By Jared Chausow
By Katie Toth
By Elizabeth Flock
By Albert Samaha
By Anna Merlan
By Jon Campbell
By Jon Campbell
By Albert Samaha
Gregg may not be content to stop at key escrow. In a Senate speech immediately after the attacks, he hinted that he wanted future cryptography products to be outfitted with "back doors"secret access points that only the National Security Agency could enter. The suggestion incenses cryptographers, who point out that intentional security holes would be exploited by parties other than the NSA. "Building systems where the ability for third parties to audit is a requirementparticularly third parties without participants knowing that auditing is taking placeis inherently dangerous," says Matt Curtin, a privacy expert and founder of the security consulting firm Interhack. "A system where the government can read communication is a system where terrorists can read communication."
This is not the government's first attempt to rein in cryptography. In 1997, a House committee approved a bill that would have banned the manufacture, distribution, or import of any encryption product that didn't include a back door. The bill never reached the full House, but the FBI has been keen to revive the matter ever since. Yet given the increasingly international flavor of the software market, Bruce Schneier, author of Applied Cryptography, believes such a crusade is misguided. "There are probably 1000 products that use strong cryptography in 100 countries," he says. "Banning them in the U.S. won't affect any of those. And people forget, cryptography also helps the good guys." It is encryption, after all, that makes secure transactions over the Internet possible, and the back-dooring of those products would mean a golden age for digital criminals. No crypto, no Amazon.com.
Pure cryptography is not the only privacy-enhancing tool that might face the wrath of security-minded legislators. "We were probably poised to have much better privacy protections, and I think this is going to create a lot of resistance," says Jamie Love, executive director of the Consumer Project on Technology. He foresees a backlash against programs that enable anonymous Web browsing, or perhaps an end to anonymous surfing on public-access terminals; the hijackers, after all, made use of library-based PCs in Florida. There is considerable worry in the world of anonymous remailers, which cleanse messages of identifying information before forwarding them to their intended recipients. Immediately following the attacks, Len Sassaman, a prominent remailer operator, posted a message to his fellow operators, explaining a common anxiety: "I don't want to get caught in the middle of this. I'm sorry. I'm currently unemployed and don't have the resources to defend myself. At this point in time, a free-speech argument will not gain much sympathy with the Feds, judges, and general public."
Privacy watchdogs also predict a mainstreaming of biometrics in response to September 11. Already familiar to fans of spy thrillers, biometric technology measures physical characteristicshand geometry, iris patternsin order to authenticate a person's identity. Such a system was recently installed at London's Heathrow Airport, where selected transatlantic travelers can bypass conventional customs queues by having their eyes scanned. If an iris scanner could be correlated with a database of suspected terrorists, perhaps the hijackers would have been nabbed before carrying out their ghoulish plans. Instead, they were able to evade detection with forged or stolen paper documents, the kind of fake IDs that are within the reach of even the pettiest thieves.
"What our technology can do is it can eliminate badges and PIN numbers and those kinds of devices that are easily lost or stolen," says Tom Colatosti, president of Viisage Technologies, which makes a facial recognition system. Both the Tampa police and Viisage came under fire this past January, when the company's face scanner was used to check the Super Bowl crowd for known felons. But in light of the attacks, the criticism has been replaced with a keen interest from safety-conscious corporations. "In a typical day, we would get one or two callsfor the most part, we were calling people, trying to interest them in our technology," says Colatosti. "But certainly this week it's been hundreds and hundreds and hundreds, from every corner of the globe and [about] every imaginable application."
It is the archiving of biometric data that especially troubles privacy advocates. If biometric systems become ubiquitous in airports and office buildings, the government could soon have a database of everyone's physical markers. "We focus too much on the initial acquisition of information, and too little on what happens to that information after it's been collected," says Harold Krent, a professor at the Chicago-Kent School of Law. He believes that privacy laws must be formulated that mandate the destruction of biometric data after a certain period, lest that information be abused by overzealous authorities.
But for the moment, such concerns are bound to sound like ivory-tower prattling to many Americans. And most cyber-libertarians understand that they'll have to compromise, at least in the short run. "Privacy advocates are going to have to say, Things have changed in terms of what's realistic," says Love. "It's not whether or not the government is going to have the right to snoop and things like that. I think it's going to be things like, What are the accompanying safeguards that minimize the amount of problems that predictably happen?" The geeks accept that they'll have to contend with some Orwellian flourishes in their techno-paradise, but for how long? When will the terrorist threat finally be declared over, and things can return to "normal"?