The following document is from the PRIVACY Forum Archive at Vortex Technology, Woodland Hills, California, U.S.A.

For direct web access to the PRIVACY Forum and PRIVACY Forum Radio, including detailed information, archives, keyword searching, and related facilities, please visit the PRIVACY Forum via the web URL: http://www.vortex.com

-----------------------------------------------------------------------

CRYPTOGRAPHY: POLICY AND TECHNOLOGY TRENDS

Lance J. Hoffman
Faraz A. Ali
Steven L. Heckler
Ann Huybrechts

December 1, 1993

Work supported in part by the U.S. Department of Energy under contract DE-AC05-84OR21400. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof.

CONTENTS

EXECUTIVE SUMMARY
1. INTRODUCTION
2. TECHNOLOGY
3. MARKET ANALYSIS
4. EXPORT CONTROLS
5. PUBLIC POLICY ISSUES
   5.1 EXECUTIVE BRANCH
   5.2 CONGRESS
   5.3 TRENDS
6. POTENTIAL SCENARIOS
REFERENCES

EXECUTIVE SUMMARY

During the past five years, encryption technology has become easily available to both individuals and businesses, affording them a level of security formerly available practically only to military, national security, and law enforcement agencies. As a result, a debate within the United States about the proper balance between national security and personal freedom has been initiated. Law enforcement and national security agencies would like to maintain tight control over civilian encryption technologies, while industry and individual and privacy rights advocates fight to expand their ability to distribute and use cryptographic products as they please.

This report analyzes trends in encryption technology, markets, export controls, and legislation.
It identifies five trends which will have a strong influence on cryptography policy in the United States:

* The continued expansion of the Internet and the progressive miniaturization of cryptographic hardware combined with the increasing availability and use of strong cryptographic software means that the strongest encryption technologies will continue to become more easily obtainable everywhere in the years ahead.

* Additional growth in networked and wireless communication will fuel a strong demand for encryption hardware and software both domestically and abroad, causing the U.S. high-technology industry to be increasingly interested in selling encryption products overseas and in modifying current export restrictions.

* Due to the responsibilities and bureaucratic dispositions of key Executive Branch agencies, products using strong encryption algorithms such as DES will continue to face at least some export restrictions, despite the widespread availability of strong encryption products overseas.

* The American public is likely to become increasingly concerned about its privacy and about cryptographic policy as a result of the increased amount of personal information available online and the growing number of wireless and networked communications. The development and increasingly widespread use of the National Information Infrastructure will heighten these concerns.

* Encryption policy is becoming an important public policy issue that will engage the attention of all branches of government. Congress will become increasingly visible in this debate due to its power of agency oversight and its role in passing laws accommodating the United States' rapid rate of technological change. Agencies will remain very important since they have the implementing and, often, the planning responsibilities.
Since individuals and industry have more direct influence over Congress than over most other branches of government, Congress may place somewhat more emphasis on personal freedom than many other government actors.

Four potential scenarios are likely: mandatory escrowed encryption, voluntary escrowed encryption, complete decontrol of encryption, or domestic decontrol with strict export regulations.

1. INTRODUCTION

During the past five years, encryption technology has become easily available to both individuals and businesses, affording them a level of security formerly available practically only to military, national security, and law enforcement agencies. This availability and the desirability of encrypting some communications are just starting to be generally recognized by American business, and the encryption market is just now beginning to emerge as a significant part of the computer security market.

As a result, a debate within the United States about the proper balance of national security, law enforcement, and personal freedom has been initiated. Law enforcement and national security agencies would like to maintain tight control over civilian encryption technologies, while industry and individual and privacy rights advocates fight to expand their ability to distribute and use cryptographic products as they please.[1]

This report analyzes trends in encryption technology and policy against this backdrop. It is one in a trilogy of research papers being prepared under the direction of Professor James Chandler of the George Washington University National Law Center and Professor Lance Hoffman of the George Washington University School of Engineering and Applied Science, Department of Electrical Engineering and Computer Science. The papers cover the following topics:

* Issues Regarding the Use of Cryptographic Technologies in the Commercial Sector. Review and analysis of U.S. laws, regulations, and case law pertaining to the use of commercial encryption products for voice and data communications between private parties located within continental U.S. boundaries and with parties in foreign jurisdictions, including examination of all applicable Federal statutes, regulations, executive orders, and other publicly available sources of legally binding directives. Laws or regulations which have been interpreted as mandating the use of cryptographic systems are also included.[2]

* Foreign Encryption Technology Controls. Identification and analysis of foreign laws and regulations pertaining to the use and control of commercial encryption products for voice and data communications.[3]

* Cryptography: Trends in Technology and Policy (this paper). Encapsulation of current legislation and analysis of trends based on the above papers with future implications for encryption technology and the use of commercial encryption products.

This report is divided into four primary sections:

* Technology: future trends in high technology and, more specifically, encryption technology.

* Market Analysis: trends in the global market for encryption products, especially DES- and RSA-based products.

* Export Controls: trends that may influence the wording and implementation of laws restricting export of encryption products manufactured in the United States.

* Public Policy Issues: factors and trends that may determine the future direction of policy decisions and legislation related to cryptography in the United States.

After discussions of these topics, four potential scenarios are briefly presented as possibilities.

The authors appreciate the constructive criticism of early drafts and helpful suggestions made by Diana Arrington, Donna Berkelhammer, James Chandler, Larry E. Christensen, Dorothy Denning, Bill Franklin, Lou Giles, Lamaris Gill, Lynn McNulty, Randolph Williams, Doug Miller, Robert Rarog, Allan Suchinsky, and others.
Conclusions or opinions in this paper are, however, those solely of the authors and are not necessarily shared by any of the other persons.

2. TECHNOLOGY

Commercial encryption technology has evolved since the popular 'Data Encryption Standard' (DES) [4] was released to the public in 1977 and will continue to do so during the foreseeable future. From a situation in which only private key systems were generally in use, public key systems have since become increasingly popular, especially for authentication. Detailed reviews of the evolution of cryptography over the last sixteen years or so can be found in [5] and [6]. In particular, hardware encryption devices will become smaller, users will use signatures and digests (typically public key systems [7, 8] as well as private key systems), and encryption algorithms will become increasingly powerful.[9]

A cryptographic system generally provides for two functions: encryption and decryption. The encryption function converts data from 'plaintext,' or normal text, into 'ciphertext,' which is incomprehensible to the casual observer. The decryption function reverses this process, restoring the data to its original form. In order to perform either of these functions (i.e., to send or receive an encrypted message), the system's user must have a unique 'key,' a sequence of bits. This key is input to the algorithm to successfully perform the desired conversion. The strength of an encryption scheme is dependent both upon the strength of its algorithm and, often, on the length of the keys used for encryption and decryption. Longer key lengths mean more possible keys for an intruder to try and thus imply greater security.

Encryption and decryption are generally performed by a computer with the assistance of hardware and/or software cryptographic products. A trend in encryption products, concurrent with the same trend in computer technology in general, is towards increasing miniaturization.
For example, in 1988 the primary encryption device manufactured by AT&T weighed seventeen pounds. Now, with the advent of PCMCIA (Personal Computer Memory Card Industry Association) technology, it is widely anticipated that one or more manufacturers will soon release encryption-capable modems the size of a credit card.

Some observers feel a trend is developing from hardware or software/hardware products to software-only products [9, 10] because software is cheaper, easier to install and use, and takes up less space on a computer than hardware. Others disagree, thinking that the future of encryption technology may be in hardware-based products, because they are faster, harder to compromise, and also take up very little space now because of developments in VLSI (Very Large Scale Integrated) chip design.[11]

There is also a growing use of 'public-key' cryptography systems.[9, 13] Under a more traditional single key system, the same key is used both for encrypting and decrypting the message. Although this is reasonably secure, there is a risk that this key will be intercepted when the parties involved exchange keys. A public key system, however, does not necessitate the exchange of a secret key in the transmission of messages. The sender encrypts the message with the recipient's freely-disclosed, unique public key. The recipient, in turn, uses her unique private key to decrypt the message.[7] It is also possible to encrypt messages with the sender's private key, allowing anyone who knows the sender's public key to decrypt the message. This process is crucial to creating digital signatures, as discussed later.

Coincident with the increase in electronic communications is the need to write one's own signature on both business and personal transactions. At the moment, writing one's own signature requires written messages.
Now, however, electronic communications have become so heavily used that many business and personal transactions will flourish between parties who never actually see each other and physically sign no paper; increasingly, digital signatures will be used to provide message authentication. Public-key cryptography also enables the user to produce a digital signature by encrypting with her private key, which, when decrypted with her public key, provides verification that the message originated from that user. Possible applications for this technology include online financial transactions and business negotiations.

The DES (Data Encryption Standard) and RSA (named after its inventors Rivest, Shamir, and Adleman) algorithms are generally considered two of the strongest algorithms on the market. DES is a strong, private-key algorithm developed by IBM and made a standard by the United States government in the late 1970's. RSA, in turn, is the most popular public-key algorithm.[14] It is based on prime number generation, using the fact that it is very difficult to factor the product of two large prime numbers.

Encryption hardware and software products incorporating DES and RSA are widely available both domestically and abroad. Over two million instantiations of RSA have been distributed in the United States, in almost every case seamlessly embedded by the vendor. By the end of 1994, this number will rise to five million and by the end of 1995, it will double.[15]

PGP (Pretty Good Privacy) [16], which originally incorporated RSA, employs public-key cryptography and puts together strong algorithms for both authentication and message transmission. It now uses a combination of the IDEA (International Data Encryption Algorithm) [17] and DES algorithms, is free, and can be obtained over the Internet via anonymous FTP ("file transfer protocol").

DES continues to be an important standard for encrypting data, particularly within the U.S. and foreign financial communities.
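The public-key operations described above (encrypting to a recipient's public key, signing with a private key, and the reliance on factoring being hard) are shown here as an added example that is not part of the original report. It is textbook RSA with constructed toy primes and no padding, and all function names are illustrative.

```python
import hashlib
from math import gcd, isqrt

# Constructed toy primes (the 10,000th and 100,000th primes). Real RSA primes
# are hundreds of digits long; these are tiny so that factoring n is feasible.
P, Q = 104729, 1299709


def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)): the public key and the matching private key."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent, e*d = 1 (mod phi); Python 3.8+
    return (n, e), (n, d)


def encrypt(m, public):
    """Anyone can do this: only the public key is needed."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c, private):
    """Only the holder of the private key can reverse encrypt()."""
    n, d = private
    return pow(c, d, n)


def digest(message, n):
    """Hash the message and reduce it to an integer the modulus can carry."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private):
    """'Encrypt' the message digest with the private key."""
    n, d = private
    return pow(digest(message, n), d, n)


def verify(message, signature, public):
    """'Decrypt' the signature with the public key and compare digests."""
    n, e = public
    return pow(signature, e, n) == digest(message, n)


def recover_private(public):
    """Factor n by trial division and rebuild the private key.

    This succeeds only because the toy modulus is about 37 bits long; the
    security of RSA rests on this search being infeasible for large n.
    """
    n, e = public
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return make_keypair(f, n // f, e)[1]
    raise ValueError("n has no non-trivial factor")


if __name__ == "__main__":
    public, private = make_keypair(P, Q)
    secret = 19931201                      # constructed sample message
    print("round trip ok:", decrypt(encrypt(secret, public), private) == secret)
    order = b"Transfer 100 dollars to account 42"   # constructed sample
    sig = sign(order, private)
    print("signature valid:", verify(order, sig, public))
    print("altered text valid:",
          verify(b"Transfer 900 dollars to account 42", sig, public))
    print("key recovered by factoring:", recover_private(public) == private)
```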
The National Institute of Standards and Technology (NIST) is in the process of recertifying DES as a national standard for the next five years. However, the security of DES in the future is worrisome to some scientists, who contend that advances in technology will soon make it possible to break DES by 'brute force,' using a powerful computer to try every possible combination of keys until the correct key is discovered. Indeed, in ten years, DES may no longer be secure.[18]

In contrast, SKIPJACK, the classified encryption/decryption algorithm used in the White House's key escrow ('Clipper') initiative, utilizes an 80-bit key, 24 bits longer than the 56-bit key used in DES. The interim report of the SKIPJACK evaluators chosen by NSA and NIST came to three conclusions:[19]

1. Under an assumption that the cost of processing power is halved every eighteen months, it will be 36 years before the cost of breaking SKIPJACK by exhaustive search will be equal to the cost of breaking DES today. Thus, there is no significant risk that SKIPJACK will be broken by exhaustive search in the next 30-40 years.

2. There is no significant risk that SKIPJACK can be broken through a shortcut method of attack.

3. While the internal structure of SKIPJACK must be classified in order to protect law enforcement and national security objectives, the strength of SKIPJACK against a cryptanalytic attack does not depend on the secrecy of the algorithm.

Other sources report that many industry representatives believe that processing power doubles about every six months to a year. This would reduce the "safe time" of the first point above to approximately 12-18 years, rather than 30-40 years.

Other escrow schemes are also available. Micali [20] has proposed a multikey escrow capability in which multiple trusted parties authenticate a message and/or allow eavesdropping.
In a recent unpublished paper, Desmedt, Frankel, and Yung state that threshold cryptosystems (as presented at recent Crypto, Asiacrypt, and Eurocrypt conferences) can have the same functionality as key escrow schemes without relying on "(expensive) tamperproof devices." [21]

The increasing use and availability of encryption technology logically accompanies the exponential increase in electronic communications over the past few years. Commercial use of the Internet has increased dramatically during the past two years, and noncommercial use is on the rise as well.[22] Indeed, as the New York Times whimsically notes, "Forget Elaine's. Internet is currently the world's most fashionable rendezvous." It touches down in 137 countries and links 15 million to 30 million people and is growing by a million users each month.[23]

This growth in the popularity of the Internet has created a demand for security. Electronic mail users who desire confidentiality and sender authentication increasingly are demanding encryption. Some are already using PGP. Others are starting to use Privacy Enhanced Mail (PEM), an Internet encryption mechanism which was funded by the Advanced Research Projects Agency of the Defense Department and has recently been introduced as a commercial product by Trusted Information Systems, Inc. It uses the DES algorithm for encryption and the RSA algorithm for sender authentication and key management.
Privacy Enhanced Mail also provides support for nonrepudiation; this allows the third-party recipient of a forwarded message to verify the identity of the message originator (not just the message forwarder) and to verify if any of the original text has been altered.[24, 25] Although PEM is not yet widespread, a number of vendors are offering it in conjunction with or integrated into their commercial electronic mail applications and the European Community has adopted PEM for its PASSWORD project [26], which is part of an attempt to establish a pilot security infrastructure for network applications for the European research community. Ironically, a Federally funded chip, Clipper, now is being pushed as a substitute for this mechanism which has already been paid for largely by government funds and is already in place.

The increasing number of electronic funds transfers (EFTs) between banks has necessitated the increasing use of message authentication systems, to determine if a message has originated from its proper source and to determine if there have been any modifications.[27] One institution alone, the Clearing House Interbank Payment System, currently moves an average of one trillion dollars each day via wire and satellite.[28] Strong encryption is necessary to provide security and authentication for these electronic money transfers (and is also why export restrictions on the DES algorithm have been relaxed for financial institutions).

Despite these leaps in technology, telefacsimile (fax) transmissions are not yet widely encrypted, even though fax is a widely used form of data communications. According to a Datapro 1993 report [27], there are only 11 encryption devices which accommodate FAX transmissions.
It is inconvenient to equip both the sending and receiving machine with compatible encryption before facsimile transmission; the fax protocol has no convenient place for inserting non-fax functions such as encryption; and, until recently, there has been little awareness of security threats among fax users. However, increasing use of fax transmissions by businesses who wish to keep their corporate information and finances confidential and an increasing awareness of the security problems will require the availability of more products which encrypt fax communications.

Credit cards and ATMs are the forerunners of what may soon become 'digital cash.' On the average, people use less pocket cash every year. Indeed, credit-card purchases are now used for one-tenth of all consumer payments.[29] David Chaum, head of the Cryptography Group at the Center for Mathematics and Computer Science (CWI) in Amsterdam, has proposed a distributed smart card system which, using public key cryptography, allows anonymous cash embodied by the cards to be used like real money.[28] This is another consequence of the increasing digitization of financial transactions: 'Ubiquitous digital cash dovetails well with massive electronics networks. It's a pretty sound bet the Internet -- today's version of the Net -- will be the first place that e-money will infiltrate deeply.' [29]

One of the consequences of an increasingly electronics-oriented economy will be the need to provide some amount of anonymity and privacy for users of such a digital cash system in order to ensure that electronic money remains anonymous and untraceable, except by the payer and payee. Government approval will be requisite for digital cash to gain full approval by the business community and public, and the government may require access to these transaction records to prevent what might otherwise become "perfect crimes." [30]

In conclusion, the current trends in encryption technology include increasing miniaturization, increasing use of public and private-key cryptography, and the continued development of increasingly secure algorithms. These trends are all coincident with the skyrocketing use of the Internet and other types of electronic communications, particularly electronic money communications.

3. MARKET ANALYSIS

The market for encryption products is rapidly growing.[27] This market trend is concomitant with the increasing use of personal computers, fax machines, and e-mail for electronic communications. A large encryption market has also arisen because of wireless communications, such as cellular telephones. There are already 12 million subscribers to cellular telephone services in the United States, and the trend is toward more wireless communications in the future. Since they are easier to intercept than wire-based ones, the demand for encryption technology will increase as concern for data integrity increases.[9]

This growth in the market for encryption is occurring both in the United States and abroad. According to International Resource Development, the U.S. data encryption market reached an estimated $384 million in 1991, and will jump to $946 million by 1996. The total worldwide market, estimated at $695 million in 1991, is predicted to grow at a similar rate, reaching $1.8 billion by 1996.[31]

The encryption market is no longer left to United States companies to dominate. A Software Publishers Association (SPA) survey shows 264 foreign encryption products and 288 domestic products.
These findings contrast sharply with the large global market shares (approximately 75%) enjoyed by United States software publishers and hardware manufacturers in other areas.[32] Of the 264 foreign products, 123 products use DES.[36]

Citing the relatively stringent export controls enforced by the United States government as being one of the main reasons for the increasing market share of foreign cryptographic products in the global market, many manufacturers are currently lobbying the government to relax these export controls in an effort to keep United States technology competitive abroad. The SPA claims that most software and hardware vendors, aware of these export controls, decide not to manufacture encryption technology because they realize that their very best technology cannot be exported. Thus, they claim, there are far fewer domestic vendors than would otherwise exist.[10]

Many commentators have speculated on the influence of the escrow encryption standard (Clipper) on the global market. Georgetown University Professor Dorothy Denning, one of the evaluators of the SKIPJACK algorithm used in the proposed key-escrow arrangement and an advocate of its deployment, states that if the technology provided by Clipper catches on, it could become the de facto standard in the United States, either the only device or the predominant device available on the market.[33]

Marc Rotenberg, director of the Washington office of Computer Professionals for Social Responsibility (CPSR), believes that the government would be able to wield considerable clout in making the key-escrow arrangement a de facto standard on the market.[13] He explains that the government can exert enormous authority on creating, developing, and enforcing technical standards through the procurement process. Through this procurement process, the government can require any manufacturer selling phones to the government or government contractors to install the key-escrow arrangement in their phones.
AT&T supplies an enormous amount of telecommunications services and equipment to the government, thus making the government one of AT&T's largest customers. In response to the Presidentially approved Clipper initiative, AT&T has started incorporating the key-escrow arrangement in some of its phones, a powerful illustration of the enormous spending power of the government.

However, the Federal government does not represent a large percentage of the market or the revenue for all American companies providing communications or computer technology. For example, Bill Ferguson of Semaphore Communications Corp. states that government purchases are less than one percent of Semaphore's global sales potential. With trade restrictions applied, the government still supplies less than five percent of Semaphore's expected sales.[34] Companies such as Semaphore and many represented by the SPA see foreign markets as potentially larger sources of income than the U.S. government and therefore want trade restrictions relaxed so that more market opportunities can open up. As it stands now, many in the encryption industry fear that products using the Clipper chip will be effectively unexportable due to United States government retention of the keys.[35, 36]

The Clinton administration has stated that use of a key escrow system will not be mandatory ("The Administration has progressed far enough in its review to conclude it will not propose new legislation to limit use of encryption technology.") [37]. However, if this decision were reversed (perhaps by a later administration), there is some danger that the proposed key-escrow arrangement could function as a 'Digital Volstead Act,' the 1920's prohibition on alcohol.
Like Prohibition and the organized crime that resulted from it, the key-escrow arrangement could encourage contempt for law enforcement and a complete disregard of the law.[35] Doug Miller of the SPA feels that a black market would almost certainly arise if the United States government makes some standard mandatory.[10]

Given the increased use of computers and networks, a steady increase in the market for encryption products is likely, as is a continued expansion into this market by foreign manufacturers. United States hardware and software producers, stymied by relatively stringent export restrictions imposed by the United States government and possibly further hindered by the necessity of accommodating what may be an unexportable Clipper standard, may find it even more difficult to remain competitive players in international markets.

4. EXPORT CONTROLS

Existing controls on the export of encryption software and hardware have been a topic of concern for United States manufacturers and vendors. Despite a February 1991 COCOM decision to decontrol all mass market software, including encryption software, as other commercial, dual-use items, United States export control policy continues to categorize many encryption items as 'munitions-related', thereby subjecting them to applicable export laws.[38] Anyone wishing to export the strongest encryption products is therefore required, under the Arms Export Control Act, to obtain individual licenses from the Office of Defense Trade Controls at the State Department (though some products of lesser strength are under the control of the Commerce Department).[39] This has led to a prohibition on export of encryption products using the popular and relatively powerful DES algorithm for file and data encryption (except for financial applications and use by subsidiaries of U.S. companies abroad).
Obtaining a license for these restricted encryption products includes a review of the product by the National Security Agency (NSA) to determine its exportability. According to Allan Suchinsky, Chief of Electronic and Combat Systems Licensing at the Office of Defense Trade Controls at the Department of State, this process normally takes between one and six weeks.[40] According to some officials and business people, however, a newly developed encryption product can actually take up to ten months to go through the review process, although products employing certain algorithms are either on a list of automatically approved items or eligible for 'fast track' consideration. In the high-tech arena where product cycles are often measured in months, large market shares can be lost due to such delays. Some industry representatives have complained that the average time it takes to obtain a similar license for encryption products outside the United States is much less.[34]

The market analysis above describes the steadily growing global market for strong encryption products, one that is potentially worth millions (if not billions) of dollars. But United States manufacturers believe that their hands are tied by stringent export laws which, for 'national security' reasons, prohibit the export of encryption products of DES strength or stronger to anyone other than financial institutions. They also believe that foreign manufacturers in Europe and elsewhere are not similarly restricted, and are free to manufacture and export DES- and RSA-based products.

This asymmetry in export laws has undesirable consequences for United States manufacturers of encryption products. DES-based products are already being used in encryption products manufactured in foreign countries including Japan, Russia, Germany, France, Austria, UK, Switzerland, Netherlands, Austria, Australia and Sweden.[32] The DES algorithm, in fact, is also freely obtainable via the Internet, as is DES-based encryption software.
The encryption 'genie' would appear to be out of the bottle, and at this point it is not clear to United States companies why the State Department is inhibiting the wide proliferation of DES technology [41], now that it is not in a position to prevent it.

Along with this, one must consider the trends towards implementation of encryption products in software, and the miniaturization of encryption hardware. Taken together, these trends indicate that it will become increasingly difficult to enforce the existing export laws, and tougher to prevent the spread of DES-caliber algorithms.

Despite this, many government officials have continued to speak strongly in favor of continued restrictions on DES, stating that attempting to control export of products using the algorithm still prevents a significant number of international terrorists, criminals, and unfriendly foreign powers from acquiring advanced encryption technology. As a result, they believe that export restrictions on DES remain in the United States' best interest, even if they may not always be fully effective.[40]

The current export restrictions have a detrimental effect on many U.S. companies. According to Addison Fischer of Fischer International, "export controls are estimated to have cost Fischer International millions of dollars in lost revenue for cryptographic products" [42] due to rejection by foreign customers of the weaker encryption products United States companies are forced to supply, lost sales opportunities, and delays with paperwork necessary for obtaining the appropriate licenses. And since DES is already easily available overseas, Fischer feels that existing export restrictions are simply placing an embargo on United States DES-based products. Similar complaints have been voiced by other United States companies. The Computer Systems Security and Privacy Advisory Board agrees that "current controls are negatively impacting U.S.
competitiveness in the world market and are not inhibiting the foreign production and use of cryptography [DES and RSA]." [43]

Thus, if the United States government continues to control DES-strength encryption manufactured in the U.S., the following results may come to pass:

* Foreign competitors of United States encryption companies will likely gain control of the global market for encryption products.

* United States companies will lose significant market share in the global market for encryption products. They are likely to lose sales opportunities as they compete in the electronic security market against products based on DES and RSA with their own weaker versions based on RC2 and RC4.

* DES strength encryption will continue to proliferate to foreign destinations, either through foreign companies or through the ever-growing Internet. The effort of current United States export policy to inhibit this by restricting exports on DES-based technology is unlikely to succeed.

* If, indeed, United States companies get displaced in the international encryption marketplace, United States 'national security' will also be threatened by a weakened domestic encryption (and computer) industry.

In July 1992, the Software Publishers Association reached an agreement with the Bush Administration that would permit an expedited 7-day review process for products based on RC2 and RC4 algorithms. These algorithms are still much weaker than DES; but they are also stronger than any other algorithms which were exportable prior to this agreement. This was an important development in the effort to decontrol the export of encryption products from the United States. Projecting forward from this milestone, it is likely that as the private sector continues to push for further relaxation of these controls, more and stronger encryption products will be put on similar 'autolists' for automatic export approval.
The Federal government seeks to encourage the use of key escrow systems for encrypting telecommunications.44 The standard proposed for these systems, the "Clipper" escrowed encryption standard,45 is particularly noteworthy in light of the fact that law enforcement officials, with a court order, can obtain both parts of a special key that enables them to decrypt transmissions encrypted with a particular chip. At the time of this writing, how Clipper will be treated for export purposes is not clear. If it is treated the same way as DES, it will certainly provide another example of the Byzantine nature of U. S. export policy. In any case, it is likely that foreign customers will reject these products, due to fears of both United States tampering and the possible existence of a secret 'trap door,' which would enable unauthorized parties to decrypt Clipper-encrypted transmissions, even without the escrowed parts of the special key. Chris Sundt of the multinational International Computers Ltd. (ICL) claims this very fear will be the basis of rejecting Clipper as an encryption alternative in international markets.46 Other United States based companies share his concern that the key escrow chip is effectively unexportable.47

In spite of the concerns described above, it appears unlikely that United States export laws will become as relaxed as those in many European countries. DES-based products for file and data encryption will probably not be removed from the munitions list in the near future. Almost everyone interviewed for this report felt that NSA will continue to play an increasingly dominant role in the debate over cryptography in the U.S., and will continue to have influence much stronger than NIST's on encryption policy issues. NSA will continue to strongly voice its opinions to the President and pressure him to keep DES-based encryption on the munitions list and under the jurisdiction of the Department of State.

5. PUBLIC POLICY ISSUES

5.1 EXECUTIVE BRANCH

Due to the increasing public availability of strong hardware- and software-based encryption products, a debate over their regulation and use is emerging.48 The debate over Clipper and regulation of other encryption technologies is, in many ways, the continuation of an ongoing discussion in the United States about the proper balance between national security and individual freedom of action. On one side of the debate are those agencies charged with defending America from crime, terrorism, and external threat, such as the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Central Intelligence Agency, the Department of State, and the Department of Justice. These powerful agencies, in turn, are challenged by advocacy groups and high-technology industries, which place a greater emphasis on individual rights, in particular personal privacy, or corporate profits. The United States Congress may play a major role in determining the balance between the two.

There are several powerful agencies which are leading the Administration's effort to control encryption technology. First and foremost among these is the National Security Agency, which for years was the sole controller of strong encryption in the United States. NSA has two primary goals on its agenda. The most overt one is the protection of United States national security, which the NSA does largely with the help of signal intelligence.49 If terrorists or foreign agents were to obtain and use strong encryption hardware or software, NSA's efforts to learn about and thwart their activities would be considerably more difficult.
Indeed, as Marc Rotenberg of Computer Professionals for Social Responsibility comments, the continued development of encryption technologies poses one of the most significant challenges the agency has faced during the post-Cold War era.13

Less obvious but also important is NSA's effort to protect its preeminent role in civilian cryptography. For years, NSA had almost complete control over developments in the encryption field. In recent years, however, this control has begun to erode as private firms and individuals have begun aggressively developing and using encryption technologies. The end of the Cold War and the assignment of responsibility by the Computer Security Act of 1987 50 for development of federal unclassified computer security standards (including cryptography standards) to NIST has threatened many aspects of NSA's traditional role. Doug Miller of the Software Publishers Association observed that 'NSA throughout its existence . . . has had every incentive to delay the inevitable' (individuals obtaining full control of their own cryptography).10

The FBI is primarily concerned with investigating serious crimes and thwarting domestic terrorism. In a small number of important cases, such as those involving drug trafficking, organized crime, or terrorism, the FBI gathers information via wiretaps. Indeed, wiretaps have been used to gather evidence in 90% of terrorism cases brought to trial.51 However, the FBI has not been able to point to a single case to date where encryption has hampered their investigation of a case. Several developments, however, are making these wiretaps progressively more difficult to conduct. Two of these are the increasing complexity of the United States telecommunications infrastructure and the gradual replacement of copper wires by fiber optics, which can carry thousands of conversations in a single strand of fiber.
Both of these changes make it more difficult for agents, even with phone companies' help, to isolate individual conversations.49 In addition, the development of publicly available encryption threatens to delay or prevent the FBI's ability to utilize the contents of these wiretaps. This poses serious risks to the lives and safety of the American people whom the FBI is charged to protect, especially in cases where the Bureau is relying on real-time interception of phone calls to protect citizens from harm or to apprehend a suspect.52 Most of the other executive agencies and departments involved in the regulation of encryption technology have similar agendas: protecting American citizens from harm and defending their areas of responsibility and influence within the government.49 There are Constitutional issues related to encryption controls, and the Clinton administration recognized this when it announced the Clipper initiative.44 Its later review has so far found no impinging on Americans' Constitutional rights.37 Our colleagues at the GW National Law Center basically agree.2,3 Other lawyers have differing points of view.53, 54 Professor James Chandler of the George Washington University National Law Center observes that some United States industries and proponents of individual rights tend to place a stronger emphasis on freedom of action than national security and thus oppose stringent limitations on encryption technology.55 The software publishing community and vendors of hardware-based encryption devices have generally focused their opposition on current United States export restrictions, which cost them millions of dollars annually.11 Making a somewhat different argument, individual rights advocacy groups such as Computer Professionals for Social Responsibility (CPSR) and the American Civil Liberties Union (ACLU) assert that government is too often intrusive in people's lives and needs to be restrained in this domain. 
As a result, they tend to oppose any policy initiative which would increase the ability of the government to monitor activities of persons.55

5.2 CONGRESS

Congress, with its power to make laws and oversee the activities of federal agencies, can be a significant factor in this ongoing debate. While the players named so far have their own, narrowly defined agendas, Congress' actions are more likely to pay closer attention to the will of the American people, on whose vote and support their jobs depend.

Indeed, this dynamic has already been demonstrated. In 1991, the FBI sponsored the Digital Telephony Proposal, which required telecommunications equipment manufacturers and service providers to make sure that their products had a built-in means whereby law enforcement officials could successfully tap into any conversation provided they obtained a warrant.1 This initiative was undertaken by the FBI in response to increasing fear that with the advent of digital phone lines, fiber optics, and advanced telephony in general, law enforcement might no longer be able to conduct wiretaps in the near future. Unfortunately for the FBI, the Digital Telephony Proposal angered a large number of voters and telecommunications equipment manufacturers, who in turn put pressure on their congressmen.10 As a result, the proposal was never allowed to reach the House floor.

Congress has very recently mandated a comprehensive study of cryptography technology and national cryptography policy by the National Academy of Sciences.56 Opponents pointed out that this proposal, while in some ways meritorious, might also have the effect of preserving the status quo for several years, even though the status quo was characterized by some as early as 1981 as needing to be "realigned to promote both national security, broadly defined, and encourage private-sector competence in designing and applying secure systems."57 The study will start up in late 1993 or early 1994.
Marc Rotenberg of CPSR observed that the FBI and NSA have learned from the fate of the Digital Telephony Proposal and have attempted to avoid Congressional intervention with the Clipper initiative by going through the White House instead of Congress. Barring such intervention at this point, he feels the administration will likely face only limited opposition within the Administration to the Clipper initiative.13 Thus, any slowdown of this initiative is more likely to materialize, if it does at all, in Congress. As more people perform an increasing number and range of transactions over electronic networks, they are becoming increasingly concerned about the integrity of their personal information and about maintaining their privacy. Of those interviewed in a Macworld poll released July 1993,58 78% expressed concerns about their personal privacy (up from 64% in 1978) and 68% felt their privacy was threatened by computers (up from 38% in 1974). Other independent surveys confirm this trend.59 While many of the survey results relate specifically to databases, often in specific sectors such as credit reporting, computer systems as a whole, including those with insecure communication lines, are coming under increasing scrutiny. Congress will be placed under escalating pressure to pass new laws governing information technology, especially with the increased attention being devoted to the design and development of the National Information Infrastructure.60 Congress' decisions in this area and indeed the outcomes of the debate over encryption policy in general will be the result of the ongoing struggle in American society among government, individuals, and industries. Although this struggle will likely result in oscillations in policy, national security may be gradually redefined in terms of economic security. This is the expectation of Professor James Chandler,55 who anticipates that controls on the export of encryption hardware and software will eventually be lifted. 
There are already some signs that Congress may be willing to ease restrictions on the export of encryption products and perhaps in other encryption-related areas as well. In early 1991, the Software Publishers Association suggested an amendment to the renewal of the Export Administration Act that would have transferred authority over software exports to the Commerce Department. This amendment, the Levine Amendment, was accepted by the House Foreign Affairs Committee, prompting aggressive lobbying by the National Security Agency of key congressmen in order to prevent inclusion of this amendment in the reauthorization bill. Despite this lobbying, the full House kept the amendment in the Export Administration Act reauthorization.61 NSA later succeeded in persuading President George Bush to promise a veto of any reauthorization bill which included the Levine Amendment or similar provisions, but this incident does demonstrate Congress' more liberal stance on encryption export regulation. And, of course, there is a different administration now in power. H. R. 3627, introduced in the closing days of Congress' 1993 session,62 effectively does the same thing, and it is conceivable that it will pass in 1994.

5.3 TRENDS

To summarize public policy trends,

* Due to their strong emphasis on national security and fighting crime, the FBI and the NSA will continue to advocate restraints on encryption technology and encourage the development of encryption devices and telecommunications systems which allow the government to continue conducting wiretaps.

* The National Security Agency is likely to continue protecting its 'turf' by advocating continued restrictions on encryption technology. It may attempt to expand its domain within the government, most likely at the expense of NIST.
* As part of its efforts to reassert its control over encryption technology, the NSA will likely continue to favor closed forums where it can present sensitive, classified material which may not have been obtained had U. S. enemies been able to obtain effective encryption. These forums, such as the National Security Council, will be favored by them over open ones. The agency will continue its effort to keep relevant decisions out of the hands of Congress.

* Many high-technology industries, particularly software publishing, will place increasing pressure on the government to liberalize restrictions on the use and export of encryption software and hardware.

* Since the encryption policy issue has now been politicized,63 any action taken to reverse the Clinton administration's progress on the Clipper initiative or the current system of export controls will involve Congress as well as the executive branch. The judicial branch (notably the Supreme Court) has not had occasion to rule on the issues surrounding the debate.

6. POTENTIAL SCENARIOS

If and when a new cryptography policy emerges, there will be winners and losers among the pool of 'players,' a pool that roughly consists of law enforcement agencies, United States manufacturers and vendors of encryption products, and the United States public. Based on the results of the preceding analysis, four scenarios can be envisioned.

1. Complete decontrol of cryptography. The use of strong encryption by the United States public, as well as its export by United States manufacturers, could be completely decontrolled by the government at the direct expense of law enforcement and national security. This would please some members of the public, for they would have maintained control over their privacy. United States manufacturers of encryption products would also likely benefit from this move.

2. Domestic decontrol of cryptography with export regulations. Strong encryption could remain decontrolled for use by the general public, but strict regulations would remain on its export. While the American public would still be relatively content, United States industries would lose sales and potential market share due to exclusion from the lucrative international market for encryption products. The large domestic market, however, would remain open, guaranteeing some revenues for encryption product manufacturers.

Law enforcement agencies, on the other hand, would lose in the short term in either of these scenarios, because their electronic surveillance abilities would be diminished.

3. Voluntary escrowed encryption. Escrow a de facto standard. (This is the Clinton administration's proposed scenario.) The escrowed encryption standard could become a de facto national standard for voice, fax, and data communications over the public switched telephone network. While other encryption products would be built, they would gain little market acceptance because of demand for interoperability. Thus, law enforcement would be able to listen in on most transmissions. The encryption technology might be exportable to countries that implemented the same or a similar scheme and agreed to cooperate in international investigations. United States manufacturers might gain or lose in this scenario; they would gain only if Clipper received widespread acceptance. Law enforcement agencies would gain.

4. Mandatory escrowed encryption. The government could choose to keep complete control over encryption and enforce a technology similar to the escrowed encryption standard. Law enforcement agencies would come out as winners for having maintained their surveillance capabilities. But a black market for foreign encryption products smuggled into the United States would probably be created by members of the public, including criminals, who desire more secrecy.
How United States companies would react in this scenario depends on whether this government-enforced standard is designed to be exportable or not. If it is unexportable, United States companies currently involved in the manufacture and sale of encryption products would be almost completely blocked from the international market and would be restricted to marketing the government-enforced standard domestically. This would result in considerable financial loss for the industry. Some observe [65] that mandatory escrowed encryption can never be exportable, since if it were then products would be used in one country whose keys were escrowed elsewhere (or not at all), and this would not come to the attention of the exporting country's authorities until they attempted to snoop on someone; they would be reduced to prosecuting that person, if at all, for using a non-escrowed encryption device. If, on the other hand, the standard is an exportable item, and designed with an eye to the requirements of the international market, then United States companies would be better off and could maintain a level of international economic competitiveness.

It is very difficult to determine which scenario is most likely and what its consequences really might be. The policy debate has to date been carried out with each side making their own assumptions, not all of which are publicly stated. The economic implications for the Clipper proposal have not been examined adequately.43 Use of an explicit model of the situation would make these assumptions explicit, thus contributing to an informed discussion.

Recently, a user-friendly computer model64 based on an Excel spreadsheet has been developed to investigate the costs, risks, and benefits of issues related to the National Information Infrastructure. Issues addressed include digital telephony, export controls of cryptography, key escrow systems, security features in communications hardware, etc.
It is designed to allow users with varying political perspectives to make tradeoffs based on varied parameter values, which the users have complete control over. While conceding that no mathematical model can adequately represent intangible values or political tradeoffs completely, it offers a useful first step towards a common ground for analyzing at least some of the problems described above. It has recently been offered both to government and its opponents in the key escrow debate. Though it is beyond the scope of this particular project, some of the investigators of this study plan to use it to further explore the scenarios above.

REFERENCES

1. Dorothy Denning, "To tap or not to tap?" Communications of the ACM vol. 36, no. 3 (March 1993): 25-44.
2. J. Chandler, D. Arrington, and L. Gill, "Issues Regarding the Use of Cryptographic Technologies in the Commercial Sector," George Washington University, National Law Center, 1993.
3. J. Chandler, D. Arrington, and L. Gill, "Foreign Encryption Technology Controls," George Washington University, National Law Center, 1993.
4. National Bureau of Standards, "Data Encryption Standard," FIPS PUB 46, (Washington, D. C.: January 1977).
5. G. Simmons, Contemporary Cryptology (Piscataway, NJ: IEEE Press, 1992).
6. Dorothy Denning, Cryptography and Data Security (Reading, Massachusetts: Addison-Wesley, 1982).
7. R. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM (February 1978): 120-126.
8. W. Diffie and M. E. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, vol. IT-22 (November 1976): 644-654.
9. Peter Wayner, Statement in "Cryptographic Issue Statements Submitted to the Computer System Security and Privacy Advisory Board," by NIST, 27 May 1993, pp. 13-17.
10. Douglas Miller, Interview by Steven Heckler and Ann Huybrechts, 26 July 1993, Software Publishers Association, Washington, D. C.
11. Martin Hellman (Stanford University electrical engineering professor), Interview by Faraz Ali, 11 August 1993, phone.
12. Ilene Rosenthal, Testimony before the Computer System Security and Privacy Advisory Board, 3 June 1993.
13. Marc Rotenberg (Computer Professionals for Social Responsibility), Interview by Steven Heckler and Ann Huybrechts, 27 July 1993, Washington, D. C.
14. Ivars Peterson, "Encrypting Controversy," Science News, 19 June 1993, 394-396.
15. Jim Bidzos, Private communication with Lance J. Hoffman, 3 November 1993.
16. Philip Zimmermann, Pretty Good Privacy 2.2 Manual, 6 March 1993.
17. Peter Schweitzer, Statement in "Cryptographic Issue Statements Submitted to the Computer System Security and Privacy Advisory Board," by NIST, 27 May 1993, 200-203.
18. Dorothy Denning, Testimony before the Computer System Security and Privacy Advisory Board, 29 July 1993.
19. E. Brickell et al., "SKIPJACK Review Interim Report: The SKIPJACK Algorithm," 28 July 1993, Posted on sci.crypt and many other places on the Internet. Available from NIST.
20. S. Micali, Fair Cryptosystems, Report MIT/LCS/TR-579.b, MIT Laboratory for Computer Science, Cambridge, Mass, November 1993.
21. Y. Desmedt, Y. Frankel, and M. Yung, "A Scientific Statement on the Clipper Chip Technology and Alternatives," paper distributed at the Clipper session of the 16th National Computer Security Conference, 21 September 1993.
22. Gary H. Anthes, "Use outpaces addresses on Internet," Computerworld vol. 27, no. 17 (26 April 1993): 51-52.
23. John Markoff, "Thing," The New York Times, 5 September 1993, Section 9, p. 11.
24. Stephen Kent, "Internet Privacy Enhanced Mail," Communications of the ACM vol. 36, no. 8 (August 1993): 48.
25. Stephen Crocker, "Internet Privacy Enhanced Mail," The Third CPSR Cryptography and Privacy Conference Source Book, 7 June 1993.
26. Peter Williams, OSISEC Introduction and Overview, University College, London, 15 April 1993.
27. Datapro, Inc., Datapro Report on Encryption Devices, Delran, NJ, March 1993.
28. David Chaum, "Achieving Electronic Privacy," Scientific American vol. 267, no. 2 (August 1992): 96-101.
29. Kevin Kelly, "E-Money," Whole Earth Review, Summer 1993.
30. S. Von Solms and D. Naccache, "On Blind Signatures and Perfect Crimes," Computers and Security vol. 11, no. 6 (October 1992): 581-583.
31. International Resource Development, Data, Fax, and Voice Encryption Equipment Worldwide, Report #782 (December 1991), New Canaan, CT, pp. 267-271.
32. Douglas Miller, Statement before the Computer System Security and Privacy Advisory Board, 1 September 1993.
33. Dorothy Denning, Interview by Steven Heckler and Ann Huybrechts, 26 July 1993, Georgetown University, Washington, D. C.
34. William Ferguson, Testimony Before the Computer System Security and Privacy Advisory Board, 29 July 1993.
35. Lance J. Hoffman, "Clipping Clipper," Communications of the ACM vol. 36, no. 9 (September 1993): 15-17.
36. Stephen T. Walker, Testimony before the Subcommittee on Economic Policy, Trade and Environment of the Committee on Foreign Affairs of the U. S. House of Representatives, 12 October 1993.
37. J. Podesta, White House memo to Jerry Berman, Digital Privacy and Security Working Group, on Key Escrow Encryption Technology, July 29, 1993.
38. L. E. Christensen, "Technology and Software Controls" in Law and Policy of Export Controls: Recent Essays on Key Export Issues, Section of International Law and Practice of American Bar Association, August 1993, pp. 3-33.
39. International Traffic in Arms Regulation (ITAR), 22 CFR 120-130.
40. Allan Suchinsky, Presentation at George Washington University, Washington, D.C., 30 June 1993.
41. Edward Regan, "United States Business Views On Encryption and The Key Escrow Chip," Testimony before the Computer System Security and Privacy Advisory Board, 30 July 1993.
42. Addison Fischer, Statement in "Cryptographic Issue Statements Submitted to the Computer System Security and Privacy Advisory Board," by NIST, 27 May 1993, pp. 204-215.
43. Computer System Security and Privacy Advisory Board Resolution 93-5, 1-2 September 1993.
44. The White House, Press release concerning the key escrow initiative, 16 April 1993.
45. National Institute of Standards and Technology, "A Proposed Federal Information Processing Standard for an Escrowed Encryption Standard (EES)," Federal Register vol. 58, no. 145 (30 July 1993): 40791-40794.
46. Chris Sundt, Testimony before the Computer System Security and Privacy Advisory Board, 29 July 1993.
47. Testimony of representatives from Fischer International, Hewlett-Packard, and Racal-Guardata before the Computer System Security and Privacy Advisory Board, 29 July 1993.
48. Clark Weissman, "A national debate on encryption exportability," Communications of the ACM vol. 34, no. 10 (October, 1991): 162.
49. Lou Giles, Presentation delivered at George Washington University, Washington, D. C., 4 August 1993.
50. Computer Security Act of 1987, Public Law 100-235 (H.R. 145), 101 Stat. 1724-1730.
51. James Kallstrom, Testimony before the Computer System Security and Privacy Advisory Board, 29 July 1993.
52. Alan MacDonald, Interview by Steven Heckler, 22 July 1993.
53. Statement of the American Civil Liberties Union in "Cryptographic Issue Statements Submitted to the Computer System Security and Privacy Advisory Board," by NIST, 27 May 1993, pp. 195-199.
54. Digital Privacy and Security Working Group, white paper on key escrow encryption technology, 30 September 1993.
55. James Chandler, Interview by Faraz Ali and Steven Heckler, 6 August 1993, George Washington University, Washington, D. C.
56. National Defense Authorization Act for Fiscal Year 1994 (H.R. 2401, Sec. 267).
57. V. C. Walling, Jr., D. B. Parker, and C. C. Wood, "Impacts of Federal Policy Options for Nonmilitary Cryptography," SRI International Research Report 32, April 1981, Menlo Park, CA.
58. Charles Piller, "Privacy in Peril: Macworld Special Report on Electronic Privacy," Macworld, vol. 10, no. 7, July 1993, pp. 8-14.
59. L. Harris and Associates, Harris-Equifax Consumer Privacy Survey 1992, New York: Louis Harris and Associates, 1992.
60. Information Infrastructure Task Force, The National Information Infrastructure: Agenda for Action, Department of Commerce, 15 September 1993.
61. Jonathan Groner, "When it Comes to Software, U.S. Sees Military Hardware; Concern over Spread of Encryption Codes Hurts Exports," The Connecticut Law Tribune, 21 December 1992, p. 12.
62. H. R. 3627, "A Bill to Amend the Export Administration Act of 1979 with respect to the control of computer and related equipment," 1993.
63. J. Mintz and J. Schwartz, "Encryption Program Draws Fresh Attacks," The Washington Post, 18 September 1993, p. C1.
64. Dave Kohls and Lance J. Hoffman, "TurboTrade: A National Information Infrastructure Cost/Risk/Benefit Model," Report GWU-IIST-93-17, Department of Electrical Engineering and Computer Science, The George Washington University, Washington, D. C., September 1993.
65. R. Needham, private communication, 21 December 1993.