AITP National Legislative Committee

AITP Takes Stand in Encryption Debate

Communications sent over the Internet are inherently insecure. E-mail sent from an address in Los Angeles to an address in Paris could, at least theoretically, be read at any of several points along the way. A malicious hacker could even gimmick the system to reroute the entire file to their own server.

The solution to this problem is encryption. However, not just any encryption would do. Passwords for most common software files, such as PKZIP, Excel, and MS Word, can be broken by over-the-counter applications readily available over the net, which typically crack these passwords in a few minutes and generally cost less than $100 to buy.

The most common theoretically secure commercial encryption scheme, DES (Data Encryption Standard), was written by IBM in the 1970s and is in wide use across the United States. Examples of DES-encrypted transactions include communications between sidewalk ATM machines and central banks, instructions between remote stock brokerage offices and the trading floor, and the like. However, two encryption specialists in Utah and Colorado tested its security by cracking DES with a brute force method over several months, using processors operating in parallel and linked via the public network. Someone with access to a Cray, such as a foreign government at odds with the US, could almost certainly manage to crack this even faster. And the US Government has demonstrated its own lack of confidence in DES by prohibiting its use for confidential or top secret communications. Happily, the National Institute of Standards and Technology (NIST) has recognized its vulnerability and is now advertising for a replacement standard.

One other encryption tool which is gaining great favor is PGP, for Pretty Good Privacy. This is a two-key system which to date has appeared to be unbreakable. To demonstrate how it works, let's suppose someone wants to send me a PGP-encrypted message. I have two keys, one public and one private, as does the person sending me the message. The public key can be made widely known (I have it posted on my personal web page, for instance). The person sending me the file encrypts it with my public key, but only through the application of my private key, which I keep secret, can I decrypt the file. My private key at home is what the PGP folks refer to as military grade. To date, no one has succeeded in decrypting anything which has been encrypted with the military grade PGP key, to the best of my knowledge. And there is a new version out now which is even stronger.

The other big debate concerns export controls. Unbreakable encryption tools such as PGP currently are illegal to export either as electronically readable source code or load modules. These tools are classified as munitions, and their export is controlled by the US government under ITAR (International Trafficking in Arms Reduction). The controls, however, are ineffective. For starters, tools just as good as PGP have been written overseas. The RSA algorithm which PGP is based on has been widely and legally published. One report, which I cannot attest to the accuracy of, claims that as many as 40% of all encryption tools have been developed outside of the United States. In addition, ITAR only prohibits the export of machine-readable code. A printed version of PGP was quite legally mailed overseas, where it was scanned into a computer in Norway and is now publicly and legally available internationally via the University of Oslo.

So the sole impact of the existing ITAR legislation is to limit legal US exports by the authors of PGP and other encryption tools, while accomplishing no other plausible government objective. Because of this, we should support legislation which would remove the controls on encryption export and give American businesses the ability to compete globally with secure software.

Which brings us to key escrow. The concept of key escrow is that you can use and/or export strong encryption tools if the US Government is given access to the private keys so that they can decrypt your messages at will. The real-life equivalent would be to outlaw deadbolt locks on your doors at home unless you first went down to the local police department and gave them one of your keys.

This rule raises several issues. First, can the government keep information that we provide it secure? The Washington Post recently reported that about 400 IRS agents were disciplined for unauthorized trolling through the tax returns of celebrities and their friends. If the government cannot keep tax returns confidential, how can it be relied on to safely protect a key escrow database? And second, key escrow would not effectively remove export controls, because it would cause foreign companies and governments to think twice about purchasing encryption tools from a US company. What would you do as a Dutch business, faced with the option of purchasing a Scandinavian package which is unbreakable, or a package developed by a US company which was already cracked the minute your keys were given to the US government?

Legislation has been introduced in the US House of Representatives this year to address some of the problems described above. HR695, by Representative Goodlatte (R-VA), as initially introduced would remove export controls from encryption tools. The bill has over 250 co-sponsors. Six committees have held hearings on this bill and approved different versions of it. Among them, the House Intelligence Committee and the House Internal Security Committee voted to rewrite the act to strengthen the controls on strong encryption, rather than make them more rational. Fortunately though, the House Commerce Committee, which was the last committee to vote on the bill, voted 35-16 to restore the original Goodlatte language which would bring some rationality to US rules on encryption software. That bill made it as far as the House Rules Committee, the final stop before floor action, when Congress recessed for the year. However, public opposition by the chairman of the Rules Committee may delay action on the floor. And after that, the bill would still need to get through the Senate and be signed by the President before it became law.

On October 24, the AITP National Board, at the recommendation of the AITP National Legislative Committee, enacted the following position on encryption:

The effect of this position is to endorse the language passed by the Commerce Committee and awaiting floor action.

= = = = = = = = = = = = = = = =

Additional background

encryption primer
in depth analysis of key escrow
general privacy info
Internet Privacy Coalition
International PGP source and history
Global Information Infrastructure background
ITAR text