Interesting People mailing list archives

IP: The Crypto Generation Gap, from Wired 5.10


From: David Farber <farber () cis upenn edu>
Date: Tue, 09 Sep 1997 17:42:27 -0400

Date: Tue, 9 Sep 1997 14:38:11 -0800
To: farber () cis upenn edu, pagre () weber ucsd edu
From: "--Todd Lappin-->" <telstar () wired com>






In light of all the encryption developments of this week... I'm passing
along this column from the current issue of Wired. I think it helps put
things in perspective.  Feel free to redistribute.


--Todd Lappin-->
Associate Editor
WIRED Magazine






From: Wired 5.10, October, 1997


THE GENERATION GAP


The Old Guard wants to ban strong cryptography to protect
the national security state. The Young Turks want to unleash
strong crypto to protect the national economy - and our privacy.
A report from the front lines of a struggle for the future.


By: Rebecca Vesely




It's a sweltering July afternoon in Washington, DC, as a dozen lawmen
dressed in dark blue suits file into a meeting room on Capitol Hill. The
broad-shouldered cops stroll confidently through a crowd of lobbyists,
journalists, and congressional staffers, push aside the "reserved" cards
placed before their front-row seats, and settle into their chairs. The men
are supercops - bigwigs from the FBI, the National Security Agency, the
Drug Enforcement Agency, and the Commerce Department - and they've come to
Congress to declare war on strong encryption.


On this particular day, the lawmen are on hand at a meeting of the House
International Relations Committee, which is poised to vote on the Security
and Freedom through Encryption Act, better known as SAFE. Sponsored by
Representative Bob Goodlatte (R-Virginia), SAFE would prohibit the
government from imposing any controls on the use of strong encryption
within the US and relax the export regulations that bar American firms from
selling such software internationally. The bill is a darling among high
tech companies and civil libertarians, but to the law enforcement guys,
SAFE is a nightmare.


As the Feds settle into their seats, lobbyists from Netscape, Microsoft,
and Pretty Good Privacy huddle along the side wall, biting their nails and
seething about the supercops in hushed, nervous tones. Although SAFE has
attracted strong support in the House, the massive show of institutional
force by the national security apparatus is a grim indication that the
tides have turned in the encryption debate. Only a few months ago, high
tech lobbyists were prodding the White House to relax its encryption export
controls. Now, they're fighting to keep the technology legal.


Surprisingly, however, the ominous, front-row presence of the supercops was
not enough to sway the International Relations Committee. Nor was the flurry
of anti-SAFE letters sent by Defense Secretary William Cohen and Attorney
General Janet Reno. At the end of the day, the committee passed SAFE by a
voice vote.


Yet much greater challenges lie ahead. The ongoing battles over encryption
policy have exposed a glaring rift between two vastly different political
camps inside the Beltway - each fighting to uphold a different vision of the
future. For the aging Cold Warriors who fantasize that crypto can be
closely controlled, the future looks like a reprint of an old James Bond
movie, replete with heroic cloak-and-dagger struggles against drug lords,
terrorists, and rogue foreign governments. But for those with a deeper
understanding of digital technology, the future brings the growing
invisibility of national borders, a distributed realignment of political
and economic power, and an increasing vulnerability to forms of espionage
that have little to do with national governments and everything to do with
the global economy. Meanwhile, civil libertarians say that recent efforts
by the Cold Warriors to mandate the use of encryption key recovery systems
within the United States pose a monumental threat to a basic civil liberty:
privacy.


"This debate is no longer about export controls," says Alan Davidson of the
Center for Democracy and Technology. "It's becoming clearer and clearer
that we're talking about what's going to happen domestically with
encryption."


Such suspicions were confirmed by FBI assistant director Jim Kallstrom, the
agency's foremost wiretapping authority, when he told the House
International Relations Committee: "We don't give a damn about export. We
care about protecting people domestically." Trouble is, Kallstrom and his
allies want to "protect" Americans with an unwieldy, insecure, and
potentially unconstitutional encryption key recovery scheme that would
require citizens to make their private communications accessible to law
enforcement in advance of any evidence that they have participated in a
crime.


Big Brother reanimated


Admittedly, the strong-arm lobbying tactics used by the Clinton
administration's national security all-stars have not yet proven effective
in the House, where SAFE now enjoys a full majority. But over in the
Senate, the story is entirely different.


The reigning chair of the encryption debate is Senator John McCain, the
powerful Arizona Republican who heads the Senate Committee on Commerce,
Science, and Transportation. McCain is widely known as a free-market
iconoclast - a reputation he solidified in February 1996, by becoming the
lone GOP senator to vote against the Telecommunications Act that ostensibly
deregulated the telecom industry. McCain opposed the act because, he said,
it didn't do enough to create competition and keep the government's hands
off the market. But as a former US Navy pilot who spent more than five years
in a North Vietnam POW camp, McCain takes a hard line on national security
issues, and the crypto debate has forced him to make an awkward choice
between his free-market idealism and his hawkish national security
instincts. Ultimately, his Cold War anxieties prevailed.


McCain signaled his new resolve last spring, when he joined forces with
Senator Bob Kerrey (D-Nebraska), the ranking member of the Senate Foreign
Relations Committee, to introduce S 909, the Secure Public Networks Act - a
crypto bill so restrictive that it could cost the US software industry
billions of dollars in lost sales while also creating a national system for
online wiretapping that would breathe new life into the tired Big Brother
cliché. The McCain-Kerrey bill reinforces existing encryption controls that
limit the strength of exported software to only 56 bits for companies that
promise to install key recovery features within two years. (For those that refuse
to make such a promise, the export limit will remain at a feeble 40 bits.)
The bill also creates a domestic key recovery scheme that would effectively
require anyone who wants to buy or sell products on the Internet to give up
a copy of their encryption keys to a "key recovery agent" approved by the
US government. (Imagine being required to hand over a copy of your front
door keys to a government-certified locksmith.) Any law enforcement agency
would then be able to obtain quick and easy access to encrypted data by
getting copies of private keys from key recovery agents with only a
subpoena - a legal hurdle that is much less stringent than a search warrant
because it does not require police to rigorously demonstrate "probable
cause" that an individual has been involved in a crime.


To accomplish the monumental task of providing police with this access, key
recovery centers would be set up across the country and - the Clinton
administration hopes - around the world. These centers would handle and
store keys to encrypted data for the sole purpose of allowing law
enforcement agencies quick access to any suspicious information traveling
over networks. But with billions of transactions and communications stored
on individual hard drives and zipping through cyberspace, the system
envisioned in the bill - and endorsed by the White House - would rival the
US post office in scale. However, unlike the post office, privacy would in no
way be assured. In a day-to-day sense, the McCain-Kerrey bill is tantamount
to ordering the US Postal Service to ban envelopes and requiring everyone
to send all their mail on postcards. Meanwhile, the post office would also
make a copy of each card and keep it in a central database that would, by
its very nature, be vulnerable to mismanagement by postal officials with all
the intelligence and integrity of Cliff Clavin from Cheers.


"We don't believe it will work," Michael MacKay, vice president of Novell,
flatly told the Senate Judiciary Committee this summer. Peter Neumann,
principal scientist at SRI International, calls the idea of
government-mandated domestic key recovery "ludicrous." Even Dorothy
Denning, a professor of computer science at Georgetown University and a
vocal proponent of key recovery, says in a recent study on encryption and
organized crime published by the National Strategy Information Center,
"Mandatory key recovery would force users to take risks they might consider
unacceptable, particularly with respect to their communications where they
might not need key recovery for their own purposes."


Denning's study also throws into doubt the FBI's assertions that it needs
access to crypto keys to solve crimes. Worldwide, she reports, the total
number of criminal cases in which encryption has been used hovers at about
500. But in many of those cases, crypto did not prevent or even slow
crime-solving efforts by law enforcement. Although Denning and study
coauthor William Baugh, a former assistant FBI director, warn that the use
of encryption by organized criminals and terrorists is on the rise, they
also doubt that domestic key recovery and export controls will do much to
stop this trend.


Nevertheless, the drumbeat of fear sounded by the FBI and NSA has inspired
several members of Congress to propose unworkable solutions to a dubious
crisis. Senator McCain's recent conversion to the side of the crypto
hardliners has been particularly damaging, and it has left many observers
wondering what prompted his sudden about-face.


The answer, it turns out, is blandly familiar. Last spring, national
security officials visited McCain to give him the latest version of their
crypto gloom-and-doom scenario. The Briefing, as it is called, has become a
rite of passage in Congress, as almost every member has been subjected to
it in one form or another. Some report that the meeting begins with a
dramatic Cold War song and dance, during which agents sweep the meeting
room for bugs. They then talk about the use of encryption technology by the
Cali drug cartel. They discuss PGP's worldwide availability and its use by
terrorists, pedophiles, and illegal gamblers - and so on and so on, with
the purpose of instilling a neurotic fear that the American way of life
will go to hell in a handbasket unless police are somehow given access to
the keys that protect encrypted data.


Of course, law enforcement has a legitimate interest in trying to prevent
crime. But other factors may be at work as well. FBI director Louis Freeh,
for example, has a few skeletons in his closet: no explanation for the
crash of TWA Flight 800, no resolution in the Saudi bombing, no more
suspects in the Atlanta Olympic Park bombing, reports of mishandled
evidence at the FBI crime lab - the list goes on. Implicitly, at least,
strong encryption provides Freeh with a plausible explanation for some of
the FBI's recent failures while also raising the specter of a new and
unseen criminal menace. As Republican Senator Jon Kyl of Arizona fretted,
"I don't want to be sitting here a few years from now having law
enforcement tell us we had the opportunity to stop terrorism and did not."


Such arguments struck a chord with McCain. "This is not something I say
often, but the three senators cosponsoring this bill: myself, Kerrey, and
Massachusetts Senator John Kerry, all have one thing in common: we all
served in Vietnam," the spry Arizonan told me while I visited him on
Capitol Hill. "The strongest opponents to this bill have never heard a shot
fired."


That is the fault line that divides the old guard from the new. Four long
years after the White House's former crypto flack, Mike Nelson, first called
encryption "the Bosnia of telecommunications policy," the analogy still
holds true. For the grizzled Cold Warriors, encryption is a fixed opponent
to be surrounded, rolled back, and conquered. But for the high tech
industry, private sector businesses, and millions of individual Internet
users, strong encryption provides a powerful defense against the anarchic
jungle combat of economic espionage and computer fraud. In the digital age,
crime has less to do with criminals using the system than with criminals
breaking into the system. Yet the law enforcement community and its
sympathizers envision their criminal foes as looming Death Stars - large,
easily identifiable targets equipped with ample resources and big guns - not
as small, distributed guerrilla fighters armed with nothing more than a
decent PC and modem, some patience, and lots of guile.


Political calculus


In fairness, worries about crime must be taken seriously by any elected
official. In a society infected by an undercurrent of nervous fear, taking a
tough stance on crime wins more votes than serving as a poster child for
civil liberties. It would be career suicide for any politician to appear as
if his or her views on crypto liberalization facilitated an incident like
the 1994 World Trade Center bombing. (Ramsi Yousef, who was convicted for
the bombing, had encrypted information on his computer that outlined plans
to blow up 11 US-owned commercial airliners, although that information was
also found in decrypted form.)


As Peter Harter, global public policy counsel for Netscape, puts it,
looking strong on encryption "allows the Cold Warriors to get on their
horses and trot off into the sunset in the name of law and order and the
American way."


Inside the Clinton administration, the rift that divides those who want
fewer controls on crypto and those who view the regulations as a worthy
sacrifice to make on the altar of national security is just as wide as it is
on the Hill. In the balkanized bureaucracies of the White House, many
staffers working on trade-oriented issues would like fewer restrictions on
encryption, while those who specialize in crime and punishment want more.
"Ultimately, it's something of a generational gap," says one young
administration official who follows crypto policy. "The older generation has
been groomed with crises - they understand conflict in a way that younger
people don't. But the younger people who get this stuff understand that the
policy is no good if other countries don't follow it."


Indeed, the international dimension of the crypto debate may ultimately
moot the position of the hard-liners. Despite the administration's
insistence to the contrary, other countries are, for the most part, not
playing by American rules. During a July conference of European ministers
in Bonn, US Commerce Secretary William Daley failed to persuade the Germans
- our leading competitor in encryption software development - that every
country should restrict exports, and that every citizen should be urged to
hand over copies of their encryption keys to a government-approved source.
But the most ironic failure of the US export policy came in May, when Sun
Microsystems signed a deal with Elvis+, a Russian software firm staffed with
refugees from the Soviet space program, to manufacture strong crypto
without key recovery and sell it internationally - including within the
United States.


Against this backdrop, plunging into the encryption policy quagmire is
hardly a good career move for any US government official. And with no
resolution in sight between those within the administration who side with
industry and those who favor law enforcement, encryption has become a hot
potato no one wants to touch. "I asked a long time ago what this crypto
stuff was," says one official who has a hand in several aspects of Internet
policy. "Everyone told me, 'You don't want to know.'"


No one understands this better than Ira Magaziner, Clinton's senior policy
adviser on Internet affairs and chief architect of the White House's
recently released Framework for Global Electronic Commerce.


In attempting to construct the administration's ecommerce policy, Magaziner
was left with the unenviable task of trying to fit a square peg into a round
hole by jamming a strict export control policy into a document that
otherwise takes a strikingly hands-off approach to the Internet. Magaziner
is clearly uncomfortable with the disconnect. Publicly, he is careful to
toe the administration party line that "there must be a balance between
data protection and national security concerns." But in private, Magaziner
has not been shy about expressing his disagreement with the
administration's crypto stance and its plans to build a domestic key
recovery infrastructure - plans that have been grafted onto the
McCain-Kerrey Senate bill.


Remarkably, the worst may be yet to come. At the House International
Relations Committee meeting in July where the supercops received the royal
treatment, the committee chair, Republican Representative Benjamin Gilman
of New York, offered an amendment that would ban the sale, use, and import
of strong encryption. Although the amendment failed, it put Internet
advocates on notice that the House may also be vulnerable to the crypto
paranoia that has already infected the Senate. "It's the first time we've
gotten a glimpse of where this could be going," says the Center for
Democracy and Technology's Alan Davidson. "It's a potentially very scary
future."


The wide gap that separates the thought processes of fear and opportunity
foreshadows a bigger showdown on encryption policy. Though it now seems
unlikely that any crypto legislation will pass during the 105th Congress,
it's even less likely that the president would sign a bill that seeks to
liberalize US policy. But in the meantime, computer users will continue to
download and share encryption software. Some may even send a few copies
overseas illegally. Whether all Americans will be forced to pay a steep
political and economic price for the borderless geography of cyberspace
remains to be seen. As McCain himself said, "Not everything in this country
is free."
###


Rebecca Vesely (rebecca () wired com) is Washington bureau chief for Wired News.




Copyright © 1993-97 Wired Ventures Inc. and affiliated
companies.
All rights reserved.

