Crypto doesn't kill people, People do

Warren Togami warren at togami.com
Sun Sep 30 05:05:07 PDT 2001


http://news.cnet.com/news/0-1272-210-7320099-1.html

Crypto doesn't kill--people do

By Charles Cooper
September 28, 2001

In June 1991, Phil Zimmerman sent the first release of Pretty Good Privacy,
an e-mail encryption program he developed, to a couple of buddies who
uploaded the code to the Internet.

Within a very short time, PGP had been ported to nearly every computer
platform out there in many different foreign languages as people latched
onto something that would help them maintain their electronic privacy in an
ever-more-connected world.

Some folks in powerful positions were not of a similar mind, and a
controversy was born as Zimmerman quickly became the subject of a criminal
investigation by the U.S. Customs Service. The probe came about because of
suspicions that Zimmerman had violated a federal regulation proscribing the
illegal export of munitions--even though the code was up there on the
Internet for anyone to download.

Simply put, the feeling inside the federal bureaucracy was that PGP was
potent enough to be lumped together with rocket-propelled grenades and
advanced jet aircraft, and this was just not acceptable.

Calmer voices ultimately prevailed, and the investigation was finally closed
without indictment in 1996.

But in the aftermath of the Sept. 11 suicide bombings in New York and
Washington, some people want to require U.S. software companies to build
so-called backdoors into their products. New Hampshire Sen. Judd Gregg has
been at the forefront of the debate, allowing that even if a perfect
solution isn't attainable, Congress shouldn't sit idly by since perfection
isn't attainable, in any case.

To be sure, terrorists can use encryption to hide their activities from the
likes of Interpol, the CIA or any other snoopy intelligence gatherer. Ramzi
Yousef, who was convicted of planning the 1993 World Trade Center bombing,
was found to have used encryption to shield his plot to blow up U.S.
airplanes while they were en route to this country over the Pacific. Thus
the temptation to reopen the 1990s' key escrow debate.

But would we then all be better off if law enforcement agencies had keys to
unlock encrypted messages? It's a philosophical issue that was never firmly
answered because market realities intervened. At the time, consumers and
companies steadfastly balked at the prospect of using software that included
built-in backdoor access for the feds. The Clinton administration realized
it was on a fruitless mission and dropped the issue.

So I'd like to take a stab at explaining why requiring backdoor access to
encryption software is a non-starter:

* First off, it's a quick-fix, feel-good measure that won't make a whit of
difference when it comes to stopping the bad guys. Terrorists don't need
U.S. encryption technology. Code makers long ago broke ahead of the code
breakers, and the fact is that the knowledge of cryptography has since
spread far and wide. Remember that Zimmerman wrote PGP from information that
was readily available in the open literature at the time.

I doubt whether the Osama bin Ladens of the world are so dumb that they
would use software that has already been compromised. No doubt there are any
number of capable computer scientists in the Middle East and Central Asia
whom these groups can turn to in a pinch for technical assistance.

* Then there are the obvious civil-liberty objections. Presumably, backdoor
access would be limited to instances in which the authorities need to track
e-mail communications between terrorists. The problem here is that you never
know which way the wind is going to blow. Once surveillance tools receive
legitimization, who can guarantee that they'll always be used in enlightened
ways by an administration in, oh, how about the year 2084?

* The competitive angle: If U.S. companies are forced to play by these
rules, rest assured there are foreign companies aplenty that will get around
the Americans' export ban. Network defense is something governments are keen
on. Consulting company Frost & Sullivan estimates that sales of encryption
technologies to government and military agencies around the world will soar
to $457.6 million in 2007 from the current $176 million.

Assessing the blame

The fear now is that encryption technology will be unfairly singled out in
the debate over how to guard against future terror attacks.

A recent story in The Washington Post, for example, misrepresented
Zimmerman's views on the role PGP encryption may have played in the
terrorist attacks. Still, I suppose that a lot of people may be ready to
believe that encryption played a role in the deaths of the victims on Sept.
11. It's a flight of logic that makes as much sense as pointing a finger of
blame at Boeing, the company whose giant aircraft destroyed thousands of
lives in a matter of minutes.

In this ever-smaller world of ours, there are few tools that people can't
misuse to fulfill their own evil purposes. Nuclear power can be used to
provide cheap electricity to towns and cities; it also can be used to build
atomic bombs.

In the end, we're left with the unsatisfying conclusion that partisans on
both sides of the debate were right about encryption. PGP has become the way
for people--and that includes the bad guys--to encrypt their e-mail.

But there's no way--or at least none that I've heard about--to stop the use
of encryption. The hard truth is that the encryption genie has escaped from
the bottle. Somebody indeed deserves to shoulder the rap for the suicide
bombings of Sept. 11, but it's not Phil Zimmerman. If he hadn't invented
PGP, rest assured that somebody else would have.


