---------- Forwarded message ----------
Date: Sun, 22 Jun 1997 20:52:08 -0700 (PDT)
From: Declan McCullagh
The Washington Post, July 27, 1996, p. A22.
Speaking in Code on the Internet ... [Editorial]
The decibel level has been rising in the argument over how much control the federal government should have over the export of encryption technology. The Senate Commerce Committee held hearings Thursday on a proposal dubbed Pro-CODE (Promotion of Commerce On-line in the Digital Era) that would lift current restrictions on exporting encryption software above a certain level of complexity. The move is opposed strongly by law enforcement and national security authorities, who fear the consequences to their tracking of terrorism or crime if uncrackable cryptography becomes the global standard.
But encryption software -- which scrambles a person's computer messages so no one can read them without a key -- also is thought by many in the computer industry to be the missing piece that's preventing customers from a full-scale move to the Internet for banking and other confidential transactions, rather than, as now, worrying about the security of their data. They also see it as a market in which the United States maintains a comfortable lead, one that is threatened if domestic encryption makers can't sell their products elsewhere. The makers argue that foreign encryption software will rush in to fill the gap, doing nothing about the uncrackability problem -- indeed, making it worse. The administration in turn is pursuing a wider international agreement to maintain controls on cryptology export by all the industrialized nations and has been putting pressure on its colleagues in the Organization for Economic Cooperation and Development, which will rule on the matter in a Paris meeting in September.
Administration officials, including FBI chief Louis Freeh, have been pushing for an alternative policy of "voluntary key escrow" -- encryption makers would deposit a key to the code with a neutral third body before exporting the products and could then have access to the codes only by court order, as happens now with wiretapping. Mr. Freeh, testifying at Thursday's hearing in favor of an optional key escrow plan, noted that the point is not to prevent all copies of uncrackable code from going abroad -- that's clearly impossible -- but to prevent such high-level code from becoming the international standard, with architecture and transmission channels all unreadable to world authorities. To software companies and Internet users who have been clamoring for the right to encrypt as securely as possible, Mr. Freeh and others argue, "the genie is not yet out of the bottle" on "robust," meaning uncrackable, encryption.
It's far from obvious to anyone that an optional escrow plan really can prevent the growth of inaccessible transmissions by international terrorists or criminals. Encryption, if widely used, could conceivably ease some privacy problems concerning who gets to see personal and financial data on individuals -- though such data usually are vulnerable to being dug out of storage rather than intercepted in transmission. But neither is it clear that the encryption enthusiasts' desire for free development should take precedence over the tracking of terrorism. At the very least, Congress should be exceedingly cautious about getting out ahead of administration concerns on controls that, once lifted, are hardly reversible.
----
The Washington Post, October 4, 1996, p. A22.
Crypto Politics [Editorial]
The Clinton administration once had a coherent, if unpopular, position on encryption software, the stuff that allows you to encode your email messages or other data so that no one can read it en route without a key. Now, in the wake of word that the president will sign an executive order, the position is no longer coherent, nor discernibly more popular with the high-tech audience it attempts to mollify.
People and companies doing international financial business are highly interested in this kind of software, the more powerfully "uncrackable" the better. The U.S. software industry thinks there's a lot of money in it, especially if encryption becomes routine.
The administration position till recently was that, much as U.S. software companies might profit from being able to market "uncrackable" encryption software freely, national security and law enforcement considerations dictated that such exports be controlled by license. Powerful encryption, like arms, could be dangerous in the hands of terrorists, rogue governments or international criminals. The software was classed as a munition; software above a certain uncrackability level could not be exported unless law enforcement authorities could get access somehow to the "key" after obtaining the proper warrants.
Unbreakable codes on the loose strike us as a real danger, a legitimate reason for tight export controls. But if the administration really believes this, you'd think it would stick with steps that can plausibly meet the goal of control. Instead, trying to please, it has been splitting and splitting the difference between itself and the largely unmoved industry, which argues that no one will buy an encryption product that a government can decrypt at will. As with arms sales, the companies also argue that if they don't sell it, somebody else will, and that anyway it's far too late to fence off rogues.
The national security people respond that there is still a "window," perhaps two years, in which they can prevent, if not all leaks of unauthorized crypto technology, at least its off-the-shelf use and wide adoption as the international standard.
The administration initially proposed, then repeatedly refined, the concept of key "escrow" -- depositing a copy of the code with trusted third parties -- but never came up with a version the industry would accept. It commissioned a National Research Council report, which recommended a significant easing of restrictions.
Now the president appears to have embraced a yet looser form of licensure upon declaration by a company that it will develop a plan within two years for key recovery. Also, the technology no longer will be considered munitions. What kind of plan? Nobody can quite say. What if the plans aren't acceptable? Licensing will revert to the old rule in two years. Will the security issue be moot by then? Probably. Barring some burst of clarity, one is left wondering whether the administration has compromised or caved, and what it now believes about the dangers of exporting uncrackable software.
----------
Showdown on Encryption
Sunday, May 25 1997; Page C06
The Washington Post
AFTER A YEAR'S rumbling, Congress seems ready to mount a direct challenge to the administration's position on encryption, the sticky issue of how to handle software that creates, for commercial use, codes too strong to break. The House Judiciary Committee the other day passed a bill dubbed Security and Freedom Through Encryption, or SAFE, which would undo existing curbs on the export of "uncrackable" encryption technology abroad without a license. The administration has fought to maintain those curbs against increasing pressure from the manufacturers of such software and from a loose but growing coalition of privacy and civil liberties groups. A similar bill is pending in the Senate.
The administration maintains that the sellers of software capable of encrypting electronic messages to a complexity beyond ready cracking shouldn't sell it abroad -- or, if they do, should be prepared to deposit keys to the codes with trusted commercial third parties at home. Police or national security authorities could get these keys with a search warrant or court order, as in normal investigations, and a market would develop to provide the third-party service of holding them. This vision of a worldwide "key management" structure is a clever way to reconcile two otherwise contradictory desires: the desire of Internet users for absolute security and privacy in electronic transactions and the government's desire to prevent criminals and terrorists from making themselves impregnable to a degree never before seen.
"Key management" does not, however, exist. And the administration has gone so far toward undercutting its own position -- saying key escrow should be voluntary, trying to accommodate industry with numerous exemptions, licensing uncrackable software separately for banks -- that it's not clear it ever will exist.
Meanwhile, the once-obscure drive to make unlimited-strength cryptography available to all has picked up momentum -- and some odd allies. Phyllis Schlafly was among those who testified in favor of the SAFE bill, saying it would protect Americans from unprecedented government intrusion and the FBI reading their mail. Libertarian groups such as Americans for Tax Freedom are enthusiastic about the vision of a world where powerful, widely available encryption renders communications totally safe.
The odd part is that there currently are no restrictions on use of uncrackable encryption software within this country. The software industry has argued that the export control makes for a de facto domestic curb, because it's too complicated to market a full-strength version for the domestic market and a weaker one for the foreign market.
But this isn't a very persuasive argument, since most popular software programs exist in dozens of versions for different markets and in different languages.
The real question is whether you believe this stuff poses a significant national security threat in the wrong hands. If you do -- and we think it irresponsible to assume otherwise -- then it's not enough to declare uncrackable privacy a civil right. You have to at least address the question of how to minimize intrusion into that right while preserving some ability to grapple with the potential danger. Neither the SAFE advocates in Congress nor the administration's voluntary escrow enthusiasts up to now have laid out that vision in a convincing way.
###