A Call for a Chorus of Voices

[Nomen Nescio]

In these days after the World Trade Center attacks, calls are being heard
for restrictions on access to the technologies of privacy.  As more
and more communications go by e-mail, chat rooms and cell phones,
our intelligence and law enforcement agencies are beginning to rely
on surveillance of these systems in order to collect information about
dangers to society.  Early reports suggest that some of the information
about the terrorists has come from monitored cell phone signals.

These monitoring and surveillance operations are threatened by
new technologies based on cryptography.  No longer just for spies,
cryptography can be used to encrypt e-mail, chat messages, and even
telephone communications so that they are hidden from outsiders.  Exotic
cryptographic technologies potentially provide even more protection for
terrorists as they plan and coordinate attacks.

Osama bin Laden, the figure most often named as a possible mastermind
of the terrorist strikes, is said to have trained his operatives
in the use of these technologies in order to communicate securely.
They encrypt messages and then use the related technology called
steganography to embed them undetectably in pictures, music and other
seemingly innocent data.  They are said to use anonymous mail accounts to
deliver these messages to chat rooms and bulletin boards where they can be
downloaded by other agents.  This allows the group members to communicate
completely undetectably.  Not only that, it preserves the terrorist
"cell" structure -  different members don't have to know the identity
or even email addresses of others in order to communicate.  All they
need to know is in what public forum to look for and leave messages.
Their identities are completely protected through these technologies.

Clearly, cryptographic privacy and anonymity are tremendously valuable
to terrorists, and tremendously obstructive to the efforts of law
enforcement to use electronic surveillance.  Representatives of these
organizations have warned for years that criminals and terrorists would
begin making use of cryptographic technologies, and their fears have
now been realized.  Under the present circumstances, legislators are
beginning to call for restrictions on access to cryptographic technology.
Old proposals are being revived to require that all encryption systems
contain a "back door" which would allow law enforcement access to the
contents of a communication.

We face many dangers at this moment.  The smoking ruins where some
of our proudest buildings once stood, temporary tombs to thousands of
innocent dead, plainly demonstrate the difficulties ahead.  Under the
circumstances it is appropriate for us to consider the balance between
security and freedom which we will adopt as we prosecute a new kind
of war.  As in past wars, sacrifices will be necessary for all of us.
No one should underestimate the hardships ahead.

At the same time, it is important to remember what we are fighting for.
It's not just revenge for the people killed and the buildings destroyed.
We are fighting for our way of life.  If we ignore terrorism, we will
live in fear, always wondering what new horror will be dropping from
the skies.  We will be restricted in how we live, what we do, where
we go.  Our legacy as free Americans will be lost.  This is why we fight.
We fight for freedom.

Given these goals, restricting access to cryptography must be understood
to be a complex issue.  It's not as simple as taking tools out of the
hand of bin Laden and other terrorists.  Cracking down on cryptography
will reduce the freedom of all Americans while failing to effectively
eliminate the use of the technology by those who threaten us.

The fundamental problem is that the tools already exist which allow
terrorists to communicate securely.  Many of them are in the form of free
software, distributed on hundreds of thousands of computers around the
world, which can be run on any ordinary PC.  Much of it was developed
by private individuals for their own use, and then donated to the world.

Any new law to limit cryptographic technology would have no effect
on the use of this large base of existing software and hardware.
Steganography and related technologies will make it impossible to detect
the use of now-forbidden software.  The new breed of terrorists from bin
Laden's training schools will continue to be able to use these tools.
Laws will be ineffective in preventing their use.

The only real effect of these laws would be to prevent honest Americans
from communicating with true privacy.  They are the ones who would
honor the ban and they would be the only ones effected.  They would have
their privacy taken away while bin Laden and his associates are able to
communicate with perfect secrecy.

While not many citizens make use of cryptographic technology now, experts
predict that it will be increasingly important in the future.  In an
Internet where attacks of all sorts are becoming ever more sophisticated
and numerous, cryptography will be a central technology in building the
secure systems of the future.  Limiting and restricting cryptography
will only make the Internet less secure.

When proposals for restrictions on cryptography first surfaced in the
1990s, security experts carefully analyzed the suggestions.  The response,
virtually unanimous, was that putting back doors in cryptography would
reduce its reliability, security, and efficiency, while increasing costs.
Any back door is a potential security hole.  The hackers and crackers
who are expert at exploiting flaws are going to be given a new set of
targets for their attacks.

Indeed, in the years since, a number of incidents have confirmed these
fears.  Last year, for example, the widely used PGP encryption software
was found to have a vulnerability related to the "Additional Decryption
Key", a feature added to the commercial version for back door access to
messages by corporate management.  Attackers could specify fake Additional
Decryption Keys and get them accepted by the software, allowing them to
read any message sent.  The inherent complexity in the implementation
of the Additional Decryption Key feature left a security hole open,
exactly as had been predicted.

Any requirement for government access back doors would undoubtedly lead
to similar weaknesses in other systems.  And next time the problems
might not be found by someone who was willing to reveal them publicly
so that they could be fixed.  In a world where all fielded cryptographic
technology had mandatory back doors, discovery of an exploit could be used
for financial gain, information warfare, or even new forms of terrorism.
It is certain that the Chinese and other competitors on the world stage
would put their best analysts on the job of finding weaknesses which
they could exploit in the future.

Restrictions on cryptography would weaken our Internet infrastructure
without achieving their goal of precluding use of the technology by
those who threaten us.  They are a bad idea for both of these reasons,
but there is a more fundamental objection as well.

The point of our war on terrorism is to preserve our freedom, our way
of life.  We cannot allow ourselves to take shortcuts in this battle
which eliminate fundamental freedoms.  And nothing is more fundamental
than our freedom of speech and communication.  It is enshrined in the
very first amendment to the constitution.

Cryptography is fundamentally a form of free speech.  It is the freedom to
speak privately and anonymously.  Yes, it can be exploited by criminals.
But that is the price we must pay as a country which is dedicated to the
ideals of freedom.  We accept the risk of allowing criminals their freedom
to communicate because we value and cherish this as a fundamental right.

We will not allow our country to be turned into an Orwellian surveillance
state, where every word we speak and every deed we do occurs under the
eyes of government agents.  The very idea is anathema to Americans.
But this is exactly what is being called for by those who propose to
forbid citizens to communicate in a manner which cannot be heard and
understood by the government.

We face challenges ahead, and we must find a balance between security
and freedom.  But we must not allow ourselves to be blinded by fear
and panic, so that we discard truly fundamental freedoms in what will
ultimately be a futile attempt to increase security.  This would be the
worst of both worlds.  We would have lost a major element of freedom
of speech, the freedom to communicate without government surveillance.
And we would have failed to effectively prevent terrorists from using
cryptographic technologies to their own ends.