New Scientist 11 Mar 95

Identity crisis on the Internet:

Well-connected Internet users who distribute secret or sensitive information without revealing their names are playing havoc with national laws.


In the past few weeks several citizens of cyberspace have heard an unfamiliar sound - the knock of uninvited guests. The arrest of Kevin Mitnick, alleged hacker extraordinaire, was widely reported by the world's media. Less coverage followed two other incidents. In Glendale, California, a few days before Mitnick's arrest, lawyers from the Church of Scientology accompanied by police officers presented a former member of the church, Dennis Erlich, with a warrant to search his apartment. On 8 February, at the request of Interpol, Finnish police served a similar warrant on Johan Helsingius, who runs a computer in Helsinki linked to the Internet.

Mitnick may have stolen the headlines, but the actions against Erlich and Helsingius have sparked far more discussion on the Internet because they arise from a piece of technology called an anonymous remailer, which companies and governments see as a growing threat. Their fear is that these devices, together with encryption programs, will undermine long- established laws designed to protect the ownership of information and control its spread. With this combination of technologies, people will be able to publish any confidential information, without the fear of being caught.

Untraceable Contacts

An anonymous remailer is simply a computer connected to the Internet that forwards electronic mail or files to other addresses on the network. But it also strips off the "header" part of the messages, which shows where they came from and who sent them. All the receiver can tell about a message's origin is that it passed through the remailer. Some remailers also allocate each sender an "anonymous ID", rather like a PO box number, which it stores with the sender's address so that any replies reach them.

These anonymous remailers were invented by security experts interested in whether it was possible to send a message on the Internet which could not be traced back to its source. As soon as the first ones were built, though, people found a more pragmatic use for them: to send messages to bulletin boards about subjects so sensitive that they did not want their names known. People with unusual sexual tastes make good use of remailers, as do the victims of sexual abuse.

But the use of remailers can also make it impossible to enforce national laws. How can copyright be protected, for example, if anything that can be scanned into a computer can be broadcast anonymously to millions over the Internet? How can a judge ensure that prejudicial information does not leak from a court if anyone in the public gallery can distribute those details from the nearest terminal without fear of being caught? The inability to trace the source of information may foil the police on the trail of a pornographer, and leave companies struggling to deter a disgruntled employee or client from revealing commercial secrets.

Examples of all these scenarios have taken place recently. The scientologists accuse Erlich of posting material to which it claims the copyright on one of the Internet's bulletin boards, or "Usenet newsgroups". Erlich denies the charge, saying he made "fair use" of the information within the terms of the law. The church's lawyers are also pursuing messages that were routed through Helsingius's anonymous remailer. No clear evidence exists about the sender. So, through Interpol, the lawyers asked the Finnish police to search Helsingius's property, including his remailer, in order to locate the suspect from its database. No case has yet come to court.

Similarly, in Britain, when Rosemary West was charged with 10 murders last month, details from a pre-trial hearing were posted anonymously to a newsgroup for all to read. Yet no British newspaper or magazine could have published them without being held in contempt of court.

As for pornography, newsgroups abound with obscene pictures sent through remailers. And last year RSA Data Security, a cryptography company based in Redwood City, California, found that software which laid bare its RC4 encryption algorithm had been posted - via anonymous remailers - onto the Internet. The company was appalled. It had regarded RC4 as secret.

The combination of anonymous remailers and encryption programs - of which scores are freely available - raises particular concerns. With these technologies, people can confidently leave private messages in a public place - on a newsgroup, for example. Without a decryption key, these messages will look like rubbish.

Four Horsemen of the Internet

Correspondents could further cover their tracks by sending messages through chains of remailers. People often build up relationships in cyberspace without meeting, but by using cryptography and remailers they might not even know who it is they are dealing with. One might request military or industrial secrets; the other would send them, along with the number of a Swiss bank account for the payoff. If the police noticed the messages and were able to crack the code and trace one of the pair, that person would be unable to name the other, even if he or she wanted to.

Some are worried by this aspect of remailers. "They envisage them being used for what I call the Four Horsemen of the Internet. That is - terrorism, child pornography, money laundering and drugs," says Timothy May, a Californian cryptography and computing consultant. So, should remailers simply be closed down? Absolutely not, says May. "Just as privacy in hotel rooms should not be banned simply because a lot of crime - drug deals, plotting, sexual perversity - happens in hotel rooms," he says.

Helsingius agrees. "These servers enable safe discussion of sensitive issues, such as reporting violations of human rights. They are vital for support of freedom of expression," he says. "These servers are used by people all over the world who are under pressure or persecuted, or who want to discuss their personal problems and sufferings."

There are 27 publicly listed remailers on the Internet, though the worldwide total is closer to a hundred. Helsingius's, which is one of the oldest, was only set up in 1992. Since then, 200 000 people have sent mail through the machine. At present it deals with more than 7000 messages a day.

Politicians who would like to keep an eye on this and other traffic on the Internet face an unenviable task. Ian Taylor, Britain's technology minister, admitted recently that it is virtually impossible for governments to say what can and cannot be done on the Internet (see New Scientist, 27 February 1995). Chris Smith, a Labour MP who is helping to frame his party's strategy on electronic information, is also at a loss over remailers. "There are clear benefits to remailers, for support groups and so on, but also dangers in that criminal activities could be undertaken. I'm not sure there is any system that can preserve the benefits but avoid the downside," he says.

Shutting down remailers altogether is a very unlikely prospect. It would provoke a storm from people who use them for legitimate reasons. In addition, every country in the world would have to adopt the law, be-cause the nature of the Internet means that wherever a remailer exists, it can be used.

Governments trying to legislate on anonymous remailers have found that for every legal twist they think up there is already a technological turn that evades it. What about a law dictating that remailer operators must know the source of a message? May responds: "Send it via somebody who 'quotes' your message, which is encrypted." What about refusing any message containing encryption? Sometimes you cannot tell when a message is encrypted. A text message, for example, can be included in a digitised picture by altering the least significant bits of its pixels. It is the electronic equivalent of the microdot: what seems like a holiday snap might contain the blueprint of a building or a bomb.

On encryption, Smith favours a system where the only programs permitted would be those that the government knew it could unscramble. If it suspected that a crime was being or about to be committed, it could then seek a court order to eavesdrop on suspects. "That's one of the things we would like to look at," he says.

But, again, the technology eludes such control. The posting of the RC4 algorithm means that anyone determined enough could create their own, practically uncrackable, code. And that code can pass across national borders as easily as a phone call. Encryption programs such as PGP are already freely available over the Net.

Taylor identified laws on the protection of intellectual property as already under threat from developments on the Internet, and in need of international action. May believes the time is coming when the whole notion of ownership of information will need to be rethought.

He sees parallels between the efforts of governments and companies to keep information to themselves with those of medieval guilds. "Medieval guilds believed that they owned the knowledge of how to shoe a horse, for example," he says. "That's very like the modern system of patents and copyrights." But the guilds fell victim to the arrival of printing and the spread of literacy, because knowledge could be passed freely to any number of people.

There is even a modern example of how the Internet can make an impact on "restricted" information. In the US, there are laws against selling locksmiths' tools to the public. But one newsgroup has seen anonymous postings of lock-picking methods. When the editor of a locksmith journal plugged into the Internet last year, he was appalled to find trade secrets being openly discussed. May is unimpressed. "In the long term, I think 'copyright' as we know it today is dead, just as the information 'owned' by the guilds ceased to be owned by them after several decades or so of books being available," he says.

So how can those aiming to protect existing laws defend them? Brad Templeton runs an electronic news service called ClariNet, which distributes articles to readers over the Internet, each of whom pays a subscription fee. Occasionally, ClariNet's revenue is threatened when an article has been reposted anonymously. "It happens rarely, and we do have ways of dealing with it," says Templeton. "We have contracts with all our subscribers that make such posting not just a copyright violation but a breach of contract. The operators of remailers have no interest in having their remailers used for illegal activity and usually are quick to pull the access of anyone who tries this."

Indeed, the most likely source of regulation for remailers will come from the operators themselves. For example, Matthew Ghio, a student at Carnegie Mellon University, Pittsburg, who runs an anonymous remailer, refuses to forward mail to the White House because it might contain death threats, and he doesn't want the US Secret Service knocking on his door. Helsingius has vowed to fight any restriction placed on his remailer. But a code of conduct is evolving slowly.

In their way, the publishers and governments of today are probably no less powerful than the guilds and kings of the Middle Ages. And, like the printing press, the Internet is becoming so widely available as to be irresistible. The question now is whether the Internet will have as profound an impact as printing.

New Scientist

Volume 145. Issue 1968.