By Elizabeth Corcoran
A big test of that statement is emerging in cryptography, the business of scrambling information so that it looks like gibberish to anyone lacking the keys for unlocking the code.
Once considered an arcane subspecialty of mathematicians and espionage, cryptography is rapidly becoming big business as more and more of the world's information is exchanged on electronic networks and as more and more people want to protect their data from prying eyes.
But in these times of international terrorism, drug trafficking and sometimes peculiar financial transactions, law enforcement agencies want to be able to legally eavesdrop. As technology has grown dramatically more powerful, the ability to peek at encrypted information is slipping from the hands of government.
That balance how much access can government demand versus how much privacy others want has long been a theological debate between civil liberties advocates and worried law enforcement officials.
Now, giddy with the growth of the Internet, technology companies have joined the debate. Both the software industry and civil liberties advocates believe powerful encryption will spur the growth of electronic communications and the Internet. And they don't want encryption restrictions to curb that growth.
There are no limits on what kinds of encryption people can use within the United States. But the government has used export restrictions to try to shape what encryption technology is used internationally, and by extension, what is available in the United States. Those export laws prohibit U.S. companies from selling their best technology overseas.
The restrictions, companies contend, slow the development of the Internet and harm a potentially lucrative market for U.S. manufacturing. Making two flavors of an encryption product, U.S. companies contend, is expensive. Yet even more worrisome is that foreign competitors are likely to move in and offer better technology. That could spell the loss not just of sales of encryption technology, but of many other products that rely on strong digital protection as well.
So companies are looking hard for ways to wriggle around the rules and beginning to find them.
"Trying to suppress this technology is like Prohibition," said Whitfield Diffie, a cryptographer at Sun Microsystems Inc. and an outspoken advocate of widespread use of encryption technology. Companies will use anything at hand technology, business strategies and even the promise of congressional action to begin to get their home-brews out.
Building and breaking encryption is hard. All information stored in computers whether pictures or sounds or documents is represented by ones or zeros or bits, the genetic code of the digital world. Encryption techniques amount to applying clever mathematical formulas to a collection of bits to make it look like gibberish to the uninitiated.
Unlocking encrypted data requires a "key," a mathematical formula that can make sense of the tricks used to scramble the data. One common way to measure the sophistication of an encryption scheme is by the number of bits in the key. The more bits, the harder it is to decode the information.
A 30-bit key, for instance, could take as many as a billion random calculations to crack the code. A 60-bit key could take a billion-times-a-billion calculations.
In past decades, governments were largely the only organizations with the money and need to tackle such expensive problems. But as the power of computers has soared and the cost of running millions of calculations has fallen companies and individuals have begun to clamor for sophisticated encryption.
"We believe that encryption is a critical technology" to support many areas of electronic commerce, said Craig Mundie, a senior vice president at Microsoft Corp.
Under current rules, U.S. companies can export encryption technologies that use up to 40-bit keys. A few years ago, such a lock might have stopped all but the most determined digital interlopers.
No more. Within the past year, graduate students at the Ecole Polytechnique in Paris and others at the Massachusetts Institute of Technology have shown they can break the 40-bit encryption used by Netscape Communications Corp. A few weeks ago, Diffie and six other well-know cryptographers began circulating a report in which they argue that to "adequately" protect information for the next 20 years, keys should be as long as 90 bits.
Even encryption wizards at the National Security Agency would have trouble unlocking 90-bit encrypted information, experts say.
So the government has tried to craft a compromise. Last summer, the government suggested that it would likely let companies use up to 64-bit encryption provided they set up a way for law enforcement agents, with a court order, to unlock encrypted information.
Under this proposal, a "trusted third party," such as a bank or an encryption company that typically handles sensitive information, would safeguard the key. The plan has since bogged down over such details as precisely who might qualify as a trusted third party.
Last fall, Trusted Information Systems (TIS) in Glenwood, Md., in what it calls a test case, applied for a license to export a sophisticated (and still unexportable) 56-bit encryption system called DES. Steve Walker, who heads TIS, has invested months in outlining the sort of spare-key program that he believes both the government and his customers can stomach. In late January, he got approval to ship his product to Britain.
"It's not perfect; it's not where we want to be," Walker insisted. He purposely submitted a case, he said, that was virtually certain to meet the government's still evolving criteria. "But it's a first, giant baby step," he said.
Others are uneasy with putting the means to unlock files in the hands of a "trusted third party."
"Ask anyone who owns a business: Are they willing to give copies of a spare key that leads to everything sensitive in their company to a third party?" said Jim Bidzos, chief executive of RSA Data Security Inc., a leading encryption firm.
But government officials get nervous if the only keys to the scrambled material are held by its owners. Ed Roback, an encryption policy specialist at the National Institute of Standards and Technology, puts it this way: "I know of few front doors that can't be broken down. It's a little different with encryption," when it literally might take 10,000 years to break the code without the key.
Roback and law enforcement officials say they'd be delighted to see Americans make more use of encryption, particularly if spare keys were held by a third party. "This nation, more than any other, relies on computers . . . [so] there's a lot of vulnerability and encryption can help that," Roback said. "So it's a good thing but it can present a problem for national law enforcement."
But momentum in the United States could swing toward widespread use of sophisticated encryption without spare keys if such technology was widely available. That's just what a recent announcement from Microsoft could help spur.
In January, Microsoft told developers it had created a module in its operating system software that will let applications such as word processing programs or spreadsheets "plug in" to encryption technology.
An application developer who built a software program for filing expense accounts would not have to add encryption to his product. Instead, the developer would need only to write a small program that taps the encryption technology available through the operating system.
The strength of the encryption program could vary. Microsoft plans to include a 40-bit code with the version of Windows used principally by companies (called Windows NT). That encryption technology would be easy to export. But Microsoft also is encouraging other encryption firms, including RSA and TSI, to build more sophisticated encryption modules that could be used in the United States.
Commercial products that take advantage of the new function are not likely to appear until the end of the year. But Microsoft is hoping it will spur more widespread use of encryption. "The single most pressing problem for electronic commerce is to create a secure payment structure," Mundie said and Microsoft is hoping to accelerate that work.
RSA's Bidzos is among those in industry who would love to see the government give up on trying to control encryption technology. He worries that other countries are gearing up to snatch a big role in selling encryption while his company and other U.S. businesses remain entangled in U.S. policies.
So he's testing the rules. Early this month, RSA announced that it had created subsidiaries in the People's Republic of China and in Japan. In China, RSA partners include the Chinese government. Bidzos plans to do joint research on encryption software with scientists there.
Although Bidzos says he is planning to export only the approved, 40-bit encryption technology to his Chinese colleagues, "one genuine concern is that they might try to strengthen it themselves," he said. "It would be hard to do but not impossible. I've never had a conversation with [the Chinese] about it," Bidzos added.
In addition, the Chinese have some interesting ideas of their own about new areas of cryptography, Bidzos said. "They're pretty advanced." And if the group developed more powerful techniques than even RSA has in the United States? Bidzos shrugged. RSA would likely take any promising ideas and develop them into products in the United States. As for Chinese export restrictions, "I haven't thought about it," he said.
Industry also is fanning Congress's interest in taking a bigger role in the encryption debate. "Without congressional interest, the administration has no reason to liberalize exports at all," said Becca Gould, director of policy at the Business Software Alliance. "This issue is in Congress's front yard because it affects the economy" as well as U.S. citizens' privacy rights.
Sen. Patrick J. Leahy (D-Vt.) and Rep. Robert W. Goodlatte (R-Va.) agree. They plan to introduce bills in the Senate and House aimed at loosening the restrictions on encryption. "The federal government is taking an attitude that's based more in the 1970s than in present time," said Leahy in a telephone interview.
"This is a matter that should be decided by legislation," he added. "We're talking about billions of dollars in revenues and thousands of jobs if we're handicapped in our global market, especially if what we're told to do is to build an export encryption program that is so outdated that our 12-year-old computer experts would laugh at it."
The bills would do away with export licenses for any encryption technology considered to be "generally available," or "in the public domain." Leahy said that although he, too, worries about national security and terrorism, trying to bottle up technology won't solve the problem.
Law enforcement has "got to figure out how to keep ahead . . . and surprise, surprise, there will be sometimes when we won't be able to eavesdrop," Leahy said. Even now, criminals can make calls at pay telephones or avoid detection in other ways. The government shouldn't cripple the computer industry every time a new technology springs up that challenges law enforcement, he said.
"What I'm suggesting is that if [the administration] works with the Congress, we'll find a solution," Leahy said.
"We say over and over that we recognize that this is a very difficult issue," Roback said. But, he added, "the government has thought about [encryption policies] for a long time as well as industry," he said. To reach some resolution, he added, "compromise is going to be necessary on all fronts."