Chief Technology Counsel
MCI Communicationsbefore the
Subcommittee on
Constitution, Federalism, and Property
March 17, 1998
I. INTRODUCTION
MCI believes that controls on the use of strong encryption, including key recovery systems, are contrary to the best interests of the American people for at least three reasons. Such controls could: (1) harm the ability of American business to compete with foreign companies for foreign and domestic customers; (2) undermine the enormous potential of the Internet, including global electronic commerce, to improve the lives of all Americans; and (3) violate the constitutional right to privacy and abrogate the protections of the 4th and 5th Amendments. In addition to these important considerations, there are a number of practical problems associated with key recovery systems that render them futile or even counter-productive.
II. ENCRYPTION CONTROLS ARE CONTRARY TO AMERICA’S BEST INTERESTS
1. Impact on U.S. Business
Companies like MCI are concerned that encryption controls will negatively impact our ability to compete with multinational carriers for multinational customers. MCI offers customized Internet products — such as World Wide Web browsers — that incorporate encryption tools. Because foreign carriers from countries without encryption controls will offer strong encryption to which no government entity holds the keys, we believe that potential customers seeking the highest level of protection will choose their products over ours.
By limiting the sale and use of domestically developed U.S. encryption technology abroad, current export controls endanger America’s technological competitiveness and its overall economic security. If those in the international marketplace cannot obtain strong encryption products from U.S. firms, they will increasingly turn to foreign suppliers ó threatening America’s edge in the critical sectors of computer technology and telecommunications. In addition, one of several legislative versions promoted by federal authorities now pending in the U.S. House of Representatives would prohibit domestic manufacturing, sale or importation of any encryption product or service, unless the government is given immediate access to the plain text of communications and stored files so that they can be immediately read without the knowledge of the user. We believe that this requirement would have a chilling effect on our ability to gain new customers and retain our current ones.
2. Potential of the Internet and Global Electronic Commerce
In addition to the specter to American business raised by controls on strong encryption, the enormous potential of the Internet, including Internet-based global electronic commerce, could be undercut by the government’s efforts to limit online privacy.
Anyone who once doubted the Internet’s potential to transform the daily lives of all Americans, must now see that the Internet has already revolutionized the way millions of people communicate, conduct business, and access information. Without strong encryption and severe limits on the government’s ability to access Internet communications, people may lose confidence in the Internet and fail to make use of its full potential. This could destroy the great potential of the Internet to bring new and better services to people, enhance the efficiency of our economy, and further strengthen our democracy.
We stand on the brink of a great change in the way people and companies conduct business around the world. Electronic commerce will create efficiencies in the cost of doing business, open new markets, and bring new products and services to all people. But this promise will never be fulfilled if the average citizen feels his or her privacy is not secure on the Internet. As a recent front-page Washington Post article reports, of the millions of people already using the Internet, growing numbers are turning to encryption and other methods to protect their privacy online.
3. Constitutional Issues
The FBI’s proposal for key recovery in general, and Director Freeh’s recent call to include domestic controls on the use of strong encryption in particular, raise serious questions about the people’s right to privacy under the Constitution.
I urge the Committee Members to parse the words of the 4th Amendment very carefully in considering the constitutionality of controlling strong encryption. The 4th Amendment requires that a warrant particularly describe the places to be searched or the things to be seized. I ask the Committee Members to consider the extent to which key recovery abrogates this important limit on the government’s authority. By the very nature of a proposal to store keys in advance, can the “places to be searched” and the “things to be seized” be particularly described?
The 5th Amendment’s command is very simple: “No person shall… be deprived of life, liberty, or property without due process of law.” I suspect that most Americans would consider the keys to their encrypted communications and stored data to be their personal property. By requiring the surrender of all keys to all communications and stored data, the American people may feel that their government seeks to deprive them of that property without due process.
As a practical matter, while law enforcement insists that its access to private communications will be limited in scope and subject to properly-obtained warrants, the American people are well aware that private efforts to “hack” into computer systems — including the Internet — are tenacious and pervasive. As a result, providing law enforcement with a key to every communication on the Internet will surely lead to an increase in abuse of those keys by private parties.
III. THE AMERICAN PEOPLE’S STRONG INTEREST IN PRIVACY
The Post article reports that the American people are becoming increasingly frustrated with unauthorized use of their personal information. The measures people are using to protect that information increasingly include encryption of e-mail and data files. It is important to understand that a compromise in privacy — even if limited and controlled as the government promises — is a compromise nonetheless. Neither the government nor a “trusted third party” can guarantee that personal information will not be misused under the key recovery proposals. It’s been widely reported that once someone’s credit report, medical history, or other sensitive information has been misused, the consequences can be grave, and the misuse difficult or impossible to correct.
A recent survey also provides strong evidence of the people’s serious concern with online privacy matters. So leery are Americans of privacy on the Internet, that 40% of the 20,000 respondents to a survey by the Georgia Institute of Technology reported that they have given false personal information when registering at a website. By way of comparison, only 8% of those surveyed reported that they were concerned enough about “spamming” — or unsolicited, bulk e-mail — on the Internet to support a legislative solution. This is particularly striking because spamming is widely considered to be one of the biggest problems on the Internet.
The very viability of Internet commerce and the integrity of its communications are dependent on the unobstructed use of superior encryption products. Many consumers are still very wary about purchasing products and services via the Internet, fearful that their credit-card numbers could be appropriated or their privacy compromised. Businesses, moreover, are rightly worried about threats to the confidentiality and authenticity of their online communications and transactions. Strong encryption can significantly mitigate these concerns by affording individuals and companies protection from computer crimes and unauthorized access. And in doing so, encryption can facilitate and speed the realization of the Internet’s enormous economic and social potential.
IV. COPYRIGHT LIABILITY AND PRIVACY
As a related matter, limiting privacy on the Internet may bolster the plans of some to impose a new and unreasonably strict copyright regime in cyberspace. Providers like MCI may be forced to monitor and/or block the communications of individuals and businesses in a fruitless effort to identify potential copyright infringements. Technical impossibility and practical concerns aside, such monitoring or blocking would invade the privacy of every Internet user.
As explained, the American people have the right to be secure in their communications. I certainly do not advocate the violation of copyright laws; however, denying people the right to keep their communications private — from the government and Internet service providers alike — is not the way to fight crime, and not the way to protect valuable copyrights. In fact, strong encryption can actually help fight crime and protect copyrights and other intellectual property. By ensuring the security of financial transactions, for example, strong encryption can help reduce white collar crime. In addition, strong encryption provides an inexpensive method for authors and other creators to protect against the theft of copyrighted works on the Internet.
V. INTERNET DOMAIN NAMES
In considering both domestic restrictions and export controls of strong encryption, I want to make an important point about Internet domain names. Domain names ending with the “.com” designation are available to any domestic or foreign company, and can be used by computers anywhere in the world. The typical Internet user is not aware of the location of the domain he or she is accessing. To take one example, the government of Singapore has monitored and may still be monitoring all Internet communications entering that country. As a result, the communications of Internet users around the world accessing a “.com” address residing in Singapore could be exposed to the watchful eye of that local government. The only way to ensure the highest level of privacy throughout the Internet is to ensure that the strongest encryption is available in the U.S. for sale or export and to discourage the use of encryption controls abroad.
VI. PRACTICAL PROBLEMS WITH KEY RECOVERY
In addition to all these concerns, practical limitations on the effectiveness of key recovery suggest that its use does not justify the cost to individual privacy. Put simply, key recovery will not work to solve the anti-criminal issue that it is primarily based upon. First, encryption users employing a two-step key process can require a password — often called a “passphrase” or “challenge phrase” (which can itself be encrypted) — to decrypt the key to an encrypted message. As a result, a stored key — without its corresponding password — would not function.
Another type of encryption growing in popularity is the split-key method. These systems require a combination of keys to reconstruct the “real” key originally used to encrypt a message. Because such second-level protections can be modified at will by the user, stored keys would quickly become worth less than the cost of administering them. Furthermore, common sense suggests that among the most diligent users of such methods would be criminals bent on hiding their communications from the authorities.
I am unaware of any key recovery system that puts the keys in the hands of users that could not be easily defeated by criminals, even those whose only crime is circumvention of encryption control laws. Centralized systems can be imagined by which, for example, a corporate computer would produce and issue keys to users. I feel strongly, however, given the American people’s concern with online privacy, that they will want to choose encryption systems in which they create and manage their own keys. And I’m certain that any proposal forcing companies like MCI to issue and store its customers’ keys would contribute to the competitive disadvantage created by encryption controls in general.
VII. CONCLUSION
MCI recognizes the need to be tough on crime; but doing so should not come at the expense of privacy. The American people are making it increasingly clear that privacy is at the forefront of their concerns. To any suggestion that privacy concerns are exaggerated, I would point to the countries around the world that currently impose controls on the use of encryption. They include: Belarus, China, Pakistan, and Russia. I would ask the Committee Members if you believe the American people want the United States to join that list of countries.
I believe that strong encryption is the key to privacy on the Internet, and that such privacy, in turn, is the key to realizing the enormous potential of the Internet and global electronic commerce. MCI has watched the debate over encryption labor on for years without progress. We believe that the time has come to embrace an approach supportive of innovative, strong self-regulation rather than continuing to pursue an elusive compromise between industry and law enforcement.