Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison, R-19.62)
T Bruce Tober
octobersdad at reporters.net
Fri, 3 Apr 1998 12:25:53 +0100
FYI
------- Forwarded message follows -------
The statement made by Carl Ellison <cme@cybercash.com>, 06 Mar 1998
(RISKS-19.62), "How come Dorothy Denning didn't find any significant use of
crypto by criminals in her survey of law enforcement officers?", is
inaccurate. The Denning-Baugh report, referenced below, did find
significant use of encryption by criminals, 500 current cases worldwide,
over 20 cases were presented in detail, and they estimate that the number is
growing at an annual rate of 50-100% (some cases from the report are listed
below). In more than one of the cases, the encrypted information could not
be deciphered by law enforcement.
The report does make clear that encryption could pose problems for law
enforcement in the future. "Our findings suggest that the total number of
criminal cases involving encryption worldwide is at least 500, with an
annual growth rate of 50 to 100 percent." And "Quite a few people are
technically sophisticated."
Instead, the study's main conclusion was that it was unable to find any
current incident where the use of cryptography significantly hindered an
investigation or prosecution. "Most of the investigators we talked to did
not find that encryption was obstructing a large number of investigations.
When encryption has been encountered, investigators have usually been able
to get the keys from the subject, crack the codes, or use other evidence,"
states the report.
The statements that criminals have not used Crypto AG or CyLink encrypting
telephones are also incorrect. The Denning-Baugh report did not even
address this topic. But, evidence was presented in the late 1980's that
possible foreign Terrorist organizations and Drug Cartels were using Crypto
AG Voice Ciphering products. According to an ex-employee's legal filings,
and "tell-all" book, Crypto AG was requested to insert flaws and weaknesses
into their equipment that could be falling into criminal hands.
An interesting observation about the report is that when encryption is
encountered by law enforcement, they are unprepared to deal with it and
forced to use in-house computer forensic specialists (with little training
in cryptography), consultants, academics, and/or private companies to attack
the problem. While the U.S. Government spends at least $7 to $10 billion
per year on "code breaking" at Military-Defense and Intelligence
organizations, under current law ("posse comitatus" on up) it is illegal for
these resources to be used for domestic law enforcement. We could change
these laws, and increase funding to these agencies to handle their new
mission? We could create similar agencies inside domestic law enforcement at
equivalent cost? Therefore, the requests by law enforcement, to promote and
have access to corporate and local Key Recovery systems, can be seen as a
low-cost solution to the problem and an effort to save money for the
U.S. taxpayer.
The cases examined include:
* "The Japanese death cult, Aum Shinrikyo, which used encryption to store
records on its computers. Authorities were able to decrypt the files in 1995
after finding the decryption key on a floppy disk. And found evidence of
plans to launch attacks in the U.S. and Japan."
* The New York subway bomber, Edward Leary, who had created his own
encryption system to scramble files on his computer. According to the
report, after Manhattan police "failed to break the encryption, the files
were sent to outside encryption experts. These experts also failed.
Eventually, the encryption was broken by a federal agency. The files
contained child pornography and personal information which was not
particularly useful to the case."
* "A police department in Maryland encountered an encrypted file in a drug
case. Allegations were raised that the subject had been involved in
document counterfeiting, and file names were consistent with formal
documents. Efforts to decrypt the files failed, however, so the conviction
was on the drug charges only."
* "The head of a California gambling ring kept his records in a commercial
accounting program encrypted with a code word. The maker of the program
refused to help law enforcement break the code, but access to the files was
gained by exploiting a weakness in the computer system. This yielded four
years of bookmaking records which resulted in a guilty plea on criminal
charges and payment of back taxes."
* The espionage case against former CIA employee Aldrich Ames, who was
directed by his Soviet handlers to encrypt computer file information that
was passed to them, "and was eventually convicted of espionage against the
U.S., was aided because the investigator handling the case was able to
decrypt Ames's files using AccessData Corp. software (an automatic
de-encryption program)."
References:
* National Strategy Information Center, Dorothy Denning and
William Baugh, "Encryption and Evolving Technologies as Tools
of Organized Crime and Terrorism," July, 1997.
* The Washington Post - WashTech, Elizabeth Corcoran, "Around
the Beltway, Encryption: Who will Hold the Key? Two Bills
Reflect the Split over Restrictions", Aug-04-1997.
* Mercury News, Simson Garfinkel, "Denning unable to confirm FBI
Assertions; alters her position", 31-Jul-1997.
Robert Perillo, CCP, CNE Richmond, VA perillo@dockmaster.ncsc.mil
Staff Computer Scientist perillo@gibraltar.ncsc.mil
[Usual disclaimers]
[The Ames case strikes me as a bad example, and a classic case of
trying to oversell the impediments of crypto, considering the long
history of incriminating phone calls in the clear and the long trail
of other evidence that would seem to have been ignored or perhaps
suppressed in an effort to gather more evidence. PGN]
tbt -- Sign all messages with non-escrowed keys, don't give in to government
tyranny. Commentary at http://www.homeusers.prestel.co.uk/crecon/Escrow.htm
--
|Bruce Tober, octobersdad@reporters.net, Birmingham, England +44-121-242-3832|
| Freelance PhotoJournalist - IT, Business, The Arts and lots more |
| Website - http://www.homeusers.prestel.co.uk/crecon/ |
| PGP Key Details follow: |
| RSA key ID 0x94F48255 Fingerprint 0907 EBCD 1B37 91F5 D15C 0D2E C617 2671 |
| DSS/DH key ID 0xB1445118 |
| DSS/DH key Fingerprint CBB5 8BF8 2CCC 9B86 41EB 1788 6930 78FB B144 5118 |