Will terrorism make online privacy extinct?

Personal privacy has always been a stalwart pillar of our basic democratic rights. For years, hardliners in governments all over the world, especially certain figures in the United States, have pushed for legislation allowing Federal employees to

Personal privacy has always been a stalwart pillar of our basic democratic rights. For years, hardliners in governments all over the world, especially certain figures in the United States, have pushed for legislation allowing Federal employees to have free reign when reading people's electronic communications.

The argument for this drastic reduction (some would say elimination) of privacy has always been to prevent terrorists and criminals using the Internet in the planning of their crimes. The perceived anonymity and safety of Internet communications, coupled with nearly unlimited potential access points across the globe, is extremely attractive to those who seek to break our laws.

The primary focus of each successive government's attack on our privacy has always been encryption. Encryption of email, encryption of business transactions, encryption of real time communications – all can and are used by terrorists to make their activities a little bit easier to carry out. Knowing this, governments such as the current Bush administration, and the previous Democrat government led by Bill Clinton, have attempted (and in some cases succeeded) to introduce new laws allowing them to do virtually anything they want when it comes to electronic communication, regardless of existing privacy laws.

A perfect example of an early, failed attempt at making privacy redundant was the Clipper chip. Touted as a totally secure hardware method of encryption suitable for use at the corporate level, the Clipper chip was the US Government's answer to providing business (and to a lesser extent, individuals) with secure communications, while still addressing the terrorism problem. The Clipper chip worked using a 'key in escrow' system, whereby each person or organisation's private decryption key was held in a secure system by a third party – in this case, by two government controlled agencies.

Ordinarily, most people would have no problem with this, as they could simply opt not to use the Clipper chip for their secure communications. However, when the Government attempted to introduce law making it compulsory for people to use the Clipper chip for all their encryption, there was a huge public outcry. The possible privacy implications of government agencies holding a key to unlock all encrypted electronic traffic in the US were staggering. The US Government immediately pointed out that it required appropriate legal authorisation before any Federal employee could retrieve an encryption key. Despite this, the damage was already done. People were incensed that a government could even think of taking away their right to privacy. Furthermore, people (and particularly business) did not trust the US government to always obtain legal authorisation before using its new powers; one look at the track record of the Federal Bureau of Investigation in matters relating to surveillance and wire-tapping was all that was needed to convince people that any encryption solution that allowed a government to read their communications at will, regardless of any stated legal restrictions, was deeply flawed. Thus, the Clipper chip died a well-deserved death.

Governments realised that it was not the right time to attack people's right to encryption. However, other methods were on the drawing boards, aimed at making mass electronic eavesdropping an easy task for law enforcement officials.

The Carnivore project was designed to parse hundreds of millions of emails that were passed through it, in an attempt to flag communications that contained details of potential crimes. Originally named 'Omnivore', the project was renamed after massive public outcry, but the re-christening proved pointless as concern continued to grow among both computing professionals and the general populace.

Despite massive initial public opposition to the implementation of Carnivore, the US Government managed to instate law that required network service providers to install the system upon request from the FBI. Thus, a little black box sits in certain ISPs from time to time, watching all the tiny packets that fly past and occasionally gobbling up a few for later analysis.

And now we come to the crux of the issue. After recent events in New York, there were reports of FBI agents installing new Carnivore devices at ISPs and major backbone provider's facilities, where previously there were none. Whether they have adequate legal approval for these actions or not, once installed, the new Carnivore devices are likely to stay indefinitely. If the FBI deems that this terrorist incident is reason enough to start installing new Carnivore equipment, what other methods of surveillance are currently being put in place in order to capture and sort through our personal Net-based communications?

'So what?' you may ask. 'That's America, it's not happening here'. That may or may not be true, but either way it is irrelevant. Despite the nature of the Web, where information can reach its destination regardless of what parts of the network are taken offline, the majority of Australian international traffic is currently (and will most likely continue to be) routed through the United States. If our communications are routed through the US, then they fall under the same mass surveillance that US citizens' traffic does. Quite aside from the issue that US laws are actually affecting Australians, the real implication is simply this: if the United States decides an invasion of electronic privacy is warranted, than the entire world will feel the effects of that decision.

Outside of the US, it will be interesting to see how other governments will react to recent events. Governments around the globe must be looking at this latest act of terrorism, asking themselves: 'How can we ensure that the Internet is not used to the advantage of terrorists planning actions in our countries?' Naturally, they will once again turn to the issues of encryption and anonymity, and how best to limit these in order to help gain intelligence on terrorist acts before they occur.

Could we perhaps see similar laws passed in Australia, which enable police and other governmental agencies to conduct widespread surveillance of the population's electronic communications? It is certainly possible, but luckily not too hard to circumvent; the use of proper encryption makes tools such as Carnivore redundant. Tools such as these may see encrypted traffic and automatically flag it for analysis, but when the encryption is of a suitable strength, it makes decryption unviable. Four years to decrypt a single RC5-64 encrypted message means that even if the government does find your email, it will be a long time before it can read the contents. When you couple this with widespread general use of good encryption algorithms, to the point where nearly all communications being examined are encrypted, then it becomes an impossible task for anyone to single out and read your communication.

Of course, this defence becomes redundant if governments use the World Trade Centre incident to force new laws into existence governing the use of encryption. If the government has access to your crypto keys, then regardless of politicians waffling about legal oversight, your electronic communication is compromised and the concept of privacy – in any context – becomes a fallacy. Benjamin Franklin perhaps said it best: 'Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.'

Brad Webb