Where the United States goes the world will follow - won't it?

Author: Cockburn, Christina A.
  1. INTRODUCTION

    To compete in the rapidly emerging global economy, business and commerce must have strong encryption schemes, available on an international basis, to protect the confidentiality and integrity of business transactions and electronic commerce.(1) The U.S. encryption industry dominates the market for encryption technology, but its lead may be diminishing.(2) The U.S. encryption industry stands poised to lose its competitive edge to foreign encryption industries,(3) which some think will result in the loss of thousands of jobs and millions of dollars in revenue.(4) International and domestic debates on the regulation of encryption technology have reached a crescendo. The purpose of this comment is to clarify the debated issues, as well as to encourage industry to abandon its insistence on a total abrogation of regulation of encryption technology, and to work with the Clinton Administration to develop a compromise.

    Part II of this comment provides a quick tutorial on encryption. Part III describes the competing arguments for and against regulation, in the form of "key management." Although presented from the U.S. perspective, these arguments mirror the struggles taking place in other countries that are formulating their own encryption policies.(5) Part IV discusses how the United States is regulating encryption technology. This section specifically examines the internal discord in Congress over regulation of encryption technology. Part V compares how other countries and multinational organizations are cultivating encryption policy. Part VI concludes that the encryption industry must take immediate action to maintain its competitiveness, which can be achieved by working with, rather than against, the Clinton Administration.

  2. A TUTORIAL: THE KEY TO ENCRYPTION

    Encryption is a technique for encoding information that allows only a person possessing an appropriate electronic key to decode it.(6) The information is first scrambled using a mathematical function called an algorithm.(7) The algorithm lets an individual select a "key" that is used to encrypt the information.(8) The "algorithm can be either a 'secret key' algorithm or a 'public key' algorithm."(9) Secret key cryptography uses the same secret key for encryption (sender) as for decryption (receiver).(10) Public key cryptography uses different keys for encryption and decryption.(11) One key is kept private while the other, the public key, can be published in directories.(12) A sender obtains an intended recipient's public key and uses it to encrypt a message.(13) The recipient uses his private key to decrypt the message.(14)

    Secret key encryption works like this. Amanda wants to send Peter an encrypted message so together they obtain a secret key. Amanda encrypts her message with the secret key and Peter uses the same key to decrypt the message. If Dan the FBI agent wants to read Amanda's messages, he obtains the proper authorization, such as a Title III judicial wiretap authorization,(15) to monitor Amanda's e-mail. With this authorization he obtains Amanda's secret key from the escrow agent. Dan can then read all messages originated by Amanda.

    It is possible to decode the message without the secret key by using brute force.(16) Brute force is a decoding method that uses a modern high speed computer programmed to try every possible key combination until it detects the correct one.(17) The longer the key combination the more time and resources it takes to break the code through brute force.(18) The length of the key combination is measured in bits.(19) After a one-time review, U.S. companies in certain industries may export encryption products of fifty-six bits without key recovery.(20) Other U.S. companies may export encryption products of any strength if a third party may recover the key or plain text.(21)
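    The secret key, escrow, and brute force mechanics described above can be sketched in a few lines of Python. This is an added example, not part of the original comment; the toy keystream cipher, the EscrowAgent class, the 16-bit key and the sample message are all constructed for illustration and stand in for no real product or escrow scheme.

```python
import hashlib

def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256(key || counter) blocks. Illustration only, not a vetted cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def encrypt(key: bytes, data: bytes) -> bytes:
    """Secret-key scheme: the same key and the same XOR operation encrypt and decrypt."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

decrypt = encrypt

class EscrowAgent:
    """Hypothetical escrow agent: stores users' keys, releases them only with authorization."""
    def __init__(self):
        self._keys = {}
    def deposit(self, user: str, key: bytes) -> None:
        self._keys[user] = key
    def release(self, user: str, court_order: bool) -> bytes:
        if not court_order:
            raise PermissionError("no judicial authorization presented")
        return self._keys[user]

def brute_force(ciphertext: bytes, known_prefix: bytes, key_bits: int):
    """Try every key of key_bits bits; return (key, trials) or (None, trials)."""
    nbytes = (key_bits + 7) // 8
    head = ciphertext[:len(known_prefix)]
    for k in range(2 ** key_bits):
        key = k.to_bytes(nbytes, "big")
        if decrypt(key, head) == known_prefix:
            return key, k + 1
    return None, 2 ** key_bits

def worst_case_trials(key_bits: int) -> int:
    """Each added key bit doubles the number of keys an exhaustive search must cover."""
    return 2 ** key_bits

# Constructed sample data: a deliberately tiny 16-bit key so the search finishes quickly.
AMANDA_KEY = (0xBEEF).to_bytes(2, "big")
MESSAGE = b"From: Amanda\nPeter, the contract is signed."
CIPHERTEXT = encrypt(AMANDA_KEY, MESSAGE)

if __name__ == "__main__":
    agent = EscrowAgent()
    agent.deposit("Amanda", AMANDA_KEY)
    print(decrypt(agent.release("Amanda", court_order=True), CIPHERTEXT))
    print(brute_force(CIPHERTEXT, b"From: Amanda", 16))
    print(worst_case_trials(56) // worst_case_trials(16))
```

    The 16-bit search finishes in well under a second, while a fifty-six bit key space is 2^40 times larger: the per-key work is identical and only the count of candidate keys changes.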

    Under the current export regulations, the encryption user must store crypto keys so they will be available if needed for criminal or security investigations.(22) One such storage technique is Key Escrow.(23) Key Escrow involves distributing the key to a key escrow agent for storage.(24) A variation of Key Escrow is called Self Escrow.(25) As the name implies, under this storage system the user can self-store the key if he can satisfy government standards.(26) Under the Trusted Third Party (TTP) method, a third party to the cryptographic application actually creates and provides the cryptographic keys to the participants, storing a copy for future key retrieval.(27) The Key Recovery Alliance (Alliance), a coalition of international companies, proposes an alternative to key escrow and third party schemes.(28) The Alliance supports developing a recovery scheme that can be used by all cryptographic schemes and has global scalability.(29) This approach eliminates the need to communicate with an outside agent during setup or message encryption and allows the encryption user to maintain the key at all times.(30)

    Under any of these key storage alternatives, law enforcement entities may seek to obtain court ordered access to the key through "proper legal process."(31) This provision has fueled heated debate between privacy advocates and supporters of law enforcement.(32)

  3. TO REGULATE OR NOT TO REGULATE, THAT IS THE GLOBAL QUESTION

    The U.S. government must weigh many competing factors in formulating a comprehensive encryption export regulation policy. These factors include the following: (1) the impact regulation has on the domestic users, (2) law enforcement concerns, (3) industry competitiveness, (4) privacy issues, and (5) freedom of speech. As other nations formulate their own encryption export policies, they struggle with these same concerns.(33) This Part discusses each of these concerns from the perspective of U.S. policy makers.

    1. Domestic Users Do Not Feel Secure

      The U.S. government does not limit the use of encryption in the domestic market by its citizens.(34) However, the government does restrict the export of encryption technology.(35) One prominent scholar, Michael Froomkin, argues that regulation of encryption exports is in fact regulation of the domestic market because the regulation of the export market will require industry to create two technologies: one for sale in the domestic market and a second for export.(36)

      The domestic standard dictates the amount of privacy a user is able to enjoy,(37) for example, communicating via email or banking via computer. The more secure a user feels the more likely the user is to use the Internet for electronic commerce.(38) Because the export standard has stymied the domestic development of encryption,(39) domestic users do not feel secure and consequently are not fully exploiting the Internet's capabilities.(40) The domestic demand for key recovery services is expected to explode.(41) While the current market for key recovery services has not matured, many encryption experts believe that key recovery will fuel the growth of electronic commerce and corporate security both domestically and internationally.(42)

    2. Industry Competitiveness

      Encryption exports are big money for the encryption industry.(43) A study by the U.S. Department of Commerce and the National Security Agency (NSA) estimated worldwide sales of encryption products (both hardware and software) for 1996 alone at $1.8 billion.(44) Over the last several years, the Clinton Administration has proposed various limitations on exports of encryption technology, none of which has succeeded to date in garnering widespread industry support.(45) Opponents of the Clinton Administration's efforts argue that key management will put them at a competitive disadvantage in the global market.(46)

      As the industry waits to see what the standard will be for exports, it has allowed the domestic standard to languish.(47) Initially, the rest of the world waited for U.S. action.(48) One commentator has suggested that foreign governments avoided the issue.(49) Foreign governments "had less need for an explicit ban on strong consumer cryptography because U.S. firms' dominance of the market for operating systems and other potential applications of cryptography tended to stifle the growth of indigenous competitors."(50) Now it appears that other nations may move forward with encryption standards or decide not to impose any limits, leaving the United States to play catch-up in a field it once led.(51)

    3. Law Enforcement

      The Clinton Administration has couched the need for limits on encryption exports in terms of security. FBI Director Louis Freeh draws a parallel between encryption exports and court-authorized wiretaps of digital telephones.(52) In 1993 when the FBI sought the assistance of Congress in maintaining and continuing court-authorized wiretaps in a new technological environment, there was no imminent crisis.(53) However, the FBI was confident that within the next decade it would lose its ability to perform such wiretaps.(54) Likewise today, the Clinton Administration does not claim that there is a crisis involving encryption.(55) Director Freeh argues that if the government waits until there is a crisis it will be too late because high level encryption will be the global standard, leaving law enforcement and national security at risk.(56)

    4. Privacy Concerns

      Privacy advocates are skeptical of the impact government-supported key escrow will have on their personal privacy.(57) This skepticism is heightened by the government requirement of a third party escrow holder and participation in key management.(58)

      Other concerns include whether notice will be given to the encryption user when the government attains access; who will have access to the key; the type of escrowed-encryption method established as standard; the treatment of foreign governments; the treatment of foreign users versus domestic users; and the rules governing intelligence agencies.(59) Constitutional questions of privacy have also been raised,(60) but have not been prominent in...
