Cryptographic Issue Statement

by Jason Hillyard

On June 5, 1991, Philip Zimmerman released a computer program called PGP to the world. PGP, which stands for "Pretty Good Privacy", is an encryption program, a bunch of bits and bytes which Zimmerman himself calls "guerrilla software". It was written in response to what he perceived as a threat to our privacy-- the proposed Digital Telephony legislation pushed by the FBI and the Department of Justice. This software engineer decided to take direct action. He wrote a high quality encryption program and gave it away for free. Today there are versions of PGP available for all kinds of computers, from Macs to VAX, and programmers all over the world are working on future versions.

Zimmerman's actions can be seen as a strong affirmation that cryptography has gone public. What was once the exclusive domain of the NSA and military signal intelligence experts has become a thriving field of academic inquiry, and it has been for twenty years. Now encryption is starting to hit the street. Our personal computers are perfectly capable of providing us with the type of communications security once reserved for the military and intelligence communities. The digital telecommunications networks we will become personally acquainted with in near future will also provide more opportunities for the public use of encryption.

Recently, however, there has been a growing public debate about how strong encryption technology should be and who should be able to use it. One major player in this debate is the federal government. Different gears in the federal machine are squeaking for different reasons. The executive branch wants to build its "information infrastructure". The FBI wants to keep its ability to easily eavesdrop on telephone conversations. The NSA must preserve its position as supreme code maker and code breaker. In the past few years a new brand of civil libertarian has also vigorously joined the debate. Public-interest groups such as the EFF (Electronic Frontier Foundation) and CPSR (Computer Professionals for Social Responsibility) seek to ensure our privacy and civil liberties are not compromised by new technologies. They are challenging the government's attempt to influence the public use of encryption.

I would also like to introduce a third player in the debate-- the "technicians". These are the computer scientists and engineers who develop, design, and implement encryption systems. As the ones who will actually be building the encryption and telecommunication systems of the future, we have a unique position to take a leading role in the debate. Rather than blindly accept government standards and regulations, we should examine the issues and decide for ourselves how encryption technology should be used.

FREEDOM TO COMMUNICATE

The fundamental question boils down to this: How much access should the government have to our personal communications? This presents a trade- off between the obligations of the government to protect national security and the rights of the citizens to privacy and free speech. Proponents of government control insist restrictions on encryption technology are necessary to conduct lawful investigations of terrorists, drug dealers, and gangsters. Opponents cry out that any restrictions intrude on our right to privacy and right to free speech.

These arguments are currently being made in the debates on encryption technology and the Digital Telephony proposal. I tend to side with the freedom of speech argument-- but with a twist. The real issue at stake is communication. Simply put, we should have the freedom to communicate, in any way we wish by whatever medium we wish. If that means communicating so nobody else can understand us, so be it. This is not about restricting freedom of speech. As the proponents of government control point out, there are restrictions on our freedom of speech. People cannot make slanderous or libelous remarks. There are laws against "obscenity". But restrictions on freedom of speech deal with speech which can be understood- - the restrictions are based on content. What about speech which nobody, except the parties who are speaking, can understand? How in the world could that speech be restricted for it's content?

It can't. Restrictions on encrypted speech would prevent speech simply because it had the potential to be obscene, the potential to be libelous, the potential to be a threat to national security. The idea of the government restricting speech simply because it has the potential to be dangerous is a drastic expansion of government power. Restrictions on encryption technology, whether by export control or government-influenced standards essentially result in restrictions on encrypted speech.

DEMAND A LEVEL PLAYING FIELD

Many people won't agree with me-- but that's fine. As technicians we should examine the issues and decide for ourselves how encryption technology should be used. Upon making that decision, we can design systems to deal with the issues and satisfy the needs of the public. If one engineer wants to design an escrowed key system, that's fine. If another wants to design a highly secure system, that's fine.

However, the federal government is ready to decide for us what kind of communication systems we must design. That is why we must take a stand and demand what I call a "level playing field" when it comes to communication technology. The technology we design should be built to meet the specifications of those who use it. The purpose of the technology should not be manipulated for the political benefits of a few, as the Digital Telephony proposal would do. Communication networks should be designed to facilitate communications between interested parties. They should not be designed to facilitate communications between interested parties and provide the cops lawful access to those communications. Encryption systems should be designed to provide the best security possible for a given application. They should not be designed to provide the best security possible, but no security when law enforcement has warrant to tap the line. The law enforcement agencies have no place in demanding special consideration when it comes to developing or providing communications technology for the public.

The government should also realize that changes in technology will change the way law enforcement does its job. That's the way the game will be played on the level playing field. Our access to technology is based on how much time, money, and skill we have available. The FBI should and does use the technology it feels necessary to do its job better. And hey, the drug dealers also use technology: fast cars, cellular telephones, beepers.

But should we not develop certain benign technologies simply because the bad guys will use them? That's a decision the engineers should make, not the government.

STANDARDIZE IT

Given this, industry should take the initiative to design and develop authentication and encryption products to meet public demand. They could start by developing some international standards. Interestingly, the government always seems to be there when encryption standards are developed. This is not true for other telecommunications standards. What normally happens is that a standards organization, such as the International Telecommunications Union or the International Standards Organization, gets together and decides on the specifications for a proposed standard. Then various companies go to work on their various solutions and propose them to a committee. After a debate, the committee decides on a standard. The government never plays a part.

But for some reason, the NIST and the NSA feel they have been given the authority to develop encryption standards. They were involved in the design of Data Encryption Standard and the Digital Signature Standard. Now the NSA helped design the Clipper Chip. This leads to possible conflicts of interest, since the NSA is tasked with making codes for public use as well as breaking codes. But the government involvement is totally unnecessary. Sure, the government should make its own standards for government communications. But it's about time for industry to develop their own authentication and encryption standards and implement these standards, without any meddling from the government.

Even if the export restrictions persist, international industry standards would encourage international development. If U.S. companies can't provide secure products for Americans, we could get compatible products from other countries. Or better yet, multinationals like Motorola or AT&T could develop standard encryption devices overseas, for overseas markets as well as domestic markets.

ENCRYPTING THE FUTURE

Unfortunately, I believe it would be very difficult for the technicians to accomplish this in the present political climate. One engineering professor I spoke with suggested it would be even more difficult to create an international encryption standard, since foreign governments would have similar motivations to repress encryption technology. However, as engineers and computer scientists, we should exercise our professional authority on the technical issues and get involved in the policy debate. It's about time cryptography was treated as a science and not a secret. It's about time the use of cryptography was treated as a telecommunications issue, not a national security issue. As technicians, we will be the ones building the communication systems, and we

have the final say if we wish to take a stand.

Jason Hillyard 5/25/93
P.O. Box 14685
Santa Barbara, CA 93107
805-968-1771