspector who is only barely computer-literate is not likely to realize how profoundly a traveller may feel violated by a process which, by its nature, necessarily offers Her Majesty's government an opportunity to copy one or two Gigabytes of personal and professional memories -- with the traveller forced to open encrypted files as if they were just another "locked suitcase."

At least until this UK initiative raised the possibility of routine data searches, many of us typically travelled with almost all our personal messages, diaries, as well as all our professional work for the past two or three years in a laptop hanging from a shoulder strap. (With my RSA SecurPC, it seemed safe, as well as readily accessible.) My outrage at the invasiveness and indignity of such a search would probably shock someone who doesn't live and work online, the way I and many others do.

Corporate execs and couriers may have far more valuable files: business plans, negotiation options, strategic plans, industrial plans, prototype products, competitive analyses, corporate records of all types. (Old and deleted files -- even unsaved data like remote-access passwords and encryption keys dropped in swap or temp files on a PC -- are often retrievable from a copy of a hard disk.)

A business traveller planning to negotiate a deal in the City, offer a contract to a British firm, or set up a plant or office in the UK, may now risk corporate treasure, as well as personal indignity, in subjecting himself to such a C&E search.

For some of us, a strip search and sodium pentothal session at the C&E post would be less invasive -- but even the British bureaucrats who came up with this policy would probably consider routine truth-serum interrogations of travellers over the top: unreasonable, uncivil, disrespectful, and likely to drive off tourists, merchants, bankers, and traders who bring money and jobs to the UK.

Most of us, of course, will immediately jump to Cyberspace, where ready access to encrypted files on a server or website anywhere in the world leaves them available, but largely secure from government eavesdroppers (even when the recipient of the data transfer is in a London hotel!) It only will be a very very stupid smut merchant who gets caught by C&E's memory trap.

On the other hand, damage done to the British economy by C&E's routine searches of travellers' digital memories may be apparent rather quickly.

I know of several large multinational corporations that have regular couriers who (daily or several times a week) carry sensitive material -- usually in digital form, on a laptop or Zip disks -- from their Paris offices to London, where it is encrypted and transmitted to their corporate offices around the world. These firms, and others with similar requirements, restrict the size of their French installations (and investments) too.

This happens because French law forbids any firm, operating within France, from using strong encryption for either domestic or international data transfers... unless they give the French authorities the crypto keys that would allow the SCSSI to access, copy, and potentially exploit those messages or data files.

(French intelligence agencies -- like their counterparts in most governments today -- are widely suspected of trying to steal commercial and industrial secrets from non-French businessmen, and using them to benefit French industrial and commercial interests. France, not being a beneficiary of the Echelon net like the US and UK, maybe has to try a little harder. In recent years, rumors have also led many international flyers to believe, rightly or wrongly, that the first class seats on Air France are wired by those same French agencies for commercial espionage.)

Now, I wonder if those corporate couriers will be taking the Eurostar through the Chunnel next week?

The couriers may lug briefcases full of paper (which C&E is unlikely to read, or Xerox) for a few days. I suspect, however, that many of those firms are even now urgently reviewing their telecom alternatives. As the recent GILC survey <http://www.gilc.org/crypto/crypto-survey.html> and the EC's Copenhagen Hearings <http://www.fsk.dk/fsk/div/hearing/krypt.html> make clear, more business-sensitive governments abound, even in Europe.

For the past two years, the dominant policies of the OECD and the European Commission have been to foster electronic commerce by respecting the legitimate needs of consumers and businessmen for crypto-enabled confidentiality. Some correlations between policy and investment have been reported.

Ireland recently announced what appears to be one of the most liberal national policies, allowing for the use and trade in crypto-enhanced software, among the Wassenaar signatories: <http://www.irlgov.ie:80/tec/html/signat.htm>

At the time, a senior Irish official noted that his government believes that its progressive stance on corporate requirements for crypto-based confidentiality has led over 700 foreign firms to set up plants and offices in the Emerald Isle.

It makes you wonder at the cost-benefits of this British government campaign to nail a few closet perverts?

Suerte,
_Vin

-----
"Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege."
_ A Thinking Man's Creed for Crypto _vbm.

* Vin McLellan + The Privacy Guild + <vin () shore net> *
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548