The Key to the Kingdom

Knowing that the US government can demand access to 56-bit encrypted information clearly compromises privacy.

Mark Smith

May 31, 1997


During World War II, the US assembled the largest intelligence organization in the world. The organization's code crackers were responsible for deciphering the messages the Germans sent to their U-boat fleet. This tactical effort contributed to Germany's defeat and changed the balance of power on the seas. The same intelligence team deciphered Japanese messages, giving the Allied forces a strategic edge in winning the war in the Pacific.

In this climate of wartime code breaking, the US government issued a law prohibiting US companies from exporting any software with an encryption scheme exceeding 40 bits. The government's idea at that time was to prevent any other country from using US technology against the US.

Several years ago, a developer named Phil Zimmermann challenged this law by creating a free email encryption program called Pretty Good Privacy (PGP). A user decided to post this program on the Internet, and users from all over the world downloaded it. Because PGP used an encryption algorithm beyond 40 bits, the government accused Zimmermann of violating the 50-year-old law. After many trials, the government finally dropped the charges. However, the law is still in effect, and the US government promises to prosecute any violators.

Today, non-US companies can ship products with encryption schemes greater than 1000 bits, leaving US companies at a competitive disadvantage. US companies face creating two versions of their software--one for domestic use and one for export. This restriction is too expensive.

Recently, legislators introduced a bill in Congress to let US companies distribute 56-bit encryption products. Such products are 65,000 times as powerful as their 40-bit counterparts. However, the Clinton administration is saying this proposal would prevent law enforcement officials from deciphering messages sent by terrorists, drug dealers, and other criminals. The government will let a US company export products with 56-bit encryption if the company agrees, in future versions, to let an authorized US government representative access the decryption key on request (for details about these developments, visit http://www.privacy.org/ipc/crypto_regs_1296.html).

Windows NT has become the strategic software platform for email, computer telephony, Internet, intranet, electronic commerce, and other products that require encryption. US vendors are shipping such products all over the world, and all kinds of organizations, including foreign governments, are using these products.

Letting the US government place an "email tap" on a US citizen is one thing, but giving the US government the ability to decipher messages sent by employees from a foreign government is scary. The CIA will no longer need to send operatives to other countries; the CIA can get whatever information it wants from a PC attached to the Internet.

Microsoft has developed the CryptoAPI, which lets developers put a layer between their security code and the encryption algorithm. Using CryptoAPI, a software vendor could create one version of its application that would work with any encryption algorithm. If the product is shipping within the US, the vendor could include a strong encryption scheme. The same vendor could adopt a non-US-based encryption scheme (say one from France) and ship it with products from that non-US country. This approach is an elegant way around the problem.

I encourage all NT-based software vendors to avoid the temptation of making the deal with the US government. Support the bill currently in Congress that allows unrestricted export of 56-bit encryption technology. Meanwhile, develop your software with CryptoAPI or something similar. In other words, don't stop working on encryption--we need it.

If you are considering buying a product that has 56-bit encryption today, consider the deal that has been made behind the scenes. Giving the US government access to that kind of key is like the apple in the Garden of Eden--it's too tempting. I want to know that something I've encrypted is readable only by the person I want to receive it--period.

Certainly, I don't want to prevent law enforcement from doing its job, but people who want to send secret messages will figure out a way. During World War II, the US Army came up with a unique encryption method: Navajo translators encrypted messages by translating them into the Navajo language. The opposition never cracked that low-tech scheme.

Likewise, criminals who want to hide their deeds will find a way to do it. Don't let the political spin on this issue fool you--the stakes are high. We have all come to depend on the Internet as a secure means for conducting communications and business worldwide. Knowing that the US government can demand access to 56-bit encrypted information on a whim clearly compromises privacy and the ability to conduct business over the Internet.
