Proponents and foes of the U.S. government's encryption policy squared off in a panel yesterday evening at the RSA Data Security Conference, and while the thrusts and parries of the panelists gave the audience plenty of chances to applaud or grumble in their seats, the only conclusion was that the two sides don't seem willing or able to reach a compromise anytime soon.
No matter who is right, the debate underlined a basic difference in philosophy that an infinite number of panels won't solve: Some people believe the government for security reasons has a right to access private data without the individual's knowledge, and some people don't. Legislation in Congress could ban mandatory key storage, but a presidential veto looms large. Whether Congress could override such a veto depends upon how quickly many members of Congress can change their philosophy.
RSA president and CEO Jim Bidzos moderated last night's panel, stacking the deck against the pro-government forces from the start. Each panelist began by summarizing his or her views of the battle over encryption regulation, but those on the government side came under heavy fire from other panelists, Bidzos, and the audience.
Ed Roback from the National Institute of Standards and Technology gave a rundown of the efforts to reach a standard on encryption for government use. NIST determines standards that guide government purchasing and contracting. An audience member accused NIST of seeding an otherwise infertile market for mandatory key storage by forcing software vendors to produce compliant products in order to get government contracts.
Next up was Georgetown University professor Dorothy Denning, who argued that encryption source code should not be considered free speech protected by the First Amendment. She was referring to two recent court cases in which federal judges handed down contradictory rulings--one stating that software source code was in fact protected speech, the other that it is a function and a product and therefore can be subjected to regulations that restrict its dissemination. Denning took up this second argument but shied away from debate when challenged to give a more precise definition of protected speech.
The third pro-government panelist was Edward Appel, director of counterintelligence programs for the National Security Council and cochair of the interagency group that wrote the current encryption export regulations. Appel tried to soften his stance by acknowledging the current regulations aren't perfect, a result of compromise among many competing interests within the administration.
"This middle of the road option does not please everyone all the way," Appel said.
But Appel staunchly defended the mandatory key storage at the heart of the current crypto regulations. Like Ambassador David Aaron, the administration's special envoy for cryptography who delivered the morning keynote, Appel insisted that key storage (also known as key escrow or key recovery) was the best way to protect user privacy and give law enforcement proper access to the data and communications of suspected criminals.
Other panelists had a rebuttal for every pro-government statement.
"This policy is driven solely and exclusively by the FBI," said Kenneth Bass, a former government security advisor and now a partner with the law firm Venable, Baetjer & Howard. "It's a policy driven by a non-real threat. I am not aware of any legitimate story that says we could have prevented a crime if only we could have read an encrypted message."
Appel justified the administration's attempts to coordinate a global key management system by saying foreign governments are eager to implement controls similar to those in the United States. Marc Rotenberg, director of the Electronic Privacy Information Center, dismissed the statement as untrue.
"There is no international consensus to permit lawful [government] access to encrypted data," Rotenberg said.
Rotenberg helped write the cryptography guidelines of the Organization for Economic Cooperation and Development, a policy and research body composed of 29 nations to which David Aaron is the U.S. permanent representative. The guidelines are due for release in March, and Rotenberg said there is no recommendation that governments should be allowed to access data.
Rotenberg and others also contended that the ultimate goal of current export restrictions is to restrict the domestic use of encryption, a charge that Appel denied, as did Ambassador Aaron earlier in the day. As evidence, Rotenberg referred to a document obtained in 1995 under the Freedom of Information Act in which then-FBI director William Sessions wrote that technical solutions to the spread of encryption would only work if "incorporated into all encryption products."