NYT op-ed: Computer Privacy: Your Shield? Or a Threat to National Security?
September 24, 1997
Computer Privacy: Your Shield?
Or a Threat to National Security?
By PETER WAYNER
[T] he Internet has been roiling for the last few weeks
as members of Congress have gathered in secret,
closed-door sessions to determine how much security
Americans will be allowed to use to protect themselves
in cyberspace.
The issue of encryption
-- the scrambling of
e-mail and other
computer files so they
can't be read by others
-- is generating
increasing tension between civil liberty groups, which
assert that it is a basic privacy right essential to
personal security, and law enforcement officials, who
want the right to read whatever they please in the name
of national security and crime fighting.
On one side of the issue, the branches of the United
States government responsible for law enforcement and
intelligence are pushing for the enactment of laws that
would make it illegal for Americans to encrypt computer
files in a way that makes them unreadable by the police.
In the wake of open committee testimony by officials of
the Federal Bureau of Investigation and National
Security Agency and meetings with members of Congress
behind closed doors, this side, sensing it has captured
the momentum, is pushing for quick legislation.
On the other side, the computer industry and public
interest groups as diverse as the American Civil
Liberties Union and the National Rifle Association are
struggling to put the brakes to legislation that they
feel would subject citizens to unnecessary regulation,
astronomical costs and a loss of civil liberties.
The issue is reaching a crucial juncture, and members of
Congress may soon be called to decide the issue. The FBI wants a
law requiring that every encryption program used to scramble data
include a secret back door, known
as a "key recovery system," that the police could use
for surveillance.
The computer industry views these back doors as a
burdensome regulation that criminals could easily thwart
or ignore. What's more, many in the industry argue that
the cost of a key recovery system could be as high as
$100 billion, leaving taxpayers and law-abiding
consumers to shoulder the expense and frustration of
adding a back door to their system security -- and to
suffer the consequences if the lock to that back door
were ever broken.
Congress as a whole seems unsure about how to proceed.
Representatives Bob Goodlatte, Republican of Virginia,
and Zoe Lofgren, a California Democrat, took a
libertarian stance earlier this year when they
introduced a bill they called Security and Freedom
through Encryption. The legislation, known by the
acronym SAFE, would have liberalized export controls to
allow the United States software industry to compete
internationally, and it would have added new criminal
penalties for anyone who used encryption in the
commission of a crime. It quickly attracted more than
250 co-sponsors.
But under heavy lobbying by the Clinton administration,
SAFE has met increased resistance. Committees have
gutted key provisions and added language that would
sharply increase encryption regulations for Americans.
Now, as Congressional leaders begin to search for a
compromise position, some staff members say that SAFE is
dead, while others predict that members who support the
F.B.I.'s position will push for action on a much-altered
version of the bill this year.
Representatives Mike Oxley, Republican of Ohio, and Tom
Manton, a New York Democrat, have vowed to push the
House Commerce Committee, in a meeting scheduled for
Wednesday, to include an amendment that would require
the nation's software companies to add a key-recovery
system to encryption software by Jan. 1, 1999.
But even some of the strongest defendants of the
intelligence agencies and their need to eavesdrop are
unsure about how to proceed.
Curt Weldon, a Republican from
Pennsylvania, led his National
Security Committee in the House to
add an amendment that would tighten
the export controls to the SAFE bill,
effectively changing it from a
pro-industry bill to a
pro-intelligence agency bill. Yet he
says he recognizes the need for
Americans to protect their secrets
against industrial espionage and
feels uncomfortable with the domestic
controls added by House's Select
Committee on Intelligence.
"We're moving too fast on this, and
we should slow down," Weldon said in
an interview. He added that he would
prefer waiting at least a year to
enact any encryption legislation.
As members of Congress struggle with
the nuances of privacy versus
national security, many people in the
computer industry wonder just how
much this will cost. For example,
they point to a bill sponsored by
Senator Bob Kerrey, Democrat of
Nebraska, which would require that
all computers attached to a federally
financed network to include key
recovery for the police. The expense,
say industry insiders, could be
astronomical.
There is no easy way to estimate the
cost for complying with some of the
new backdoor proposals already before
Congress because nothing as
all-pervasive has ever been
attempted. Estimates range wildly
from $2 billion to 100 billion.
At the same time, Congress is not
eager to spend money to right
computer problems. Many systems
managers in government agencies are
already concerned about the arrival
of the year 2000, pointing out that
simply adding the extra two digits to
all of the government's databases
could cost taxpayers billions of
dollars. Paradoxically, Kerrey has
been a key critic of allocating money
to upgrade the Internal Revenue
Service's computer system.
In fact, Kerrey's legislation could
easily create the largest bureaucracy
ever -- by some estimates requiring
more record keeping than all the
states' departments of motor
vehicles, the Internal Revenue
Service and the various welfare
agencies combined. While no one knows
how Congress or the FBI intends to
carry out key-recovery legislation,
it is entirely possible that anyone installing a piece
of software on a hard drive will need to register it
like people now register a car with the Department of
Motor Vehicles.
While most people own only one car and file only one tax
return a year, many computer users have multiple copies
of programs like Quicken, Notes or Power Point. Each
could require a separate registration if it includes
encryption features -- and many users will be shocked to
discover what qualifies as encryption, which is becoming
increasingly common even in trivial programs like games
because it is a good way to regulate copyright
infringement.
Many also express concern that the law could backfire
and actually make Americans more vulnerable to attack.
For example, in any system that features back-door keys
for the police, a security breech involving a deeply
placed Aldrich Ames-type operator could easily leak the
secret master key. This in turn would allow terrorists
or other criminals access to all the files in the
nation, leading to a collapse of Internet security that
some computer professionals have dubbed a "digital Pearl
Harbor."
The decision Congress must make is far from simple, and
both sides use extreme cases and outright scare tactics
to make their points. Officials at the Department of
Justice, including the FBI, are fond of asking members
of Congress whether they would want agents to be able to
eavesdrop on criminals if their daughter were kidnapped.
The other side points out that the kidnapping may never
of happened if the daughter had encrypted her e-mail,
thus preventing an electronic stalker from tracking her
movements.
Many members of Congress have taken classified,
members-only briefings from the National Security
Agency, which asserts that encryption software prevents
it from vacuuming up data from throughout the world that
are now easy to read. The briefings reportedly contain
details about how United States military forces were
able to gather crucial information about Iraqi troop
movements during the Gulf War. Code breaking and
electronic intelligence has been an important strength
of the United States in every military conflict since
the War for Independence.
In a recent statement, Oxley declared: "Indeed, I would
find it difficult to believe that a member who heard the
briefing could walk away not committed to addressing
security issues. Frankly, I wish everyone interested in
this issue could have heard for themselves the alarming
briefing that members of our committee heard."
The details of the briefing, however, remain classified,
presumably to protect the source of the information from
being compromised.
A report issued last year by the National Research
Council, however, rejected the notion that the
classified briefings were particularly compelling. Many
members of the committee that wrote the report had
access to the same intelligence examples but felt that
the issue could easily be discussed in public. The
committee rejected the backdoor plans supported by the
FBI as too expensive and untested.
At the same time, the Defense Department has voiced
concern about its ability to defend the United States
against information warfare, arguing that encryption is
crucial for securing the Internet and protecting
American citizens. One example cited is the case of
AT&T, which recently withdrew from bidding on a contract
in Argentina after competitors publicized tapes of
conversations between the company's executives and
regulators -- a leak that might never have occurred if
encryption were used.
The President's Commission on Critical Infrastructure
Protection is also studying the need for encryption,
although it has refused to address the issue publicly
until its report is published in October. Privately,
however, several members of the commission express
concerns that police keys to everyone's back doors will
be difficult to protect, leaving the nation more
vulnerable to terrorism. At the same time, several
members have said they are "under fairly strict orders"
to fall in line with the FBI's push for key recovery.
Much of the computer industry's
reaction is more practical as it
contemplates systems that would even
inadvertently preclude a way for
criminals to avoid police
surveillance. Some joke that proposed
legislation would even ban emoticons,
the smiley-face icons like :-) widely
used in Internet communications, at
least until someone can seek approval
from the United States government. Others joke that
Anita Hill could be locked up because the men in the
government "just don't get" what she had to say.
As absurd as they are, such jokes illustrate the
pressure felt by the computer industry. The recent
language approved by the House Select Committee on
Intelligence defines encryption as "the transformation
or scrambling of data, including communications, from
plaintext to an unreadable or incomprehensible format,
regardless of the technique utilized for such
transformation or scrambling and irrespective of the
medium."
The language also calls for up to five years in prison
for anyone convicted of selling software that fails to
provide the police with "immediate access" to
encryption.
Broad language like that introduced by the House Select
Committee on Intelligence is often used by Congress to
avoid loopholes that criminals might exploit, but often
such sweeping measures generate more problems than
solutions.
For example, many computer programs store their files in
binary, a format that is unreadable by humans --
something that computer users often discover when they
try to use a file with either a different application or
a different computer.
One Congressional staff member who participated in
drafting the legislation but asked not to be identified
conceded that the bill would force developers of new
software to seek approval for their products from the
United States government even if the products did not
explicitly include encryption features. Such approval
would be the only way to escape prosecution, he said.
While admitting that this language would add a six- to
nine-month delay in releasing new products, the staff
member asserted that the computer industry would simply
have to build this time into product development cycles.
The staff member also insisted that relatively rare
languages like that of the Navajo Indians, which was
used by the United Stated military for secret
communications in World War II, would not be controlled
by the legislation "because they are languages not
codes." Secret codes like those used by baseball
managers to communicate with their players would also
not be affected, he said.
Yet he could offer no solid definition for what
constitutes a language, and the legislation does not
offer users any guidance for what the police can and
cannot reasonably be expected to comprehend.
Copyright 1997 The New York Times Company