The Coming War Over Encryption Technology
Intellectual Property Practice Group Newsletter - Volume 2, Issue 1, Spring 1998
May 1, 1998Eric Vance
Encryption technology is at the center of a bitter dispute that promises to hold serious ramifications for not only worldwide law enforcement, but perhaps more importantly the entire future of Internet commerce or e-commerce. What is encryption technology? Quite simply, it is a set of complex mathematical formulae which permits anyone transmitting electronic in-formation over something as vast as the Internet or as simple as cellular phone, to scramble the message so nobody but the recipient understands it. If you purchased anything over the Internet you've probably used encryption technology already without knowing it to keep your credit card information safe from poachers. Likewise, new encryption programs are becoming available to prevent eavesdroppers from listening in on your cellular phone conversations.
The theory underlying encryption technology has been around for at least two hundred years, but until recently remained a backwater for mathematical theoreticians and consisted largely of arcane algorithms. However the advent of vast new computing power has placed nearly impenetrable encryption programs in the hands of the everyday citizen, a development which ignited the first debate. Should people like you and me be able to communicate without anyone being able to listen: anyone.
The current level of encryption technology in the United States is reflected by the U.S. Data Encryption Standard ("DES") which utilizes 64 bit technology. Although previously considered impregnable, DES was recently cracked through the simultaneous use of several thousand computers working continuously for 92 days, thus throwing the standard into turmoil. Since the cracking of the DES, there have been proposed alternative programs including one from NEC in Japan which employs 128 bit technology and another utilizing elliptical curve cryptography to ensure privacy. Against this uncertain backdrop, Congress has been active trying to pass legislation regarding the distribution and export of encryption technology.
Initially, Representative Bob Goodlatte (R-Virginia) sponsored HR 695, dubbed the "SAFE" bill, which would have eased the restrictions on the export of encryption technology. Currently regulations limit export of encryption software to relatively low powered 40 bit programs. The reason for this restriction was quite simple: the United States government did not want powerful encryption programs written in the U.S. to fall into the hands of extremists and potential terrorists.
As originally written, the SAFE bill also prohibited the government from mandating a "key" recovery system. A key recovery system would provide the government access to a "key" to unscramble the contents of any electronic transmission and read the message. Therefore the bill's prohibition of a key recovery system meant that the transmissions would be safe from prying eyes, regardless of who was looking.
In a complete turnaround, by the time the SAFE bill emerged from committee, amendments were added which would have required all encryption products sold or distributed in the United States after January 31, 2000 to include just such a key recovery system. Under the terms of the amended bill, sarcastically referred to as the "UNSAFE" bill, anyone using encryption technology would be required to turn over an encryption key to a "key recovery agent", a caretaker of sorts who safeguards the keys until directed by court order to turn them over. As currently written the UNSAFE bill requires that any law enforcement official seeking an access key would have to show "a factual basis establishing the relevance of the plaintext" to their investigation, a very easy standard to meet.
The amendments to the SAFE bill were made by Michael Oxley (R-Ohio) and Thomas Manton (D-New York), at the behest of the FBI and other law enforcement officials who argued that allowing encryption technology to be widely utilized by the general public will make surveillance of criminal activity over the Internet nearly impossible. Absent the ability to monitor such electronic transmissions, law enforcement officials argued that the transmissions would become a indecipherable tool of terrorists, child pornographers and other nefarious wrongdoers. In support of their position law enforcement officials cited Ramsi Yousef, who was convicted of the World Trade Center Bombing and had also encrypted plans to blow up eleven US commercial airliners. Opposing the UNSAFE bill were various high tech companies and civil liberties groups who argued Orwellian shades of Big Brother.
Despite weeks of intensive lobbying, law enforcement advocates came up short when in September, the House Commerce Committee voted 35-16 against the bill which would have required all encryption programs to contain a backdoor or key allowing governmental access. A similar version of the UNSAFE bill, S 909 sponsored by Senators John McCain (R-Arizona) and John Kerrey (D-Nebraska) is also winding its way through the Senate. Under the McCain-Kerrey bill, it would be illegal to export encryption software more than 40 bits unless a key recovery system was installed within two years. Domestically the bill would also require anyone wanting to do business on the Internet to deposit a copy of their encryption keys with a key recovery agent. Whatever the outcome of these particular bills, the issue of encryption technology will continue to be debated in the halls of Congress for some time to come.
Concurrent with the emergence of encryption legislation, several court cases have raised the question of whether restrictions on encryption technology are sustainable. Most recently in December, the Ninth Circuit Court of Appeals heard the appeal of a case known as Bernstein v. United States Department of State, 945 F. Supp. 1279 (N.D. Cal. 1996). In Bernstein, a mathematician who invented an encryption program called "Snuffle" sought a ruling from the Court that the Arms Export Control Act ("AECA") which restricted the export of Snuffle based on military secrecy, was unconstitutional. Under AECA, the export of encryption technology in printed form, i.e., source code is permissible, but not over the Internet in electronic form.
In December 1996 the district court ruled that Snuffle was nothing more than source code. Thus the court found that as source code, "Snuffle is speech afforded the full protection of the First Amendment not because it enables encryption, but because it is itself speech." The court concluded that the AECA's prior restraints on the export of encryption technology could not be sustained. The government, unsatisfied with the court's ruling, appealed the case to the Ninth Circuit.
During oral argument before the Ninth Circuit, Bernstein's lawyers cited precedent from the Pentagon Papers decision and Reno v. A.C.L.U. for the proposition that the AECA constituted an illegal prior restraint on free speech. The government countered that what was being restricted was not the speech itself, but merely the medium over which it was transmitted, i.e. the Internet. Whatever the decision of the Ninth Circuit, the losing side will almost certainly appeal to the Supreme Court and thereby make issue setting precedent about the distribution and export of encryption technology.
Policy Issues and the Future
The debate over the control of encryption technology is also being heard on the world stage. Several weeks ago the Organization for Economic Cooperation and Development ("OECD") an influential consortium of twenty-nine countries, met in Paris to discuss the use of encryption technology to protect commerce from fraud while precluding it from becoming a tool of terrorists and criminals. France and the United States both advocate limiting the export of encryption technology while Japan and the Scandinavian countries oppose such measures. Not coincidentally, France is currently the only Western country that bans the domestic use of any encryption technology.
Most of this year's conference was dedicated to the role of so called "trusted third parties", which are the private entities which are supposed to "hold the keys". While that topic proved to be of great interest, next year's conference will center on an even more critical development: taxation of Internet or e-commerce.
At present there are few formal structures in place to tax transactions which are wholly electronic. Most governments base their taxation scheme on the fact that sooner or later the proceeds of a purchase or sale are converted to cash. But imagine a world, perhaps just a few years away, where no cash changes hands when you buy your new car, but instead you receive a digital debit or credit to your account. Now imagine even further that your entire transaction is encrypted so that nobody, including the IRS, can tell if you are talking to your aunt in Toledo or selling mountains of merchandise. Without the ability to monitor these cyberspace transactions, the entire ability of governments to levy and collect taxes could be fundamentally altered. Current estimates by the IRS of unreported income run as high as 120 billion dollars, with the number certain to grow significantly in the face of increasing e-commerce.
Given the huge amount of money at stake, the real debate about the future of encryption technology will almost certainly center on e-commerce. In the context of e-commerce, the public key system works like this: the sender, say a bank, has a private key in its possession which it uses to scramble an outgoing wire transfer of funds. The encrypted message can only be decoded by using a public key associated with the bank.
Thus, when a person receives the wire transfer they believe comes from the bank, they look up the bank's public key in the equivalent of an electronic phone book. If the public key associated with the bank decodes the message, then the recipient knows that message is genuine. Of course this whole system rests upon the integrity of the public directory. If the directory has been tampered with or even contains misfilings, then the system breaks down. The sheer scale of the public key system that would be required to make such a system work on a nationwide, let alone a worldwide basis, is daunting and would likely require the establishment of a huge new quasi-governmental agency. Although no such agency has been planned, the White House has sought to establish a national policy for dealing with Internet security issues by establishing the President's Commission on Critical Infrastructure Protection co-chaired by former Georgia Senator Sam Nunn and former deputy attorney general Jamie Gorelick.
Not satisfied to wait for the government, electronic Goliaths like Visa, Mastercard and Microsoft have established the Secure Electronic Transactions protocol ("SET") whereby each party to a transaction must independently establish the authenticity of its digital signature including the merchant, the consumer, the bank card issuer and the payment processor. Unfortunately such an elaborate system, like the proposed governmental key agency, does little to streamline a transaction and adds to the costs as well.
Whatever the outcome of the current debate, the ramifications of the new encryption technology have not been lost on an avant-garde group of crypto-libertarians who want to see government take a smaller role in John Q. Public's life. They have made relatively powerful encryption programs available free over the Internet at http://web.mit.edu/network/pgp.html, free of charge to all comers. With the ability to screen the government's prying eyes from their conversations and its taxing fingers from their pockets, the crypto-libertarians want a chicken in every pot and an encryption program in every home computer. Whether they get their wish may well shape the course of government and the economy in the next century.
*Eric Vance is an attorney with the firm of Blank Rome Comisky & McCauley LLP in Philadelphia, Pennsylvania. He is a member of the Philadelphia Lawyers Chapter and serves on the publications committee for the Intellectual Property Practice Group.