Wire-tapping the Internet

Don't believe what I saw. A hundred million bottles washed up on the shore.
--The Police, "Message In a Bottle"

In the weeks after the World Trade Center tragedy, many government officials were actively lobbying for increased Internet surveillance as a method of restricting terrorist activity.

This is likely the direct result of numerous reports that Osama bin Laden and his many supporters are heavy users of the Internet for organizational and informational purposes.

From the floor of the U.S. Senate, Sen. Judd Gregg of New Hampshire called for "a global prohibition on encryption products without backdoors for government surveillance." In addition, many large Internet service providers, including America Online, EarthLink and @Home, have reported that the FBI approached them after the tragedy and served them with Federal Intelligence Surveillance Act (FISA) orders to search for communications that may have aided the attacks in New York and Washington.

Protection of freedom? This type of activity sends shivers down the spines of many pro-privacy technology activists. It should be noted, however, that these outspoken and knowledgeable people are not pro-terrorist. In fact, many are terribly disturbed by the terrorist action.

That said, they do not believe that you can protect freedom through the process of restricting or destroying it. As ammunition, they are quick to quote constitutional contributor Benjamin Franklin: "They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety."

Disregarding these strong-minded, civil liberties-based perspectives, a closer look at Internet surveillance uncovers many problems in both implementation and potential effectiveness.

For starters, there is a huge predicament with just how much of the genie is already out of the bottle. So-called "strong" encryption techniques (those that are nearly impossible to decipher) are broadly available on the Internet. Moreover, these "programs" are cataloged and archived in many forms: software executables, source-code listings, and simple algorithms that describe the general concepts. Also importantly, many of these algorithms have been developed outside the United States.

Another perhaps disturbing but real development is the increased use and availability of Steganography. Steganography is the act of embedding or hiding a message in another transport. Several programs on the Internet, many that are shareware and free to download, make it easy for you to embed one file in another. Typically the transport file (that which hides) is a large, dense file type such as a JPEG photo or an MP3 file. Interestingly, these encoding techniques are so slick that the resulting file is indistinguishable to the human eye (JPEG) or ear (MP3).

As a result of this "conversion," a covert communication may appear as innocent as two parties sharing a Britney Spears song over the Internet. USA Today has reported that Osama bin Laden and his followers are heavy users of Steganography.

As mentioned earlier, Sen. Gregg has suggested that we implement a "global prohibition on encryption products without backdoors for government surveillance." This type of proposition has many difficulties once you look under the covers:

• Whom do we trust? We can't get a majority of leading countries to join a coalition against terrorism, and we think we can line everyone up in an organized assault on encryption? Many countries have much stronger perspectives on personal privacy and are therefore unlikely to participate. Other less industrialized countries are going to have a hard time considering this a relevant priority. More importantly, how will we implement the dissemination of government keys? Do we trust all governments that join the effort? Who gets to see cross-border communications?

• Outlaw a T-shirt? Many in the scientific community have pointed out the silliness in outlawing an algorithm--basically a flow chart of how the code works. First, any good programmer can convert a detailed algorithm into software code, and as such, the algorithm, or formula, is the tersest representation of the offending material. Second, these algorithms are everywhere. They're on the Internet, they're on hard drives all over the world, they're in books, and they have even been printed on T-shirts to highlight the free-speech implications of such an attempted prohibition. There is absolutely no way to rein in all the copies of these ideas, or to restrict their trade among those determined to do so. It's like trying to outlaw the story of "The Three Bears"--too many people already know it at this point.

• A sauna in the desert. Once again, Sen. Gregg wants encryption software makers to implement government backdoors in their products. The only people I know who actually use encryption products are those who hate, loathe, or at the very least mistrust the government. Government-issued encryption programs will see about as much use as a sauna in the desert. They might as well put a sticker on the box that says "don't buy me." This would be a colossal waste of time.

• Not so intelligent. Many have suggested that the terrorists are "more intelligent than you think" due to their clever use of these technologies. Another Senator, Jon Kyl of Arizona, has commented frequently on the "sophistication" of the terrorists for this very reason. This presumed intelligence might be more a factor of their accusers' own ignorance rather than of their own aptitude. This stuff is ridiculously easy to obtain. Go to Google.com, type "Steganography program," and start downloading. You will be able to put an e-mail message into a family photograph within five minutes. You must know the magnitude of the problem you are trying to solve.

• "Your hands can't hit what your eyes can't see." Muhammad Ali used this quote to refer to his lightning-fast hands, but the same statement is true for messages embedded using Steganography. How will the government identify potentially hazardous communications if every photo, music and video file on the Internet is an unidentifiable transport? And even if you found the transport and decoded it, the message could still be encrypted using "strong encryption." Seems impossible. It probably is.

• One big haystack. There are an increasing number of ways to move files on the Internet. To name a few: e-mail, FTP, instant messaging, chat, file lockers, Napster and Gnutella. In the next few years, the number of e-mails and instant messages sent each year will be measured in the trillions (for each). Peer-to-peer file transfers will easily number in the billions. How do you monitor all of this? Where could you even store the log data? The pin is small, the haystack is large, and astute cryptographers can use Steganography to increase the size of the haystack.

The government should not give up on computer surveillance. In fact, as a tool that is used to track down a particular offender after isolation and identification, these technologies can be extremely effective. However, we should not be unrealistic about what type of "magical" spy technologies are at our disposal. We are only going to spend a lot of money, waste a lot of time, and create a false sense of security.

J. William Gurley 2001. All rights reserved. Above the Crowd is a monthly publication focusing on the evolution and economics of high-technology business and strategy. This column can also be found on CNET online and in Fortune magazine. The information contained herein has been obtained from sources believed to be reliable but is not necessarily complete, and its accuracy cannot be guaranteed. Any opinions expressed herein are subject to change without notice. The author is a general partner of Benchmark Capital, a venture capital firm in Menlo Park, Calif. Benchmark Capital and its affiliated companies and/or individuals may, from time to time, have positions in the securities discussed herein. ABOVE THE CROWD is a service mark of J. William Gurley.