Reasons not to legislate against cryptography Doug Hoyte Cryptography is the science of enciphering messages and cracking ciphered messages. On the surface it might seem like a relatively simple concept, but the topic can delve into incredible amounts of complexity. People have devised incredibly clever methods of securing communications, and incredibly clever methods of breaking them. Traditionally, all knowledge relating to this subject was kept under strict lock-and-key by large governments, with the US being one of the largest culprits. Today, in the age of digital communication, other parties are finding uses for cryptography, including large corporations, family businesses, and privacy conscious individuals. The US government has always imposed strict regulations on the distribution of cryptographic devices, especially computer software, which make truely private communications difficult at best. In the wake of the September 11, 2001 attacks, individuals will have an even more difficult time keeping their secrets. This is both shortsighted and irresponsible of the government, will deprive many citizens of basic human rights, and will do nothing to safeguard the country. For as long as encryption products have been available, the US government has restricted the export on cryptographic devices under the same act that regulates missiles, guns, and bombs: International Traffic in Arms Regulations. As long as cryptography is legally considered a military munition, the US government will have an incredible amount of leverage regulating the production, research, marketing, and even use of cryptographic products. Naturally, as Canadians, we aren't directly affected by legislation passed by the US, but we too have laws restricting various cryptographic products. The Canadian laws and regulations are very vague, but luckily, Canadian law specifically allows for not-for-profit cryptographic software to be written in, and exported from, Canada. "The Export Control List of Canada places no significant restriction on the export of cryptographic software, and is even more explicit about the free export of freely-available cryptographic software," says the OpenBSD project, which is based in Calgary, Alberta. OpenBSD is a freely available Unix-like operating system which is known for its security and reliability. If OpenBSD was developed in the US, it wouldn't legally be exportable. The US government has worked long and hard to force industry to build weak cryptography into its products by exercising its various legal footholds. IBM created an encryption algorithm now know as DES (Digital Encryption Standard), which they submitted as a cryptographic standard, which was reviewed and signifigantly crippled by the US' National Security Agency before being approved for export. The same goes for many other algorithms, including RC2. Software export restrictions are even worse. Generally, companies are not allowed to include any cryptographic security into their products unless the US government has ensured that they can break it. The impact of cryptographic restrictions extend farther than inhibiting security programs from being distributed; they also restrict academic and industrial research in the field. Within the last 20 years or so, there has been an unprecedented amount of academic research in the field of cryptography. Export restrictions can, and have, prevented legitimate research in this budding new field. Despite these restrictions, academic cryptography has come up with many revolutionary techniques in the field, a large portion of which is developed outside of the US. Much research has actually helped to improve the US government's cryptographic systems. The National Institute of Standards in Technology recently requested submissions for new methods of application (modes) for their Advanced Encryption Standard. Since this is a national standard, it was published for all to see and comment upon. As was published in September's Crypto-Gram newsletter: "Last month I mentioned that NIST is soliciting new modes of operation for AES. One of the modes submitted was "Dual Counter Mode," by Mike Boyle and Chris Salter of the National Security Agency. Within days of publication, there were at least two successful cryptanalyses of the mode. [...] Just over a week later, NSA withdrew the mode from consideration." Should the US government wish to monitor all global communications, it is quite right to be worried about widespread use of cryptography. Systems exist today that, for all intents and purposes, are completely uncrackable. The most widespread of which is PGP, or "Pretty Good Privacy". PGP was written by Philip Zimmermann, a US citizen, with the intent of transparently encrypting E-Mail messages well enough to keep out even the best equipped cryptanalyst of them all: the US government. Soon after he posted his software on an international medium, Usenet, he was arrested and charged for violating US export law. He has since been released and all charges have been dropped due to lack of evidence, but there is no guarantee that other programmers and cryptographers will be so lucky. The public's largest fear about cryptography is that criminals will plot and conspire over electronic channels free from worry of government surveillance. After the September 11th attacks on the US, this fear has been heightened and focused upon international terrorists. While there is certainly truth to this, it represents a detached view of reality in which cryptography actually is a threat to our saftey infrastructure, governments always play fair, one country's laws will influence foreign terrorists, terrorists are stupid, and civil rights and privacy must always be sacrificed in the interests of public safety. Strangely, the popular opinion on cryptography is that it will undermine the intelligence gathering capabilities of the US government, leaving the country defenseless to another large-scale attack. Few realize the potential of strong, unregulated cryptography to secure the information infrastructure. Cryptography has the potential to better protect passwords, login data, and other vital information that terrorists need to compromise the computers that are playing an increasingly important role in our day to day life. I shudder to think of the consequences of Osama bin Laden hiring a team of skilled computer hackers to take over an air traffic control computer. Granted, cryptography isn't a silver bullet in stopping computer intrusion, but it is an essential factor. Furthermore, strong cryptography could make "social engineering" (Pretending to be someone you aren't, usually over telephone or E-Mail in order to get information or fake credentials) much more difficult. Governments certainly don't have a spotless record when it comes to respecting human rights. Simply because a government's stated purpose in monitoring citizens is that it will be used to fight terrorism doesn't necessarily mean it won't also be used to read the E-Mail of other political candidates, known radical activists, people complaining about taxes, and other parties that the government simply has no business monitoring. Granted, our current western governments fall far short of an Orwellian police state, but offences have been known to occur. The US government placed an illegal wiretap on Martin Luther King's telephone, for instance. As Bruce Schneier says in his revolutionary text, Applied Cryptography, "The lesson here is that it is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics." Mathematics refers, of course, to the highly mathematical field of cryptography. National defence is the only logical reason for why cryptography suffers from such strong export restrictions today. This assumes, incorrectly, that our country is the only one actively working on cryptography, and that foreign nations will be signifigantly hindered by having our country's laws prohibiting them from getting cryptography over-the-counter from us. If terrorists have any interest in using cryptography, then they are almost certainly using it right now. Easy-to-use, free cryptographic software has been available to anyone with an internet connection for years. Any opportunity to put this back in the bottle has long since passed. Furthermore, any even reasonably organized terrorists would know not to send unencrypted communications on channels where law enforcement agencies could be eavsedropping. Certainly, Osama bin Laden and his terrorist network already use sophisticated cryptography that the government has no means of breaking, and they aren't likely to stop. We have to ask ourselves if sacrificing one of our fundamental freedoms necessary for a true democracy is worth the questionable amount of safety we recieve from invasions of privacy in general, and the outlawing of cryptography in specific. If the terrorists' goal was to shatter our very way of life and strip us of the liberties our Constitutions and Charters of Rights entitle us to, then they will win if we give up our privacy. Benjamin Franklin once said, "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." Quotations: OpenBSD Team. http://www.openbsd.org/crypto.html Schneier, Bruce. "NSA's Dual Counter Mode." Crypto-Gram (2001): 6-8 Schneier, Bruce. Applied Cryptography. Minneapolis: John Wiley & Sons, 1996. Benjamin Franklin, unknown.