Taking account of the world as it will be: the shifting course of U.S. encryption policy.

Author: Black, Tricia E.

It is change, continuing change, inevitable change, that is the dominant factor in society today. No sensible decision can be made any longer without taking into account not only the world as it is, but the world as it will be.(1)

  1. INTRODUCTION

    On January 12, 2000, the U.S. Department of Commerce Bureau of Export Regulation ("BXA") issued new encryption export regulations that removed most of the prior limitations on the export of U.S. encryption technology. The previous export limitations, combined with efforts by the Clinton Administration to encourage the use of key escrow, had sparked contentious debate among public interest privacy groups, law enforcement, and the high-tech software industry.(2) The relaxation in policy signaled another retreat by the Clinton Administration from strong restrictions on export technology. While some questioned the complicated nature of the regulations, one software executive characterized the liberalization as "an 'inside the ball park' home run."(3) The finalized regulations had been eagerly anticipated since September 16, 1999, when the White House announced its proposal to loosen restrictions ("September proposal"), perhaps because of increasing pressure from Congress through proposed legislation over the previous three years.(4)

    In the wake of the new regulations and the furor that led to them, however, little mention has been made of the Cyberspace Electronic Security Act of 1999 ("CESA"), which was announced by the Clinton Administration in tandem with the September proposal to loosen export restrictions.(5) As proposed, CESA would "establish[] limitations on government use and disclosure of decryption keys obtained by court process and provide[] special protections for decryption keys stored with third party 'recovery agents,'" and authorize appropriations for a Federal Bureau of Investigations ("FBI") Technical Support Center to serve as a resource for federal, state, and local law enforcement.(6) Online privacy proponents strongly criticized CESA, claiming it would allow the government to circumvent the Fourth Amendment and easily gain access to encrypted e-mails, business documents and private files.(7) Former President Clinton left office without Congress taking any action on CESA, despite the White House's transmittal letter to Congress in September 1999.(8)

    This Note argues that the marked changes in U.S. encryption policy in the past seven years, specifically the relaxation of export regulations and key escrow advocacy, result from governmental and societal recognition and acceptance of how the world will be in the information age. Despite these expansive actions, introduction of CESA signals yet another attempt at government regulation of encryption technology. Therefore, this Note encourages critical study of CESA and similar legislation to ensure public awareness, understanding, and active involvement in shaping encryption policies affecting those living and working in the interconnected twenty-first century. Part II of this Note offers a brief history of cryptography and explains modern terminology essential to comprehension of the encryption debate. Part III traces governmental regulation of encryption technology--until recently almost solely a creation of executive directive--and offers competing arguments regarding key escrow systems and restrictive export regulations. Part IV analyzes both facets of the September proposal: export relaxation and CESA. Finally, Part V argues that Internet advances have caused the dramatic policy shift of the past three years, and that the U.S. government will continue to remove impediments to encryption exportation. This section cautions, however, that legislation concerning encryption, like CESA, should be monitored continuously to ensure that privacy concerns are adequately addressed.

  2. A BRIEF HISTORY AND EXPLANATION OF ENCRYPTION

    1. What is Encryption?

      Stanford Law Professor Lawrence Lessig writes with only slight exaggeration that encryption technologies are the most important technological innovations of the last millennium.(9) Encryption, or cryptography, may be understood on a basic level as scrambling information to disguise an intended communication.(10) The disguise may serve several purposes, including protecting the privacy, security, authenticity, and integrity of the communication.(11) Encryption allows a readable message--plaintext--to be transformed into an unreadable message--ciphertext--which remains incomprehensible to the recipient without a "key" to unlock the transformed message and return it to its original form.(12) An analogy to house keys illustrates how encryption keys function.(13) A homeowner or intended guests may enter a home through use of a house key that fits the lock on the front door and allows the keyholder to gain access, while keeping non-keyholders outside. Similarly, encryption keys allow intended readers to "unlock," and thereby understand, messages while keeping uninvited readers locked safely outside the circle of understanding.

      While this Note focuses on the modern implications of encryption, the field's significant past should not be overlooked.(14) Initially, cryptography was accomplished simply through the manual substitution of one item for another to provide security in communications or information transmissions.(15) Early military communications employed this method and still comprise one of the most prevalent uses of encryption, because different factions often needed to transmit messages to one another and ensure integrity.(16) With the advent of radio signals in World War I, the military required a stronger method of encryption, because messages were increasingly vulnerable to interception.(17) Cryptographers thus began to work on mechanizing encryption, a path that led to the automatic encryption systems used today.(18)

    2. Modern Encryption

      Just as World War I and radio signals led to a rethinking of encryption systems, the expansion of the Internet created similar demands for even more secure encryption technology.(19) Exponential advancements in access, speed, and power have created a global interdependence unseen and--some might argue--unimagined until the past decade. Encryption's smooth and often imperceptible integration into daily life has become essential to modern day society.(20) Encryption is used to protect individual and business finance, as well as the national infrastructure that runs power grids, hospitals, and communications.(21) More notably, the explosion of e-commerce makes it difficult to recall not being able to buy a plane ticket online or trade stocks from one's personal computer, and many take advantage of these new conveniences.(22)

      These advances come at a price, however, which must be contained through adequate security measures to protect the large, growing quantities of sensitive and private information that now move along digital channels. Recently, the fragility of Web site security became painfully clear when a hacker published thousands of credit card numbers obtained from customers of CD Universe after the company refused a ransom demand.(23) Public awareness of the vulnerability of online information has helped create a large market for strong encryption technology.(24) This new-age encryption technology, while based on the same simple substitution foundation of earlier cryptography, is now increasingly, and necessarily, complex.

      The modern process by which a message is encrypted and decrypted involves complicated mathematical algorithms.(25) The strength of an encryption key is determined by how difficult it would be for a third party to break the code, which depends on the key length, measured in bits, and the complexity of the algorithm in question.(26) Bits are the digits "0" and "1" used for encoding computer data; the greater the number of bits, the greater security afforded in an encryption algorithm, because more combinations are possible, thereby making the code harder to break.(27) For example, a 40-bit key length offers more than a trillion possible combinations, a 56-bit key length permits more than 72 quadrillion combinations, and a 128-bit key length allows 3.4 x 10^34 possible combinations of key sequences.(28)

      The most common, and widely used, algorithm is the Digital Encryption Standard ("DES"), which has a key length of 56 bits and was developed by the federal government in the 1970s.(29) The 56-bit key length was once considered secure, but recent DES "cracking contests," sponsored by a prominent producer of encryption technology, have proven otherwise.(30) The weakness of a 56-bit key length also becomes apparent when one recognizes that by June 1999, the minimum strength to meet the standards of new Internet applications was 128-bit encryption.(31) Since recognizing the problem in 1997, the National Institute of Science and Technology ("NIST"), a division of the Department of Commerce, has been working to create a more powerful algorithm, known as the Advanced Encryption Standard ("AES").(32) In October 2000, NIST announced the selection of an algorithm named "Rijndael" as the proposed AES.(33) Assuming the rest of the development schedule proceeds as expected, AES should be completed by summer 2001.(34) In the interim, triple-DES, which requires the use of three DES keys, has become the de facto standard used by the U.S. government and other entities.(35)

      Two basic types of widely available encryption systems are private ("symmetric") key systems and public ("asymmetric") key systems.(36) In a private key system, the same key is used to both encrypt and decrypt the message. Therefore, the system remains vulnerable because the key used to decrypt the information must be sent to the intended recipient of the message, leading to the risk that the key could be intercepted.(37) The key itself might also be more vulnerable to attack because it is used twice. A public key system employs two...
