
[FYI] (Fwd) Crypto doesn't kill--people do




------- Forwarded message follows -------
Date sent:      	Sun, 30 Sep 2001 17:58:35 -0400
To:             	Digital Bearer Settlement List <dbs@philodox.com>,
	dcsb@ai.mit.edu, cryptography@wasabisystems.com
From:           	"R. A. Hettinga" <rah@shipwright.com>
Subject:        	Crypto doesn't kill--people do

http://news.cnet.com/news/0-1272-210-7320099-1.html

Crypto doesn't kill--people do
By Charles Cooper
September 28, 2001

In June 1991, Phil Zimmermann sent the first release of Pretty Good
Privacy, an e-mail encryption program he developed, to a couple of
buddies who uploaded the code to the Internet.

Within a very short time, PGP had been ported to nearly every computer
platform out there in many different foreign languages as people
latched onto something that would help them maintain their electronic
privacy in an ever-more-connected world.

Some folks in powerful positions were not of a similar mind, and a
controversy was born as Zimmermann quickly became the subject of a
criminal investigation by the U.S. Customs Service. The probe came
about because of suspicions that Zimmermann had violated a federal
regulation proscribing the illegal export of munitions--even though
the code was up there on the Internet for anyone to download.

Simply put, the feeling inside the federal bureaucracy was that PGP
was potent enough to be lumped together with rocket-propelled grenades
and advanced jet aircraft, and this was just not acceptable.

Calmer voices ultimately prevailed, and the investigation was finally
closed without indictment in 1996.

But in the aftermath of the Sept. 11 suicide bombings in New York and
Washington, some people want to require U.S. software companies to
build so-called backdoors into their products. New Hampshire Sen. Judd
Gregg has been at the forefront of the debate, allowing that even if a
perfect solution isn't attainable, Congress shouldn't sit idly by
since perfection isn't attainable, in any case.

To be sure, terrorists can use encryption to hide their activities
from the likes of Interpol, the CIA or any other snoopy intelligence
gatherer. Ramzi Yousef, who was convicted of planning the 1993 World
Trade Center bombing, was found to have used encryption to shield his
plot to blow up U.S. airplanes while they were en route to this
country over the Pacific. Thus the temptation to reopen the 1990s' key
escrow debate.

But would we then all be better off if law enforcement agencies had
keys to unlock encrypted messages? It's a philosophical issue that was
never firmly answered because market realities intervened. At the
time, consumers and companies steadfastly balked at the prospect of
using software that included built-in backdoor access for the feds.
The Clinton administration realized it was on a fruitless mission and
dropped the issue.

So I'd like to take a stab at explaining why requiring backdoor access
to encryption software is a non-starter:

* First off, it's a quick-fix, feel-good measure that won't make a
whit of difference when it comes to stopping the bad guys. Terrorists
don't need U.S. encryption technology. Code makers long ago broke
ahead of the code breakers, and the fact is that the knowledge of
cryptography has since spread far and wide. Remember that Zimmermann
wrote PGP from information that was readily available in the open
literature at the time.

I doubt whether the Osama bin Ladens of the world are so dumb that
they would use software that has already been compromised. No doubt
there are any number of capable computer scientists in the Middle East
and Central Asia whom these groups can turn to in a pinch for
technical assistance.

* Then there are the obvious civil-liberty objections. Presumably,
backdoor access would be limited to instances in which the authorities
need to track e-mail communications between terrorists. The problem
here is that you never know which way the wind is going to blow. Once
surveillance tools receive legitimization, who can guarantee that
they'll always be used in enlightened ways by an administration in,
oh, how about the year 2084?

* The competitive angle: If U.S. companies are forced to play by
these rules, rest assured there are foreign companies aplenty that
will get around the Americans' export ban. Network defense is
something governments are keen on. Consulting company Frost & Sullivan
estimates that sales of encryption technologies to government and
military agencies around the world will soar to $457.6 million in 2007
from the current $176 million.

Assessing the blame
The fear now is that encryption technology will be unfairly singled
out in the debate over how to guard against future terror attacks.

A recent story in The Washington Post, for example, misrepresented
Zimmermann's views on the role PGP encryption may have played in the
terrorist attacks. Still, I suppose that a lot of people may be ready
to believe that encryption played a role in the deaths of the victims
on Sept. 11. It's a flight of logic that makes as much sense as
pointing a finger of blame at Boeing, the company whose giant aircraft
destroyed thousands of lives in a matter of minutes.

In this ever-smaller world of ours, there are few tools that people
can't misuse to fulfill their own evil purposes. Nuclear power can be
used to provide cheap electricity to towns and cities; it also can be
used to build atomic bombs.

In the end, we're left with the unsatisfying conclusion that partisans
on both sides of the debate were right about encryption. PGP has
become the way for people--and that includes the bad guys--to encrypt
their e-mail.

But there's no way--or at least none that I've heard about--to stop
the use of encryption. The hard truth is that the encryption genie has
escaped from the bottle. Somebody indeed deserves to shoulder the rap
for the suicide bombings of Sept. 11, but it's not Phil Zimmermann. If
he hadn't invented PGP, rest assured that somebody else would have.


Copyright 1995-2001 CNET Networks, Inc. All rights reserved.

--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



------- End of forwarded message -------