Possible terrorist use of Internet encryption debated

Some want government to have 'keys'; others say that's unnecessary

10/12/2001

By DOUG BEDELL / The Dallas Morning News

The Sept. 11 attacks have put an emotional edge on the struggle between law enforcement and civil liberties groups over an obscure method of concealing coded messages inside e-mail, music, and photo files on the Internet.

Some experts raise a provocative scenario: Could terrorists be communicating with each other worldwide by means of the encryption?

Some in Congress say it's time for encryption companies to supply a "master key" allowing authorities to unscramble any online codes in the event of a national disaster.

Civil libertarians counter that wartime passions and knee-jerk solutions are being used in an unnecessary effort to restrict Internet privacy.

Part of the debate centers on an encryption process called steganography – Greek for "covered writing," and a method of hiding communications that goes back 2,500 years.

Getting the keys

Two days after the Sept. 11 attacks, Sen. Judd Gregg, R-N.H., declared that encryption companies have "an obligation to allow us to have our people have the technical capability to get the keys to the basic encryption activity."

The senator said he is developing legislation to create a "quasi-judicial entity" appointed by the Supreme Court to control access to his proposed national encryption key repository.

Independent experts say that encryption is essential for all sorts of commerce, and outright bans are doomed to failure. Beyond that, steganography and encryption do not necessarily prevent detection of terrorist activity on the Internet, they say.

"People are willing to give up liberties for vague promises of security because they think they have no choice," said Bruce Schneier, nationally recognized cryptography program author and founder of Counterpane Internet Security (www.counterpane.com).

"What they're not being told is that they can have both."

Terrorist use of the Internet and encryption has been the subject of debate for years.

Throughout the 1990s, computer scientists and academics sparred with the authorities over proposed requirements that any software using encryption should also use "escrow" – a database holding decryption keys. Exporting cryptographic tools from the United States was restricted. Some programs were even classified as munitions.

But the government had to retreat from some of its stands, in part because of international commercial pressure.

Today, more than 50 "stego" programs are publicly available for download from a variety of worldwide sources (www.cotse.com/tools/stega.htm). They can hide data inside larger files available on the Internet.

Message-bearing files can include images, such as JPEG or GIF formats. Music and other sound files can also be loaded with messages and made available on Internet newsgroups, Web sites, chat rooms and peer-to-peer file-exchange networks like Napster.

To everyone else, such files appear to be normal pictures, text or music downloads. Intended recipients, however, can move those files to their hard drives and open them using steganographic programs and a designated password to reveal hidden instructions.

Ancient steganography

That's a far cry from steganography's beginnings: In 474 B.C., Greek historian Herodotus detailed how countrymen exchanged what appeared to be blank wax tablets. Underneath the wax, wood bases were scratched with secret messages.

In espionage terms, Internet steganography is the equivalent of a "dead drop." The correspondents never meet, they don't have to coordinate a rendezvous, and they don't have to know each other's identities.

Although federal agencies have refused to detail evidence of active steganography use by Osama bin Laden, security experts believe it is logical to assume such use.

"It doesn't surprise me that terrorists are using this trick," said Mr. Schneier. "The very aspects of steganography that make it unsuitable for normal corporate use make it ideally suited for terrorist use."

FBI was concerned

In September 1998, FBI Director Louis Freeh told the Senate Judiciary Committee that his agency was troubled by unspecified evidence that terrorists had adopted encryption for communications.

"We are very concerned, as this committee is, about the encryption situation, particularly as it relates to fighting crime and fighting terrorism," Mr. Freeh said. "Not just bin Laden, but many other people who work against us in the area of terrorism, are becoming sophisticated enough to equip themselves with encryption devices."

In February, USA Today quoted unnamed officials claiming "extremists hide maps and photographs of terrorist targets – and post instructions for terrorist activities – on sports chat rooms, pornographic bulletin boards and other popular websites."

Although some digital "fingerprints" are left by steganographic alterations, the question remaining for intelligence agencies is the same as it was in the time of Herodotus: Where do you look?

A University of Michigan research effort this year couldn't settle the question.

A team of researchers studied 2 million images from the eBay auction site for evidence of the digital fingerprints left by the three most popular steganography programs.

They didn't find any. But neither was their work exhaustive, they caution. The Web contains an estimated 28 billion images.

"I've seen a lot of newspaper articles that are trying to make it look like we are saying Osama bin Laden does not use steganography," said Peter Honeyman, the lead researcher.

"If someone were able to say to me, 'We've got a little bit more precise information. Look there and look for this kind of steganography,' then we might be able to help," said Dr. Honeyman.

Tug of war continues

Meanwhile, the tug of war continues in Washington.

Mr. Gregg wants "the manufacturing community and the inventive community of the Western world" to help in combating Internet-enabled communication by terrorists.

Mr. Schneier, the security expert, agrees on the need for more Internet security, but says it needs to be thoughtfully done.

Banning cryptography won't work, he says, because it is, at its elemental level, just mathematics. The government, he says, should focus instead on better detection tools and ways to monitor Internet traffic patterns.

"As more and more of our nation's critical infrastructure goes digital," he said, "we need to recognize cryptography as part of the solution and not as part of the problem."