Ottawa Citizen » Ottawa » Ottawa Citizen » Specials » Business Hi-Tech
Business Hi-Tech
Privacy's champions or a security threat?
Full-page photo of RGB on the front cover of the Tech Weekly section
Three cypherpunks from Ottawa are part of a six-member Canadian team coding encryption software that will make it more difficult for the FBI to monitor the Internet.
Peter Hum
The Ottawa Citizen
The Ottawa Citizen
FreeS/WAN is a group of cryptographers that writes code used to encrypt computer messages. From left, Hugh Redelmeier (Toronto), Claudia Schmeing (Toronto), Richard Guy Briggs (Ottawa), Michael Richardson (Ottawa), Henry Spencer (Toronto).

Even with its gleaming kitchenettes, rooftop hot tubs and impressive Toronto skyline, the Grand Hotel and Suites fell short of the encryption team's requirements.

A month ago, when they -- three Torontonians and two Ottawa network security experts -- gathered for a quarterly face-to-face meeting, they quickly removed a painting from the wall of their 16th-floor suite and put up their whiteboard, soon to be inked with to-do notes, checkmarks and network diagrams. They set up a wireless Ethernet access point to the hotel's network so that they had the freedom to move around the suite with their laptops. They also attached a voice encryption device to the telephone so that calls to their project leader in California could be scrambled beyond the telephone eavesdropping abilities of any nosy law enforcement agency.

"Not that we have anything to hide," says Richard Guy Briggs, one of two Ottawa men who met for two days at the hotel, which only by coincidence happens to be the former Ontario headquarters of the RCMP.

Voice encryption simply goes with Briggs' job, more as a matter of principle than precaution. Four years ago, Briggs signed on to the all-Canadian team developing FreeS/WAN (as in Secure Wide Area Network), a privately funded project meant to transform the online world into an environment in which message privacy is the default setting. Privacy is a big, big deal for Briggs' employer on the project, John Gilmore, the former Sun Microsystems employee No. 5 who uses his fortune to advance such decidedly techno-libertarian causes as freedom of electronic speech and freedom from unwarranted government surveillance.

FreeS/WAN's "goal is to increase the work factor of (Internet) wiretapping, such that the government cannot effectively wiretap all the citizens. Or even a large percentage of them,'' Gilmore says. "We can prevent corrupt governments from merely tapping large numbers of innocent people, doing 'fishing expeditions' looking for evidence without having any idea that the people being tapped are involved in any crimes.''

FreeS/WAN, a Linux-based, open-source effort that deals with security at the Internet protocol level, is one of Gilmore's more recent projects. Many preceded it. After leaving Sun, the alternative-minded entrepreneur founded Cygnus Solutions (which was acquired by leading Linux seller Red Hat two years ago for $674 million U.S.), the Electronic Frontier Foundation, and the Usenet's "alt" newsgroups in which speech about taboo and fringe topics flourishes. All kinds of users and businesses have incorporated FreeS/WAN into their own technologies and products as it has evolved (this week saw the release of version 1.93) to make the communications of users secure and private. FreeS/WAN is included in Conectiva, a Linux version for Latin and South America. It is also part of the German-based SuSE Linux operating system. AT&T makes use of FreeS/WAN. The FreeS/WAN team believes the U.S. Navy and Army are users, too.

Yet in the wake of Sept. 11, American authorities in general and the FBI in particular have worked to boost the high-tech surveillance capabilities that FreeS/WAN, in principle and practice, opposes. Even before the terrorist attacks, the U.S. National Security Agency's Echelon system intercepted as many as three billion communications each day, including phone calls, e-mail messages, Internet downloads and satellite transmission, according to the American Civil Liberties Union. Some sources, the ACLU notes, claim that Echelon, which operates in conjunction with intelligence gathering agencies in the United Kingdom, Canada, Australia and New Zealand, sifts through 90 per cent of all Internet traffic to cull information of interest to U.S. intelligence. Not to be left out, the FBI has its own Carnivore software technology, which also intercepts and collects Internet communications.

But in the aftermath of Sept. 11, the U.S. has passed the Patriot Act, making it easier for the FBI to deploy Carnivore. Agents are allowed now install the software onto the system of an Internet service provider such as America Online after obtaining an order from a U.S. state attorney general, without requiring a judge's order.

As well, MSNBC recently reported that the FBI is developing so-called "Magic Lantern" software, capable of inserting a computer virus onto a suspect's machine and obtaining encryption keys. With the World Trade Center in ruins and the hunt for terrorists consuming law enforcers worldwide, life increasingly resembles the heavy-handed police state that FreeS/WAN was meant to foil.

Among the FreeS/WAN team, Briggs, at least, has no problem with the laws allowing court-sanctioned telephone wiretapping, but he questions why Internet communications do not require a judge's order. "Why should the Internet be any different from telephone calls?" he says.

Some members of the FreeS/WAN team wonder if their activities will increasingly be stigmatized by authorities who regard their work not as privacy for the people but as secrecy for terrorists and evil-doers.

Ask Ottawa's Sandy Harris, FreeS/WAN's documentation expert, how authorities would regard his team's work, and his response is terse: "Probably subversive as hell. Probably dangerous."

In the mid-1990s, when Gilmore wanted to assemble a band of tech-subversives to tackle the FreeS/WAN project, he had, in theory, many cryptographers to choose from. In the San Francisco Bay area where he lived, he and like-minded people gathered regularly to discuss cryptography and how it could be applied to advance the privacy of the then-burgeoning Internet. Casting further afield, Gilmore had only to look to the membership of a global electronic mailing list that had been created for crypto-enthusiasts. Because of their expertise in code-building and code-breaking, and because of their anti-authoritarianism, someone dreamt up the perfect name for Gilmore and his peers: "Cypherpunks." The May/June 1993 issue of Wired magazine celebrated the exploits and mindset of cypherpunks with its cover story, complete with pictures of masked, hippie-ish nerds proclaiming their high-tech freedom fighting.

There was, however, one huge hitch. Gilmore wanted FreeS/WAN to be freely available to as many people as possible. U.S. law would thwart that ambition if Gilmore were to employ any American cypherpunks. Under the law, cryptography is regarded as a "munition," the legal equivalent of cruise missile research. Unless government permission is given, American laws forbid the export of most U.S.-based cryptographic software in machine-readable form. The law also forbids American citizens, regardless of where they live or may be visiting, from providing technical assistance or advice for foreign "munitions" projects. Gilmore had to employ foreigners to develop FreeS/WAN outside of the U.S. When he started his project in the mid-1990s, he first tapped two Greek programmers, who began the project that the Canadians inherited.

Ultimately, Gilmore called upon Henry Spencer in Toronto, a veteran Unix systems programmer and Usenet pioneer in Canada, to lead the project. Also from Toronto came Hugh Redelmeier, who specializes in one chunk of FreeS/WAN's programming. The team's third Torontonian is Claudia Schmeing, who oversees the project's mailing lists and user support.

The Ottawa FreeS/WAN member who first encountered Gilmore and Daniel was Richardson, a 30-year-old Carleton University graduate who has been involved in Internet and Internet security matters for a decade. He helped set up, one of Ottawa's first Internet service providers, 10 years ago and ran one of the city's first Web servers in 1993 for Carleton University's biology department. He was employee No. 4 at Milkyway Networks, a west-end Internet security software company that was sold to SLM software Ltd. in Toronto in 1998. After leaving Milkyway, Richardson spent 15 months doing contract work for the Finnish Internet security company SSH, before joining Solidum (again as employee No. 4), where he worked on systems integration of integrated circuits devoted to policy-based networking, including security policy.

As Richardson developed his expertise in Internet protocols, he came to meet Gilmore and Daniel. They rubbed shoulders at Internet Engineering Task Force (IETF) meetings in Los Angeles and Montreal in the 1996. Subsequently, Richardson wanted to join FreeS/WAN, and the Americans were keen to hire him, but the timing was never right until this summer, soon after Richardson left Solidum. On the FreeS/WAN project, he is a programmer without portfolio.

For Richardson, who operates under the name Sandelman Software Works, FreeS/WAN is his main contract, for which he is paid the going rate for Canadian consultants. "If I can get paid to do something I like to do, I'm doubly happy," he says.

Politically, Richardson says he falls short of the hard-line libertarianism that drives his employers, but he is nonetheless deeply sympathetic to the core values of his project.

"I believe strongly in the right of free speech, the right of anonymous speech, the right to have privacy if that's what you want," he says. "I don't know if I'd call myself a rebel, but I'm not lining up to work for CSIS, or anything like that."

Richardson introduced Briggs to Gilmore's lieutenant, Hugh Daniel, years before he himself joined the team. In the fall of 1997, Richardson threw a party after an Internet Protocol Security gathering hosted by TimeStep Corp. in Kanata. Among the invitees were Briggs, a computer consultant who graduated from the University of Ottawa with a computer engineering degree in 1993, and Daniel, a loud, Paul-Bunyanesque man whom Gilmore had designated as FreeS/WAN's manager. (He remains in that position, and visits Ottawa several times a year to see his troops.) Daniel interviewed Briggs for the FreeS/WAN job on the front porch of Richardson's apartment.

"He was looking for some experience in doing kernel work (work with Linux's essential centre), a little bit of experience in cryptography and commitment to issues of freedom," Briggs says. Daniel so clearly wanted people of a similar political stripe on his team that he had Briggs take a quickie political attitudes test, beloved by libertarians, that measured his notions of social and economic freedom. He passed, and signed an encrypted, electronic contract.

Briggs, 35, writes FreeS/WAN code for the Linux kernel. It is concentrated work, sometimes as much 200 hours a month. Not that he is complaining. "Technically, this is really cool stuff," he says. "I haven't had any other offers of employment nearly as interesting as this." He adds: "I hadn't realized the extent of the political and philosophical content that would hold my attention."

Briggs prefers to tackle the workload when most people are asleep, slogging away until an hour or so before dawn. "Some people are night people. It's much quieter at night," he says. "The phone doesn't ring. People don't knock at the door."

Harris, a 53-year-old self-taught cryptographer, practically muscled his way onto the FreeS/WAN team. About three years ago, when the team members was readying version 1.0 for release, they made clear that they had to improve their documentation. Harris contacted team leader Spencer and proposed that he was the man they needed. "I sort of piped up and said, 'Hey, I can do that.'" He was right.

The three Ottawa men

illustrate a curious contradiction, in that even while they as cryptographers are dedicated to privacy, they are altogether public about their personal lives. As Briggs says, they have nothing to hide.

His own Web site lets it all hang out, giving readers a full profile of its creator, inculding his FreeS/WAN work. Briggs is an avid cyclist (and opponent of car-use). He lives in the Conservation Co-operative, a Sandy Hill housing community. He has run twice in recent years as the Green Party candidate in Ottawa-Vanier in provincial and federal elections. His wedding photos (which include a solar-powered car with a "Just Married" sign) and travel pictures from Asia and Australia are online.

Richardson's Web site gives his contact information, notes his support for cycling as a commuter choice, lists his hobbies (Baroque music, folk festivals, woodwind quintets, triathlons, ham radio, cross-country skiing and debating), and shows pictures from his backpacking trip to Greece with his partner. "I'm not shy," says Richardson.

Harris has no Web site, but he tells all during an interview at a coffeeshop near his downtown Ottawa apartment. He was a math and science whiz at Brookfield High School in the 1960s, but went to Carleton University, "partied a lot," and graduated with a psychology degree in 1969. He worked with disturbed young people in Children's Aid Society group homes, but wasn't good at it and burnt out. In the mid-1970s, he loaded a Volkswagen micro-bus and drove the hippie trail from Amsterdam to Calcutta. He taught English to francophone public servants when he return to Canada. After the break-up of his marriage, he taught English in Singapore and Saudi Arabia, and then did graduate work in England at the University of Birmingham, where he used computers to crunch text. When he ran out of money and enthusiasm, he returned to Ottawa. Here at home, he took computing jobs in training and technical writing, and eventually became a self-taught cryptographer. After all, codes had interested him since he read about them in a Hardy Boys book.

Like the rest of his peers, he is as upfront as the bumpersticker glued to the back of his leather jacket, which reads: "Coding is not a crime."

What, then, is coding, TO the FreeS/WAN team? For starters, it's certainly difficult. The project was never meant to last as long as it has. "I saw working on it for four to eight months," says Briggs. "There's just more stuff to do." Adds his colleague, Harris: "We're breaking new ground ... It's probably going to be fairly hard to get it right."

Gilmore had been overly ambitious even before Briggs was hired. He had hoped that by the end of 1996, FreeS/WAN would have been deployed to secure five per cent of all Internet traffic against wholesale monitoring.

"We are trying to build infrastructure that requires the government to work to wiretap citizens," Gilmore says. "There is no perfect security and never will be. But our goal is to increase the work factor of wiretapping, such that the government cannot effectively wiretap all the citizens. Or even a large percentage of them." However, Richardson says that his boss's target might still be a year or so away, and the group's hope is still to grow in use far beyond that five per cent.

Other types of Internet security abound, working in different ways. Unencrypted Internet traffic is comparable to a postcard which everyone along the way can read. Mail which has been encrypted with a product such as PGP (Pretty Good Privacy) is comparable to a sealed letter. SSH, the Finnish company that employed Richardson, specialized in remote login security, which Briggs compares

to the Net-traffic equivalent

of a registered courier's delivery. The physical equivalent of FreeS/WAN, he says, would be an inter-city armoured truck.

One of the most ambitious aspects of FreeS/WAN is that the project is meant to provide "opportunistic encryption." This encryption scheme relieves users of having to set up each secure link. Users whose version of Linux includes FreeS/WAN (which may be downloaded separate from a vendor's version) will enjoy automatically encrypted and authenticated Net traffic (be it Web access, Telnet, file transfers, e-mail, Internet Relay Chat or Usenet feeds) if the machine they connect to is also equipped with FreeS/WAN.

"Whenever you connect to a machine that does support this kind of encryption, this box automatically encrypts all your packets, and decrypts the ones that come in," Gilmore has written. One advantage of opportunistic encryption is that it eases the work of system administrators who would otherwise have to manage the details and configuration of encryption. As well, FreeS/WAN's proponents hope that as their technology becomes more popular, the "fax effect" will come into play. "As each person installs one for their own use, it becomes more valuable for their neighbors to install one, too, because there's one more person to use it with," Gilmore has written. "The software automatically notices each newly installed box, and doesn't require a network administrator to reconfigure it."

There are commercial implementations of similar encryption technology at the Internet protocol level. RSA Data Security

came up with the term S/WAN, and allowed FreeS/WAN to incorporated it in its free software

version. One constant issue for FreeS/WAN is to ensure interoperability of its product with other technologies. Gilmore hopes that FreeS/WAN and associated security measures will move into the operating systems and networking protocol stacks of major vendors, although the vendors will have to figure out what they want to do given the restrictions posed by U.S. export controls.

"Anyone who runs Linux on a standalone PC will also be able to secure their network connections, without changing their application software or how they operate their computer from day to day," Gilmore writes.

Gilmore has written that FreeS/WAN would make good sense for businesses securing their networks. All a company would have to do is put two Ethernet cards into an IBM PC, install Linux on it, and plug it in between its Ethernet and its Internet link or firewall. "That's all they'll have to do to encrypt their Internet traffic everywhere outside their own local area network," Gilmore writes. As well, FreeS/WAN would suit the company's road warriors, allowing business travelers to who run Linux on their laptops to secure their connection back to their home network and to anywhere else that they connect to, such as customer sites.

However, with the United States and its allies making war against terrorists, authorities have set their sights on the worst kind of road warrior who might employ cryptography -- terrorists.

In the 1990s, law enforcers said they wanted the keys to cryptography, broadly speaking, to wage their battles against organized crime, drug dealers and pedophiles. But as a cause, cryptography remained strong as lawmakers and public opinion valued privacy more than making the job of police easier. Rather than fret about what lawbreakers could do with cryptography, people such as Briggs would extol the virtues of strong encryption that, for example, could assist human rights organizations that monitor oppressive governments so that their communications would not tip off regimes against their enemies.

The tide has turned. Says Sandy Harris: "A lot of fights we thought we had won are coming back."

For instance, just two days after the Sept.11 attacks, anchordesk.

com columnist David Coursey wrote: "Want to run my e-mail or telephone calls through some automated system that looks through key words and phrases? Go to it.

"I hope people who criticize the National Security Agency's Echelon, the FBI's Carnivore, and other electronic eavesdropping tools will appreciate the true nature of the threat to our way of life... I have a much greater fear of my government's enemies than of my government itself."

Almost two weeks later, Interactive Week columnist Randy Barrett wrote: "Our task... will require the use of every communications surveillance tool in our arsenal. Wireless, wireline, satellite and Internet communciations must all be monitored closely.

"Desperate times call for desperate measures," he continued. "I am willing to give up my own cyberprivacy for the greater good of stopping future terrorist acts and saving lives -- with one caveat. Government surveillance must be focused only on those suspected of planning or pertretating terrorist acts against the U.S. or its allies."

In the weeks since, the public willingness to give up privacy has not waned.

Nor is this new mood an exclusively American group-think.

A Gallup Canada poll conducted in mid-October indicated that almost three-quarters of Canadians think it more important for police to intercept communication between suspected terrorists than to protect the privacy of the public.

The Canadian government's anti-terrorism bill C-36 was subjected to considerably more scrutiny that its American counterpart which sped its way through passage. So far, privacy advocates are mixed as to whether the Canadian bill as drafted would set the stage for increased Canadian monitoring of domestic Internet communication.

"I do not expect the government to engage in widespread trawling randomly through everyone's telephone calls or Internet activities because that would be beyond any reasonable measure and certainly violate the Charter of Rights and Freedoms," says Michael Taylor, president of the Canadian advocacy group Online Privacy.

"The bill is supposed to be targeting terrorism, and anything attempting to piggyback other types of investigations such as organized crime or cyber crime, with the expanded powers to combat terrorism is an abuse of those powers granted in the name of combatting a specific threat," Taylor wrote in an e-mail interview.

However, FreeS/WAN's team members do not know what new circumstances might flow from the American legislation -- especially if it is found that terrorists made extensive use of encryption.

Reports vary on this point. Some experts asserted earlier this year, before Sept. 11, that Osama bin Laden employed steganography, a technology that allowed him to conceal messages in the pixels of graphic files posted on the Net. However, two separate FBI reports have stated that hijackers in the September attacks used throwaway, freebie e-mail accounts accessed from public libraries.

Ross Anderson, who leads the security group at the Cambridge University Computer Laboratory has commented at his Web site: "Only a stupid criminal will encrypt his traffic, as it will bring him to the attention of authority. The technologies the police ought to have been worried about are not 'encryption on the Internet' but things like pre-paid mobile phones.

"Al-Qaeda's communications security was fit for purpose, in that their attack took the agencies completely by surprise. It did not involve encryption. It did involve hiding messages -- among the zillions of innocuous e-mails that pass across the Internet each day."

Just the same, Richardson acknowledges that "FreeS/WAN could be used by anybody -- good, bad, or evil."

He and his colleagues speculate about what could happen if terrorists were found to have used their product. They wonder if Gilmore could be accused of aiding terrorists or be made to cut funding to the FreeS/WAN project. Briggs ventures that if Gilmore were so restrained, there are like-minded people outside the U.S. who would immediately step in and keep the project alive. Richardson says that he and other team members may now be a little more cautious about what they say on unecrypted telephones. "We're already cautious to the point of paranoia," he says.

Briggs says that since Sept. 11, he's grown more aware of the need to continue his work. He says that he was "disgusted" by the U.S. government's "need for retribution" in the weeks after the attacks. "If they really cared about cracking down on terrorism, maybe they shouldn't piss people off (through foreign policy)," he says.

Briggs and Richardson both fear that a full-court press on dissent in general is in the offing. "We knew 10 o'clock on Sept. 11 that this was going to be used as an excuse to remove freedoms, all sorts of freedoms that have nothing to do with what really happened," Richardson says.

"As recent events attest, there is a strong tendency in law enforcement to do exactly that -- such as searching every person who enters an airport, whether there is any reason to suspect them of a crime or not,'' Gilmore agrees.

"Whether we're talking about the U.S. Bush Administration, the U.S. Nixon Administration, or the legitimate governments of Burma, Mexico, or France, history clearly shows that if you hand those levers of power and control to high officials, many of them will use them to corrupt democracy, equal protection, and rule of law. When a society has to confront these problems, it's a much bigger deal and a much harder task than dealing with a few buildings smashed and a few thousand people dead.''

FreeS/WAN remains their contribution in what they see as a fight against a slippery slide from sanctioned wiretapping to a Big Brother state, unchecked by judicial oversight. Speaking broadly about efforts such as FreeS/WAN, Briggs says: "This is what keeps the government in check so they don't abuse their power."

© Copyright 2001 The Ottawa Citizen

About Us | Contact Us | Advertising | Privacy | Terms | FAQ | Site Map | Our Cities | U.S. Cities
Copyright © 2001 CanWest Interactive, a division of CanWest Global Communications Corp. All rights reserved.