Internet Backdoors in Hungary
Legitimating unwarranted and total data surveillance
As in many countries, law enforcement authorities in Hungary require a warrant issued by a judge in order to "obtain information from" (that is, to eavesdrop on) various telecommunication systems, such as the telephone, and other sources, including computer databases. However, according to the 1995 National Security Law, Hungarian law enforcement doesn't require a warrant in order to obtain information categorised as "confidential". This means the secret police can spy on an individual without any form of oversight by simply and arbitrarily classifying a certain operation as a state secret.
Apparently, this has happened with Internet traffic, raising the prospect of total surveillance via computer mediated communications. According to one report, men in suits approached an ISP a couple of weeks ago and requested a link to their lines. To this they attached a computer which the ISP was forbidden to handle. In another incident where men in suits sought to install a transponder, the ISP tried to refuse by claiming they had no right to do so, to which the men agreed, adding that the company also no longer had the right to be an ISP. The transponder was subsequently installed.
Although these and other stories are of the recent past, some claim that this isn't a new development, that it has been going on for years. In fact, in order to obtain a license, all ISPs are forced to sign a contract allowing for full access to all data that passes through their servers, better known as a "backdoor". The National Security Service (NSS) then installs the necessary eavesdropping equipment with which to monitor the traffic.
For their part, ISPs have remained mum on the issue. There are two main reasons for this. The first is that part of their "agreement" with the NSS is to maintain strict confidentiality about the existence of backdoors. The other is that the public knowledge of backdoors is bad for business.
Even so, news of data surveillance by the NSS has leaked out to the on-line community. When queried by an on-line journalist, major ISPs neither confirmed nor rejected the existence of backdoors for the NSS. Indeed, some have pointed out that the law allows for such and that any respectable business plays by the rules. Meanwhile, the minister responsible for the NSS, Ervin Demeter, refused to answer inquiries, while the Computer Crime Unit of the National Police claims to know nothing about the existence of ISP backdoors.
What has many worried in Hungary is that not only does technology enable textual data to pass through computer networks, but all forms of telecommunications -- including fixed line and mobile telephony. This has raised questions of whether the activities undertaken by the NSS are of a targeted nature or that of total surveillance. Put in another way, has Hungary indeed become a surveillance state.
The surveillance state, which was perhaps illustrated best by George Orwell's novel "1984" is, from a technical standpoint, a reality. Entire streams of data and voice communications can be watched in real time and identification traced to some sort of hardware identifier, be it a phone number, IP address, or even the network card of a computer. The only limiting factor to intercepting data at this stage is storage capacity.
But technical capabilities are just one aspect of the Surveillance State; the other is administrative. This is why the revelations of backdoors have caused alarmed in Hungary. Basically, present laws regarding the Internet can make it possible to treat data communications as a national security issue, thereby applying what has been dubbed the "American method" of eavesdropping: mass surveillance as a weapon in the "war on terrorism". In other words, everyone is a potential terrorist, so law enforcement not only has the right but the duty to spy on everyone, everywhere. Subsequently, this method works hand-in-glove with existing laws on intellectual property, in where every user is regarded as a potential criminal in terms of software piracy.
In a feeble attempt to allay fears over the Surveillance State, Csaba Gulyás of the data protection commission maintains that Hungarian law doesn't make it possible for broad, total surveillance. Data privacy legislation stipulates that all surveillance needs to be targeted, even though it's not required by a warrant. As for electronic communications, namely e-mail, restrictions on the actual line to an ISP are still in place and require a warrant. The exchange of data communications can still be monitored by the NSS without any restrictions, however the content of a message can only be viewed with a warrant granted by the Interior Minister or a judge.
All this does little to allay fears of the Surveillance State. It does little more than concede that the NSS legally has a free hand to collect information although it shouldn't do so. The data privacy laws are vague and often misleading. For instance, although a warrant is required for the NSS to actually look at a message, the content is nevertheless in their hands and can be kept in storage if and when it's needed. With no procedures in place for oversight and a lack of transparency at the NSS, there are no guarantees that content at the hands of the NSS are not being used against an individual.
The inadequacies of data protection laws are quite apparent; a tame and toothless tabby can't produce a lion's roar. There is no legislation regarding the surveillance of web pages either, which means the NSS can freely collect information such as IP addresses and other pages visited. The only reply the data commission has to this is that since this is an entirely new area, the rules haven't been quite worked out yet.
As for the operation of backdoors, Csaba Gulyás maintains that ISPs have the right and need to know what kind of data is being collected by the NSS, and aren't required to give a free hand to non-targeted data surveillance. Still, the connection between granting an ISP a license and the work of the NSS is not all that clear. Moreover, the contracts between an ISP and the NSS can't be viewed because they are considered state secrets.
Despite all this, some are making a stand against the powers that be. Tamás Bodoky, writing for Index, a major on-line journal in Hungary, outlines two lines of defense, one legal the other technical. On the legal side of things, he notes that those who feel that they have been unjustly spied upon can officially turn to the National Security Office, the civic NSS minister without portfolio, or the data protection commission. When all else fails, he suggests submitting a petition to the parliamentary National Security Committee.
As for the technical side of things, Bodoky briefly mentions the use of various encryption tools, stressing that there are some which can be broken while others are so secure as to be "unbreakable". Unfortunately, he doesn't discuss the most important line of defense, one which can render even the most secure product useless: user behaviour. Much of our security and privacy depends not only what we use but how we use them, from knowing how to configure our browsers and mail programs to properly using trusted third party systems (like PGP) effectively.
Aside from this, where Bodoky does hit the nail on the head is in the area of social responsibility. As he relates, the anti-terrorism package in the US gave law enforcement and the secret service broad powers for the surveillance of electronic communications. A few days after the attacks in Washington and New York the FBI began the installation of the infamous "black box" at ISPs around the country as part of it carnivore program. This program was already well in the works and had been developed over the years. Prior to the terror attacks in the US, the implementation of carnivore was prevented by protests from the civil sector and privacy lobbyists, all pointing to the erosion of their constitutional rights in their defense. As is already well documented, constitutional rights in the US has since been suspended thanks to the "war on terrorism", thereby putting an end to the "privacy debate" which was in full swing. Privacy advocates are now less vocal and have become a minority of sorts as the "American model" to security has spread to the rest of the world.
Bodoky ends up pointing out the irony that while black boxes are now in place throughout Hungary, the privacy debate hasn't even started yet in this small Central European country. What he failed to outline, however, was this isn't the beginning of the end in terms of privacy, but is the end of a long and winding road that started at least eight years ago. In 1994, the government passed draconian copyright laws, which enabled law enforcement to violate the basic tenets behind the principle of the sanctity of the home. In essence, it cast every computer user in Hungary as a potential criminal. This was followed in 1995 by the aforementioned National Security law that legalised unwarranted surveillance. In 2000, the FBI set up an office in Budapest staffed by four full time American FBI agents for the purpose of "intelligence gathering activities", on the pretext of assisting the Hungarian authorities in their fight against the Russian mafia. And of course, last but not least, the Hungarian government at the end of 2001 pushed through its own anti-terrorism package, one which no doubt mirrors those which can be found throughout the democracies of the developed world.
Anti-privacy moves by the government aren't just limited to the use of Internet, however. The Interior Ministry actually reserves the right to sell personal information contained in government databases to companies, and has even done so. There is no word, naturally, of what happens to the money it makes from such ignominious activities.
Bodoky's observation that the privacy debate in Hungary hasn't even started despite the advent of the Surveillance State can be attributed to many factors. The most obvious is the apparent social malaise with which people approach various issues. Many are preoccupied with wealth accumulation; others are concerned about just staying afloat. An on-line poll conducted by Index was revealing: a little more than half was totally opposed to the idea of electronic surveillance. The rest either was resigned to fate, felt the issue was exaggerated, didn't mind as long as the data was erased after a certain period, or felt it was appropriate for targeted individuals.
The lack of debate over the issue has much to do with the partisan media landscape, dominated mostly by corporate or government interests. Technology news tends to concentrate on the "information society" and how many computers or Internet connections were made available by some government program or business deal. Anything else is in the form of a warning against abuse, usually centering on hackers and pedophiles. Indeed, as if in an indirect reply to Bodoky's article, mention was made in the mainstream media of new laws against hackers. As usual, a "hacker" was not defined but instead lumped in the same basket with child pornographers. Thus, on Easter Monday a new law came into effect whereby someone caught breaking into a system could face up to three years in prison, even if no damage was done. Similar stiff penalties are in store for anyone who has pedophilia on their computer or who reads another person's e-mail.
Without doubt, the best line of defense is public knowledge of the issue. Lack of it has enabled the authorities to get as far as they have. Yet trying to shut the backdoors will be difficult given the climate of fear and trepidation caused by the "war on terrorism". Ironically, what may perhaps render these backdoors irrelevant is another big terrorist attack. Many pundits have observed that the major security weakness of the US and other countries is their trust in the intelligence gathered from electronic communications. An over-reliance on electronic surveillance doesn't produce good intelligence, and was one of the reasons why the events of September 2001 happened. Ultimately, it's the Achilles Heel of the Surveillance State.