You are on page 1of 8

Smith, 1

Adam Smith
17.31J, Professor Oye, Fall 2004
October 14, 2004

Cryptography Regulations

Cryptography has been an important thread in the story of the rapid technological

developments over the past fifteen years. Since its popularization, markets have desired

to export the capabilities to foreign markets simply for the customer base. However, if

foreign entities hostile to the United States used that cryptography, the US intelligence

apparatus’ ability to collect important information could be impaired. As a result of the

market’s failure to internalize this concern, the government has sought to use standards

and regulations to curb international use of unbreakable cryptography. In this paper we

will discuss this development, including many attempts to control encryption technology

and each attempt’s subsequent failure. We will then explore why government-imposed

regulation of encryption is not effective, and thus should not be pursued. The discussion

begins with a description of the status quo, followed by a treatment of historical attempts

to control encryption, and will conclude with an argument for why the market-driven

solution has won over regulatory control.

Cryptography and Its Use – The Status Quo

At the time of writing, the export of any open source cryptographic software is

legal, except to a small set of nations.1 Commercial software containing strong

cryptography is subject to a review in some cases, however it is clear that restrictions are

not frequently exercised. Some products which use strong cryptography are restricted

1
Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria; US Department of Commerce, Bureau of Industry
and Security, http://www.bxa.doc.gov/Encryption/Default.htm
Smith, 2

from export to government agents in most countries.2 On the whole, however, current

export restrictions are weak.

Attempts to Control the Export and Use of Cryptography

In 1991, about the time that military grade cryptography was becoming widely

available, Senate Bill 266 was introduced. If passed, all manufacturers “of electronic

communications service equipment [would have had to] insure that communications

systems permit the Government to obtain the plain text contents of voice, data, and other

communications when appropriately authorized by law."3 The bill did not provide any

reference to how such a back door system could be implemented, but the requirements

were clear – at least part of the Senate favored mandatory back doors for law

enforcement agencies. The bill failed after an outcry from many civil liberties groups,

but began the debate about technology policy as it related to cryptographic controls.

On April 16th, 1993, the National Security Agency (NSA) announced the Clipper

chip. The Clipper chip was a hardware device which would perform important

cryptographic functions like encryption using an NSA algorithm named Skipjack. The

details surrounding the algorithm were not published at the time. The Clipper chip also

implemented a protocol named Law Enforcement Access Field (LEAF), which would

allow governmental agencies to decrypt any ciphered message if some bureaucratic

process was followed. The government manufactured many of these devices, published

documents for how to develop software which uses them, and made partnerships with

software companies to use them. The multi-billion dollar project was cancelled in 1997,

2
All countries except the European Union, Australia, Czech Republic, Hungary, Japan, New Zealand,
Norway, Poland, and Switzerland; see ibid
3
Senate Bill 266, 1991, see http://livinginternet.com/i/is_crypt_pgp.htm
Smith, 3

primarily because the standard was not being adopted. Interestingly, we now know that

the US Government considered sharing the secret LEAF keys with China, Syria, and

Pakistan. 4

The plan for the Clipper chip deployment was to offer it to industry as a standard

to build off of. According to a presidential directive in April 1993, however, “Should

industry fail to fully assist the government in meeting its requirements within a

reasonable period of time, the Attorney General will recommend legislation which would

compel manufacturers to meet government requirements."5 This was not a viable option;

public opposition to mandated back doors was too large, as could have been seen from

the S. 266 case.

By this point, the US Administration was convinced that a mandatory back door

policy was not feasible. The US Department of Justice stated: “The Administration does

not advocate a mandatory approach, and believes that a voluntary solution is preferable."6

All future attempts at controlling cryptography aimed to establish an encryption standard

which included a back door. This would not preclude the use of unbreakable encryption;

it would just make it more difficult, since it would not be the standard.

There were indications that industry might voluntarily include back doors in its

cryptographic products. On October 2nd, 1996, a group of companies led by IBM formed

the Key Recovery Alliance (KRA).7 The KRA was created to advocate international

cryptographic standards suitable for electronic commerce which included back doors for

4
“U.S. Considered Sharing Security Secrets With China, Syria, Pakistan;” Charles R. Smith; May 15,
2001; http://www.newsmax.com/archives/articles/2001/5/14/203404.shtml
5
“Al Gore bugs America?” WorldNetDaily; August 2, 2000; http://www.beyond-the-
illusion.com/files/New-Files/20000831/al_gore_presses_for_the_bugging_of_every_american.txt
6
Department of Justice, Cryptographic Export Policy FAQ, historically available at:
http://www.cybercrime.gov/cryptfaq.htm
7
“High-tech leaders join forces to enable international strong encryption,” October 2, 1996; see
http://www.interesting-people.org/archives/interesting-people/199610/msg00005.html
Smith, 4

law enforcement agencies holding warrants. Several token industry leaders were at some

time part of the group, including IBM, Apple, Intel, NEC, Hitachi, et cetera. This group,

however, was ineffectual in creating real change. At the time it was created, technology

companies did not know how the industry would mature, and thus hedged their bets by

joining the group. It was “hot air.” Alan Davidson, an attorney at the Center for

Democracy and Technology, stated, “there are other companies in the Key Recovery

Alliance who are steadfastly opposed to the administration's policy and mandatory key

recovery, yet I think they are part of the alliance because they feel they need to be.”8

The final attempt at legislation to promote back doors was made in Senate Bill

909 by McCain/Kerrey in 1997. The bill proposed an elaborate system in which

certificate authorities, needed as part of the in-place cryptographic techniques, were to

facilitate the back doors so that a law enforcement agency could recover cryptographic

keys as demanded by warrants. Several alternative cryptographic policy-related bills

were also introduced in the same session, including the Pro-CODE bill9 which advocated

looser export restrictions and denounced key recovery.

The Attorney General at the time, Janet Reno, submitted a letter to Congress

supporting the McCain/Kerrey bill and criticizing the Pro-CODE bill. "All the bills being

considered allow market forces to shape the development of encryption products,” she

said. “Although such market forces are important, we believe that commercial factors

cannot, standing alone, be relied upon to protect public safety and national security."10

8
“NAI Back in Key Recovery Group,” Wired News Report; November 12, 1998;
http://www.wired.com/news/print/0,1294,16219,00.html
9
The Promotion of Commerce Online in the Digital Era (Pro-CODE), Senate Bill 377, introduced by
Senator Burns
10
A copy of the statement is available at: http://www.cybercrime.gov/aglet.htm
Smith, 5

In the end, none of the cryptography policy bills were passed. Since cryptography

development was not adopting protocols including back doors, the Pro-CODE camp won

by default. That is, market forces were allowed to flourish.

There still was, however, a ban on the export of encryption products which had a

certain cryptographic strength. These restrictions were greatly weakened in January of

2000 by the Clinton administration, and have not been changed much since then.11

Why Governmental Control Did Not Work

When Senate Bill 299 was introduced in 1991 to require a back door, Phil

Zimmerman became motivated to make cryptography techniques widely and easily

available to the public. He subsequently created and released a program named Pretty

Good Privacy (PGP) which implemented military grade cryptography. Even though it

violated the patents on the encryption algorithm it used and was illegal to export, it

quickly spread internationally. Physicist Tim May observed, “National borders are just

speed bumps on the information superhighway.”12 This is the first problem with

cryptographic export controls; the Internet makes them unenforceable when free

implementations exist. Cryptographic software is trivially duplicated, unlike physical

munitions, and is transported with equal ease.

The second barrier is that software is often free. It can be created and published

by some set of (possibly anonymous) individuals who have no expectation of being paid;

there is not always a centralized commercial entity. Therefore, regulation enforcement

can be difficult or even impossible.


11
The policy was set by the State Department, and thus was controlled by the executive branch instead of
legislatures.
12
Net.Wars, chapter 5; Wendy M. Grossman; NYU Press; see
http://www.nyupress.org/netwars/pages/chapter05/ch05_09.html
Smith, 6

For some time PGP was exported illegally from the United States by someone on

the Internet. Eventually, however, it was observed that while it was illegal to export

electronically programs which use strong cryptography, free speech would protect the

export of books containing the source code for such programs. For a few years,

volunteers in Europe purchased books containing the source code PGP, and scanned the

source code in one page at a time. The source code was split across six books containing

about 6,000 pages, and the project involved over 1,000 man-hours to reproduce PGP

legally outside of the US. Once it was reconstructed in Norway, it was legally distributed

internationally.13 This process continued for each new version of PGP until US export

controls were relaxed in early 2000.

So far each reason explaining why it is hard for the government to control

cryptography points to encryption’s idea-like properties. It is easily reproduced and

transported.

There are other causes of the government’s difficulty. For example, it is much

easier to create a program without a back door. The difficulty in implementing a robust

and trusted cryptosystem containing a back door is paramount. The NSA attempted to

meet the challenge with the Clipper chip, but even it became obsolete as cryptography

moved away from application-specific hardware to software implementations. The task

could be accomplished today quite easily, but at the time it was not clear which technical

decisions were best to make bets on.

In addition, there was not any consumer demand for key recovery. The

McCain/Kerrey approach offered key recovery as a feature for a user who lost their

original key as well as for law enforcement agencies. This attempt to offer incentives to
13
“The PGPi scanning project,” see http://www.pgpi.org/pgpi/project/scanning/
Smith, 7

consumers was not appealing. This is highlighted in a letter from industry groups to

Senator McCain during the consideration of his bill. “There is virtually no business or

consumer demand for third-party access to keys used to protect communications.”14

Additionally, products produced commercially within the US were hurt by export

regulations, which gave foreign products an unfair advantage. For example, Microsoft’s

Internet Explorer by default only offered 40-bit encryption, the maximum allowed by US

export laws at the time.

Finally, there was a large amount of consumer demand for secure cryptography.

Phil Zimmerman states, “despite the lack of funding, the lack of any paid staff, the lack of

a company to stand behind it, and despite government persecution, PGP nonetheless

became the most widely used email encryption software in the world.”15 Here, the

market-dominated solution won the battle – backdoors and export controls were not able

to counter the incredible demand for the product.

The points made are summarized in Table 1, below.

Market Solution Government Regulation


Substance No government control Backdoors in cryptography
(compulsory or by
standard)
Pros Meet consumer demand Preserve law enforcement
Strong cryptography creates capabilities

14
“Letter from industry groups and privacy advocates sent to Senator McCain and members of the Senate
Commerce Committee regarding the McCain-Kerrey bill,” Center for Democracy and Technology; June 18,
1997; see http://www.cdt.org/crypto/legis_105/mccain_kerrey/970618_ltr.html
15
“Phil Zimmermann – Creator of PGP, Background,” see http://www.philzimmermann.com/
Smith, 8

new markets (e.g. Harder for adversaries to hide


ecommerce, online communicated information
banking) Support for key recovery for
users who lost their keys
Cons Harder to get intelligence Extremely hard to enforce
Implementing back doors and
export controls is more
difficult
Domestic businesses under
regulations are hurt

Table 1. Summary analysis of solutions to encryption market externalities problem

Conclusion

In conclusion, as cryptography became a commodity in the 1990’s, there were

efforts to regulate it so that law enforcement agencies could still have access to the data

gained from interceptions and wire taps. These attempts at regulations, though many

were made, each failed. The two largest causes of the policy failures were the massive

demand for unbreakable cryptography and the ease with which the technology could be

duplicated and transported.