Eric Vance*
Encryption technology is at the center of a bitter dispute that
promises to hold serious ramifications for not only worldwide law
enforcement, but perhaps more importantly the entire future of Internet
commerce or e-commerce. What is encryption technology? Quite simply,
it is a set of complex mathematical formulae which permits anyone
transmitting electronic information over something as vast as the
Internet or as simple as a cellular phone to scramble the message
so nobody but the recipient understands it. If you purchased anything
over the Internet you've probably used encryption technology already
without knowing it to keep your credit card information safe from
poachers. Likewise, new encryption programs are becoming available
to prevent eavesdroppers from listening in on your cellular phone
conversations.
The theory underlying encryption technology has been around for
at least two hundred years, but until recently remained a backwater
for mathematical theoreticians and consisted largely of arcane algorithms.
However, the advent of vast new computing power has placed nearly
impenetrable encryption programs in the hands of the everyday citizen,
a development which ignited the first debate: should people like
you and me be able to communicate without anyone, anyone at all, being
able to listen?
The current level of encryption technology in the United States
is reflected by the U.S. Data Encryption Standard ("DES")
which utilizes 64 bit technology. Although previously considered
impregnable, DES was recently cracked through the simultaneous use
of several thousand computers working continuously for 92 days,
thus throwing the standard into turmoil. Since the cracking of the
DES, there have been proposed alternative programs including one
from NEC in Japan which employs 128 bit technology and another utilizing
elliptical curve cryptography to ensure privacy. Against this uncertain
backdrop, Congress has been active trying to pass legislation regarding
the distribution and export of encryption technology.
Federal Legislation
Initially, Representative Bob Goodlatte (R-Virginia) sponsored
HR 695, dubbed the "SAFE" bill, which would have eased
the restrictions on the export of encryption technology. Current
regulations limit export of encryption software to relatively low
powered 40 bit programs. The reason for this restriction was quite
simple: the United States government did not want powerful encryption
programs written in the U.S. to fall into the hands of extremists
and potential terrorists.
As originally written, the SAFE bill also prohibited the government
from mandating a "key" recovery system. A key recovery
system would provide the government access to a "key"
to unscramble the contents of any electronic transmission and read
the message. Therefore the bill's prohibition of a key recovery
system meant that the transmissions would be safe from prying eyes,
regardless of who was looking.
In a complete turnaround, by the time the SAFE bill emerged from
committee, amendments were added which would have required all encryption
products sold or distributed in the United States after January
31, 2000 to include just such a key recovery system. Under the terms
of the amended bill, sarcastically referred to as the "UNSAFE"
bill, anyone using encryption technology would be required to turn
over an encryption key to a "key recovery agent", a caretaker
of sorts who safeguards the keys until directed by court order to
turn them over. As currently written the UNSAFE bill requires that
any law enforcement official seeking an access key would have to
show "a factual basis establishing the relevance of the plaintext"
to their investigation, a very easy standard to meet.
The amendments to the SAFE bill were made by Michael Oxley (R-Ohio)
and Thomas Manton (D-New York), at the behest of the FBI and other
law enforcement officials who argued that allowing encryption technology
to be widely utilized by the general public will make surveillance
of criminal activity over the Internet nearly impossible. Absent
the ability to monitor such electronic transmissions, law enforcement
officials argued that the transmissions would become an indecipherable
tool of terrorists, child pornographers and other nefarious wrongdoers.
In support of their position, law enforcement officials cited Ramzi
Yousef, who was convicted of the World Trade Center Bombing and
had also encrypted plans to blow up eleven US commercial airliners.
Opposing the UNSAFE bill were various high tech companies and civil
liberties groups who argued Orwellian shades of Big Brother.
Despite weeks of intensive lobbying, law enforcement advocates
came up short when in September, the House Commerce Committee voted
35-16 against the bill which would have required all encryption
programs to contain a backdoor or key allowing governmental access.
A similar version of the UNSAFE bill, S 909 sponsored by Senators
John McCain (R-Arizona) and John Kerrey (D-Nebraska) is also winding
its way through the Senate. Under the McCain-Kerrey bill, it would
be illegal to export encryption software stronger than 40 bits unless
a key recovery system was installed within two years. Domestically
the bill would also require anyone wanting to do business on the
Internet to deposit a copy of their encryption keys with a key recovery
agent. Whatever the outcome of these particular bills, the issue
of encryption technology will continue to be debated in the halls
of Congress for some time to come.
Courtroom Challenge
Concurrent with the emergence of encryption legislation, several
court cases have raised the question of whether restrictions on
encryption technology are sustainable. Most recently in December,
the Ninth Circuit Court of Appeals heard the appeal of a case known
as Bernstein v. United States Department of State, 945 F. Supp.
1279 (N.D. Cal. 1996). In Bernstein, a mathematician who invented
an encryption program called "Snuffle" sought a ruling
from the Court that the Arms Export Control Act ("AECA"),
which restricted the export of Snuffle based on military secrecy,
was unconstitutional. Under AECA, the export of encryption technology
in printed form, i.e., source code, is permissible, but not over
the Internet in electronic form.
In December 1996 the district court ruled that Snuffle was nothing
more than source code. Thus the court found that as source code,
"Snuffle is speech afforded the full protection of the First
Amendment not because it enables encryption, but because it is itself
speech." The court concluded that the AECA's prior restraints
on the export of encryption technology could not be sustained. The
government, unsatisfied with the court's ruling, appealed the case
to the Ninth Circuit.
During oral argument before the Ninth Circuit, Bernstein's lawyers
cited precedent from the Pentagon Papers decision and Reno v. A.C.L.U.
for the proposition that the AECA constituted an illegal prior restraint
on free speech. The government countered that what was being restricted
was not the speech itself, but merely the medium over which it was
transmitted, i.e. the Internet. Whatever the decision of the Ninth
Circuit, the losing side will almost certainly appeal to the Supreme
Court and thereby set up a precedent-setting decision on the distribution
and export of encryption technology.
Policy Issues and the Future
The debate over the control of encryption technology is also being
heard on the world stage. Several weeks ago the Organization for
Economic Cooperation and Development ("OECD"), an influential
consortium of twenty-nine countries, met in Paris to discuss the
use of encryption technology to protect commerce from fraud while
precluding it from becoming a tool of terrorists and criminals.
France and the United States both advocate limiting the export of
encryption technology while Japan and the Scandinavian countries
oppose such measures. Not coincidentally, France is currently the
only Western country that bans the domestic use of any encryption
technology.
Most of this year's conference was dedicated to the role of
so-called "trusted third parties", the private
entities which are supposed to "hold the keys". While
that topic proved to be of great interest, next year's conference
will center on an even more critical development: taxation of Internet
or e-commerce.
At present there are few formal structures in place to tax transactions
which are wholly electronic. Most governments base their taxation
scheme on the fact that sooner or later the proceeds of a purchase
or sale are converted to cash. But imagine a world, perhaps just
a few years away, where no cash changes hands when you buy your
new car, but instead you receive a digital debit or credit to your
account. Now imagine even further that your entire transaction is
encrypted so that nobody, including the IRS, can tell if you are
talking to your aunt in Toledo or selling mountains of merchandise.
Without the ability to monitor these cyberspace transactions, the
entire ability of governments to levy and collect taxes could be
fundamentally altered. Current estimates by the IRS of unreported
income run as high as 120 billion dollars, with the number certain
to grow significantly in the face of increasing e-commerce.
Given the huge amount of money at stake, the real debate about
the future of encryption technology will almost certainly center
on e-commerce. In the context of e-commerce, the public key system
works like this: the sender, say a bank, has a private key in its
possession which it uses to scramble an outgoing wire transfer of
funds. The encrypted message can only be decoded by using a public
key associated with the bank.
Thus, when a person receives the wire transfer they believe comes
from the bank, they look up the bank's public key in the equivalent
of an electronic phone book. If the public key associated with the
bank decodes the message, then the recipient knows that message
is genuine. Of course this whole system rests upon the integrity
of the public directory. If the directory has been tampered with
or even contains misfilings, then the system breaks down. The sheer
scale of the public key system that would be required to make such
a system work on a nationwide, let alone a worldwide basis, is daunting
and would likely require the establishment of a huge new quasi-governmental
agency. Although no such agency has been planned, the White House
has sought to establish a national policy for dealing with Internet
security issues by establishing the President's Commission on Critical
Infrastructure Protection co-chaired by former Georgia Senator Sam
Nunn and former deputy attorney general Jamie Gorelick.
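The signing and directory lookup described above, as an added example that is not part of the original article: a toy RSA in Python over small constructed primes, far too small to be secure and meant only to make the steps visible. The function names, the sample messages and the out-of-band fingerprint check are assumptions of this example.

```python
import hashlib

# Toy RSA over small, publicly known Mersenne primes (constructed values).
# Far too small to be secure; it only makes the sign/verify steps visible.
def make_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, e), (n, d)              # (public key, private key)

def digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    n, d = private_key
    return pow(digest(message, n), d, n)

def verify(message, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)

def fingerprint(public_key):
    return hashlib.sha256(repr(public_key).encode()).hexdigest()

def check_transfer(directory, sender, message, signature, pinned=None):
    """Recipient's check: look up the sender's key, optionally compare it with
    a fingerprint obtained out of band, then verify the signature."""
    key = directory.get(sender)
    if key is None or (pinned is not None and fingerprint(key) != pinned):
        return False
    return verify(message, signature, key)

def demo():
    bank_pub, bank_priv = make_keypair(2**61 - 1, 2**89 - 1)
    other_pub, other_priv = make_keypair(2**107 - 1, 2**127 - 1)  # not the bank
    honest = {"bank": bank_pub}
    tampered = {"bank": other_pub}                  # directory entry replaced
    wire = b"TRANSFER 100.00 TO ACCOUNT 12345"      # constructed message
    bogus = b"TRANSFER 9999.00 TO ACCOUNT 67890"    # constructed message
    wire_sig, bogus_sig = sign(wire, bank_priv), sign(bogus, other_priv)
    pin = fingerprint(bank_pub)                     # obtained out of band
    return {
        "genuine, honest directory": check_transfer(honest, "bank", wire, wire_sig),
        "altered, honest directory": check_transfer(honest, "bank", wire + b"0", wire_sig),
        "bogus, honest directory": check_transfer(honest, "bank", bogus, bogus_sig),
        "bogus, tampered directory": check_transfer(tampered, "bank", bogus, bogus_sig),
        "genuine, tampered directory": check_transfer(tampered, "bank", wire, wire_sig),
        "bogus, tampered + pinned": check_transfer(tampered, "bank", bogus, bogus_sig, pin),
    }
```

With an honest directory only the bank's own unaltered message is accepted; once the directory entry is replaced, the recipient accepts the other party's message and rejects the bank's, unless the key is also checked against a fingerprint obtained through a separate channel.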
Not satisfied to wait for the government, electronic Goliaths like
Visa, Mastercard and Microsoft have established the Secure Electronic
Transactions protocol ("SET") whereby each party to a
transaction must independently establish the authenticity of its
digital signature including the merchant, the consumer, the bank
card issuer and the payment processor. Unfortunately such an elaborate
system, like the proposed governmental key agency, does little to
streamline a transaction and adds to the costs as well.
Whatever the outcome of the current debate, the ramifications of
the new encryption technology have not been lost on an avant-garde
group of crypto-libertarians who want to see government take a smaller
role in John Q. Public's life. They have made relatively powerful
encryption programs available over the Internet at web.mit.edu/network/pgp.html,
free of charge to all comers. With the ability to screen the government's
prying eyes from their conversations and its taxing fingers from
their pockets, the crypto-libertarians want a chicken in every pot
and an encryption program in every home computer. Whether they get
their wish may well shape the course of government and the economy
in the next century.
*Eric Vance is an attorney with the firm of Blank Rome Comisky
& McCauley LLP in Philadelphia, Pennsylvania. He is a member
of the Philadelphia Lawyers Chapter and serves on the publications
committee for the Intellectual Property Practice Group.