Encryption Special Report
Navigation Bar
Navigation Bar

 Key Stories
 Key Players
 Links and

Encryption Graphic
Encryption: Who Will Hold the Key? Two Bills Reflect the Split Over Restrictions

By Elizabeth Corcoran
Washington Post Staff Writer
Monday, August 4, 1997; Page F15

Area software companies and government agencies whose stock in trade is the ones and zeroes of data scrambling have their eyes trained on Capitol Hill this summer. There two conflicting bills are going head-to-head in an effort to set government policy toward the ever-more complex issue of privacy in the electronic age.

At issue: How tightly should the government regulate the digital means of protecting information, known as encryption technology?

One bill, emerging from the House of Representatives, champions loosening existing restrictions. The other, coming from the Senate, would promote a plan to provide law enforcement agencies with "spare keys" to unlock scrambled information after obtaining court orders. The agencies are fearful that criminals and terrorists will use the technology to cover their tracks.

The only sure bet is that there will be some surprising twists before the votes are counted. One occurred just last week: Dorothy Denning, computer science department head at Georgetown University and one of the few academics to defend the existing restrictions, released a study that has led her to express open doubts about the effectiveness of restricting encryption.

"Law enforcement is right," said Denning, whose report was disclosed by the San Jose Mercury News. "We're at the beginning of what will be a bigger problem" of criminals using encryption. That said, trying to push the use of "spare keys" may not solve the government's problem. Such solutions "could also be incredibly burdensome and costly, and involve a certain amount of risk to the people whose data is encrypted," she said.

"I still don't know what the right policy move is on all this," Denning added.

Encryption is becoming a big business because in a world where information is as valuable as gold, people want to have some way to lock it up. The locks of this world are abstract mathematical formulas, called encryption algorithms, that make a digital message or file look like gibberish to those without the proper "key."

That's great for people who own information – and a potential headache for law enforcement and national security officers, who worry that terrorists, spies and thieves will use such technology to hide what they're doing.

For years the federal government has enforced rules restricting the export of encryption technology. Officials contend that this helps ensure that U.S. intelligence agencies will continue to be able to intercept foreign communications, a major consideration in national security.

Critics say those export controls are likely to be futile – software, which is easily transmitted over the Internet or on floppy disks, can't be controlled the way tanks or jet fighters can, they say.

While restricting foreign sales, the Clinton administration has long promised it would not restrict use of such technology within the United States, where there are strong legal protections for privacy. But the government hasn't been shy about trying to influence indirectly what happens domestically.

Export restrictions can affect what is sold here, industry executives say, because companies find it costly to offer separate products in different markets. So they've tended to sell the simpler, exportable products both within the United States and abroad.

And the administration has spent five years trying to wangle a deal with the industry and privacy groups that would preserve law enforcement agencies' ability to peek into computer files and electronic messages.

The way to do this, the government argues, is to keep spare "keys" to scrambled files in special places where government agents could get them when they suspect wrongdoing and have the proper court authorization. The keys would be held at "key recovery centers."

They would also be handy to organizations that scramble files, the government says. In case an employee forgets a key or gets hit by a truck, a spare would be available.

So far, there are few working examples of such key recovery centers. The firm furthest along in creating them is Trusted Information Systems Inc. of Glenwood, which has set up a key recovery center for Royal Dutch Shell in the Netherlands, and is working with a number of other companies.

Enter Congress. In the House, Rep. Bob Goodlatte (R-Va.) has proposed a bill that now has 253 co-sponsors – enough to win approval on the House floor. It would loosen the export restrictions. Companies would be free to establish centers for storing spare keys but government would not take an active role in promoting them.

The bill says the real way to help law enforcement in this field is to encourage people to use strong encryption. Well-scrambled bank records, for example, would make it that much harder for electronic criminals to steal money. "If an ounce of prevention is worth a pound of cure, then an ounce of encryption is worth a pound of subpoenas," Goodlatte told a House subcommittee in May.

That bill worries the administration. In mid-June, Louis J. Freeh, director of the Federal Bureau of Investigation, told members of the Senate Judiciary Committee that if encryption technology without spare keys is widely used, it will "ultimately devastate our ability to fight crime and prevent terrorism."

Freeh would like to see the government continue to prod industry toward key recovery centers. "We don't believe we can leave [encryption policy] solely to market forces," Freeh told the Judiciary Committee. "There needs to be a government policy. . . ."

But he stopped short of calling for a domestic requirement. "There's a big difference" between what the government is pushing and a mandatory policy, he told The Washington Post. People "still don't have to use" key recovery centers, he added.

In the Senate, a bill proposed by Sens. Robert Kerrey (D-Neb.) and John McCain (R-Ariz.) would reduce export restrictions on some types of encryption, but create "incentives" for the public to use key recovery centers. For example, the bill would require people sending encrypted information to the federal government to use key recovery systems. The bill would also make using encryption to commit a crime a separately punishable offense.

That bill still frustrates industry, which contends that key recovery centers are not practical. They would largely be used by law-abiding citizens and companies, critics say. Terrorists and criminals would still be able to get tough-to-break encryption from overseas sources.

To her surprise, Georgetown University's Denning found that a recent study she conducted with William Baugh Jr., a vice president at the Science Applications International Corp. in McLean, confirmed some of the industry's points.

Denning and Baugh counted at least 500 criminal cases around the world in which encryption played a role, and they estimate that the number is growing at an annual rate of 50 percent to 100 percent. "Quite a few people [are] technically sophisticated," Denning said, and either creating their own encryption programs or electronically fetching programs via the Internet.

Even so, "by and large, people in law enforcement have been able to pursue the investigation anyway," she said. Sometimes the encryption programs used weren't that powerful. Other times, someone under investigation handed over the keys. And other times, law enforcement found enough evidence that they didn't need the information that had been scrambled.

"So as a result of that . . . [you] have to ask the question is legislation necessary and how effective would it be?" Denning said.

When Congress returns from its summer break, that question is precisely what it will debate.

© Copyright 1998 The Washington Post Company

Back to the top

Navigation Bar
Navigation Bar
yellow pages