Does private strong encryption pose a threat to society

views updated

Does private strong encryption pose a threat to society?

Viewpoint: Yes, while it's true that data encryption protects and furthers important civil liberties, it also poses a threat to public safety.

Viewpoint: No, private strong encryption contributes to American society by safeguarding basic rights, personal information, and intellectual exchanges. It protects individuals from over-zealous law enforcement agencies.

The increasing sophistication, interconnectedness, and ubiquity of communication and computer technologies have made information society's most valuable commodity. Protecting information is of vital importance to commerce, government, and private citizens. Technologies such as the Internet, which has greatly facilitated the transaction and exchange of all kinds of information, require a high level of protection to keep these exchanges secure and private. Coding and encrypting information has traditionally been the province of spies and their governments. Today, it is a part of everyday life for nearly all U. S. citizens. How do we balance the need for privacy and security with government's role in protecting its citizens from illegal and criminal activities?

The need for data encryption is undeniable. Private information about individuals and businesses is stored on computers and exchanged over computer networks, whether by health care providers, banks, insurance companies, or purveyors of commerce over the Internet. Without effective encryption of this information, any one of these transactions would be vulnerable to criminal interference. Identity theft, credit card fraud, and other kinds of "cyber-crime" would make Internet commerce impossible.

While data encryption protects the rights of citizens and their ability to conduct business on computer networks, it also provides security for criminals, petty crooks, and international terrorists as well. Law enforcement agencies have sought ways to gain access to encrypted data in order to prevent or prosecute criminal activity. Since the 1990s, the U. S. government has tried to make strong encryption techniques illegal, to force users of encryption to give "keys" to government agencies, and to restrict the export of encryption products. Each of these efforts has run into difficulties.

Critics of the government's efforts to control encryption have repeatedly raised two issues. Foremost, the critics argue, it violates various freedoms guaranteed in the Bill of Rights—for example, they suggest that encryption programs are protected by the First Amendment's provision on free speech, and that decrypting encoded transmissions would be unreasonable search and seizure in violation of the Fourth Amendment. The second charge is that government efforts to control encryption are technologically outdated and hopelessly flawed. By allowing government control of encryption, the entire system might crumble—criminals could exploit its many flaws, while innocent citizens would lose the protection that private strong encryption has afforded.

While it is important to protect privacy and commerce from government interference, it is equally important for government to protect its citizens from illegal and criminal activities. Clearly the government must be able to extend its traditional crime-fighting roles into cyberspace, and to do so will require some kind of access to encrypted information. Negotiating the competing interests of strong encryption is a complicated problem, but one whose solution is essential.

—LOREN BUTLER FEFFER

Viewpoint: Yes, while it's true that data encryption protects and furthers important civil liberties, it also poses a threat to public safety.

Introduction

On the bright, clear, and otherwise unassuming morning of Tuesday, September 11, 2001, an unprecedented and nearly unimaginable coordinated series of terrorist hijackings occurred aboard four commercial airliners within the United States. Within an hour of 9:00 A . M ., teams of hijackers overpowered the flight crews of the airliners, herded them into the back with the frightened passengers, and then flew two of the airliners at nearly 400 miles-per-hour (644 kph) into each of the two towers of the World Trade Center, causing their eventual collapse and the deaths of thousands of innocent civilians. A third slammed into the Pentagon, killing a few hundred, and a fourth crashed into a field south of Pittsburgh, Pennsylvania, after some passengers apparently fought back. That last airliner is widely believed to have been targeting either the White House or the Capitol building. President George Bush, along with many others in the federal government, called these despicable hijackings "acts of war" and vowed to retaliate by declaring a war on terrorism.

A commercial airliner had not been hijacked within the United States in over 10 years, and never before had multiple, near-simultaneous hijackings occurred anywhere on earth for the purpose of using the airliners essentially as guided missiles. Historically, hijackings occurred for the purposes of extorting money from authorities, or for coercing authorities into complying with other demands such as releasing certain prisoners from jails. No one had imagined that hijackers would hijack airliners for the sole purpose of committing murder-suicide on such a massive scale. No one had imagined that numerous, perhaps dozens, of international terrorists would be able to coordinate such a sophisticated series of terrorists strikes without being detected, which many experts believe would have taken many years to plan. As the hijackers are suspected of being part of a large international ring of terrorists, they had to communicate with each other over long distances. So, how did they do it without revealing themselves?

Almost immediately after the attacks, the FBI, CIA, the National Security Agency, and other law enforcement and investigatory agencies from around the world began the arduous task of identifying the hijackers and their co-conspirators in an effort to bring all those responsible to justice, as well as to head-off any possible further attacks by other co-conspirator terrorists who may be laying in wait. As with virtually all criminal investigations of today, the focus of the investigation immediately turned to computers and the Internet. Indeed, it now is believed that the terrorists exploited the secrecy afforded by electronic communication via encrypted messages and files sent over the Internet in order to plan, organize, and finance their attacks.

The purpose of this article is to examine how data encryption acts both as the backbone of the Internet as well as its Achilles Heel in the sense that data encryption both protects and furthers important civil liberties, but may also present a threat to public safety. Part II provides a brief overview of data encryption, and Part III discusses in more detail the dual nature of data encryption and the respective benefits and burdens it presents. Part IV then briefly discusses a current proposal by the United States government for balancing the sometimes conflicting interests between civil libertarians on one hand and law enforcement officials on the other.

What Is Data Encryption?

The term "data" simply refers to information. It is the plural form of the singular Greek word datum , which means a "gift" or a "present." A datum thus is a piece of information that is given and from which a conclusion may be inferred; data are a collection of datum (although we often speak as if data are a singular thing, as in "Where is the data?", correct usage is to speak of data in the plural, as in "Where are the data?"). The text on this page, for example, can be considered data from which you, the reader, now are inferring information.

Encryption simply is the process of taking information, or data, and translating it into a code. Here is an example of an encryption. Let's say you have the following message: "JACKIE." You also have chosen the following convention as your code: the letter 'A' is equivalent to the number '1'; 'B' to '2'; 'C' to '3'; and so on. Thus, when you translate or encode JACKIE into the code you have chosen, JACKIE becomes 10-1-3-11-9-5. Now, if you were to ask the average person on the street what this seemingly random group of numbers mean, few would be able to guess. However, given a few minutes of reflection, probably many would be able to decipher or decode the meaning of the numbers. Each number corresponds to a letter in an alphabetical arrangement.

Encryption at this level obviously is not very secure, as the "key" to the encryption can be easily discovered. A "key" simply is the clue that unlocks, or deciphers, the encrypted code. The key in the above example simply was the discovery that each number corresponds to a letter of the alphabet. Whoever has this key—or has discovered the key—can then decrypt the encrypted message. The point of encryption thus is to make the key extremely difficult for any one but the intended end-user to know. Cryptography, therefore, essentially is the art and science of hiding the meaning of messages from unintended users. So, when one purchases an airline ticket on-line using a credit card, the information is encrypted, and if it is intercepted by a hacker, the encrypted credit card information simply would appear as gibberish.

The type of encryption exemplified above is known as symmetric encryption. Symmetric encryption, however, has within it a fundamental flaw that makes encrypted messages susceptible to decryption no matter how sophisticated the encryption. That flaw is the key. Although the example above is rather simplistic, it does require, as noted, a key in order to decipher the scrambled message, namely, that 1=A, 2=B, and so on. The problem is that even though one may have an encrypted message that is absolutely impossible to decipher, if the intended recipient is to decipher the encrypted message, he or she will need the key to the encrypted message in order to decipher it. This requires the sender not only to deliver the encrypted message to the intended recipient, but also the key. Because someone always could intercept the key, one therefore has to figure out a way of getting the message to the recipient in a foolproof manner, i.e., without allowing the key to be intercepted. This dilemma raises an interesting question: if one could get a message to the recipient without it being intercepted, then why encrypt the message in the first place?

An alternative to symmetric encryption was announced in August 1977. Asymmetric encryption, or RSA cryptography, does not require the sender to transport a key to the recipient. (RSA represents the last names of Ronald Rivest, Adi Shamir, and Leonard Adleman, the three mathematicians and computer scientists who devised this form of cryptography). RSA is one of the more popular forms of so-called "strong" encryption freely available today, and is virtually impossible to crack.

In a nutshell, RSA works because there are two keys available for encrypting and deciphering messages. One key is known as the private key and is kept in secret by the recipient. The second key is known as the public key and can be known by anyone who wants to send the recipient an encrypted message. RSA cryptography works by exploiting a certain attribute of very large numbers, namely, that they are incredibly difficult to factor. (A factor of a number simply is a smaller number that divides evenly into it. For example, 2 is a factor of 6, but 4 is not). Before any message is sent to the recipient, the recipient chooses two very large prime numbers and keeps them secret. These two numbers constitute the private key. The recipient then multiplies these two numbers together to get an even larger number, which represents the public key. Anyone wishing to send the recipient an encrypted message then uses the public key to encrypt the message.

Without going into the details of how the process actually works, suffice it to say that asymmetric encryption is a one-way process (hence, its name) such that once the sender uses the public key to encrypt the message, the sender cannot then decrypt it (as he or she would be able to do under a symmetric encryption scheme). Indeed, the encrypted message is now nearly impossible to decrypt by anyone. Why? Because once the message is encrypted according to RSA methods, one must then have access to the private key in order to decrypt it, and presumably no one would if the sender has been diligent about guarding the private key. Someone, of course, could try to break the encryption by guessing the two primes numbers that make up the private key. But this would require factorizing the public key. For very large numbers, the factorization process quite literally could take billions of years. So, although RSA cryptography is not in principle unbreakable, for all practical purposes, it is. And this is what has governments, especially the United States government, worried. Because RSA cryptography is freely and publicly available, criminal conduct in cyberspace can potentially go unnoticed and undetected forever. Although strong encryption may give confidence to the public that their privacy is being protected in cyberspace, strong encryption also renders traditional methods of criminal investigation and monitoring of criminal conduct essentially worthless.

The Problem of Encryption

Without encryption, e -commerce, i.e., the millions of commercial transactions that take place over the Internet daily, likely could not exist, for no one would engage in transactions over the Internet if doing so presented a significant risk that their information could be intercepted and decrypted by others. Because strong encryption largely prevents decryption by third parties from occurring, more and more members of the public are engaging in commercial transactions online, and using the online world to send private communications to people all around the globe. It is not surprising that in light of the many benefits provided by computers and the Internet, a significant and growing proportion of all commerce today is e -commerce. Indeed, virtually every aspect of our society is inextricably linked to computers—from writing reports and memoranda and performing research, to checking the weather and stock quotes, communicating with loved ones, and storing the most personal information about ourselves on the computer.

So complete is our reliance on these electronic devices that without computers and the Internet, our society simply could not function in the manner it does now. Thus, inasmuch as encryption makes travel on the "information superhighway" safe and convenient, encryption protects one of our most fundamental social values—privacy—by making it difficult, if not impossible, for others to gain access to any information we deem private. With our privacy protected, we are free to engage in many intellectual, financial, spiritual, and commercial enterprises without fear of oppressive governmental oversight and regulation, or the prying eyes of nosy neighbors, or worse, the theft of our personal identities by criminals. Encryption protects liberty.

This same encryption that protects liberty, however, also can be—and is being—exploited by criminals and terrorists not only to facilitate crimes such as fraud and money laundering, but in alarmingly more cases, to engage in political acts of violence. Crime and terrorism, of course, are threats to liberty. Thus, encryption also harms the very same liberty it otherwise is intended to protect. As former Vice-President Al Gore has stated, "[u]nlawful criminal activity is not unique to the Internet—but the Internet has a way of magnifying both the good and the bad in our society."

In addition to the many criminals and terrorists who exploit encryption for nefarious ends, many foreign states also are suspected of launching cyber-attacks against the computer infrastructure of the United States, if for no other reason than to test our weaknesses and responses. Indeed, many analysts now believe that the "first-strike" in any major modern war likely will take place not on a battlefield, but in cyberspace. Under such a scenario, an enemy state would first "launch" viruses, worms, and logic bombs contained in file attachments over the Internet. These programs would be downloaded by the unsuspecting masses, stay hidden for a time, and then simultaneously begin erasing data, slowing networks, and crashing critical systems. Our ability to communicate and function would be greatly hindered, and while we were distracted and disoriented, the enemy state could then launch a series of terrorist attacks with various biological agents or even nuclear weapons. No massive air and land assaults would be needed to bring our country to its knees, just some well-written code encrypted within various emails and files would open the door to financial and social calamity. Although just few years ago such a scenario would be relegated to the realm of Hollywood science fiction and fantasy, the real possibility of this scenario is now part of our everyday reality.

Thus, and as expected, many clues behind the recent airliner hijackings are already emerging from the various Internet transactions that the terrorists engaged in prior to their suicide missions. Indeed, the FBI already has enlisted the assistance of various Internet Service Providers (ISPs) for purposes of ascertaining where and when the suspected hijackers accessed the Internet and for what purposes. The FBI, of course, is interested in who the terrorists emailed, and the contents of those emails. Further, the FBI wants to know what sites the terrorists visited and for how long, and whether they purchased anything or made deposits into or transfers out of their bank accounts.

The FBI and other agencies will also likely pore over the hard-drives of any computers and floppy disks they may come across during their investigations. They will look to see what programs and files, if any, are on the hard-drive and if any files have been deleted. If they find the remnants of deleted files on the hard drives they will attempt to recover those files to see what they contain. However, if any of these transactions or files have been encrypted, it will be very difficult to recover the information.

Thus, as mentioned earlier, the problem with encryption essentially is that it provides both a benefit and a burden. As a result, debates regarding encryption center on resolving the seemingly irresolvable tension between encryption as an essential element in the protection and advancement of our civil liberties, and encryption as a tool for criminals, terrorists, and rogue states for wreaking disharmony, chaos, and disaster on the public. The key, of course, is to find a balance between personal liberty and public safety.

Encryption Recovery and Law Enforcement

In light of the horrific terrorist attacks discussed in Part I above, Congress recently passed the Combating Terrorism Act of 2001, which makes it easier for the FBI, CIA, and the Department of Justice to monitor and investigate persons suspected of engaging in serious offenses, not the least of which is terrorism. Similarly, several Congressmen as well as the Department of Justice have voiced concerns over strong encryption for the reasons discussed in the previous section. Many wish to curtail or even outlaw such encryption. Given their fears about how it could be exploited by criminals and terrorists, one cannot blame them for such proposals.

Nevertheless, our nation fundamentally is built upon notions of civil liberties such as privacy, freedom of speech, freedom of association, and freedom of expression. These individual freedoms, by their very nature, provide a check on government action. The government simply cannot decide whether it will or will not honor these values—it must. Some civil libertarians argue, however, that many of the current proposals in response to criminal exploitation of strong encryption technology unnecessarily infringes on civil liberty. Of course, civil libertarians readily will admit that another cherished value of our society is the freedom from unnecessary harm and fear. To that end, we believe that it is the government's responsibility to ensure as much as possible that this value, too, is respected and protected. Thus, the government is left with the problem of balancing the various liberties against each other.

One current proposal that appears to be gaining momentum involves requiring manufacturers of encryption software to build in a "back-door" into the encryption. Under this proposal, the government would be given a "government key" that could be used to decrypt alleged criminal communications. As the government first would have to obtain permission from a court in order to use the key, it would not be unlike our present search warrant procedures. Of course, some argue that this still leaves room for abuse by the government with respect to the indiscriminate and potentially illegal use of its key. Further, what would happen if the government's key ever became public knowledge, especially by criminals? Massive problems could potentially ensue.

Another similar proposal would be to require users of encryption software to give copies of their private keys to so-called "trusted third parties" or TTPs. Rather than the government holding onto back-door keys, which could potentially be used to access information unbeknownst to anyone, these nongovernmental third-parties would be in possession of the private keys and would only give them out to the government upon court order. Although this proposal provides an added layer of protection from potential government abuse, that potential still remains. The government, some have said, may try to strong-arm TTPs into giving out private keys. (Although presumably such TTPs would have recourse to the courts to block such government tactics).

Conclusion

It is clear that we must make a decision on strong encryption. One option simply is to do nothing and pray that criminals and terrorists will cease exploiting encryption for their evil ends. That, of course, is dangerously naive. Conversely, another option is to outlaw strong encryption. As encryption is already firmly rooted in cyberspace, this option does not seem to have much promise. Indeed, it is ludicrous since it may essentially kill e -commerce.

A sort of middle-ground alternative option is to live with some weakened form of encryption that would allow the government to decrypt citizens' e-mail and computer files, but only in certain specified situations and only for legitimate reasons. To paraphrase Simon Singh in The Code Book , how weak a version of encryption we can live with will depend on whom we fear more—criminals and terrorists, or the government. As of this writing, it is clear that we fear criminals, especially international terrorists, far more than we do our own government.

—MARK H. ALLENBAUGH

Viewpoint: No, private strong encryption contributes to American society by safeguarding basic rights, personal information, and intellectual exchanges. It protects individuals from over-zealous law enforcement agencies.

Nearly as long as engineers have connected computers into networks, an essential tension has existed between those who write computer code and those charged with protecting the interests of national security. Philosophically, members of the computing community have believed in the free exchange of their ideas and programs, while the American companies employing many computer professionals have demanded the right to compete freely in the global marketplace by using encryption to safeguard the content of their wares. At the same time, however, certain federal agencies have desired the ability to infiltrate networks at will in order to catch criminals. Yet, the reality has been that encryption programs have been disseminated much more quickly than the government's capability to control them. As a result, contemporary networks depend upon private strong encryption. This system benefits private citizens in multiple ways: as they choose between the products of American and international businesses, as they are protected from consumer theft, and as their Bill of Rights freedoms are upheld.

The Problems with Governmental Controls

There are legitimate security concerns raised when strong encryption is held in private hands. For example, a criminal organization or individual could encrypt records of illegal activities and stymie law enforcement agencies attempting to examine those records for criminal evidence. Or, a terrorist group could shroud its arms trafficking and plots against American citizens. However, the solution is not turning control of the keys to strong encryption over to the federal government. Throughout the 1990s, the executive branch attempted to establish an escrow system which would require all makers of encryption systems to deposit their decryption keys with the government. That way, law enforcement and national security officials could ask the courts to allow them to decrypt any information they deemed necessary for preventing or prosecuting crime.

Not surprisingly, these federal attempts to control strong encryption have failed repeatedly. One of the more notorious examples is the Clipper Chip initiative endorsed by the Clinton administration in 1993. Designed by the National Security Agency (NSA), the chip was to be installed in devices requiring the encryption of conversations, such as secure telephones. A related chip called "Capstone" would be used for data encryption in computers. These chips contained a key deposited with the Commerce and Treasury Departments which allowed the government to retrieve the message being transmitted. Essentially, the Skipjack algorithm used in Clipper and Capstone would ultimately allow the United States government to eavesdrop on any exchange in which it believed a crime had occurred.

When the federal government holds copies of encryption keys, as it would have if any version of the Clipper Chip initiative were implemented, a number of freedoms guaranteed by the Bill of Rights are endangered. The most obvious intrusion caused by the eavesdropping in cyberspace possible with the Clipper Chip is upon Fourth Amendment rights preventing unreasonable searches and seizures, including wiretapping, and the Fifth Amendment protection against self-incrimination. Both of these Amendments provide for Americans to be secure in their persons, papers, and, by extension, their computer code. Additionally, on April 4, 2000, the United States Court of Appeals for the Sixth Circuit ruled in Junger v. Daley that encryption hardware and software are protected by the free speech provisions of the First Amendment "because computer source code is an expressive means for the exchange of information and ideas about computer programming."

Members of the computing community argue as well that some dissenting groups could feel stripped of their anonymity when they were required to deposit decryption keys in an escrow system. They would not be able to voice their opinions without fear of authoritarian reprisal and thus would lose their First Amendment rights to free speech and assembly. Some critics of the government's policies have also claimed that, since encryption tools are treated as arms by the International Trafficking in Arms regulations, they have a right to own and use strong encryption under the Second Amendment's guarantee that private citizens may keep and bear arms.

In addition to impinging on the Bill of Rights, Clipper illustrated a number of troubling characteristics of federal security agencies with respect to encryption. Complete control has been beyond the government's capability from the beginning. In fact, strong encryption had already been disseminated over the Internet and was available for purchase in other nations before the federal government even proposed its first escrow system. In addition, the Federal Bureau of Investigation (FBI) and NSA tried to push through their form of key escrow even though it was technically unsound. Its limitations prevent Clipper from demonstrating conclusively that one specific person in fact made the telephone call or sent the data in question. Criminal defendants could argue that the communications intercepted by the government were forged, and there would be no way to disprove their claim. Further, in the 1990s, there were already ways for criminals to evade the proposed escrow system while innocent citizens were not shielded from the prying eyes of Clipper.

NSA and the FBI have also demonstrated an intransigent attitude of self-interest toward strong encryption. NSA has continually attempted to circumvent the Computer Security Act of 1987, which gave the civilian agency, the National Institute of Standards and Technology (NIST), responsibility for the security of unclassified, non-military governmental computer systems. Not satisfied with undercutting NIST's authority, NSA then tried to control encryption in private industry by developing Clipper. NSA and the FBI have historically disregarded the valid concerns of industry leaders and shown an unwillingness to compromise. As Jim Barksdale, President and CEO of Netscape Communication Corporation, wrote in the Wall Street Journal on September 26, 1997, "The criminals will still be able to buy advanced encryption technology outside the United States … [but if] we and the network operators couldn't guarantee the government immediate access to data on everyone's computer, the federal government could put us in jail." People like Louis Freeh, former director of the FBI, have further damaged the image of the executive branch by making irresponsible public statements. For instance, Freeh used the crash of TWA Flight 800 in July 1996 to justify his call for federal control of encryption even though that tragedy was caused by mechanical failure and was not a terrorist act.

Governmental key escrows also feed the temptation for agencies to overstep their bounds. The federal government hoped that phones equipped with the Clipper Chip would be sold abroad, which would have raised questions about the United States monitoring activity outside its borders and the legality of these devices under the encryption laws of other nations. The FBI has also been prone to use its powers to intimidate rather than police. These tendencies have admittedly been exacerbated by the contradictory American encryption laws, under which an encryption program written in a book could be exported but a computer file containing the same program could not. Still, other nations have devised acceptable solutions for balancing the interests of law enforcement and private enterprise. For instance, Germany rejected restrictions on the availability of strong encryption in June 1999, while the United Kingdom abandoned its efforts in key recovery as detrimental to its desire to be a world leader in electronic commerce in May of that year. Unrestricted export of strong encryption was legalized in Finland in 1998. Even France has eased its long-standing ban on the import and export of encryption products.

Private Encryption Protects Corporations and Consumers

In the United States, legislators such as Rep. Bob Goodlatte of Virginia helped lead the way toward a more reasonable governmental approach to strong encryption. Goodlatte introduced in 1998 and re-introduced in 1999 the Security and Freedom through Encryption (SAFE) Act. SAFE prohibited any mandatory key escrow systems while it criminalized the use of encryption in the commission of other crimes. SAFE also allowed the export of encryption products after a one-time, 15-day technical review. Although the law was weakened during its two tenures in various committees of the House of Representatives and was not without other drawbacks, it was designed to prevent hackers and thieves from accessing digital information and communications, to allow American companies to retain their international technological and economic lead, and to advance national security by promoting democracy and the free exchange of ideas about encryption. A group of major computer companies, led by Cisco Systems, also volunteered to compromise with the NSA and FBI by submitting a "private doorbell" plan in 1998. Under this proposal, law enforcement and national security officials with a warrant could ask a network operator to intercept and record data at the point either just before encryption began or immediately after it ended.

The Clinton administration finally accepted the inevitable and issued a directive about private strong encryption in January 2000. These regulations eased restrictions on the export of strong encryption products by stating that open source code could be posted on the World Wide Web as long as the URL address was given to the Department of Commerce. The directive also instituted the one-time technical review of the SAFE law for encryption programs sold in retail or to other governments. The only prohibited customers were in Cuba, Iran, Iraq, Libya, Sudan, Syria, and North Korea, the nations on the State Department's terrorist list. This move made the SAFE law irrelevant. As a consequence, no further legislative action was undertaken on SAFE or on the "private doorbell" proposal. These plans, though, did demonstrate that American companies are willing to cooperate with law enforcement and national security interests by providing their technological expertise as long as governmental policies allow the companies to continue to innovate.

Indeed, the January 2000 directive enabled American companies to compete freely in global markets. They no longer had to make two versions of software products—one for domestic sales and a weaker version to distribute internationally. They could feel free to develop new, even stronger encryption products to make their data even more secure from outside attacks. After the European Union decided to create a "license free zone" for most encryption technologies in July 2000, the Department of Commerce further liberalized the export and re-export of encryption products to the 15 Economic Union members and Australia, the Czech Republic, Hungary, Japan, New Zealand, Norway, Poland, and Switzerland. Still, the licensing rules that any potential American exporter of encryption software must follow remain complex and especially onerous for small companies. These guidelines also fail to exempt academic researchers from the paperwork.

Nevertheless, consumers are better protected with this access to private strong encryption than without it. Previous encryption schemes, such as the Digital Encryption Standard (DES) are no longer sufficient for safeguarding data. By 2000, the 56-bit DES could be broken in 22 hours and 15 minutes, while it required 10,000 years or more to crack 128-bit strong encryption. Credit card, banking, and telecommunication companies must be able to assure their customers that private information will not be exposed to identity thieves. These companies need powerful encryption tools and the capability to keep their decryption techniques out of the hands of third parties. In other words, they need free access to strong encryption to inspire confidence in their customers that their products are safe. As larger and larger segments of the economy come to depend on Internet transactions, it is imperative that these exchanges remain secure.

Private strong encryption is not a magic solution for every information security issue. The security of information on the Internet is a complex issue which will require constant and diligent attention. Allowing companies to hold their own encryption keys will not prevent unauthorized disclosures of sensitive financial or medical data. However, allowing companies to retain control of their keys and academics to freely exchange their ideas is the best of the available alternatives. The costs law enforcement and national security agencies would incur by demanding key escrow far outweigh any benefits they would reap in nabbing a few criminals. The difficulties raised by private strong encryption are not insurmountable, while cherished American Bill of Rights freedoms are upheld when private strong encryption is encouraged by the federal government. Far from a threat to society, private strong encryption is a necessity of the Internet Age.

—AMY ACKERBERG-HASTINGS

KEY TERMS

CIVIL LIBERTIES:

Includes those rights and freedoms contained in, or derived from, the United States Constitution, such as the right to privacy and the freedom of expression.

CRYPTOGRAPHY:

The science of encrypting messages or concealing meaning of messages.

CYBERCRIME:

Generally, computer crimes involving hacking or authoring viruses, worms, and logic bombs. Cybercrimes are generally engaged in for the purposes of financial gain or for intellectual excitement.

CYBERSPACE:

The aggregate of the thousands of cable and telephone lines and computers that are networked together to form the Internet.

CYBERTERRORISM:

Generally, computer crimes involving the disruption of a state's computer infrastructure for the purposes of intimidation. Cyberterrorists engage in cyberterrorism for political purposes.

DECRYPTION:

The process of unscrambling a message back into its readable format.

ENCRYPTION:

The process of scrambling a message into an unreadable format.

KEY:

A collection of bits, usually stored in a file, which is used to encrypt or decrypt a message.

KEY ESCROW:

A process that requires a copy of all decryption keys be given to a third party, such as a government entity, so that encrypted messages may be decrypted as required by a law enforcement agency.