During World War II, the US assembled the largest intelligence
organization in the world. The organization's code crackers were responsible for
deciphering the messages the Germans sent to their U-boat fleet. This tactical
effort contributed to Germany's defeat and changed the balance of power on the
seas. The same intelligence team deciphered Japanese messages, giving the Allied
forces a strategic edge in winning the war in the Pacific.
In this climate of wartime code breaking, the US government issued a law
prohibiting US companies from exporting any software with an encryption scheme
exceeding 40 bits. The government's idea at that time was to prevent any other
country from using US technology against the US.
Several years ago, a developer named Phil Zimmermann challenged this law by
creating a free email encryption program called Pretty Good Privacy (PGP). A
user decided to post this program on the Internet, and users from all over the
world downloaded it. Because PGP used an encryption algorithm beyond 40 bits,
the government accused Zimmermann of violating the 50-year-old law. After many
trials, the government finally dropped the charges. However, the law is still in
effect, and the US government promises to prosecute any violators.
Today, non-US companies can ship products with encryption schemes greater
than 1000 bits, leaving US companies at a competitive disadvantage. US companies
face creating two versions of their software--one for domestic use and one for
export. Maintaining two versions is too expensive.
Recently, legislators introduced a bill in Congress to let US companies
distribute 56-bit encryption products. Such products have a key space 65,000
times larger than that of their 40-bit counterparts. However, the Clinton
administration says this proposal would prevent law enforcement officials from
deciphering messages sent by terrorists, drug dealers, and other criminals. The government
will let a US company export products with 56-bit encryption if the company
agrees, in future versions, to let an authorized US government representative
access the decryption key on request (for details about these developments,
visit http://www.privacy.org/ipc/crypto_regs_1296.html).
Windows NT has become the strategic software platform for email, computer
telephony, Internet, intranet, electronic commerce, and other products that
require encryption. US vendors are shipping such products all over the world,
and all kinds of organizations, including foreign governments, are using these
products.
Letting the US government place an "email tap" on a US citizen is
one thing, but giving the US government the ability to decipher messages sent by
employees from a foreign government is scary. The CIA will no longer need to
send operatives to other countries; the CIA can get whatever information it
wants from a PC attached to the Internet.
Microsoft has developed the CryptoAPI, which lets developers put a layer
between their security code and the encryption algorithm. Using CryptoAPI, a
software vendor can create one version of its application that works with
any encryption algorithm. If the product ships within the US, the vendor
can include a strong encryption scheme. For the export version, the same vendor
can adopt a non-US encryption scheme (say, one from France) and ship the
product with that scheme from that country. This approach is an elegant way
around the problem.
I encourage all NT-based software vendors to avoid the temptation of making
the deal with the US government. Support the bill currently in Congress that
allows unrestricted export of 56-bit encryption technology. Meanwhile, develop
your software with CryptoAPI or something similar. In other words, don't stop
working on encryption--we need it.
If you are considering buying a product that has 56-bit encryption today,
consider the deal that has been made behind the scenes. Giving the US government
access to that kind of key is like the apple in the Garden of Eden--it's too
tempting. I want to know that something I've encrypted is readable only by
the person I want to receive it--period.
Certainly, I don't want to prevent law enforcement from doing its job, but
people who want to send secret messages will figure out a way. During World War
II, the US Army came up with a unique encryption method: Navajo translators
encrypted messages by translating them into the Navajo language. The opposition
never cracked that low-tech scheme.
Likewise, criminals who want to hide their deeds will find a way to do it.
Don't let the political spin on this issue fool you--the stakes are high. We
have all come to depend on the Internet as a secure means for conducting
communications and business worldwide. Knowing that the US government can demand
access to 56-bit encrypted information on a whim clearly compromises privacy and
the ability to conduct business over the Internet.
--John Barry

You’re right. Sorry. I believe the US and the Brits both worked on code cracking.
--Mark Smith
John Barry August 13, 1999