September 9, 1997


by Andy Oram
American Reporter Correspondent

CAMBRIDGE, MASS.—Two limbs on the Executive Branch of the U.S. government revealed two different and irreconcilable views of the Information Infrastructure last Thursday, September 4. On the one side lay greater access to valuable information, while on the other lay suspicion and surveillance. The battle ground was encryption.

On the side of information access stood the Social Security Administration, which is trying for the second time to offer valuable data about benefits to individuals trying to make retirement plans. The first attempt, in March, had been withdrawn a month later under heavy criticism for its lack of protection for citizens’ privacy. Now the SSA is back to the table again with a less ambitious proposal.

As an alternative to time-consuming paper inquiries, the SSA would like citizens to be able to learn their retirement benefits through email. To safeguard against impersonation, they are restricting the information they give out more than they did in their first initiative. They are also demanding more proofs of identity, in the form of specifying your place of birth, mother’s maiden name, and so on.

Yet these safeguards are not enough. The information requested could be known to a snoopy relative, a divorced spouse, a neighbor, or perhaps even an employer. The acting Commissioner of the SSA admitted that their system was flawed. With a “higher level of technology,” he said, they could better ensure privacy. And this technology is encryption.

Through encryption an individual can provide a digital signature that marks email as his or hers. A trusted third party (an institution known to both the signer and the recipient, as a bank is known to financial correspondents) can verify that the signature is valid.

Also through encryption, the SSA can wrap up the information it mails back so securely that it would take an interceptor thousands of years to decode it. This, needless to say, would be long after the expiration of an individual’s benefits, and most likely of the whole Social Security system.

And encryption is available right now. Many Web sites use it to permit credit card transactions. In a free software (and now commercial) product called Pretty Good Privacy (PGP for short), encryption is used by political activists and other people holding sensitive information worldwide.

But encryption was precisely the technology attacked by the other limb of the Executive Branch on Thursday. The FBI director, Louis Freeh, testified to a Senate judiciary subcommittee that any form of encryption permitted in the United States should include a back door through which law enforcement could enter and read email. Freeh has spoken often on this theme before, but last week he made unusually strong demands. Without the ability to intercept electronic communications, he said, the FBI is “out of business.”

The breadth of the FBI’s request surprised some Senators, although the subcommittee was clearly partial to his point of view and invited only those who supported such “key recovery” plans to testify. But the Clinton Administration felt Freeh had let the cat too much out of the bag. “The administration does not support domestic controls on encryption,” said a spokesperson for Vice President Gore.

This statement is a weak feint toward taking a middle ground. Years’ worth of proposals for “key escrow” or “key recovery” from the administration show that it wants the entire U.S. population to adopt a form of encryption that law enforcement can break. The promotion may use stealth, but the ultimate goal is a complete take-over.

The most recent embodiment of the administration proposals is the McCain/Kerrey “Secure Public Networks Act” (S. 909). It was this bill that was under discussion in the judiciary subcommittee on Thursday, and concerning which Freeh spoke. By requiring the use of key escrow encryption on networks owned by the federal government and by people corresponding with the federal government, it opens a chink in the general infrastructure through which to thrust its vision (astigmatic as it is) of citizens’ privacy. A new “Section 105” that would put the FBI restrictions into law is now also being considered.

Key recovery requires an enormous framework of companies that store keys, and a complex system for releasing them to the proper authorities. The proposal is demonstrably insecure, costly, and completely untested. It would lead to increased burdens on users and a mistrust of encryption that would hold back wonderful initiatives like that at the SSA.

Of course, encryption can be used by criminals. It is a rare technological advance that can be used only good, and never for ill. But the FBI has never released - despite requests from the civil liberties community - clear evidence that it requires the interception of phone and email to stop crime. On the other hand, history furnishes plenty of examples where surveillance has been misused by the U.S. government against political opponents.

In its key recovery proposals, the U.S. also sets an example for other countries, where the track record for the protection of citizens’ rights is much worse. It is time for the public to enter the debate and decide which kind of information age we want.

Editor, O’Reilly Media
Author’s home page
Other articles in chronological order
Index to other articles