Why "carnivore" type systems can't be (entirely) open source

Brian Gladman <brg at gladman.plus.com>
Fri, 2 Feb 2001 13:38:49 -0000


From: "Ken Brown" <k.brown@ccs.bbk.ac.uk>
To: <ukcrypto@chiark.greenend.org.uk>
Sent: Thursday, February 01, 2001 11:04 AM
Subject: Re: Why "carnivore" type systems can't be (entirely) open source


> Brian Gladman wrote:
>
> > Which is precisely how we should treat STO in respect of systems design.
>
> That is part of the point I was trying to make.  If the operation of the
> system *relies* on keeping the method used secret, then it is probably a
> bad choice of method.

Agreed - if the filter design has to be kept secret in order for it to work
it clearly then has an exploitable design vulnerability.

More importantly, since criminals have many easier ways of avoiding its
actions, it will not be sensible to hide the design if the result of doing
so has a serious detrimental impact on its effectiveness.

In the case of a filter applied in a 'RIP like situation' it will, by
definition, be applied to information owned by citizens who must be presumed
to be honest in the majority of cases of real use (AFAIK nobody claims
anywhere near to a 50% success rate for interceptions).

If the public are to be convinced that the filtering is (a) within the law,
and (b) not engineered in a way that allows or promotes abuse, then the
design has to be subject to independent expert scrutiny involving public
reporting and accountability.  The best way of achieving this is through
open publication of all the details of its design and operation.

If the design is kept secret experience shows that it will contain
exploitable vulnerabilities that will be used to achieve unlawful
interceptions and abuse.  In this situation honest citizens hence have a
sound logical basis for developing countermeasures to avoid becoming subject
to its actions. And once honest citizens develop and deploy countermeasures
the chances of then using it to catch serious criminals would move from
negligible to non-existent and this would negate any conceivable value in
its deployment.

Perhaps worse, if law enforcement authorities find themselves being seen by
honest citizens as working against rather than in support of their interests
they are then on a very slippery slope.  If such a device were to be
deployed it is hence in the interests of law enforcement authorities that
steps are taken to ensure that the public have confidence in the constraints
within which it is used.  Again, therefore, an openly published design would
provide a basis for policing by consensus whereas secrecy will provide a
basis for suspicion and mistrust.

> It is different from a situation where revealing
> the method might give an attacker some useful clues (which might be the
> case in some cryptography algorithms).

In my view there are situations in which there is value in keeping
cryptographic algorithms secret. But in all such situations the most
important reason for secrecy has nothing to do with making an attacker's job
harder.

  Brian