Encryption Bound?

August 6, 1997 • Commentary
By Solveig Bernstein

In Greek mythology, Prometheus created an age of prosperity by teaching mankind how to use fire. The gods punished him for his audacity by chaining him to a rock. Now some members of Congress seem determined to shackle the U.S. software industry by preserving the Clinton administration’s restrictions on the export of encryption technology.

The Secure Public Networks Act (S. 909), just passed by the Senate Commerce Committee, would be disastrous in its effects on the privacy and security of U.S. computer users. Essentially, S. 909 could open any Internet communication to instantaneous government scrutiny. Meanwhile, the House International Relations Subcommittee on International Economic Policy and Trade has passed the Security and Freedom Through Encryption Bill (SAFE), H.R. 695, a more enlightened approach that would lift at least some of the Clinton Administration’s restrictions. But the Clinton administration’s “Framework for Global Electronic Commerce,” recently released with great fanfare, promises no reforms, sadly contradicting the report’s assertion that governments should leave the private sector alone to develop the mechanisms of electronic commerce.

The new Prometheans are cryptographers and designers of strong encryption technology — that is, technology that encodes computer files so that only someone with a unique “key” can read them. Encryption will encourage Internet commerce while protecting consumer privacy. It will keep snoops from reading your e‐​mail or stealing your credit card numbers as they are sent over the Internet. It will protect computer systems from industrial spies and malicious hackers. In short, it is vital to the future of cyber‐​commerce.

But Washington politicians want to keep encryption in chains, stifling its vast potential to empower Internet users. The government now restricts the export of encryption stronger than 56 bits. (The more bits in an encryption system’s key, the more secure the system.) Just last month, however, Internet users succeeded in cracking a 56‐​bit key, that of the government‐​approved Data Encryption Standard system. Much stronger encryption will have to be made available for electronic commerce to flourish.

We can already see the promise of increased freedom and prosperity that electronic commerce brings.

Some law enforcement officials fear foreign criminals will obtain access to strong encryption. FBI director Louis Freeh warns, “The proliferation of unbreakable encryption would seriously and fundamentally threaten . . . critical and central public safety interests.” But the lack of strong encryption is a graver danger, because it continues to make the computer networks that you and I use vulnerable to electronic trespass, violation of privacy and theft.

Export restrictions will never keep strong encryption out of the hands of foreign criminals, since the technology is readily available worldwide. If U.S. companies are forbidden to satisfy the worldwide demand for encryption, companies based in other countries will. Law enforcement officers can use informants and bugs to spy on criminals — there’s no need for useless and easily evaded export restrictions.

Does restricting the export of strong encryption sound futile and destructive? Wait — it gets worse.

Now the Clinton administration and supporters of S. 909 are doing their best to require that U.S. users of strong encryption give law enforcement officers access to their secret keys via a “key recovery” system. They might just as well demand that every family give the federal government a copy of the house keys, just in case the government ever needs them. Supporters of S. 909 in the Senate argued that failure to restrict encryption technology would protect child pornographers. Although Sen. John Ashcroft, R.-Mo., protested that encryption was, like photography, an intrinsically harmless technology, saying “We’re not going to [ban] photography if someone takes dirty pictures,” his view did not prevail. The “key recovery” idea should provoke both fear and ridicule. Fear, because we can’t trust government officials to guard our privacy. And ridicule, because a recent report issued by 11 recognized leaders in cryptography and computer science argues that it’s probably impossible to build an infrastructure that could keep billions and billions of secret keys secure.

Eventually, Prometheus was freed from his chains. Encryption technology cannot be restricted forever, either. We can already see the promise of increased freedom and prosperity that electronic commerce brings. S. 909’s misguided encryption policies will do nothing but erode our privacy and delay our destiny of greater wealth and freedom.

About the Author
Solveig Bernstein is associate director of telecommunications and technology studies at the Cato Institute.