Government regulation of encryption: the entry of 'big brother' or the status quo?

Author: Vedder-Brown, Zhonette M.
  1. INTRODUCTION

    Julia sits at home writing letters via e-mail and managing household affairs. Electronically, the letters are sent, the bills paid. Knowing that the virtual world is a place of vulnerability where the least curiosity is easily satisfied and where information is power, Julia encrypts her messages and transactions. That is, she utilizes a software product which systematically scrambles the data transmissions in a manner which will make them unintelligible except to selected recipients who, in turn, possess capabilities to reassemble the signals. But are Julia's messages any more private than without encryption? From whom does Julia seek to shield her messages? Curious cyber-snoops? Cyber-criminals looking for access to her financial accounts, personal information, and other ways to make a fast buck? Government agents who suspect her of a crime and are trying to gather evidence? Or rogue government officials with too much time, too much power, and not enough respect for the privacy of American citizens?

    Public policy-makers and privacy advocates are currently and vigorously debating national encryption policy.(1) This debate began with the Clinton Administration's proposed Clipper Chip--an encryption hardware product employing a government created and classified encryption algorithm--and a companion proposal that encryption keys be placed in escrow with government agencies.(2) The controversy continues today as Congress considers a number of bills related to encryption.(3) The most current iterations of the policy involve the storage of encryption keys with trusted third-parties whom the government proposes to regulate.(4) These policies are called key-recovery proposals.

    The debate focuses on the tensions between the importance of government agents' ability to detect and fight crime committed or furthered over the Internet, and whether that interest supersedes or can be reconciled with the privacy interests of the American public. The key questions are: (1) should the government be able to access every electronic message and transaction regardless of the originator's desire that a message remain absolutely private; and (2) would the government's power to access that information violate the Constitution, federal statutes, or other privacy interests?

    Privacy advocates argue that mandatory, and perhaps even voluntary, key-recovery regimes are illegal because they violate constitutional and statutory privacy protections.(5) They maintain that encryption products should not be regulated by government, especially not by privacy-bashing agencies like the National Security Agency ("NSA") or the Federal Bureau of Investigation ("FBI").(6) These advocates assert that governmental attempts to manipulate the development of encryption approaches the dawn of George Orwell's "Big Brother."(7)

    The government argues that access to encrypted data is critical to its ability to protect citizens and businesses against criminal activity.(8) Such criminal activity could cost billions of dollars and an untold number of lives.(9) Government representatives assert that key-recovery violates neither the Constitution nor federal statutes.(10) They argue also that procedural restraints on the use of key-recovery will sufficiently protect privacy interests.(11)

    Much of the current debate surrounding key-recovery has a glaring flaw: the debaters fail to define the central terms of the debate. Both sides invoke the terms "privacy" and "right to privacy" as if those terms had concrete, universally understood meanings. This Note ultimately concludes that key-recovery does not violate "the right to privacy" but does violate "privacy." As explained in Parts IV and V, "privacy" is a much more expansive concept than the "right to privacy." Privacy has many definitions and purposes including a moral sense that a person should be able to control information about herself. Additionally, privacy includes both substantive and procedural aspects.

    On the other hand, the right to privacy is more narrow. It includes only the privacy protected by our Constitution and by statute. A governmental action may violate a person's privacy without violating his right to privacy.

    In this Note, Part II briefly explains some of the technicalities of encryption and key-recovery. It then addresses what various agencies of the government are doing to regulate encryption, from export regulation, to statutes, to purchasing power. Because many privacy advocates do not fully and clearly consider the risks of a system where the government lacks the power to decrypt data, Part III catalogues some crimes being committed via computer and explores the costs associated with those crimes. Part IV discusses the meaning of privacy, and explores whether key-recovery violates privacy. Next, Part V analyzes claims that key-recovery violates the legally recognized "right to privacy." Finally, Part VI considers how the law should address the privacy violation caused by key-recovery.

  2. GOVERNMENTAL REGULATION OF ENCRYPTION

    The government directly or indirectly regulates encryption software and hardware in a number of ways. This Part first discusses the basics of encryption: what it is and how it is done with modern technology. Second, this Part explains the basics of key-recovery. Finally, this Part explains by what authority, and through what various means, the government regulates encryption.

    1. The Mechanics of Modern Encryption

      Generally, encryption is achieved by employing a mathematical algorithm through which data is systematically scrambled so that it is unintelligible except to those possessing a key which can reassemble the data.(12) This process of coding and decoding has been around for centuries.(13) However, with the advent of computer technology and its proliferation in personal and business settings, encryption has recently become a common concern of ordinary civilians.(14)

      Data and messages are placed on the Internet with the idea that they will be accessible to someone.(15) The problem is granting access to intended receivers while simultaneously denying access to everyone else.(16) To protect personal and business secrets, programmers and hardware designers have created encryption systems for digital information.(17)

      In order for encryption to be useful, both the sender and the receiver must be able to encrypt and decrypt. There are two popular encryption systems: secret key regimes and public key regimes.(18) In a secret key system the users share the same key.(19) This system is not easy to manage, however, because it is difficult to distribute the key confidentially and anyone who has the key can read the message.(20)

      More secure and popular than the secret key system is the public key system.(21) In this regime, each person has two keys, one that the user keeps to herself and one that is publicly listed.(22) Thus, if Julia wants to send Bob an encrypted message, she types the message, looks up Bob's public key and uses it to encrypt the message. Bob receives the message and decrypts it with his private key. To respond to Julia, Bob encrypts his response with Julia's public key and she then decrypts it with her own private key.(23)

      Historically, the United States government has been very involved in encryption technology.(24) The government also funded the think tank which first conceptualized the Internet and built its components.(25) It was only natural, then, that the government would play a role in the merger of encryption and the Internet.(26)

      Currently a number of bills which deal with encryption are pending in Congress.(27) The Administration's policy is considered embodied in the Secure Public Networks Act.(28) This bill contains a provision for storing encryption keys with trusted third-party private agents.(29) The government would license and regulate these agents.(30) Most important to Administration and law enforcement officers,(31) government agents could recover any keys necessary to decrypt evidence.(32) While the key-recovery system is voluntary on its face,(33) opponents charge that participation in the key-recovery regime would, in reality, be mandatory.(34) In the past, FBI Director Louis Freeh threatened that only mandatory key-recovery would enable the government to carry out its law enforcement and national security mandates.(35)

      Law enforcement officers fear that if encryption continues to develop unchecked, criminals and terrorists will be able to shield themselves by using encryption codes the government cannot break. For example, Pretty Good Privacy ("PGP"), a program created by a Colorado programmer, has such a complex encryption algorithm that allegedly the government cannot decrypt a message encrypted with PGP in several lifetimes.(36) The solution? Key-recovery.(37) In a key-recovery system there are a number of players and a number of keys.(38) First, there are the two parties, Julia and Bob, sending and receiving encrypted messages. Bob and Julia are using a public key system. Thus, each knows his or her own private keys and both know their own and each other's public keys.(39) Next, because law enforcement agents suspect one of these parties of criminal wrongdoing, the government wants to intercept their messages. The government gets a court order to perform a wiretap and intercepts the message. But because it is encrypted, the government must decrypt the message to make it comprehensible.

      This is how it works: The decryption process begins with a family key (layer 1).(40) Law enforcement officers already have the family key, which is the same for all messages encrypted with that product.(41) They use the family key to decode a Law Enforcement Access Field ("LEAF") (layer 2).(42) This leaves the message between the two parties encrypted but provides the officers with the information to identify the necessary decryption key. Enter the fourth and possibly fifth players, the recovery agents. These agents have...
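The layered recovery described above can be traced in a short Python sketch; this is an added example, not code from the Note or from any government product. It uses a stand-in cipher in place of the classified algorithm, and the device key, session key, and the split of the device key into two shares held by two recovery agents are assumptions made for illustration, since the page's account of the agents' role is cut off.

```python
import hashlib
import secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def stream(key, data):
    """Stand-in cipher, NOT the real algorithm: XOR with a SHA-256 keystream.
    Encrypting and decrypting are the same call; each key is used once here."""
    blocks = len(data) // 32 + 1
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(blocks))
    return xor(data, ks)

FAMILY_KEY = secrets.token_bytes(16)  # layer 1: shared by every copy of the product

def make_device():
    """Assumption: the device key is split into two XOR shares, one per agent."""
    device_key = secrets.token_bytes(16)
    share_a = secrets.token_bytes(16)
    return device_key, share_a, xor(device_key, share_a)

def send(device_id, device_key, plaintext):
    """Sender side: encrypt under a fresh session key and attach the LEAF."""
    session_key = secrets.token_bytes(16)
    wrapped = stream(device_key, session_key)
    leaf = stream(FAMILY_KEY, device_id + wrapped)  # layer 2
    return leaf, stream(session_key, plaintext)

def open_leaf(leaf):
    """Family key alone: identifies the device, message stays encrypted."""
    inner = stream(FAMILY_KEY, leaf)
    return inner[:4], inner[4:]

def recover(leaf, ciphertext, agent_a, agent_b):
    """Both agents' shares are needed to rebuild the device key."""
    device_id, wrapped = open_leaf(leaf)
    device_key = xor(agent_a[device_id], agent_b[device_id])
    session_key = stream(device_key, wrapped)
    return stream(session_key, ciphertext)

if __name__ == "__main__":
    dev_id = b"\x00\x00\x00\x2a"  # constructed sample device identifier
    key, a, b = make_device()
    leaf, ct = send(dev_id, key, b"constructed sample message")
    print(open_leaf(leaf)[0].hex(), recover(leaf, ct, {dev_id: a}, {dev_id: b}))
```

In this model the family key by itself exposes only which device sent the message, and a single agent's share reveals nothing about the device key; the privacy of every message from that device rests on both shares staying out of unauthorized hands.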
