Tuesday, March 26, 2013

Contemplating Privacy and Radio Communications I

As a ham radio operator, I'm required to comply with Part 97 of the FCC's Rules whenever I use the amateur bands. One of the rules is that we must identify our transmissions at the start and end of a contact with our federally issued callsign. Hams have a tradition, going back as far as the hobby has existed, of swapping little postcards, called QSL cards, commemorating the contact. (The name is one of many "Q signals" that hams using Morse code developed to shorten the text they needed to send.) In the days before the Interwebz, you bought a phone-book-sized directory called a Callbook, which was a listing of every ham in the US by callsign. You looked them up in the book, and mailed the card. Today, hams go to a number of online sources like QRZ to look up anyone by callsign. As with all information in today's society, it's easier to trace a ham by callsign than ever before.

Because this information was always available to anyone who cared to look, hams were always a rather open group.  Many guys just identify themselves online by their calls, including the rather famous ones (and there have always been famous ones).  If you go to hamfests, it's so unusual to see someone without a callsign badge or monogrammed shirt or hat that you just assume they're not a ham.  Many hams have carried this into the rest of their online lives.  I can't tell you how many identifiers I've come across on forums that either are the callsign by itself or a name and callsign made into one identifier. 

Most of the folks that visit here are preppers, as I am, and preppers have a completely different mindset about privacy than the typical hams do. We're of a mindset that many in the country would describe as at least mildly paranoid. We're certainly not the mainstream in the country, partly because we choose to think about things that most people refuse to look at. Someone I recently heard being interviewed said he couldn't even talk with his wife about a storm pantry, just a few days' worth of preps, because she "just refuses to think about it". As a counterexample, in the mid '80s, I recall deciding I would never say things like "I'm going out of town this weekend" on the VHF (2 meter) radios because I considered it a home security risk. It's not as easy as the kids today telling everyone on Facebook or Twitter that they're far from home, but someone who had a scanner and a callbook could hear me, look me up, and visit the house while no one was here.

The concept here is "reasonable expectation of privacy".  If you're on an amateur frequency you don't haz one.   But let's say you wanted or really needed privacy.  What then? 

The military was among the first organizations to have this problem and address it. They typically describe systems as LPI/LPE: low probability of interception / low probability of exploitation. You'll also see LPD, where D is detection. It's handy to think of it that way because it can help you channel your thoughts on how to solve the problems.

The easiest one to accomplish is actually the last: low probability of exploitation, that is, of someone using your transmission against you. I've written before on the topic of encryption or encoding, which is the answer here. It's important to note that encryption is not allowed in the amateur radio service. There's an important distinction between encrypting something and encoding it. As I said in the linked piece:
When you encode things, you simply change their language; when you encrypt something, you attempt to hide its meaning.  For example, any language is a coding of symbols, and in typing this, I'm encoding my thoughts into a computer code (ASCII) that can be read on your terminal.  The difference is subtle, but it matters - especially in legal context.  Some systems prohibit encryption, or “non-standard” codes.  I could transmit the phrase, “the wheat is ready for harvest” in plain English to someone who knows that I mean, “I've planted the evidence” and it is encoded, not encrypted.  If, instead, I told them, “516EE75994BA0DC137BE1074E46CB27D069C39A4” and it means the same thing, it has been encrypted. 
Either way, encoded or encrypted, I've prevented a casual listener or even a determined adversary from knowing what I told the person on the other end. If they've broken the code somehow, they know what I meant and can exploit that information. There are many ways of breaking codes, from getting the information from someone who knows the code to analysis of the words and frequency of usage, and many other tactics. People have been studying this for about as long as there have been people. And, of course, I can't talk about encryption without lifting this XKCD cartoon yet again.

One of the standard ways of maintaining secrecy in codes is by changing them all the time.  But what about reducing the chance of an adversary ever detecting or even knowing you're transmitting?   This is the realm of a lot of technology.  While we're not allowed to encrypt transmissions, experimentation with interesting technology is one of the stated purposes of ham radio.  The rules actually encourage many of the things we can do.   

Stay tuned...



2 comments:

  1. Most Hams don't have a clue about OpSec, and if they do, they think it's something that would only apply to ARES/RACES/DCS or any other "public service" function they perform.

    My callsign traces back to a P.O. Box, but if you Google enough, you'll find me.

    Since 1995 I've been spreading my callsign far and wide, and the genie's out of the bottle for me, because for all those years I never thought society could become as scummy as it's gotten in the last 10 years or so....

  2. I can neither confirm nor deny anything in this post, other than that the XKCD comic is the second greatest IT nerd comic ever written (after the Bobby Tables one).
