It’s just weeks after the hijacking attacks on New York and Washington, D.C., and I know that a lot of Americans are feeling just what I feel. We’re ready to make sacrifices in order to force those who committed these acts to face justice, and to do what we can to prevent such catastrophes from happening again. But is secure encryption the thing we need to be giving up? On that score, I have to say the answer is a big No.

Encryption — the science and technology of encoding data so that they can’t be read by unintended parties — is beloved by privacy advocates, e-commerce companies and traditional business interests like banks. Encryption makes it possible to use an open, robust network like the Internet for secure, private transactions and communications. And in a world where technological advances have tended to erode our privacy, many of us regard it as salutary that at least one such advance, encryption, makes it possible to reclaim some of what we’ve lost.

Of course, any technology that makes it possible to keep legitimate communications utterly private also empowers criminals and terrorists to keep their conspiracies private. And both law enforcement and intelligence organizations, fearful that they may not be able to guarantee effective wiretaps (or the e-mail equivalent), have long resisted encryption altogether, or have sought to restrict it. Typically, they have raised the specter of a terrorist attack on the United States — one that could not be detected or investigated because of securely encrypted communications.

It was no surprise that, in the first days following the September attacks, Sen. Judd Gregg, R-N.H., called for global restrictions on encryption technology without a built-in “back door” allowing law enforcement access.
Manufacturers of encryption software and hardware products “should understand that as a matter of citizenship, they have an obligation” to provide law enforcement with the means of cracking the encryption, subject to a court order, according to Gregg.

Gregg and other legislators who have opposed strong encryption did not present any anti-encryption measures to Congress in the first wave of legislative responses to the World Trade Center and Pentagon disasters. But some Hill-watchers say they are confident of seeing such proposals in the second or third wave. And Gregg himself says that he is drafting a bill.

As it happens, what we know of the investigation of the Sept. 11 attacks as of press time — and already we’ve learned a lot — shows that encryption technology doesn’t seem to have played a central role in the conspiracy. So far as we know, none of the computer evidence — literally hundreds of e-mail messages in various abandoned or seized computers — has been encrypted. Still, it’s widely believed that Osama bin Laden and other terrorists do use encryption tools.

But is encryption itself the threat the government says it is? The fear that it poses a threat has driven American encryption policy for more than two decades, and, in the wake of the World Trade Center attack, may drive it again. (Full disclosure: In the 1990s, I worked for the Electronic Frontier Foundation and am now a policy fellow at the Center for Democracy and Technology, two organizations that oppose strong regulation of cryptography.)

Three decades ago, the United States had no general public policy on encryption, or on cryptography. It was the province of intelligence agencies and nobody else. But by the late 1970s, the political landscape concerning cryptography had changed massively. Suddenly, it was dominated by a single, monolithic policy — Stop the Spread of Cryptography At All Costs. The new policy was born in a panic.
In the mid-1970s two American cryptographers, Whitfield Diffie and Martin Hellman, invented “public-key cryptography,” which made widespread encryption more practical. Although e-mail was not yet widespread, Diffie and Hellman anticipated the development of the networked society in which we now live. Diffie and Hellman were not in the pay of the intelligence agencies, and therefore their work had not been instantly classified.

This development of a public, academic science of cryptography — and the resulting colloquy concerning it — was accompanied by an equally dramatic drop in the cost of computing. By the early 1990s, for the first time in history, ordinary individuals with desktop PCs had the potential to encrypt their messages or data to a degree that, only a few decades before, had been solely within the reach of the government. In this new era, there were no guarantees that the cops and intelligence community would be able to figure out what a criminal or terrorist was saying even if they’d intercepted an e-mail communication.

At the same time, telephone companies were computerizing their networks and services — raising the possibility that phone calls, too, might be routinely encrypted. Government wiretaps — or at least effective ones — looked as though they were about to become a thing of the past.

The Bush administration’s response in the early 1990s was twofold. The first part was its “Digital Telephony” initiative, which would require phone companies to structure their networks to facilitate wiretapping. In a 1992 memo, released as the result of a Freedom of Information Act request, former National Security Adviser Brent Scowcroft wrote: “Success with digital telephony will lock in one major objective; we will have a beachhead we can exploit for the encryption fix; and the encryption access options can be developed more thoroughly in the meantime.” This plan was adopted without significant change by the Clinton administration when it took over in 1993.
Within two years, the digital telephony initiative had become law, in the form of the Communications Assistance to Law Enforcement Act.

The so-called encryption fix turned out to be harder to implement. In the spring of 1993, the Clinton administration introduced the “Clipper Chip” program, in the hope that it would steer the growing market for computer security in the right direction. The Clipper Chip was a hardware device that would encrypt phone messages but also enable law enforcement and intelligence agencies to recover the content of those messages. Each Clipper Chip had a back-door key that would be held in escrow by a trusted government agency. The proposal ignited a firestorm of public criticism of the administration from many political sectors.

By 1996 the Clinton administration had abandoned the Clipper Chip, but it continued to lobby both domestically and abroad in favor of software-based “key-escrow” encryption standards that would enable law enforcement and intelligence agencies to recover encrypted data. This effort was marginally successful abroad. But domestically there was little acceptance of the administration’s push for key-escrow standards, now relabeled “key recovery.”

By late 1999, what once was a monolithic American cryptography policy was reduced, more or less, to rubble, thanks in part to the presidential candidacy of Al Gore. Gore, who at one point had backed key-escrow schemes, now assured potential supporters among the leaders of high-tech industries that he was pro-crypto. The high-tech community also successfully persuaded policy makers that export controls hurt their ability to sell in foreign markets. By 1999 the export restrictions had been all but eliminated.

Even so, in late 1999, Center for Democracy and Technology Director Jerry Berman warned that “one terrorist incident involving encryption could change the landscape.”

Are the Sept. 11 attacks, which don’t seem to have involved encryption, nonetheless such a landscape-changing incident? Maybe, although most aspects of the conspiracy seem to have been frighteningly and inventively low-tech. (Who needs guns when you have box cutters? Who needs explosives when you have jet fuel?) Worse, there seems in retrospect to have been lots of publicly available evidence beforehand — unprotected by encryption — that this conspiracy was being executed. The problem was less the conspirators’ efforts at concealment than the government’s failure to know where to look.

Nevertheless, the sheer magnitude and horror of the event have already forced policy makers to rethink everything they thought they knew about what kinds of policy will make the nation secure.

What scares policy makers about encryption is that it’s something new. The hijackers’ conspiracy was facilitated by cheap motels, cell phones, taxicabs, and plain old untraceable paper currency. While we won’t be seeing efforts to make taxicabs and currency less useful to terrorists, we are likely to have a debate over whether strong, uncrackable encryption should be allowed. If the question is framed this way — “Would you be willing to give up totally secure encryption if by doing so you’d enable the government to prevent future attacks like those on the World Trade Center and the Pentagon?” — you can bet that most policy makers, and the general public, will quickly trade away that privacy-enhancing technology.
But I think the question should be framed this way: “Would you give up encryption, even though there’s no guarantee that doing so would improve anti-terrorism efforts, and even though doing so would make your own communications and networks more vulnerable to attack from criminals and terrorists, and even though our law enforcement and intelligence communities don’t seem to be able to sort effectively through the information they already are able to collect with the broad powers they have under existing law?” Okay, that’s a heck of a long question. But I think my short answer — No — is the right one.

Mike Godwin is chief correspondent of IP Worldwide, a sibling publication of American Lawyer Magazine. E-mail: [email protected]

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.