March 25, 1996

The current uproar over the Internet is about smut
and what can be made public on the global computer
network. But the next public policy tangle will be about
what we’re allowed to keep secret.

Earlier this month, a bipartisan group from both houses
of Congress introduced versions of legislation called
the Encrypted Communications Privacy Act of 1996.

This bill, which outlines the proper use of encryption
technologies for privacy and security, is by far the
most critical piece of Internet legislation yet
introduced.

Encryption uses a mathematical key to scramble and
unscramble digital messages so they can be read only by
their intended recipients and not by human or electronic
snoopers. Legislation about this powerful technology is
especially important when viewed in light of two laws
already on the books.

One of these, the Digital Telephony Act, signed into law
in 1994, allows federal law-enforcement agencies to
update the telephone network with the most pervasive
surveillance equipment in history.

The other, the freshly signed Communications Decency
Act, bans “indecent” material from the Internet. It is a
law that many legislators seemed to feel was on shaky
ground even as Congress was passing it. A constitutional
challenge to the law is currently being heard in U.S.
District Court in Philadelphia.

Though the encryption bill as written is receiving
qualified support from industry and civil libertarians,
some worry that changes made in committee could make the
bill too restrictive, completing a triumvirate of Big
Brother legislation that would give law enforcement the
ability and rationale to monitor all the electronic
messages of citizens, leaving little or no recourse for
private or secure communication.

Such restrictions threaten to suffocate the Internet. As
new users and businesses flock daily to the Internet,
their need to protect confidential business data and
messages becomes a key issue in making the Net safe
enough to be useful.

Computer security experts say that many of today’s
problems on the Net — minors getting access to
pornography, security breaches of corporate data, the
need to prove one’s identity and so on — could be
solved by using encryption.

Today, using encryption of any kind is still perfectly
legal inside the United States. Historically, it was
mostly used to protect secret military communications,
so the technology is still classified as munitions –
the same threat to national security as a boatload of
artillery shells. Thus any products containing
encryption are subject to strict export controls.

[L] aw-enforcement and national security officials say
that widespread use of strong encryption would
enable terrorists and organized-crime syndicates to
communicate with impunity. They say export control is
the only way to keep this genie in its bottle, at least
when it comes to foreign, not domestic crime.

In addition, the security community has persuaded the
Clinton administration to propose an encryption method
called “key escrow” that would give the government
access to information even after it had been encrypted.
Key-escrow systems generate a decrypting key that is
held by a “trusted” third party. When law-enforcement
agents show up with a court warrant, the trustee hands
over the key to unlock the message.

So far, the Clinton administration’s proposals, which
include a key-escrow system called Clipper, have been
universally reviled by both civil libertarians and the
computer industry, which claims it stands to be deprived
of up to $60 billion annually by the year 2000 because
of export controls.

They argue that any country today can make and sell
encryption products stronger than what can be legally
exported from the United States, and that people won’t
use a system like key escrow because it has a built-in
security compromise.

One defender of key-escrow policy is Dorothy Denning, a
professor of computer science at Georgetown University
and a consultant to the military industry. She argued in
a letter to Senator Patrick Leahy, Democrat of Vermont
— one of the sponsors of the new legislation — that
such a system was vital to public safety and security.

James Barksdale, president of Netscape Communications
Corp., whose popular Web-browser software has built-in
encryption capabilities, called Ms. Denning’s solution a
“stop-gap meaure.”

“Key escrow is an unworkable idea, and we do not support
it,” Barksdale said. “Key escrow will be defeated just
like Prohibition was defeated by bathtub gin — all it
took was a big bag of sugar and a long weekend.”

Policy watchdogs like the Center for Democracy and
Technology and the Electronic Frontier Foundation, both
outspoken advocates for privacy rights and due process,
agree that the bill is headed in the right direction.

It does not dictate the use of a key escrow system,
eases export controls for “mass market” products (like
Netscape’s), prohibits any restriction on the domestic
use or sale of encryption, and provides a “personal use”
policy for American travelers who use encryption while
outside the country.

But the bill is sure to face a fight as it moves through
the House and Senate, and the key-escrow and
export-control proponents marshal their experts.

David Farber, a professor of computer science at the
University of Pennsylvania and a board member of the
Electronic Frontier Foundation, says encryption policy
always turns into “a religious discussion” between those
who fear terrorism and those who want to live without
fear of constant surveillance.

But, he adds, if you take privacy discussions to the
people, their attitudes are pretty clear. “If you ask
the American public what they think of national ID
cards, for example, a huge percentage are opposed to
them,” he said. “Why? They’re not hiding anything. They
just don’t want the government to have that type of
power.”

Denise Caruso

Copyright 1996 The New York Times Company