December 01, 1996
The cryptography debate is a fascinating one. It divides the body politic in surprising ways. Cold-War Republicans find themselves lining up with Clinton loyalists against an odd-couple alliance of hard-core, government-wary, Christian Coalition conservatives and hard-core, government-wary, ACLU liberals. High-tech business groups that once stood solidly behind the techno-savvy Clinton-Gore team now excoriate the Administration for exalting a tough-on-crime message over technology exports. Private industry demands the strongest encryption available while the Clinton Administration insists that widely available encryption would lead to uncontrolled criminal activity or would undermine national security. When both private industry and the Clinton Administration are in the same room (as they have been on numerous occasions), the debate goes along these lines.
Business: I can't believe we have to explain this to you guys. Didn't you win the election by pounding on George Bush as technologically clueless? Surely you know that American business has a legitimate need for strong encryption. As we begin to conduct business on the Global Information Infrastructure ("GII"), the need for strong encryption to protect a company's proprietary information and communications grows. Many American companies conduct business overseas which requires them to communicate and transfer data over the GII. This information must be safe from both commercial and state-sponsored surveillance. Strong encryption is needed to protect the confidentiality of this information as well as the identity of the users and the integrity of the information.
The encryption that can now be exported without restrictions cannot guarantee this protection. For example, the strongest encryption readily exported under United States export control laws has a key length of 40 bits. As a result of these controls, 40-bit encryption is widely used in U.S. origin commercial software that dominates the global market. Recent developments have called into question whether 40-bit encryption offers sufficient security. In July 1995, a group of Internet users broke the 40-bit algorithm used by Netscape, known as RC-4. With mostly desktop computers, this group exhausted every possible 40-bit key in about a week. Other such breaches are becoming more and more prevalent. The communication of valuable commercial information demands stronger security than is available under current controls.
Clinton Administration: You don't have to explain that to us. We understand the need for strong encryption in the private sector. Indeed, the protection of this information from both spying and disruption is vital to our national security. That's why no one is proposing to control encryption within the United States — so companies can use the strongest encryption available to protect their proprietary and confidential information. But there are also important law enforcement and national security reasons that require constraints on this technology.
Why doesn't business listen to us for a change when we point out how badly the widespread use of unbreakable encryption would hurt our law enforcement efforts? The law enforcement community relies heavily on wiretapping as an important preventive tool that has foiled many crimes before they could be committed. Such wiretapping may be law enforcement's only tool in preventing acts of terrorism such as a plot to shoot down airliners over Chicago or a possible TWA bombing. Wiretapping also provides information that usually would be unobtainable by other means. Additionally, wiretap evidence is typically considered more credible and probative than other evidence uncovered through other methods. If wrongdoers were able to cryptographically protect their communications, law enforcement would lose its most valuable tool.
Business: Interesting. You say you recognize that American commercial interests are important to our national security, but you promote policies that undermine America's international competitiveness. Controls on encryption technology, especially export controls, hurt American industries that stand to benefit from the booming demand for information security products containing strong encryption. We are burdened by controls that other governments don't impose on our international competitors.
Encryption controls impose costs on producers because it becomes necessary to develop and produce two or more versions of the same software or hardware — one for domestic use and one for export. The need to deal with complex governmental licensing or authorization requirements also imposes legal and administrative costs that are not incurred by competitors in countries with fewer regulations. Finally, to compete in this growing market, business may be forced to license their products to companies in other countries, forgoing the profits that would accrue from having the ability to manufacture and distribute the products themselves.
So your policies are creating a great opportunity for companies in other countries, where controls on cryptography are less burdensome. You're also creating an opportunity for companies with a global presence to develop encryption in unregulated countries to meet global market demand. Whether controlled or not, technology will migrate to those locations offering a "safe haven" from encryption controls. As the potential profits from sales of encryption products increase, the incentive for bypassing or violating government encryption controls will also rise — and more encryption know-how will filter out to companies in a position to profit unimpeded by government controls.
Of course, we can't prove that the increasing availability of foreign products is due to U.S. encryption controls. But it's easy to see that, without controls, American companies could exploit their dominant position in the software and hardware markets, and their massive installed base of users, to win markets we're losing now by default.
There's a boom in global demand for encryption. Without policy changes, migration of encryption technology will continue. So government controls can't prevent the widespread deployment of strong encryption — just the deployment of American-made encryption.
Clinton Administration: Give me a break. Contrary to your claims, the global market is not open to the importation of limitless high-strength encryption. Some countries already have import controls — France and Israel, to name two. And since all countries have similar law enforcement and national security concerns, exporting stronger United States or other encryption to these countries will only force them to erect barriers to cryptographic imports. Although there may be a demand for strong encryption, international encryption policies, not U.S. export controls, will be the ultimate barrier to American companies.
And anyway we should be careful not to compromise our law enforcement or national security interests by encouraging the spread of this unbreakable encryption. Even 40-bit encryption that is not escrowed undermines these interests.
In terms of competitiveness, the much-maligned 40-bit encryption also remains strong enough for many uses, especially in competition with foreign products whose real level of security has been questioned. What's more, U.S. companies with interests overseas are already allowed to use stronger encryption to protect their own communications.
Finally, we're willing to liberalize controls even further for commercial encryption products in exchange for industry's assistance in developing a key management system that protects our law enforcement capabilities. We want an international standard that provides protection to international business communications but will not jeopardize our ability to protect our national security and law enforcement interests.
Business: If wishes were horses, beggars would ride. You can't control the direction of this technology, and neither can we. Governmental controls are ineffective today and in danger of becoming irrelevant tomorrow. The proliferation of DES and other strong algorithms in foreign-supplied software and the absence of enforcement of the munitions controls on laptop exports are ample evidence of this.
Export controls cannot stop the global spread of encryption technology; they can only slow its development and export from the United States. As a technical matter, encryption can be, and has been, made widely available over the Internet. Internet FTP sites allow easy, and often anonymous, access to encryption software. The Software Publishers Association has identified more than 450 foreign encryption products. Although the strength of some foreign products was questioned by a January 1996 government study (parts of which remain classified), there is still ample evidence that government controls are stifling sales opportunities outside the U.S.
Even import and use controls cannot stop the use of this technology, since encryption software is so readily available on the Internet. The users least likely to be deterred by such controls are the criminals and hostile governments at which controls are presumably aimed. Moreover, as more consumers and companies pass information over unsecured networks, the public will demand the right to use strong encryption. Government restrictions, once attacked by only a cadre of libertarian computer activists, could become the target of a new, large and powerful lobby of encryption users.
Controls will become even less effective as the profit potential of evading controls rises. Companies developing encryption products and wishing to profit from the international market may take advantage of loopholes in export control laws. For instance, under U.S. law, the owner of a U.S. encryption invention can license a foreign company to manufacture and distribute products which have reduced the invention to tangible form. A national company with a marketable encryption invention could license the right to have it built in Taiwan, then import the product back to the U.S. for domestic use, even though the national company could not build that product in the United States and export it. Aggressive use of such loopholes, and even an increase in intentional violations of encryption controls, will become more common as the commercial market for strong encryption grows.
The only prospect for effective government controls is tightly coordinated international policymaking coupled with strict national enforcement, and there is little indication that this will occur in the near term. Japan, for example, is suspicious of the U.S. commercial key escrow initiative. Moreover, Scandinavian and certain EU governments value privacy rights and oppose the concept of mandating the escrow of keys with trusted third parties.
Clinton Administration: You've just explained precisely why business should immediately assist the Clinton Administration in developing a key management system. Business will not be immune to the criminal activity that could flourish with the proliferation of unbreakable encryption, and industry would also suffer from weakened national security. On the other hand, international use of a key management system would provide the strongest encryption available while still protecting our vital interests.
And so it goes. The only sure thing about this debate is that it will still be going on next year — no matter who is elected President.
*Stewart A. Baker is a partner in the Washington, D.C. office of Steptoe & Johnson LLP.
 A Study of the International Market for Computer Software with Encryption, Report Prepared by U.S. Department of Commerce and National Security Agency (Jan. 1996).