COURTS & TECHNOLOGY

The "I Love You" virus attack in May 2000 and the attacks in February 2000 on popular Internet shopping sites, including Amazon.com, have raised public awareness of the importance of Internet security (see, e.g., the Ernst & Young white paper on denial of service attacks). The issues arising in security overlap with privacy, and raise difficult questions about how to balance interests of free speech, government regulation and the role of the private companies that control the central nervous system of the Internet. The judiciary plays an important role in protecting Internet security in such areas as the criminal sentencing of hackers, deciding cases of electronic contracts and reviewing the proper scope of government cyber-snooping under the Fourth Amendment. Judges should view with skepticism almost all of what is said about security, for the area is fraught with misinformation and myth. The importance of a proper understanding of the topic will increase in the next few years as more Americans conduct public and private business online.

Applied to courts, Internet security is akin to a three-tiered cake. The top layer is the Internet as a network, and this was the weak point hackers exploited in the February denial of service attack. The attack was composed of an excessive number of false, computer-generated hits on a given Web site causing the site to overload, and become unavailable to customers. The second layer of the cake is transactional security, or what is commonly called ecommerce and personal identity. This includes the question of who, really, sent you an email, or whose Web site are you accessing. The third layer of the Internet security cake is personal privacy, represented by encryption such as PGP. These three separate areas are commonly lumped together in discussions but must be understood independently to properly discern the Internet security issues.

Security of the Internet Network

In the wake of the denial of service attacks, President Clinton convened a White House Summit on computer security. An expanded federal role was proposed in monitoring Internet activity to prevent future security threats, or at least track down the perpetrators after the fact (see streaming audio report at The News Hour with Jim Lehrer, February 15, 2000, on the Internet Security Summit). Parallel to the Whitehouse Summit, on May 15, 2000, the Federal Trade Commission Advisory Committee on Online Access and Security issued its report on privacy and security.

This initiative was mirrored internationally by an announcement from the United Kingdom government that it would play a more active role in monitoring Internet activity. Finally, the G-8 Internet Security Conference held May 15-18, 2000, in Paris, France, examined how government and the private sector could "conduct common threat evaluations of specific menaces resulting from the development of information and communication technologies or the use of these technologies by criminals." As reported by the Electronic Privacy Information Center, "controversial suggestions to mandate that Internet Service Providers gather and keep more information about users were opposed."

Private companies are also working in the network security field. Counterpane Systems founded by Bruce Schneier, is a security firm that specializes in protecting networks against attacks. Schneier edits the influential crypto-gram newsletter, which contains a wealth of information on technical issues in security and often points out the weaknesses in widely distributed computer software. A helpful place to start learning about computer security is the Yahoo category of links to computer security.

In short, efforts to protect the security of the Internet can run afoul of the desire to retain privacy of individual users, who would, for reasons both historical and paranoid, prefer not to have the government know every little thing they do. One solution to network security that does not compromise privacy is to spend more money on implementing the simple improvements we know about, such as configuring software to prevent outside access to servers.

Transactional Security: Identity and Anonymity

A confounding part of online security is the field of identity. If I receive an email from "John Smith" how do I know it is really him, or the unique Mr. Smith I know? If it is really from John Smith, the implications for ecommerce are enormous, for then the law should arguably treat electronic contracts as the equivalent of paper. The symbol "/s/ John Smith" at the bottom of an email could become an electronic signature with the same weight as a pen and ink signature.

Sometimes security of identity is provided by passwords. But industry analysts have pointed out that passwords are not failsafe. The security firm RSA has stated that: "Unfortunately, security built on static, reusable passwords has proven easy for hackers to beat." A solution to secure identity is a digital signature issued by a trusted authority, which carefully checks identification prior to issuing a certificate with the identity "John Smith of New York City, New York." Marc Strassman and Robert D. Atkinson, Jump-Starting the Digital Economy (with Department of Motor Vehicles-Issued Digital Certificates), June 1999.

This technology is little used by consumers but is widespread in providing identity to Web servers, with products from companies such as Verisign. A server certificate protects an online brokerage site from being "spoofed" by a hacker, who would redirect an IP address, intent on collecting credit card information from an unsuspecting customer of, say, Charles Schwab. E.W. Felten, et al., Web Spoofing: An Internet Con Game. Absent the server certificate, a customer who entered the Schwab URL in his browser could arrive at a false mimic of the Web site. Court efiling sites often use server certificates to provide security that legal documents are being uploaded to the court.

While at first glance it may seem that the validity of transactions requires secure personal identification, there are compelling reasons to work with insecure systems. Privacy of individual activity can be protected through adoption of false identity, which may be the only protection available in this age of aggressive data mining (see, e.g., Electronic Frontier Foundation identity articles; cf., Mitch E. Kabay, Anonymity and Pseudonymity in Cyberspace: Deindividuation, Incivility and Lawlessness Versus Freedom and Privacy, Proc. Conf. European Institute for Computer Anti-virus Research (EICAR), Munich, Germany 16-18 March 1998).

Perhaps more importantly, the Internet has already happened so it is too late to stop it or slow down ecommerce while we decide on how to go about defining transactional identity. For example, federal courts already use the symbol "/s/ John Smith" to sign efiled documents; email that arrives from "John Smith" is answered as if it really came from that person; and Visa credit cards are the de facto method for consumers to create electronic contracts (see Testimony of Andrew Konstantaras, Vice President and Counsel, Visa International Service Association, before the Domestic and International Monetary Policy Subcommittee of the Banking and Financial Services Committee of the U.S. House of Representatives, July 9, 1997 ("The use of Visa cards on the Internet is, instead, an example of the private system environment. Even though the merchant and the cardholder may have never met before, the cardholder is indirectly contractually linked with the merchant.")) While personal identity security is an evolving standard, a legal rule that treats all insecure transactions as untrustworthy makes sense in a theoretical test tube, but almost nowhere else.

Personal Privacy and Cyber-Snooping

Use of the Internet by judges has many positive aspects, including access to free legal materials. Internet use also gives judges a better intuitive understanding of technology, which can aid them in deciding Internet law cases.

A troubling aspect of judges online, however, is the unprecedented snooping that goes on (see E-avesdropping, January 7, 2000, The News Hour with Jim Lehrer). The executive branch of every local government in the United States has the ability and legal right to read the email and watch the Web surfing of the judicial branch. By way of comparison, federal judges' Internet use is provided and monitored within the U.S. Court Administrator's Office, similar to state appellate court judges, who usually use networks from their state court administrator's office. Judges have yet to address this threat to personal privacy but should be concerned. Brad Marlowe, "You are being watched" ZDNet Magazine, December 1999.

A recent example illustrates the point. On June 2, 2000, a respected rural judge in Washington state, Randolph Furman, was forced to resign by the Commission on Judicial Conduct after a network administrator found, reviewed and reported on his personal use of the Internet. Furman, a judge of the Cowlitz County Superior Court in Kelso, Washington, had visited "adult-only," shopping, auction sites and travel sites (In re Randolph Furman, CJC No. 3245-F-84, filed June 2, 2000). In other words, he surfed porn, and some sites like eBay and Expedia.

One need not condone his activity to raise questions about the broader public issues in this case. For there was only one way to "out" Judge Furman, and that was to monitor every judge in Cowlitz County. And "monitor" means to record and review each Web site visited and email sent or received, whether for judicial or personal business. The moral of the story is that had he only visited Findlaw and the Cornell Law School site: his activity would have been reviewed with the same rigor, and recorded with the identical tools by an employee of the executive branch.

Stated with some salt, if the logic of Internet monitoring is so compelling, the only wonder is why judges' telephone calls are not tapped, or why judicial chambers lack hidden microphones, or that judges are free from surprise urinalysis. In this vein, we can agree that only improper phone calls and conversations will be brought to the attention of the authorities! Judges are, after all, public servants, should be held to the highest ethical standards and are never above the law. Or are we missing the crucial point?

There are two points, actually. First, the ethics of Internet use could be broadened to include lack of use along with excessive use. Why not hold the Cowlitz County executive branch in contempt for failure to make government services available online, or to replace expensive paper forms with virtually free electronic ones. The truth about the Internet is that it is so inexpensive the best word we have in English to describe it is "free." But the radically cheap cost of the Internet remains alien to many governmental agencies. For example, the Washington Judicial Conduct Commission ordered: "Respondent [Judge Furman] further agrees that he shall reimburse the County for reasonable costs associated with the retrieval of data regarding his use of computers and the Internet." The cost of writing that single sentence, let alone the County tabulating the cost, exceeds at least by a factor of ten the cost of Judge Furman's activity, but the Commission doesn't tell us that.

PGP Encryption and Anonymous Web Surfing Tools

The second point is - surprise! - the tools already exist to protect judicial privacy in the form of personal encryption and zero knowledge systems. These privacy tools are freely available but are under attack. A growing number of public and private entities are banning their use. The FBI and State of Washington Information Services Board have already banned personal encryption out of fear that encrypted agency records can be lost if a user forgets a password, or a disgruntled employee can zap a network before quitting. Judges should act now to create an exemption for the judicial branch from a ban on personal encryption.

Encryption, such as Pretty Good Privacy ("PGP") invented by Phil Zimmerman, scrambles a message with a mathematical code so only the intended recipient can read it. In laymen's terms, PGP gives email the same privacy as a telephone call. A judge can download and install PGP in a few minutes (see the PGP Web site). Most popular email programs, such as Microsoft Outlook 98, then display a button in the toolbar that reads "encrypt on sending." One mouse click secures the email in transit. The judge supplies his or her "public key" to colleagues and on arrival in the inbox the recipient, who has also installed PGP, clicks on the button that reads "unencrypt," that is, return the message to the original, readable text.

It is crucial to always keep encrypted sent or received email stored on your system to prevent a network administrator from reading it after you have gone home for the night. Some judges will eventually be given a "digital signature" which is managed by a "certificate authority." Most digital signatures come bundled with encryption but it provides no guarantee of privacy, in contrast to PGP. With encryption provided by a certificate authority, a copy of your private key is held by the company and is commonly provided to the local network administrator upon request. So you can easily think your email is secure - but it is not.

The reason companies and governments oppose use of PGP is the same reason they oppose some other forms of privacy: how does one discover wrongful conduct? Encryption is most often discussed in the context of export restrictions due to its potential protection for criminal activity. The courts have long recognized that privacy allows both lawful and, unfortunately, unlawful activity. In the ongoing debate, judges must balance the legitimate need to police communication with the benefit to society from maintaining an independent judiciary.

While PGP protects the content of a message, zero knowledge systems eliminate tracking of Web site access. Sometimes called "anonymizers," these systems typically consist of visiting an initial Web site from which the user can surf to other sites leaving no trace or trail of activity. Links to these services are found at the EPIC Online Guide to Practical Privacy Tools. For example, if U.S. District Court Judge Thomas Jackson, who is handling the Microsoft antitrust case, visits the Netscape Web site it would remain private if he went there via a zero knowledge Web site.

A more direct solution is for judges to not use computers or networks provided by the courts. With a laptop and wireless modem, a judge can opt out of monitoring by the executive branch for under $2,000.

Conclusion

There was a time in the late 1980s when calling a politician a "card carrying member of the ACLU" had some kick to it. But the rise of cyber-snooping by governments on judges, and of businesses on employees, is bringing the gleam back to civil rights in the eyes of many Internet users. What the Fourth Amendment does not protect, a growing number of citizens are realizing can be hidden with PGP and zero knowledge Web surfing systems. Judges will have to catch the personal privacy wave if they plan to continue to use the Internet in a manner befitting the tradition of judicial autonomy from the other branches of government. An exception for the courts from bans on personal encryption is a crucial component in this effort.

Broader issues of Internet security require a balance between the government's ability to track individual identity and online activity with personal privacy. Dialogue continues in federal and state agencies, and among nations at international forums, on how to prevent future attacks from hackers. Judges who are faced with sentencing hackers for crimes should weigh the potential damage that could have been done and was not; degrees of maliciousness are found in the target chosen. Did the hacker close a bookseller for a few hours or, more seriously, a hospital during a civil emergency? On a humorous note, any sentence should include the hacker teaching the judge how to use PGP to protect his or her email.

Possible legislation on Internet security should consider requirements to install the latest software patches, or to configure software to prevent remote launches of denial of service attacks. Finally, security of personal identity shows us that while improvements are needed in authentication, much of the ecommerce revolution will continue under the present regime. Security solves some issues and raises concern over others. Lucky for society, judges are trained to wrestle with these difficult questions, if only we can learn to leave their private meanderings unmolested.

Additional Web links

Microsoft security, bulletins on patches, viruses and holes
http://www.microsoft.com/security/default.asp

Electronic Privacy Information Center
http://www.epic.org

Electronic Frontier Foundation
http://www.eff.org

World Wide Web Consortium Security Resources
http://www.w3.org/Security

Bradley J. Hillis, M.A., J.D.
June 8, 2000

———————————————————————
Discussion

JURIST and Bradley Hillis welcome your views and comments on this column. Use this form, or e-mail JURIST@law.pitt.edu.