Keeping Up in the Fine Art of Eavesdropping

Modern electronic encryption has thrown the FBI a curve.

When the agency gets permission to tap phone calls of suspected criminals, conversations come through loud and clear.

But when crimebusters eavesdrop on the Internet, today's encryption technology can make electronic communications look about like this: @3*76#^&!#4.

And such communications would probably go undeciphered, even if intercepted by the FBI. FBI officials say flatly that laws in the United States do not enable their agency to keep up with burgeoning private use of the newest encryption technology.

As a result, the FBI and other US law-enforcement agencies are lobbying for legal changes that would allow them to monitor encrypted messages of suspected criminals. The Clinton administration has sought such access in a draft bill, but it died in Congress. Legislation has been stymied partly because of the complexity of encryption technology.

But the FBI's efforts are putting it squarely at odds with privacy advocates, who argue that the government is seeking overly broad eavesdropping powers. And the international community is weighing in as well with concerns about American law enforcement's ability to listen in on communications in other countries.

Big brother

Theodore Ts'o, a computer security expert at the Massachusetts Institute of Technology in Cambridge, Mass., says that the investigative powers the government is seeking over the Internet are too broad. ''They would amount to the right to fishing expeditions,'' Mr. Ts'o says.

In addition, business use of the Internet is exploding, and business wants the means to use secure communications. A whole industry is blooming to develop and market sophisticated encryption methods.

But the FBI argues that the Internet and its wizard-like technology has left law enforcement with a gaping information void.

FBI officials say phone wiretaps have proved essential in cracking some major criminal cases. Successful cases against the Mafia in recent years would not have been possible without them, they say.

And a case pending in New York illustrates that criminals are already using the Internet and that courts will grant the government wiretapping access to Internet communications.

Three suspects were arrested by federal authorities last month after their Internet mail was monitored under court order in 1995. The suspects are charged with conspiracy to sell illegal cellular-phone equipment that is of particular use to drug dealers. The communications were not encrypted, said Eric Friedberg, chief of the narcotics division of the US Attorney's office in Brooklyn.

Modern electronic cryptography was developed at Stanford University in Palo Alto, Calif., in the 1970s and enhanced at MIT, according to Ronald Rivest, a professor at MIT who teaches a course on the subject and had a hand in its development. Such software programs utilize repetitive calculations of algorithms to create a pair of unique electronic ''keys'' for every user.

Message recipients make their public keys available to anyone who might send them encoded messages, sometimes by posting them on the Internet. The sender uses this public key to encode messages to the recipient. The recipient decodes the message with his private key. Without the corresponding private key, though, anyone trying to decode an encrypted message would have to do an impossibly exhaustive number of calculations.

What law-enforcement agencies want is a way to access private keys when they can convince a court that a wiretap is justified.

How law enforcement might eventually be brought in from the Internet dark is an open question, says Jim Clark, president of Netscape Communications Corp. of Mountain View, Calif., which sells its own security software package for Internet users.

Keeper of the keys

One arrangement under discussion, Mr. Clark says, would be to pass legislation requiring that keys to all encryption software be deposited with a ''disinterested'' third party and be available through court order.

But who or what that third party might be is not clear. And in any case, criminals relying on encryption would be unlikely to turn over their keys.

The Internet's global reach also poses significant challenges. Representatives of governments and businesses met in Paris recently and agreed to work on encryption guidelines - such issues as key complexity, who might be the third-party escrow holder for private keys, and criteria to release private keys.

Privacy advocates are working to make encryption software widely available. MIT, for example, through a World Wide Web page, supplies free of charge a version of encryption software called PGP (pretty good privacy).

This program was developed by political activist Phil Zimmermann, a cryptographer and software writer in Boulder, Colo., who was cleared this month of charges of exporting PGP illegally.

Mr. Zimmermann is now introducing a program that utilizes computer software to scramble phone conversations so they cannot be wiretapped. He says MIT will also distribute this program free of charge.

No law prohibits selling or distributing encryption software in the US. Such software that is exported, however, falls in the customs category of weapons and must be limited to 40-bit technology to make it decodable by US government experts.

This riles people outside the US - especially foreign governments - who don't want Uncle Sam reading their communications.

They will be more riled when they learn that MIT undergraduate student Andrew Twyman, using a high-powered super computer, showed last month that one product using 40-bit technology can be cracked in less than eight days.