[ISN] No choice perfect on encryption

From: mea culpa (jerichoat_private)
Date: Wed Jan 20 1999 - 17:16:18 PST

  • Next message: mea culpa: "[ISN] New Java Virus Alive Like a Hive"

    http://www7.mercurycenter.com/columnists/gillmor/docs/dg011699.htm
    No choice perfect on encryption
    Jan. 17, 1999
    BY DAN GILLMOR
    Mercury News Technology Columnist
    
    IN a society where compromise is a pillar of government, it feels almost
    un-American to admit that some issues defy any middle ground. It feels
    even worse when there are only two alternatives, and both offer unpleasant
    consequences. 
    
    This is the reality of encryption, the scrambling of data to keep it away
    from prying eyes. Yet at a time when it's essential to hold an honest
    debate about a difficult decision, encryption policy drifts in a Twilight
    Zone, where both sides tend to avoid acknowledging some hard truths. 
    
    Security in the Digital Age is at the heart of the matter. Both sides are
    talking about your security, but their perspectives could hardly be more
    divergent. 
    
    Law enforcement and national security people say the ubiquitous use of
    unbreakable encryption will harm national security. But if this kind of
    encryption is prohibited, a direction in which governments are moving, the
    security of individuals' most private and sensitive information will be at
    risk to criminals and oppressive governments. 
    
    Both sides are right. 
    
    Experts on encryption and its uses are gathering in San Jose this week for
    the annual RSA Data Security Conference. For the most part, speakers and
    participants have already come down on the side that makes the most
    practical sense, as well as being the only one that maintains personal
    liberties: unrestricted use of strong encryption. But making this choice
    means understanding the other side. 
    
    Strong encryption once was the sole province of the state. Today, low-end
    personal computers are powerful enough to scramble data so thoroughly that
    all the supercomputers in the world would have to work for billions of
    years to decipher a single message. 
    
    It's easy to see why that worries police and national security agencies. 
    Slowly but surely during the next few years, they're going to lose one of
    the tools on which they've relied for decades: the ability to tap into the
    communications of criminals. 
    
    Oh, law enforcement people will still be able to intercept the bits of
    information flowing back and forth. But they won't be able to decipher any
    of it. 
    
    >From law enforcement's perspective, this is an invitation to evil. When
    criminals can communicate securely, catching criminals will be more
    difficult. 
    
    Someday, terrorists will use unbreakable encryption to conceal the
    evidence of their plotting. That is certain. But should we give up our
    most fundamental liberties to prevent this? 
    
    Slowly but surely during the next few years, more and more of our daily
    doings will take place in digital form, on computers and online. We will
    need a tool that keeps our business dealings, finances, medical records
    and other information safe from criminals and those who would wrongly pry
    into our personal affairs. 
    
    Strong encryption is that tool. Without it, we will be vulnerable to new
    kinds of crimes and gross invasions of privacy by malevolent people and
    businesses. Without strong encryption, moreover, governments will have
    unprecedented power to spy on citizens, to create police states the likes
    of which George Orwell could barely have imagined. 
    
    The problem for law enforcement is that strong encryption exists. It is
    used most widely where it's least visible, such as commerce on the World
    Wide Web and in banking transactions. Encryption is used less widely when
    it has to be added on. It is easy to obtain, but often difficult to use. 
    
    The point is that secure encryption is already out there. Police agencies
    know they can't stop this technology outright. But rather than engage in
    an honest debate with supporters of encryption, they and their political
    allies have resorted to rear-guard actions to slow its adoption, with a
    considerable degree of success so far. 
    
    The principle at work is that criminals are fundamentally stupid: As long
    as we can keep encryption from becoming ubiquitous, criminals will be too
    stupid to use it, so we'll be able to catch them. 
    
    American companies continue to be frustrated by the Clinton
    administration's general refusal to let them export hardware and software
    containing strong encryption, unless the product also has a back way in
    for law enforcement authorities. There have been some modest exceptions,
    but the policy remains pretty much intact even though it's slowly being
    liberalized. 
    
    It's a foolish policy, not just because smart programmers live in other
    countries that don't have these kinds of restrictions on commerce. To
    date, American companies have lost some business, and as more people
    insist on buying secure products American companies will lose out on more
    sales. 
    
    It's also a sideshow to the real issue: whether strong encryption will
    survive the inevitable challenge by law enforcement people in coming
    years.  FBI Director Louis Freeh and others in his field have made no
    secret of their desire to restrict communications that they can't
    intercept and understand. Widely used strong encryption, by their
    reckoning, is unacceptable. Although they keep insisting that there are no
    plans to move for restrictions, here's an open bet that they'll try sooner
    rather than later. 
    
    When government officials say they merely want to protect their current
    surveillance capabilities, they're telling only part of the truth. They
    can't maintain the status quo, because technology has upset the status
    quo.  Law enforcement can have essentially all or nothing in the Digital
    Age -- untrammeled access to everything, with serious risks that criminals
    will gain the same kind of access through malevolent hacking, or no access
    at all. 
    
    I vote for unrestricted encryption, here and abroad, for more than the
    merely practical reason that the proverbial genie has long since escaped
    the bottle. I support it because I've weighed the risks on both sides. 
    
    Risk is part of life. It's intrinsic to our economic system. 
    
    Our legal system also acknowledges risk. We grant ourselves civil
    liberties because we don't want to live in a dictatorship. We protect the
    rights of suspects in criminal cases, because we don't want governments to
    have the power to ruin the lives of innocent people. We have a Fifth
    Amendment against self-incrimination, for example, because we don't want
    the police torturing confessions out of innocent people. 
    
    Liberties and rights add risk to our everyday lives. We accept the
    trade-off as part of living in a mostly free society. 
    
    Someday, we'll have a serious national debate on strong encryption. When
    you consider the issue, be honest with yourself. Strong encryption will
    increase risks in some areas. It will cut risks elsewhere. 
    
    Whichever way we go on this issue that defies compromise, there will be
    consequences. That may be unfortunate, but it's real life. 
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:16:27 PDT