Commentary

Four Pillars Down, Thousands to Go

By Solveig Singleton
September 22, 1999
On September 16, the White House announced that strong encryption, the subject of decades of debate between law enforcement and the high-tech community, has been cut free of its regulatory chains. The high-tech crowd can crack the champagne before Y2K (and the 2000 presidential campaign). But what about the hangover?

Encryption scrambles up the letters in private messages to keep them private. It works like a Captain Crunch decoder ring, only better and using much harder math. Since the early 1970s, law enforcement has warned that strong encryption could be used by “bad guys” to encode their messages so the police can’t possibly understand them.

But the techies had the better arguments. How could anyone prevent the worldwide spread of software flying over the Internet at light speed? Foreign companies were selling encryption, too. And encryption is needed to keep spies and hackers from stealing nuclear secrets and credit card numbers online. So at the press conference announcing the new policy, administration spokesman James Steinberg announced that strong crypto could be freely exported to commercial users in most countries — after a one-time technical review by the folks at national security.

This goes a long way toward ending the despised regime of encryption export controls — a significant step in the right direction. The administration announced that the new policy rested on “four pillars… national security, public safety, privacy, and commerce.” Another of the pillars just released was the proposed Cyberspace Electronic Security Act (CESA) of 1999, which describes how law enforcement can get access to information needed to decode encrypted messages.

A paper just released by the Cato Institute shows that strong encryption is easily available around the world. The spread of technology has largely overtaken regulation. Even the prospect of one-time technical review might chill companies from building encryption into mass-market products sold directly to end users, such as word processors or e-mail programs. Built-in encryption would make its security benefits available to millions of ordinary people.

It’s a puzzle, then, as to why the administration does not abandon the export control process entirely. But DOD’s Deputy Secretary John Hamre even insisted the new policy is “not a relaxation.”

Another puzzle. If strong encryption can be freely exported, what will the technical reviewers be looking for? Perhaps they’re looking for bugs — convenient security holes. Confidentiality provisions of CESA might mean that national security interests could prevent the bugs’ being disclosed. Could parts of CESA undermine confidence in U.S.-made encryption? Software today must pass the test of public scrutiny. But without freedom to talk about bugs, that public scrutiny would suffer. And what happens to the deal if CESA is never made law?

Those questions aside, this move to relax encryption controls shows that the process of educating policymakers about high-tech issues can work. Respected cryptographers, entrepreneurs and scholars have repeated the same arguments over and over again — and finally have gotten some results.

The bad news is, the changes took almost three decades. At a time when new regulation of high-tech is being proposed every day all around the world, that’s a pretty alarming length of time for getting rid of a few lousy rules. It’s hundreds of Internet years. (For non-techies, one Internet year is about one dog year.) The high-tech community should redouble its efforts to resist any more elaborate legal schemes governing the Internet — before it finds regulators knocking on its door again.

Solveig Singleton is director of information studies at the Cato Institute.