Cybercrime Dilemma: Is it Possible to Guarantee Both Security and Privacy?

Internet regulation—from taxation to censorship—has been a legislative nonstarter in Washington. Yet change the name from regulation to cyber security and one finds an array of legislation that could affect web users in fundamental ways.

Internet security is of much greater concern to the government than to most Americans. Take Internet sabotage. What for many public officials—and some computer security experts as well—is a potentially ominous threat is, for many desk-bound office workers, merely a day’s minor excitement. With the advent of each new e-mail-borne virus, firms shut down links to the outside world and wait. Within a few hours everyone is back on line, an anti-virus is in place, and a new cyber war story makes the rounds. Indeed, this pattern of spontaneous disruption has become so commonplace in today’s computer-driven businesses that for many of us, it seems an acceptable cost of operating in the digital age.

Yet more than simple complacency is at work here. Popular resistance to greater government involvement in cyber security reflects the same tension that exists in the physical world. Americans certainly could minimize the likelihood of being victimized by robbers if they allowed the local sheriff to camp out in the living room, but for most of us, the resulting loss of privacy wouldn’t be worth the marginal increase in security. The same holds true on the Internet. Along with its efficiency, Internet users clearly cherish the anonymity and privacy the new technology affords them. Many users fear that their privacy rights will be diminished if the FBI is out hunting for cyber crooks.

Protecting Critical Infrastructure

Critical infrastructure protection, as posited by the Clinton administration, involves enlisting the private companies that run the nation’s energy, transportation, communication, water, and emergency services to help improve the security of the computer systems on which all rely. These services are critical, the theory goes, because they are essential not only to our economy but also to national defense. They can therefore be targeted and, by virtue of their interconnectedness and low security, shut down—by spies, terrorists, hackers, criminals, or even disgruntled employees. Yet this hydra-headed threat hasn’t materialized in such a spectacular way as to raise great public alarm and vindicate the government’s warnings.

Attacks last February that shut down Yahoo, eBay, and other popular e-commerce sites demonstrated that our computers remain vulnerable and that the possibility of serious economic, if not security, harm does exist. But the only arrest to date suggests that a familiar kind of villain, a teenage computer phenom in his basement, may have been responsible for taking down at least one of the sites. So the threat that government officials worry about, the disabling or destruction of a major service infrastructure, still appears remote. The lack of any enduring damage appears once again to have calmed public fears.

New Technology, Familiar Challenges

The February attacks did get Congress’s attention, eliciting several bills in both the House and the Senate to augment law enforcement capabilities to investigate and prosecute computer crime. At the heart of the legislation, and of the administration’s plan for infrastructure assurance, is the proposition that the advance of digital communications and information networks has complicated the job of law enforcement—and by corollary that of intelligence agencies as well. But even if that proposition is accepted, privacy concerns will remain, if not grow.

The problem that best makes this case is encryption. No longer the sole province of governments and spies, effective, easy-to-use encryption allows any computer user to communicate and exchange information in a highly secure manner. In an age when vast amounts of personal data are stored in networks—and not at home or in bank vaults—encryption offers privacy protection that is increasingly important to many Americans. Yet their increased personal security may come at a price in apprehending criminals. Criminals and terrorists are now encoding communications and records using the same ubiquitous commercial encryption products. The FBI, the Drug Enforcement Administration, and other law enforcement agencies are hard pressed to break increasingly sophisticated codes used by wrongdoers.

The idea that technological innovations make it harder to catch crooks or spies is not new. The advent of the telephone also forced law enforcement to reexamine its investigative tools. Calls today for expanded cyber crime-fighting authority reveal a great deal about how the government views the challenges to law enforcement in the Digital Age. Sophisticated terrorists might take down the nation’s electrical grid, so new security standards are necessary. The nation’s telephone system is going digital, so major adjustments must be made to ensure law enforcement’s continued ability to wiretap criminals and spies. Denial-of-service attacks against Internet businesses must be prevented, so the scope of existing computer crimes must be expanded to cover damages caused by loss of business.

All these changes can be useful additions to the electronic protections both industry and law enforcement need today. Yet the basis for their justification is also important, because of what it accepts as reasonable and what it will justify in the future. So is it true that technology has increased threats to the American way of life that must be countered by new government surveillance authority? And must government needs and personal privacy expectations be rebalanced?

These questions are hard to answer. Technology is advancing so swiftly that often we cannot perceive how it will affect our lives. In such a climate, it takes genuine prescience or unshakable convictions to know what a proper balance should be. Take, for example, a key weapon in the government’s arsenal against computer crime, the Electronic Communications Privacy Act. Enacted in 1986, it governs the protection of, as well as government access to, electronic communications such as e-mail. But in 1986, very few Americans understood the potential of either e-mail or the Internet. The idea that e-mail would greatly displace written and telephone communications between businesses, or even within a business, was entirely foreign. Perhaps as a result, despite the undeniably growing reliance of both businesses and individuals on e-mail, the legal protections afforded e-mail do not match those that apply to either paper records or telephone conversations.

Another government tool whose application to the Digital Age has raised concerns is the pen register, a device used to record the numbers dialed to begin a telephone conversation. Intercepting the actual conversation requires a warrant based on a high evidentiary showing. Obtaining the number dialed requires only the government’s certification that the number is relevant to an ongoing criminal investigation. Amendments made in 1986 to the pen register law have been interpreted by the government to extend pen register orders to e-mail messages. Because there is no well-defined parallel between a telephone number and an e-mail address, applying pen register orders to e-mail has raised concerns about the ever-widening scope of government intrusion into Internet communications.

The debate about how to balance government and law enforcement needs with privacy expectations was given a high-voltage jump start in June when it was revealed that the government is using a new Internet sniffing device to monitor web traffic. Called “Carnivore,” the device is essentially a stand-alone computer installed at a key node in the system of an Internet service provider. It monitors all traffic carried over the system at that point and selects and stores communications the government is authorized to intercept—sometimes the full text, sometimes only the Internet address. The trouble is that Carnivore is a black box controlled by the government, its programming and selection criteria known only to those who operate it.

Carnivore gives government much more control than Ma Bell ever did. In the predigital age, the government presented its warrant or court order to the telephone company, which in turn routed the specified information to the government listening post. The FBI didn’t attach the tap itself, and the common carrier was responsible to the court to ensure that the government got only what the court authorized. Carnivore changes that relationship and with it several independent checks on government action.

The government argues that these shifts in privacy protection are not intentional. It points out that Carnivore is used only by court order and only when an Internet service provider lacks diagnostic and monitoring capabilities to perform the surveillance ordered. Yet in partial recognition of the privacy issues raised by Carnivore, the attorney general recently ordered an independent review by a major university. In the same vein, the Clinton administration has suggested both a “clarification” of the pen register statute’s application to the Internet and a requirement that a federal judge weigh the factual basis for a pen register’s relevance to a criminal investigation.

The Debate in Congress

These steps are welcome news to personal privacy advocates, but the seriousness of cyber crime and critical infrastructure protection suggests that this debate is just beginning. The Clinton administration and Congress put forth a dizzying range of proposals, including new Internet surveillance provisions, Freedom of Information Act exemptions, regulation of commercial use of consumer information and, inevitably, the creation of a commission to study all the above. Though the 106th Congress did not enact comprehensive legislation affecting Internet privacy, cyber crime, and critical infrastructure protection, the new Congress will address these issues quickly.

What that Congress will take up seems clear enough. Yet unless it is guided by several basic principles, Congress risks addressing them inadequately and without balance.

The first category of issues to be addressed, law enforcement, encompasses two related goals. One reflects a bipartisan consensus to spend money on the problems du jour. In other words, expect Congress to allocate ever more resources for law enforcement to investigate and prosecute hackers and other cyber criminals. The other law enforcement effort likely will strengthen penalties for various computer crimes and expand government authority to police them.

The second category concerns continuing government efforts to get its own house in order. Specifically, look for Congress to fund efforts by federal agencies to better protect their information systems. Most urgent is the shortage of highly trained information technology specialists within the government to protect critical networks, a need just now beginning to be addressed.

Third, Congress undoubtedly will move to protect individuals’ privacy rights in the cyber world. In some cases, this step might involve simply applying the same standards from the physical world; in others, it might mean expanding protections to account for the public’s growing reliance on electronic communication and record keeping.

Finally, expect Congress to try to create a better climate for information sharing between the government and the private sector, especially concerning threats and attacks on the nation’s critical information infrastructure. Bills to accomplish this goal won widespread support in Congress and in industry this year, but fell victim to time.

Principles for Drafting New Laws

How Congress will resolve these matters is critical. Many factors will come into play, ranging from new technological developments to the political makeup of the next Congress and administration. Here are some suggestions as to how Congress, the executive, and the public should think about and work through these important and complex issues.

What is first required is a recognition that technology has changed the nature of individual privacy in fundamental ways. What the founding fathers sought to protect from unreasonable intrusion by the government—the privacy of a citizen’s home and personal papers—is no longer found in the home or even on paper. Nowadays, our private information is as likely to be stored on computers, often computers that are part of a network, in electronic files, and often with third parties that many Americans either cannot identify or of whom they are unaware. Communications course through a much more diverse electronic medium than did telephone calls just a dozen years ago. This kind of change is likely to continue—and in ways not easily foreseeable to most of us.

Second, the law, especially federal laws with national scope and application to the government itself, must adjust not only to changes in technology, but to the effect those changes clearly have had on the protection of individual privacy. This task will require dogged perseverance on the part of lawmakers. The law enforcement community will not easily cede surveillance capacity now or in the future. Its battle cry will be preservation, even improvement, of current capability in the face of ever more sophisticated cyber-criminal enterprise. After Congress passed the 1995 Communications Assistance to Law Enforcement Act to require common carriers to modify their equipment to permit government wiretapping of new digital telephone equipment, the industry spent years developing the necessary technical standards, only to have the Justice Department reject them on the grounds that more capabilities could be, and therefore should be, included. When the Federal Communications Commission then largely approved the broad new requirements the Justice Department demanded, a federal appeals court had to point out that the balance between what was technically possible and the protections against unreasonable intrusion had not been struck. Congress had required just such a balancing test in the law, but had not reckoned with the tenacity shown by law enforcement in protecting and expanding its powers.

Third, there will be a great deal to get right the first time among all the issues that are likely to be addressed. For instance, “clarifying” how the pen register law applies to e-mail should make clear whether the subject line is more akin to a telephone number or to message content and to what extent an individual’s Internet browsing must be disclosed. A Freedom of Information Act exemption for sharing cyber security information with the government should encourage information sharing not just with law enforcement agencies but between other parts of the government and among private-sector entities. And making computer crime laws tougher should not discourage prosecution, as current juvenile sentencing guidelines do. In the area of commercial privacy protection, a host of issues must be addressed, fleshing out just what notice, disclosure, and consent mean.

Fourth, there is much that neither Congress nor a new administration should try to do. In the area of critical infrastructure protection, cyber security should be improved through voluntary, private-sector-organized mechanisms. This will frustrate some in government, particularly at those times when fresh cyber attacks appear to threaten our use of Internet services. Yet the networks at risk, and the essential service industries they support, are largely designed, built, operated, and maintained by the businesses that own them. To be effective, critical infrastructure protection policy cannot be dictated by government, especially given the government’s admitted failure thus far to improve security within its own ranks. Private-sector solutions, not public regulations, are most likely to work best for industry and, ultimately, consumers.

Finally, to return to the point on which I began, the national debate on new cyber law must avoid the dangers of label oversimplification. All the issues discussed above can be grouped together under the rubric of privacy protection. Yet, in the case of cyber crime initiatives, real care will have to be taken to achieve even modest gains in privacy protection. And ensuring effective personal privacy in commercial use of the Internet may well hinge more on better uses of the same software technologies that created the threat in the first place than on new federal laws. Thus, calling what we are doing by its real name—Internet surveillance or increased wiretapping powers in the case of some cyber crime provisions—may be the best way to deal both with the advance of technology and with protecting what remains of our electronic privacy.