New encryption laws for e-mail unlikely
October 6, 2001
As lawmakers re-examined the nation's security in the aftermath of Sept. 11th's terrorist attacks, the liberal encryption policy established by the Clinton administration appeared to be a likely target for change.
After all, some reasoned, the policy makes it possible for anyone including possible terrorists to send secret e-mails cloaked by codes so strong the National Security Agency can't crack them.
But now it appears that no crackdown on encryption programs is coming.
The technology industry and others who fought for years for free encryption were alarmed when, shortly after the attacks, Sen. Judd Gregg, R-N.H., suggested giving the federal government the keys to unscramble everyone's encoded messages.
In a Senate speech, Gregg called for a system known as "key escrow," in which all the keys are stored in a database that authorities could access with a court order.
But the Department of Justice in the past the leading proponent of such limits did not mention encryption when it asked Congress for expanded surveillance powers for fighting terrorism.
"It's not going to happen," said Stewart Baker, a Washington, D.C., technology lawyer and former general counsel to the NSA. "The Bush people, who watched the Clinton administration struggle with that unsuccessfully for years,
aren't going to revisit this."
Gregg has yet to put his idea into a bill, and staffers say he has no specific plans to do so soon.
"I'm feeling more and more confident each day that it won't be (introduced), " said Rep. Bob Goodlatte, R-Va., who pushed for liberalized encryption laws the first time around.
"I think that time is on our side on this. If it was on the table ready to go right after the attack, such legislation probably would have had a better chance of passing. But as time goes on, there's more time to contemplate its full effects," said Phil Zimmermann, a computer programmer who created Pretty Good Privacy, the most widely used e-mail encryption program.
Encryption is used in all kinds of Internet programs. Web browsers like Internet Explorer and Netscape use it to make secure online credit card transactions possible.
Before January 2000, government regulations made it difficult or impossible to export programs containing strong encryption. The tech industry and civil liberties advocates battled lawmakers' concerns, eventually convincing the Clinton Administration to lift the restrictions without establishing any kind of "back door" through which law enforcement could spy.
Zimmermann and legislators who fought this battle the first time around say that the key escrow plan Gregg has advocated would not only diminish the privacy of individual e-mail users, but that it wouldn't achieve its goal.
Terrorists probably wouldn't use encryption to which U.S. officials had the keys, said Goodlatte, who co-chairs the Congressional Internet Caucus. U.S. authorities wouldn't get the keys to encryption products made in other countries, for example.
"Anybody bent on misusing encryption could buy it from hundreds of foreign sources or create it themselves," said Goodlatte. "It's been revealed that (Osama bin Laden) has some very top-notch software engineers."
The plan could also endanger the security of everyone who uses encryption, critics say.
"The escrow or recovery mechanisms themselves may actually be compromised by criminals," warned members of the Association for Computing Machinery, a New York society for technology professionals. Hackers who broke into the database where the keys were held might use the keys to compromise millions of computers.
While spokesman Brian Hart said Gregg has gotten some positive feedback from other lawmakers, no one has seconded his idea publicly.
"Gregg seems to be an isolated case," said Bruce Heiman, a Washington attorney who serves as executive director of Americans for Computer Privacy, a technology industry group.
Sen. Conrad Burns, R-Mont., has joined Goodlatte in speaking out against encryption limitations.
Like Goodlatte, Burns pushed for liberalized encryption laws in the 1990s.
Others who joined their fight are still in Congress, such as Rep. Zoe Lofgren, D-San Jose and Sen. Pat Leahy, D-Vt.
But one of the major proponents, former Missouri Sen. John Ashcroft, is now the attorney general.
"Ashcroft was on our side at that time. It could be that maybe that's why we're not seeing something from the Justice Department specifically about encryption," Zimmermann said.
by Carrie Kirby, Chronicle Staff Writer, Copyright © 2001 San Francisco Chronicle