Affidavit of Patrick Ball in ACLU v. Miller
IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF GEORGIA
AMERICAN CIVIL LIBERTIES UNION OF GEORGIA, et al.,
v.
ZELL MILLER, in his official capacity as Governor of the State of Georgia, et al.
FILE NO. 96-CV-2475-MHS
DECLARATION OF PATRICK BALL
District of Columbia
My name is Patrick Ball. I am employed as Senior Program Associate in the Science and Human Rights Program of the American Association for the Advancement of Science (AAAS). The Science and Human Rights Program works to promote respect for the human rights of scientists, and to advance the use of scientific techniques in human rights work. I submit this affidavit only on my own behalf. The opinions expressed herein are my own, and should in no way be construed as those of the AAAS.
I have an A.B. degree from the Columbia College of Columbia University (sociology, 1988), and an M.A. in political sociology from the University of Michigan, Ann Arbor (1991). I am currently finishing a Ph.D. dissertation entitled "Liberalism Revisited: the Social and Ideological Origins of the Human Rights Movement." In the research for this dissertation, I have made an in-depth study of how non-government human rights monitoring organizations form, and once formed, how they work. I have written technical papers on database design and information management for various human rights groups, U.S. specialist publications, and for the Pan-African Development Information Service of the United Nations, and on the political sociology of human rights organizations, among other topics. An accurate copy of my curriculum vitae is attached.
I have worked with the AAAS since 1993. I was a consultant to the Science and Human Rights Program until August, 1996, when I joined the staff. My principal work with the AAAS is to assist grassroots non-government human rights organizations and truth commissions to build information management systems. I help them to figure out what information they need to collect, how to collect it, how to represent the information in a computer database, and then how to analyze it. During 1991-1993, I did this work in El Salvador and Ethiopia. Since 1993, I have worked on behalf of the AAAS in Haiti, Guatemala, South Africa, and Turkey. In Ethiopia, Haiti, and South Africa I worked with quasi-governmental tribunals and truth commissions; other organizations I have worked with include non-government monitoring groups and U.N. human rights missions. I have recently published a brief overview of this work in a volume entitled Who Did What to Whom? Planning and Implementing a Large-Scale Human Rights Data Project (Washington, DC: AAAS, 1996). With two colleagues from the AAAS, I will publish in 1997 a book entitled Safe Computing in a Dangerous World: a Handbook on Cryptographic Applications for Human Rights Work.
In the course of my work, my partner organizations and I concentrate politically volatile information in computers. For example, one database I designed contains the names of witnesses to military massacres in Guatemala; another keeps the names of applicants for amnesty for political crimes carried out in South Africa during the apartheid regime. Both groups of people could be subject to intimidation, harassment, or murder by those intent on preventing the public discussion and analysis of the claims. Both systems are protected by strong cryptography(1).
Many human rights organizations have grave concerns about the security of their information. Often they ask me how they can protect their information while it is physically inside their organization, and how they can secure their Internet-based communications. Because human rights organizations often operate in hostile political environments, and because the information they acquire is often very sensitive, questions about security must be taken seriously. Every year, many human rights workers are killed in the course of their work. The principal reason they are captured, tortured, and killed is so that their captors can obtain information from them. Quite often the captors are government agents, acting either openly or as civilian death squads. Computers are also vulnerable to capture, which is why organizations want to protect information in its electronic form.
Because human rights work is so dangerous, many non-government groups operate clandestinely. Quasi-governmental human rights organizations such as truth commissions, and inter-governmental bodies such as the Organization of American States and United Nations monitoring missions operate publicly but also have serious information security concerns. The discussion below applies, although in slightly different ways, to all of the human rights organizations with whom I have worked.
Human rights groups respond to danger at the electronic level by adopting one or more of three measures: a) encryption for content security, b) digital signatures to assure message integrity and authenticity, and c) transmission of information by anonymous techniques. Encryption means that the original message is transformed in a way such that only the recipient can recover the original message; using modern encryption, even the sender cannot recover the original message after it has been encrypted. Digital signatures are sub-messages which can be affixed to an electronic document (including but not limited to an email message). Signatures serve to verify that i) only the signer could have signed the document, and that ii) the document has not been altered since it was signed. Both encryption and digital signatures are quite important for human rights work.
A third kind of computer security technique important for human rights organizations is called anonymous remailing. It is important to note that all email messages contain header information indicating the electronic addresses of both the sender and the recipient. Anonymous electronic communication can be used to defeat traffic analysis. Traffic analysis is an attack in which the attacker studies the patterns of correspondence shown by the headers of the messages passing through a particular account. The attacker determines to whom the account sends information, and from whom the account receives information. By analyzing this information, the attacker can determine with whom the human rights organization corresponds, as well as when the correspondence occurred, and what quantity of information was exchanged.
Human rights organizations use anonymity to defeat traffic analysis. Anonymity in this sense means that someone watching the sender of a message cannot tell where the message is going; analogously, someone watching the computer account of the receiver of a message cannot determine from whom the message originated. At the simplest, and least safe, level the sender might use a pseudonym.
An attacker who wishes to conduct traffic analysis needs either a) low-level access to the computer system on which the account's email resides, called the mail host; or b) physical access to the human rights organization's computer (e.g., by seizing it). The attack suggested in a) can be used no matter what kind of email system the human rights organization uses. If the human rights group uses a mail system which stores mail on their PC(2), rather than leaving it on the mail host, the attack suggested in b) would also work. The attacker does not need to be able to access the messages' contents. Instead he needs only to study the sending and receiving information stored in the message headers.
Traffic analysis can betray devastating information about a human rights group. For example, if a law firm is offering legal assistance to ensure due process for people accused of nonviolent political crimes, or seeking redress for people tortured in detention, traffic analysis might show that the law firm's email account is frequently corresponding with Human Rights Watch in New York or Washington, or with Amnesty International in London. The mere fact that a given account has frequent correspondence with one of these two internationally-known organizations is sufficient for an attacker to know that the group is engaged in human rights work. This group could then be defamed as a pawn of the West, or subject to more direct repression.
Traffic analysis might be more subtle. For example, if a group in China sends electronic mail to Amnesty International, and Amnesty issues an urgent action relevant to a person known by one of the account's users a day or two later, someone watching the Chinese group's account and Amnesty International's actions might reasonably conclude that the message from the group to Amnesty had been the source of information for the urgent action. Note that the attacker would not need to know the contents of the Chinese group's message sent to Amnesty to make this deduction. If the attacker were the Chinese government, the group in question might have serious problems: twenty- to thirty-year jail terms for human rights dissidents have been common in the last year.
Finally, human rights or humanitarian groups in areas in conflict could be destroyed by traffic analysis. Imagine, for example, rape-survivor groups in Bosnia trying to coordinate with counterparts in Croatia; or groups promoting religious toleration in India and Pakistan. In either example, evidence of the communication itself -- regardless of the content of the communication -- could be sufficient to mobilize popular animosity (for example, paramilitary violence or lynch mobs) or state repression.
There is a method of anonymous electronic communication that eliminates the risk of traffic analysis. All of the problems can be avoided by introducing an intermediary step or steps between the corresponding parties. Each party sends their electronic messages to an "anonymous remailer," that is, to a computer program that strips the originating header information from a message and sends it on to the next recipient. The remailer breaks the connection between the parties. When a message arrives at its destination, it appears to have originated at the remailer -- the sender's information has disappeared. It is as if the remailer has received a letter, opened it to find the real recipient's address, resealed the letter in a new envelope with a new address, and put it in the mail again. When the letter arrives, it carries the remailer's postmark, not the sender's.
There are two kinds of remailers: truly anonymous remailers, and pseudonymous remailers(3). A pseudonymous remailer(4) keeps a database of all the addresses from which it has received one or more messages. Pseudonymous remailers are not secure. If an attacker seized the database containing the matches between the pseudonyms and the "real" addresses, then the security of every user would be immediately compromised. Human rights groups should not use remailers of this kind.
True anonymous remailers are quite different(5). These programs maintain no database of addresses. When messages are resent from a truly anonymous remailer, the header information is set either to a deliberately misleading address, or to randomly generated characters. There is no record of the connection between the sending address and the destination address. For greater security, many users program messages to pass through five to twenty remailers before the message arrives at its final destination. This technique, known as chaining, assures greater security than sending through a single remailer. Even if some remailers keep secret records of their transactions, a single honest remailing system will protect the user. One disadvantage is that unless the sender has identified herself in the body of the message, the recipient has no way to reply to an anonymously sent message.
"Anonymity" in the sense I suggest here does not necessarily mean concealing the identity of the sender from the legitimate recipient, although these techniques can be used for that purpose. The sender may have encrypted and digitally signed the message before posting it to the remailer. Therefore when the legitimate recipient decrypts the message, she can verify the digital signature and thereby be assured that the message truly originated with the person who purports to have sent it. In human rights terms, the essential feature of this system is that only the sender and the recipient know that they are in communication with each other. No one else can discover that their conversation even exists, much less what the content of their conversation might be.
In some cases, a source for human rights information might want to remain totally anonymous. A police officer revealing information about an abusive unit might want to be protected from anyone at all knowing his identity; or the citizen of a very repressive state might not want to risk being accidentally betrayed by a well-meaning international human rights group. Such users would not affix digital signatures to their messages, or they would use signatures not connected to their true identities. These cases approximate the well-known "whistle-blower" argument in favor of totally anonymous communication. In these cases, no one, not even the legitimate recipient, would know the sender's true identity.
Although the examples I have used refer mostly to electronic communication in other countries, the need for anonymous electronic communication is just as great for U.S. citizens corresponding with human rights workers in other countries. Indeed, all of these examples are quite closely linked specifically to the State of Georgia. In my experience, some of the most technically advanced people in Amnesty USA are located at Georgia Tech. The Carter Center in Atlanta is one of the world's largest human rights and humanitarian organizations. It is certain that a large quantity of human rights-related electronic communication is originating or arriving in Georgia. Given my argument above, therefore, a great deal of anonymous electronic communication is, or should be, originating or arriving in Georgia. If we are to enable people to monitor violations of internationally recognized human rights, we must allow people associated with the Carter Center, and other U.S. citizens, to be able to communicate anonymously in cyberspace.
I, Patrick Ball, declare under penalty of perjury that the foregoing is true and correct.
Executed this 24th day of January, 1997.
Senior Program Associate
Science and Human Rights Program
American Association for the Advancement of Science
(1) Although the unlicensed export of strong cryptography from the United States is illegal, human rights groups can very easily find free cryptographic software on non-U.S. sites on the Internet, as well as from foreign commercial vendors.
(2) Such systems would include i) Internet mail clients using the POP or IMAP protocols, such as Eudora, Pegasus, etc.; ii) proprietary mail systems, such as WinCIM for Compuserve, or AOL; or iii) FidoNet applications such as FrontDoor or Marimba. Note that FidoNet systems are commonly used in Africa.
(3) One discussion of remailers, by Andre Bacard, is found at http://www.well.com/user/abacard/remail.html. This Web page also contains references to a wide variety of increasingly technical discussions of how remailers work.
(4) Johan Helsingius' anon.penet.fi was -- before Helsingius discontinued it -- the foremost example of a pseudonymous remailer.