Encryption is technology that “encodes” computer files and communications to protect people’s privacy, much like a combination lock secures a filing cabinet. If computers touch your life in any way, information about you is likely protected by encryption. It protects everything from computer-stored medical records to online credit card numbers.
Currently, Americans can purchase and use products with the strongest encryption available on the market, without providing the government with any extraordinary access to “encrypted” information.
Internationally, however, Administration policy prohibits U.S. companies from exporting products with strong security features, limiting their encryption “strength” to a mere “40-bit” key. (The more “bits,” the stronger the encryption.) This is true even though the “40-bit” limit was set in 1992, and today “40-bit” encryption is considered laughably weak. Much stronger products, up to “128 bit,” are readily available from foreign competitors in the U.S. and around the world. But U.S.-made “128-bit” encryption products, and even those products utilizing the 20-year-old “56-bit” Data Encryption Standard, are prohibited from competing in those global markets.
Encryption is the best way to protect information communicated over the Internet. It is also the most effective way to protect sensitive personal information and confidential business data stored on computer systems. Current U.S. policy on the domestic use of encryption is hands-off and has proven effective.
On the other hand, the U.S. export policy on encryption is seriously flawed. Manufacturers in more than 20 different countries sell hundreds of products containing encryption that is much stronger than what U.S. policy allows U.S. manufacturers to sell worldwide. American companies are stuck on a playing field slanted against them in a hot growth market. This outdated policy is costing American jobs. A Computer Systems Policy Project study estimates it will cost 200,000 high-skill, high-wage jobs by the year 2000.
The Security and Freedom through Encryption (SAFE) Act (H.R. 850), championed by Reps. Bob Goodlatte (R-VA) and Zoe Lofgren (D-CA) and cosponsored by a solid majority in the U.S. House of Representatives, would establish a new encryption policy that will protect privacy while stimulating competition. Americans for Computer Privacy (ACP) enthusiastically supports it.
The bill would ensure that consumers have access to the strongest possible encryption in the U.S., without depositing “keys” with some government-approved “third party.” In essence, it would ensure that any individual, business or organization that uses encryption, or anyone whose life is touched by computers using encryption (i.e., patients whose medical records are online or stored on a network) would be better protected from computer crime.
The legislation would loosen the Administration’s limits on the export of strong encryption products to allow U.S. industries to compete on a level playing field in a booming global information economy that involves trillions of dollars and millions of jobs. That would mean customers abroad would be able to choose American-made products with encryption as strong as the non-U.S. products that currently compete for their dollars.
For every encryption code, there exists a “key” to unlock that code, much like a bank card PIN number provides access to a bank account or the proper numerical code provides access to a combination lock. In contrast to the ACP-backed plan, the FBI is asking Congress to change encryption policy as it applies to U.S. citizens. The FBI’s goal is to obtain access to those “keys” without your knowledge for investigating criminal activity. The result would be a vastly overreaching and unprecedented system of information access that would allow the government to obtain more personal information than ever before.
The FBI’s plan would outlaw your ability to encrypt data and communications without providing “keys” to government-approved “third parties.” In essence, your ability to communicate and store information in such a way that is not relatively quick and easy for the government to read would be prohibited by law. It would provide law enforcement greater access to your information, which is fundamentally intrusive and threatens our constitutionally protected right to privacy. Moreover, private citizens, corporations, schools, universities, laboratories, hospitals and charities that use encryption all would be vulnerable to unscrupulous “third parties” who carelessly or irresponsibly handle those “keys.”
The Administration currently prevents U.S. companies from exporting strong encryption products, costing American jobs, even though foreign competitors from more than 20 countries are selling hundreds of strong encryption products.
This creates a “lose-lose” situation for American companies and consumers. Because of economies of scale, manufacturing and marketing strong encryption products in the U.S. domestically, and weaker encryption products abroad, is very costly. It means American companies will lose the important lead the high-tech industry has earned in the global marketplace because many foreign customers reject American “encryption lite” products. But if American companies simply sell weaker encryption products domestically as well as internationally, they could see the American market disappear to foreign competitors.
The Administration’s insistence that the government be given greater access to encrypted data as a trade-off for the ability of American manufacturers to export strong encryption products is simply unfair and heavy-handed. It denies American citizens and businesses their constitutional right to keep personal and business information private. In addition, the impact on the future economic growth of today’s information economy could be severe.
Encryption is a fundamental building block of the digital age and critical to the future of electronic commerce, which means trillions of dollars to the American economy and millions of American jobs. The National Research Council warned in 1996, “U.S. export controls may stimulate the growth of significant foreign competition for U.S. vendors to the detriment of both U.S. national security interests and U.S. businesses and industry.” These predictions are proving correct.
Encryption Glossary & Terminology
Bit – the unit in which encryption key-length, or strength, is measured. The more bits, the stronger the encryption.
Brute Force Search – a method of attempting to break encryption by simply trying all possible keys. Strong encryption must have a large enough keyspace to ensure that a brute force search is not feasible.
Cryptanalysis – the art of decoding text. Cryptanalysis is a complex process, involving statistical analysis, analytical reasoning, math tools and pattern-finding.
Decryption – the art of decrypting text – the process by which encoded text is made readable.
DES – the U.S. Government’s Data Encryption Standard. It is 56-bit.
Encryption – technology that encodes computer files to protect peoples’ privacy.
Escrow Agent – an entity that holds encryption keys for other users.
Key – similar to a password, allows you to access or decrypt encrypted data.
Key Recovery or Key Escrow – system by which encryption users deposit the keys to encrypted information with a third party for storage and/or retrieval.
Keyspace – the span of available keys. The longer the key-length, the more possible combinations a potential code-breaker would have to test. The table below shows the number of possibilities for common key length (Source: FreeMarket.Net: Policy Spotlight, October-November 1997.)
Key Length & Possible Keys
- 40 bits 1,099,511,627,776
- 56 bits 72,057,594,037,927,900
- 90 bits 1,237,940,039,285,380,000,000,000,000
- 128 bits 340,282,366,920,938,000,000,000,000,000,000,000,000
Public-Key Cryptography – a technique that uses a pair of asymmetric keys for encryption and decryption. One is the public key (that can be distributed widely) and the private key (which is held by its owner and never distributed). When data is encrypted using the private key, it can only be decrypted using the public key; conversely, data encrypted using the public key can only be decrypted using the private key.
Myths vs. Reality on Encryption
Myth # 1: Strong encryption is not necessary to protect consumer privacy and ensure security on electronic networks.
Reality: In fact, encryption is a critical foundation of electronic transactions. Almost all transactions (involving sensitive data) conducted over the Internet are currently protected by strong 128-bit encryption. For example, 128-bit encryption is currently required by all major banks in order to conduct banking transactions over the Internet.
Myth # 2: The widespread use of encryption will leave Americans more vulnerable to crime and terrorism.
Reality: Actually the opposite is true. Strong encryption will help protect America from growing computer crime, fraud, and theft. Moreover, in a 1996 Presidential Commission report, the National Research Council, recognizing the vulnerabilities of the nation’s critical infrastructure, called for the “broad use of cryptography Š” to meet today’s information security needs.
Myth # 3: Encryption technology currently is controlled by the National Security Agency and law enforcement.
Reality: Encryption is not controlled by law enforcement. It is prevalent today and used regularly to protect bank records, financial transactions, e-mail, and medical records. State-of-the-art encryption is sold in the United States “over the counter” at thousands of retail outlets and over the Internet. Any attempt by the FBI to mandate a system in which “third parties” hold encryption “keys” would represent a substantial new limitation on an individual’s ability to protect his or her privacy.
Myth # 4: The Fourth Amendment gives law enforcement the right to access your data and computer communications without your knowledge.
Reality: The Fourth Amendment establishes only a right of the people against unreasonable searches and seizures. It does not grant an affirmative power to the federal government ensuring reasonable and convenient access to evidence. The federal government has only the power to search – it does not have the right to find. Outlawing the use of encryption where no “key” is held by a “third-party” turns the Fourth Amendment inside-out. The police would have a “right to find” evidence, while the people would be jailed for best securing their “papers and effects.” [more]
Myth # 5: The FBI’s “key recovery” plan is workable.
The Administration and the FBI have proposed a “key recovery” infrastructure designed to enable law enforcement access to the plaintext of encrypted data and communications. Specifically, the FBI wants “immediate access to the plaintext of encrypted communications or electronic information without the knowledge or cooperation of the person using such product or service.”
Reality: For today’s commercially sold encryption products, the technology does not exist to provide “immediate access” to “communication without the knowledge of the user.” (This can be roughly comparable to the FBI mandating compact disk quality sound recording in the days of the 45-RPM record.)
Myth # 6: Because law enforcement officers would be required to obtain a court order to view personal information without the owner’s knowledge, innocent people are not at risk.
Reality: Law-abiding citizens are most at risk. Imagine a system where all citizens, not just criminals, would have to deposit a copy of their house key or a copy of their safe combination with a “trusted third party,” just in case law enforcement ever wanted covert access to their private information. So-called “key recovery” gives the government and third-party key holders the ability to access the private data of every American — well before a crime is committed or a court order is secured.
Myth # 7: “Trusted third parties” would ensure that encryption keys aren’t misused.
Reality: “Key recovery” is an inherently insecure system because “keys” would be held by either “trusted third parties” or governments. Under such a system, security rests with the integrity of the institutions and individuals holding the “keys,” not with the underlying technology. The 1996 National Research Council stated it best: “Escrowed encryption (encryption for which a “third party” holds a key) by design introduces a system weakness Š and so if the procedures that protect against improper use of that access somehow fail, information is left unprotected.” No government policy can guarantee those “third parties” will be scrupulous with those “keys.”
Myth # 8: Strong encryption is available only in the United States.
Reality: Strong, state-of-the-art, non-“key recovery” encryption is freely available abroad from major multinational corporations like Siemens and Brokat. Some foreign companies market unrestricted products as “stronger security than any U.S. company can provide.”
Myth # 9: The Administration and the FBI have secured global support for their “key recovery” infrastructure.
Reality: Since the Internet is global, any “key recovery” technology scheme must be global AND interrelated. There is no global legal infrastructure to support “key recovery.” In fact many countries have already decided not to participate. Currently, the OECD (26 countries) and the European Commission have both indicated opposition to a mandatory “key recovery” scheme. Moreover, despite the Administration’s best efforts over a number of years, not one bilateral or multilateral agreement has been reached regarding the global exchange of encryption keys.
Myth # 10: Current U.S. export controls are constitutional.
Reality: This is not a settled matter. Today’s export controls may be unconstitutional as “prior restraint” of speech under the First Amendment. The District Court in the Northern District of California has already held that the current export control regulations are unconstitutional.