No issue has generated more controversy on the Internet than the question of government regulation of encryption. Without encryption, all network transactions are essentially public. Email has the approximate privacy of a postcard. Passwords, credit card numbers, and personal information transmitted in the clear over the network may as well be published in the newspaper. If the Internet is to be a suitable vehicle for communications and commerce, then much of the information that flows on it must be encrypted.
The quandary is that modern cryptographic techniques are good -- very, very good. A small amount of computing power suffices to implement codes that are virtually unbreakable, whether by an eavesdropping neighbor, an organized crime syndicate, the FBI, or (for all anyone knows) the intelligence agencies of the world's most powerful governments. Indeed, until recently, encryption hardware and software were classified by U.S. law as munitions; someone who sent encryption software out of the country was (from the viewpoint of U.S. law) acting as an arms dealer. These regulations were changed in December, 1996, but U.S. law still restricts the export of cryptographic hardware and software.
Boiled down to starkest terms (in the words of Ron Rivest), the encryption dilemma is this:
Should privacy and security of data storage and communications be available to everyone -- even in the face of authorized government requests?
Over the past few years, the U.S. Administration has attempted to resolve this dilemma by floating a succession of technical proposals that would provide "exceptional" methods for government access to encrypted information, together with legislative proposals to lift export restrictions for cryptographic systems containing such access methods. It has also lobbied vigorously to convince other governments to institute similar policies.
Opponents of the encryption regulations claim that the attempt to control encryption is largely pointless and counterproductive, because the bad guys will use encryption to hide their activities despite what the law says. The U.S. computer and telecommunications industries argue that regulations on encryption technology are hampering their ability to be competitive on the world market. Civil liberties groups contend that encryption regulations are unconstitutional, and that increasing control of encryption will pave the way for massive invasions of privacy on the Internet.
At the same time, the FBI is extremely worried that the widespread use of encryption will destroy law enforcement's ability to conduct wiretaps; and the U.S. Intelligence establishment claims that increased use of encryption will endanger national security.
Congress, caught in the middle, has responded by introducing bills that run the gamut from decontrol of the export of cryptography to outlawing the sale of strong cryptography even for domestic use.
The three chapters below provide an overview of this highly controversial debate, ranging from the Digital Telephony Bill in 1994 through the latest developments this month. They also provide links to some of the key documents in the debate, which are nevertheless only a tiny fraction of the extensive material available on the Web.
- 1994: The Digital Telephony Act (CALEA)
- 1994: Clipper (The Escrowed Encryption Standard)
- 1995-97: From Clipper to Key Recovery