Infoworld and Denning's study

[Peter Gutmann]

>Infoworld NZ has just published an awful article (written by US reporter Sari 
>Kalin and titled "Criminals Eyeing Encryption"), which emphasises repeatedly 
>that encryption is a major problem just waiting to happen, using Dorothy 
>Dennings report as a basis.  This represents a rather ugly way to interpret 
>the report (and, presumably, an attempt by the USG to recover something from 
>a report which was supposed to come down firmly in favour of crypto 
>restrictions but didn't).  
 
Due to the late hour I got that wrong, it's Computerworld NZ, not Infoworld 
(slight difference in naming).  Even later last night I wrote a letter to the 
editor which, I gather, will appear in the next issue.  I've included it below 
in case anyone finds it useful, it's written for a general audience who 
probably aren't aware of the deeper issues apart from the fact that the USG 
has a peculiar attitude towards crypto, due to length constraints I couldn't 
go into too much detail.  If you feel the need to circulate this, please don't 
do so until after next Monday when it's officially published.
 
Peter.
 
-- Snip --
 
The article "Crims eyeing encryption" in the September 9 Computerworld 
presents an extremely peculiar view of the study "Encryption and Evolving 
Technologies in Organised Crime and Terrorism".  The final conclusion of the 
study was that there is no real "encryption problem" which justifies placing 
limitations on the use of encryption, and yet the article, by more or less 
ignoring the conclusion and concentrating instead on a number of 
scaremongering quotes, manages to create exactly the opposite impression.  To 
understand what's involved here, it might be useful to know a bit about the 
background of the study.
 
For a number of years the US government has held that it needs to strongly 
restrict peoples access to encryption.  They can't actually provide you with 
any supporting facts for this because they're all classified, but if they were 
allowed to tell you, they're certain you'd agree with them.  Now over the 
years they came to the realisation that people weren't really buying this 
argument, and so they decided to create a study which would provide proof, 
once and for all, that they were right.  The two people who worked on this 
study were Dorothy Denning, virtually the only supporter of the US governments 
policy apart from the US government itself, and a vice-president of SAIC, a 
large defence contractor.
 
They toiled away for quite some time, and finally announced their results a 
month or two back.  Unfortunately the findings put them in a rather awkward 
position: Although the study was supposed to provide proof that there was some 
sort of "encryption problem" which needed to be countered, it instead showed 
that there wasn't really a problem at all.  Sure, it showed that criminals 
occasionally use encryption, just like criminals also drive cars, eat pizza, 
drink Coke, and (quite probably) read Computerworld.  The important point - 
which was almost completely ignored in the article in favour of running 
scaremongering quotes from a variety of US government officials - was that 
the "encryption problem", the whole reason for the governments' claimed need 
to restrict encryption, by and large didn't exist.
 
It got even worse for the government though.  So convincing was the evidence 
in the study that Denning - for years a very outspoken supporter of their 
policies - did an about-face and declared that she was no longer prepared to 
back government plans for restricting encryption until someone proved to her 
that there was a very good reason for it (this was reported in a number of US 
papers and publications which cover computer issues, so it was reasonably well 
known, eg "Denning unable to confirm FBI Assertions; alters her position" in 
the Mercury News, the largest silicon valley paper).  Although the governments 
star technical witness was unable to find any evidence that their position was 
valid, the Computerworld article, by resorting to selective quoting and 
innuendo, paints a very different, and quite inaccurate, picture.
 
(As a side-note, I find it amusing to read that the government policy relies 
on people handing over their encryption keys to them.  Quite apart from the 
question of why anyone would trust the US government with their keys, there's 
also the small problem that no criminal will ever do this - that's why they're 
criminals after all.  The only ones who'll ever get caught by this cunning 
plan are you and I).
 
-- Snip --
 
(I'm assuming most readers will get the Baldrick/Blackadder reference in the 
last sentence :-).