Ban crypto, cripple commerce

It's easy to list the tools that were used in horrific acts and to argue that depriving ourselves of those tools will prevent future similar incidents. It's easy, but it's wrong.
Written by Staff, Contributor and Peter Coffee, Contributor

Following last week's terrorist attacks on symbols of U.S. economic and military strength, the IT community needs to help the nation focus on mitigating future threats—not on closing the doors that the horse got through. Knee-jerk reactions, all too likely from historically ill-informed legislators, could easily cripple commercial and personal applications of encryption, wireless communications, digital cash and media technologies, with little inconvenience to criminals.

No information technology has been more demonized than cryptography, especially since the advent of mathematically robust "strong" techniques that all but defy even theoretically possible attacks. Free access to encryption techniques, and unrestricted trading in crypto products, "will be devastating to law enforcement and damage national security," warned then-FBI Director Louis Freeh in a 1999 testimony before the House Armed Services Committee.

But top law enforcement officials often reveal superficial understanding of exactly what encryption does and of which public threats are actually tied to crypto's use. For example, former Attorney General Janet Reno warned of the hazards of crypto by saying, "Terrorists are now actually using encryption, which means that in the future we may wiretap a conversation in which the terrorists discuss the location of a bomb soon to go off, but we will be unable to prevent the terrorist act because we cannot understand the conversation."

Unless future terrorists are thoughtful enough to speak English, crypto controls won't solve this problem. According to James Bamford's book on the National Security Agency, "Body of Secrets," published earlier this year, U.S. analysts are often unable to make prompt use of even plain-language communication intercepts due to a shortage of translation staff—especially for Middle Eastern and African languages. Even English-language communications are easily rendered incomprehensible by judicious use of pronouns: "We'll do it at the second place we talked about," for example, can cover a lot of ground.

Terrorists don't have medical plans, 401(k) accounts or other information assets requiring specific and confidential transaction capabilities to maintain. Ordinary citizens do have these things, and "most presently deployed encryption systems support rather than hinder the prevention and detection of crime," according to the 1998 white paper, "The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption," by eleven authorities including Ronald Rivest (the "R" in the RSA algorithm). Strong encryption, the group observed, "helps to protect burglar alarms, cash machines, postal meters, and a variety of vending and ticketing systems from manipulation and fraud."

If terrorists can't get state-of-the-art crypto tools, they can undetectably embed their messages in digital photos or music, using software such as OutGuess (www.outguess.org) or Steghide (steghide.sourceforge.net). Or are we prepared to ban all digital media?

Here is the fundamental paradox of modern strong encryption: Its most irreplaceable function is enabling confidential transactions, via public networks, among parties previously unknown to each other. Criminals and terrorists can use other methods, such as one-time pads or book codes, that are equally unbreakable but that require previous arrangement—to them, a minor nuisance.

If deprived of strong crypto, criminals and terrorists have alternative means of secure communication, but freedom of commerce is badly crippled—and the terrorists' work is done for them.

Technology Editor Peter Coffee can be reached at peter_coffee@ziffdavis.com.
