Coded Communications On the Internet: Who Should Hold The Key?

Words like "encryption," "de-coder keys," and "scrambled data" probably bring to mind visions of national security, intelligence agents and international spies. But, recently, the concept of coded communications has become a hot topic for Internet users, politicians, privacy activists and law enforcement agents. The increased popularity of on-line communications, and the use of the Internet for financial transactions, has fueled the debate about technology that can prevent unauthorized access to electronically-transmitted material.

Should such technology be highly restricted by the government, or should it be allowed to flourish in the American or global market? The answer depends on your perspective.

The technology in question is called cryptography -- the use of mathematical formulas to encrypt electronic information so it is indecipherable without the proper digital "key." At one time, the average person had little interest in this arcane topic, then the domain of spies and large banking institutions.

However, the need for and implications of encoding software grow with the number of people and businesses that use the Internet.

International communications compound the problem.

Both parties to coded Internet communications need cryptographic software that interfaces one with the other in order for the recipient to decode what the sender wants to say. Examples include credit card or bank account numbers in commercial transactions or electronically transmitted medical records or digitized medical images.

Self-evidently, interception of such communications, or tampering with them, could cause significant harm. Some people further assert that they have the right to keep their communications secret from anyone else as a matter of personal privacy.

Presently, though, the U.S. government has strict laws regarding this technology. The Secretary of State placed information security systems and equipment, including cryptographic software, on the U.S. Munitions List (see 22 C.F.R. Section 121.1, category XIII), which means it cannot be sent abroad without a State Department arms export license. The State Department grants licenses only for weak encryption software, that is, software that develops codes that are relatively easy to crack.

Critics complain that this approach is causing the United States to fall behind in the worldwide electronic communications market. And Internet users, particularly those in the business community, are pushing for relaxed restrictions so that companies can feel more secure about transmitting sensitive business, financial and legal material.

So why is the government holding back? Law enforcement officials warn that open access to advanced levels of this technology will give criminals a system through which they can use codes to communicate, secure in the knowledge that police will be unable to decipher their transmissions. And, intelligence agents fear that international spies will be able to use strong encrypting technology to pass on top-secret information to other countries and that terrorists will use the technology to hide the planning of terrorist activities.

The debate has grown increasingly controversial, especially with the introduction of H.R. 3011, the Security and Freedom Through Encryption Act ("SAFE" Act), which would relax licensing and export restrictions. Those opposed to this effort have testified at length as to how increased levels of encryption technology would harm law enforcement efforts. According to Jamie S. Gorelick, Deputy Attorney General, U.S. Department of Justice, the harmful effects of cryptography have already begun to surface. (See, Hearing on H.R. 3011, The Security & Freedom Through Encryption (SAFE) Act Before the House Judiciary Committee, 104th Congress (Sep't 25-26, 1996), Statement of Jamie S. Gorelick, Deputy Attorney General.)

For example, Gorelick stated that Ramzi Yousef, who was recently convicted of conspiring to blow up ten U.S. airliners in the Far East, apparently stored information about his terrorist plot in an encrypted computer file in Manila, the Phillippines. Also, in a major international drug-trafficking case, the subject of a court ordered wiretap used a telephone encryption device to significantly hinder the surveillance. "Kiddie porn" dealers have even encrypted obscene and pornographic images of children over the Internet. Gorelick cautioned that stronger encryption products will increase to the point of denying law enforcement access to stored electronic evidence, resulting in an increased threat to public safety.

On the other hand, supporters of SAFE argue that stronger encryption technology would ensure safe electronic commerce, protect individual privacy and boost the competitiveness of U.S. companies. Further, they point out that elaborate digital codes would actually hinder crime by providing better protection for top-secret information such as banking and telecommunications networks.

So far, no one has come up with an approach that pleases all sides.

At one time, some politicians supported the "trusted third party" approach whereby master "key" codes to the scrambled data would be placed in the hands of an escrow agent, such as a private party or a governmental entity. Law enforcement officials would then need to go through proper legal channels in order to obtain the keys for use in a particular situation. But, the idea of placing the codes with a third party negates the purpose of encryption, that is, keeping the coded information a secret. If the escrow agent, through neglect or otherwise, were to let the keys out, then things that should have remained secret could become vulnerable and a new set of master keys might need to be created, with a new set of encryption software written to use those keys.

The escrow agent approach also concedes that the government should have the ability to decode anything, with limitations placed by law on the circumstances in which it may properly do so. Accepting that premise, a recent suggestion has been raised that may provide a compromise for dealing with the possibility that the escrow agent could lose the master keys.

Eleven major information technology vendors and user organizations, including Apple Computer and IBM, have announced the formation of an alliance to develop an exportable worldwide approach to strong encryption. This approach has been labeled the "key recovery" system and would involve the development and distribution of technology that could permit the recovery of anyone's lost or damaged keys without the need to store or escrow the master key codes with a third party. Law enforcement agents could then gain access to the data after securing a court order that would allow them to recover the keys.

This approach would seem to satisfy the concerns of everyone involved, except the most ardent advocates of privacy at all costs. In fact, Vice President Al Gore recently announced the White House's support for the "key recovery" system, suggesting that the Administration has abandoned the "escrow" approach. But, not all parties believe that "key recovery" is the way to go. Some U.S. companies, like Netscape, have said that the proposed system will not work and privacy activists have expressed similar doubts.

As with most controversies, it will no doubt be difficult to come up with a solution that makes everybody happy. But the problem is one that will not go away. As use of the Internet increases, more and more people will be affected by the issue of encryption. The debate is likely to heat up before it cools down, particularly with the proposal that Congress enact the SAFE Act.