Four Pillars Down, Thousands to Go


On September 16, the White House announced that strong encryption, the subject of decades of debate between law enforcement and the high-tech community, has been cut free of its regulatory chains. The high-tech crowd can crack the champagne before Y2K (and the 2000 presidential campaign). But what about the hangover?

Encryption scrambles up the letters in private messages to keep them private. It works like a Captain Crunch decoder ring, only better and using much harder math. Since the early 1970s, law enforcement has warned that strong encryption could be used by "bad guys" to decode their messages so the police can't possibly understand them.

But the techies had the better arguments. How could anyone prevent the worldwide spread of software flying over the Internet at light speed? Foreign companies were selling encryption, too. And encryption is needed to keep spies and hackers from stealing nuclear secrets and credit card numbers online. So at the press conference announcing the new policy, administration spokesman James Steinberg announced that strong crypto could be freely exported to commercial users in most countries -- after a one-time technical review by the folks at national security.

This goes a long way toward ending the despised regime of encryption export controls -- a significant step in the right direction. The administration announced that the new policy rested on "four pillars... national security, public safety, privacy, and commerce." Another of the pillars just released was the proposed Cyberspace Electronic Security Act (CESA) of 1999, which describes how law enforcement can get access to information needed to decode encrypted messages.

A paper just released by the Cato Institute shows that strong encryption is available easily around the world. The spread of technology has largely overtaken regulation entirely. Even the prospect of one-time technical review might chill companies from building encryption into mass-market products sold directly to end users, such as word processors or e-mail programs. Built-in encryption would make its security benefits available to millions of ordinary people.

It's a puzzle, then, as to why the administration does not abandon the export control process entirely. But DOD's Deputy Secretary John Hamre even insisted the new policy is "not a relaxation."

Another puzzle. If strong encryption can be freely exported, what will the technical reviewers be looking for? Perhaps they're looking for bugs -- convenient security holes. Confidentiality provisions of CESA might mean that national security interests could prevent the bugs' being disclosed. Could parts of CESA undermine confidence in U.S.-made encryption? Software today must pass the test of public scrutiny. But without freedom to talk about bugs, that public scrutiny would suffer. And what happens to the deal if CESA is never made law?

Those questions aside, this move to relax encryption controls shows that the process of educating policymakers about high-tech issues can work. Respected cryptographers, entrepreneurs and scholars have repeated the same arguments over and over again -- and finally have gotten some results.

The bad news is, the changes took almost three decades. At a time when new regulation of high-tech is being proposed every day all around the world, that's a pretty alarming length of time for getting rid of a few lousy rules. It's hundreds of Internet years. (For non-techies, one Internet year is about one dog year.) The high-tech community should redouble its efforts to resist any more elaborate legal schemes governing the Internet -- before it finds regulators knocking on its door again.