Top Stories • U.S. to Relax Encryption Limits (Washington Post, Sept. 17) • Harry and Louise Have a New Worry: Encryption (Washington Post, July 28)

By Dan Froomkin
Washingtonpost.com Staff
and Amy Branson
LEGI-SLATE News Service
Updated May 8, 1998

The very same data-scrambling technology that can let you send your credit card number across the Internet without a qualm or e-mail a friend in absolute privacy may also make it harder for law enforcement authorities to detect terrorist plots or build cases against criminals.

Due to recent developments in software and hardware, some consumer-level encryption products are now so powerful that law enforcement officials say they can't crack them, even with massive supercomputers.

Encryption has become one of the hottest hi-tech issues on Capitol Hill, as Congress debates whether the government should step in and limit the strength of encryption products to maintain law enforcement's historical ability to eavesdrop electronically on anyone it wants.

There are currently no restrictions on the use of encryption technology within the United States, though the Clinton administration, citing national security, has long prohibited U.S. firms from selling their best products overseas.

Law-enforcement advocates say the government should maintain export limits and maybe even impose restrictions on domestic use of strong encryption.

But privacy advocates and U.S. software makers – who are worried about international competitiveness – say the government should get out of the way.

This special report includes stories from The Washington Post and LEGI-SLATE News Service, an update on top legislative proposals and profiles of players in the debate.

Our selection of opinion pieces and Web links offers other perspectives, as does our ongoing online discussion.

This essay provides an introduction to encryption, covering the following topics:

Bits and Keys | Pros and Cons | History | Where It Stands

Bits and Keys

Modern encryption is achieved with algorithms that use a "key" to encrypt and decrypt messages by turning text or other data into digital gibberish and then by restoring it to its original form.

The longer the "key," the more computing required to crack the code.

To decipher an encrypted message by brute force, one would need to try every possible key. Computer keys are made of "bits" of information, binary units of information that can have the value of zero or one. So an eight-bit key has 256 (2 to the eighth power) possible values. A 56-bit key creates 72 quadrillion possible combinations.

If the key is 128 bits long, or the equivalent of a 16-character message on a personal computer, a brute-force attack would be 4.7 sextillion (4,700,000,000,000,000,000,000) times more difficult than cracking a 56-bit key.

Given the current power of computers, a 56-bit key is considered crackable; a 128-bit key isn't – at least not without an enormous amount of effort.

Until 1996, the U.S. government considered anything stronger than 40-bit encryption a "munition" and its export, therefore, was illegal. The government now allows the export of 56-bit encryption, with some restrictions – but 128-bit cryptography is emerging as the new digital standard.

The "secure" mode on the latest Netscape browsers available to U.S. and Canadian citizens, for instance, uses 128-bit encryption to encode and decode information that is sent and received. But because of export rules, Netscape can provide overseas users only with browsers that employ much weaker encryption.

Encryption software can also use keys in different ways.

With single-key encryption, both the sender and receiver use the same key to encrypt and decrypt messages. But that means the sender has to get the key to the receiver somehow, without it being intercepted.

One of the most important advances in cryptography is the invention of public-key systems, which are algorithms that encrypt messages with one key (a public one) and permit decryption only by a different key (a private one). Dan can openly publish his "public" key, and if Amy uses it to encrypt a message, the message turns into incomprehensible garbage that can only be decoded with Dan's secret, "private" key.

Finally, if Dan's bosses – or the government – insist that there be some way for them to decode his encrypted data and messages in case he gets hit by a truck or appears to be engaging in illegal activity, there are a few basic options. Dan can be forced to turn over a "spare" copy of his secret key to a third party, either private or governmental, who will only allow it to be used under certain circumstances. Or, along the lines of the government's failed "Clipper Chip" initiative, Dan can be told to use only encryption products that automatically create a master key, held in reserve by a third party. Those options are known as "key recovery" or "key escrow."

Pros and Cons

The debate over encryption has fractured party lines, and has even put top level Clinton administration officials at odds with each other.

For Restrictions

FBI Director Louis Freeh is the most outspoken advocate of encryption restrictions. He argues that the capability to conduct court-authorized electronic surveillance should be built into any technology, including powerful encryption software.

Electronic surveillance has become a powerful tool in the police arsenal. But now, Freeh complains, new technology is helping criminals more than the police.

One Freeh proposal is that all users of powerful encryption software be asked to turn over their keys to a third party, so that law-enforcement officials can gain access to them with a court order.

Freeh's allies include his boss, Attorney General Janet Reno, and legislators including Rep. Gerald B.H. Solomon (R-N.Y.), the retiring chairman of the House Rules Committee.

"Let there be no doubt," Reno wrote congressmen last year. "Without encryption safeguards, all Americans will be endangered."

Against Restrictions

But support for unfettered encryption is intense and comes from many corners

U.S. software companies say that overly strict regulations are already making it difficult for America to compete internationally in a booming technology market. They also say weak encryption will leave customers with little confidence in online commerce and communications.

Manufacturers say that having to build a "key recovery" option into software for domestic use would be expensive and unpopular with customers. While some businesses might appreciate having the "key recovery" option when it comes to encrypted data stored by employees on company computers, they have no interest in weakening the security of transmitted data – precisely the data the government is most interested in being able to keep an eye on.

Internet denizens are fighting to prevent the government from being able to monitor their conversations. And some legislators from all over the political spectrum are concluding that privacy is the key issue. Sen. John Ashcroft (R-Mo.), who points out that the Founding Fathers used cryptography to encode their messages to each other, argues that law enforcement needs must not violate privacy rights.

"We must protect our First and Fourth Amendment rights in the Information Age," Rep. Bob Goodlatte (R-Va.) said at a hearing in March. "The government should no more mandate that folks give the keys to their computer to another person, than it should mandate that folks give someone the keys to their house or their safety deposit box."

History

Before 1991, the government and large companies were the only real users of encryption technology. That began to change when programmer Philip Zimmermann released free software called Pretty Good Privacy, which can encode ordinary e-mail.

Its domestic use was never challenged. But when PGP turned up in other countries, the Department of Justice launched a three-year criminal investigation of Zimmermann. PGP used 128-bit encoding keys at a time when U.S. export laws allowed only 40-bit encryption to cross the borders. Anything stronger was classified a munition, just like guns and warheads.

No charges were filed against Zimmermann. But the case dramatically highlighted the sharply differing views toward encryption technology.

In 1993, the Clinton administration proposed a government-designed encryption chip called the "Clipper chip" as the industry standard.

By adding a Clipper chip to, say, a telephone, users could scramble their phone conversations. But precisely how Clipper encrypted messages was classified. And to ensure that law enforcement officers could easily tap Clipper-scrambled exchanges, the government would keep copies of Clipper decoding keys.

Software companies and privacy advocates were infuriated, and the administration backed away from the plan.

In 1996, the Clinton relaxed its stand somewhat, declaring that encryption software would no longer be considered a munition, unless it was created specifically for military purposes, and allowing manufacturers to incorporate stronger encryption into their products as long as they committed to systems that allow the government to recover keys.

Where It Stands

In the House, Representative Goodlatte is the champion of the anti-restriction movement, having authored legislation that would greatly relax U.S. export controls and outlaw any attempt to limit domestic encryption.

But his measure hit a big snag after Freeh made his concerns public last year.

In the Senate, Montana Republican Conrad Burns is pushing legislation similar to Goodlatte's, but John McCain (R-Ariz.) and Robert Kerrey (D-Neb.) are promoting a bill that is closer to the FBI's position.

Vice President Al Gore recently assumed a more visible role in the encryption debate by attempting to broker an agreement that suits high-tech companies, privacy advocates and federal law enforcement and intelligence officials.

But finding a way to guarantee law enforcement the ability to snoop without damaging the commercial viability of cryptography or the civil liberties of Americans remains an enormous challenge – both technologically and legislatively.

Dan Froomkin can be reached at froomkin@washingtonpost.com; Amy Branson can be reached at AKBranson@legislate.com.

LEGI-SLATE, Inc., is a Washington Post Co. subsidiary that provides online information about legislation and regulations.