Digital rights and the new era of world terrorism

AMONG THE MANY shock waves set off by the September 11 attacks is the one where law enforcement representatives dust off every surveillance plan that's been rejected for the last ten years and try to ram it through while people are still rawly frightened.

Britain's foreign minister, Jack Straw, was the bane of civil libertarians when he was at the Home Office, and unfortunately now gets to repeat his performance in a role where privacy activists had thought he was safely out of the way.

When in doubt, blame the media. According to the September 27 issue of ntk.net, Straw's enemy number one was "the secret, pro-encryption agenda of Radio Four's Today programme. Apparently, when Jack was at the Home Office, Radio 4 together with "large parts of the industry, backed by some people who I think will now recognise they were very naive in retrospect, said: ‘You mustn't do [key escrow]'."

Well, I spent six years arguing against key escrow in every publication (See here) and forum I could get my hands on, and I don't think I was naïve. I think that Straw is disingenuous. It's not possible that law enforcement personnel are not smart enough to grasp the chief argument against curtailing citizens' right to use strong cryptography: that strong crypto, deployed correctly, prevents fraud, and that outlawing strong crypto will make it easier to catch only stupid criminals. The people who planned the September 11 attacks were not stupid: on the contrary, the planning, understanding of psychology, patience, and intelligence that went into the plan were extraordinary. You can be sure they would not have been using crypto designed to let governments snoop on them.

What restricting crypto would do is make ordinary citizens far more vulnerable to fraud. Around the world crypto helps human rights, rather than the opposite. See, for example, Phil Zimmermann's polite but firm rebuttal of a recent Washington Post article claiming that he was wracked with guilt for having developed the leading free crypto program, < a href="http://www.philzimmermann.com/news-Response_WashPost.shtml" target=_blank">PGP.

The fact is they were unlikely to use crypto at all. Cryptography, excellent though it is for protecting my credit card details when I send them to Amazon.com or for hiding the content of an email message I want a friend, but not the people who share his email account, to read. But it is absolutely useless in terms of hiding who you are in contact with. Police arguably learn far more from creating friendship trees and patterns of relationship from traffic data - email headers, telephone bills, Web logs, and soon mobile location services (thefeature) - than they do from the actual content of email. (Because, let's face it, most email, even encrypted email, says stuff like, "See you Friday at 5. OK?")

A smart criminal uses one-time pre-pay cellphones or pre-arranged classified ads, or apparently innocent postcards, or…well, you go read Agatha Christie, and you'll see it's all there. She was not only clever, she lived through two World Wars.

Carping about past campaigns is pointless in any case unless, as NTK suggested, you're trying to shift the blame. Because, let's face it, the intelligence services completely missed this one. But they'd still like to punish the rest of us for that failure by creating the kind of regime that would greatly aid a police state if one ever came to power.

National ID cards. More surveillance cameras. Back doors in all crypto (except that used by the entertainment industry for digital rights management). And while we're at it: let's be extra tough on those Web-site-defacing low-lifes.

How exactly are national ID cards going to prevent terrorism? Had national ID cards been required in the US where the hijackers were living, no doubt they'd have had valid ones, just as they had ordinary and unremarkable lives until the day of the attack. We all have some form of government-issued ID - passports, driver's licenses, Social Security cards. Do they act as a deterrent? Do they stop anyone in France or Turkey?

Fortunately, the US government has rejected this approach. But instead they're pushing the Mobilization Against Terrorism Act (MATA), which includes such fun provisions as defining all computer intrusions as terrorism (put them in jail and throw away the key), and broad pre-conviction asset seizure powers and serious criminal threats to those who "materially assist" or "harbor" terrorists (which arguably could include, say, the mother of that weird teen who spends all his time giggling furiously in his bedroom over the holes he and his friends found in that Department of Justice Web site).

Even less appealing is watching companies jostle for position in this big, new market they hope they see opening up in front of them. Oracle CEO Larry Ellison, for example, made his pitch for national ID cards.

Visionics, the folks who make facial recognition systems, announced a week after the attack that they're going to commercialize their systems for use in airports and other facilities. There's a snide analysis of why this won't work in The Register ( here) - briefly, such systems don't work well in uncontrolled systems, and so to catch the likely number of terrorists you'd have to raise the system's sensitivity so high that you'd be getting an unacceptably high rate of false positives.

The problem with all these things - along with banning strong cryptography - is that they make people feel safer because they seem to be doing something high-tech and proactive. In fact, what all these systems enable is passive surveillance - not prevention. Such systems may - *may* - make it easier for law enforcement to catch perpetrators after a crime or terrorist attack has taken place or to criminalize people who fit certain stereotypes that arouse prejudice. But in all cases active law enforcement tends to withdraw to a distant TV screen somewhere. What most people want is not the feeling that if they are mugged, raped, or murdered their attacker will be punished. They want not to be mugged, raped, or murdered. The way to achieve that is not to throw technology at the problem or to criminalize people who forget to carry a particular piece of chip-laden plastic. The way to achieve that is to bring back people. Air marshals, guards on the London Underground, the police car that drives down your street at random intervals. ID cards don't help people. People help people. µ

Wendy M. Grossman, whose Web site is pelicancrossing.net, is author of From Anarchy to Power: the Net Comes of Age (NYU Press, 2001), net.wars (NYU Press, 1998), and the Daily Telegraph A-Z Guide to the Internet (Macmillan, 2001). She can be reached at this email address.