High Technology and the Law

A Legal Perspective on the Open Systems Industry

Strong Crypto, Weak Liberties

by Jonathan Wallace

The U.S. Government is bugged, so to speak, about the future of wiretapping.

The Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) have been agitated for years that developments in digital communications and cryptography will close the door on the era when it was easy for them to listen in on communications. Thus, they have urged Congress and the executive branch to mount a three-pronged attack by restricting public use of cryptography, asking manufacturers voluntarily to insert a "back door" in telecommunications devices, and requiring a similar back door in the national telephone network.

As has been reported periodically in this magazine, cryptography programs such as Phil Zimmermann's nearly unbreakable free software Pretty Good Privacy (PGP) have been classified as "munitions" under federal export laws. Until January, when all charges against him were dropped, Zimmermann, a consultant in Boulder, CO, had been under investigation by a federal grand jury for almost two years because someone posted PGP to the Internet, where it was downloaded by overseas users; this constitutes an illegal munitions export in the government's view. Zimmermann says, "I think this raises First Amendment issues, because the only way to comply with the law is not to publish at all."

Meanwhile, U.S. software companies are unable to compete in foreign markets with companies that offer much stronger encryption solutions in their products. Sun Microsystems has taken to incorporating encryption utilities developed abroad in products it manufactures overseas. Because no U.S. export is involved, Sun avoids Zimmermann's legal problems.

The feds also have been pushing various versions of the Clipper chip. Installed voluntarily by manufacturers of telecommunications devices, the chip would include software which would automatically transmit a copy of the key to any encrypted communication to the government. The key would be split into two parts, one of which would be held by the Treasury Department and the other half by the National Institute for Standards and Technology (NIST). The FBI would have to obtain a warrant from a federal judge in order to reunite the two halves of the key and "unlock" a suspect's communications.

However, both of the escrow agencies are part of the executive branch, as is the FBI, and many civil libertarians believe that abuse--deencryption of communications without a warrant--is likely. John Perry Barlow, cofounder of the Electronic Frontier Foundation, says, "Trusting the government with your privacy is like trusting a Peeping Tom with your window blinds." So far, the Clipper chip has won little support from the manufacturers whom the feds hope will support it.

A Mandate to Eavesdrop

Not content to have a back door into the devices that originate communications, the government also wants to build its monitoring capability into the network itself. In the past, monitoring of phone calls has involved attaching a device to the wire; the Digital Telephony Act, passed at the end of last year's congressional session, awaits funding by this congress. This act would effectively permit the FBI to flip a switch to listen to any telephone call. Although warrants would still be required, the possibilities for abuse are significant.

Last year, federal courts authorized fewer than 1,000 wiretaps nationwide, and the FBI has not claimed that any of these investigations were thwarted by encryption or the need to use traditional means of eavesdropping. The FBI's proposed implementation of the system called for by the Digital Telephony Act would cost $500 million and would give the agency the capability to monitor one out of every 1,000 phone lines (in certain parts of the country, listening in on as many as one of every 100 phone calls). Obviously, since many millions of phone calls are made in this country every day, the FBI's new wiretap capability will far exceed the 1,000 wiretaps it actually performed last year.

Prophets of "technological determinism" agree that human beings want to use new toys to the full extent of their capability. It can be expected that if Congress funds the Telephony Act, we will see a lot more wiretapping.

When new technology is involved, fear, uncertainty and doubt always seem to cloud the issue and keep policymakers and the public from spotting simple parallels. It took the Supreme Court 50 years to recognize that a movie is protected by the First Amendment just like a play or a novel. In the 1980s, courts were confused whether software, which was recognized to be copyrightable if stored on disk, was protected if stored in ROM. The analogy that many don't see in the debate on wiretapping and civil liberties is that it is as if the government is actually asking you to deposit a copy of the key to your house. These federal agencies want to be able to come in and take a look around whenever they want, but they promise they will get a warrant first. Can they be relied on to keep that promise?

The debate about cryptography is prejudiced by a perception that honest people don't need to encrypt communications. But the very reason that U.S. companies are losing market share in Europe is that businesspeople do, in fact, want to encrypt sensitive data and communications before sending them out over an insecure wire. We all have that same right. Phil Zimmermann says, "I should be able to speak to you in Navajo if I wanted, even if law enforcement can't understand Navajo." The ban on secure cryptography is analogous to the government telling you you must speak in loud, clear English in your living room, so it can eavesdrop better.

The FBI isn't looking too good to congress and the public in the aftermath of the shoot-outs at Waco and Ruby Ridge. This situation currently provides the main hope that congress will not reach into the public purse for the required $500 million to build the FBI's back door into the national telephone system.

Jonathan Wallace is vice president and general counsel of Pencom Systems, Inc., in New York City. He can be reached at jw@pencom.com. His colleague Mark Mangan provided research for this article.