• Buro Jansen & Janssen is a research bureau that critically monitors the police, the judiciary, intelligence services and government in the Netherlands and Europe. A civil-rights collective that has been publishing for 30 years on the expansion of repressive legislation, public-private cooperation, powers, government action and other state affairs.
  • The key to success

    Combating encryption

    In recent years, western governments have created new powers to allow them to intercept e-mail and Internet correspondence. Internet providers are obliged to make their systems capable of being intercepted, as telephone companies are. However, the authorities have been struggling with the problem of encryption for years. Tapped messages are not much use if they cannot be read or listened to. For years, the United States in particular tried to regulate the export of encryption through strict regulations. In the meantime, the judicial authorities have changed their thinking about cryptography.

    For years, the United States tried to impose international restrictions on the use of cryptography via the Wassenaar Arrangement. The Wassenaar Arrangement stems from the Coordinating Committee for Multilateral Export Controls (COCOM). The goal of the 17 participating countries, most of which are NATO members, was the use of export controls to combat the dissemination of weapon systems. In 1996, the Wassenaar Arrangement was extended to include former Eastern Bloc countries. With the end of the Cold War, the aim shifted to the promotion of “regional and international stability and safety”. The Wassenaar Arrangement works with a long list of goods that are seen as a strategic danger. The member states have laid down controls on the export of these goods in their national legislation.[1]
    Encryption products are on the list of so-called “dual use goods and technologies”; goods and technologies that can be used for both civilian and military purposes. The military aim of cryptography is, of course, the protection of national security. In the so-called General Software Note, an exception was made for cryptography for the consumer market and for public domain cryptography, like PGP. However, Australia, France, New Zealand, Russia and the United States have maintained control of the export of these forms of cryptography in their national legislation.
    In America, only light cryptographic equipment is allowed to be exported and then only with permission. In practice, this cuts both ways. On one hand, heavy cryptography is not exported and therefore cannot fall into the hands of criminals, terrorists or rogue states. On the other hand, this regulation has long hindered the development and dissemination of good encryption for civilian use. It is often not economically viable for American companies to make two versions: one with good encryption for the domestic market and one with weak encryption for export. This is why we have been saddled with such weak encryption in widely distributed computer programmes like Windows. Not that this bothers either the NSA or branch investigation agencies like the FBI.

    Controversial
    The United States was eventually unable to maintain this strict international policy. In recent years, the control of cryptography has come under debate. The member states of the EU, under pressure from the business world, began to oppose the export restrictions increasingly vociferously. Good encryption is essential to the business community, both for digital communication and as a weapon against economic espionage. It is significant that France, which for years forbade the use of encryption for both domestic use and export, liberalised its policy extensively in January 1999. The business community is receiving more and more support from the European Commission, which considers that it is essential that Europe can compete to the full in the developing cyber-economy. The European Commission, which had considered a total ban on the use of cryptography in the early 90s, concluded in 1997: “the public needs access to technical means that can offer effective protection against invasions of the confidentiality of their communications. Encrypting data is often the only effective and affordable manner to accomplish this.” [2]
    Encryption is also being quietly removed from the agenda of the European ministers for Justice and Home Affairs (JHA Council). Ideas on the introduction of an order to hand over keys in the case of a criminal investigation were still circulating in 1998. The Netherlands also considered imposing conditions upon providers of cryptographic services, in order to “preserve the possibility of authorising interception in the interests of the maintenance of law and order and national security.”[3]
    On 28 May, the JHA ministers adopted a resolution to work toward a Trusted Third Party System; the entrusting of the encryption key to a third party. Law enforcement agencies would then, on request, be able to obtain legal access to encryption keys “without the user of the cryptography service being aware”. There has been nothing more heard of the planned resolution which was to request member states to keep the needs of law enforcement in mind whilst developing their national policy.[4]

    One way of protecting information against undesired snoopers is the use of cryptography.
    Cryptography has two important uses: the encryption of data and the placing of a digital signature.
    Encryption makes messages illegible to third parties. A specific algorithm transforms plain text into illegible, ciphered text. The plain text can only be recovered through the use of a specific key. Only those in possession of the right key can decode and read the message.
    A digital signature ensures authenticity and confirms the origin of the message.
    Different sorts of algorithms can be used for encryption. The most important distinction is that between symmetrical and asymmetrical systems. Symmetrical systems use the same key for both encoding and decoding messages. This makes it necessary for the communicating parties to agree beforehand upon a key that is then subsequently used by both parties. The disadvantage is that it is first necessary to find a secure channel over which the secret key can be exchanged. This problem is avoided by the asymmetrical system, which uses keys that are connected to each other mathematically. One key encodes the information, whilst the second key can only be used for decoding. As only the second key can recover the plain text, anyone can have access to the first (or public) key. Logically enough, the second key is called the “private” or “secret” key; only those for whom the message is meant need to be in possession of that key. Commonly used symmetrical algorithms include Data Encryption Algorithm (DEA), Triple DES, International Data Encryption Algorithm (IDEA), CAST and RC4. Strong asymmetrical algorithms whose uses include electronic transactions (often in combination with symmetrical algorithms) are RSA, Diffie-Hellman and Elliptic Curve Cryptosystem (ECC).
    The security of a cryptographic system depends upon the quality and bit length of the key as well as upon a strong algorithm. The quality depends upon how the key is made; the more unpredictable elements placed during the generation, the better the key. In symmetrical systems, the difficulty of finding the key increases exponentially with every bit added: for example, 128 bits provides 2^128 possibilities. In asymmetrical systems, every bit provides less than a quadratic increase in possibilities; a key of 512 bits is roughly equivalent to a key of 64 bits in a symmetrical system.
    With authentication, the message itself is not encoded, but signed digitally with a private key. This is verified using the public key.
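
The key-length point above, as an added example that is not part of the original article: a toy 16-bit symmetric key is only found by trying the whole key space, while an RSA modulus of the same length gives up its private key after a few hundred trial divisions, which is why asymmetric keys have to be much longer for the same protection. The toy cipher, the primes 241 and 251, the exponent 17 and the sample messages are constructed for the illustration; real factoring algorithms are far faster than the trial division used here.

```python
# Added illustration, not code from the article. The toy cipher, primes,
# exponent and messages below are constructed sample values.
import hashlib
from math import isqrt

BITS = 16                 # toy key length used for both systems
P, Q, E = 241, 251, 17    # constructed RSA primes; P*Q is a 16-bit modulus


def keystream_xor(key: int, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR up to 32 bytes with SHA-256(key).
    The same call encrypts and decrypts, because both sides share one key."""
    if len(data) > 32:
        raise ValueError("toy cipher handles at most 32 bytes")
    stream = hashlib.sha256(key.to_bytes(8, "big")).digest()
    return bytes(b ^ s for b, s in zip(data, stream))


def search_symmetric(ciphertext: bytes, known_plaintext: bytes, bits: int):
    """Exhaustive search over every `bits`-bit key.
    Returns (key, number of keys tried)."""
    for trials, key in enumerate(range(2 ** bits), start=1):
        if keystream_xor(key, ciphertext) == known_plaintext:
            return key, trials
    raise ValueError("key is not in the searched key space")


def factor_modulus(n: int):
    """Naive trial division of an RSA modulus.
    Returns (p, q, number of divisions tried); at most sqrt(n) divisions."""
    for steps, d in enumerate(range(2, isqrt(n) + 1), start=1):
        if n % d == 0:
            return d, n // d, steps
    raise ValueError("modulus has no non-trivial factor")


def compare():
    """Measure the work to recover a 16-bit symmetric key and a 16-bit RSA key."""
    # Symmetric side: worst case, the key is the last one in the key space.
    message = b"meet at noon"
    secret_key = 2 ** BITS - 1
    ciphertext = keystream_xor(secret_key, message)
    found_key, trials = search_symmetric(ciphertext, message, BITS)

    # Asymmetric side: the public key is (n, E); the factors of n are secret.
    n = P * Q
    plain_number = 4242
    cipher_number = pow(plain_number, E, n)          # encrypt with the public key
    p, q, steps = factor_modulus(n)                  # work needed to learn p and q
    d = pow(E, -1, (p - 1) * (q - 1))                # private exponent follows from p, q
    recovered = pow(cipher_number, d, n)             # decrypt with the private key

    return {
        "modulus_bits": n.bit_length(),
        "symmetric_key_found": found_key == secret_key,
        "symmetric_trials": trials,                  # 2**16 keys tried
        "factoring_steps": steps,                    # below 2**8 divisions
        "rsa_plaintext_recovered": recovered == plain_number,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```
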

    At the end of 1998, an open confrontation occurred between the United States and the member states of the European Union during a meeting of the Wassenaar Arrangement to discuss a revision of the list of strategic goods. The General Software Note, which deals with cryptography, was adapted.
    Crypto products with a strength of 56 bits and asymmetrical crypto products up to a strength of 512 bits were exempt from export control. All other cryptography remained within the license regulations. No agreement was reached on the distribution of (heavy) cryptography via the Internet.
    The American government continued to exert pressure on the other Wassenaar countries to maintain the control on cryptography. In May 1999, Germany decided to liberalise its policy on cryptography. The American government considered this to be an undermining of the Wassenaar Arrangement of December 1998. “I believe we must soon address the risks posed by the electronic distribution of encryption software. Although the Wassenaar countries have now reached an agreement to control the distribution of mass market encryption software of certain cryptographic strength, some Wassenaar nations continue not to control encryption software that is distributed over the Internet, either because the software is in the “public domain” or because those nations do not control distribution of intangible items. While I recognise that this issue is controversial, unless we address this situation, use of the Internet to distribute encryption products will render Wassenaar’s controls immaterial”, wrote Janet Reno, the American Attorney General, in a letter to her German counterpart in May 1999.[5]
    Werner Muller, the German Minister of Economy and Technology declared in October 1999 that the Germans had made special efforts to keep the liberalisation of the export regulations of cryptographic products within the terms of the Wassenaar Arrangement. According to him, the benefit gained by the Wassenaar negotiations of December 1996 was that encryption was no longer classified as being “particularly sensitive”. [6]

    Liberalisation
    Many people were surprised when the US government announced plans in 1999 to liberalise its export controls. The first concrete changes were revealed in January 2000. Organisations concerned with civil rights and freedom of the Internet were disappointed. On the whole, critics found that the changes were a small step in the right direction, but still left a lot to be desired. It was still compulsory to inform the government whenever cryptographic products were exported “electronically”. Export to several countries remained prohibited. This ruling applied to the usual suspects; Cuba, Iraq, Iran, Libya, North Korea, Sudan, Syria, Serbia and the areas in Afghanistan under Taliban control.[7]
    Furthermore, it is still compulsory to apply for a one-off license for most crypto products. This means that the authorities must be notified which products are sent where and that the American government then checks whether this is permissible. There is also a one-off inspection of the cryptographic products. In this way, the government remains informed about who is using which cryptographic products. Cryptographic source codes may, from now on, be placed on the Internet, except when it can “be known” that these codes will be read by people in the forbidden countries. It is also still forbidden to provide information on how to use cryptography. The export of very strong cryptography remains subject to heavy restrictions.[8]
    These cautious moves by the American government point to a global liberalisation of the policies around cryptography. Two factors are of prime importance with respect to this development. Competition between businesses in the electronic world market has put governments under great pressure to lift strict regulations. Businesses are threatening to move to countries where they can have access to good encryption. Furthermore, largely thanks to the Internet, strict controls on the availability of cryptographic products are almost impossible to maintain.
    Judging from surveys carried out by Bert-Jaap Koops and the Electronic Privacy Information Centre (EPIC), it seems that an increasingly small number of states are still trying to regulate foreign and domestic use of cryptography in the old-fashioned way. Koops observes, however, that in the Wassenaar Arrangement, restrictions on the export of cryptography are still on the agenda.[9]

    Keys
    A similar development can be seen with respect to another one of the police and judicial authorities’ pet topics: compulsory key escrow or key recovery. Key escrow means that the keys to cryptographic products are in the keeping of so-called Trusted Third Parties. With key recovery, there is an access point that can bypass the encryption built into the encryption system. In the business world, this has already been done voluntarily in a number of cases, because it would be disastrous to lose the keys and be unable to access one’s own business information. This system potentially offers unprecedented possibilities for the police and law enforcement to obtain keys to encoded messages. The business community considers the standardised and compulsory inclusion of such back doors to be much too risky. They reason that if the police and law enforcement can look into the contents of an encrypted message, so can criminals and competitors. If the international organised high-tech criminals are half as terrifying as law enforcement makes them out to be, it would be child’s play for such criminals to hack into a Trusted Third Party to corrupt or steal data. Although this is merely throwing the authorities’ own reasoning back in their faces, it is nevertheless an effective argument. Besides this, it is still unclear if the key recovery system is technically viable whenever modern cryptography is applied on a large scale. The business world is also worried that the authorities could abuse key recovery to benefit their own national companies.[10] The European Commission also supports the objections made by the business world in this matter. In 1997, it announced: “key escrow or key recovery raise a number of practical and complex questions that policy makers would need to solve, in particular issues of privacy, vulnerability, effectiveness and costs. If at all required, regulations should be limited to what is absolutely necessary”. [11]
    In January 1998, Detlef Eckhart of directorate XII of the European Commission declared during the RSA Data Security Conference that the Commission had decided not to make any rules with respect to key recovery and key escrow. This was to be left to the national policy of the member states.[12]
    During the Wassenaar Arrangement of December 1998, the US tried to shift the issue of key recovery to the foreground by offering to drastically soften export regulations on cryptographic products on the condition that key recovery would be possible with these products. Under the leadership of Germany and the Scandinavian countries, the proposal was vetoed. In October 1999, Werner Muller, the German minister of economy and technology, declared in a speech on this subject; “in the face of enormous pressure, we prevented – virtually fighting on the front line – the international imposition of key recovery requirements. Our position is clear – we did not and do not want them.”[13]
    Recent developments in various countries suggest that law enforcement and intelligence services accept their defeat on this point. That does not, however, mean that they will leave cryptography alone. They are merely busy searching for other ways in which to achieve the same results. There are signs of a remarkable international consensus on this issue. The recently adjusted English Interception of Communications Act (IOCA) gives the government the right to intercept e-mail and listen in on Internet communication on a wide scale. In addition to this, the government also wants to have the capacity to be able to bug 500 Internet connections at the same time. Many critics see the handiwork of the intelligence services in this law, as such a gigantic interception mechanism is way beyond the needs of the police.
    Instead of being restricted to the Home Secretary, the order to intercept messages can also, under certain circumstances, be given by high-ranking civil servants. In addition to this, service providers are obliged to provide information about their clients and their communication if requested by the authorities. Furthermore, the definitions of “serious criminality”, one of the grounds upon which interception is permissible, are extremely vague. One of the definitions of “serious criminality” includes “offences involving a large number of persons in pursuit of a common purpose”. Civil rights groups regard this as legitimising the bugging of political activists.[14]
    The Electronic Communications Bill in England, which was recently presented to the Commons, introduces a new point. The bill proposes that the police and intelligence services receive the authority to tap e-mail messages and to search through computers. Citizens would be obliged to hand over their encryption keys if the authorities so desired. Anyone refusing to comply with this demand, or who had simply forgotten their password, could expect a spell of up to two years in one of Her Majesty’s prison cells. The burden of evidence would also be placed upon the “suspect”. This would involve a dramatic turnabout from the general principle upheld in states under rule of law that one is innocent until proven guilty. It would furthermore be possible to force a suspect to cooperate with his own conviction, a reversal that is at odds with the basic principles of a state of law.
    Undeterred by these drawbacks, the British government went further; if the bill were to become law, it would make it possible to impose a ban on suspects against speaking in public. This would mean that if, for example, the police were to sniff about in your computer or e-mail, you would not be allowed to tell anyone else, or risk a prison sentence of five years. If you were still to complain about the unwelcome visit, you would stand a chance of facing a secret trial that handled the case and the evidence presented behind closed doors.[15]
    During the Scrambling for Safety Conference in London, the minister for e-commerce Patricia Hewitt declared that there was no real reason to be worried. She admitted that government activities sometimes posed a threat to civil liberties, but said that “the authorities only act to protect individuals”.[16]
    Privacy and civil liberty organisations point out that the proposed legislation is in conflict with the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR). According to this convention, one is innocent until proven guilty, and suspects cannot be forced to cooperate with their own conviction.
    After much criticism, the controversial passages were removed from the law. In February 2000, the Home Secretary proposed a new piece of legislation, the Regulation of Investigative Powers (RIP) in which the scuppered passages from the Electronic Communications Bill reared their heads again. Although some small changes have been made, the basic premises are the same. The judicial authorities must now have “sound reasons” to suspect that someone has or had a key in their possession, but the inversion of the burden of evidence principle remains intact; anyone who does not comply with the order to decrypt is liable to be punished. The onus is on the suspect to prove that he never had a key or has genuinely forgotten it.
    According to Casper Bowden, director of the Foundation for Information Policy Research, in this way, the British government is trying to introduce key recovery all the same. “After trying and failing to push through first mandatory key-escrow, then voluntary key-escrow, it now looks like the government is resorting to key-escrow through intimidation.”[17]

    Breaking and Entering
    In Australia, a piece of legislation that allows all forms of encryption and does not make key recovery compulsory is in the last stages of going through parliament. In order to give the authorities access to encrypted data, the law gives the Australian secret service, ASIO, the right to access computers directly and change data in them. They are also permitted to break in secretly and to install equipment that can intercept data before it is encrypted. The ASIO, which just like other secret services has been given more and more “ordinary” policing duties since the end of the Cold War, says that it needs the new powers to prevent terrorist attacks during the Olympic Games which will take place in Australia in 2000.[18]
    The United States is on a similar wavelength. Law enforcement wants permission to break into houses and offices in order to be able to plant bugging equipment in computers and obtain access to passwords. This wish is stated in the Cyberspace Electronic Security Bill. Similar powers already exist in the United States, but only for the intelligence services. The assistant Attorney General Jon Jennings warned the Senate emphatically about the use of encryption. “While under existing laws, law enforcement has various means of collecting evidence on illegal activities at its disposal, these means are rendered wholly insufficient when encryption is used.”[19]
    Following a storm of protest, the American government withdrew the contested passages. However, other passages that propose giving the authorities the power to demand keys via a court order, are still the subject of criticism. This would not be permissible if “the privacy guaranteed in the Constitution is in danger”. Unfortunately many of the laws around privacy in America are not laid down in the Constitution, but in legislation.
    Furthermore, a technical centre of the FBI with a budget of 80 million dollars is working on producing ways and techniques to develop and crack encryption. The methods used are strictly secret, and are not even to be disclosed in court cases.
    Earlier, it was revealed that the American government wishes to introduce a national observation system that will control government and private networks for hacking activities: the Federal Intrusion Detection Network (FIDNET). Internet traffic of non-military government services and crucial private sectors such as banking, telecommunications and transport would be permanently monitored for irregularities in order to discover possible intruders as early as possible. To accomplish this goal, it would be necessary to systematically intercept all this Internet traffic. Civil servants involved with this plan have given assurances that the content of the messages will not be examined, but only be controlled by pattern. “We are greatly worried about an organised cyber attack,” said Jeffrey Hunker of the National Security Council. “We know of an array of hostile governments who are developing the potential to carry out cyber-attacks, and we have good reason to believe that similar possibilities are also being developed by terrorists”. [20]
    This seems to be the dominant approach. In February 2000, the German Minister of the Interior Otto Schily announced the intention to establish a similar task force that would investigate the extent of the threat to Germany’s critical infrastructure.[21] Europol has also discussed the American example, but has not yet decided whether it is worthwhile establishing similar centres in European member states to map out the vulnerability of the digital infrastructure, to observe Internet communication for suspicious patterns, and to produce analyses of possible threats and warnings for the authorities and business community.[22]

    Tracking
    In July 1999, president Bill Clinton created a prominent working group, which under the command of Janet Reno, the Attorney General, will investigate whether or not the current legislation is adequate to combat Internet criminality. The crimes targeted are fraud, child pornography and the sale of weapons, explosives, medicines and drugs.[23]
    During a Senate hearing, Reno announced that her department had prepared a set of legislative proposals that would make it easier to locate, identify and prosecute cyber criminals. She named three specific proposals: an amendment of the Computer Fraud and Abuse Act to introduce heavier punishments for hackers who affect a large number of computers, even if no individual computer sustains damage above the current $5000 barrier; new powers for district courts to enable them to issue observation and interception orders to Internet providers throughout the country; and higher punishments for intrusions into data stored in private computers.
    FBI director Louis Freeh suggested during the same hearing that the existing Racketeer Influenced and Corrupt Organisations Act could also be applied to computer crimes. According to this law, two crimes committed within ten years of each other can be seen as a “criminal pattern” and can lead to confiscation and a twenty-year prison sentence.
    Freeh repeated the dangers of encryption. According to him, the FBI had encountered 53 cases of encryption during the previous year.[24] “Without the ability to gain court-ordered access to plain text, law enforcement agencies will be unable to investigate large numbers of cases” he said.[25] Freeh refused to say whether the use of encryption in those 53 cases had prevented suspects from being prosecuted or sentenced. Officially commenting, the Electronic Privacy Information Centre pointed out that in most cases, there was enough other evidence available to put the accused behind bars without relying on encrypted material.[26]
    In response to the recent spate of denial of service attacks on a number of large commercial sites like Yahoo! and Amazon.com, the American government announced its intention to take measures to combat anonymity on the Internet. One draft report writes of “the need for real-time tracing of Internet communications across the traditional jurisdictional boundaries, both domestically and internationally, and the need to track down sophisticated users who commit unlawful acts on the Internet while hiding their identities.”[27]
    Internet providers should also be “encouraged” to maintain records on their clients’ surfing behaviour. According to the draft report, “some companies do not retain certain system data long enough to permit law enforcement to identify on-line offenders”.[28]

    Secret Doorways
    Besides legal authorisation to break into computers and intercept computer messages or to retrieve passwords, there are other, more sinister means of decoding encrypted messages.
    One of these methods is to sneakily place “secret back doors” in encryption products. It is known that the American National Security Agency (NSA) maintains intensive contact with crypto companies with a view to persuading them to equip their crypto products with a secret decoding enabler. Cryptography that is meant to be uncrackable is, in reality, as clear as daylight to the NSA. Amongst crypto companies the question “Have you had a meeting with Lew Giles?” is the code for “Has NSA asked you to surreptitiously build a weak link into your product?” Giles is the agent who asks companies to install back doors, in exchange for which he offers preferential treatment. Companies that install these decoding enablers are rewarded by being allowed to export their products.[29]
    The best-known illustration of these sorts of tactics is the Swiss company Crypto AG, which thanks to its impeccable image of neutrality and respectability was the chief supplier of crypto equipment to approximately 120 countries. That was until it was revealed that for decades, there had been a secret agreement between NSA and Crypto AG, whereby the NSA could effortlessly intercept all the encrypted messages and read them as easily as if they had been the morning newspaper. It later emerged that the crypto keys of the exported program of Lotus Notes were also in the hands of the American government. Lotus is used in a large number of European countries. Users include Sweden, the German Ministry of Defence, the French Ministry of Education and Research and the Latvian Ministry of Education. In 1996, representatives of Lotus admitted that NSA could easily crack their encryption products. However, they did not consider this a cause for concern as the US government would not actually abuse its knowledge; after all, for the NSA to intercept the Swedish government’s communication would be illegal![30]

    In September, commotion broke out when a secret key entitled NSAKEY was discovered in Windows 98’s encryption program. According to various security experts, this secret key enabled the NSA to crack the encryption.[31] A recent report by the intelligence service of the French Ministry of Defence, the DAS, also accused Microsoft of close collaboration with the NSA. According to Intelligence World, the report claims that the NSA is responsible for the installation of secret programs in Microsoft software, which make it unsafe. It also claims that NSA personnel are employed by the computer giant. According to the report, “it would seem that the creation of Microsoft was largely supported, not least financially, by the NSA, and that IBM was made to accept the (Microsoft) MS-DOS operating system by the same administration”.[32]
    Earlier it had been made known that Microsoft had provided Windows 98 with a privacy bug at the request of the American Government. Every Word file would be automatically marked with the identification number of the PC on which it was written. This is how the FBI found the spreader of the Melissa virus during the Kosovo war. The FBI compared the secret number of the original infected files with Word files on the Internet, and so found the culprit. Microsoft has emphatically denied placing secret keys in its software, but these protestations of innocence have so far failed to impress.[33]
    The NSA also appeared in a rather bad light in Denmark. In 1996, the Danish government sold the state owned company Datacentralen to the American computer company CSC. With this deal, CSC gained responsibility for running a large part of Denmark’s data network, including the national social security files, police files, the Danish intelligence service’s computer network and a large part of the Ministry of Defence’s computer networks. One month after the sale of Datacentralen, talks were held between 9 employees of CSC and 15 members of the NSA.
    According to their own homepage, CSC had been providing the NSA with hardware and software for twenty years. The minutes of that meeting between CSC and the NSA revealed that security standards for computer networks had been discussed. Whilst answering journalists’ questions, the Ministry of Research and the Danish Registration Centre both had to admit that they had known nothing about the collaboration between the NSA and CSC. The same Danish journalists discovered that Denmark also participates in global interception activities. Wayne Madsen, a former employee of the NSA, told journalists that Danish citizens, entrepreneurs, pressure groups and politicians had all been bugged.[34]

    Peace and Security
    It is generally customary for the authorities to seek to cooperate closely with the business community. Such cooperation can result in deliberate “weakening” of encryption products; it can also be directed towards developing better equipment for decrypting messages and tracing and identifying users. It furthermore includes a strong military aspect. Authorities want to be sure that they have the latest technological gadgets necessary for maintaining a lead over their opponents. The problem with this is that computer factories are now producing for mass consumption. Only 15 years ago, the Pentagon bought approximately 60% of IT products made in America. That number has since dropped to approximately 2%. The military consequently now have less influence on the commercial sector’s activities and this is viewed as a national security problem.
    Cooperation in the development of new technologies, whereby military needs are taken into consideration, and cooperation in developing ways of staying one step ahead of the enemy’s high-tech equipment, go hand in hand. It is clear that encryption and the cracking of encryption play a major role in this arena. In February 1999, the American Secretary of Defence Cohen made an appeal to Microsoft’s patriotic sensibilities, despite the fierce struggle that was then being waged between Microsoft and the judicial authorities. Cohen wanted the digital elite to show more understanding for the needs of the military. “Some soldiers in the high tech revolution do not fully understand or appreciate the soldiers in camouflage”, he said. “The security they protect is your security. And the prosperity they enable is your prosperity.” Cohen called Microsoft and the Pentagon the “two most striking examples of American success, areas in which the United States is undisputedly superior”.
    “Peace and stability are the very cornerstones of prosperity. When our diplomats and military forces combine to help create stability and security in a nation or a region, that same stability and security attracts investments, and investments generate prosperity. And prosperity strengthens democracy, which creates more stability and more security. There is only one country in the world with the power and scope to fulfil this role. We must invest in the next generation of weapons and technology if we are to maintain our ability to shape and respond to world events in the 21st century” [35]
    The cooperation between the public and private sector is also illustrated by the recent founding of all sorts of advisory boards specialised in issues such as the vulnerability of the digital infrastructure and the danger of cyber attacks.

    The American CIA eventually tried a different approach, setting up its own venture capital company to support high-tech businesses and researchers. The fund, called In-Q-It, is geared towards research in four areas of particular interest to the CIA: the integration of Internet technologies into the CIA’s work, the development of new technologies to make personal information secure, data mining and the modernising of computer systems used by the authorities. Where the government previously invested in enterprises and specific technologies, In-Q-It tracks down new developments in the market and tries to make them useful for the intelligence services. John MacMahon, former deputy director of the CIA and an In-Q-It board member, said, “there is a tremendous information explosion today, and this has led to the authorities being constantly one step behind. We realised that what we needed was not only something that met our needs, but also an umbilical cord connecting us to the brightest minds in Silicon Valley”.[36]


    [1] In The Netherlands, the entire list is summed up in the Export Ruling on Strategic Goods of 1963 and later amendments. In the European context, a similar list has been drawn up by European member states.
    [2] European Commission, Towards a European Framework for digital signatures and encryption, COM (97) 503, October 1997
    [3] Parliamentary pieces 23 490 nr. 99, 14-5-1998
    [4] Draft conclusions from the Council on Encryption and Law Maintenance, Comite K4 at Coreper/Raad, 8116/98 Enfopol 69, Limite, Brussel 4-5-1998.
    [5] Christiane Schulzki-Haddouti, USA drängen auf Internetverbot für Kryptoprodukte, Telepolis 27 July 1999
    [6] Dr. Werner Müller, speech for the Conference on international security solutions Europe, Berlin, 4 October 1999
    [7] Christiane Schulzki-Haddouti, Kontrollierte Liberalisierung, Telepolis 13 January 2000; q/depesche, US-Krypto: Liberalisierung und Kritik, 13 January 2000
    [8] Christiane Schulzki-Haddouti, Kontrollierte Liberalisierung, Telepolis 13 January 2000; q/depesche, US-Krypto: Liberalisierung und Kritik, 13 January 2000
    [9] See: http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm and http://www.epic.org/reports/crypto1999.html
    [10] See: Lawful Access, Room Paper, EMEF Workshop Switzerland, Paris 9-10 December
    [11] European Commission, Towards a European Framework for digital signatures and encryption, COM (97) 503, October 1997
    [12] See: http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm
    [13] Dr. Werner Müller, speech for the Conference on international security solutions Europe, Berlin, 4 October 1999
    [14] ZDNet UK, Surveillance: a special report, 30 September 1999.
    [15] Danny Penman, Cops in your computer, Daily Express, 28 September 1999
    [16] Jane Wakefield, e-Minister defends government action on encryption, while privacy-rights experts blasts e-commerce bill, ZDNet UK September 1999
    [17] FIPR news release, 10 February 2000
    [18] Florian Rötzer, Lizenz zum Abhören, Telepolis 20 September 1999
    [19] Maria Seminerio, US furor rises over PC wiretap plan, ZDNet UK, 23 August 1999
    [20] Florian Rötzer, US Regierung plant ein umfassendes Überwachungssystem, Telepolis 28 July 1999
    [21] Christiane Schulzki-Haddouti, Schilys Cyberwar, Telepolis, 15 February 2000
    [22] Multidisciplinary group on organised crime, Report on the second informal high-tech crime meeting of representatives of international fora, 13838/99 CRIMORG 1888, Limite, Brussels 8 December 1999
    [23] Florian Rötzer, Bekämpfung der Internetkriminalität, Telepolis 10 August 1999
    [24] CDT Policy Post, 4 February 2000
    [25] Declan McCullagh, Everything hacked but the Budget, Wired 16 February 2000
    [26] See: http://www.eff.org/pub/Censorship/epic_fbi_crypto_childporn.alert
    [27] Declan McCullagh, US wants to trace Net users, Wired, 4 March 2000
    [28] Declan McCullagh, US wants to trace Net users, Wired, 4 March 2000
    [29] q/depesche 99.2.17/2
    [30] Groene Amsterdammer 25 February 1998; Crypto AG: The NSA’s Trojan Whore? Covert Action Quarterly, Wayne Madsen, Winter 1998; Duncan Campbell, Nur die NSA kann zuhören, das ist OK, Telepolis 8 June 1999
    [31] Mark Honigsbaum, Microsoft’s “secret link to Big Brother”, Observer, 5 September 1999; Duncan Campbell, How NSA access was built into Windows, Telepolis, 4 September 1999; Marie-Jose Klaver, Debat over achterdeur in Windows ter spionage, NRC, 8 September 1999
    [32] US secret agents work at Microsoft: French Intelligence AFP, 19 February 2000
    [33] Vrij Nederland, 19 February 2000
    [34] Bo Elkjaer and Kenan Seeburg, Politicians overlooked spy connection, Ekstra Bladet, 21 September 1999
    [35] Defence-links, Remarks as Prepared for Delivery Secretary of Defence William S. Cohen Redmond, Washington, Thursday, February 18, 1999; Special to washingtonpost.com, Monday, March 1, 1999
    [36] Florian Rötzer, Q – Tüftler in James Bond Filmen – wird Pate von CIA, Telepolis 29 September 1999