Data encryption programs are enabling telecommunicators to hide information from government agencies. The federal government claims that the Clipper Initiative, an encryption standard, will both protect privacy and allow law enforcers to decode needed information.
In October 1992, the arrest of a small-time child pornographer named William Steen marked the close of a technological window opened more than a century earlier when Alexander Graham Bell invented the telephone. Bell did more than make it possible for two people to talk to each other over a phone line: A third person could surreptitiously listen in as well. Thus as Bell begat the telephone, the telephone begat the wiretap. Supreme Court Justice Oliver Wendell Holmes called wiretapping “a dirty business” back in 1928, yet wiretaps became a standard tool of intelligence gathering for cops and spies.
But what technology giveth, technology taketh away. The shift to a digital world is fundamentally changing the nature of communications. Voice, video and print are increasingly transmitted the same way, in bits–strings of 1s and 0s–from sender to receiver. And all this data can be transformed by encryption so that a wiretapper can’t understand the 1s and 0s flowing through the phone lines. By using a powerful software program or computer chip, anyone who transmits digital data–words, pictures or sound–can “lock” it away from anyone who doesn’t have the right “key.”
William Steen did just that, using a software program to scramble his files. When sheriff’s deputies in Sacramento County, California, arrested him for sending child-porn pictures to associates via electronic mail two years ago, they seized his computer containing the pictures and correspondence. According to Deputy Tom McMahon, who investigated the case, Steen used a powerful encryption program called Pretty Good Privacy (P.G.P.) to hide potential evidence. “I believe they were his diaries,” McMahon says, “but we never could crack them.” It is not clear, in fact, that P.G.P. can be cracked at all. McMahon says he asked the F.B.I. and the National Security Agency to help him invade Steen’s files, but they declined, leading McMahon to speculate that the two agencies may not know how to do it.
The Steen case pinpoints a critical shift in the use of encryption. No longer are powerful computer-based encoding tools under the sole control of the federal government; instead, they are freely available to millions through on-line computer networks. And as the line between telecommunications and computer networks blurs, those same encoding tools can scramble voice messages, effectively ending law enforcement’s ability to conduct wiretaps and enhancing the privacy of law-abiding and law-breaking individuals alike. Of course, the Feds aren’t very happy about this development. Right now both Congress and the Clinton Administration are looking for a way to stuff the encryption genie back into its bottle, though it may be too late for anything they try to be effective. This fall, Congress will debate the Digital Telephony Bill, designed to extend law-enforcement officials’ privileged access to data flowing through phone lines into the new digital age. But access is only half the battle; police departments and intelligence agencies want to be able to understand what they intercept. That’s why the federal government is pushing for an encryption standard, called the Clipper Initiative, which the government claims would protect privacy while giving it the technical ability to unscramble what flows through communications networks.
Traditionally, cryptography–the study of secret codes–has been an instrument of war. During the cold war years it was the National Security Agency, chartered to monitor electronic communications abroad, that funded advances in encryption. The N.S.A. even classified academic papers about mathematics that could be used for cryptography, all to keep enemy spies in the dark. But the agency began to lose control in the 1980s, when the proliferation of computer networks gave rise to private companies selling ciphering products to protect computer data. “Up until ten years ago, the N.S.A. had a hammerlock on encryption research and development,” says Clifford Stoll, an author and astronomer who electronically tracked down a hacker in the pay of the K.G.B. while the latter was rooting around in the computers of a government facility in Berkeley, California.
Encryption for commercial use has been around for nearly two decades. Its primary users have been banks, which employ a government-sponsored coding algorithm called D.E.S., or Data Encryption Standard, to wire countless trillions of dollars around the globe. Now that computer networks are becoming a basic communication tool, encryption is spreading with them. Today, more than 838 commercially available cryptographic software products are sold in thirty-three countries, according to the Software Publishers Association. Although the total number of cryptography users isn’t known, one of the largest cryptography companies in the United States, RSA Data Security, in Redwood City, California, will have sold more than 5 million units of its powerful encryption software by the end of this year. RSA has licensed its ciphering products to Apple, Microsoft, Novell and Lotus. (P.G.P., the program William Steen used to scramble his files, is a bootleg version of RSA’s software.)
Encryption is a crucial component of the coming information superhighway. With it, businesses can verify signatures on electronic contracts; home shoppers can order cubic zirconia on their interactive TV sets without worrying about their creditcard numbers flowing through cable lines; digital cash becomes a reality through the use of “digital signatures.” P.G.P. is now available free on the Internet. Anyone with a computer, modem and password can pull it out of cyberspace. It works, like all computer encryption programs, by using a mathematical algorithm to transmute ordinary words, called “plaintext” in computerspeak, into strings of random-appearing characters. Only the holder of the correct “key” can unscramble the characters back into plaintext.
P.G.P.’s great advantage is that it avoids the age-old cipher problem of how to get the key securely from sender to recipient. P.G.P. uses a patented formula called “public-key cryptography,” in which the key used to scramble a message is different from the one used to unscramble it. By utilizing a special group of mathematical algorithms, public-key cryptography offers two keys, a “public key” and a “private key.” The public key is shared and the private key is kept secret. To send encrypted messages with P.G.P., senders use their recipient’s public key to code the message. The recipients then decode the message with their private key.
Public-key cryptography is such an improvement over the old system of single-key cryptography that it is now considered the standard in computer networks. Thanks to the international reach of the Internet, P.G.P. has traveled all over the world, popping up in such places as Russia, Latvia and Hong Kong. P.G.P. is even used in San Francisco to set up “raves.” According to Captain Crunch, a legendary phone-hacker-turned-raver, organizers of these all-night dance and drug marathons send each other P.G.P.-encrypted messages to keep the cops from discovering their plans.
As the use of public-key cryptography spreads, the federal government has not been sitting idly by. In February, after nearly a year of study, the Clinton Administration announced it was introducing legislation to replace D.E.S. with the “Escrowed Encryption System,” better known as the Clipper Chip. The Clipper Chip contains a classified encryption algorithm, code-named SKIPJACK, etched into its silicon. SKIPJACK uses a longer key than D.E.S. and is far more powerful–16 million times stronger, according to the F.B.I. One study estimates that trying every possible key combination on a Clipper Chip would take 400 billion years using today’s computer power. Because Clipper is so powerful, the government hopes it will displace other encryption technology, hardware and software, from the market.
The biggest difference between Clipper and D.E.S., the previous cipher standard, is that with Clipper the government keeps a copy of the coding key. That way, if law-enforcement agencies obtain legal authority to listen in on an encoded message, they can do so. To prevent unauthorized access, the key is split into two parts, with each part held in escrow by the National Institute of Science and Technology and a branch of the Treasury Department. If law-enforcement officers get a court order permitting them to use the key, they then get both halves and decode the encrypted messages.
And because a bit is a bit is a bit, whether it is carrying text, sound or video, this digital wiretap would permit a lot more than eavesdropping on phone conversations. Clipper would also allow law-enforcement officials to collect digital photographs sent across phone lines or even check on your cable movie-watching habits. “It’s collecting digital fingerprints in cyberspace,” says Marc Rotenberg, director of the Washington-based Electronic Privacy Information Center.
The first step toward getting that fingerprint is maintaining access to phone lines, which is why the gumshoes want the Digital Telephony Bill. F.B.I. Director Louis Freeh told a Congressional subcommittee in August that an informal F.B.I. survey of other law-enforcement agencies produced 183 cases in which new technology prevented wiretaps or call-pattern analysis from being either partly or fully implemented. Phone access, Freeh said, is “one of the most important issues facing law enforcement today.” Freeh also is pushing for Clipper.
The measures the government has proposed have provoked an angry reaction from many computer users, however. Opposing Clipper are the nomads and settlers of the electronic frontier, who are generally suspicious of most snooping, government or otherwise (unless they are doing it themselves). On the same side are the high-tech heavy hitters, like Microsoft, Apple, I.B.M. and Sun Microsystems, who have come out in force against Clipper. They fear they won’t be able to sell their products overseas because foreign customers will suspect the U.S. government of monitoring their activities. Last July, after months of intense lobbying by Silicon Valley, Clipper’s opponents declared victory after Vice President Al Gore sent a letter to Representative Maria Cantwell, who is sponsoring a bill that would relax export requirements for encryption tools. The letter said that any encryption standard would have “to be acceptable to computers worldwide.” Some people have concluded that this spells Clipper’s demise, but authorities on both sides of the debate say the chip is by no means dead. In fact, there is now a Son of Clipper in the works called Capstone, a more sophisticated version of the chip that the Defense Department will use to provide secure e-mail, among other things.
As the Clipper lives, so lives the privacy debate around it. Whitfield Diffie, an engineer and one of the developers of public-key cryptography, calls Clipper the equivalent of the combination lock used on schoolchildren’s lockers. Each lock has a combination, but also a keyhole in the back for the teachers. “The children open the locks with the combinations, which are supposed to keep the other children out, but the teachers can always look in by using the key,” Diffie told a Congressional subcommittee last year. But Dorothy Denning, a professor of computer science at Georgetown University who has worked for the N.S.A. on cryptography issues, insists that adopting a new encryption standard like Clipper or Capstone will not increase the government’s legal power to monitor our daily lives. “The standard will not make it easier to tap phones, let alone computer networks. All it will do is make it technically possible to decrypt communications that are encrypted.” However, Clipper is voluntary, which means that anyone could get around it if she really wanted to. For example, there is the problem of super-encryption, which essentially means scrambling data before it reaches the Clipper or Capstone stage. Although Denning says super-encryption is “not all that easy,” John Gage, director of the science office for Sun Microsystems, disagrees. He envisions a little encryption box that can be attached to any phone, computer or TV set and used as an alternative encryption program, like P.G.P., to scramble data before it hits Clipper. “A smart kid with $50 to spend on hardware could securely encrypt a telephone conversation,” he says. So even if a copy of the data flowing from your personal computer ends up in the J. Edgar Hoover Building, it would be difficult, if not impossible, to decipher.
“Down the road encryption will be commonplace, used for everything,” says Denning. One group, the so-called cypherpunks, envisions the day when anything can be hidden from the government. Tim May, a self-described “crypto-anarchist” and co-founder of an electronic cypherpunk forum, says the age of encryption will kill off the nation-state. “I believe we will end our 200-year experiment with democracy in fifty years,” he says, because encryption “nukes the tax base” by making it possible to conduct private financial transactions.
Such predictions may be little more than a binary pipe dream. But Mike Godwin, an attorney for the Electronic Frontier Foundation, says, “In general, encryption decreases the power of government to monitor us.” Godwin adds that while encryption won’t bring down the Capitol, “it’s a technological advance that’s taking us back.” Back, in fact, to Alexander Graham Bell’s era, a time when the Supreme Court decided (in an 1886 case called Boyd v. United States) that private papers were off-limits to legal opponents, even government prosecutors. A little over a century later, those papers can once again be put off-limits–only this time electronically so. While prosecutors may be able to require a defendant to turn over a metal key, it’s not clear that they can force him to relinquish a mental key–especially if he says “I can’t remember,” as William Steen did. (Prosecutors were never able to crack Steen’s P.G.P.-encrypted files; he went to prison in part because of an informant.)
Whether or not Clipper and the Digital Telephony Bill become law, they are no more than plugs in a dam that is already washing away. And unless the federal government tries something drastic–and probably futile–like banning non-Clipper products, it soon may be possible to buy anti-wiretap equipment on-line while shopping for cubic zirconia.