Washington DC
GOVERNMENTS have always considered codes and ciphers to be among their most
closely guarded secrets. Breaking Germany鈥檚 Enigma code during the Second World
War, for example, helped to give the Allies a decisive advantage over the Axis
powers.
But the spread of powerful personal computers is undermining the monopoly on
encryption that governments have had. The US government has mounted a sustained
rearguard action to prevent the spread of encryption software, but its attempts
are increasingly in vain.
Advertisement
A decision by a Californian court last month further weakened Washington鈥檚
position. The court decided that Daniel Bernstein, a mathematics professor from
the University of Illinois in Chicago, could publish an encryption program that
the government had tried to suppress. His constitutional right to free speech,
said the court, is more important than the government鈥檚 claim that publication
could jeopardise national security.
The end to control
This is not the first time that national security and the right to free
speech have clashed. But in this case, computer companies are keeping a close
eye on the decision. They hope it will loosen the government鈥檚 grip on
encryption and rid them of export regulations which they say cost them billions
of dollars a year.
鈥淭he policy of limiting what encryption can be shipped overseas limits the
market. Ultimately, we support doing away with all export controls,鈥 says David
Byer, director of governmental affairs for the Software Publishers Association,
a Washington business group.
Back in 1992, when Bernstein was a graduate student at the University of
California at Berkeley, he wrote a program called Snuffle. He wanted to publish
the program and, like any other academic, to write articles about it and present
papers at conferences.
In most disciplines no one would bat an eyelid. But cryptography is
different. The US government operates strict export controls over cryptographic
software, and Bernstein knew that simply publishing his program, even if he did
it solely in the US, could be interpreted by the government as exporting
it鈥攁s could speaking about it to anyone who was not a US citizen. And to
export the program, he needed a licence from the government. To clear up the
legal position, Bernstein asked the US State Department if he needed a licence
or not (Technology, 15 April 1995, p 22).
The US State Department referred the matter to the National Security Agency,
which eventually told Bernstein he would need a licence. In fact, said the NSA,
he would have to register as an arms dealer, and then ask the government for
permission to publish his material. Cryptography exports fall under the category
of 鈥渁uxiliary military equipment鈥 in the International Traffic in Arms
Regulations, which includes 鈥淐ryptographic (including key management)
systems鈥r software with the capability of maintaining
蝉别肠谤别肠测鈥︹赌
Bernstein wrote to the State Department, appealing against the decision, but
received no reply. So in 1993, he filed a lawsuit against the government on the
grounds that its ban infringed his right to free speech.
Bernstein had legal help from the Electronic Frontier Foundation, a San
Francisco-based pressure group that has been fighting the government鈥檚 policy.
鈥淭here鈥檚 no sense in burning the constitution in order to save it,鈥 says John
Gilmore, a founder of the EFF. 鈥淭he secretive bureaucrats who have restricted
these rights for decades in the name of national security must come to a larger
understanding of how to support and preserve our democracy.鈥
Today鈥檚 best encryption programs allow you to lock up information so securely
that even the most determined government with the most powerful computers cannot
read it. But the US government does not want powerful encryption to become
commonplace. The NSA, for instance, spends billions of dollars a year monitoring
and sorting intercepted electronic information from around the world. But if a
large chunk of those messages and phone calls were encrypted, the job would
eventually become impossible.
Yet there is a growing market for encryption software, says Douglas Barnes,
marketing head of C2Net, a software company based in Oakland, California. He
says that companies which take credit card orders from customers through their
Web sites need to be sure that no one can hack into their credit card
details.
American companies that want to export products with encryption
features鈥攚hether secure phones or simply password protection devices on
word-processing programs鈥攈ave to use easy-to-break codes in the products
they export.
What this means, says Byer, is that American software companies are losing a
lot of business. Some companies make two products, one for domestic consumption
and one for export. Byer says foreign companies are now taking the lead in
supplying encryption programs to the growing world market. After all, the US
does not have a monopoly on competent programmers.
Sold from abroad
C2Net, for example, has just launched a program called Stronghold. People
running Web pages can use it to encrypt communications with their users. But
because of export laws in the US, C2Net could not develop the cryptography and
export it. So instead, it was developed by the company鈥檚 British subsidiary, UK
Web, which is based in Leeds. The program is now sold all over the world.
Bernstein knew what he was doing when he applied for his licence. His program
was specifically designed to show that American restrictions do not make much
sense and that programs which the government allows to be exported can easily be
converted into encryption programs. Bernstein鈥檚 lawyer, Cindy Cohn of the San
Francisco firm McGlashan and Sarrail, says: 鈥淪nuffle is his demonstration of how
the government regulations work, and how silly it all is.鈥
Bernstein鈥檚 programs are based on an algorithm called a hash function. A hash
function is normally used to prevent people tampering with electronic documents.
The American government does not ban the export of hash function software.
The hash function takes the information in a document and uses it to
calculate a number. This number appears at the end of the document. If someone
changes the document, when you run the hash function the new number no longer
matches and you know someone has tampered with it.
The mathematics behind hash functions is very similar to the mathematics
behind encryption. Bernstein鈥檚 Snuffle algorithm takes hash function software
and converts it into a powerful encryption program鈥攃onverting a program
that can be legally exported into one that is strictly banned. His algorithm was
as much a critique of government policy as anything else.
In court, Bernstein argued that the government could not prevent him
publishing and discussing his algorithm without violating his right to free
speech. In December, a judge in San Francisco agreed. Cohn says that the
government has not been prosecuting people for speaking about cryptography, but
Bernstein wanted to challenge the law. The government, she says, 鈥渨ins if people
are afraid to speak. That鈥檚 a chilling effect.鈥
But this is far from being the final decision. At the moment it applies only
in the district of San Francisco and the ruling could be overturned if the
government appeals.
Moreover, much of Bernstein鈥檚 case hinged on the fact that he wanted to talk
about his program and its methods. Barnes thinks a court would be unlikely to
overturn the law for a company that wanted simply to sell encryption
programs.
But the decision is another setback for a government that has had little luck
with its encryption initiatives, says Barnes. The Clinton administration has
been pushing a plan for a 鈥渒ey escrow鈥 encryption system, which would allow
people to use powerful encryption as long as their system automatically
generated a sort of master key. This master key would be kept by a trusted third
party, and turned over to agencies such as the FBI and the NSA if they presented
a warrant. The law enforcement agencies argue that the key is necessary in the
fight against terrorists and child pornographers.
In November, the government presented a plan that would allow businesses to
export moderately strong cryptography as long as they agreed that within three
years they would have a plan drawn up to switch over to a key system.
But businesses are not keen on it. Byer says it would be expensive and
unwieldy to implement. Besides, overseas customers are not likely to use a code
that they know the US government can break any time it wants to. And civil
liberties鈥 campaigners do not like the idea that the government could look at
anyone鈥檚 communications. Congress has been equally cool.
So the government is trying another tack. It has named David Aaron as its
special envoy on cryptographic policy. Aaron鈥檚 job is to try to convince foreign
governments to agree with the US鈥檚 plan, and to pass their own laws.
鈥淭he administration realises they鈥檙e not winning at home,鈥 says David
Banisar, a lawyer with the Electronic Privacy Information Center, a Washington
pressure group. 鈥淪o they鈥檙e putting pressure on other governments to go for
their own plans.鈥 Banisar says the government is trying to get around Congress
by having the restrictions built into treaties.
Critics like Banisar say there is no practical way to eliminate strong
cryptography鈥攖he genie is out of the bottle. But by making it difficult to
put cryptography in popular mainstream programs, the government can keep codes
out of common use, at least for a while.