The Encryption Scramble
Why Can't Americans Publish Data-Encryption Programs?
OCTOBER 01, 1999 by CLAUDE MORGAN
Claude Morgan writes on culture and technology from his home in Portland, Maine.
When law professor Peter Junger penned a small computer program for his computer-law class at Case Western Reserve University School of Law, he never dreamed he’d be battling the U.S. Commerce Department for the right to post it on his Web site.
In 1997 the Commerce Department informed Junger that he would need a special munitions export license to publish “Fiddle”—a small encryption program that scrambles computer files into gibberish—over the Internet. “When I realized that I could not publish my little program, or any other encryption program, without asking for permission from the bureaucrats,” he says, “I was shocked and angry.”
Junger sued the Commerce Department for violating his First Amendment rights—the fifth freedom-of-speech case filed against the department in as many years. As he argues that “Fiddle” is protected speech, U.S. software makers gather at the sidelines to await the outcome of his case. They say that the very same export regulations that prevent Junger from posting “Fiddle” on the Net could cost their industry as much as $60 billion and 200,000 high-end jobs by next year.
Domestic software makers currently command 70 percent of the world’s software market, with sales that topped $135 billion at home and abroad in 1997 alone. In fact, U.S. software makers are so adroit at capturing the world market that they are currently growing at two-and-a-half times the rate of other U.S. industrial sectors. But hampered by the current regulations, they have so far managed to win only a meager portion of the world’s booming encryption software market.
Critics of the Clinton administration’s communications and technology policies charge that backward export regulations are blocking the industry from competing in the world market. Furthermore, they say, lagging behind in encryption sales isn’t just about losing profits, it’s about undermining national security.
“Encryption really is the backbone of effective privacy on the Internet,” says Linda Bloss-Baum, manager of public policy at the Business Software Alliance (BSA), a public-policy group representing 17 leading U.S. software makers. By converting data in files to gibberish and requiring mathematical “keys” to unlock them, encryption products have protected sensitive data from unauthorized users since the earliest days of computing, says Bloss-Baum.
Encryption guards flight-control data, telephone networks, and power grids from mishaps and sabotage. It cloaks online financial transactions, trade secrets, and sensitive business and military data. It can also be used to scramble telephone calls and e-mail. In fact, Bloss-Baum says, “without strong encryption, anyone would be able to break into your files and gain access to your identity.”
But if encryption software protects sensitive data from saboteurs and high-tech mischief-makers, it can also be used to conceal that information from law-enforcement agencies, the Clinton administration argues. Citing national security and endorsements from the National Security Agency (NSA) and FBI director Louis Freeh, the administration in 1996 banned the export of all “strong” encryption software and technology to U.S. subsidiaries, trading partners, and all foreign markets. The administration defined “strong” encryption as any software with key lengths of 40 bits or more. (Each bit represents an order of magnitude in the complexity of the decoding key.)
Domestic sales and the domestic use of strong encryption remain exempt from Commerce Department regulations. Banks and other financial institutions have been given special dispensations to glide the Internet safely with strong encryption.
The administration only briefly considered raising the export bar to 56 bits when a graduate student cracked the 40-bit code in three-and-a-half hours using simple desktop computers. After similar demonstrations and pressure from high-tech industry, the administration presented software makers with this proposal: Software stronger than 56 bits can be exported to friendly nations only after a Commerce Department review and only if the code-breaking key can be held in “escrow” by a government-authorized third party. This so-called “key recovery,” or “key escrow,” plan would allow law-enforcement agencies to obtain keys from escrow agents in much the same way that police currently obtain evidence through search warrants or wiretaps.
So far, the plan has won few friends among industry, public-interest groups, or private citizens. The key recovery plan is riddled with administrative and ethical flaws, says David Banisar, policy director at the Electronic Privacy Information Center. It calls for centralized databases—places to store keys—that would make appealing targets. Key recovery is therefore a bad strategy that jeopardizes national as well as corporate security, says Banisar, who recently gained national notoriety spearheading a boycott against the Intel Corporation for loading its new chip, the Pentium III, with trail-blazing serial numbers. “From a social and ethical standpoint,” he says, “the concept that your communication should never be private, but subject to the whims of government, turns the basic principles of free speech and privacy on their heads.”
Impeding the Market
That’s not the only principle turned upside down, Bloss-Baum says. Current regulations prohibit American companies from competing against foreign firms. “There are a lot of 128-bit products already out there in the marketplace,” she says. “Products are being manufactured by foreign providers in countries that have no export controls on how long the bit-strength is on their encryption.” Because that technology is already widely available, she says, American companies should be allowed to compete with the same types of products.
More than 900 software makers in nearly 70 countries currently produce and market strong encryption software. Foreign competitors also produce “patches” and “plug-ins” to boost weak encryption exports from the United States.
Bloss-Baum, who has been lobbying Congress to lift the ban on encryption exports for three years, says that most U.S. intelligence agencies support industry’s position that encryption software can be widely and safely distributed. She, Banisar, and others point fingers at Louis Freeh for driving the administration’s policy into its current regulatory waters.
“The law enforcement argument has been wagging the Administration’s whole Internet policy,” says Alan Davidson, counsel for the Center for Democracy and Technology (CDT), a nonprofit public-research group promoting constitutional liberties on the Internet. Davidson argues that a lack of security and privacy actually slows economic growth on the Net, leaving consumers distrustful and U.S. technology and infrastructure vulnerable.
“There are serious inconsistencies between the administration’s free-market version of the Internet and the administration’s law enforcement version,” says Davidson. “Encryption is only the most glaring example.”
Davidson believes that the export controls are destined to fail because ideas cannot be stopped at the border. “People have good encryption outside of the U.S. and they’re going to keep having that,” he says. “Key recovery is a real problem because it builds a backdoor that people don’t like, and that jeopardizes their privacy. As a whole, the policy really leaves people without the tools they need to protect themselves on the Internet.”
Vulnerability has never appealed to the pioneers of the Internet. As early as 1990, Net-surfers began inventing their own tools to shield themselves from observation.
In 1990, Phillip Zimmermann, a Denver-based software engineer, wrote a small but powerful encryption program called Pretty Good Privacy (PGP) and distributed it to friends. The program found its way onto the World Wide Web in 1991, and the Commerce Department found its way to Zimmermann in 1993.
He became the focus of a two-and-a-half-year Justice Department investigation during which he gained cyber-folk-hero status, as well as a $35 million offer from a leading software maker to purchase and distribute PGP. Zimmerman fought the Justice Department’s charges, which were dropped unexpectedly in 1996.
In 1995, university professor Daniel Bernstein filed suit against the government for prohibiting him from publishing “Snuffle,” another homemade encryption program. A federal judge ruled in favor of his First Amendment suit in 1997. The government promptly appealed, but in May the Ninth Circuit Court of Appeals upheld the decision. There are currently three constitutional cases challenging the export regulations in court, says Banisar. The Supreme Court is likely to hear all three.
“The government has never demonstrated, and can never demonstrate,” says Junger, “any threat to security interests that would arise from my publishing my little programs. As to more serious programs, they are all available on Web sites outside the United States anyway, so allowing their publication on Web sites within the United States could not possibly endanger any United States security interest.”
Since April 1996 the administration has waffled on its export policy at least four times, amending, changing, updating, even reversing the Commerce Department’s complicated application process. Loopholes in the regulations make it possible to export strong encryption software, says Banisar. But that process can be expensive. Software makers must document that they are trying to comply with the key recovery plan before export licenses are granted.
Loopholes have led to skirting the law. Network Associates, the current distributor of PGP and popular software like the McAfee anti-virus programs, exports PGP’s 6,000 pages of raw binary code to a Swiss subsidiary, which then compiles, packages, and sells it to foreign markets. That’s legal. Yet U.S. regulations forbid the California-based company from e-mailing the small compiled program abroad.
But using loopholes and complying with regulations are too expensive, software makers say. The regulations are opaque, and the review process often runs late. Foreign manufacturers are not bound by similar restraints.
It’s not just encryption software like PGP that gets snared by the regulations, says Bloss-Baum. Mass-market software like Lotus Notes and Microsoft Word have encryption capabilities built into them for the domestic market. “So those parts of these programs would also be subject to the export regulations,” she says.
That means that when U.S. companies submit operating systems or Internet browsers for export, says Banisar, “they either have to find an overseas partner who can provide the encryption part of the system, or they forgo the whole contract altogether.”
Who currently outside the United States buys American encryption software and technology? The answer is no one. Foreign buyers show little or no interest in the bit-strength of American exports or in the prospects of handing over their keys to a U.S.-based escrow agent. CDT says not one major key recovery product is being widely used by consumers today.
The cost of buying American can be prohibitive, as well, says the BSA. U.S. industry can plan on shelling out $4.2 billion annually for the first five years to set up and maintain the key recovery system. Start-up costs for small businesses will average $2,500. Large corporations may have to cough up as much as $25,000.
Consumers will chip in $1.8 billion annually for the first five years. Escrow agents will earn $6 billion a year for keeping the consumer and business keys available to law-enforcement agencies.
Who exactly is a key recovery agent? While details of the plan remain sketchy, many analysts believe that contracts will be awarded to banks, post offices, or private mail handlers like Mail Boxes Etc., according to a security spokesman for a leading software maker. Large corporations may be allowed to “post their own centers” provided investigations and warrants can be conducted discreetly—that is, without alerting the bosses upstairs.
Freedom of Speech
Despite the business concerns, free-speech arguments will likely play a decisive role in overturning the regulations. But the law is not clear on high-tech definitions of “speech” in the information age, says Davidson. “We think that there are free-expression issues implicated by the export controls,” he says. “But we’re treading on new legal ground here. Its difficult getting courts to understand why there’s an expressive quality to Professor Junger’s little programs.”
If the legal issues surrounding encryption software aren’t complicated enough, says Davidson, philosophical issues about privacy in the information age are about to muddy the waters further. “This is really about some very different views of how we protect privacy online,” he says. “There are two different visions: one is where individuals have the tools to be able to protect themselves; another is where we build backdoors to the system, where we rely on government to be the protector. One minute I’m e-mailing somebody down the street, but the next minute that message is going across ten different countries. And each of those countries has different laws.”
Getting the lawmakers to understand that has been difficult enough, says Bloss-Baum. But for the time being, she and her colleagues plan to focus the argument on free-market principles. In 1997, she says, a handful of lawmakers endorsed federal legislation to lift the ban on encryption strengths already available on the world market. That bill failed with 205 supporters.
This year a similar bill was introduced with 210 endorsements. The Safety and Freedom through Encryption Act of 1999 (SAFE), which in March passed the House Judiciary Committee, would prohibit the government from requiring keys to be held in escrow, but the secretary of commerce would still have the power to review encryption products and control exports. On the Senate side, the PROTECT Act of 1999 (Promote Reliable On Line Transactions To Encourage Commerce and Trade) would immediately raise the bar to 64 bits and open the floodgates for exports of any strength by 2002. Bloss-Baum says she’s optimistic that the ban will be lifted this year.
“People are already moving their lives online,” says Davidson. “There has to be a very broad discussion about how we’re going to protect what’s seen of us online. Encryption is just one small piece of it. I think this is the first skirmish in a very long campaign.”