Berkman Center for Internet & Society.
Welcome
Registration
Discussion
Resources

 

Module 1: Introduction
Module 2: Online Data Collection
Module 3: Monitoring Employees
Module 4: Governmental Collection of Data
Module 5: The Total Information Awareness Program
Module 6: Comparative Approaches (the EU)
Module 7: Self-Help, Free Software, Cryptography

Harvard Law School > Berkman Center > Open Education > Cyberprivacy > Self-Help > Cryptography > Arguments for Restrictions >

PRIVACY IN CYBERSPACE

Arguments For Restrictions on Cryptography -- Law Enforcement

The government’s fear of unbreakable encryption is simple -- if encryption is used by the wrong people, then law enforcement officials will be powerless to stop those people from committing crimes of extraordinary degree.[19] Law enforcement officials rely on electronic surveillance as a tool of utmost importance in terrorism cases and in many criminal investigations, especially those involving serious and violent crime, terrorism, espionage, organized crime, drug-trafficking, corruption and fraud.[20] Unbreakable encryption will render such methods of electronic surveillance useless; even if law enforcement officials intercept the communication made between criminals, they will be unable to decipher the encrypted messages.[21] As a result, drug lords, spies, and even violent gangs will be able to communicate about their crimes and their conspiracies with impunity.[22]

According to FBI Director Louis Freeh, this is not a problem that will begin sometime in the future. In 1997 alone, there were numerous examples of people using encryption as an integral part of their criminal plans: 1) a convicted spy Aldrich Ames was told by the Russian Intelligence Service to encrypt computer file information that was to be passed to them; 2) an international terrorist was plotting to blow up 11 U.S.-owned commercial airlines in the Far East; his laptop computer which was seized during his arrest contained encrypted files concerning his plot; 3) a subject in a child pornography case used encryption in transmitting obscene and pornographic images of children over the Internet; and 4) a major international drug trafficking subject used a telephone encryption device to frustrate court-approved electronic surveillance.[23] Furthermore, between 1994 and 1997, the FBI saw the number of computer-related cases utilizing encryption and/or password protection increase from 2 percent of the cases involving electronically stored information to 7 percent.[24]

The government’s recent policy stance with respect to encryption has not been to ban encryption outright -- rather, it has been to encourage the free and widespread use of strong encryption, yet to allow law enforcement officials to regulate encryption for the good of public safety by providing for a “back door” access to encrypted information in special circumstances. In March of 1998, Robert Litt, the Principal Associate Deputy Attorney General during the Clinton administration, testified before the Senate Subcommittee on the Constitution, Federalism, and Property Rights and analogized the government’s policy towards encryption to regulations governing automobiles.[25] He argued that society “managed” the automobile, not by letting it develop completely unfettered and without regard to public safety concerns, but first by recognizing that cars could cause substantial damage to the public safety, and then by regulating the design, manufacture, and use of cars to protect the public safety.[26] As a result, cars today are subject to numerous regulations: they must be inspected for safety on a regular basis, they are subject to minimum gasoline mileage requirements and maximum pollutant emission requirements, and they must comply with seat belt and air bag regulations. Furthermore, the laws of every jurisdiction in the United States closely regulate every aspect of driving cars on the public streets and highways, from driver’s licenses to regulation of speed to direction and flow of traffic. Litt argued that Congress and the state legislatures recognized the public safety and health threats posed by the technology of automotive transportation, even as they recognized the dramatic benefits of mobility, productivity, and industrialization that the automobile brought with it.[27]

Litt continued with his automobile analogy by stating that the most relevant example to the policy issues posed by encryption is the practice of requiring cars to be registered and to bear license plates.[28] More recently, federal law has required all vehicles to bear a vehicle identification number (VIN).[29] According to Litt, America now recognize that license plates and VINs afford victims of accidents, victims of car theft, and law enforcement officials with an essential means of identifying vehicles and obtaining information on the movements of criminals.[30] And just as legislatures in the early 1900s acted to manage the risks posed by automotive technology, the American government today urges that there be the same sensitivity to the need to preserve and advance public safety in the face of encryption in the information age. And according to Litt, such a regulatory scheme, if properly constructed, will have benefits for businesses and consumers, just like license plates.[31]

Reflecting these concerns addressed by Robert Litt on the need to have regulatory oversight of encryption, the government has, in the past 8 years, come up with numerous proposals that would enhance law enforcement officials’ ability to access encrypted information. In 1993, the Clinton administration announced its “Clipper Chip” proposal.[32] Under this proposal, a government-designed encryption chip, called the Clipper Chip, would become the industry standard for encryption.[33] Everyone who wanted to encrypt and decrypt messages (i.e., their email messages or telephone conversations) would be required to use the Clipper Chip. But precisely how Clipper encrypted messages was classified. To ensure that law enforcement officials could easily tap Clipper-encrypted messages, the government would keep copies of each of the Clipper decoding keys.[34] However, law enforcement officials’ use of these keys were restricted -- only with an equivalent of a search warrant would the government be allowed to use the keys to decrypt the messages.[35] With the Clipper Chip proposal, the Clinton administration thought that they had struck a proper balance between allowing the use of strong cryptography and answering law enforcement concerns for decrypting messages in certain circumstances. Now, individuals were allowed to use the highest level of encryption, yet government still had a back door key to each encrypted message in case they needed it.

The Clinton administration sorely miscalculated public sentiment. Rather than embrace the Clipper Chip proposal, the public lashed out, denouncing it as undermining privacy rights and being reminiscent of “an Orwellian Big Brother government.”[36] The American Civil Liberties Union was one of the strongest voices against the proposal. It analogized the Clipper Chip proposal to “the equivalent of the government requiring all homebuilders to embed microphones in the walls of home and apartments.”[37] A Time/CNN poll conducted soon after the Clipper Chip was proposed found that 80 percent of the public opposed it on the grounds that it made private information too readily accessible to government officials.[38] The Clinton administration quickly withdrew the proposal.

Shortly after withdrawing the Clipper Chip proposal, the Clinton administration came up with a second, less-intrusive proposal. Rather than having individuals install a government-manufactured chip in order to encrypt and decrypt information, this second proposal allowed individuals to use freely their own encryption programs.[39] In exchange, anyone who used greater than a 40-bit encryption program would be required to leave their decrypting key with a government-approved “escrow agent.”[40] As with the original Clipper Chip proposal, law enforcement officials would be allowed access to the keys only with a court-approved warrant. However, this second proposal was also met with tremendous public opposition. The fact that the escrow agents were pre-screened and approved by government officials led the public to believe that this second proposal would have the same practical effect as the original Clipper Chip proposal in terms of potential government intrusion on individuals’ privacy rights.[41] Public sentiment against this second proposal forced the Clinton administration to abandon it in mid-1994.

The Clinton administration’s third proposal to allow government officials to have a “back door” key to encrypted messages did not differ significantly from its second proposal.[42] This proposal would still have used escrow agents to hold onto keys of greater than 40-bit encrypted messages; however, rather than being government approved agents, the escrow agents would have been “trusted third parties,” chosen from within the private sector.[43] This did little to silence the critics -- and by early-1995, this third proposal was also abandoned.

Finally, in 1996, the Clinton administration revealed a fourth plan and made some important changes in the direction of its policies. There would henceforth be no restrictions on the use of cryptographic systems -- based on key length or technology -- if those systems contained so-called “key recovery” features.[44] That is, if encryption users could demonstrate a viable plan in which trusted third parties (possibly including “self-escrow” within user organizations) would hold (and supply government when presented “appropriate legal authority”, i.e., if government obtained a legal warrant) information that would permit recovery of code keys and decryption of data, unrestricted use of such encryption systems would be allowed.[45] Although some in the U.S. business community continued to objected, initial reaction was much more favorable than with previous cryptography initiatives. The government had worked with U.S. business in developing the new initiative, and a number of major U.S. computer and software companies voiced support for the general principles outlined in the initiative.[46] Others took a wait-and-see approach.

The wait was not a long one. Within months, a number of the proposal’s initial supporters had publicly or privately defected as the details of the implementation were revealed.[47] One major sticking point was the government’s apparent desire to involve itself in frequent and detailed reviews of proprietary company business plans and progress in developing key recovery systems, as a condition for continued approval of high-level encryption systems.

As the debates over encryption policy raged on during 1996 and 1997, three major legislative proposals emerged in the 105th Congress (1997-1998).[48] The first was called the Security and Freedom Through Encryption Act (SAFE).[49] This act, championed by Representatives Bob Goodlatte (R-VA) and Zoe Lofgren (D-CA), was designed to promote privacy, security, and competitiveness in the Information Age. This proposal purported to: 1) affirm Americans’ freedom to use the strongest possible encryption; 2) defeat attempts to force Americans to provide the government with some government-approved third party with keys to their encrypted information; and 3) allow the U.S. to compete in the rapidly growing market for strong encryption products.[50] U.S. businesses, as well as groups such as the ACLU and Americans for Computer Privacy, strongly supported this act.

A second proposal was called the E-Privacy Act,[51] introduced on May 12, 1998 by Senators John Ashcroft (R-MO) [who is now, of course, the Attorney General of the United States], Patrick Leahy (D-VT), and Conrad Burns (R-MT). The bill sought to encourage the widespread availability of strong encryption without back-doors for government, and provide security for individuals’ communications, business transactions, medical records, tax returns, and other sensitive information.[52] This bill was also backed by the ACLU and Americans for Computer Privacy.

The third proposal was called the Secure Public Networks Act,[53] sponsored by Senators John McCain (R-AZ), Bob Kerrey (D-NE), John Kerry (D-MA), and Ernest Hollings (D-SC). Unlike the Security and Freedom Through Encryption Act, S. 909 would implement a key-recovery system, whereby Americans would be required to use government-approved third party agents to hold a spare copy of their encryption keys. The purpose of the bill was to promote national security by ensuring that law enforcement officials would have an adequate back door entry to encrypted messages that otherwise would be unbreakable.[54] Law enforcement offices, namely the DOJ and FBI, supported this bill.

Debates over these three pieces of legislation continued for over two years. Finally, on January 12, 2000, amid political pressure from U.S. computer industry interest groups, the Clinton administration announced that encryption laws were to be liberalized.[55] These new liberalized laws adopted much of what had been proposed in the Security and Freedom Through Encryption Act.

Next: Arguments against restrictions...

 
Please send inquiries to bold@cyber.law.harvard.edu

Welcome | Registration | Discussion | Resources |
The Berkman Center for Internet & Society