Chapter 9Secret Codes as Munitions and MoneyEncryption Becomes Unbreakable9.1 Senator Gregg ReconsidersSeptember 13, 2001: Fires were still smoldering in the wreckage of the World Trade Center whenJudd Gregg of New Hampshire rose to tell the Senate what had to happen. He recalled the warningsissued by the FBI years before the country had been attacked: that the FBI’s most serious problemwas “the encryption capability of the people who have an intention to hurt America.” “It usedto be,” the senator went on, “that we had the capability to break most codes because of oursophistication.”1No more. “The technology has outstripped the code breakers,”2he warned. Evencivil libertarian cryptographer Phil Zimmermann agreed that the terrorists were probably encodingtheir messages. Zimmermann’s software had been posted on the Internet in 1991 for use by humanrights workers around the world, but he had to acknowledge that the bad guys also “would wantto hide their activities using encryption.”3Encryption is the art of encoding messages so they can’t be understoo d by eavesdroppers or ad-versaries into whose hands the messages might fall. De-scrambling an encrypted message requiresknowing the sequence of symbols—the “key”—that was used to encrypt it. An encrypted messagemay be visible to all the world, but without the key, it may as well be hidden in a locked box.What was nee ded, Senator Gregg asserted, was “the cooperation of the community that is build-ing the software, producing the software, and building the equipment that creates the encodingtechnology.” Cooperation, that is, enforced by legislation. Whoever made encryption software,Senator Gregg proposed, would have to enable the gove rnment to bypass the locks and retrievethe decrypted messages. What about encryption programs written abroad, which could be sharedaround the world in the blink of an eye, as Zimmermann’s had been? The US should use “themarket of the United States as leverage” in getting foreign manufacturers to follow requirementsfor “back doors” that could be used by the US government.12 CHAPTER 9. SECRET CODES AS MUNITIONS AND MONEYBy September 27 Gregg’s legislation was beginning to take shape. The keys used to encryptmessages would be held in escrow by the government under tight security. There would be a“quasi-judicial entity,” appointed by the Supreme Court, that would decide when law enforcementhad made its case for release of the keys. Civil libertarians squawked, and doubts were raised as towhether the key escrow idea could actually work. No matter, opined the Senator in late September.“Nothing’s ever perfect. If you don’t try, you’re never going to accomplish it.”4And then abruptly, Senator Gregg dropped his legislative plan. “We are not working on an encryp-tion bill,” said the Senator’s spokesman on October 17.5On October 24 Congress passed the USA PATRIOT Act, giving the FBI sweeping new powers tocombat terrorism. But the PATRIOT Ac t does not even mention encryption. No serious attempthas been made to legislate control over cryptographic software since Gregg’s proposal. Why not?9.2 Why Not Regulate Encryption?Throughout the decade of the 1990s, the FBI had made control of encryption its top legislativepriority. Senator Gregg’s proposal was a milder form of a bill, drafted by the FBI and reportedout favorably by the House Select Committee on Intelligence in 1997, that would have mandated afive-year prison sentence for selling encryption products unless they enabled immediate decryptionby authorized officials.6How could regulatory measures deemed critical for fighting terrorism by US law enforcement in1997 drop completely off the legislative agenda four years later—in the aftermath of the worstterrorist attack ever suffered by the United States of America?No technological breakthrough in cryptography in the fall of 2001 had legislative s ignificance. Therewere no diplomatic breakthroughs either. Nothing else transpired to make the use of encryptionby terrorists and criminals unimportant. It was just that something else about encryption hadbecome more important. And that was to ensure that encryption tools could be in the hands ofbanks and their customers, airlines and their customers, Ebay and Amazon and L. L. Bean andtheir customers. That is, in the hands of anyone using the Internet for commerce.For a decade, government officials had been debating the tension between secure conduct of elec-tronic commerce and secret communication among outlaws. Senator Gregg was but the last of thevoices calling for restrictions on encryption. The National Research Council had issued a reportof nearly 700 pages in 1996 weighing the alternatives. The report concluded that on balance, ef-forts to control encryption would be ineffective, and that their costs would exceed any imaginablereward.7The intelligence and defense establishment remained unpersuaded. FBI Director LouisFreeh testified before Congress in 1997 that uncontrolled public access to encryption “ultimatelywill devastate our ability to fight crime and prevent terrorism.”8Yet only four years later, even in the face of the September 11thattack, electronic commercedemanded encryption software for every business in the country and every home computer fromwhich a commercial transaction might take place. At the moment when Freeh was cautioning9.2. WHY NOT REGULATE ENCRYPTION? 3Congress about encryption software, elected officials might never have bought anything on lineand their families might never have used computers. By 2001, computers had become consumerappliances, Internet connections were common in American homes—and average citizens were wellaware of electronic fraud. Consumers did not want their credit card numbers and social securitynumbers exposed to everyone on the Internet.Why is encryption so important to Internet communications that Congress was willing risk ter-rorists using encryption, so that American businesses and consumers could use it too? After all,information security is not a new idea. People communicating by postal mail have reasonableassurances of privacy without any use of encryption.The Internet is different from the postal system, despite the metaphor of electronic “mail.” Datapackets zipping across the Net are not like envelopes with an address on the outside and contentssealed inside. Packets are more like postcards, with everything exposed for anyone to
View Full Document
Unlocking...