An Educator's Guide to Privacy

Encryption

Introduction

In a world growing increasingly dependent on technology and the desire for privacy in the virtual realm, data encryption techniques have become widely used to ensure the protection of important information, such as credit card numbers, e-mail messages, and students' test scores. As much as we value our perception of privacy online, and as powerful as modern data encryption programs are, our privacy may still be compromised.

This paper is an addendum to a paper written in 1999 on this topic that can be accessed at http://lrs.ed.uiuc.edu/wp/privacy/index.html.

What is encryption?

Encryption is the complex mathematical technique of encoding a message into a format that is unreadable until its recipient decrypts (decodes) the data with a key that converts the data into a readable format. Scrambled messages were commonly used in World War II to prevent the enemy from intercepting instructions regarding battle. Today, encryption is used for online shopping, online bank transactions, stock trading, in ATM machines, in e-mail, and in other transactions between two or more parties (Smith, 2002).

Current Methods of Encryption

Secure Sockets Layer, or SSL, is the most commonly used form of encryption for secure Internet transactions. SSL is generally available in 40-bit and 128-bit versions, which refer to the length of the "session key" generated for every encrypted transaction. The longer the key, the more difficult it is to break the encryption code. To give you a figure, the 128-bit variety of SSL is literally trillions of times stronger than the earlier, 40-bit standard (Secure Sockets Layer, 2002). SSL is built into most Internet browser applications.

Another mode of encryption, Pretty Good Privacy, or PGP, is used to encrypt files and e-mail messages and is widely available as freeware on the Internet. PGP uses the public key method of encryption, which requires the sender to first encrypt the message using the recipient's public key, which is widely known and can be easily obtained from a company or Internet public key server. The data is then sent in an unreadable format that can be unlocked by the recipient only by using a private key which is confidential to everyone other than the holder of that key (Smith, 2002).

In December, 2001, the U.S. government formally adopted the Advanced Encryption Standard, or AES, an algorithm developed by two Belgian cryptographers that is designed to safeguard government data better than the old standard and that works on multiple platforms. The old standard, Data Encryption Standard, or DES, used only a 56-bit key to decode data, which was vulnerable to code cracking or guessing in only a few hours. The new standard works with 128-bit, 192-bit, and 256-bit key lengths. According to the U.S. government's fact sheet, it would take more than 149 trillion years to crack an AES key (Smith, 2002)!

Why do we need it?

As mentioned in the 1999 version of this paper, encryption provides a means for securing information. E-mail messages, for example, are very vulnerable to interception. Certain web sites may require a password for access to those sites, but without encryption those sites are easy targets for computer hackers. Also, with the increased use of Internet commerce, consumers need to be able to purchase goods and services online using a credit card and be safe from having their credit card numbers intercepted during the transaction. In fact, using your credit card online through the SSL standard is much safer than giving your number to a salesperson over the telephone or handing your credit card to a clerk at a grocery store checkout line. The perception of the safety of this data is almost as important to consumers as the encryption technology itself.

As also noted in the 1999 paper, encryption can provide "message authentication." A sender of an e-mail, for example, can make a digital signature using his or her own private key, proving to the recipient the authenticity of the source of the message and that the message was not altered or viewed by anyone else (Bennett, et al., 1999, 2002).
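The public key encryption and digital signature steps described above, as an added example that is not part of the original paper and is not PGP's own code. It uses textbook RSA without padding and small constructed demo keys; the teacher and parent roles, key names, and sample message are assumptions made for illustration.

```python
import hashlib

E = 65537  # commonly used public exponent

def make_key(p, q):
    """Build a toy RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (needs Python 3.8+)
    return (n, E), (n, d)

def encrypt(message, public):
    """Sender side: anyone holding the recipient's public key can do this."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(ciphertext, private):
    """Recipient side: only the private key recovers the original bytes."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message, n):
    # Hash the message and reduce it so it fits under the modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    """Signer uses their OWN private key on a hash of the message."""
    n, d = private
    return pow(_digest(message, n), d, n)

def verify(message, signature, public):
    """Anyone with the signer's public key can check origin and integrity."""
    n, e = public
    return pow(signature, e, n) == _digest(message, n)

# Constructed demo keys from known Mersenne primes (far too small for real use).
TEACHER_PUB, TEACHER_PRIV = make_key(2**61 - 1, 2**127 - 1)
PARENT_PUB, PARENT_PRIV = make_key(2**89 - 1, 2**107 - 1)

if __name__ == "__main__":
    note = b"Test score: 92"                 # constructed sample message
    sealed = encrypt(note, PARENT_PUB)       # teacher encrypts for the parent
    stamp = sign(note, TEACHER_PRIV)         # teacher signs with own key
    print(decrypt(sealed, PARENT_PRIV))      # parent reads the note
    print(verify(note, stamp, TEACHER_PUB))  # signature checks out
    print(verify(b"Test score: 99", stamp, TEACHER_PUB))  # altered note fails
```

Real PGP adds padding, much longer keys, and encrypts the message body with a symmetric session key that is itself encrypted to the recipient's public key.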

Issues Concerning Encryption

The following sections are intended as updates to the sections of the 1999 paper, as much has transpired in the way of encryption development and world events (e.g. the September 11, 2001 terrorist attacks in the U.S.) that bears mentioning. For the original discussion of these issues, please read the 1999 white paper at http://lrs.ed.uiuc.edu/wp/privacy/index.html.

In the 1999 paper, the questions "Does encryption guarantee security?" and "Is e-mail security an oxymoron?" were asked. The opinion of the authors in the 1999 paper was that encryption is only as effective as the level of encryption utilized, and they cited an article by John Perry Barlow in which he stated that the Internet sites that hide behind the most security are the ones that will be targeted by hackers, as they see breaking into such a site as a challenge. Regarding e-mail, the authors of the 1999 paper state that e-mails are highly vulnerable to being read by other parties, such as system administrators and web postmasters, and forums such as newsgroups place messages on the Internet for anyone to see (Bennett, et al., 1999, 2002).

So, in 2002, have the answers to these questions changed? While encryption has improved, and encryption technologies such as SSL are safely used by millions of online consumers each year, the truth is that no data we send online is safe from interception any longer. The reason for this is a program called "Carnivore."

What is Carnivore?

Developed and instituted by the FBI on July 11, 2000, Carnivore is an Internet monitoring system that is installed at the facilities of an Internet Service Provider (ISP) and can monitor all traffic moving through that ISP. According to the Electronic Privacy Information Center (EPIC), "The FBI claims that Carnivore 'filters' data traffic and delivers to investigators only those 'packets' that they are lawfully authorized to obtain. Because the details remain secret, the public is left to trust the FBI's characterization of the system and -- more significantly -- the FBI's compliance with legal requirements" ("The Carnivore FOIA Litigation," 2002).

The FBI, on its website, provides its own description of the Carnivore program:

"The use of the Carnivore system by the FBI is subject to intense oversight from internal FBI controls, the U.S. Department of Justice (both at a Headquarters level and at a U.S. Attorney's Office level), and by the Court. There are significant penalties for misuse of the tool, including exclusion of evidence, as well as criminal and civil penalties. The system is not susceptible to abuse because it requires expertise to install and operate, and such operations are conducted, as required in the court orders, with close cooperation with the ISPs" ("FBI Programs and Initiatives-The Carnivore Diagnostic Tool," 2002).

So the FBI, which has been well known for catching criminals through electronic surveillance for many years, can now essentially view any transmission made through an ISP. This would include the web sites you are browsing, e-mail messages being sent, files being uploaded or downloaded, and so on.

Since the September 11, 2001 terrorist attacks on the U.S., in which more than 3,000 people were killed after terrorists with ties to the Al-Qaeda terrorist organization hijacked four commercial airliners and aimed them at key targets, including the Pentagon in Washington D.C. and the World Trade Center towers in New York City, the government has reportedly increased its surveillance for suspicious activity that could be tied to terrorism. The Senate has passed legislation making warrants for electronic computer searches easier to obtain, and the Bush administration is preparing a package of proposals that could include restrictions on encryption (Kurtz, 2001).

Carnivore appears to be the perfect program to use in this objective. The question is, how much of our personal privacy is being violated in the process?

Laws and Policies Regarding Encryption

In 1999, the export of encryption devices or programs was illegal, as encryption was classified as a munition under the International Traffic in Arms Regulations (ITAR).

In June of 2002, the U.S. Department of Commerce published an updated "U.S. Encryption Export Control Policy" that states:

"For the first time, 'mass market' encryption commodities and software with symmetric key lengths exceeding 64 bits may be exported and reexported under Export Control Classification Numbers (ECCNs) 5A992 and 5D992, following a 30-day review by the Bureau of Industry and Security (BIS)." (U.S. Department of Commerce, 2002)

The report contains an important disclaimer: "This rule does not change any of the existing restrictions on exports and reexports of encryption items to designated terrorist supporting countries and nationals of such countries" (2002).

The U.S. has obviously relaxed some restrictions on the exchange of commercial encryption devices and programs, but it is very concerned about the use of encryption by terrorist groups, a valid concern since it has been revealed since 9/11 that communications between terrorist members alluding to the upcoming attack were transmitted but not caught by U.S. intelligence agencies until after the fact. Using encryption, these groups could be even more secretive about their communications.

Ways to Protect Privacy, Including in Schools

Encryption programs, PGP, SSL, and other technologies have been around for years, but they are only getting better. For example, PGP, the freeware e-mail encryption program, has released twenty-nine updates to the program for the Windows platform and 19 updates for the Mac platform since 1991 ("Freeware PGP Versions," 2002). More recent developments include Hushmail.com, the "World's First Web-Based Email with End-to-End Security" (Hushmail.com, 2001). The system uses the OpenPGP key management algorithm. It's like a Hotmail or Yahoo email account, only it's encrypted. "ShyFile" software claims to offer 6144-bit file encryption, "Military security for your email and file encryption" (ShyFile-6144bit Secure Email Encryption Software, 2002). Finally, a research team at Ottawa University has created "Cryptobox," a secure virtual network on the Internet. "From the information that we've been seeing, Cryptobox would have no problem circumventing all of Carnivore's attacks," said Nikola Bobic, leader of the research team (McDonald, 2001). Advances continue to be made in encryption as time progresses.

How does encryption work in an educational setting? In the 1999 paper, the authors stated, "Teachers and parents need to keep the 'lines of communication' open. These 'lines' now include computer modems as well as telephone and postal service! To be able to discuss the important issues affecting our students and their success in school, e-mail must be secured" (Bennett, et al., 1999, 2002). However, the authors offered no examples of any programs or devices that could facilitate open communication between parents, teachers, students, and administrators. In the interim, products intended for this purpose have been developed.

SchoolCruiser is an online service through which:

"Teachers can interact with students, easily post and publish assignments, grades and attendance, host discussion groups, accept assignments on-line and have access to e-mail. All community members receive an e-mail account, communication with parents is just a click away" ("SchoolCruiser Frequently Asked Questions," 2002).

Participants in the service must log in with an ID and password to access the service, and these are protected by SSL, which provides "data encryption, server authentication, message integrity and optional client authentication for a TCP/IP connection" ("SchoolCruiser," 2002).

Another way schools are benefiting from encryption technology is the ability for administrators to access standardized test scores online. The Educational Testing Service's (ETS) Internet Delivery of Scores program offers this technology, which utilizes the PGP algorithm ("ETS Internet Delivery of Scores," 2002). This is an alternative to the much less secure method of mailing test scores to each respective school, which leaves the scores much more vulnerable to interception.

Conclusions:

Encryption technology has advanced rapidly over time, and its practical uses have been expanded, even into schools. While we are continually developing new and easy ways to ensure our privacy online, some groups, such as the U.S. government, are using their own innovations, such as Carnivore, to remove some of that privacy. More damaging, though, is the fact that the government is removing our perception that our privacy online is guaranteed, whether we are each being monitored by the FBI or not. As with any fairly new technology, there are advantages and disadvantages that must be weighed. Less privacy, in the case of the FBI's Carnivore, is in the interest of increased personal and national security. Even without Carnivore on our ISPs, no data is one hundred percent safe, a reality we must accept. While 128-bit encryption has made cracking data keys impractical, it cannot be dismissed as impossible.

Encryption technology has shown much promise for the educational environment. Services like SchoolCruiser and the ETS's "Internet Delivery of Scores" have been designed with the interest of personal privacy and information encryption in mind. With student privacy and anonymity online both inside and outside school such an important issue to parents and educators, the protections inherent in these new systems put us at greater ease.

References:

Bennett, Karen, et al., 1999, 2002. An Educator's Guide to Privacy. Retrieved from the World Wide Web on July 7, 2002 at http://LRS.ED.UIUC.EDU/WP/privacy/index.html

"Carnivore FOIA Litigation, The," 2002. Electronic Privacy Information Center. Retrieved from the World Wide Web on July 7, 2002 at http://www.epic.org/privacy/carnivore/

"ETS Internet Delivery of Scores." Educational Testing Service. Retrieved from the World Wide Web on July 23, 2002 at http://www.ets.org/esr/elscorep.html

"FBI Initiatives and Programs-Carnivore Diagnostic Tool." Retrieved from the World Wide Web on July 14, 2002 at http://www.fbi.gov/hq/lab/carnivore/carnivore2.htm

"Freeware PGP Versions." The International PGP Home Page. Retrieved from the World Wide Web on July 23, 2002 at http://www.pgpi.org/products/pgp/versions/freeware/

Hushmail.com, 2001. Retrieved from the World Wide Web on July 30, 2002 at https://www.hushmail.com/?PHPSESSID=c698c6005df195fd170eea3c72378496

Kurtz, Howard, 2001. "Big Brother No Longer So Scary." Washingtonpost.com. Retrieved from the World Wide Web on July 23, 2002 at http://www.washingtonpost.com/ac2/wp-dyn?pagename=article&node=&contentId=A55059-2001Sep19

McDonald, Tim, 2001. "Carnivore 'No Problem' for New E-Mail Encryption." NewsFactor Network. Retrieved from the World Wide Web on July 23, 2002 at http://www.newsfactor.com/perl/story/11281.html

"SchoolCruiser Frequently Asked Questions." Retrieved from the World Wide Web on July 30, 2002 at http://www.schoolcruiser.com/faq.html

"Secure Sockets Layer," 2000. Retrieved from the World Wide Web on July 23, 2002 at http://wp.netscape.com/security/techbriefs/ssl.html

ShyFile-6144bit Secure Email Encryption Software. Retrieved from the World Wide Web on July 30, 2002 at http://www.shyfile.net/

Smith, Sandy, 2002. "CPE & Training: Articles: An Education on Encryption." Intuit Advisor. Retrieved from the World Wide Web on July 23, 2002 at http://www.intuitadvisor.com/tools_resources/cpe_training/articles/ss_educationonencryption.html

U.S. Department of Commerce, 2002. "U.S. Encryption Export Control Fact Sheet." Retrieved from the World Wide Web on July 23, 2002 at http://www.bxa.doc.gov/Encryption/EncFactSheet6_17_02.html

