Cybercrime, Encryption, and Government Surveillance

The crime sounded alarming: an audacious theft of 1 million credit card numbers from numerous e-commerce sites stretched across twenty states. This disturbing incident, announced by law-enforcement authorities in March 2001, was described by the FBI as the largest organized criminal attack on the Internet to date. The FBI devoted considerable resources to this case, but so far its quarry proved to be too erratic. At first, some thought this had to be the work of ingenious hackers, but as the FBI untangled the details of this crime it discovered that these hackers were not so ingenious after all. They merely exploited security flaws, unpatched vulnerabilities in the Windows NT operating system. Microsoft had provided patches (or fixes) for these problems in 1998, but the victims carelessly failed to install them. Had these e-businesses been more assiduous about security it is quite likely that this costly theft could have been prevented (Levitt 2001).

High-profile cybercrimes that underscore the Net's vulnerability are frequently the subject of headlines in major publications. The Wall Street Journal proclaimed the Internet "Under Siege" (Hamilton and Cloud 2000) as it described how cyberterrorists had temporarily paralyzed some of the country's biggest Web sites through a denial-of-service attack. The technique is relatively simple, but the results can be catastrophic. Denial of service now joins a long list of other weapons that "black hat" hackers or crackers use to disrupt Web sites. These include packet sniffers, trojan horses, and malicious applets. Many companies fall prey to these damaging technologies despite their renewed vigilance and their heavy investment in security systems.

Privacy and intellectual property rights will be meaningless unless we can adequately secure the Net and thwart the efforts of those who engage in criminal activity. Also, as observed in Chapter 4, Internet commerce is unlikely to flourish in an environment rife with crime and theft. There must be a level of trust, but how can we achieve this trust with the opaqueness of so many Internet relationships and transactions?

In this final chapter we will cover some of the legal and technical background central to developing a lucid analysis of security and related policy issues. After a cursory overview of the Net's vulnerabilities and cybercrime, we turn to the new frontiers for law enforcement in cyberspace. Special focus will be on the encryption controversy in the United States, the uneasy issues raised by government surveillance, and the use of technologies such as the FBI's Carnivore. These issues have obviously assumed greater import thanks to the events of September 11. The problem is that some of the architectures used to secure the Net and protect privacy give succor to criminals and terrorists. Society must make difficult trade-offs between privacy and anonymity and the need for an Internet infrastructure that permits electronic surveillance by law-enforcement authorities. We will carefully look at how these tradeoffs have been managed so far and how the balance between security and liberty may need to be recalibrated to help in the struggle against terrorism.

We then shift focus to the topic of digital identity as a way to promote trust and security. Mandating digital identity as a means of assuring authentication appears to have the force of inevitability, but is it a sound and responsible idea? We will argue that code has a role to play in resolving this problem, since there are architectures that can authenticate without creating a privacy hazard. Finally, we conclude with a laconic discussion on whether security achieved through architectures is the best path to a more trustworthy Internet.

Cybercrime, Encryption, and Government Surveillance