Decoding the Controversy Over Exports of Encryption
It’s a nightmare scenario: Foreign terrorists plan to blow up a passenger terminal at a major U.S. airport. Our spies know that much. But no one knows where or when the attack will occur because the criminals communicate using a super code--an encryption method exported from the United States, no less.
For years, such terrifying possibilities have been trotted out to justify a federal policy that defines encryption as a weapon and restricts the export of hardware and software capable of encoding information.
But experts say a change in the political climate is likely to force the government to ease long-standing rules that prevent U.S. companies from selling overseas products, such as cell phones and personal computers, that contain strong encryption technology.
A blue-ribbon report released May 30 states that national security actually is threatened more than helped by the export controls because they ultimately deprive corporate America of adequate encryption devices to protect sensitive information from computer hackers. Within days of the report’s release, a Japanese company confirmed that it has already begun to sell powerful encryption chips that U.S. companies are forbidden to export.
The developments come at a time when Congress has been pressuring the Clinton administration to ease restrictions. Three versions of such proposals are pending on Capitol Hill, and the Senate Commerce subcommittee on science, technology and space will have a hearing Wednesday on the issue of export controls. Sen. Conrad Burns (R-Mont.), who chairs the panel, is the author of one of the bills.
“What’s going to happen is that the export restrictions will become moot,” says Daniel Cohen, professor of computer science at Hunter College in New York and an expert on export control question. “The technology already is leaking out of America. The idea that we have a monopoly and can keep it out of the hands of other countries is out of date. The restrictions only hurt American entrepreneurs.”
The outcome of this seemingly esoteric battle over export policy will have a major impact on how much privacy the average American will enjoy in the coming century, experts say. With confidential personal records such as medical histories stored in electronic databases and an increasing push toward an information economy in which routine banking and credit card transactions are conducted online, encryption may be the only way to assure privacy.
“We’ve been holding back security domestically, and at this point the Internet provides less protection than it should,” says Kenneth Dam, the University of Chicago law professor who chaired the National Research Council panel that prepared the new National Academy of Sciences report titled “Cryptography’s Role in Securing the Information Society.”
“We need an agency that has primary responsibility for promoting domestic security. We have the NSA [National Security Agency] for classified security, but no part of government considers itself responsible for civilian computer security,” he says.
*
The power of cryptography has been put to use during wartime ever since Julius Caesar sent military messages using a simple code to replace one letter of the alphabet with another. Like the more complex codes that would be devised in the next centuries, Caesar’s cipher relied on a single key, which a sender would use to encrypt a message and a recipient would use to decode it.
Protecting the key from enemy hands was the problem that plagued cryptographers until the 1970s, when a young computer scientist named Whitfield Diffie came up with a remarkable solution: split the key in half.
Here’s how it works: A so-called public key encryption system, which uses mathematical recipes called algorithms to scramble data, relies on two keys, one private and one public. Whatever is encoded by one key can be decoded by the other. Encryption users distribute copies of their personalized public keys but keep their private keys to themselves. A sender uses a public key to encode a message; the recipient uses a private key to decrypt it.
A commercial public key encryption system is now marketed by RSA Data Security, a Silicon Valley company. But the government rules only allow the export of products with relatively simple keys, in order to preserve the ability of spy agencies to crack the codes.
The National Research Council report, prepared over 18 months at the behest of Congress, calls for the government to ease restrictions enough to allow the export of strong codes that rely on 56-bit digital keys to encrypt and decrypt information. Currently, keys of no more than 40 bits may be exported.
Domestic access to strong encryption technology has also been limited because U.S. companies were unwilling to manufacture two separate grades of products to sell at home and abroad.
“It’s not as cheap as you might think to produce two designs for two different markets. You’d almost be duplicating the effort of designing the product in the first place,” says Jim Bidzos, chief executive of RSA Data Security.
*
But last week, a Japanese corporate behemoth, Nippon Telegraph & Telephone Corp., announced that it has begun to sell a set of two chips that can be embedded in a variety of products to provide strong encryption. The chips use the world’s best-known strong cryptography program, the data encryption standard. DES relies on a 56-bit key to encrypt data. The NTT technology goes one better: It uses a technique called “triple DES” to multiply the power of the code and to create a system so strong that it is considered virtually unbreakable.
NTT officials have said they would like to use software from RSA Data Security to provide an added layer of protection by encrypting the keys that unlock the triple DES code. Because NTT is a major global supplier of products ranging from phones and fax machines to fiber-optic cable and complex computers known as switches and powerful routers, the chips will be widely distributed.
The potential impact of NTT’s plans has prompted even such longtime proponents of export controls as the National Security Agency’s former general counsel to say that time is running out for the U.S. government to show that the restrictions serve any purpose beyond creating an impediment to U.S. companies’ trying to compete in an international market.
“U.S. companies are going to say that you have restrictions for us that don’t exist for competitors,” says Stewart Baker, now a lawyer in private practice in Washington. “In today’s climate, it’s hard to maintain that kind of control.”
But although government officials indicated last week that the administration may streamline the export-licensing process to speed it up, such a move would not ease overall restrictions. The administration warns that privacy requires a trade-off. More privacy means less security because widespread use of strong encryption would make it harder for law enforcement agencies to conduct wiretaps to investigate the activities of sophisticated criminals.
“Of course, what really has big implications for law enforcement agencies, in terms of their ability to investigate a lot of crimes, is to make sure that encryption does not preclude the government from listening in when necessary,” says Dorothy Denning, a professor of computer science at Georgetown University in Washington and longtime advisor to the Clinton administration on encryption policy.
The government has long advocated adoption of a national encryption system with a feature that would create and archive a copy of everyone’s digital key. Then, if the government obtained a court order authorizing eavesdropping on encrypted conversations, law enforcement agencies could obtain the key to unscramble the communications.
“The National Research Council report acknowledged the problems of law enforcement, and that’s a positive step,” Denning says. “The answer would be a system where people were using very strong cryptography, with really long key lengths, and their keys would be in escrow with a party they trusted. They would have a choice as to what country the keys would be escrowed in. Corporations could operate as their own key holders.”
But the key escrow proposal, which relies on a computer chip called the Clipper, has been fought by an array of interest groups that do not normally find themselves on the same side of a hot political issue: Civil libertarians fear indiscriminate government eavesdropping, and corporate interests worry that they’ll lose sales and be unable to assure the security of online commerce.
“The average American needs encryptions to protect from privacy invasions by both law enforcement and corporate interests, who want to use personal information and sell it,” says Richard Field, chairman of the American Bar Assn. committee on electronic commerce payment and author of the association’s proposed digital signature guidelines. “But corporate interests are somehow standing on the same side of the battle now as the average American, fighting the government.”
Freelance writer Michelle Slatalla can be reached via e-mail at mslat@echonyc.com
