
Proposed crypto limits draw broad criticism

A lone senator's proposals to hobble encryption would make the Internet less, not more, secure against terrorist attacks, according to encryption, privacy and technology experts.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.
A new call for limits on encryption technology is finding weak political support in the United States, despite a looming clandestine war against terrorism that will most likely hinge on the effectiveness of police and military intelligence.

In response to attacks this month on the World Trade Center and the Pentagon, Sen. Judd Gregg, R-N.H., said he favored establishing mandatory backdoors in the software used to scramble digital messages and to ensure that only the intended recipient can read the contents.

The specter of unbreakable encryption falling into the hands of criminals, terrorists and hostile governments has long been used to promote policies limiting commercial data-scrambling products. Such arguments are out of date, however, according to many experts. Critics include not only civil libertarians and a self-interested software industry, but those concerned with preventing terrorism as well.

Two factors have decisively changed the playing field: So-called strong encryption technology is already widely available and can't realistically be recalled. In addition, fear of cyberattacks hitting strategic targets such as electrical grids and nuclear power plants has raised the stakes for domestic security.

"The danger in weakening encryption is that our infrastructure would become even less secure," said Bill Crowell, a former deputy director of the National Security Agency, the organization charged with gathering electronic intelligence for the military and protecting the United States' own communications networks. "There is no indication that the administration is serious about these proposals."

Already, some members of Congress are readying opposition to Gregg's proposal.

Rep. Bob Goodlatte, R-Va., a longtime critic of anti-encryption measures, said he is working to build Senate opposition to such a bill that equals the momentum in the House. Goodlatte belongs to a camp of lawmakers that believes such legislation would be a threat to national security.

"It's not a matter of privacy vs. security, but security vs. security," Goodlatte said in an interview.

"Encryption protects our national security," he said. "It protects the controls of everything from nuclear power plants to the New York Stock Exchange, government communications, credit cards and the electric power grid. Encryption plays a critical role in our entire communication system, and to require that a backdoor be built into that system is just an incredibly dangerous thing to do."

Former NSA Deputy Director Crowell, now president and CEO of security software maker Cylink, said intelligence and law enforcement agencies will have to find other ways to gather information than plucking it from the ether.

"Yes, it's hard," he said. "But that is the world that we live in today. I think the alternative of having banks, companies and the government use weak encryption is not a good one."

Key to security?
Gregg stated that he would present legislation to create a "quasi-judicial entity," appointed by the Supreme Court, that would act as an independent third party giving authority to the lawmakers with proper warrants to crack encrypted documents.

"This judicial element would have the ability, with absolute search-and-seizure rights protected, to get access to security keys with cooperation from the industry," said Brian Hart, press secretary for the senator.

Gregg is discussing the proposal with other senators and is waiting to see Attorney General John Ashcroft's full anti-terrorism recommendation, expected to be released next week, Hart said.

"We want to defer to the president and the Bush administration to combat terrorism," he said.

For law enforcement and officials of the newly formed Office of Homeland Security, encryption holds both a promise and a threat.

Today's encryption technology allows anyone with a PC to scramble their e-mail and files so that even the most powerful computers in the world would take centuries, if not longer, to crack the code. Only the correct key can decipher the original message.

On one hand, encryption has made the Internet more secure. In the past, most information on the Internet was sent in plain text with no encryption protecting it. Anyone listening on the line could capture passwords, financial transactions or personal e-mails. Today, the ability to encrypt the content of messages has heightened the security of the Internet.

However, that same ability to scramble messages has left lawful authorities bereft of any ability to eavesdrop on suspected terrorists when encryption is being used. Although there is no evidence yet that encryption was used by the terrorists who attacked the World Trade Center and the Pentagon, many consider it likely.

The dangers of giving criminals the ability to hold absolutely private communications have been debated often in the past decade.

In the late '90s, a group of federal regulators including former FBI Director Louis Freeh and former Attorney General Janet Reno championed legislation that required encryption software to include government safeguards and that restricted U.S. exports.

The Clinton administration introduced a proposal for technology known as the "Clipper Chip," or an extra key held by the government, which could with a warrant unlock encrypted electronic messages for criminal investigations. The proposal met with opposition from the American public, businesses and foreign governments, and eventually failed. Critics said foreign consumers or businesses would not buy U.S. encryption software accessible by the U.S. government.

"Everyone gets really nervous when you start talking about backdoors because you have to trust the other fellow a lot," said James Lewis, director for the technology and public policy program at the Center for Strategic and International Studies, based in Washington, D.C.

"If you put domestic restrictions on U.S. encryption use, it doesn't do any good, because first, there are real costs to the economy--the Internet is weakened--and second, without the cooperation of every other crypto supplier in the world, it doesn't prevent terrorists from getting their crypto from somewhere else," Lewis said. "None of these issues have changed."

Little political support
For now, Gregg seems unlikely to gain many adherents.

Scott Schnell, senior vice president of corporate development for encryption technology seller RSA Data Security, argued that a backdoor could make the Internet far more vulnerable to attack.

"The fatal flaw is that if the terrorist ends up with a key (to a backdoor), it could be disastrous," he said. "A single key could compromise a whole company or a large segment of the population."

Rather than preventing terrorism, argued Schnell, Gregg's proposal would empower terrorists by allowing them to focus their attack on a single weakness.

"The proposal not only wouldn't work, but it would force the country to pay a huge penalty to get access to a small body of potential evidence," he said.

Privacy advocates weighed in against the proposal as well. Richard Smith, chief technology officer for the Denver-based Privacy Foundation, characterized any potential encryption laws as a "total waste of time."

"It will take years to get updated forms of the software, assuming that people will even upgrade voluntarily," Smith said. Worse, such legislation would have little effect on terrorists who could just use the software publicly available now. "The bad guys will keep using the old products without the backdoors."

Steve Bellovin, a security researcher with AT&T Labs, said any impression the United States has of pre-eminence in the encryption field is wrongheaded. The encryption algorithm to be used by the U.S. government in the future, known as the Advanced Encryption Standard, was originally developed by two Belgian scientists.

Terrorists outside the United States will have access to such expertise, he said. "These people are not stupid," he said. "They will write their own code. I know high-school students who could take the AES specification and write a program."

Gregg hopes to head that off by enlisting other nations' help. One key to legislation would be the cooperation of governments around the world, which Gregg has urged in congressional hearings. Global enforcement is essential to ensuring that terrorists and hackers are unable to obtain encryption software without backdoors.

But opponents of encryption laws believe such cooperation to be impossible.

"Because you can download software on the Internet, people outside the country could sell encryption without a backdoor," said the Privacy Foundation's Smith. "To have practical value, it would have to have worldwide enforcement, and plenty of countries wouldn't want to do this."