Computers, Information Technology, the Internet, Ethics, Society and Human Values
Philip Pecorino, Ph.D.
Queensborough Community College, CUNY
Chapter 7 Secrecy and Security
How great a need is there for people to keep information and communications secret? Keep that secret from their government? Should government restrict encryption and other efforts to keep information in digital form secret?
Should employees have a legal right based on a moral right to keep secret from their employers what they do with their computer equipment and networks?
Should faculty have a legal right based on a moral right to keep secret from their college administrators what they do with their computer equipment and networks?
Should college staff have a legal right based on a moral right to keep secret from their college administrators what they do with their computer equipment and networks?
Should students have a legal right based on a moral right to keep secret from their college administrators what they do with their computer equipment and networks?
Should users of an ISP have a legal right based on a moral right to keep secret from their ISP network administrators what they do with their computer equipment and networks?
The following are remarks, reflections and responses to issues and questions related to this matters in this chapter. Each offering is proceeded by the authors name and institutional affiliation.
Chris Murphy, CUNY, SPS, 2007
Setting up the
problem as I see it:
Marie Lafferty, CUNY, SPS, 2007
Secrecy and Security
If privacy is outlawed, only outlaws will have privacy. Intelligence agencies have access to good cryptographic technology. So do the big arms and drug traffickers. So do defense contractors, oil companies, and other corporate giants. But ordinary people and grassroots political organizations mostly have not had access to affordable "military grade" public-key cryptographic technology. Until now. PGP empowers people to take their privacy into their own hands. There's a growing social need for it. That's why I wrote it.
Phil Zimmerman Why Do You Need PGP? at http://swissnet.ai.mit.edu/6805/articles/crypto/cypherpunks/zimmermann-why-pgp.html
Privacy has a high value. With privacy (and its attendant value, secrecy) we have personal freedom. Without it, we have little control over our self, except as permitted by the holder of our privacy. Privacy affords us other instrumental values: protection from individual harm, freedom of speech, freedom of assembly. Through those values comes the core value of security, and safety. In the smaller societies we are more accustomed to, we have been able to establish relationships, and community. In other words, we were able to see each other, make judgments (right or wrong) about whom to trust with our personal information, thoughts, and actions and thus to protect ourselves as needed. With increased access via the internet, we come into contact with many people we don’t know, some who have their own interest above ours, and some who are malicious in their effort to use us for their own purposes. We give away access to our privacy more frequently and to a greater extent online. Sometimes intentionally, sometimes not, this distribution of information is indiscriminate, going electronically to whoever wants to access it. Encryption technology, as Zimmerman argues in the quote above, is an electronic solution to an electronic medium. With encryption technology, we are assured that the secrecy we want—whether it is from corporations, the medical industry, or government. We must maintain privacy in order to keep our person safe and to maintain our sense of self. These have value to us precisely because acting in society hinges on them, without secrecy and security we have greater difficulty in even looking beyond ourselves to the greater good of society. Beyond the utilitarian considerations, as humans we have the ability to know the truth that such values are inherent in our nature, and, in fact, contribute to determining it.
If it were so simple we could probably all agree that individual privacy should be protected.
Ethically speaking, it seems that the greatest good for the greatest number of people is realized when the citizens of this nation can live secure in the knowledge that their government will be able to combat and punish any attempt to harm them. Moreover, people should always be treated as means and not ends, and when this doesn't happen there needs to be some body (i.e. the government) which has the power to step in and make things right.
Digital Privacy, at http://rescomp.stanford.edu/~pweston/privacy.html
Where privacy and secrecy come into conflict is in our determination of the ordering of whose privacy takes precedence, i.e., whose privacy has an inherently higher value. Utilitarians and others might argue that the ultimate value of privacy is instrumental, and that the core value is security -- the protection of all-- and that the greatest number of individuals should be protected, regardless of whether some might have to give up some privacy. Any theory which evaluates consequences might say the same. In that way, privacy becomes subservient to protection or security. The government would like us to believe that they have the greater right, since they protect all. In a representative democracy, should all be perfect, that would be exactly the case and the argument won simply. But we all know that isn’t the case. The government has been known to overstep its boundaries. As individuals, we have the right to monitor government action and we should do so. But we have also agreed, as a part of this American society, to invest the government with the power to protect us, and if encryption technology blocks their ability to do so, then there should be some process for accessing what is on the other side of the encryption wall.
Both the pro and con of encryption technology come with inherent rights, and along with those rights, inherent duties. We cannot sit back and hope that we remain secure or that another entity (or program) will secure our right to privacy. We likewise can not hope that the government and its members will not be corrupted or unknowledgeable. We are obligated (an obligation we take on as citizens) to be secure, and to ensure that the other members are also secure. We do that in government through participation, through monitoring our representatives in government and in making decisions for the body whole.
Richard Vida, CUNY, SPS, 2007
To encrypt or not to encrypt that is the question. To the cryptic creator or cyberpunk it is their categorical imperative to design and enforce the use of encryption software for the safeguarding of all people in preventing the creation of a surveillance state. Keep the government out of our cyberspace.
Of course the critics of this encryption technology continue to challenge the device as an expanding threat to our government and national security. I’m not convinced of this warmongering American fear based presumption that this technology will fall into criminal hands being the reason to disallow encryption. History is overflowing with inventions developed for the common good of man that were utilized negatively for the benefit of the evil. Yet, we have consistently proceeded in generating safeguards, laws and deterrents to ward off and rectify these dark activities sometimes after-the-fact. Yet, I imagine a means of security will continue as we find our way through cyberspace.
Encryption has without a doubt been useful to our credit and financial institutions, especially in gaining our trust. However, the most ethically sound and rewarding achievement for our cryptic gurus is how encryption has brought justice and an equal playing field to individuals who through fear of retaliation and even death were not able to communicate in the past but now through an encrypted cyberspace they can. Ariana Eunjung Cha wrote in her article TO ATTACKS’ TOLL ADD A PROGRAMMER’S GRIEF defending Zimmerman’s development of PGP by saying:
“People warned Zimmermann back then that he could be putting powerful technology into the wrong hands. He knew that was theoretically possible, but he also knew that the program could do good: His work created a way for people in oppressed countries to communicate without fear of retribution.” (Washington Post, September 2002)
Zimmerman in his essay on why he wrote PGP elaborates on the idea of safeguarding our citizens from the eyes of a nosy government by explaining:
“Advances in technology will not permit the maintenance of the status quo, as far as privacy is concerned. The status quo is unstable. If we do nothing, new technologies will give the government new automatic surveillance capabilities that Stalin could never have dreamed of. The only way to hold the line on privacy in the information age is strong cryptography.” (http://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html)
Whether we believe that the status quo changes as dramatically as he believes I feel the mere threat our government experiences by these so-called cyber-anarchists is beneficial to all of us in cyberspace. In making it more difficult to watch our every communication it keeps our government on the up and up. The communicating continues. But lest we forget American’s don’t’ seem to distrust this government or challenge it as often as in past decades, encryption is not there only to prevent our governing bodies from knowing all, but as Zimmerman continues:
“You don't have to distrust the government to want to use cryptography. Your business can be wiretapped by business rivals, organized crime, or foreign governments. Several foreign governments, for example, admit to using their signals intelligence against companies from other countries to give their own corporations a competitive edge. Ironically, the United States government's restrictions on cryptography in the 1990's have weakened U.S. corporate defenses against foreign intelligence and organized crime.” (http://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html)
For all the good encryption and the crypto-anarchists may be in aiding our critical thinking of our new cyber frontier, one must also contemplate the dark side as there is potential to create a lawless cyberspace. This would not benefit society or the world.
The most alarming and negative realization is presented in Wikipedia.org’s definition of cyber-anarchism:
“Cryptographic software being used to evade prosecution and harassment while sending and receiving information in computer networks. Using such software, the connection between the identity of a certain user or organization and the pseudonym they use is almost entirely unprovable unless the user reveals the connection.” (Wikipedia.org)
When communicating cryptically and illegal activity is determined and we cannot identify the person or the country from which the illegality occurred, how would we be able to prosecute? Which or whose laws would apply? This would take away justice from being served to the victim and morally challenging our Bill of Rights. It would be a free-for-all. Everyone would lose. As in the Wild West we protected ourselves, depending on which side one was on by either guns or arrows. How would we defend ourselves from the untraceable cyber-entity causing us harm? The receiver will never know who the sender is. It reminds me of that scene in the movie where the babysitter is being threatened on the phone and receives word that the call is coming from inside the house. As chilling as it sounds, she can run away, imagine in a cyber encrypted world, we would never know where the threat is coming from so there would be no place to run.
Joseph Snellenberg, CUNY, SPS, 2007
Support for the Individual Use of Maximum Encryption
“Data transmitted by satellite can be ‘seen’ by anyone with a satellite dish. E-mail that goes through several computers on its way to its destination may be read on any of those intermediate systems. Messages and data in transit can be read by wiretaps. Information sent to and from Web sites can be intercepted. Industrial espionage has a whole bag of new techniques. The Internet and e-commerce have enormously increased the need for security and secrecy of communications. Encryption is one of the main tools for providing them.”
(Baase, Sara. A Gift of Fire: Social, legal and ethical issues for computers and the Internet. Pearson Education, Inc. Upper Saddle River, New Jersey 2003 Pg. 111)
This quote shows how much technology has grown in such a short amount of time, as well as one of the negative impacts of that growth. Half a century ago, only a few of the communication methods listed above could be intercepted and read by other people; today, it is a completely different situation. Information and data can be accessed so easily today thanks to computers and the Internet. This data is often stored and/or processed with very limited amounts of protection or no protection at all. Thus, it can be viewed by almost anyone you can think is able to view the data, ranging from neighbors to co-workers to scam artists. As computing and Internet technology continues to grow, the need for improved security and protection of data will grow at least the same amount as the technology, if not at a greater rate.
Data encryption is one such form of the kind of digital security that is demanded by the public. By encrypting personal data and information, you prevent strangers and hackers from stealing the data and either reading it or using to their own personal profit. What exactly is encryption? It is a code (or a group of several different codes) specifically generated to represent and protect individual data from being accessed illegally or without permission. The code is unique to that set of data and makes the data viewable only to a select group of people beyond the actual individual encrypting his or her personal information. This select group usually includes those who have gained the highest amount of that individual’s trust or who directly handle portions of that individual’s personal information (e.g., doctors, lawyers, accountants, etc.). If a hacker was to get his or her hands on someone’s encrypted personal data, they would then have to work even further to actually access the information and maliciously profit from the information. By that time, the authorities would most likely have been notified and that hacker arrested.
What this quote also brings up is how much communications technology has become reliant on computing technology. Cellphones, for example, are dependent on advances in computing technology to help improve a consumer’s ability to communicate with friends and family. The postal service relies on computers to catalog and keep track of letters and packages so that they don’t get lost or sent to the wrong individual. With the increase in reliance on computers and the growth of computing abilities, more and more people are demanding that communications outlets (like phone companies and ISP providers) as well as other areas where personal information is either transferred or stored (like banks and hospitals) protect their clients’ personal data from not just hackers, but also from government officials. The Fourth Amendment grants the government the right to seize documents and related material on a person, granted there is probable cause for the seizure. This material can include personal information and sometimes, the government does not always seize the right documents or the correct person. In those cases, people have their personal information made public for the government and the media to sift through and often make incorrect assumptions about a person. Data encryption prevents this from happening by forcing the government to not only spend time decoding the encryption, but help prove a person’s innocence.
In the end, the growth of personal communication technology has changed the world in both positive and negative ways. On one hand, people can be connected with each other, communicate and share information digitally and at very fast speeds. On the other hand, the information shared is more vulnerable and exploitable because of the new technology. The increased need for personal security over the Internet is not just a result of scam artists and hackers illegally obtaining personal information, but from federal agencies who also illegally obtain personal information because they think they are pursuing criminals or terrorists. With systems like data encryption, people can rest easier and know that their personal information is protected and kept private. Data encryption is just one of the many forms of security that ensure person information is kept secret and not left out in the open to be used improperly by both criminals and the very people who swear to protect people from malicious acts: the federal government.
Support for Government/Federal Limits on Encryption
“Supporters of Carnivore argue that the system is necessary because of differences in the technology of old-time analog telephones and modern e-mail. It was easy to tap a specific telephone line and, thus, intercept only the calls to or from the target of the court order. All e-mail from subscribers of an ISP go through the ISP’s lines; there is no way to tap one person’s e-mail stream alone. Thus intercepting e-mail is more difficult than tapping telephones was.”
(Baase, Sara. A Gift of Fire: Social, legal and ethical issues for computers and the Internet. Pearson Education, Inc. Upper Saddle River, New Jersey 2003 Pg. 104)
This quote from Sara Baase’s book brings to light an issue that many people who are against government eavesdropping programs tend to forget: the growth of communications technology over time. Back in the 1930s and 40s, when the FBI was first created, communications technology was at a level where it was both commonplace in society and relatively easy to eavesdrop on—provided the FBI or similar government institution had a court order and probable cause to do so. At the same time, the country only had two major forms of mass communication in the 30s and 40s: the mail and telephone lines. Thus, to observe or listen in on a form of mass communication was simple and more focused on keeping the target(s) unaware that the government was keeping an eye on their activities. As time went on, computers slowly began to grow in both use and capabilities; and with that growth came a new form of communication: e-mail. E-mail allowed people to communicate with each other almost instantaneously and digitally. Not everything associated with that new technology was beneficial or simple for people, though.
With the complexity of e-mail, surveillance by federal agencies of “persons of interest” became more difficult because they simply did not have the technology and/or capability to keep up with e-mail communications. Thus, effort was spent on creating such systems or programs to help federal agencies stay on top of e-mail. One such method proposed by the FBI was a system code-named “Carnivore”, known today as DCS1000 (Baase, 104). This would allow the FBI—under court order—to view the e-mail of a “person of interest” by installing the Carnivore system at the target’s ISP provider, then the system would review any e-mail sent to and from the target as well as any downloads or chat room conversations for anything suspicious. Thus, the FBI and other government agencies can monitor people who are suspected of committing a crime, people who have been associated with terrorism, etc.—all without having to be physically watching or listening to the individual. With the Carnivore system added to their complement of tools, federal agencies now have the capability to monitor all forms of communication—whether it is telephone records, letters in the mail, or e-mail messages—and help keep the country safe and secure.
With the rise of data encryption, these systems are faced with yet another obstacle in the digital age. Data encryption prevents the application or limits the effectiveness of systems like Carnivore by attaching a code that only certain approved machines or programs can read and fully access the encrypted data. Even with the latest technology for identifying and filtering suspicious e-mail, if the e-mail is encrypted and the information is protected, then Carnivore and similar programs are rendered useless because these systems are unable to read the e-mail messages and truly determine if a “person of interest” is really a threat to society or someone with a poor sense of humor. Also, encryption forces federal institutions to divert funds and manpower that would normally go to analyzing suspicious e-mail messages over to decoding the encrypted messages one by one. In a sense, encryption can be harmful because tax dollars that could be used to advance and improve technology is forced to remain on reading and decoding current technology and then play catch-up to advances in technology.
Overall, the growth and evolution of communications technology at the end of the 20th century and into the 21st century have revolutionized the way we communicate with each other. At the same time, it has also helped to increase the methods of secret communications to the point where it can be nearly impossible to detect someone with anti-government and/or terrorist feelings. Thanks to systems like the FBI’s Carnivore, those people can no longer fully rely on the anonymity of the Internet to conceal themselves. Also, those who rely on encryption to aid in concealing themselves on the Internet fail to realize the impact of their actions on the growth of technology. Sure, it may keep their personal information safe, but at the same time, their tax dollars are used to help confirm whether or not these people are terrorists instead being used for other federal programs. In the end, as much as people complain that systems like Carnivore are direct violations of their privacy, they do not see that their defenses against those programs hurt the government as much as it hurts scam artists.
Personal Feelings on Encryption
My feelings on the use of encryption to protect information are in support of its use. I actually do not use encryption, mainly because I do not have much in terms of personal information that warrants the need for encryption software or systems. Despite this, I do feel it is an important tool for people who want more personal security in their lives. Communication technology has grown to levels that both amaze people and make them more aware of how their personal information is handled and shared over communication systems like e-mail and the Internet. There are so many scams and fake offers online that one’s personal information needs to be protected in some form or another.
On top of scammers and hackers, our current presidential administration has decided to put money and effort behind a federal wiretapping plan that would allow the administration to listen in on telephone conversations. To me, this is another step that our government has taken to presenting itself as a form of “Big Brother”. I should not have to make a phone call and limit what I say simply because I might be labeled anti-patriotic or a “person of interest” for whatever words I may use. Personally, I am disappointed with our president on the subject of personal security because he really does not understand what he is attempting with this measure. He says it is to prevent terrorist attacks from catching America off-guard again; however, his plan is an outright violation of the First Amendment of the Constitution and is a blatant display of his abuse of presidential power. Also, since the Bush administration has no qualms about lying to the public’s face on matters of national security, what is to stop them from lying about not invading someone’s personal security?
One such example of the possible violations of personal security that the federal government could commit is the Carnivore system I described earlier. It created some controversy when it was made public in 2000. One of the criticisms about Carnivore is what it looks at specifically: the subject line or headers of an e-mail. If it contains a word that seems suspicious, it will filter a copy of the e-mail out of general traffic and isolate the e-mail. This would lead to an archive of “suspicious e-mail” seized by a federal institution without permission from senders. While I used it for my example for why the government should have some form of control over encryption, I do not fully support or approve of Carnivore. On one hand, I feel that it is a good system for something like the FBI to have. However, I feel it needs to be revised and changed based on how the system actually works. Instead of simply isolating suspicious e-mail based on the subject line, the system should view and isolate suspicious e-mail based on what is in the body text of an e-mail. For example, if I sent an e-mail to a friend with the subject line: “This game is the bomb!”, my e-mail would be isolated by the current Carnivore system because I included the word “bomb” in the subject line; if the system looked at what I wrote in the body text of the e-mail, it would see that I was talking about how great a video game was and not about me talking about explosives and/or bomb-making. In all honesty, I support the concept of Carnivore, not its current design and implementation.
In the end, I feel that unauthorized intrusion from the federal government should not be something people worry about constantly. I understand that the government has a right and duty to protect the citizens; however, I do not think that the government needs to go the extreme to protect the public. Violating personal security in order to ensure national security is protected should never be used by the federal government to justify illegal intrusions into people’s lives. By breaking that level of trust, I feel that the federal government would do more internal harm to itself than any external threat could do to it. Limits on the use of encryption should not be implemented by the government simply because they are trying to protect the public as well. I can only see it as a recipe for disaster and further problems for the federal government.
Web Surfer's Caveat: These are class notes, intended to comment on readings and amplify class discussion. They should be read as such. They are not intended for publication or general distribution. email@example.com @copyright 2006 Philip A. Pecorino
Last updated 8-2006 Return to Table of Contents