Why U.S. Encryption Policy Harms Businesses and the Economy
by Justin Matlick, in Action Alert No. 15, Center for Freedom and Technology at the Pacific Research Institute (01/03/1999)

Despite recent
events that highlight the futility of its policy, the White House insists
on regulating encryption technology. This policy is ineffective and harms
the Internet, U.S. encryption makers, and the domestic economy. As they
debate reforms in this area, legislators must consider a better and proven
approach. The ideal policy would eliminate encryption controls and embrace
the free market.

Encryption: The Key to Security

Encryption is the key to security in the Information Age. By scrambling information into unreadable text, encryption ensures the privacy of electronic data and communications. It gives companies and consumers confidence that their information is safe. This confidence is critical if the Internet and electronic commerce are to flourish.

But encryption comes in many strengths, and strong encryption carries a price. A mathematical algorithm known as a "key" determines the strength of an encryption program. A key's complexity depends on its length, which is measured in bits: the higher the number of bits, the harder it is to break the encryption. Some of the encryption programs available today are so strong that they are essentially "unbreakable" using current technology.

Such strong encryption is a two-edged sword, protecting information from criminals but also protecting criminals from the police. Just as business transactions can be encrypted, so can communications between spies, drug traffickers, and terrorists. U.S. law enforcers fear that, by protecting these criminal communications, strong encryption will empower a new, computer-driven crime wave. In response to this fear, the Federal Bureau of Investigation, the National Security Agency, and other agencies have called on Congress and the Clinton Administration to enact policies that would enable law enforcement personnel to read all encrypted communications.

The challenge facing Congress is to craft an encryption policy that balances the needs of business and law enforcement. Federal legislators have responded to this challenge by considering a variety of policies ranging from strict regulation to substantial deregulation. But the Clinton Administration has stymied these reform efforts by its stubborn refusal to support anything but the strictest possible regulations.

The Clinton Administration's Encryption Policy

The Administration generally recognizes that the Internet should be free from government intervention. But when it comes to encryption policy, the White House's actions betray its words. The Administration's policy attempts to limit the spread of strong encryption using three policy tools: export restrictions, "key recovery" requirements, and industry exemptions.(1)

The Administration severely restricts the export of encryption products stronger than 56 bits. In December, the Administration extended export regulations to foreign countries by orchestrating the Wassenaar Agreement. Under the agreement, 32 countries, including Japan, Germany, and Britain, caved in to U.S. pressure and agreed in principle to bar the export of encryption stronger than 64 bits.(2)

Encrypted data is unscrambled using its electronic key. U.S. firms wishing to sell encryption stronger than 56 bits abroad are required to incorporate "key recovery" features. These features, which essentially create spare keys law enforcers can use to decrypt suspect communications, are supposed to provide the guaranteed access that the FBI and other law enforcement agencies covet.

Key recovery amounts to a built-in security vulnerability. Therefore, it is vehemently opposed by companies wishing to use strong encryption to protect their communications with foreign affiliates. In response to this opposition, the White House has issued exemptions. The financial services industry, for example, is permitted to use the strongest available encryption, without a key recovery feature, to communicate with overseas subsidiaries. The health and insurance industries are also exempt. By placating opponents of encryption regulations, the Administration's exemptions take dollars away from reform efforts. But they do not make the White House policy sensible.

Why Encryption Regulations Are Ineffective and Harmful

According to Vice President Gore, current encryption regulations "will protect our national security and safety, and advance our economic interests, and safeguard our basic rights and values." But the Administration's encryption policy actually hinders progress towards these goals.

Export restrictions do not deter illegal activity. Most countries place no restrictions on encryption. At present, criminals at home and abroad can download unbreakable, 128-bit encryption from companies in at least eight countries, including Germany, South Korea, and Russia.(3)

Global standards, therefore, render 56-bit encryption weak. But this encryption is not only obsolete, it also is regularly and easily broken. In January, for example, U.S. encryption maker RSA Data Security offered $10,000 to the first group to decrypt a message encrypted with the government's preferred 56-bit algorithm, known as the Data Encryption Standard. It took only 22 hours for a group of computer enthusiasts to crack the code.(4) Attacks on encryption will only get more efficient as the value of information transmitted across the Internet increases.

Despite its apparent weakness, the White House claims that the 56-bit export ceiling is not too low because firms may export stronger, key-recoverable products. But key recovery is a recipe for disaster. The databases storing the keys will be prime targets for spies and hackers. Foreign encryption buyers recognize this and avoid buying U.S. products that contain recovery features.

U.S. policy, therefore, harms American encryption makers. The consulting firm Interpact estimates that the global encryption market reached $1 billion in 1995.(5) According to the National Research Council, this market could total "many tens of billions of dollars" as use of the Internet expands.(6) By locking American firms out of this market, encryption controls force them and their profits offshore.
In January, RSA Data Security set up an Australian affiliate to avoid U.S. regulations.(7) Companies such as Sun Microsystems have had no choice but to partner with foreign firms.(8) This means fewer jobs and fewer dollars for American workers.

Recognizing these harmful effects, legislators such as Senator John Ashcroft (R-MO), Senator Conrad Burns (R-MT), and Representative Robert Goodlatte (R-VA) are trying to curb encryption controls. Several reform bills were introduced before the 105th Congress, and new versions of these bills will soon appear before the 106th. As legislators debate encryption reform, they should recognize that the only sensible policy would eliminate encryption regulations altogether.

A Free Market Would Strike the Appropriate Balance

An unhindered market would strike the appropriate balance between the needs of business and law enforcement; under a free-market system, all parties would be better off. Those seeking guaranteed security could buy unbreakable encryption products. High-tech firms could compete globally, returning jobs and dollars to U.S. soil.

While criminal communications would likely increase, law enforcers would not be powerless. Just as they can demand phone records, they can subpoena email, records of electronic transactions, and encryption keys. More significantly, they can respond with innovations of their own.

The idea of eliminating encryption regulations remains painfully absent from the U.S. debate. But many other countries, even some left-wing governments, have seen the light. In France, for example, socialist Prime Minister Lionel Jospin rolled back the government's strict encryption controls in January.(9) Recognizing that these regulations harmed the French economy, Jospin replaced them with more funding for police efforts to counter threats from criminals. Congress should follow Jospin's lead and remove American firms' competitive disadvantage by abolishing encryption controls.
Just as industries can respond creatively to regulations, the police and other public institutions can respond creatively to private-sector innovations. Until these realities are incorporated into policy, national security will remain at risk and the economy harmed.

NOTES

2 The Wassenaar Arrangement was crafted and adopted on December 2nd and 3rd, 1998. A Reuters news summary of the Arrangement can be found at http://www.crypto.com/reuters/show.chi?article+912708583. In-depth information about the Wassenaar Arrangement can be found at

3 Heidi Przybyla, "Software firms press for encryption reform," Journal of Commerce, February 10, 1999, page 1A.

4 PR Newswire, "RSA Code-Breaking Contest Again Won by Distributed.Net and Electronic Frontier Foundation," January 19, 1999. For text of the release, see http://www.prnewswire.com/cgibin/stories.pl?ACCT=105&STORY+/www/story/01-19-1999/0000848955.

5 According to Winn Schwartau, executive director of Interpact, as reported by Jill Gambon in "The business of security," Information Week, April 10, 1995, page 64.

6 The National Research Council's Committee to Study National Cryptography Policy, "Cryptography's Role in Securing the Information Society" (Washington, DC: National Academy Press, 1996), Kenneth W. Dam and Herbert S. Lin, Editors, Section 4:3, page 35. Available:

7 PR Newswire, "RSA Provides Security Solutions to Worldwide Markets Through New Operation in Australia," January 6, 1999.

8 Information gathered from a variety of news reports, including: Julia Angwin, "Sun exploits loophole in encryption ban," San Francisco Chronicle, May 20, 1997, p. C1; John Fontana, "Sun Crypto Skirts Feds Imported 128 bit technology sidesteps U.S. regulations," Communications Week, 5/19/97; Michael Kanellos, "Nyet to Uncle Sam: Sun finds loophole to cryptography ban Sun signs deal with Russian Company", Computer Reseller News, June 9, 1997.

9 For an excerpt of the French announcement, translated into English, see http://jya.com/fr-128bit.htm. For the complete announcement, see http://www.premier-ministre.gouv.fr/PM/D190199.htm.