Crypto use to foil law enforcement?

I ran across this entry in the Congressional Record which discusses several examples where encryption was discovered in the course of a law enforcement investigation.

[Congressional Record: September 18, 1996 (Senate)]
[Page S10882-S10886]

[...]

Mr. GRASSLEY. Mr. President, I'm pleased that the Senate has passed the economic espionage bill. This is an important measure that I believe will save American business significant amounts of money. The theft of confidential information from American businesses is a serious problem, and this bill takes important steps in the right direction.

I am particularly pleased that the Senate has accepted the amendment I offered with Senator Kyl. This amendment commissions the first-ever study on the criminal misuse of encryption technologies. Under the Grassley-Kyl amendment, court officers who prepare pre-sentencing reports will include information on the use of encryption to conceal criminal conduct, obstruct investigations, and commit crimes. The sentencing commission will then collect and collate this information and include it in its annual report to congress. In this way, I am hopeful that Congress and executive branch will have reliable data on whether the criminal misuse of encryption is actually a problem and, if so, what response to this problem would be appropriate.

As chairman of the Oversight Subcommittee on the Judiciary Committee, I did an informal survey of state-level law enforcement concerning the criminal misuse of encryption. This informal survey, while not scientific, provides valuable insights into the actions of the criminal element in our society. Here are just some of the responses my subcommittee received.

In one case in which John Lucich of the New Jersey attorney general's office was involved, a computer was seized pursuant to a warrant in a serious assault case. Examination revealed that approximately 20 percent of the hard drive files were encrypted.
Investigators sought the assistance of two different Federal agencies. Both of these agencies were unsuccessful in decrypting the files. Finally, a third Federal agency was successful in decrypting the files after expending considerable resources. The decrypted files did not contain evidence of the assault but rather contained evidence of child pornography. The encryption type likely used was ``DES.''

And Officer Tim O'Neill of the Roseville, California Police Department reported to the subcommittee that he participated in a search involving a complaint against a subject who was on probation for solicitation/annoyance of minors. The subject had a hidden encrypted file on his personal computer. In the ``slack'' area at the end of the file the officer found names, addresses, school, grade, and phone numbers of 4-5 young teen girls. The encryption type used was known as ``pincrypt.''

Officer Mike Menz of the same department advised the subcommittee that he was working on a joint State/Federal major check fraud case where part of the potential evidence was encrypted.

Ivan Ortman, a senior prosecutor in Seattle, Washington, encountered some encrypted files and password protection in a cellular phone fraud investigation. For a number of files the popular and inexpensive ``PGP'' type of encryption was used. Orton indicated that no effort was even made to examine the files as the police could not locate any method for ``cracking that encryption.'' In other words, why try since such an effort is certain to be futile. Surely a rational society should look long and hard at this situation.

Agent Chuck Davis of the Colorado Bureau of Investigation reported to the subcommittee that he has encountered encryption as well as password protection problems. In one embezzlement case, a computer system was seized. Examination revealed that files on the hard disk were encrypted.
The software manufacturers were contacted and the technical personnel who wrote the program advised that, ``they had left no `back door' access to the product as this would adversely impact sales. The hallmark of the program's appeal is that it cannot be broken, even by those who created it.'' Agent Davis advised that his investigation was ``halted'' due to the time and expense of a ``brute force attack''. The encryption program used was entitled ``watchdog.''

Agent Davis also advised the subcommittee that password protection also presents problems for other types of investigators. In cases involving theft of drugs from an emergency room by a doctor, bribery/extortion by a police officer, and the suicide by an 11 year-old boy after telling friends that he had been molested by a family friend, investigators encountered password protection. The first two cases were successfully resolved through assistance from the manufacturer of the software.

The third case, however, especially illustrates the seriousness of decryption problems--determining the unique key or in this case, password from a large number of possibilities. According to Agent Davis, a mere 4 character password has 1.9 million possibilities due to the number of keyboard characters. Can you imagine how difficult it must be to figure a short, 4 character password. What if the password were 10 characters or 20 or more? It's easy to see why criminals are moving toward password protection for their records.

--
Greg Broiles
gbroiles@c2.net
510-986-8779 voice
510-986-8777 fax