Electronic Border-Control

by Simson L. Garfinkel

14 July 1997

Today, the Internet is a great borderless country. Packets of data travel unfettered from any computer to any other computer in the world, hindered only by slow connections and a few corporate firewalls. Netizens laugh at attempts by countries like China and Singapore to limit their citizens' access to the Internet. In the immortal words of John Gilmore, "The Net treats censorship as damage and routes around it."

But I foresee a time - perhaps not very long from now - when the wired nations of the world will decide to restrict the flow of packets across their electronic borders, much in the way they control the flow of atoms across their physical ones.

The goal of this electronic border-control won't be censorship, but law enforcement and protection from information warfare. We live in an imperfect world. Rather than attempting to make it over according to our morals and codes of conduct, electronic border-control will instead attempt to keep the bad guys out.

Like it or not, there is such a thing as contraband information - data that can get you thrown in jail. Although child pornography is an obvious example, it is also illegal to possess a list of stolen credit-card numbers. Even garden-variety software piracy is a criminal offense in the United States. Got unlicensed copies of Office 97, Windows NT Server, Word Perfect, Lotus 1-2-3, and Visual C++? Technically, it can cost you your freedom.

Trademark violations are another type of data crime. For years, the country has been awash with fake Rolex watches and imitation Chanel No. 5. Now lawyers from companies like Disney and Paramount are scanning the Web, tracking down unauthorized images of Winnie-the-Pooh, Kirk, and Spock - and especially images of Kirk and Spock doing the nasty.

If you are part of a large corporation and a third party is illegally distributing your company's content or infringing on your trademark, you send them a cease-and-desist letter, and then you take them to court. But while that might work against a Web site in the United States, Canada, or Great Britain, I doubt that a Web site in Africa or South America would be too troubled by such legal tactics. The global treaties governing these matters aren't uniformly enforced around the world.

There's a lot of incentive for companies in underdeveloped countries to get relatively high-speed Net connections and offer free downloads of the most expensive copyrighted software. Got a political message you want to get out? Put it in a banner ad. While you're at it, you might want to advertise tourism to your particular spot of the world, or even use the free software as a lure for more illicit activities, like child prostitution or gambling.

Internet sites supplying contraband data already exist, and are sure to multiply in the coming years. John Perry Barlow says that as a result, the laws of contraband will necessarily be repealed - or at least not enforced. I disagree. Long before injured parties - those companies losing millions in sales to pirates - throw up their hands, they will contact the long-haul Internet providers like MCI and Sprint, and arrange for packets from rogue Web sites to be automatically blocked.

Digerati are quick to point out that no blocking solution can be perfect. While that's true, it ignores the fact that solutions don't have to be perfect: Companies would be pleased with an electronic border-control system that blocks even just half the intellectual-property violations. It should only take a few successful prosecutions for breaking the border-control system to instill fear into millions of Internet users.

When I lived in Cambridge, Massachusetts, I lived in a high-crime area. I responded by turning my house into an electronic fortress. I installed bars on my basement windows and put fancy screens on my first-floor windows that would sound an alarm if they were ripped. On my front door, I put a magnet that held the door shut with 1,200 pounds of force. Controlling the magnet was a voiceprint lock, which prevented electricians and other questionable contractors from copying their keys or lending them around.

Then I moved to Martha's Vineyard. Here, we leave our front door unlocked during the day; the back door can be left ajar. Our neighbors leave their keys in their cars - they really do! But in my basement on the Vineyard is a computer with a high-speed, dedicated connection to the Internet. The system, despite being physically located in such a low-crime area, is equipped with all the latest in computer security, because it's vulnerable to nefarious burglars and vandals from all over the world.

There is no incentive for an industrial spy in Tokyo to make a pit stop at my home on Martha's Vineyard on their way to Intel headquarters, but many unprotected systems with high-speed connections have become unwitting relay points for intruders, or repositories for stolen electronic documents. The Internet isn't a global village, it's a global ghetto. Without a powerful security system, you're toast.

Computer-security professionals are fond of saying that good security is everyone's responsibility: Vendors have to deliver secure systems, administrators need to be taught how to install them, and users need to be trained to operate them securely. Today, it's clear that this approach is fundamentally flawed.

Just as most homeowners have no interest in living with bars on their doors and windows, few computer users want systems that require strong passwords and that automatically encrypt all their files. Like bars, encryption can trap you outside when you forget your key. Even when security systems are easy to use and relatively transparent, it's still hard to put them out of your mind. They remind you that you are essentially under siege.

Although many computer criminals are based in the United States, more computer crimes committed against systems in the United States are being committed by non-Americans all the time. It's dramatically more difficult to track down, sue, or bring charges against a computer criminal operating outside the United States. Non-Americans know that, and as a result they are likely to do more damage when they attack American systems. So what can we do? To be perfectly blunt, it would be fine with me if my upstream provider blocked telnet connections between my computer and, say, a computer from within the Commonwealth of Independent States. That's because I can't imagine a legitimate reason for somebody in Moscow to log in to my computer.

Critics who say that an electronic border-control system could never be built underestimate the ingenuity of American businesses.

Border-crossing links could easily be gimmicked so that TCP/IP connections were blocked unless they were accompanied by digital certificates. Indeed, Netscape's SSL protocol already comes with this capability built in. Large data transfers could be logged with the name of the sender, the recipient, the first 1,000 bytes, and a cryptographic hash function. Expert systems and neural networks could search for suspicious activities and report them to users. Dangerous protocols, like telnet, could simply be blocked altogether, unless they came through specially authorized and secure proxy servers.

Alternately, computers could be programmed permissively to allow all traffic, but keep a vigilant electronic eye out for questionable activity. Once detected, it could automatically be shut down.

Encryption technology would of course make any systematic monitoring effort significantly more difficult, much as disguised container vessels have made it harder for federal agents to catch drug traffickers. But, once again, remember that the goal is not to catch every illegal border-crossing - it's merely to detect some of them. I'm confident that technical gurus will be able to develop profiles that say when encryption is at work. Knowing the actual content of the message may, in fact, be irrelevant.

I don't think electronic border-control is a measure a free society would adopt readily. But I'm hard-pressed to find alternatives for dealing with rogue data states. America has made plenty of enemies in the past 100 years; as a matter of national security, we simply don't allow people from certain countries to hop on a plane with an uninspected suitcase, leave the airport without going through customs, and walk into a bank. But today, there is nothing to stop a computer hacker in Iran from sitting at a terminal and traveling to that same bank over the Internet.