FBI director William Freeh and Attorney General Janet Reno are supporting legislation in Congress that will prevent American companies from producing and selling products using encryption software. They argue that encryption will facilitate terrorism and organized crime because it will prevent the government from intercepting the communications of terrorists and organized crime groups. My experience in law enforcement leads me to believe that the controls favored by the FBI and the Justice Department are unachievable. Furthermore, imposing such restrictions on American companies is more likely to increase terrorism and crime than to decrease them.
|Illustration by Taylor Jones|
Encryption, the practice of coding messages, is now routinely used in computerized software programs designed to protect the privacy of telephone, fax, e-mail, and Internet communications, ATM transactions, storage of business and government data, and myriad other necessary and desirable applications. The controls that the federal government would impose are Orwellian in the scope of their intrusiveness. They amount to no less than the U.S. government asking software companies to provide them with a “key” to be held in escrow that would allow the interception of every telephone call, fax, e-mail, Internet transaction, and other electronic communication anywhere in the world.
The genius of American industrial technology has produced the most dynamic economy and the greatest individual prosperity in the history of civilization. Simultaneously, it has enabled the U.S. government to acquire the most powerful armed forces ever developed. It is no exaggeration to say that the innovations of American technology are responsible for the United States’ becoming the world’s foremost economic and military power. The resulting political stability and resources have likewise enabled America to provide leadership for the free world. Consequently, it is ironic that the federal government now constitutes the largest threat to the very industry on which our future economic health and continued leadership of the free world depend.
The Clinton administration is requesting legislation from Congress that will prevent American companies from producing and selling products using encryption software on the grounds that such products will prevent law enforcement agencies from intercepting and decoding the communications of terrorists and other criminals. Under legislation pending in Congress, American companies would be required to provide the government, or a third party known to the government, with a key to decode all encrypted communications and data. The key would then be accessible to a law enforcement agency if sometime in the future it obtained a court order permitting interception. The legislation further requires that the key provide a plain text version of the information within a two-hour period. This would apply to all e-mail, fax, telephone, Internet, and other electronic communications, whether foreign or domestic. In addition, the proposed legislation requires that the key prevent both the owner company and other parties to the communication from knowing that their communications or transactions were being monitored. In other words, if you operate a business that requires confidentiality of phone calls, fax messages, e-mail, Internet, or other electronic communications, you would be forced to use a system that gives another party the ability to decode all your messages without your knowledge. And your internal audit and control systems would never reveal that your system had been penetrated. Furthermore, you would not know if the communications systems of companies with which you communicate are being monitored.
THE ECONOMIC COSTS
The law enforcement demands for elaborate keys and the resulting security requirements for whoever possesses the keys rest on technology that does not exist and may not be possible. The costs for developing the technology are to be borne by the companies developing and marketing the product. This means that their products will cost more, possibly enormously more, than those produced by foreign competitors. Additionally, even if comparable in cost, American products would not be competitive with products of foreign companies that provide secure encryption systems.
Our government ignores the fact that secure encryption software is already common. The United States embargo against exporting encryption programs cannot halt the march of innovative technology. It simply encourages foreign entrepreneurs to fill the gap because the European Commission has refused to accept the U.S. standards for encryption control. Europe will not cripple its growing technology industry. Indeed, the Wall Street Journal recently reported that European technology firms were elated by U.S. restrictions on domestic companies and were capitalizing on the developing demand for secure encryption. American companies are restricted in their development of software programs for both domestic and foreign customers since many common computerized programs, such as ATM transactions, and e-mail, fax, and other data storage programs, are encrypted or contain audit components that alert the owners that their systems have been entered.
THE THREAT TO PRIVACY
The various keys would be so technologically broad and so discreet that they would allow government surveillance on an unprecedented scale. Billions of communications would be susceptible to interception, in contrast to present court-approved wiretaps of telephones. Although a court-approved order giving a law enforcement agency a key would be based on suspicions of criminal activity by a specific individual or group, the subsequent information gathering could involve anyone in the world. And the provision that the use of the key would not be detected by the system means that the parties whose confidentiality was compromised might not learn about it for years, if ever. The resulting jeopardy to First Amendment rights of freedom of speech, Fourth Amendment rights against unlawful search and seizure, and Fifth Amendment rights against self-incrimination and taking of property would be enormous. Because the government would mandate that software manufacturers and their customers provide a key with which law enforcement agents might surreptitiously scrutinize not just a single individual or group of individuals covered by the court order but a system or systems containing millions of pieces of data and communications, the legislation would negate constitutional rights we take for granted.
THE EFFECT ON CRIME AND TERRORISM
The FBI and some law enforcement groups claim that, without encryption control, organized crime and terrorism cannot be prevented. This is a powerful argument given the tragic deaths in the bombings of the World Trade Center in New York, the federal building in Oklahoma City, and the embassies in Africa. Playing the terrorism card raises strong emotions of patriotism and justifiable anger against terrorism. Yet public policy affecting the nation’s safety and economic health should be made on an objective basis.
No doubt some communications presently subject to interception will be secure as encryption becomes more widespread. However, little government eavesdropping focuses on terrorism or other violence. Wiretaps have almost doubled under the Clinton administration, reaching an all-time high in 1997. Authorities recorded over 2.7 million conversations, yet only about 20 percent of the conversations contained incriminating evidence and far fewer led to arrests. Seventy-three percent of the eavesdropping was related to drug crimes. Most of the rest involved gambling or racketeering investigations. Only two of the federal wiretaps were for assault or homicide. Despite the increases in government wiretaps and some successful cases against organized crime figures, few people in law enforcement contend that the nation’s drug or organized crime problem has significantly lessened. Likewise, encryption control would not significantly reduce crime and terrorism.
The terrorists responsible for the World Trade Center and Oklahoma City attacks did not use encryption. Furthermore, both the New York and Oklahoma City bombings were solved using traditional law enforcement methods of investigation, not electronic surveillance. Witnesses were located and interviewed, forensic evidence was gathered and analyzed, and convictions were obtained. Moreover, the validity of the government’s demand for unprecedented power to invade privacy in its concern over terrorism has to be considered in light of other preventive efforts.
Shortly after the Oklahoma City bombing the president and congressional leaders of both parties rushed before television cameras and vowed to expand FBI authority, despite the testimony of Mr. Freeh that the bureau did not need additional authority. I visited the federal buildings in both San Jose and San Francisco a week later and found no additional security measures in effect. Although the terrorists in New York and Oklahoma City had used vehicle bombs, it was still possible to park a truck or car bomb adjacent to the buildings. Likewise, in Africa, neither embassy building had been brought up to the government’s security standards. We must question why our government, with a spotty record of taking routine security precautions to prevent terrorist attacks, is proposing a scheme of incredible regulatory control of industry based on mere speculation that it might at some future time intercept a terrorist communication.
No one would deny the value of penetrating codes used by criminals or foreign enemies. Breaking the Japanese Purple code and the German Enigma encryptions during the Second World War was of great value. But such intelligence coups do not belong exclusively to the good guys. Our own military, law enforcement agencies, and legitimate businesses need secure encryption. Military and law enforcement groups will, of course, attempt to persuade Congress that keys to their systems must remain in their care and be securely encrypted. The government, however, will mandate that companies cannot have secure systems subject to audits. This will make sensitive communications systems more attractive targets for cybercriminals and terrorists. They will recognize that stealing a key from a third party will provide more access to information and will be less likely to be discovered in time to prevent the damage.
Encryption control is not only irrelevant in terms of protecting national security and preventing crime—but simply counterproductive.
The most frustrating aspect of the government’s encryption control proposal is that encryption control is not only irrelevant in terms of protecting national security and preventing crime but is counterproductive as well. The government supports its case by alleging that it is aware of five hundred instances in which foreign suspects used encryption. Why then is it not clear that terrorists and organized crime groups are presently capable of using secure encryption? This technology is already here. But even the more advanced secret programs will not remain that way. How can we forget that a far more guarded secret—the technology of making atomic bombs—was stolen by the Soviet Union despite being under the tightest government security in history? Try as we may, we cannot put the genie of technology back into the bottle.
A MISGUIDED POLICY
The main scheme suggested by the FBI and the Justice Department requires U.S. manufacturers to install “third-party” keys. These devices would be held by nongovernment organizations and made available to law enforcement only by judicial order. But if we cannot trust the White House, the FBI, and the Department of Justice to protect this information, why is it any more desirable to trust private businesses that have even fewer legal restrictions over the conduct of their employees?
Confidentiality of information can never be guaranteed, no matter how strict the laws and regulations and no matter who holds the keys. As always, a balance must be struck between the authority of the government and the individual freedom of citizens in a democracy. Third-party keys will be a more attractive target for terrorists than the present multiple encryption controls employed in sensitive industries. The magnitude of key security problems is breathtaking. There are roughly seventeen thousand law enforcement agencies in the United States, each of which would need access to keys on receiving a court order. How many companies would be involved? How many keys? How many third-party guardians? How would a third party determine the validity of a court order or the identity of those presenting themselves as law enforcement officers? Would keys and information be shared with foreign police? Could the police of other nations be trusted not to disclose the confidential data of American corporations to their own governments and industries?
The fundamental target of terrorists is the power and stability of America. Both can be undermined if citizens lose confidence that the government is protecting constitutional rights, if prosperity vanishes, and if crime flourishes. If Congress accepts the FBI plan, it will weaken America’s global edge in the high-tech industry. That industry has been important in creating jobs, thereby leading the nation out of recession and helping to reduce crime.
During my fifteen years as police chief of San Jose, America’s eleventh-largest city, it became the safest major city despite having the lowest per capita police staffing. Sure, we had some great cops, but the crime rate dropped because we were in the heart of the computer industry, which reduced the local unemployment rate to 2 percent. It would be tragic if Congress, in the name of helping law enforcement, produced more unemployment and crime by accepting the current encryption control proposals. No one would be happier than America’s terrorist enemies.