Diffie, Whitfield & Landau, S. Privacy on the line: the politics of wiretapping and encryption. Updated and expanded edition. Cambridge, MA: The MIT Press, 2007. xvii, , 472 pp. ISBN 978-0-262-04240-6 £16.95
Whitfield Diffie is the inventor of public key encryptography and, consequently, well placed as joint author of this expanded version of a text first published in 1998. The expansion amounts to 100 additional pages on the subject and includes two new chapters and changes to the remainder to reflect developments over the past ten years.
The two new chapters reflect the changes that took place shortly after the publication of the first edition, which are outlined in the preface to this new edition. First, as a result of the Electronic Frontier Foundation's publication of the DES Cracker, '...the existing encryption standard was decisively shown to be inadequate...'; secondly, 'The secret Skipjack algorithm that underlay the key escrow plan was declassified...'; progress was made by the National Institute of Standards and Technology on the development of an alternative to the Data Encryption Standard; American export control rules were revised, making it easier to sell encrypted software to anyone other than military agencies; and the terrorist attack of the 11th September, 2001, radically changed both the US government's and the public's (contrary) view of the nature of privacy.
The first edition of this book was not reviewed in Information Research, but I have located another that gives a good account, so I shall concentrate on the changes. The two new Chapters are 10 and 11—And then it all changed and Après la déluge. The authors date the 'change' to 2nd January, 1997 when the US government decided to replace its Data Encryption Standard through a competition to find a replacement. That competition was eventually won by two Belgian cryptographers with their algorithm, named Rijndael. Rijndael became the official Advanced Encryption Standard and was authorised to be used with all levels of classified documents, messages, etc. A second development was the change in the export controls operated by the USA, which freed up trade in software and hardware with embedded encryption. Other developments bringing about change included the US Digital Millenium Copyright Act and various Digital Rights Management systems, and actions by, for example, the music industry to use these to support their existing business models. Protection, supposedly of the state, was also the reason for the FBI's Carnivore: a system for, as the Wall Street Journal described in, '...wiretapping the Internet...'. Suddenly, the Internet and all its traffic, which had been assumed by many to more or less guarantee anonymity, was openly available to FBI investigators.
And after the deluge? The 'deluge', of course, was the terrorist attacks of the 11th September, 2001, which raised the stakes in terms of 'homeland security'. The result was an expansion of intelligence efforts, the Patriot Act - a wide ranging Act, intended to 'Intercept and Obstruct Terrorism', and a variety of other measures with the same intent.
The conclusion to all this, as one might expect, the raising of further difficult issues:
The task is simple to explain but far harder to achieve. If we do not incorporate adequate security measures in our computer and communications infrastructure, we risk being overwhelmed by external enemies. If we put an externally focused view of security ahead of all other concerns, we risk being overwhelmed by their misuse. We must find a set of rules and a mechanism for overseeing those rules tht allows society to defend itself from its genuine enemies while keeping communication surveillance from stifling dissent, enforcing morality, and invading privacy. If we do not, the right to use privacy-enhancing technology that was won in the 1990s will be lost again.
Somehow, I don't think that finding those rules and that mechanism will be particularly easy.
Professor Tom Wilson