Encryption, secrets, and spies
Encryption was devised so that a message sent to the recipient could be read only by the recipient. The encryption could be done in a variety of ways, including numbers, letters, etc. Without knowledge of the method or the key, the message is intended to be unintelligible to unauthorized viewers.
Secrets are those things we most wish others, usually very specific and certain others, not to know about us and our actions.
Spies are those people or entities that obtain the secrets — confidential information and communications that might better have been encrypted — and transmit those secrets to those not entitled or authorized to have them.
Currently, many governments require that encryption keys used by private enterprise be given to those governments on the theory that the government is protecting the country’s and its citizenry’s interests in the world. This is a good argument and a valid point. It assumes, of course, that no government employee is corruptible, and that the government and its representatives always work for the benefit of all its citizens, rather than for more self-serving interests (both sometimes rash assumptions).
Many new e-commerce sites are choosing not to locate in those countries that have such disclosure policies. It is a business decision, perhaps based on the fact that market surveys show that customers would prefer to deal with a company that values their privacy. The costs of complying with the regulations are just another procedural tax and do not in any way enhance the quality of the economic environment in which they are located. Thus many businesses are choosing countries like Ireland, which requires a company to decrypt a document only under court order. No keys are disclosed.
As an interesting side note, while some e-commerce sites are relocating to avoid government oversight, some programs — varying from children’s software to downloading software — capture data from your computer to be used, without your knowledge, for marketing or tracking purposes. A class action lawsuit has been filed against Netscape/AOL, which may influence this practice. In the meantime, software such as OptOut (available at http://grc.com/) is designed to help deal with these web spies.
To ensure that a country’s security bureau has a key to all your data, no matter how stored or sent, you as a company (and as individuals) are forced by lack of allowed alternatives to use a low encryption standard, just as you are not allowed to use other communications tools that cannot be easily monitored by your government. You must use technology that is less capable. This can leave the corporation vulnerable to attacks from competitors and criminals. Thus, for example, a country desiring to protect itself from criminals, terrorists, and its citizens may be willing to sacrifice the intellectual property and jobs of its commercial sector to do so.
In addition to requiring keys and low levels of acceptable encryption technology, many governments actively participate in monitoring civilian communications. We have discussed (in the April 2000 issue of the e-Journal) the U.S. participation in Echelon. In addition, the FBI’s Carnivore system is reputed to be able to scan millions of (unencrypted) e-mails a second when hooked to an ISP. The government also does quite a bit of wiretapping: Indeed, the FBI objected to the acquisition of Verio by Japan’s NTT because it might interfere with FBI wiretapping activities.
What do we know about encryption, secrets, and spies? That they exist. And that even the best encryption system may be of no use, since the access to keys has been abused, and the abuse is well documented. Governments and businesses do what is in their best interests — and so do humans who are the decision-makers in government and companies.
We need to be aware and act accordingly. Most of the row we are hearing about privacy is from those people or companies that have been uninformed and have been shocked into awareness.