Smith, 1

Adam Smith 17.31J, Professor Oye, Fall 2004 October 14, 2004 Cryptography Regulations Cryptography has been an important thread in the story of the rapid technological developments over the past fifteen years. Since its popularization, markets have desired to export the capabilities to foreign markets simply for the customer base. However, if foreign entities hostile to the United States used that cryptography, the US intelligence apparatus’ ability to collect important information could be impaired. As a result of the market’s failure to internalize this concern, the government has sought to use standards and regulations to curb international use of unbreakable cryptography. In this paper we will discuss this development, including many attempts to control encryption technology and each attempt’s subsequent failure. We will then explore why government-imposed regulation of encryption is not effective, and thus should not be pursued. The discussion begins with a description of the status quo, followed by a treatment of historical attempts to control encryption, and will conclude with an argument for why the market-driven solution has won over regulatory control.

Cryptography and Its Use – The Status Quo At the time of writing, the export of any open source cryptographic software is legal, except to a small set of nations.1 Commercial software containing strong cryptography is subject to a review in some cases, however it is clear that restrictions are not frequently exercised. Some products which use strong cryptography are restricted
1

Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria; US Department of Commerce, Bureau of Industry and Security, http://www.bxa.doc.gov/Encryption/Default.htm

Smith, 2

from export to government agents in most countries.2 On the whole, however, current export restrictions are weak.

Attempts to Control the Export and Use of Cryptography In 1991, about the time that military grade cryptography was becoming widely available, Senate Bill 266 was introduced. If passed, all manufacturers “of electronic communications service equipment [would have had to] insure that communications systems permit the Government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law."3 The bill did not provide any reference to how such a back door system could be implemented, but the requirements were clear – at least part of the Senate favored mandatory back doors for law enforcement agencies. The bill failed after an outcry from many civil liberties groups, but began the debate about technology policy as it related to cryptographic controls. On April 16th, 1993, the National Security Agency (NSA) announced the Clipper chip. The Clipper chip was a hardware device which would perform important cryptographic functions like encryption using an NSA algorithm named Skipjack. The details surrounding the algorithm were not published at the time. The Clipper chip also implemented a protocol named Law Enforcement Access Field (LEAF), which would allow governmental agencies to decrypt any ciphered message if some bureaucratic process was followed. The government manufactured many of these devices, published documents for how to develop software which uses them, and made partnerships with software companies to use them. The multi-billion dollar project was cancelled in 1997,
2

All countries except the European Union, Australia, Czech Republic, Hungary, Japan, New Zealand, Norway, Poland, and Switzerland; see ibid 3 Senate Bill 266, 1991, see http://livinginternet.com/i/is_crypt_pgp.htm

Smith, 3

primarily because the standard was not being adopted. Interestingly, we now know that the US Government considered sharing the secret LEAF keys with China, Syria, and Pakistan. 4 The plan for the Clipper chip deployment was to offer it to industry as a standard to build off of. According to a presidential directive in April 1993, however, “Should industry fail to fully assist the government in meeting its requirements within a reasonable period of time, the Attorney General will recommend legislation which would compel manufacturers to meet government requirements."5 This was not a viable option; public opposition to mandated back doors was too large, as could have been seen from the S. 266 case. By this point, the US Administration was convinced that a mandatory back door policy was not feasible. The US Department of Justice stated: “The Administration does not advocate a mandatory approach, and believes that a voluntary solution is preferable."6 All future attempts at controlling cryptography aimed to establish an encryption standard which included a back door. This would not preclude the use of unbreakable encryption; it would just make it more difficult, since it would not be the standard. There were indications that industry might voluntarily include back doors in its cryptographic products. On October 2nd, 1996, a group of companies led by IBM formed the Key Recovery Alliance (KRA).7 The KRA was created to advocate international cryptographic standards suitable for electronic commerce which included back doors for
4

“U.S. Considered Sharing Security Secrets With China, Syria, Pakistan;” Charles R. Smith; May 15, 2001; http://www.newsmax.com/archives/articles/2001/5/14/203404.shtml 5 “Al Gore bugs America?” WorldNetDaily; August 2, 2000; http://www.beyond-theillusion.com/files/New-Files/20000831/al_gore_presses_for_the_bugging_of_every_american.txt 6 Department of Justice, Cryptographic Export Policy FAQ, historically available at: http://www.cybercrime.gov/cryptfaq.htm 7 “High-tech leaders join forces to enable international strong encryption,” October 2, 1996; see http://www.interesting-people.org/archives/interesting-people/199610/msg00005.html

Smith, 4

law enforcement agencies holding warrants. Several token industry leaders were at some time part of the group, including IBM, Apple, Intel, NEC, Hitachi, et cetera. This group, however, was ineffectual in creating real change. At the time it was created, technology companies did not know how the industry would mature, and thus hedged their bets by joining the group. It was “hot air.” Alan Davidson, an attorney at the Center for Democracy and Technology, stated, “there are other companies in the Key Recovery Alliance who are steadfastly opposed to the administration's policy and mandatory key recovery, yet I think they are part of the alliance because they feel they need to be.”8 The final attempt at legislation to promote back doors was made in Senate Bill 909 by McCain/Kerrey in 1997. The bill proposed an elaborate system in which certificate authorities, needed as part of the in-place cryptographic techniques, were to facilitate the back doors so that a law enforcement agency could recover cryptographic keys as demanded by warrants. Several alternative cryptographic policy-related bills were also introduced in the same session, including the Pro-CODE bill9 which advocated looser export restrictions and denounced key recovery. The Attorney General at the time, Janet Reno, submitted a letter to Congress supporting the McCain/Kerrey bill and criticizing the Pro-CODE bill. "All the bills being considered allow market forces to shape the development of encryption products,” she said. “Although such market forces are important, we believe that commercial factors cannot, standing alone, be relied upon to protect public safety and national security."10

8

“NAI Back in Key Recovery Group,” Wired News Report; November 12, 1998; http://www.wired.com/news/print/0,1294,16219,00.html 9 The Promotion of Commerce Online in the Digital Era (Pro-CODE), Senate Bill 377, introduced by Senator Burns 10 A copy of the statement is available at: http://www.cybercrime.gov/aglet.htm

Smith, 5

In the end, none of the cryptography policy bills were passed. Since cryptography development was not adopting protocols including back doors, the Pro-CODE camp won by default. That is, market forces were allowed to flourish. There still was, however, a ban on the export of encryption products which had a certain cryptographic strength. These restrictions were greatly weakened in January of 2000 by the Clinton administration, and have not been changed much since then.11

Why Governmental Control Did Not Work When Senate Bill 299 was introduced in 1991 to require a back door, Phil Zimmerman became motivated to make cryptography techniques widely and easily available to the public. He subsequently created and released a program named Pretty Good Privacy (PGP) which implemented military grade cryptography. Even though it violated the patents on the encryption algorithm it used and was illegal to export, it quickly spread internationally. Physicist Tim May observed, “National borders are just speed bumps on the information superhighway.”12 This is the first problem with cryptographic export controls; the Internet makes them unenforceable when free implementations exist. Cryptographic software is trivially duplicated, unlike physical munitions, and is transported with equal ease. The second barrier is that software is often free. It can be created and published by some set of (possibly anonymous) individuals who have no expectation of being paid; there is not always a centralized commercial entity. Therefore, regulation enforcement can be difficult or even impossible.
11

The policy was set by the State Department, and thus was controlled by the executive branch instead of legislatures. 12 Net.Wars, chapter 5; Wendy M. Grossman; NYU Press; see http://www.nyupress.org/netwars/pages/chapter05/ch05_09.html

Smith, 6

For some time PGP was exported illegally from the United States by someone on the Internet. Eventually, however, it was observed that while it was illegal to export electronically programs which use strong cryptography, free speech would protect the export of books containing the source code for such programs. For a few years, volunteers in Europe purchased books containing the source code PGP, and scanned the source code in one page at a time. The source code was split across six books containing about 6,000 pages, and the project involved over 1,000 man-hours to reproduce PGP legally outside of the US. Once it was reconstructed in Norway, it was legally distributed internationally.13 This process continued for each new version of PGP until US export controls were relaxed in early 2000. So far each reason explaining why it is hard for the government to control cryptography points to encryption’s idea-like properties. It is easily reproduced and transported. There are other causes of the government’s difficulty. For example, it is much easier to create a program without a back door. The difficulty in implementing a robust and trusted cryptosystem containing a back door is paramount. The NSA attempted to meet the challenge with the Clipper chip, but even it became obsolete as cryptography moved away from application-specific hardware to software implementations. The task could be accomplished today quite easily, but at the time it was not clear which technical decisions were best to make bets on. In addition, there was not any consumer demand for key recovery. The McCain/Kerrey approach offered key recovery as a feature for a user who lost their original key as well as for law enforcement agencies. This attempt to offer incentives to
13

“The PGPi scanning project,” see http://www.pgpi.org/pgpi/project/scanning/

Smith, 7

consumers was not appealing. This is highlighted in a letter from industry groups to Senator McCain during the consideration of his bill. “There is virtually no business or consumer demand for third-party access to keys used to protect communications.”14 Additionally, products produced commercially within the US were hurt by export regulations, which gave foreign products an unfair advantage. For example, Microsoft’s Internet Explorer by default only offered 40-bit encryption, the maximum allowed by US export laws at the time.

Finally, there was a large amount of consumer demand for secure cryptography. Phil Zimmerman states, “despite the lack of funding, the lack of any paid staff, the lack of a company to stand behind it, and despite government persecution, PGP nonetheless became the most widely used email encryption software in the world.”15 Here, the market-dominated solution won the battle – backdoors and export controls were not able to counter the incredible demand for the product.

The points made are summarized in Table 1, below.

Market Solution Substance No government control

Government Regulation Backdoors in cryptography (compulsory or by standard) Preserve law enforcement capabilities

Pros

Meet consumer demand Strong cryptography creates

14

“Letter from industry groups and privacy advocates sent to Senator McCain and members of the Senate Commerce Committee regarding the McCain-Kerrey bill,” Center for Democracy and Technology; June 18, 1997; see http://www.cdt.org/crypto/legis_105/mccain_kerrey/970618_ltr.html 15 “Phil Zimmermann – Creator of PGP, Background,” see http://www.philzimmermann.com/

Smith, 8

new markets (e.g. ecommerce, online banking) Cons Harder to get intelligence

Harder for adversaries to hide communicated information Support for key recovery for users who lost their keys Extremely hard to enforce Implementing back doors and export controls is more difficult Domestic businesses under regulations are hurt

Table 1. Summary analysis of solutions to encryption market externalities problem

Conclusion In conclusion, as cryptography became a commodity in the 1990’s, there were efforts to regulate it so that law enforcement agencies could still have access to the data gained from interceptions and wire taps. These attempts at regulations, though many were made, each failed. The two largest causes of the policy failures were the massive demand for unbreakable cryptography and the ease with which the technology could be duplicated and transported.