A recent Petition for Rule Making (RM-11699) seeks to permit the encryption of certain amateur communications during emergency operations or related training exercises. This change, should it be approved, would amend §97.113, which currently prohibits “messages encoded for the purpose of obscuring their meaning.”
On the face of it, it seems like a reasonable proposal. The petition asks that the rule be changed to allow encryption of certain information when passing messages that may contain sensitive information. Indeed, the petition says that such encryption may be required under the provisions of the Health Insurance Portability and Accountability Act (HIPAA).
The ARRL is against this petition. They say that the petition’s reasons for allowing encryption are completely unfounded. They say that radio amateurs “are not ‘covered entities’ under HIPAA, which applies only to health care providers, health plans and health care clearinghouses.”
KE9V and others say that allowing encryption is a bad idea because it will hinder our ability to self-police amateur radio. KE9V also notes that allowing encryption would allow some to claim that amateur radio could be used for terrorist and other nefarious activities, and that could lead to a shutdown of amateur radio.
I think he’s got a point there. Why give those who would shut down amateur radio the ammo to do so?
KE9V goes on to say that it’s time for a wholesale reevaluation of our role in emergency communications. Amen, brother. It seems to me that as time goes on, what the “served agencies” need and want are becoming more and more different from what amateur radio is prepared to provide.
Elwood Downey, WB0OEW says
I agree that if we were allowed to use encryption it would raise the level of suspicion on us enormously.
Even without it, I think it’s quite remarkable that so many countries even allow ham radio. So often lately it seems governments seem quick to shut off the internet, yet they seem to disregard the direct communications within and beyond their borders that we can perform. If we ever used, or even appeared willing to use, our communications ability to usurp their goals, you can be sure we would be shut down in a heartbeat. Then it would all degenerate into clandestine radio all over again, with a constant fear of the dreaded radio direction finding squads. I’m not usually a conspiracist or alarmist, but sometimes I really have to wonder if it could happen again, even here in the name of “Security”.
Chris Wiegand says
Of course hams aren’t Covered Entities – but CEs are required to ensure that their partners, CEs or not, follow the rules in HIPAA (gross oversimplification, I know, but it applies for the most part, particularly in relationship to Protected Information). No one, particularly hospitals, wants to take on the liability in case someone sues after the fact.
Dan KB6NU says
We’ve been having a spirited discussion of this on Twitter.
Ben (@blueben) has sent several tweets:
Jeff, KE9V (@ke9v) replies:
It certainly is a complicated issue. Both sets of arguments are compelling, but maybe I’m falling off the wagon here.
Part 97 does say that one of the purposes of amateur radio is to advance the state of the radio art, and without being able to use encryption, doing so, at least in that realm, is impossible. And while I might not use the word “disdain,” I certainly agree with Ben that amateur radio’s fear or hesitance about the unknown is harming its future. As Michael (@MBHeyworth) tweeted, “Ignoring technology gets us nowhere but behind.”
Michael Brown, KG9DW says
On the HIPAA thing, Chris is exactly right. Hams are providers but providers must ensure transmission is secure. That’s why even though I’m in IT, I have to take HIPAA training each year because a portion of my employer’s operations deal with medical records.
On the terrorist piece, Jeff and I had the discussion on Twitter that laws and rules will never stop nefarious activities. Someone somewhere is using our frequency allocations outside the law right now. That isn’t any reason to keep us from exploring the options.
I’m just glad that hams are talking about something other than propagation and the weather on Twitter!
de KG9DW
Jeff, KE9V says
This is not a technology issue. It isn’t a matter of “if hams don’t do this they are falling behind” in the world of technology. Calls to support this on the basis that it is “high tech” are misguided. You could use GPG/PGP to encrypt text and send that via packet. It is trivial, decades old technology.
Consider this. You use this to transmit and receive confidential patient info and someone hacks your machine or the data stream sent over the air. Who will be liable for the $2.5 million dollar patient lawsuit? The hams transmitting the data – receiving the data – the ARRL for supporting Emcomm in this endeavor?
This is a waiting plague on amateur radio.
Benjamin says
Jeff, you’re deliberately trying to mislead the example. This isn’t a matter of running GPG/PGP. Your phone encrypts data as a matter of course. We can’t even experiment with baseband encryption. Wifi encrypts data as a matter of course. We can’t even experiment with cryptographic wifi modes. The default method by which IP networks are secured is to encrypt them. We can’t encrypt our network, so we are begging ipsec implementers to properly support signing-only modes, which only exist theoretically.
Ham radio has developed new digital modes, such as PSK31, JT65, and WSPR, but they remain toys and objects of academic interest because without encryption capabilities they are of no value to the general public and other sectors. They are only a contribution to ourselves, and do not meet our original charter to advance the state of the art.
And please, leave the hypothetical fear-mongering at home. “OMG somebody hacked a ham you’re gonna get slammed for $2.5 million better stick your head in the sand and not touch it herp a derp!!!one!1!” Stick to the facts.
Jeff, KE9V says
Another radio ham who harbors the illusion that all things on the Internet must of course move to amateur radio or else, we will be “left behind”. Get a clue, we were left behind thirty years ago. It was a deliberate decision. There is ham radio and there are other technologies and blurring the line between our “hobby” and commercial services was deemed undesirable.
The most devious thing about this argument is not me using scare tactics, it’s EMCOMM dudes who covet a fluorescent vest and a badge so they can feel important at the weekly meeting with the local government agencies wanting to fiddle with things that ought not be fiddled with in the name of “technology”.
Saying that encryption is necessary is patently false. The ARRL says not a single EMCOMM agency has ever told them they would stop using our services if we don’t have it.
And if that day ever comes, we can always say “no thanks” and move along.
The recent NSA exposures are a pretty clear example that technology can outpace the legal system. Postal mail is protected from government snooping but email is not. It’s an unintended consequence of technology moving faster than those 80-year-old dudes in Congress who struggle to understand the technology that they legislate.
You think the amateur radio service can react any faster than they can to the rolling pace of technology?
I laugh at your premise.
Chris Wiegand K0DEN says
> This is a waiting plague on amateur radio.
People said that about SSB (back when AM was THE mode of choice), and getting rid of the Morse code requirement. Amateur radio needs some flexibility to move forward, and I feel that allowing encryption, particularly on the UHF and higher bands (less likely to propagate far enough to get to another country, where the ITU might grumble) gives us some flexibility.
Remember, ham radio is HUGE – there’s DXing, emcomm, experimenters, mesh networks, message passing (winlink/nts) etc. If you’re going to complain about new tech, then ask the FCC to block MotoTRBO, after all, we’ve already got members in our local club complaining that it’s a ‘scourge’ because the guys with trbo radios “don’t get on the analog repeater anymore, and it’s causing a two-class system of haves and have nots”. Or maybe we should just get rid of emcomm entirely, since many of the hams that seem to have a significant negative opinion of this request also seem to be anti-emcomm?
I’ve already filed my comment, but to sum it up, I think 900 MHz and above only, encryption keys must be kept for a year (in case the FCC wants to audit the data), and only in relationship to emcomm, training or (low power only) development purposes. I added the last one because, as a software developer, I’d want to be able to experiment with various protocols without having to have an emergency, but would only need low power between a few radios to test the code.
Dan KB6NU says
I pinged my Division Director, Jim Weaver, K8JE, and here’s what he had to say:
I note that the ARRL opposition to this petition—at least as stated here and in the ARRL Letter—is based specifically on the fact that the petitioner says that encryption is required to meet HIPAA requirements. Might that mean that they wouldn’t be so opposed if the rationale was that allowing encryption would allow us to “advance the state of the radio art?”
John K2JLM says
I do not support encryption on the amateur radio bands. In a time of emergency these are the type and modes of communications we can provide. They can either choose to take advantage of our communications or not. There’s always smoke signals. Maybe the emphasis should be placed on changing the HIPAA requirements when an emergency is declared such as a disaster or a loss of normal communication channels. Passing life saving information should take precedence over privacy during an emergency.
Dave, N8SBE says
A little late to the flame fest, but there is no reason to require encryption for any advanced digital mode, even if the available commercial chipsets support it ‘by default’. It’s not the least bit difficult to turn OFF encryption, e.g. for Wi-Fi networks, and even though IPv6 requires support for secure authentication and encryption, if neither end requests it, it isn’t used for a given session. Even spread spectrum can be done with a ‘well-known’ spreading sequence. In the limit, if some popular digital chipset doesn’t sport a non-encrypted mode, then the Amateur community can pick one or more common keys and use them exclusively. Likely all ‘1’s or all ‘0’s would be rejected by the chipset, but cute keys like 0xDEADBEEF or some other popular stack ‘filler’ used by programmers would do nicely. Published widely and adopted commonly, transmissions encrypted by those common keys would be just as accessible as all the other digital alphabet soup that the FCC tolerates these days, as long as the protocol is publicly documented, and the keys published.
Note the above paragraph has nothing to do with the HIPAA argument, which frankly I think the ARRL is dead wrong on this one. Where in the world do their attorneys get off thinking that just because we are the ‘common carrier’ of such sensitive data, that somehow we don’t have any responsibility for securing it? That’s just laughable on the face of it, and doesn’t justify any further consideration. What’s the point of secure data, if the universe of available data exchange paths do not protect its privacy?
John KX4O says
Here is an interesting comment from a local ham friend of mine…
“Who says we need to do the encrypting or decrypting? If the FCC would also remove the responsibility for the content transmitted from our station when we are sending third party encrypted traffic then this would work.”
John
David W5KUL says
In truth what is “encryption” really? If I talk to someone on my radio, and I employ certain “key words” in what may otherwise be a normal conversation, I am employing a type of Steganography encryption. Hiding code words in plain sight. Does anyone think this does not happen? If they do, I would suggest they are naive.
Rick Troth N5VDC says
Exclusion of cryptography is a blocker.
YES, to open the door is its own slippery slope, but in so many areas we are simply disallowed because cryptography is required there.
Allowing cryptography is necessary.