Law Enforcement and Government Surveillance
November 15, 2007
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2007 • Lorrie Cranor • http://cups.cs.cmu.edu/courses/privpolawtech-fa07/
Research and Communication Skills
Organizing a research paper
• Decide up front what the point of your paper is and stay focused as you write
• Once you have decided on the main point, pick a title
• Start with an outline
• Use multiple levels of headings (usually 2 or 3)
• Don’t ramble!
Research and Communication Skills
Typical paper organization
• Abstract
  • Short summary of paper
• Introduction
  • Motivation (why this work is interesting/important, not your personal motivation)
• Background and related work
  • Sometimes part of introduction, sometimes two sections
• Methods
  • What you did
  • In a systems paper you may have system design and evaluation sections instead
• Results
  • What you found out
• Discussion
  • Sometimes called Conclusion
  • May include conclusions, future work, discussion of implications, etc.
• References
• Appendix
  • Stuff not essential to understanding the paper, but useful, especially to those trying to reproduce your results - data tables, proofs, survey forms, etc.
Research and Communication Skills
Road map
• Papers longer than a few pages should have a “road map” so readers know where you are going
• Road map usually comes at the end of the introduction
• Tell them what you are going to say, then say it, (and then tell them what you said)
• Examples
  • In the next section I introduce X and discuss related work. In Section 3 I describe my research methodology. In Section 4 I present results. In Section 5 I present conclusions and possible directions for future work.
  • Waldman et al., 2001: “This article presents an architecture for robust Web publishing systems. We describe nine design goals for such systems, review several existing systems, and take an in-depth look at Publius, a system that meets these design goals.”
Research and Communication Skills
Use topic sentences
• (Almost) every paragraph should have a topic sentence
  • Usually the first sentence
  • Sometimes the last sentence
  • Topic sentence gives the main point of the paragraph
• First paragraph of each section and subsection should give the main point of that section
• Examples from Waldman et al., 2001
  • In this section we attempt to abstract the particular implementation details and describe the underlying components and architecture of a censorship-resistant system.
  • Anonymous publications have been used to help bring about change throughout history.
Research and Communication Skills
Avoid unsubstantiated claims
• Provide evidence for every claim you make
  • Related work
  • Results of your own experiments
• Conclusions should not come as a surprise
  • Analysis of related work, experimental results, etc. should support your conclusions
  • Conclusions should summarize, highlight, show relationships, raise questions for future work
  • Don’t introduce new ideas in discussion or conclusion section (other than ideas for related work)
  • Don’t reach conclusions not supported by the rest of your paper
Research and Communication Skills
Creating a research poster
• Any word processor, drawing, or page design software will work
  • PowerPoint is well-suited for making posters
• Design poster as single panel or modular units
  • Single panel posters
    • Have a professional look (if well designed)
    • Should be printed on large format printers
  • Modular units
    • Easier to design and transport
    • Print on letter paper (optionally, mounted on construction paper)
Research and Communication Skills
Research poster content
• Don’t try to present your whole paper
  • Convey the big picture
  • Don’t expect people to spend more than 3-5 minutes reading your poster
  • 500 words, maximum
• Introduce problem, your approach, and results
• Provide necessary background or glossary
• A picture is worth 1000 words
  • Graphs, diagrams, etc.
• Use bullets and sentence fragments, similar to making slides
• Don’t forget to include title and author
Research and Communication Skills
Research poster design
• Use a modular design
• Each section of your poster can go in a box
• Use a large, easy-to-read font
  • Most text should be at least 20 point font
  • No text less than 14 point font
  • Headings should be larger and in bold
• Use color consistently
• Arrange elements for a sensible visual flow
Research and Communication Skills
Presenting your research poster
• Be prepared to give a 1-minute overview of your poster and answer questions
• Let people read your poster without interrupting them
• Consider bringing a laptop if you have software to demo or a video to show
• Consider making handouts available with abstract, web URL for obtaining your paper, and your contact information
December 4 Poster Fair
• During class, location TBA
• 32x40 inch foam core boards, 9x12 inch construction paper, glue sticks, and thumb tacks will be made available
  • You can get them from me in advance if you want
• Present your preliminary project results and get feedback you can use as you finish your paper
Donald Kerr’s comments
• CNN Commentary: http://rawstory.com/news/2007/Cafferty_Intel._official_wants_to_redefine_1113.html
• http://www.dni.gov/speeches/20071023_speech.pdf
US Crypto Regulation
Slides courtesy of Hal Abelson
There is a very real and critical danger that unrestrained public discussion of cryptologic matters will seriously damage the ability of this government to conduct signals intelligence and the ability of this government to carry out its mission of protecting national security information from hostile exploitation.
-- Admiral Bobby Ray Inman (Director of the NSA, 1979)
FBI Director Louis Freeh, Congressional testimony, March 30, 1995
Unless the issue of encryption is resolved soon, criminal conversations over the telephone and other communications devices will become indecipherable by law enforcement. This, as much as any issue, jeopardizes the public safety and national security of this country. Drug cartels, terrorists, and kidnappers will use telephones and other communications media with impunity knowing that their conversations are immune from our most valued investigative technique.
CALEA, October 1994
… a telecommunications carrier … shall ensure that its equipment, facilities, or services … are capable of … expeditiously isolating and enabling the government, pursuant to a court order or other lawful authorization, to intercept … all wire and electronic communications carried by the carrier within a service area to or from equipment, facilities, or services of a subscriber of such carrier concurrently with their transmission to or from the subscriber's equipment, facility, or service, or at such later time as may be acceptable to the government …
Clipper
• Designed by the NSA: “For telephones only”
• Authorized by classified Clinton directive in April 1993 (publicly announced only that they were evaluating it). Standards released in Feb. 1994
• “Voluntary” (but government will buy only Clipper phones)
• Built-in (“back door”) key that is split: each half held by a different government agency (“key escrow”)
• Encryption algorithm classified: Clipper chips must be tamperproof and therefore expensive
• Clipper phones do not interoperate with non-Clipper phones
• “Capstone” chip for computer data and communications
Crypto export controls
• Pre-1995: Encryption technology classified by State Department as a munition
  • Illegal to export hardware, software, technical information, unless you register as an arms dealer and adhere to stringent regulations
  • Illegal to provide material or technical assistance to non-US personnel, including posting on the internet to be available outside the US
• 1995: Bernstein v. US Dept. of State, et al., suit filed challenging the constitutionality of export regulations
• 1996: Jurisdiction for crypto exports transferred to Commerce Department, but restrictions remain.
• 1996-2001: Crypto regulations modified and relaxed, but still exist (e.g., can’t export to the CIILNKSS countries)
• 2003: Bernstein case dismissed, October 16, 2003
Industry claims and issues (1995)
• Customers want security for electronic commerce, for protecting remote access, for confidentiality of business information.
• Export restrictions are a pain in the butt.
• There is plausible commercial demand for “exceptional access” to stored encrypted data (e.g., if someone loses a key); but little demand for access to encrypted communications, and no commercial demand for surreptitious access.
Law enforcement claims and issues (1995)
• Wiretapping is a critical law-enforcement tool.
• Wiretaps are conducted on specific, identified targets under lawful authority.
• For wiretapping, access to escrowed keys must occur without knowledge of the keyholders.
• Many criminals are often sloppy and/or stupid: They won’t use encryption unless it becomes ubiquitous. Some criminals are far from sloppy or stupid: They will use encryption if it is available.
• Evidence obtained from decryption must hold up in court.
• There is a need for international cooperation in law enforcement.
National security establishment claims and issues (1995)
• We can’t tell you, but they are really serious.
• NSA “is rumored to be” carrying out blanket interceptions of communications on a massive scale, using computers to filter out the interesting traffic.
Civil libertarian claims and issues (1995)
• As computer communication technology becomes more pervasive, allowing government access to communications becomes much more than traditional wiretapping of phone conversations.
• How do we guard against abuse of the system?
• If we make wiretapping easy, then what are the checks on its increasing use?
• There are other tools (bugging, data mining, DNA matching) that can assist law enforcement. People have less privacy than previously, even without wiretapping.
NIST meetings with industry, Fall 95
• Allow export of hardware and software with up to 56-bit algorithms, provided the keys are escrowed with government-approved “escrow agents”
• But
  • no interoperability between escrowed and non-escrowed systems
  • escrow cannot be disabled
  • escrow agents must be certified by US government or by foreign governments with whom US has formal agreements
Interagency working group draft, May 96
• Industry and government must partner in the development of a public key-based key management infrastructure and attendant products that will assure participants can transmit and receive information electronically with confidence in the information's integrity, authenticity, and origin and which will assure timely lawful government access.
• Escrow is the price of certification (CA might also function as an EA)
Courting industry, Fall 96 - ...
• Shift jurisdiction of crypto exports from State to Commerce
• Allow export of any strength, so long as it has key escrow (now known as “key recovery” - KR)
• Immediate approval of export for 56-bit DES, provided company files a plan for installing KR in new 56-bit products within two years
• Increased granting of export licenses for restricted applications (e.g., financial transactions)
Legislation, 1997
Bills introduced all over the map, ranging from elimination of export controls to bills that would mandate key recovery for domestic use.
• Hal Abelson
• Ross Anderson
• Steven M. Bellovin
• Josh Benaloh
• Matt Blaze
• Whitfield Diffie
• John Gilmore
• Peter G. Neumann
• Ronald L. Rivest
• Jeffrey I. Schiller
• Bruce Schneier
Some technical observations
• If Alice and Bob can authenticate to each other, then they can use Diffie-Hellman to establish a shared key for communications
• The security requirements for CAs are very different from those for escrow agents
• Implementing basic crypto is cheap, adding a key recovery infrastructure is not.
• Crypto is necessary not only for electronic commerce, but to protect the information infrastructure. But key escrow may make things less secure, not more:
  • Repositories of escrowed keys could be irresistible targets of attack by criminals
  • If thousands of law enforcement personnel can quickly get access to escrowed keys, then who else can??
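An added illustration, not from the original slides, of the split-key escrow described on the Clipper slide and of the repository concern above. It assumes a 2-of-2 XOR split; `toy_cipher`, the 16-byte key and the messages are constructed stand-ins, since the Clipper algorithm was classified.

```python
import hashlib
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    # Byte-wise XOR, truncated to the shorter input.
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key: bytes) -> tuple[bytes, bytes]:
    """2-of-2 split: one half is uniformly random, the other is key XOR it."""
    half_a = secrets.token_bytes(len(key))
    return half_a, xor(key, half_a)

def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode); encrypts and decrypts."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return xor(data, stream)

def escrow_demo() -> dict:
    device_key = secrets.token_bytes(16)          # constructed sample key
    agency_1, agency_2 = split_key(device_key)    # each escrow agent stores one half

    # Two unrelated conversations protected by the same escrowed key.
    calls = [(secrets.token_bytes(8), b"call one: lunch at noon"),
             (secrets.token_bytes(8), b"call two: quarterly numbers")]
    ciphertexts = [(n, toy_cipher(device_key, n, m)) for n, m in calls]

    # One half alone is independent of the key and decrypts nothing.
    one_half = [toy_cipher(agency_1, n, c) for n, c in ciphertexts]
    # Whoever holds both halves, by whatever route, reads every call under that key.
    recovered = xor(agency_1, agency_2)
    both_halves = [toy_cipher(recovered, n, c) for n, c in ciphertexts]
    return {
        "key_recovered": recovered == device_key,
        "one_half_reads": [p == m for p, (_, m) in zip(one_half, calls)],
        "both_halves_read": [p == m for p, (_, m) in zip(both_halves, calls)],
    }

if __name__ == "__main__":
    print(escrow_demo())
```

The split protects the key only while the two repositories stay separate; once both halves are in one place, access is to all traffic under that key, not to a single conversation.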
More recently …
• Jan, 2000: Commerce Department issues new export regulations on encryption, relaxing restrictions
• Sept. 13, 2001: Sen. Judd Gregg (New Hampshire) calls for encryption regulations, saying encryption makers “have as much at risk as we have at risk as a nation, and they should understand that as a matter of citizenship, they have an obligation” to include decryption methods for government agents.
• By Oct., Gregg had changed his mind about introducing legislation.
Surveillance systems you should know about
Clipper
Echelon
CAPS II
TIA
Carnivore
CALEA
MATRIX