Texas Review of Law & Politics
Fall, 1999
4 Tex. Rev. Law & Pol. 77
* Counsel, Better Business Bureau's Children's Advertising Review Unit. At the
time this speech was given, Ms. Sehgal was counsel for the ACLU.
SUMMARY:
... There is a solid consensus in the scientific, business, and privacy
communities that strong encryption is vital for the continued growth of
electronic commerce. ... If strong encryption can protect trade secrets and
sensitive business information thereby reducing economic espionage--which it
can--it also can support the job of law enforcement. ... Citing vague threats
and reports about teenage hackers, government authorities repeatedly claim that
strong encryption will mean that lives will be lost because law enforcement's
ability to investigate crime will be compromised. ... Fighting terrorism has
been the rationale for the ever-expanding role of federal agencies and enhanced
surveillance techniques, such as the Communications Assistance for Law
Enforcement Act (CALEA). ... The rules continue to limit the export of strong
encryption products and require that all American companies or individuals
seeking to export products receive approval by the Department of Commerce. ...
The U.S. standard--limiting exports to 56-byte encryption--has long outraged
privacy advocates and the computer industry because it has effectively served to
halt the development of new technologies. ... By overstating the utility of
electronic surveillance in law enforcement, the administration ignores
cryptography's critical role in preventing crime and protecting national
security. ...
TEXT:
[*77]
There is a solid consensus in the scientific, business, and privacy communities
that strong encryption is vital for the continued growth of electronic commerce.
Without strong encryption, online commerce will leave users far too vulnerable
to thieves, hackers and nosy neighbors. Weak encryption technology will
compromise efforts to communicate with dissidents in tyrannical countries, and
it will compromise the security of sensitive medical and financial information
that is exchanged daily in electronic form. In a landmark presidential
commission report, the National Research Council warned that the failure to
implement strong encryption mechanisms for computer networks would result in
system vulnerability that could compromise United States' security. n1 The
report concluded that strong encryption is necessary to protect national
security, stating,
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n1. National Research Council, National Academy of Sciences, Cryptography's Role
in Securing the Information Society C-2 (1996).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
If strong encryption can protect trade secrets and sensitive business
information thereby reducing economic espionage--which it can--it also can
support the job of law enforcement. If cryptography can help protect nationally
critical information systems against unauthorized penetration--which it
can--then it can also support the national security of the United States. n2
Thus, the restrictions on encryption actually create an environment in which
criminals and terrorists flourish with impunity due to the ease with which they
can break into computer systems.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n2. National Research Council, National Academy of Sciences, A Note from the
Chair, in Cryptography's Role in Securing the Information Society (1996).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
[*78] Despite encryption's protective powers, the government has relentlessly
sought to limit its availability in order to maintain sweeping surveillance
techniques. Citing vague threats and reports about teenage hackers, government
authorities repeatedly claim that strong encryption will mean that lives will be
lost because law enforcement's ability to investigate crime will be compromised.
n3 Through this rhetoric, they have held closed-door meetings with Congress to
prevent the passage of any bills that would lead to the relaxation of encryption
exports. n4 They have also, for the first time, acknowledged that what they want
is backdoor access to keys for all domestic communications made by Americans. n5
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n3. See generally Federal Bureau of Investigation, Encryption: Impact on Law
Enforcement (1999).
n4. See id. at 9.
n5. See Id. at 7-8. But see Export Administration Regulations, 50 C.F.R. 740.8,
740.17, 742.15 (1999). The Clinton Administration has amended these regulations
- effective December 15, 1999 - to permit U.S. companies to export their
encryption products to any non-governmental end-user on the planet, following a
one-time technical review. See Administration Announces New Approach to
Encryption, 37 Weekly Comp. Pres. Doc. (Sept. 16, 1999).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Even members of the administration have acknowledged the inferiority of this
approach. In a memo obtained earlier this year by civil liberties groups,
William Reisch, the Commerce Department's Undersecretary for Export,
acknowledged that key escrow encryption is more costly and less efficient than
non-escrowed systems. Why, then, has the United States' policy remained so
restrictive? Any discussion of cyberterrorism threats and encryption needs to be
seen as part of a larger set of issues about the power and authority of the
federal government in the electronic age.
Increasingly, the threat of terrorism is used as a justification for federal
surveillance power. Often, however, there is little or no support for such
claims. Fighting terrorism has been the rationale for the ever-expanding role of
federal agencies and enhanced surveillance techniques, such as the
Communications Assistance for Law Enforcement Act (CALEA). n6 CALEA is a
multi-billion dollar plan that has given federal agents the cover [*79] to
require that digital telephone providers make all phones capable of being tapped
on demand. n7 Interestingly enough, in looking to create programs like CALEA,
the Federal Bureau of Investigation (FBI) has repeatedly stated that it is not
looking for additional authority to conduct these surveillance techniques. n8
The FBI asserts that these surveillance techniques are merely a continuation of
the capabilities that we currently have. Such arguments have been heard at every
level when the American Civil Liberties Union (ACLU) has tried to have open
discussions about the implementation of CALEA. In contrast to that argument, we
have since witnessed the use of unprecedented and unimagined new powers. For
example, the Federal Communications Commission (FCC) is currently considering a
proposal by the FBI under CALEA that would require that all cell phones be used
as location-tracking devices or be capable of being used as location-tracking
devices. n9 Interestingly, just a month and a half ago, as I was sitting in a
meeting with the Attorney General herself, high level members of the FBI who
have been advocating resolution of CALEA promised us that location tracking was
something that they would not seek.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n6. Communications Assistance for Law Enforcement Act, Pub. L. No. 103-414, 108
Stat. 4279 (codified in scattered sections of 47 & 18 U.S.C.) (1994); see also
Bruce Schneier & David Banisar, Electronic Privacy Papers ch. 10 (1997)
(containing reprinted copies of declassified executive branch documents obtained
by the Electronic Privacy Information Center under the Freedom of Information
Act, including detailed discussions of the increased use of surveillance and
insight into the government's desire for enhanced capabilities).
n7. Comments filed with the FCC by the American Civil Liberties Union,
Electronic Privacy Information Center and Electronic Frontier Foundation, in The
Matter of Communications Assistance for Law Enforcement Act, CC Docket No.
97-213 (Dec. 12, 1997). Reply Comments filed with the FCC on Communications
Assistance for Law Enforcement Act (Feb. 11, 1998).
n8. See FCC Proposes Rules to Meet Technical Requirements of CALEA, FCC News,
Oct. 22, 1998 (news release) (visited Oct. 20, 1999)
<http://www.epic.org/privacy/wiretap/calea/fcc release 10 22 98.html>.
n9. See, e.g., Frank James, FCC Cell Phone Proposal Spurs Privacy Alarms, Chi.
Trib., Sept. 10, 1990, at 1 (noting that the FCC wants to make mobile phones
disclose their locations when used to place emergency 911 calls).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
History has shown us that each time the FBI has asked for a surveillance
capability, it has gotten far more than the public had expected. Fighting
terrorism has been behind the Clinton Administration's refusal to relax
restrictions on exports and the use of strong encryption. Across the board, the
administration has ignored the importance of privacy safeguards.
All of us on this panel can agree that fighting terrorism and crime is a
laudable objective. The question is what price we are willing to pay to
accomplish that objective, and whether in the process we will do unacceptable
harm to freedom and individual liberty by employing these crime-fighting
techniques. [*80] Surveillance techniques are extremely devastating to
individual privacy. For example, wire tapping has always picked up far more
innocent communications than incriminating ones. n10 This problem has become
worse in recent years as the number of wiretaps per year has increased
dramatically. n11 In fact, from 1989 through 1996 the courts denied only one
order for a wiretap. n12 In the past decade, the number of wiretaps per year has
more than doubled n13 even though wiretapping is relatively expensive. n14 By
the government's own statistics, wiretapping is almost never used to investigate
bombings, arson, or firearm violations. n15 Instead, it is routinely used for
non-violent offenses, including gambling and drug sales. n16
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n10. See, e.g., Scott v. U.S., 436 U.S. 128 (1978) (upholding wiretapping where
40% of intercepted conversations were relevant to the investigation); Ozar v.
U.S., 50 F.3d 1440, 1448 (8th Cir. 1995) (upholding wiretapping where 2.75% of
intercepted conversations were relevant).
n11. Statistics Division, Admin. Office of the U.S. Courts, Wiretap Report 7
(1997).
n12. See id. at 7, 29.
n13. See id. at 7.
n14. See, e.g., Jim McGee, Wiretapping Rises Sharply Under Clinton; Drug War
Budget Increases Lead to Continuing Growth of High-Tech Surveillance, Wash.
Post, July 7, 1996, at A1.
n15. See Wiretap Report, supra note 11, at 8.
n16. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Privacy advocates in the United States are not alone in fearing the growth of
Big Brother. This September, in response to increasing reports about abuses by
law enforcement agencies, the European Parliament announced that it will
investigate the practices of a decade-old, massive American-British spying
system called Echelon. n17 The European Union Report charged that within all of
Europe, e-mail, telephone, and fax communications are routinely intercepted by
the USNSA, transferring all target information from the European mainland to Ft.
Meade in Maryland. n18 The report calls for the adoption of protective measures
for economic information and effective encryption to guard against abuse and
threats to civil liberties posed by the clandestine intelligence system. n19
Seen through the context of enhanced surveillance, it becomes clear that
government control of encryption through restrictions on its [*81] strength
and key escrow requirements is the key to controlling a new era of wiretapping
in the digital as well as the analog age.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n17. See Niall McKay, Eavesdropping on Europe, Wired News (last modified March
27, 1999) <http://www.wired.com/news/print version/politics/story/15295.html>.
n18. See id.
n19. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Of course, cryptographic techniques have been around for thousands of years. In
fact, when James Madison and Thomas Jefferson exchanged correspondence before
the signing of the Declaration of Independence, they carefully encoded their
messages to preserve the confidentiality of their letters. And on that point, I
would argue that the legal history of Fourth Amendment protections is quite
different from what Robert Litt has suggested. n20 I would argue that--as
Justice Brandeis said in his famous dissent in Olmstead n21--the framers of our
Constitution sought to protect Americans in their beliefs, their thoughts, their
emotions, and their sensations. n22 They conferred, as against the government,
the right to be let alone, the most comprehensive of rights of man and the right
most valued by civilized men. n23 Thus, the right to privacy in our
communications, though not explicitly mentioned in the Constitution, was
certainly a right that was contemplated.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n20. See Robert S. Litt, Crime in the Computer Age: The Law Enforcement
Perspective, 4 Tex. Rev. L. & Pol. 59, 66 (1999).
n21. Olmstead v. United States, 277 U.S. 438 (1928) (Brandeis, J., dissenting).
n22. Id. at 478.
n23. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
According to a recent survey by the Global Internet Liberty Campaign, only five
countries currently have strong domestic controls of cryptography, and even
fewer nations are considering new controls. n24 Moreover, most nations have
rejected export limitations on encryption, n25 recognizing that encryption is
not a weapon, but a defensive tool that protects critical computerized
infrastructures.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n24. See Global Internet Liberty Campaign, Cryptography and Liberty 1998: An
International Survey of Encryption Policy (Feb. 1998)
<http://www.gilc.nl/crypto/crypto-survey.html>.
n25. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Notwithstanding the international recognition of the importance of strong
encryption, United States policy remains excessively restrictive and outdated.
While the United States announced that it was relaxing its policy in September,
n26 the relaxation offers little comfort. Even under the new rules, [*82]
encryption software is classified as munitions. n27 The rules continue to limit
the export of strong encryption products and require that all American companies
or individuals seeking to export products receive approval by the Department of
Commerce. n28 Some products may be exported only where the government has access
to encryption keys, even though extremely strong encryption programs are readily
available in foreign markets. In fact, just yesterday, I did a simple search on
Yahoo!© to see what types of encryption programs are downloadable, and I found a
wide array of encryption programs that far exceeded the U.S. byte standard. n29
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n26. See Frank Hayes, The feds crack the code; It's your turn to get the
message: Start encrypting - now, Computerworld, Sept. 21, 1998, at 12.
n27. See John Leyden, Security; U.S. Strong Encryption Rules to Be Relaxed
"Selectively', Network News, Sept. 8, 1999, at 1.
n28. See Jack McCarthy, Clinton relaxes encryption export controls, InfoWorld,
Sept. 20, 1999, at 5.
n29. Under U.S. rules, the strongest encryption is 56-byte encryption, a
standard that was established by the government in 1977. Since then, the
government has claimed that the vast difficulty and expense in cracking the
standard makes it sufficiently safe and anything stronger would be unnecessary
and could be used, as Mr. Litt said, by criminals.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The U.S. standard--limiting exports to 56-byte encryption--has long outraged
privacy advocates and the computer industry because it has effectively served to
halt the development of new technologies. It is even more absurd when you
consider how readily stronger products are available abroad and on the Internet.
But this summer, scientists and civil libertarians together proved the
inaccuracy of the claims that 56-byte encryption was enough. n30 Using
relatively inexpensive technology, which is infinitely scalable, they cracked
the 56-byte standard. n31 Interestingly, just weeks before they cracked the
standard, Mr. Litt argued that the standard could not possibly be broken, even
by the National Security Agency's supercomputers. n32 Needless to say,
cryptography experts chuckled at that claim. In fact, opponents continue to
argue that cracking encryption will still take too long and that it will hamper
law enforcement's ability to investigate. But these claims are even more
implausible when one considers the fact that most investigations involving
surveillance and wiretapping take place over the course of weeks, if not months.
Thus, the argument that every second counts and that law enforcement [*83]
needs to be able to decrypt on demand is simply not acceptable, especially when
you consider the price to privacy protection.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n30. See Jim Kerstetter, Quick Crack Dooms DES; Electronic Frontier Foundation
breaks Data Encryption Standard EDS in 56 hours using a simple PC, PC Wk., Aug.
3, 1998, at 25.
n31. See id.
n32. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
What does it mean that the United States standard can be broken? It means that
the standard has failed, and the administration's export policy must be
repealed. It means that federal agencies must stop calling for copies of
encryption keys because key recovery creates an inherent and unnecessary risk of
unlawful interception of communications--risks that have repeatedly been
documented by leading experts in cryptography and security. n33 A continuation
of the current encryption restrictions is like having a law that prevents people
from using the strongest locks on their doors and windows. We are vulnerable not
only to government surveillance, but also to peeping toms and thieves. By
overstating the utility of electronic surveillance in law enforcement, the
administration ignores cryptography's critical role in preventing crime and
protecting national security. In the end, free citizens must be able to conduct
instantaneous, direct, and private communications using whatever technology is
available. Without the knowledge that private communications are indeed private,
fear and insecurity will quickly replace habits of freedom.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n33. See, e.g., Hearing Before House Permanent Select Comm. on Intelligence
Encryption, 106th Cong. (1999) (statement of Alan B. Davidson, Staff Counsel,
Center for Democracy and Technology).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Document 12 of 14.
Search Terms: technolog! w/10 surveillance, privacy w/10 right!,
electronic or computer
To narrow your search, please enter a word or phrase:
Copyright© 2000, LEXIS-NEXIS, a division of Reed Elsevier Inc. All Rights
Reserved.