Interesting People mailing list archives
IP: The Crypto Generation Gap, from Wired 5.10
From: David Farber <farber () cis upenn edu>
Date: Tue, 09 Sep 1997 17:42:27 -0400
Date: Tue, 9 Sep 1997 14:38:11 -0800
To: farber () cis upenn edu, pagre () weber ucsd edu
From: "--Todd Lappin-->" <telstar () wired com>

In light of all the encryption developments of this week... I'm passing along this column from the current issue of Wired. I think it helps put things in perspective. Feel free to redistribute

--Todd Lappin-->
Associate Editor
WIRED Magazine
From: Wired 5.10, October, 1997
THE GENERATION GAP

The Old Guard wants to ban strong cryptography to protect the national security state. The Young Turks want to unleash strong crypto to protect the national economy - and our privacy. A report from the front lines of a struggle for the future.

By: Rebecca Vesely

It's a sweltering July afternoon in Washington, DC, as a dozen lawmen dressed in dark blue suits file into a meeting room on Capitol Hill. The broad-shouldered cops stroll confidently through a crowd of lobbyists, journalists, and congressional staffers, push aside the "reserved" cards placed before their front-row seats, and settle into their chairs.

The men are supercops - bigwigs from the FBI, the National Security Agency, the Drug Enforcement Agency, and the Commerce Department - and they've come to Congress to declare war on strong encryption.

On this particular day, the lawmen are on hand at a meeting of the House International Relations Committee, which is poised to vote on the Security and Freedom through Encryption Act, better known as SAFE. Sponsored by Representative Bob Goodlatte (R-Virginia), SAFE would prohibit the government from imposing any controls on the use of strong encryption within the US and relax the export regulations that bar American firms from selling such software internationally. The bill is a darling among high tech companies and civil libertarians, but to the law enforcement guys, SAFE is a nightmare.

As the Feds settle into their seats, lobbyists from Netscape, Microsoft, and Pretty Good Privacy huddle along the side wall, biting their nails and seething about the supercops in hushed, nervous tones.

Although SAFE has attracted strong support in the House, the massive show of institutional force by the national security apparatus is a grim indication that the tides have turned in the encryption debate. Only a few months ago, high tech lobbyists were prodding the White House to relax its encryption export controls.
Now, they're fighting to keep the technology legal.

Surprisingly, however, the ominous, front-row presence of the supercops was not enough to sway the International Relations Committee. Nor was the flurry of anti-SAFE letters sent by Defense Secretary William Cohen and Attorney General Janet Reno. At the end of the day, the committee passed SAFE by a voice vote.

Yet much greater challenges lie ahead. The ongoing battles over encryption policy have exposed a glaring rift between two vastly different political camps inside the Beltway - each fighting to uphold a different vision of the future. For the aging Cold Warriors who fantasize that crypto can be closely controlled, the future looks like a reprint of an old James Bond movie, replete with heroic cloak-and-dagger struggles against drug lords, terrorists, and rogue foreign governments. But for those with a deeper understanding of digital technology, the future brings the growing invisibility of national borders, a distributed realignment of political and economic power, and an increasing vulnerability to forms of espionage that have little to do with national governments and everything to do with the global economy.

Meanwhile, civil libertarians say that recent efforts by the Cold Warriors to mandate the use of encryption key recovery systems within the United States pose a monumental threat to a basic civil liberty: privacy.

"This debate is no longer about export controls," says Alan Davidson of the Center for Democracy and Technology. "It's becoming clearer and clearer that we're talking about what's going to happen domestically with encryption."

Such suspicions were confirmed by FBI assistant director Jim Kallstrom, the agency's foremost wiretapping authority, when he told the House International Relations Committee: "We don't give a damn about export. We care about protecting people domestically."
Trouble is, Kallstrom and his allies want to "protect" Americans with an unwieldy, insecure, and potentially unconstitutional encryption key recovery scheme that would require citizens to make their private communications accessible to law enforcement in advance of any evidence that they have participated in a crime.

Big Brother reanimated

Admittedly, the strong-arm lobbying tactics used by the Clinton administration's national security all-stars have not yet proven effective in the House, where SAFE now enjoys a full majority. But over in the Senate, the story is entirely different.

The reigning chair of the encryption debate is Senator John McCain, the powerful Arizona Republican who heads the Senate Committee on Commerce, Science, and Transportation. McCain is widely known as a free-market iconoclast - a reputation he solidified in February 1996, by becoming the lone GOP senator to vote against the Telecommunications Act that ostensibly deregulated the telecom industry. McCain opposed the act because, he said, it didn't do enough to create competition and keep the government's hands off the market.

But as a former US Navy pilot who spent more than five years in a North Vietnam POW camp, McCain takes a hard line on national security issues, and the crypto debate has forced him to make an awkward choice between his free-market idealism and his hawkish national security instincts. Ultimately, his Cold War anxieties prevailed.

McCain signaled his new resolve last spring, when he joined forces with Senator Bob Kerrey (D-Nebraska), the ranking member of the Senate Foreign Relations Committee, to introduce S 909, the Secure Public Networks Act - a crypto bill so restrictive that it could cost the US software industry billions of dollars in lost sales while also creating a national system for online wiretapping that would breathe new life into the tired Big Brother cliché.
The McCain-Kerrey bill reinforces existing encryption controls that limit the strength of exported software to only 56 bits for companies that promise to install key recovery features within two years. (For those that refuse to make such a promise, the export limit will remain at a feeble 40 bits.) The bill also creates a domestic key recovery scheme that would effectively require anyone who wants to buy or sell products on the Internet to give up a copy of their encryption keys to a "key recovery agent" approved by the US government. (Imagine being required to hand over a copy of your front door keys to a government-certified locksmith.) Any law enforcement agency would then be able to obtain quick and easy access to encrypted data by getting copies of private keys from key recovery agents with only a subpoena - a legal hurdle that is much less stringent than a search warrant because it does not require police to rigorously demonstrate "probable cause" that an individual has been involved in a crime.

To accomplish the monumental task of providing police with this access, key recovery centers would be set up across the country and - the Clinton administration hopes - around the world. These centers would handle and store keys to encrypted data for the sole purpose of allowing law enforcement agencies quick access to any suspicious information traveling over networks. But with billions of transactions and communications stored on individual hard drives and zipping through cyberspace, the system envisioned in the bill - and endorsed by the White House - would rival the US post office in scale.

However, unlike the post office, privacy would in no way be assured. In a day-to-day sense, the McCain-Kerrey bill is tantamount to ordering the US Postal Service to ban envelopes and requiring everyone to send all their mail on postcards.
Meanwhile, the post office would also make a copy of each card and keep it in a central database that would, by its very nature, be vulnerable to mismanagement by postal officials with all the intelligence and integrity of Cliff Clavin from Cheers.

"We don't believe it will work," Michael MacKay, vice president of Novell, flatly told the Senate Judiciary Committee this summer. Peter Neumann, principal scientist at SRI International, calls the idea of government-mandated domestic key recovery "ludicrous." Even Dorothy Denning, a professor of computer science at Georgetown University and a vocal proponent of key recovery, says in a recent study on encryption and organized crime published by the National Strategy Information Center, "Mandatory key recovery would force users to take risks they might consider unacceptable, particularly with respect to their communications where they might not need key recovery for their own purposes."

Denning's study also throws into doubt the FBI's assertions that it needs access to crypto keys to solve crimes. Worldwide, she reports, the total number of criminal cases in which encryption has been used hovers at about 500. But in many of those cases, crypto did not prevent or even slow crime-solving efforts by law enforcement. Although Denning and study coauthor William Baugh, a former assistant FBI director, warn that the use of encryption by organized criminals and terrorists is on the rise, they also doubt that domestic key recovery and export controls will do much to stop this trend.

Nevertheless, the drumbeat of fear sounded by the FBI and NSA has inspired several members of Congress to propose unworkable solutions to a dubious crisis. Senator McCain's recent conversion to the side of the crypto hardliners has been particularly damaging, and it has left many observers wondering what prompted his sudden about-face. The answer, it turns out, is blandly familiar.
Last spring, national security officials visited McCain to give him the latest version of their crypto gloom-and-doom scenario. The Briefing, as it is called, has become a rite of passage in Congress, as almost every member has been subjected to it in one form or another. Some report that the meeting begins with a dramatic Cold War song and dance, during which agents sweep the meeting room for bugs. They then talk about the use of encryption technology by the Cali drug cartel. They discuss PGP's worldwide availability and its use by terrorists, pedophiles, and illegal gamblers - and so on and so on, with the purpose of instilling a neurotic fear that the American way of life will go to hell in a handbasket unless police are somehow given access to the keys that protect encrypted data.

Of course, law enforcement has a legitimate interest in trying to prevent crime. But other factors may be at work as well. FBI director Louis Freeh, for example, has a few skeletons in his closet: no explanation for the crash of TWA Flight 800, no resolution in the Saudi bombing, no more suspects in the Atlanta Olympic Park bombing, reports of mishandled evidence at the FBI crime lab - the list goes on. Implicitly, at least, strong encryption provides Freeh with a plausible explanation for some of the FBI's recent failures while also raising the specter of a new and unseen criminal menace. As Republican Senator Jon Kyl of Arizona fretted, "I don't want to be sitting here a few years from now having law enforcement tell us we had the opportunity to stop terrorism and did not."

Such arguments struck a chord with McCain. "This is not something I say often, but the three senators cosponsoring this bill: myself, Kerrey, and Massachusetts Senator John Kerry, all have one thing in common: we all served in Vietnam," the spry Arizonan told me while I visited him on Capitol Hill. "The strongest opponents to this bill have never heard a shot fired."
That is the fault line that divides the old guard from the new. Four long years after the White House's former crypto flack, Mike Nelson, first called encryption "the Bosnia of telecommunications policy," the analogy still holds true. For the grizzled Cold Warriors, encryption is a fixed opponent to be surrounded, rolled back, and conquered. But for the high tech industry, private sector businesses, and millions of individual Internet users, strong encryption provides a powerful defense against the anarchic jungle combat of economic espionage and computer fraud.

In the digital age, crime has less to do with criminals using the system than with criminals breaking into the system. Yet the law enforcement community and its sympathizers envision their criminal foes as looming Death Stars - large, easily identifiable targets equipped with ample resources and big guns - not as small, distributed guerrilla fighters armed with nothing more than a decent PC and modem, some patience, and lots of guile.

Political calculus

In fairness, worries about crime must be taken seriously by any elected official. In a society infected by an undercurrent of nervous fear, taking a tough stance on crime wins more votes than serving as a poster child for civil liberties. It would be career suicide for any politician to appear as if his or her views on crypto liberalization facilitated an incident like the 1994 World Trade Center bombing. (Ramsi Yousef, who was convicted for the bombing, had encrypted information on his computer that outlined plans to blow up 11 US-owned commercial airliners, although that information was also found in decrypted form.) As Peter Harter, global public policy counsel for Netscape, puts it, looking strong on encryption "allows the Cold Warriors to get on their horses and trot off into the sunset in the name of law and order and the American way."
Inside the Clinton administration, the rift that divides those who want fewer controls on crypto and those who view the regulations as a worthy sacrifice to make on the altar of national security is just as wide as it is on the Hill. In the balkanized bureaucracies of the White House, many staffers working on trade-oriented issues would like fewer restrictions on encryption, while those who specialize in crime and punishment want more.

"Ultimately, it's something of a generational gap," says one young administration official who follows crypto policy. "The older generation has been groomed with crises - they understand conflict in a way that younger people don't. But the younger people who get this stuff understand that the policy is no good if other countries don't follow it."

Indeed, the international dimension of the crypto debate may ultimately moot the position of the hard-liners. Despite the administration's insistence to the contrary, other countries are, for the most part, not playing by American rules. During a July conference of European ministers in Bonn, US Commerce Secretary William Daley failed to persuade the Germans - our leading competitor in encryption software development - that every country should restrict exports, and that every citizen should be urged to hand over copies of their encryption keys to a government-approved source. But the most ironic failure of the US export policy came in May, when Sun Microsystems signed a deal with Elvis+, a Russian software firm staffed with refugees from the Soviet space program, to manufacture strong crypto without key recovery and sell it internationally - including within the United States.

Against this backdrop, plunging into the encryption policy quagmire is hardly a good career move for any US government official.
And with no resolution in sight between those within the administration who side with industry and those who favor law enforcement, encryption has become a hot potato no one wants to touch. "I asked a long time ago what this crypto stuff was," says one official who has a hand in several aspects of Internet policy. "Everyone told me, 'You don't want to know.'"

No one understands this better than Ira Magaziner, Clinton's senior policy adviser on Internet affairs and chief architect of the White House's recently released Framework for Global Electronic Commerce. In attempting to construct the administration's ecommerce policy, Magaziner was left with the unenviable task of trying to fit a square peg into a round hole by jamming a strict export control policy into a document that otherwise takes a strikingly hands-off approach to the Internet.

Magaziner is clearly uncomfortable with the disconnect. Publicly, he is careful to toe the administration party line that "there must be a balance between data protection and national security concerns." But in private, Magaziner has not been shy about expressing his disagreement with the administration's crypto stance and its plans to build a domestic key recovery infrastructure - plans that have been grafted onto the McCain-Kerrey Senate bill.

Remarkably, the worst may be yet to come. At the House International Relations Committee meeting in July where the supercops received the royal treatment, the committee chair, Republican Representative Benjamin Gilman of New York, offered an amendment that would ban the sale, use, and import of strong encryption. Although the amendment failed, it put Internet advocates on notice that the House may also be vulnerable to the crypto paranoia that has already infected the Senate.

"It's the first time we've gotten a glimpse of where this could be going," says the Center for Democracy and Technology's Alan Davidson. "It's a potentially very scary future."
The wide gap that separates the thought processes of fear and opportunity foreshadows a bigger showdown on encryption policy. Though it now seems unlikely that any crypto legislation will pass during the 105th Congress, it's even less likely that the president would sign a bill that seeks to liberalize US policy.

But in the meantime, computer users will continue to download and share encryption software. Some may even send a few copies overseas illegally. Whether all Americans will be forced to pay a steep political and economic price for the borderless geography of cyberspace remains to be seen. As McCain himself said, "Not everything in this country is free."

###

Rebecca Vesely (rebecca () wired com) is Washington bureau chief for Wired News.

Copyright © 1993-97 Wired Ventures Inc. and affiliated companies. All rights reserved.