It's easy to list the tools that were used in horrific acts
and to argue that depriving ourselves of those tools will prevent
future similar incidents. It's easy, but it's wrong.

Following last week's terrorist attacks on symbols of U.S.
economic and military strength, the IT community needs to help
the nation focus on mitigating future threats—not on closing
the doors that the horse got through. Knee-jerk reactions, all
too likely from historically ill-informed legislators, could
easily cripple commercial and personal applications of encryption,
wireless communications, digital cash and media technologies,
with little inconvenience to criminals.

No information technology has been more demonized than cryptography,
especially since the advent of mathematically robust "strong"
techniques that all but defy even theoretically possible attacks.
Free access to encryption techniques, and unrestricted trading
in crypto products, "will be devastating to law enforcement
and damage national security," warned then-FBI Director Louis
Freeh in a 1999 testimony before the House Armed Services Committee.

But top law enforcement officials often reveal superficial
understanding of exactly what encryption does and of which public
threats are actually tied to crypto's use. For example, former
Attorney General Janet Reno warned of the hazards of crypto
by saying, "Terrorists are now actually using encryption, which
means that in the future we may wiretap a conversation in which
the terrorists discuss the location of a bomb soon to go off,
but we will be unable to prevent the terrorist act because we
cannot understand the conversation."

Unless future terrorists are thoughtful enough to speak English,
crypto controls won't solve this problem. According to James
Bamford's book on the National Security Agency, "Body of Secrets,"
published earlier this year, U.S. analysts are often unable
to make prompt use of even plain-language communication intercepts
due to shortage of translation staff—especially for Middle
Eastern and African languages. Even English-language communications
are easily rendered incomprehensible by judicious use of pronouns:
"We'll do it at the second place we talked about," for example,
can cover a lot of ground.

Terrorists don't have medical plans, 401(k) accounts or other
information assets requiring specific and confidential transaction
capabilities to maintain. Ordinary citizens do have these things,
and "most presently deployed encryption systems support rather
than hinder the prevention and detection of crime," according
to the 1998 white paper, "The Risks of Key Recovery, Key Escrow,
and Trusted Third-Party Encryption," by eleven authorities including
Ronald Rivest (the "R" in the RSA algorithm). Strong encryption,
the group observed, "helps to protect burglar alarms, cash machines,
postal meters, and a variety of vending and ticketing systems
from manipulation and fraud."

If terrorists can't get state-of-the-art crypto tools, they
can undetectably embed their messages in digital photos or music,
using software such as OutGuess (www.outguess.org) or Steghide
(steghide.sourceforge.net). Or are we prepared to ban all digital

Here is the fundamental paradox of modern strong encryption:
Its most irreplaceable function is enabling confidential transactions,
via public networks, among parties previously unknown to each
other. Criminals and terrorists can use other methods, such
as one-time pads or book codes, that are equally unbreakable
but that require previous arrangement—to them, a minor

If deprived of strong crypto, criminals and terrorists have
alternative means of secure communication, but freedom of commerce
is badly crippled—and the terrorists' work is done for

Technology Editor Peter Coffee can be reached at firstname.lastname@example.org.