The Encryption Conniption

A resolution for encryption debate remains as cryptic as ever.

by / September 30, 1998
Sen. Dianne Feinstein, D-Calif., recently brought leaders of the computer industry to Washington, D.C., to meet with Attorney General Janet Reno and FBI Director Louis Freeh to see if there was any way to resolve the ongoing dispute over U.S. encryption policy. After meeting with Bill Gates of Microsoft, Jim Barksdale of Netscape and Steve Case of America Online, the meeting reached what has become a predictable conclusion in this debate -- no progress was made.

While Gates called the meeting "a good exchange," he added, "there wasn't an agreement to change any position." Feinstein's comments were a bit more hopeful. "I think both sides did listen," she said. "I think some seeds for possible approaches were developed, and we'll see what happens with them."

But Dave Banisar, staff counsel at the Electronic Privacy Information Center (EPIC) and co-author of The Electronic Privacy Papers, a comprehensive look at the encryption debate, noted, "there's no serious possibility of an agreement being reached that would satisfy all sides of this. There is no easy solution, no such thing as a win-win on this."

Raging Debate

The debate on the use of strong encryption has been going on at least since the beginning of the Clinton administration. It is an issue of extreme importance to the high-tech industry, which generally would like to see no restrictions on the export and use of encryption programs. But the law enforcement and intelligence communities hold just as passionately to a position that, if not directly opposite that of industry, calls for restrictions that are totally unacceptable.

Ever since the "Clipper Chip" proposal at the beginning of the Clinton administration, the government's position has been that encryption programs must contain some kind of "key escrow" -- a mechanism by which a third party, such as a law enforcement agency, could decode encrypted messages pursuant to a court order. It is a situation that has been characterized as allowing a third party to hold the key to your safe-deposit box, and it is totally unacceptable to industry and privacy advocates.

At a press conference held by the Business Software Alliance, a group representing high-tech companies, Novell Chairman Eric Schmidt observed, "This encryption thing is turning out to be a real crisis. It's killing the American industry."

No Worries

Just how complicated resolution of these issues is was clear at EPIC's recent Cryptography and Privacy Conference in Washington. Gathered in a hotel auditorium were many of the world's leading experts in this area, along with government officials from the United States and abroad.

The current legislative solution to the problem was presented by Rep. Bob Goodlatte, R-Va., and Sen. Conrad Burns, R-Mont., who are sponsoring bills in both housesof Congress to allow for the unrestricted export of unbreakable encryption programs.

Goodlatte rejected the government's argument that unbreakable encryption would lead to catastrophic problems for law enforcement since it would not be able to obtain documentary evidence of criminal wrongdoing if it were encrypted in such a way that it could not be decoded. Instead, he pointed out that unbreakable encryption would prevent far more crime than it would foster, and companies and individuals would be able to send sensitive electronic files over the Internet without fear that the files would be read and used by unauthorized third parties.

Perhaps one of the most interesting aspects of the current situation is the question of whether the key-escrow concept promoted by the government is technologically possible. A panel that included Matt Blaze of AT&T Labs and Bruce Schneier of Counterpane Systems -- Banisar's Electronic Privacy Papers co-author -- suggested that keeping track of all necessary keys and allowing access only to authorized third parties was not so easy. They indicated that not only would keys that would decode encrypted messages generally have to be escrowed, but so-called "session keys," created only for a single transmission, would also have to be escrowed. Keys to be kept would likely number in the millions, if not the billions. And all of these would need to be escrowed so that on a handful of occasions each year, law enforcement agencies could use a few keys pursuant to a court order.

On the Firing Line

Bob Litt of the Department of Justice (DOJ) and Bill Reinsch, undersecretary of Commerce for Export Administration, took their lumps on the next panel. After EPIC's Marc Rotenberg praised the two for being willing to enter the lion's den and appear before an audience that largely disagreed with the government's position, the two ended up in deep water.

An audience member asked Litt why the government was still pursuing the key-escrow policy after it had been criticized in a report prepared by a committee of the National Research Council that included former officials from the justice and intelligence communities. Litt had to admit that he had never read the report, although he said he had been told that there were some serious problems with its methodology. Reinsch seemed to discount the importance of the report. But on a later panel, Helen McDonald of Industry Canada told the audience that her agency had taken the NRC report seriously and generally agreed with its findings.

The government's main weapon in the war against unbreakable encryption software has been the existing legal apparatus for export administration. Cold War policies allow the export of anything that could be used to military or intelligence advantage by a foreign power to be restricted or prohibited. This has included encryption software on the theory that foreign powers could develop communications packages that could not be decrypted by U.S. surveillance. So, in a peculiar set of circumstances, unbreakable encryption programs can be sold domestically but not abroad, even though unbreakable encryption programs developed abroad can be imported and sold here.

The computer industry has argued strenuously that these restrictions have put it at a disadvantage. One practical response from industry has been to manufacture encryption software abroad through a foreign subsidiary. A recent example was Network Associates' decision to sell a version of Pretty Good Privacy through a Dutch company. Another solution may be that encryption software companies will just move to off-shore locations where U.S. restrictions don't apply.

Free Speech Defense

The EPIC Conference wound up with a panel discussing the handful of cases currently being litigated. Most of these cases have been argued on the basis of whether encryption programs are speech protected by the First Amendment. At least one federal court in San Francisco has agreed that they are protected and found that export restrictions pose an unconstitutional infringement on the program author's First Amendment rights.

Anthony Coppolino, the DOJ attorney litigating all these cases, argued that the speech issue was somewhat irrelevant since a finding that the programs constituted speech would not determine whether their export could be restricted, but he agreed that another line of attack might be more damaging.

Attorney, Ken Bass is arguing that the regulations under the Export Administration Act have lapsed, that Congress has not bothered to reauthorize them and the president cannot continue to use an emergency economic powers act to provide the legal basis for continued enforcement of the export restrictions. As Bass noted, the president cannot claim that Congress' unwillingness to act is an economic emergency.

Both sides have entrenched positions in this debate and do not appear to be willing to compromise. It may well be that there is no compromise possible. A legislative fix that prohibits government from restricting the export of encryption software could solve the matter, but passage of such legislation is far from certain.

While Goodlatte's bill has a number of cosponsors, it has received mixed signals from various House committees that have dealt with it. It survived intact in committees exercising jurisdiction over commerce and consumer matters, but the House Intelligence Committee amended it so that it basically codified the government's position, an action that government officials at the EPIC Conference took as an encouraging sign.

The stakes in encryption are high, and without an agreement between the two sides, the development of electronic commerce and commercial and individual use of the Internet may well suffer. One intriguing possibility would be mass civil disobedience as business and individuals moved to use unbreakable encryption because it is a major component in resolving the continuing uneasiness about electronic transactions. In the end it may all come down to whether the government is willing to criminalize the behavior of the masses to make the job of law enforcement and intelligence easier in an electronic world.

Harry Hammitt is editor/publisher
of Access Reports, a newsletter published in Lynchburg, Va., covering open government laws and information policy issues.

October Table of Contents

Harry Hammitt Contributing Writer