|
FOREIGN INFLUENCES
"Since 1992, when AT&T announced its plan to sell a small, portable telephone device that would provide users with low-cost but robust voice encryption, the issue of encryption 'that is, the use of mathematical algorithms to protect the confidentiality of data’ -- has been vociferously debated in the United States."2 Encryption is used by a number of industries to protect sensitive information. Banks, for example, can encrypt their customers’ information so that "hackers" cannot access individual accounts or private records. This beneficial measure protects both the banks and their clients. Unfortunately, encryption is also used by terrorists, drug runners, and other malicious entities to hide their activities from law enforcement officials. "Law enforcement is in unanimous agreement that the widespread use of robust unbreakable encryption ultimately will devastate our ability to fight crime and prevent terrorism. Unbreakable encryption will allow drug lords, spies, terrorists and even violent gangs to communicate about their crimes and their conspiracies with impunity."3 "Court-authorized wiretaps have proven to be one of the most successful law enforcement tools in preventing and prosecuting serious crimes, including terrorism. In addition, as society becomes more dependent on computers, evidence (and the fruits) of crimes are increasingly found in stored computer data, which can be searched and seized pursuant to court-authorized warrants. But if unbreakable encryption proliferates, these critical law-enforcement tools would be nullified."4 "Even if the government satisfies the rigorous legal and procedural requirements for obtaining a wiretap order (which can be obtained only in limited circumstances), the wiretap would essentially be worthless if the intercepted communications of the targeted criminals amount to an unintelligible jumble of noises or symbols. The potential harm to law enforcement -- and to the nation's domestic security -- could be devastating. [The] concern is neither theoretical nor overstated. [Law enforcement officials] have already begun to encounter the harmful effects of encryption in recent investigations."5
"Ramzi Yousef, recently convicted of conspiring to blow up 10 U.S. owned airliners in the Far East, and his co-conspirators apparently stored information about their terrorist plot in an encrypted computer file in Manila. (Yousef is also one of the alleged masterminds of the World Trade Center bombing.)7 "In a major international drug-trafficking case, the subject of a court ordered wiretap used a telephone encryption device, significantly hindering the surveillance."8 "Requests for cryptographic support pertaining to electronic surveillance interceptions from FBI field offices and other law enforcement agencies have steadily risen over the past several years. For example, from 1995 to 1996, there was a two-fold increase (from 5 to 12) in the number of instances where the FBI's court-authorized electronic efforts were frustrated by the use of encryption products that did not allow for lawful law enforcement decryption. Over the last three (3) years, the FBI has also seen the number of computer-related cases utilizing encryption and/or password protection increase from 20 or two (2) percent of the cases involving electronically stored information to 140 or seven (7) percent. These included the use of 56-bit data encryption standard (DES) and 128-bit "pretty good privacy" (PGP) encryption.9 Prior to 1997, the average length of encryption code was 40 bits. An effort was made to push the code bit length to 56. Every time a length of code increases, the number of variables in an encrypted piece rises significantly, making it harder to "break" the code.10 "In late 1994, in fulfillment of Vice President Gore's earlier commitment, National Security Advisor Anthony Lake directed that a report be prepared assessing the current and future international market for software products containing encryption and the impact of export controls on the U.S. software industry. The Department of Commerce and the National Security Agency jointly prepared the report, which was completed in July, 1995."11 "A declassified version of the final report was made available to the public in January 1996."12 "When the U.S. let it be known at a December 1995 meeting of the OECD that it was considering allowing the export of some stronger, non-escrowed encryption, many of our allies expressed dismay at the prospect of such an action. They feared that it would flood the global market with unbreakable cryptography, increasing its use by criminal organizations and terrorists throughout Europe and the world. It follows that the elimination of U.S. export controls…would have an even more devastating impact on international law enforcement. It would be a terrible irony if this government -- which prides itself on its leadership in fighting international crime -- were to enact a law that would jeopardize public safety and weaken law enforcement agencies worldwide."13 "Some industry and privacy advocates claim that strong encryption such as 56-bit DES should be exportable without restriction because, even if this leads to a massive proliferation of DES products both at home and abroad, U.S. law enforcement and intelligence agencies can be given the resources necessary to decrypt DES-encrypted communications. Essentially, they argue that expensive, fast computers can be used to decipher encrypted communications by "brute force" -- which essentially means trying every possible "key" (a sequence of symbols that determines the transformation from plain text to cipher- text, and vice versa) until the right one is found. For several reasons, this argument -that "brute force attacks" and additional resources will resolve the encryption debate -- does not withstand scrutiny."14 "Suppose that the theoretical machine were asked to assist law enforcement to decrypt a message encrypted by a terrorist organization and that organization used the algorithm in PGP (Pretty Good Privacy), an encryption package available on the Internet. That law enforcement investigation would be delayed for quite a long time, since the theoretical machine would take longer than the estimated age of the universe (15 billion years) to recover a single message via brute force. In fact, it would take an estimated 100,000,000,000,000,000 (100 quadrillion) years to recover that message, over six million times the estimated age of the universe. Moreover, it is important to note that modern cryptographic systems generate a unique key for each new message; therefore, each subsequent message would require the same amount of effort. "15 In February, 1996, a Long March missile failed shortly after take-off. On board the rocket were "two American cryptographic chips."16 For five hours, Chinese officials prevented U.S. engineers and a Pentagon official from inspecting the field of debris.17 "When the Americans finally reached the area and opened the battered but intact control box of the satellite, a supersecret encoded circuit board was missing."18 "Congressional Republicans say that Chinese officials may have retrieved American encryption devices from the debris, compromising classified U.S. communications codes. Administration and industry officials say chances are extremely remote that the Chinese found the sensitive gear."19 In 1996, the Clinton Administration proposed a plan to address encryption concerns. They proposed that all encryption packages contain a KMI (Key Management Infrastructure) key, a "code" key, which would be kept in "escrow" in the event it was required by law enforcement officials or company personnel. This key could be used by law enforcement officials to break the encryption code or by businesses to recover the "code" in the event of a loss. Administration officials insisted that "if the KMI supports key recovery, then bit limit restrictions can be lifted on encryption exports."20 Ironically, that same year, "the National Research Council released a report advocating that the Administration immediately liberalize export controls on encryption to 56 bits without implementing a "key escrow" plan which they said would not work."21 Further, "Vice President Gore announced in July, the Administration [was] considering various measures to liberalize export controls for certain commercial encryption products, in order to promote the competitiveness of U.S. manufacturers during the transition to a global KMI. In addition, the Administration [was] considering transferring jurisdiction over commercial encryption products from the Department of State to the Department of Commerce…."22 Despite this, on July 25, 1997, the Congress passed S.A.F.E. (Security And Freedom Through Encryption) Act, which increased the bit limit to 56 and disallowed the mandatory use of an "escrowed" encryption key; however, they did allow for law enforcement agencies to obtain keys in the course of investigation potential crimes.23
|