Smith, 1
Adam Smith
17.31J, Professor Oye, Fall 2004
October 14, 2004
Cryptography Regulations
Cryptography has been an important thread in the story of the rapid technological
developments over the past fifteen years. Since its popularization, the market has wanted
to export the technology abroad simply for the foreign customer base. However, if
foreign entities hostile to the United States used that cryptography, the US intelligence
apparatus’ ability to collect important information could be impaired. As a result of the
market’s failure to internalize this concern, the government has sought to use standards
and regulations to curb international use of unbreakable cryptography. In this paper we
will discuss this development, including many attempts to control encryption technology
and each attempt’s subsequent failure. We will then explore why government-imposed
regulation of encryption is not effective, and thus should not be pursued. The discussion
begins with a description of the status quo, followed by a treatment of historical attempts
to control encryption, and will conclude with an argument for why the market-driven
solution has won over regulatory control.
Cryptography and Its Use – The Status Quo
At the time of writing, the export of any open source cryptographic software is
legal, except to a small set of nations.1 Commercial software containing strong
cryptography is subject to a review in some cases; however, it is clear that restrictions are
not frequently exercised. Some products which use strong cryptography are restricted
from export to government agents in most countries.2 On the whole, however, current
export restrictions are weak.
1 Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria; US Department of Commerce, Bureau of Industry and Security, http://www.bxa.doc.gov/Encryption/Default.htm
Attempts to Control the Export and Use of Cryptography
In 1991, about the time that military grade cryptography was becoming widely
available, Senate Bill 266 was introduced. If passed, all manufacturers “of electronic
communications service equipment [would have had to] insure that communications
systems permit the Government to obtain the plain text contents of voice, data, and other
communications when appropriately authorized by law."3 The bill did not provide any
reference to how such a back door system could be implemented, but the requirements
were clear – at least part of the Senate favored mandatory back doors for law
enforcement agencies. The bill failed after an outcry from many civil liberties groups,
but began the debate about technology policy as it related to cryptographic controls.
On April 16th, 1993, the National Security Agency (NSA) announced the Clipper
chip. The Clipper chip was a hardware device which would perform important
cryptographic functions like encryption using an NSA algorithm named Skipjack. The
details surrounding the algorithm were not published at the time. The Clipper chip also
implemented a protocol named Law Enforcement Access Field (LEAF), which would
allow governmental agencies to decrypt any ciphered message if some bureaucratic
process was followed. The government manufactured many of these devices, published
documents for how to develop software which uses them, and made partnerships with
software companies to use them. The multi-billion dollar project was cancelled in 1997,
primarily because the standard was not being adopted. Interestingly, we now know that
the US Government considered sharing the secret LEAF keys with China, Syria, and
Pakistan.4
2 All countries except the European Union, Australia, Czech Republic, Hungary, Japan, New Zealand, Norway, Poland, and Switzerland; see ibid.
3 Senate Bill 266, 1991, see http://livinginternet.com/i/is_crypt_pgp.htm
The plan for the Clipper chip deployment was to offer it to industry as a standard
to build off of. According to a presidential directive in April 1993, however, “Should
industry fail to fully assist the government in meeting its requirements within a
reasonable period of time, the Attorney General will recommend legislation which would
compel manufacturers to meet government requirements."5 This was not a viable option;
public opposition to mandated back doors was too large, as could have been seen from
the S. 266 case.
By this point, the US Administration was convinced that a mandatory back door
policy was not feasible. The US Department of Justice stated: “The Administration does
not advocate a mandatory approach, and believes that a voluntary solution is preferable."6
All future attempts at controlling cryptography aimed to establish an encryption standard
which included a back door. This would not preclude the use of unbreakable encryption;
it would just make it more difficult, since it would not be the standard.
There were indications that industry might voluntarily include back doors in its
cryptographic products. On October 2nd, 1996, a group of companies led by IBM formed
the Key Recovery Alliance (KRA).7 The KRA was created to advocate international
cryptographic standards suitable for electronic commerce which included back doors for
law enforcement agencies holding warrants. Several token industry leaders were at some
time part of the group, including IBM, Apple, Intel, NEC, Hitachi, et cetera. This group,
however, was ineffectual in creating real change. At the time it was created, technology
companies did not know how the industry would mature, and thus hedged their bets by
joining the group. It was “hot air.” Alan Davidson, an attorney at the Center for
Democracy and Technology, stated, “there are other companies in the Key Recovery
Alliance who are steadfastly opposed to the administration's policy and mandatory key
recovery, yet I think they are part of the alliance because they feel they need to be.”8
4 “U.S. Considered Sharing Security Secrets With China, Syria, Pakistan;” Charles R. Smith; May 15, 2001; http://www.newsmax.com/archives/articles/2001/5/14/203404.shtml
5 “Al Gore bugs America?” WorldNetDaily; August 2, 2000; http://www.beyond-the-illusion.com/files/New-Files/20000831/al_gore_presses_for_the_bugging_of_every_american.txt
6 Department of Justice, Cryptographic Export Policy FAQ, historically available at: http://www.cybercrime.gov/cryptfaq.htm
7 “High-tech leaders join forces to enable international strong encryption,” October 2, 1996; see http://www.interesting-people.org/archives/interesting-people/199610/msg00005.html
The final attempt at legislation to promote back doors was made in Senate Bill
909 by McCain/Kerrey in 1997. The bill proposed an elaborate system in which
certificate authorities, needed as part of the in-place cryptographic techniques, were to
facilitate the back doors so that a law enforcement agency could recover cryptographic
keys as demanded by warrants. Several alternative cryptographic policy-related bills
were also introduced in the same session, including the Pro-CODE bill9 which advocated
looser export restrictions and denounced key recovery.
The Attorney General at the time, Janet Reno, submitted a letter to Congress
supporting the McCain/Kerrey bill and criticizing the Pro-CODE bill. "All the bills being
considered allow market forces to shape the development of encryption products,” she
said. “Although such market forces are important, we believe that commercial factors
cannot, standing alone, be relied upon to protect public safety and national security."10
8 “NAI Back in Key Recovery Group,” Wired News Report; November 12, 1998; http://www.wired.com/news/print/0,1294,16219,00.html
9 The Promotion of Commerce Online in the Digital Era (Pro-CODE), Senate Bill 377, introduced by Senator Burns
10 A copy of the statement is available at: http://www.cybercrime.gov/aglet.htm
In the end, none of the cryptography policy bills were passed. Since cryptography
development was not adopting protocols including back doors, the Pro-CODE camp won
by default. That is, market forces were allowed to flourish.
There still was, however, a ban on the export of encryption products which had a
certain cryptographic strength. These restrictions were greatly weakened in January of
2000 by the Clinton administration, and have not been changed much since then.11
Why Governmental Control Did Not Work
When Senate Bill 266 was introduced in 1991 to require a back door, Phil
Zimmermann became motivated to make cryptography techniques widely and easily
available to the public. He subsequently created and released a program named Pretty
Good Privacy (PGP) which implemented military grade cryptography. Even though it
violated the patents on the encryption algorithm it used and was illegal to export, it
quickly spread internationally. Physicist Tim May observed, “National borders are just
speed bumps on the information superhighway.”12 This is the first problem with
cryptographic export controls; the Internet makes them unenforceable when free
implementations exist. Cryptographic software is trivially duplicated, unlike physical
munitions, and is transported with equal ease.
The second barrier is that software is often free. It can be created and published
by some set of (possibly anonymous) individuals who have no expectation of being paid;
there is not always a centralized commercial entity. Therefore, regulation enforcement
can be difficult or even impossible.
11 The policy was set by the State Department, and thus was controlled by the executive branch instead of legislatures.
12 Net.Wars, chapter 5; Wendy M. Grossman; NYU Press; see http://www.nyupress.org/netwars/pages/chapter05/ch05_09.html
For some time PGP was exported illegally from the United States by someone on
the Internet. Eventually, however, it was observed that while it was illegal to
electronically export programs which use strong cryptography, free speech would protect the
export of books containing the source code for such programs. For a few years,
volunteers in Europe purchased books containing the source code of PGP, and scanned the
source code in one page at a time. The source code was split across six books containing
about 6,000 pages, and the project involved over 1,000 man-hours to reproduce PGP
legally outside of the US. Once it was reconstructed in Norway, it was legally distributed
internationally.13 This process continued for each new version of PGP until US export
controls were relaxed in early 2000.
So far each reason explaining why it is hard for the government to control
cryptography points to encryption’s idea-like properties. It is easily reproduced and
transported.
There are other causes of the government’s difficulty. For example, it is much
easier to create a program without a back door than one with a back door. Implementing a robust
and trusted cryptosystem containing a back door is very difficult. The NSA attempted to
meet the challenge with the Clipper chip, but even it became obsolete as cryptography
moved away from application-specific hardware to software implementations. The task
could be accomplished today quite easily, but at the time it was not clear which technical
decisions were best to make bets on.
In addition, there was not any consumer demand for key recovery. The
McCain/Kerrey approach offered key recovery as a feature for a user who lost their
original key as well as for law enforcement agencies. This attempt to offer incentives to
consumers was not appealing. This is highlighted in a letter from industry groups to
Senator McCain during the consideration of his bill. “There is virtually no business or
consumer demand for third-party access to keys used to protect communications.”14
13 “The PGPi scanning project,” see http://www.pgpi.org/pgpi/project/scanning/
Additionally, products produced commercially within the US were hurt by export
regulations, which gave foreign products an unfair advantage. For example, Microsoft’s
Internet Explorer by default only offered 40-bit encryption, the maximum allowed by US
export laws at the time.
Finally, there was a large amount of consumer demand for secure cryptography.
Phil Zimmermann states, “despite the lack of funding, the lack of any paid staff, the lack
of a company to stand behind it, and despite government persecution, PGP nonetheless
became the most widely used email encryption software in the world.”15 Here, the
market-dominated solution won the battle – backdoors and export controls were not able
to counter the incredible demand for the product.
14 “Letter from industry groups and privacy advocates sent to Senator McCain and members of the Senate Commerce Committee regarding the McCain-Kerrey bill,” Center for Democracy and Technology; June 18, 1997; see http://www.cdt.org/crypto/legis_105/mccain_kerrey/970618_ltr.html
15 “Phil Zimmermann – Creator of PGP, Background,” see http://www.philzimmermann.com/
The points made are summarized in Table 1, below.
            Market Solution                                                           Government Regulation
Substance   No government control                                                     Backdoors in cryptography (compulsory or by standard)
Pros        Meet consumer demand                                                      Preserve law enforcement capabilities
            Strong cryptography creates new markets (e.g. ecommerce, online banking)  Harder for adversaries to hide communicated information
                                                                                      Support for key recovery for users who lost their keys
Cons        Harder to get intelligence                                                Extremely hard to enforce
                                                                                      Implementing back doors and export controls is more difficult
                                                                                      Domestic businesses under regulations are hurt
Table 1. Summary analysis of solutions to encryption market externalities problem
Conclusion
In conclusion, as cryptography became a commodity in the 1990s, there were
efforts to regulate it so that law enforcement agencies could still have access to the data
gained from interceptions and wire taps. Although many such attempts at regulation
were made, each failed. The two largest causes of the policy failures were the massive
demand for unbreakable cryptography and the ease with which the technology could be
duplicated and transported.