February 10, 1998

SCANT APPETITE FOR CONTROLLING COMPUTER ENCRYPTION

by Andy Oram
American Reporter Correspondent

CAMBRIDGE, MASS.—Thanks to a extensive research effort by public-interest advocates, an intriguing survey of government attitudes toward the regulation of computer encryption was made public on February 9. In addition to fascinating trivia—did you know that the most militant defense of encryption rights may come from a group of Orthodox monks in their enclave on a Greek peninsula?—the survey makes a very serious point regarding privacy in an electronic age: most countries of the world do not support US efforts to restrict the rights of people to protect their online communications.

The reason this is a big deal is that powerful forces in the U.S. government—the White House, the FBI, the Commerce Department, and (many suspect) the National Security Agency—are trying their best to keep people from being able to protect their telephone calls and electronic mail from government wiretapping. But since electronic networks do not recognize borders, attempts to enforce wiretapping capabilities become less and less effective without support from other countries.

The FBI claims that drug traffickers are increasingly using encryption, and that it has been found in such high-profile terrorism cases as the World Trade Center bombing. Of course, there are other ways to intercept drugs or bombs besides wiretapping. While law enforcement groups make the case that they need wiretapping to fight crime, the public and the civil liberties community is more worried about potential for politically-motivated abuse.

Three forces promote the continuing growth of encryption despite U.S. government opposition. First, major computer companies are chomping at the bit to enter the online commerce market. Encryption products and services are a critical part of lucrative digital markets, which depend on people securing their signatures, contracts, payments, and possibly copyrights. U.S. restrictions on encryption not only hinder commercial development; they raise the disturbing precedent that the government can distort scientific research and technological development for political ends.

Second, the measures recommended by the government to control encryption are technically heavy-handed and sometimes bizarre. The most fully-developed suggestion is the use of “trusted third parties” that would hold everybody’s secret encryption keys and release them to law enforcement agencies on demand. These proposals have been criticized by leading cryptography experts as costly, untested, and hard to secure.

Third—and the subject of this article—comes the tradition of protecting privacy in Europe. As recent commentaries on the twentieth anniversary of Roe vs. Wade have pointed out, the U.S. Constitution has no explicit guarantee of privacy. It can only be inferred from such statements as the Fourth Amendment (against unlawful searches) or the Tenth Amendment (reserving rights to the people).

But in Europe the right to privacy find more support. It is listed in the European Convention on Human Rights, and has recently been reaffirmed in an October 1995 directive regarding data privacy by the European Parliament.

The U.S. government has repeatedly claimed that other countries accept the U.S. view that encryption must be controlled. That is why it is so important to read the actual positions taken by these governments, as reported in the new survey by an international coalition of public-interest groups called the Global Internet Liberty Campaign. I am a member of this group, and had a chance to read an early version of the survey, which was prepared by the Electronic Privacy Information Center.

Many of the 200 countries surveyed have no regulations regarding computer encryption; this probably just shows that digital technologies have not become popular enough to raise privacy questions. But a large number of technologically advanced countries still allow their residents the free use of whatever encryption products they choose. Restrictions on export are more common, but even those exist in only a handful of countries.

U.S. attempts to make international bodies endorse the “trusted third party” plan have come to naught. The Organization for Economic Co-operation and Development, notably, rejected such a proposal in favor of a proposal for strong cryptography and the right of users to choose any form of encryption they want.

The OECD allowed that, “National cryptography policies may allow lawful access to plaintext, or cryptographic keys, of encrypted data,” but immediately reiterated that “These policies must respect the other principles contained in the guidelines to the greatest extent possible” and, “This principle should not be interpreted as implying that governments should, or should not, initiate legislation that would allow lawful access.”

Europe, Japan, and Canada have all reaffirmed the basic right to privacy in data communications. European nations repeatedly declare their support for strong cryptography. Yet the U.S. continues to stand against the tide. A spokesperson for the Commerce Department claimed in the New York Times of February 9 that other countries are “moving in our direction.”

This claim is supported only in the case of Britain, whose Labour government has historically opposed the trusted third party proposal, but where the Home Secretary recently suggested that the government needs some form of access to encryption keys. France, in contrast, is moving in the opposite direction, avoiding enforcement of a 1990 law that restricts encryption to forms authorized by the government.

Wiretapping will continue to be an emotional issue, where fear drives both the desire for tight privacy and the opposing urge to give governments the power to snoop. But technology and globalization are colluding to remove entry points that governments can exploit.

Does the Clinton Administration really want every national government in the world to be able to decrypt electronic communications? How will that encourage businesses to exchange sensitive plans and citizens to make purchases over the Net—not to mention human rights and democratic organizations? It is time to admit that governments will have to find other ways to fight crime, and celebrate the rare blow in favor of privacy that we have achieved with computer encryption.


Editor, O’Reilly Media
Author’s home page
Other articles in chronological order
Index to other articles