Keep in your mind for the moment the image of John Gotti, plotting some evil deed with an FBI agent listening in and taking down every word.
Last month I noted that "public key encryption" programs--software that enables you to scramble a digital file so that the file cannot be read by anyone but the intended recipient, even if you and the recipient had not had any prior contact with one another--have recently become widely available.
Because encryption may be the only way to provide true security for property (intellectual property, credit card numbers, or more sophisticated versions of "electronic cash," and the like) placed in the stream of electronic commerce on the Internet, I suggested that encryption may turn out to be the philosopher's stone for the twenty-first century. I suggested that it may be the key to unlocking the Internet's vast commercial prospects, and that encryption technology may spread quickly beyond the banking sector, where it is already widely used, to help create a broader electronic marketplace for a wide variety of goods and services.
That is all good news. In addition, encryption has the power to keep Big Brother at bay; to allow political dissidents in, say, China, a new and more secure means to disseminate information freely to the outside world.
But there is bad news as well. Now that ordinary everyday communication can easily be placed in digital form (such as an electronic mail message or a conversation on a digital telephone) and then converted into an unreadable scrambled mess with a few clicks of the mouse on a home computer, what happens to the Alligator Clip that Felled John Gotti? What is the point of tapping a wire when the information coming through the wire is irretrievably garbled?
The FBI and others have raised the specter of a world where not only political dissidents but terrorists, assassins, drug kingpins, and the like are all communicating freely over the Information Superhighway without fear of being overheard; a world where wiretapping is no longer a useful weapon in the law enforcement arsenal, and where crime suddenly becomes more difficult to uncover and punish. "If you think crime is bad now," FBI Director Louis Freeh has warned, "just wait and see what happens if the FBI one day soon is no longer able to conduct court-approved electronic surveillance."
The government does not take this threat to its law enforcement powers lightly, and has, not surprisingly, been trying to devise ways to restrain the use of encryption software. Indeed, encryption has been the focus of the government's first real efforts to exercise control over activities on the Internet, and represents the first battleground in what may become a fascinating, and possibly quite nasty, war to assert jurisdiction over this new territory.
First, the federal government classifies encryption software as a "munition" under the International Traffic in Arms Regulation Act (ITAR). Like an F-15 attack plane, encryption software cannot be exported from the United States without a special State Department license, which is next to impossible to obtain for the more powerful encryption systems.
Second, and more notoriously, the government is trying to promote adoption of an encryption system that, conveniently enough, has a "back door" through which the government can continue to monitor otherwise "secure" conversations.
With its infamous "Clipper Chip" initiative, the Clinton administration licensed the manufacture of a special chip, incorporating the government's own (classified) encryption system, that could be placed into telephones, computers, and other communication devices. This system differs fundamentally from "public key" systems. It is an "escrowed encryption system" under which the government retains, in escrow, the "keys" that can unscramble encrypted files, keys that can be released to law enforcement officials upon an appropriate showing of need.
Faced with a choice between an escrowed encryption system, with agencies of the United States government as key-holding escrow agents, and an equally powerful public key system that is secure from all eavesdroppers, most American consumers--let alone foreign consumers, or, for that matter, terrorists--would probably opt for the latter. Do we really expect, as Senator Patrick Leahy (D-Vt.) has asked, to be able to "sell our phones and computers abroad with a note saying, 'All encrypted communications sent on this equipment are guaranteed to be available to the U.S. government upon its secret request'"?
Skipjack/Clipper, in other words, would appear to be a nonstarter in a truly competitive encryption market. How, then, to foster widespread use of the Clipper chip (or other devices implementing an escrowed system)?
The government has not--yet--tried to mandate use of the Skipjack/Clipper system or outlaw use of competing encryption systems. Instead, the original Clipper proposal attempted to establish Clipper as a de facto standard in the marketplace, without, quite, going so far as to mandate its use, by providing that exporters of machines incorporating the Clipper Chip will receive automatic export authorization, and by requiring the government to buy only machines that use the chip.
In this battle over the future of encryption, however, the state is in retreat. Export control has perhaps slowed, but hardly stopped, the spread of public key encryption. Several months ago a copy of PGP, a powerful public key encryption program I discussed in last month's column, was placed on an Internet-accessible computer, from where it could be copied by anyone in the world with a modem and access to the global network. It is estimated--nobody knows for sure--that several hundred thousand copies are now in circulation around the world.
And Clipper, under relentless attack from an alliance of civil libertarians fearful of giving the government Orwellian eavesdropping powers and the software industry looking to exploit a multi-billion dollar market for encryption products, has hardly fared much better. The federal government has apparently abandoned the Clipper initiative, at least with respect to computer (though not voice) communications, and is "re-evaluating" the need for an encryption system requiring government escrow agents.
This all has the flavor of locking the barn door after the horses have left. Although the government initiated a criminal investigation of Phil Zimmermann, PGP's author, over his part in the illegal export of PGP, nothing the government can now do will put the genie back in the bottle. Not in a world where a single copy of a program can generate thousands, or hundreds of thousands, of additional copies in a matter of minutes. It is probably not even too much to suggest that the very notion of "export control" on the Internet, where geographical boundaries have absolutely no significance, and where one computer looks exactly like another regardless of geographical location, has a faintly ludicrous tinge to it.
This is not to say that the encryption battle is over. Far from it; the government has many, many other weapons in its arsenal. For example, talk of outlawing unescrowed encryption systems--a move that would raise rather profound constitutional and ethical questions--has been heard in the land. We shall see. It is on the one hand hard to see how anything short of that will give the government what it apparently seeks: assured access to all electronic communications. But it is just as hard to see how even that drastic step will provide such assurance, given the already widespread availability of unescrowed encryption programs. A difficult dilemma, to be sure, but one that perhaps raises the possibility that the government, whatever its wishes may be, may have to content itself with a less vigorous role in policing cyberspace.
Contact David Post by e-mail at Counsel Connect: firstname.lastname@example.org.