Decoding the Encryption Debate

ellen@mindworx.com and kmtamak@legal.pactel.com

Does government have an absolute right to listen to private conversations? To force citizens to actively make themselves available for wiretapping? To force companies to design their products to enable the government to eavesdrop on their customers?

In the encryption debate, the government says yes. We disagree.

So what is encryption? It’s a way of scrambling and protecting digital data. This is usually done with a software program and an associated software “key.” The key tells the program how to scramble the data so that only the person you send the information to can unscramble it.

The longer the key (for example 40-bit versus 128-bit), the harder it is for eavesdroppers to unscramble. The whole point of encrypting data is to keep the data, and the key, secret from competitors, thieves or anybody who for any reason would pry into your business.

Federal government policy since the Cold War has prohibited the export of encryption products utilizing keys greater than 40 bits. (This has recently been raised to 56 bits under certain burdensome conditions.) The idea was to keep strong encryption out of the hands of criminals and terrorists while maintaining the ability to decrypt their data. But recent advances in computing technology have rendered 40-bit encryption dangerously weak and export limits commercially obsolete.

The Clinton administration has responded with several policy revisions, but the problem lies in its insistence on two things: export limits and mandatory “key recovery.”

Key recovery refers to any system that provides third-party access to encrypted data. It allows the government (and other clever people) to retrieve the key and surreptitiously “unlock” encrypted information.

The National Security Agency and the FBI claim that if encryption is too strong for them to break with a brute force attack, they need access to the key. Thus the government will only lift export controls for companies that implement acceptable key recovery.

While sympathetic to law enforcement, the tech industry points out that some countries have no export limits and that strong encryption is widely available. There are no restrictions for domestic use. It’s obtainable from the Internet. Today, you can legally import 128-bit encryption products without key recovery from foreign firms, yet you would be committing a federal crime if you exported it back out. The added insult is that many of these firms are using technology originally developed in the United States.

This policy simply loses sales for American companies and does nothing to limit the availability of strong encryption. Worldwide, businesses and individuals are clamoring for good, strong encryption. But why would the rest of the world purchase products with back doors for U.S. government snooping when unrestricted products can be bought from Germany, Japan or Russia? Terrorists and criminals certainly won’t.

Although much of the concern surrounding this issue has focused on Silicon Valley, the San Fernando Valley also has a major stake in the debate. In 1995, U.S. sales to foreign countries of core copyright industries--including filmmaking, TV broadcasting, recording, publishing and software--totaled $53 billion, ahead of every export sector except the automobile and agriculture industries. In addition to the 1,500 software and multimedia firms in the Valley area, our entertainment companies are fast becoming purveyors of bits.

As the digitization of video discs, audiotapes and TV broadcasts evolves, personal computers and the Internet provide a means for instantaneous dissemination of digital masters--and intellectual property becomes ever more difficult to protect. Copyright law alone will not impede unauthorized use and distribution. Encryption and copyright management technologies are imperative for physical protection.

But our studios and small multimedia firms should not have to navigate onerous export controls or restrict themselves to weak technology simply because they want to incorporate encryption into their protection strategies. Products and protection should be designed according to company policy and customer priorities, not government demands for access.

Recognizing this, both the Valley Industry and Commerce Assn. and the United Chambers of Commerce of the San Fernando Valley are supporting the Security and Freedom Through Encryption Act (HR 695), known as SAFE, and its companion bill in the Senate, S377, or ProCODE. These bills would eliminate export controls on encryption products and prohibit the government from mandating key-recovery systems. They represent our best chance at reforming U.S. encryption policy in a way that protects privacy, promotes electronic commerce and recognizes the realities of the global economy.

Technologically astute Reps. Howard L. Berman (D-Mission Hills) and Elton Gallegly (R-Simi Valley) voted with the House Judiciary Committee to approve SAFE. Gallegly and Reps. Brad Sherman (D-Sherman Oaks) and David Dreier (R-San Dimas) joined Rep. Howard P. “Buck” McKeon (R-Santa Clarita) as co-sponsors. Sen. Barbara Boxer (D-Calif.) is co-sponsoring ProCODE.

We urge the Clinton administration to accept reality and adhere to its own policy statement in “A Framework for Global Electronic Commerce”: “Efforts to protect the privacy of personal data and to protect intellectual property are futile unless there are technologies and policies in place that ensure the security and integrity of on-line information.” And if Vice President Al Gore truly wants the information superhighway to flourish, he should support the high-tech community on this issue.

Public networks, including the Internet, are rapidly becoming a primary means for business to conduct banking, send mail and distribute intellectual property. To be effective, they must be secure.
