Department of Electrical Engineering and Computer Science, University of Wisconsin-Milwaukee, WI 53201-0784, U.S.A., e-mail: desmedt@cs.uwm.edu

Establishing Big Brother using covert channels and other covert techniques

Yvo Desmedt

Abstract:

Weiser's vision about computers in the next century is that they will be ubiquitous and in MIT's Media Lab project, called Things That Think, they will be embedded in such objects as shoes, belt buckles, tie clasps, etc. In this paper we explain how covert technology, such as covert channels, covert sensors and covert computing facilitates the set up of Big Brother, for example in a society where computers are ubiquitous. Detecting the absence of covert hardware and covert software is actually undecidable and cryptography alone seems inadequate to protect against the abuse of covert technology, extending the work of Anderson regarding the limitations of cryptography. Also, the use of covert technology to protect copyright can be abused to suppress freedom of expression.

1 Introduction

In September 1995, Fred Guterl reported about MIT's Media Lab project called Things That Think [7] (see also [23]), which is a generalization of ubiquitous computing [24]. The idea is to put sensors and microcomputers in objects, in particular clothes, e.g. in "sneakers, belt buckles, tie clasps, and wristwatches" [7, p. 44]. These chips would communicate among themselves and with sensors. They would for example allow a user to be identified when arriving in the lobby of a hotel, and "the elevator knows which floor to take him to, and the door to his room swings open as if by magic when he approaches" [7, p. 44]. Additionally, [7, p. 44]:
skiers will get electronic IDs instead of lift tickets. ... sensors around the resort ... will keep track of where visitors are at any given moment and eventually, automatically route telephone calls to the nearest phone ... The devices will communicate with one another through a "body net," a weak electric current sent through the wearer's body, and, via radio, with other computers placed in the "environment" -- which means virtually anywhere.
It is clear that the above example is a variant of the Olivetti Cambridge research laboratory employee I.D. card [24], but there are several differences that are important in our context. The Olivetti Cambridge I.D. is a badge, while MIT's is hidden in clothing such as shoes. This implies for example that the Olivetti Cambridge one can easily be removed, while not everybody wants to run around without shoes! Another property of Things That Think which should further be noted is that [23]:
using batteries or beaming in remote power is frequently unacceptable. We are developing the materials and mechanisms to recover the watts of energy discarded by a person (for example, by walking) and use this to power personal systems.

Our paper has two goals. The first is to state that the appropriate combination of modern covert (embedded) channels, covert hardware, covert computation, covert sensors and covert computer viruses can be used by Big Brother against society at large. Traditionally the threat of covert (embedding) techniques has focussed on covert communication from man-to-man with computers as potential media (as cover). We will see that machine-to-man communication based on the combination of different covert techniques can pose even larger threats (as a cover). The second goal of our paper is to be a black paper against Things That Think and to a certain extent a black paper against Ubiquitous Computing, by demonstrating that these dramatically facilitate the set up of Big Brother. We will additionally see that cryptographic protection alone is inadequate against such threats. In some sense this adds a new chapter to the work by Anderson who has demonstrated that cryptography is not enough to obtain security [1].

Let us now overview the organization of this paper. Several known and not so well-known technologies that allow one to hide information are overviewed in Section 2. In Section 3 we discuss how Big Brother could use covert technology to achieve covert identification of a fraction of the population and/or how to monitor their behavior. This fraction will increase depending on how popular Things That Think get to be. We also discuss how techniques to copyright digital objects may be used by Big Brother to suppress freedom of expression. We conclude in Section 4.

2 Covert techniques

In this section we overview known and not so well-known covert (embedding) techniques. The classical methods to hide information through covert channels [12], e.g., by timing channels, are only one of many other techniques to hide information. The most classical ones, but now outdated in a digital age, are invisible inks. Traditionally covert channels have been studied within a multilevel computer [8,16] but covert channels are also possible between computers. For example, computer viruses have been suggested for hiding communication [25], since a "well" designed virus must have covert properties to avoid detection. In general, covert transmission can be between two devices, and techniques ranging from well known electrical engineering principles to advanced mathematics can be used. Of the last approach Simmons' subliminal channel technique [19,21,20] is an illustration.

Not only can information be hidden but also the processing of information and this might have worse consequences to society. This can occur on a software or a hardware level. On a hardware level a chip may have been designed purposely to perform differently (on occasion or on demand) than specified in the specifications of the chip (see, e.g., [5]). Although it may seem easy to detect that the hardware is different than the specified one, the problem is actually undecidable [9, p. 281]. On a software level one speaks about covert computation, which is a computation of which the legitimate users/owners of an unmodified computer are unaware (see, e.g. [17,13,25]). Clearly it is undecidable as well to detect whether a program is free of covert computation. The effects of covert hardware and covert software are similar, but a covert computation on a hardware level affects moreover non-programmable chips. In both, the covert processing capability could have been planned by the designer of the hardware/software or could have been installed by a third party, using for example a computer virus only targeting the CAD program/operating system used to develop the chip/software [5]. The result of this covert processing can be transmitted to its intended destination encrypted and/or using covert channels.

Covert hardware is not only important in the context of computation, but also in the context of covert sensors. Is the hardware able to perform the role of a sensor when it should not, or is the hardware able to perform a non-specified sensor function which it should not? An illustration of covert sensors is given in Section 3.

3 Covert identification

 We discuss three methods in which covert techniques can be used to covertly identify a certain part of the population and/or to monitor their behavior.

First, any technique using covert channels to copyright digital objects may be used to covertly trace the author or distributor of a document, e.g. in some country where there is no free press. To realize this, the program that prints the data could run a covert subroutine (see Section 2) that covertly inserts the login name (or full identification if possible) of the person who prints the data. Clearly, a higher resolution of the printout (nowadays 600 dpi printers are quite common) induces a higher bandwidth of the potential covert channel [11]. A variant scenario to accomplish covert identification relies on the fact that data itself is often a program and that programs can be fingerprinted to protect copyright. PostScript data, LaTeX files, etc., are such illustrations. Moreover such data is often converted from one format to another. The editor, the text-processor, the data converter, the e-mail program, etc. can all be used to covertly fingerprint the data to identify the author of documents which are supposed to be anonymous. (Clearly, encryption techniques should be used to prevent the name of the author from being readable in the clear.)

The next two methods are related to the ideas of Things That Think and ubiquitous computing. As Weiser pointed out [24, p. 94] writing is ubiquitous, e.g., in "books, magazines, newspapers, ..., street signs, billboards, shop signs ...." He predicts that next century computers will be too. In this context, we can indeed envision that in the future books will have a chip embedded in the cover to give the buyer access to a private multimedia environment while maintaining copyright, in a similar way as chipcards do today. To interact with their environment, communication equipment, such as an antenna, will be in the cover of the book. Suppose that an agency wants to find out, secretly, who buys books about a topic considered of interest to national security. Covert hardware could be used to reach this goal to a certain extent. The Global Positioning System (GPS) [18] allows pinpointing one's location with an accuracy of a few meters. Since the aforementioned hardware has an antenna built-in, it may be used to obtain the positioning of the book on earth and the covert hardware would compute the location. So the antenna and the covert hardware become a covert sensor. The positioning information may be covertly transmitted when the book is used in its multimedia context. This may enable one to trace the location of the owner. Observe that in countries where one has to register where one lives, this identifies the owner of the book. In several European countries this mandatory registration is enforced in several ways. (The use of GPS to identify oneself purposely was proposed in [3].)

Our next illustration is similar to the last one. Instead of using chips embedded in the cover of a book, we use the Things That Think scenario in which chips are in sneakers, belt buckles, tie clasps, etc. We also use the GPS system in this example and if enough chips are at fixed locations in the "environment" a higher accuracy can be achieved than with normal GPS and the need to rely on GPS can be diminished. It should be noted that a global positioning (with a precision of 2 meters) only requires 6 bytes, as one can easily verify. This means that it only takes roughly 1.5 Gbytes to store the global positioning of the whole U.S. population (approximately 250 million) while an inexpensive 8 mm "videotape" can store (roughly) 5 Gbytes. If one is not interested in recording such travel as commuting between home and work, but only to track who travels further away and to where, and who approaches sensitive locations which may be targets for terrorist activities or places where one can buy material to make bombs, etc., then the data can easily be compressed significantly. The things-that-think need communication equipment, as mentioned in Section 1. So they could covertly sense the positioning of their bearer, as explained in the previous example, and covertly transmit it to the computers in the "environment". These send the data to their intended destination and/or could replace the need to rely on GPS. If the things-that-think know the identity of their bearer (as in the examples we overviewed in Section 1), the identification is straightforward, otherwise it might be deduced when correlating the data with other databases.
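The 6-byte figure can be checked with the following added example, which is not part of the original paper. It assumes a spherical Earth and one possible encoding (24 bits of latitude plus 24 bits of longitude); the function names and sample points are constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000   # mean Earth radius (assumed spherical model)
BITS = 24                    # 24 bits latitude + 24 bits longitude = 6 bytes
STEPS = 1 << BITS

def pack_position(lat_deg, lon_deg):
    """Quantize a latitude/longitude pair into exactly 6 bytes."""
    lat_q = min(STEPS - 1, int((lat_deg + 90.0) / 180.0 * STEPS))
    lon_q = min(STEPS - 1, int((lon_deg + 180.0) / 360.0 * STEPS))
    return lat_q.to_bytes(3, "big") + lon_q.to_bytes(3, "big")

def unpack_position(record):
    """Return the centre of the grid cell stored in a 6-byte record."""
    lat_q = int.from_bytes(record[:3], "big")
    lon_q = int.from_bytes(record[3:], "big")
    return ((lat_q + 0.5) / STEPS * 180.0 - 90.0,
            (lon_q + 0.5) / STEPS * 360.0 - 180.0)

def distance_m(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points, in metres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def worst_error_m(points):
    """Largest round-trip (pack, then unpack) error over the sample points."""
    return max(distance_m(p, unpack_position(pack_position(*p))) for p in points)

def storage_bytes(population):
    """One 6-byte position record per person."""
    return population * len(pack_position(0.0, 0.0))

# Constructed sample points (not from the paper).
SAMPLES = [(43.0389, -87.9065), (0.0, 179.9999), (-33.8688, 151.2093), (89.9, 10.0)]

if __name__ == "__main__":
    print(f"worst round-trip error: {worst_error_m(SAMPLES):.2f} m")
    print(f"250 million records: {storage_bytes(250_000_000) / 1e9:.1f} GB")
```

With 24 bits per axis the grid step is about 1.2 m in latitude and at most about 2.4 m in longitude (at the equator), so the cell centre is always within 2 m of the true position.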

Even if one travels to remote locations that do not have an abundance of ubiquitous computers, at regular time intervals the things-that-think could store the exact positioning of the bearer under compressed form and transmit this at a later time. It is clear that the sooner a high bandwidth network is installed and the more omnipresent computers become, the more frequently the global positioning of persons can be updated. This then facilitates the more detailed monitoring of individuals. Traffic monitoring which nowadays mainly monitors who communicates electronically with whom can then be extended to its full power.

The scenario worsens if one takes into consideration that modern technology replaces after a while -- when it is no longer an expensive exclusivity -- the old and the old technology is no longer produced, even if the new has several disadvantages. Indeed, the reliable and powerful Saturn V rocket (which placed a man on the moon, i.e. roughly 380,000 kilometers from earth) was replaced by the more expensive Space Shuttle (which can only travel to a few hundred kilometers from earth [6]). Also, commercial vacuum tube based radio sets are no longer produced, even though these are more resistant against EMP [14,22] than the transistor based ones. So, if ubiquitous computing and Things That Think become more popular they will replace old technology such that it will be inevitable to wear clothing with chips, which may enable covert identification.

We remark that the authors of Things That Think [23] are somewhat aware of privacy related issues:

As more and more things develop a sense of identity, it will be important to define standards for thingness ... The issue of standards is connected to the many cryptographic questions associated with guaranteeing privacy, security, and authenticity for communications and commerce.

Modern cryptography is not able to solve the several issues related to covert technology such as covert hardware and covert computation. Moreover, not every type of cryptosystem provides the desired privacy. If no freshness is used and if the monitoring agency is willing to give up accuracy, then the encrypted data will leak whether a person is traveling away from home or not, and how often a person travels to a certain (but unknown) destination. Moreover, even if cryptography would protect the privacy one can wonder whether the cryptographic protection will be escrowed [2,15,4], covertly-escrowed, or escrow-free?
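The leak caused by missing freshness is shown in the following added example, which is not part of the original paper. It assumes that positions are reported as coarse grid cells and uses an HMAC-based XOR keystream as a stand-in for a real cipher; the trace, key and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

def coarse_cell(lat, lon, cell_deg=0.1):
    """Coarse grid cell as 4 bytes: nearby readings map to the same plaintext."""
    row = int((lat + 90.0) / cell_deg)
    col = int((lon + 180.0) / cell_deg)
    return row.to_bytes(2, "big") + col.to_bytes(2, "big")

def xor_keystream(key, nonce, data):
    """Toy stream cipher (assumption: stands in for a real cipher or AEAD)."""
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

def encrypt_no_freshness(key, record):
    """Deterministic: the same cell always yields the same ciphertext."""
    return xor_keystream(key, b"", record)

def encrypt_fresh(key, record):
    """A random nonce per record makes equal plaintexts look unrelated."""
    nonce = os.urandom(12)
    return nonce + xor_keystream(key, nonce, record)

def observer_view(ciphertexts):
    """What an eavesdropper without the key learns from ciphertext equality."""
    counts = Counter(ciphertexts).most_common()
    home_count = counts[0][1]                  # most frequent value, assumed "home"
    repeat = counts[1][1] if len(counts) > 1 else 0
    return {"distinct": len(counts),
            "records_away": len(ciphertexts) - home_count,
            "repeat_destination_visits": repeat}

# Constructed ten-day trace: 6 readings at home (H), 3 at one
# destination (A), 1 at another (B). Readings jitter inside their cell.
H1, H2, H3 = (43.04, -87.95), (43.05, -87.96), (43.06, -87.94)
A1, A2 = (41.88, -87.63), (41.87, -87.64)
B1 = (44.98, -93.27)
TRACE = [H1, H2, A1, H3, H1, A2, H2, B1, A1, H3]

if __name__ == "__main__":
    key = b"constructed demo key, not a secret"
    plain = [coarse_cell(*p) for p in TRACE]
    print("no freshness:", observer_view([encrypt_no_freshness(key, r) for r in plain]))
    print("with nonce:  ", observer_view([encrypt_fresh(key, r) for r in plain]))
```

Without freshness the observer counts four records away from home and three visits to the same unknown destination; with a per-record nonce every ciphertext is distinct and the equality pattern disappears.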

4 Conclusion

We conclude by saying that modern chips are much too powerful and have so many transistors (several million [10, p. 61] nowadays) that using them in a ubiquitous way may pose an extreme danger to society, in particular it makes Orwell's 1984 Big Brother scenario technologically feasible in the next century. One should definitely restrict the use of chips in such articles as sneakers, belt buckles, tie clasps, books, magazines, newspapers, street signs, billboards, shop signs, etc. and if an item contains a chip, it should be clearly labeled. The question as to how one can guarantee that the few chips being used do not have covert technology, is not easy to answer. The development of covert technology to protect the right of individuals, such as copyright, may backfire and be used against individuals.

Acknowledgement

The author thanks Jean-Jacques Quisquater (University of Louvain) for having informed the author, before the author was working on subliminal channels, about the technology of flexible antenna and to point out that these fit into a cover of a book. The author also thanks him, Mike Burmester (University of London), Toshiya Itoh (Tokyo Institute of Technology), Kouichi Sakurai (Kyushu University), Gus Simmons, and Moti Yung (IBM) for several discussions about covert channels. He also thanks Moti Yung for pointing out the work of Mark Weiser.

References

1
Anderson, R.:
Why cryptosystems fail.
In Proceedings of the 1st ACM Conference on Computer and Communications Security (November 3-5, 1993) pp. 215-227

2
Beth, T.: Zur Sicherheit der Informationstechnik.
Informatik-Spektrum 13 (1990) 204-215

3
Beth, T., Desmedt, Y.:
Identification tokens -- or: Solving the chess grandmaster problem.
In Advances in Cryptology -- Crypto '90, Proceedings (Lecture Notes in Computer Science 537) (1991) A. J. Menezes and S. A. Vanstone, Eds. Springer-Verlag pp. 169-176

4
A proposed federal information processing standard for an escrowed encryption standard (EES).
Federal Register July 30, 1993

5
Desmedt, Y.:
Is there an ultimate use of cryptography?
In Advances in Cryptology, Proc. of Crypto '86 (Lecture Notes in Computer Science 263) (1987) A. Odlyzko, Ed. Springer-Verlag pp. 459-463

6
Encyclopedia of science & technology.
McGraw-Hill New York 1992

7
Guterl, F.: Personal tech: Reinventing the PC.
Discover 16 (1995) 42-47

8
Haigh, J. T., Kemmerer, R., McHugh, J., Young, W. D.: An experience using two covert channel analysis techniques on a real system design.
IEEE Transactions on Software Engineering SE-13 (1987) 157-168

9
Hopcroft, J. E., Ullman, J. D.:
Introduction to automata theory, languages, and computation.
Addison-Wesley Reading, MA 1979

10
Hutcheson, G. D., Hutcheson, J. D.: Technology and economics in the semiconductor industry.
Scientific American 274 (1996) 54-62

11
Kurak, C., McHugh, J.:
A cautionary note on image downgrading.
In Proceedings of the 8th Computer Security Applications Conference (December 1992)

12
Lampson, B. W.: A note on the confinement problem.
Comm. ACM 16 (1973) 613-615

13
Lenstra, A. K., Manasse, M. S.:
Factoring by electronic mail.
In Advances in Cryptology, Proc. of Eurocrypt '89 (Lecture Notes in Computer Science 434) (1990) J.-J. Quisquater and J. Vandewalle, Eds. Springer-Verlag pp. 355-371

14
Lerner, E. J.: Electromagnetic pulses: potential crippler.
IEEE Spectrum 18 (1981) 41-46

15
Micali, S.:
Fair public-key cryptosystems.
In Advances in Cryptology -- Crypto '92, Proceedings (Lecture Notes in Computer Science 740) (1993) E. F. Brickell, Ed. Springer-Verlag pp. 113-138

16
Porras, P. A., Kemmerer, R. A.:
Covert flow trees: a technique for identifying and analyzing covert storage channels.
In Proc. of the 1991 IEEE Symposium on Security and Privacy (May 1991) IEEE Computer Society Press pp. 36-51

17
Quisquater, J.-J., Desmedt, Y. G.: Chinese lotto as an exhaustive code-breaking machine.
Computer 24 (1991) 14-22

18
Ramsey, N. F.: Precise measurement of time.
American Scientist 76 (1988) 42-49

19
Simmons, G. J.:
The prisoners' problem and the subliminal channel.
In Advances in Cryptology. Proc. of Crypto 83 (1984) D. Chaum, Ed. Plenum Press N.Y. pp. 51-67

20
Simmons, G. J.: Subliminal channels; past and present.
European Trans. on Telecommunications 5 (1994) 459-473

21
Simmons, G. J.:
Subliminal communication is easy using the DSA.
In Advances in Cryptology -- Eurocrypt '93, Proceedings (Lecture Notes in Computer Science 765) (1994) T. Helleseth, Ed. Springer-Verlag pp. 218-232

22
Teller, E.: Electromagnetic pulses from nuclear explosions.
IEEE Spectrum (1982) 65

23
The TTT vision.
http://ttt.www.media.mit.edu/vision.html

24
Weiser, M.: The computer for the 21st century.
Scientific American 265 (1991) 94-104

25
White, S. R.:
Covert distributed processing with computer viruses.
In Advances in Cryptology -- Crypto '89, Proceedings (Lecture Notes in Computer Science 435) (1990) G. Brassard, Ed. Springer-Verlag pp. 616-619

The translation was initiated by Dr. Yvo Desmedt on 3/10/1999

