Department of Electrical Engineering and Computer Science, University of Wisconsin-Milwaukee, WI 53201-0784, U.S.A., e-mail: desmedt@cs.uwm.edu
Yvo Desmedt
Weiser's vision about computers in the next century is that they will be ubiquitous, and in MIT's Media Lab project, called Things That Think, they will be embedded in such objects as shoes, belt buckles, tie clasps, etc. In this paper we explain how covert technology, such as covert channels, covert sensors and covert computing, facilitates the setup of Big Brother, for example in a society where computers are ubiquitous. Detecting the absence of covert hardware and covert software is actually undecidable, and cryptography alone seems inadequate to protect against the abuse of covert technology, extending the work of Anderson regarding the limitations of cryptography. Also, the use of covert technology to protect copyright can be abused to suppress freedom of expression.
skiers will get electronic IDs instead of lift tickets. ... sensors around the resort ... will keep track of where visitors are at any given moment and eventually, automatically route telephone calls to the nearest phone ... The devices will communicate with one another through a ``body net,'' a weak electric current sent through the wearer's body, and, via radio, with other computers placed in the ``environment'' -- which means virtually anywhere.

It is clear that the above example is a variant of the Olivetti Cambridge research laboratory employee I.D. card [24], but there are several differences that are important in our context. The Olivetti Cambridge I.D. is a badge, while MIT's is hidden in clothing such as shoes. This implies, for example, that the Olivetti Cambridge one can easily be removed, while not everybody wants to run around without shoes! Another property of Things That Think which should further be noted is that [23]:
using batteries or beaming in remote power is frequently unacceptable. We are developing the materials and mechanisms to recover the watts of energy discarded by a person (for example, by walking) and use this to power personal systems.
Our paper has two goals. The first is to state that the appropriate combination of modern covert (embedded) channels, covert hardware, covert computation, covert sensors, and covert computer viruses can be used by Big Brother against society at large. Traditionally the threat of covert (embedding) techniques has focused on covert communication from man to man with computers as potential media (as cover). We will see that machine-to-man communication based on the combination of different covert techniques can pose even larger threats (as a cover). The second goal of our paper is to be a black paper against Things That Think and, to a certain extent, a black paper against Ubiquitous Computing, by demonstrating that these dramatically facilitate the setup of Big Brother. We will additionally see that cryptographic protection alone is inadequate against such threats. In some sense this adds a new chapter to the work by Anderson, who has demonstrated that cryptography is not enough to obtain security [1].
Let us now overview the organization of this paper. Several known and not so well-known technologies that allow one to hide information are overviewed in Section 2. In Section 3 we discuss how Big Brother could use covert technology to achieve covert identification of a fraction of the population and/or how to monitor their behavior. This fraction will increase depending on how popular Things That Think become. We also discuss how techniques to copyright digital objects may be used by Big Brother to suppress freedom of expression. We conclude in Section 4.
Not only can information be hidden, but also the processing of information, and this might have worse consequences for society. This can occur on a software or on a hardware level. On a hardware level a chip may have been designed purposely to perform differently (on occasion or on demand) than specified in the specifications of the chip (see, e.g., [5]). Although it may seem easy to detect that the hardware is different from the specified one, the problem is actually undecidable [9, p. 281]. On a software level one speaks about covert computation, which is a computation of which the legitimate users/owners of an unmodified computer are unaware (see, e.g., [17,13,25]). Clearly it is undecidable as well to detect whether a program is free of covert computation. The effects of covert hardware and covert software are similar, but a covert computation on a hardware level moreover affects non-programmable chips. In both cases, the covert processing capability could have been planned by the designer of the hardware/software or could have been installed by a third party, using for example a computer virus targeting only the CAD program/operating system used to develop the chip/software [5]. The result of this covert processing can be transmitted to its intended destination encrypted and/or using covert channels.
Covert hardware is not only important in the context of computation, but also in the context of covert sensors. Is the hardware able to act as a sensor when it should not, or is the hardware able to perform a non-specified sensor function which it should not? An illustration of covert sensors is given in Section 3.
First, any technique using covert channels to copyright digital objects may be used to covertly trace the author or distributor of a document, e.g. in some country where there is no free press. To realize this, the program that prints the data could run a covert subroutine (see Section 2) that covertly inserts the login name (or full identification if possible) of the person who prints the data. Clearly, a higher resolution of the printout (nowadays 600 dpi printers are quite common) gives the potential covert channel a higher bandwidth [11]. A variant scenario to accomplish covert identification relies on the fact that data itself is often a program and that programs can be fingerprinted to protect copyright. PostScript data, LaTeX files, etc., are such illustrations. Moreover, such data is often converted from one format to another. The editor, the text processor, the data converter, the e-mail program, etc. can all be used to covertly fingerprint the data to identify the author of documents which are supposed to be anonymous. (Clearly, encryption techniques should be used to prevent the name of the author from being readable in the clear.)
The next two methods are related to the ideas of Things That Think and ubiquitous computing. As Weiser pointed out [24, p. 94], writing is ubiquitous, e.g., in ``books, magazines, newspapers, ..., street signs, billboards, shop signs ....'' He predicts that next century computers will be too. In this context, we can indeed envision that in the future books will have a chip embedded in the cover to give the buyer access to a private multimedia environment while maintaining copyright, in a similar way as chip cards do today. To interact with their environment, communication equipment, such as an antenna, will be in the cover of the book.
Suppose that an agency wants to find out, secretly, who buys books about a topic considered of interest to national security. Covert hardware could be used to reach this goal to a certain extent. The Global Positioning System (GPS) [18] allows pinpointing one's location with an accuracy of a few meters. Since the aforementioned hardware has a built-in antenna, it may be used to obtain the positioning of the book on earth, and the covert hardware would compute the location. So the antenna and the covert hardware become a covert sensor. The positioning information may be covertly transmitted when the book is used in its multimedia context. This may enable one to trace the location of the owner. Observe that in countries where one has to register where one lives, this identifies the owner of the book. In several European countries this mandatory registration is enforced in several ways. (The use of GPS to identify oneself purposely was proposed in [3].)
Our next illustration is similar to the last one. Instead of using chips embedded in the cover of a book, we use the Things That Think scenario in which chips are in sneakers, belt buckles, tie clasps, etc. We also use the GPS system in this example, and if enough chips are at fixed locations in the ``environment'' a higher accuracy can be achieved than with normal GPS, and the need to rely on GPS can be diminished. It should be noted that a global position (with a precision of 2 meters) only requires 6 bytes, as one can easily verify. This means that it only takes roughly 1.5 Gbytes to store the global positioning of the whole U.S. population (approximately 250 million), while an inexpensive 8 mm ``videotape'' can store (roughly) 5 Gbytes. If one is not interested in recording such travel as commuting between home and work, but only in tracking who travels further away and to where, and who approaches sensitive locations which may be targets for terrorist activities or places where one can buy material to make bombs, etc., then the data can easily be compressed significantly. The things-that-think need communication equipment, as mentioned in Section 1. So they could covertly sense the position of their bearer, as explained in the previous example, and covertly transmit it to the computers in the ``environment''. These send the data to their intended destination and/or could replace the need to rely on GPS. If the things-that-think know the identity of their bearer (as in the examples we overviewed in Section 1), the identification is straightforward; otherwise it might be deduced by correlating the data with other databases.
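The byte counts above can be checked as follows (an added derivation, not from the original paper, assuming an Earth radius of about 6371 km):

$$A = 4\pi R^2 \approx 4\pi\,(6.371\times 10^{6}\ \mathrm{m})^2 \approx 5.1\times 10^{14}\ \mathrm{m}^2$$

$$N = \frac{A}{(2\ \mathrm{m})^2} \approx 1.3\times 10^{14}\ \text{cells}, \qquad \log_2 N \approx 46.9\ \text{bits} \le 48\ \text{bits} = 6\ \text{bytes}$$

$$250\times 10^{6}\ \text{persons} \times 6\ \text{bytes} = 1.5\times 10^{9}\ \text{bytes} \approx 1.5\ \text{Gbytes}$$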
Even if one travels to remote locations that do not have an abundance of ubiquitous computers, at regular time intervals the things-that-think could store the exact position of the bearer in compressed form and transmit it at a later time. It is clear that the sooner a high-bandwidth network is installed and the more omnipresent computers become, the more frequently the global position of persons can be updated. This then facilitates the more detailed monitoring of individuals. Traffic monitoring, which nowadays mainly monitors who communicates electronically with whom, can then be extended to its full power.
The scenario worsens if one takes into consideration that modern technology, after a while -- when it is no longer an expensive exclusivity -- replaces the old, and the old technology is no longer produced, even if the new has several disadvantages. Indeed, the reliable and powerful Saturn V rocket (which placed a man on the moon, i.e. roughly 380,000 kilometers from earth) was replaced by the more expensive Space Shuttle (which can only travel to a few hundred kilometers from earth [6]). Also, commercial vacuum tube based radio sets are no longer produced, even though these are more resistant against EMP [14,22] than the transistor based ones. So, if ubiquitous computing and Things That Think become more popular they will replace old technology, so that it becomes unavoidable to wear clothing with chips, which may enable covert identification.
We remark that the authors of Things That Think [23] are somewhat aware of privacy related issues:
As more and more things develop a sense of identity, it will be important to define standards for thingness ... The issue of standards is connected to the many cryptographic questions associated with guaranteeing privacy, security, and authenticity for communications and commerce.
Modern cryptography is not able to solve the several issues related to covert technology, such as covert hardware and covert computation. Moreover, not every type of cryptosystem provides the desired privacy. If no freshness is used and if the monitoring agency is willing to give up accuracy, then the encrypted data will leak whether a person is traveling away from home or not, and how often a person travels to a certain (but unknown) destination. Moreover, even if cryptography did protect privacy, one may wonder whether the cryptographic protection will be escrowed [2,15,4], covertly escrowed, or escrow-free.
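The freshness point above, as an added example that is not part of the original paper: nightly 6-byte position records are encrypted with a stream cipher, once with a fixed nonce and once with a fresh random nonce per record, and an observer who sees only ciphertexts counts repetitions. The cipher (HMAC-SHA256 in counter mode), the key and the sample positions are all constructed for the illustration.

```python
import hmac, hashlib, os
from collections import Counter

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, a stand-in for a stream cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes, nonce: bytes) -> bytes:
    """The 12-byte nonce is sent in the clear; the body is plaintext XOR keystream."""
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:12], ciphertext[12:]
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))

def encrypt_log(key: bytes, cells: list, fresh: bool) -> list:
    """fresh=False reuses one fixed nonce (no freshness); fresh=True draws a random
    nonce per record, so equal positions give unequal ciphertexts."""
    fixed = bytes(12)
    return [encrypt(key, c, os.urandom(12) if fresh else fixed) for c in cells]

def observer_view(ciphertexts: list) -> dict:
    """What a monitoring agency learns from the ciphertexts alone: the frequency
    profile of the records. Without freshness this reveals how many nights were
    spent away from the commonest cell and how often each other cell recurs,
    although no cell identifier is ever recovered."""
    counts = sorted(Counter(ciphertexts).values(), reverse=True)
    return {"distinct": len(counts), "visit_counts": counts,
            "nights_away": len(ciphertexts) - counts[0]}

# Constructed sample: ten nightly 6-byte position cells of one bearer (made-up values).
HOME = (0x1A2B3C4D5E6F).to_bytes(6, "big")
TOWN_A = (0x0F0E0D0C0B0A).to_bytes(6, "big")
TOWN_B = (0x00C0FFEE1234).to_bytes(6, "big")
NIGHTLY_CELLS = [HOME, HOME, TOWN_A, HOME, HOME, TOWN_B, HOME, TOWN_A, HOME, HOME]

if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo key").digest()
    print("no freshness :", observer_view(encrypt_log(key, NIGHTLY_CELLS, fresh=False)))
    print("fresh nonces :", observer_view(encrypt_log(key, NIGHTLY_CELLS, fresh=True)))
```

With the fixed nonce the observer sees three distinct ciphertexts with counts 7, 2 and 1, i.e. three nights away and one destination visited twice; with fresh nonces every record looks different and the profile is flat.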
The translation was initiated by Dr. Yvo Desmedt on 3/10/1999