An Editorial on USA-PATRIOT Act
( part duex )

SAN FRANCISCO - The title of USA-PATRIOT Act reads as follows;

"Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001"

The widely questioned law, often simply called “the PATRIOT Act” for short, has greatly expanded law enforcement and intelligence agencies’ authority to invade privacy. Alarmed civil libertarians and even some conservatives have raised numerous constitutionality questions, especially regarding the expanded surveillance and secret trials that PATRIOT enables. Despite this outcry, the US Department of Justice is poised to ask Congress for even broader powers of surveillance over citizens and aliens, and an unprecedented level of government power to data-mine about us, in a draft bill named the Domestic Security Enhancement Act of 2003, which was leaked to the public, and subsequently dubbed “PATRIOT II,” or as the Attorney General calls it “VICTORY.” The broader ramifications of this bill are for others to address; the CryptoRights Foundation turns its attention to the proposed restrictions on encryption and the transformation of decades of data gathering for commercial purposes into a new tool for government surveillance. Looking for Needles, Finding HaystacksOne of the primary contentions over both USA-PATRIOT and its draft successor is that the authority prescribed simply doesn’t produce successful results. Public testimony shows, for example, that U.S. intelligence agencies already had enough data to have anticipated the disasters of 9/11, but were unable to connect the dots and prevent the attacks. Installing turbo-charged information pipes into an aging ship-of-state with information engines from a bygone era will not help navigate the swift datastreams of our modern electronic environment. The Attorney General’s justification for quick and unquestioning changes to law enforcement powers has been “homeland” security, especially against terrorism. Yet USA-PATRIOT has produced no visible improvement of domestic security, with virtually all real terrorists being apprehended abroad. So why this new drive to increasingly spy on fellow Americans?

The countless ways encryption is employed throughout computer software and hardware systems, let alone our society at large, such as in ATM machines and at every e-commerce site, from Amazon.com to Zappa.net, make this a tripwire with extreme sensitivity. Encryption has remained obscure in the public mind - an arcane art relegated to the distant world of spies, narcotraffickers, terrorists, militaries and embassies. But it has become essential to maintain free speech and commerce in the digital age. We all use encryption - whether we know it or not - every time we make a credit card purchase online, use an ATM card at the bank or at a sales counter, log in to a computer or Website (unless it was set up insecurely), or play a “region-coded” DVD (whether we like it or not.)
Leaving aside just for a moment the problems related to encryption being removed from our control and used instead to control us and our movements and choices without our knowledge or approval, the fact is that crypto is ubiquitous in an internetworked society. Cryptography is the “lock and key” of the digital environment. Do you know who hods the key to your virtual space? Most of us do not, and in a rather unpleasant way the draft “PATRIOT II” legislation would make us all potentially liable, regardless.

Another, incredibly important use is in the protection of human lives and the investigation of crimes against humanity. Imagine a human rights investigator taking down witness testimonials regarding a horrific massacre in a country where border guards will happily search and confiscate the notes, disks and/or tapes naming names and places, thereby endangering the lives of witnesses and investigators. Only if the data had already been digitized, encrypted and transmitted securely to a human rights organization would those witnesses have a hope of remaining safe.
The “crypto-in-a-crime” provisions would tack on an extra five (or more) years to the sentencing for ANY federal felony, no matter how obscure, minor, or even justified in the minds of the people, if ANY encryption was used in any way, wittingly or unwittingly, at any phase of breaking the law in question while using a computer device of any kind. For example, if you failed to pay your state “use tax” when shopping online, you are technically guilty of federal wire fraud (unless the transaction took place entirely within your state). And if you shopped securely (who wouldn’t these days?), you could get an extra 60 (or more!) months in prison -- probably longer than the sentence for the actual crime (a minor one that probably would have resulted in probation if ever prosecuted at all). Or suppose you run a medical cannabis program for terminal cancer victims in California, where a clear majority of the state’s voters democratically decided this should be legal, regardless of the federal government’s position on the matter, and you happened to digitally sign e-mail to your patients. Federal law enforcement would already have you on their radar for what you do. Having the ability to almost certainly add 5 years to your sentence without any effort would give them a very big stick to hit you with, and compelling reason to single you out for special punishment.
But couldn’t terrorists use encryption if we don’t do something about it? Certainly, and there isn’t anything to do about it other than for our intelligence agencies to focus their efforts on codebreaking and human intelligence (“HumInt”, something oversight committees are roundly condemning them for failing to do well), and for our police forces to concentrate on traditional law enforcement, instead of stripping us all of the remaining shreds of privacy we still may have. The encryption genie is long out of the bottle. US laws that hamper everyday Americans in their efforts to secure their own systems, information and conversations do nothing to thwart terrorism or to make American infrastructure more secure. Much of the best encryption technology available was, and continues to be, developed entirely outside the US, so a new PATRIOT II crackdown on encryption isn’t going to solve anything. An extra 5-year sentence doesn’t scare a suicide bomber, a hostage-taker, or an organized crime boss. It simply scares law-abiding citizens away from using the technology they need to protect themselves from identity theft, credit card fraud, corporate espionage, system crackers, viruses, and illegal communications eavesdropping.

And what of the data-gathering? PATRIOT II aims to open a Pandora’s Box containing vast amounts of commercially-collected personally identifiable information -- what you buy, where, when, and even which automobile you drove to get there through which tollbooth -- and make it available to intelligence and police agencies with effectively no checks and balances at all. A giant electronic vacuum cleaner capturing the minutiae of our lives only adds more haystacks to sift for relevant data -- something our intelligence community evidently cannot effectively do with the much smaller collection of data they already have access to on international and domestic terrorists and suspects -- meanwhile while subjecting citizens to arbitrary scrutiny by invisible officials using unquantifiable sources of vast invasiveness, with little public oversight. The PATRIOT II draft would also create new powers to obtain financial information, to monitor voice and e-mail communications over Web-enabled phones, and much more. It is impossible to predict what else would be added to this legislation by the time it ever came up for a vote. (The bill has yet to be officially introduced as of press time, and the Attorney General has backed away from the legislation, publicly anyway. But its clear that a lot of work went into the bill, and many of its provisions have been floated before, including the anti-crypto sections. These are things that the FBI and other agencies have been quietly seeking for many years, and only a concerted public outcry is likely to prevent it.) The negative implications of this proposal to your individual privacy and electronic security are astonishing in the extent of the damage they could lead to, and far outweigh any real benefits they might provide to our national security.

The vague and effectively undefined term “terrorism” adds further mystery when divining future intentions from the examples of current events. How will such amorphous understandings of danger serve the public? How will the growth of online commerce, touted as a breakthrough for economic globalization, be facilitated by burdensome rules and unneeded costs? Even scientific advancement will surely suffer, as it already has by earlier “national security” concerns that attempted to thwart the open publication of encryption research.
Establishing secret lists and spying on “political interest” groups without accountability inevitably erodes trust between citizenry and officials. Ultimately, this intimidation can only lead to a decline in participation of citizenry in government and public institutions, and further expand the divide between the actions of government and the needs of the people.
Clarity of Purpose We have freedoms, rights, and responsibilities that we must constantly secure and live up to, as well as the need to protect our physical persons and our economy from threats of many kinds, both internal and external. Fear is certainly a motive when international terrorism looms, but there are other concerns society must weigh when confronting terrorist threats, including the subtler types of terrorism we and our governments and either intentionally, or out of ignorance of good security practices, commit against ourselves. How can we understand the definition of “terrorist” when the term is so malleable, so equivocal, as the Attorney General recently asserted, when he used the USA-PATRIOT’s anti-terrorism provisions to pursue “regular” criminals.

If encryption is outlawed, as the “Cypherpunk” aphorism goes, only criminals will have privacy. Real security begins at home. The CryptoRights Foundation is explicitly dedicated to developing and integrating trustworthy private communications technologies that protect your fundamental, universal human rights (not to mention U.S. or other localized constitutional and legal rights). CRF does this work in the belief that a strong society built on trust and real security, and one with justice for all, can best withstand the body blows of mindless terrorist aggression from within and without. Thought Crimes of Future-PastWhat you write, say, and do may be evidence of treason for the crimes of tomorrow. What if financial contributions to an organization are in essence declared retroactively illegal (i.e. the Oregon Harawi detention case)? How could one know what to do in advance, except to choose to do nothing? This is yet another way these policies can affect the mutual trust among citizenry and public institutions. Wouldn’t this influence you to write, say and do a whole lot less? To be less “political”?

PATRIOT II is (in the last draft that was made public) shorter, at 86 pages, than its predecessor, but nearly as recklessly expands government power as did the hundreds of pages of the original USA-PATRIOT Act, which appeared somehow just a few short weeks after 9/11. For example, PATRIOT II’s Section 404 would amend Chapter 123 of the U.S. Code to create a new “crypto-in-a-crime” provision, which reads:

(a) Any person who, during the commission of a felony under Federal law, knowingly and willingly encrypts communication or information relating to that felony ...

and goes on to list mandatory minimum sentencing starting at five years for a first offense.

Here is the heart of the security problems in PATRIOT II:

(b) The terms ‘encrypt’ and encryption’ refer to the scrambling (and de-scrambling) of wire communications, electronic communications, or electronically stored information, using mathematical formulas or algorithms in order to preserve the confidentially, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering, such communications or information.

Even at first glance these provisions are completely unreasonable. Business needs to send confidential information without a small army of couriers on call day and night. Secure encoded packets of data have replaced pageboys, and cryptographic signatures now serve as the digital proxies for physical handshakes or a paper contracts in some cases (at CRF, we use them internally dozens of times daily). Millions use encryption every single day to protect their credit card numbers and passwords online and on their home computers. The next-generation Internet protocol, IPv6, has encryption built right in, and so do all “modern” operating systems.