Cryptographic Issue Statement
by Jason Hillyard

On June 5, 1991, Philip Zimmermann released a computer program called
PGP to the world. PGP, which stands for "Pretty Good Privacy", is an
encryption program, a bunch of bits and bytes which Zimmermann himself calls
"guerrilla software". It was written in response to what he perceived as a
threat to our privacy-- the proposed Digital Telephony legislation pushed
by the FBI and the Department of Justice. This software engineer decided
to take direct action. He wrote a high quality encryption program and gave
it away for free. Today there are versions of PGP available for all kinds
of computers, from Macs to VAX, and programmers all over the world are
working on future versions.

Zimmermann's actions can be seen as a strong affirmation that
cryptography has gone public. What was once the exclusive domain of the
NSA and military signal intelligence experts has become a thriving field of
academic inquiry, and it has been for twenty years. Now encryption is
starting to hit the street. Our personal computers are perfectly capable
of providing us with the type of communications security once reserved for
the military and intelligence communities. The digital telecommunications
networks we will become personally acquainted with in the near future will also
provide more opportunities for the public use of encryption.

Recently, however, there has been a growing public debate about how
strong encryption technology should be and who should be able to use it.
One major player in this debate is the federal government. Different gears
in the federal machine are squeaking for different reasons. The executive
branch wants to build its "information infrastructure". The FBI wants to
keep its ability to easily eavesdrop on telephone conversations. The NSA
must preserve its position as supreme code maker and code breaker. In the
past few years a new brand of civil libertarian has also vigorously joined
the debate. Public-interest groups such as the EFF (Electronic Frontier
Foundation) and CPSR (Computer Professionals for Social Responsibility)
seek to ensure our privacy and civil liberties are not compromised by new
technologies. They are challenging the government's attempt to influence
the public use of encryption.

I would also like to introduce a third player in the debate-- the
"technicians". These are the computer scientists and engineers who
develop, design, and implement encryption systems. As the ones who will
actually be building the encryption and telecommunication systems of the
future, we are in a unique position to take a leading role in the debate.
Rather than blindly accept government standards and regulations, we should
examine the issues and decide for ourselves how encryption technology
should be used.

FREEDOM TO COMMUNICATE

The fundamental question boils down to this: How much access should
the government have to our personal communications? This presents a trade-
off between the obligations of the government to protect national security
and the rights of the citizens to privacy and free speech. Proponents of
government control insist restrictions on encryption technology are
necessary to conduct lawful investigations of terrorists, drug dealers, and
gangsters. Opponents cry out that any restrictions intrude on our right to
privacy and right to free speech.

These arguments are currently being made in the debates on encryption
technology and the Digital Telephony proposal. I tend to side with the
freedom of speech argument-- but with a twist. The real issue at stake is
communication. Simply put, we should have the freedom to communicate, in
any way we wish by whatever medium we wish. If that means communicating so
nobody else can understand us, so be it. This is not about restricting
freedom of speech. As the proponents of government control point out,
there are restrictions on our freedom of speech. People cannot make
slanderous or libelous remarks. There are laws against "obscenity". But
restrictions on freedom of speech deal with speech which can be understood--
the restrictions are based on content. What about speech which nobody,
except the parties who are speaking, can understand? How in the world
could that speech be restricted for its content?

It can't. Restrictions on encrypted speech would prevent speech
simply because it had the potential to be obscene, the potential to be
libelous, the potential to be a threat to national security. The idea of
the government restricting speech simply because it has the potential to be
dangerous is a drastic expansion of government power. Restrictions on
encryption technology, whether by export control or government-influenced
standards, essentially result in restrictions on encrypted speech.

DEMAND A LEVEL PLAYING FIELD

Many people won't agree with me-- but that's fine. As technicians we
should examine the issues and decide for ourselves how encryption
technology should be used. Upon making that decision, we can design
systems to deal with the issues and satisfy the needs of the public. If
one engineer wants to design an escrowed key system, that's fine. If
another wants to design a highly secure system, that's fine.

However, the federal government is ready to decide for us what kind
of communication systems we must design. That is why we must take a stand
and demand what I call a "level playing field" when it comes to
communication technology. The technology we design should be built to meet
the specifications of those who use it. The purpose of the technology
should not be manipulated for the political benefits of a few, as the
Digital Telephony proposal would do. Communication networks should be
designed to facilitate communications between interested parties. They
should not be designed to facilitate communications between interested
parties and provide the cops lawful access to those communications.
Encryption systems should be designed to provide the best security possible
for a given application. They should not be designed to provide the best
security possible, but no security when law enforcement has a warrant to tap
the line. The law enforcement agencies have no place in demanding special
consideration when it comes to developing or providing communications
technology for the public.

The government should also realize that changes in technology will
change the way law enforcement does its job. That's the way the game will
be played on the level playing field. Our access to technology is based on
how much time, money, and skill we have available. The FBI should and does
use the technology it feels necessary to do its job better. And hey, the
drug dealers also use technology: fast cars, cellular telephones, beepers.
But should we not develop certain benign technologies simply because the
bad guys will use them? That's a decision the engineers should make, not
the government.

STANDARDIZE IT

Given this, industry should take the initiative to design and develop
authentication and encryption products to meet public demand. They could
start by developing some international standards. Interestingly, the
government always seems to be there when encryption standards are
developed. This is not true for other telecommunications standards. What
normally happens is that a standards organization, such as the
International Telecommunications Union or the International Standards
Organization, gets together and decides on the specifications for a
proposed standard. Then various companies go to work on their various
solutions and propose them to a committee. After a debate, the committee
decides on a standard. The government never plays a part.

But for some reason, the NIST and the NSA feel they have been given
the authority to develop encryption standards. They were involved in the
design of the Data Encryption Standard and the Digital Signature Standard. Now
the NSA has helped design the Clipper Chip. This leads to possible conflicts
of interest, since the NSA is tasked with making codes for public use as
well as breaking codes. But the government involvement is totally
unnecessary. Sure, the government should make its own standards for
government communications. But it's about time for industry to develop
its own authentication and encryption standards and implement these
standards, without any meddling from the government.

Even if the export restrictions persist, international industry
standards would encourage international development. If U.S. companies
can't provide secure products for Americans, we could get compatible
products from other countries. Or better yet, multinationals like Motorola
or AT&T could develop standard encryption devices overseas, for overseas
markets as well as domestic markets.

ENCRYPTING THE FUTURE

Unfortunately, I believe it would be very difficult for the
technicians to accomplish this in the present political climate. One
engineering professor I spoke with suggested it would be even more
difficult to create an international encryption standard, since foreign
governments would have similar motivations to repress encryption
technology. However, as engineers and computer scientists, we should
exercise our professional authority on the technical issues and get
involved in the policy debate. It's about time cryptography was treated as
a science and not a secret. It's about time the use of cryptography was
treated as a telecommunications issue, not a national security issue. As
technicians, we will be the ones building the communication systems, and we
have the final say if we wish to take a stand.

Jason Hillyard 5/25/93
P.O. Box 14685
Santa Barbara, CA 93107
805-968-1771