The following text is copyright 1997 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.
Hooded Freedom
This is not the first column I've written about the US policies on encryption technology and I fear it will not be the last. According to The New York Times, the Clinton administration is quietly circulating proposed legislation that would mandate the inclusion of key escrow features in any encryption software distributed in the US. At this time they are not proposing that use of the features also be mandated, just that they must be included in all software. If this is true, it is either a very fast turnaround or another example of the perfidy that passes for normal discourse in Washington, since as recently as Sept. 4th Heidi Kukis, a spokesperson for Vice President Gore, said there was no such effort and that "The administration does not support domestic controls on encryption."
Kukis's statement came in response to the testimony of FBI Director Louis Freeh in front of a Senate Judiciary Subcommittee. In his testimony Freeh said that "if we had legislation that required the immediate decryptability of any product used, sold or distributed in the United States, our domestic law enforcement interests would be protected." While asking for new laws he stated more than once that "we're not asking for any new powers or new authorities."
At least three questions are raised here: would the requested laws be effective, is the proposal secure and are they asking for new powers?
Very good non-key escrow encryption technology is freely available today. MIT, one of many sites around the world distributing PGP (an encryption package), has been distributing 300 to 500 copies of PGP per day for more than two years. (http://bs.mit.edu:8001/pgp-form.html) In light of this level of existing distribution it is very hard to see how establishing rules for new software in the US will make the existing software go away - or are they depending on bit rot? Are the drug dealers, spies and terrorists so dumb that they cannot find existing software or buy a copy from someplace that has not outlawed it?
It is hard to judge how secure a system this could be, since the details of how the escrow agents themselves would operate are yet to be disclosed, but there is more than a little bit of an all-eggs-in-one-basket feeling here. Just how hard would it be for someone who really wanted to know a particular escrowed key to persuade, with money or threats, a system operator with legitimate access to the information?
Even without requiring the escrow features to be turned on they are asking for new powers (and if this passes expect the on/off switch to go away soon). Before this proposal, even though the law could listen in, there was nothing that said that they had to be able to understand what was being said. This proposal is the equivalent of requiring that you speak English when talking on the phone.
The poet Robinson Jeffers, speaking to America about freedom, wrote "You will tame it against it burn too clearly, you will hood it like a kept hawk, you will perch it on the wrist of Caesar." These proposals do little but bind our freedom.
disclaimer: Although Harvard has been on the side of freedom for rather many years, long before the US was the US, the above warning is my own.