Encryption advocates resist legal limits

Advocates for the free availability of encryption technology are on the defensive after a U.S. lawmaker raised questions about the future of the technology in the aftermath of last week's terrorist attacks.

Some observers have suggested that plotters of the attacks used encrypted Internet communications to evade law enforcement detection. Sen. Judd Gregg (R-N.H.) raised some hackles among encryption advocates with comments in the Senate last week suggesting legal limits on encryption.

"We have electronic intelligence of immense capability. It needs to be improved, especially in the area of encryption," said Gregg, in remarks published in the Congressional Record.

His remarks were widely interpreted to mean that law enforcement should be granted back-door access to encryption technology, such as the e-mail scrambling program Pretty Good Privacy (PGP), developed by PGP Security, a division of Santa Clara, Calif.-based Network Associates Inc.

"We've already seen government proposals for increased wiretapping capabilities and renewed rhetoric about encryption limitations," wrote privacy advocate Bruce Schneier, the founder of San Jose-based Counterpane Internet Security Inc., in his "Crypto-Gram" newsletter, published Saturday. "I fully expect more automatic surveillance of ordinary citizens, limits on information flow and digital-security technologies, and general xenophobia. ... If our freedoms erode because of those attacks, then the terrorists have won."

But aides insist Gregg is calling for voluntary cooperation from encryption companies, not for new legislation.

"He does not legislatively desire a moratorium. He does want some cooperation, as needed under search-and-seizure laws and with a court order. But he does not support a complete ban," said Gregg spokesman Brian Hart.

It's possible that suspected terrorist mastermind Osama bin Laden has used some sort of encryption technology to evade monitoring, said James Bamford, the author of two books on the National Security Agency (NSA), which conducts electronic espionage.

"In the past, NSA had been able to eavesdrop on bin Laden's communications; they were listening in on him fairly regularly, and all of a sudden, they lost him about a year ago. They suspect it's because he's changed his technology," Bamford said today.

NSA Director Gen. Mike Hayden warned in February that bin Laden had access to more sophisticated technology than did the agency.

"Osama bin Laden has at his disposal the wealth of a $3 trillion-a-year telecommunications industry that he can rely on," Hayden said in an interview with the TV news program 60 Minutes II. "We are behind the curve in keeping up with the global telecommunications revolution."

However, Bamford said, terrorists can easily elude surveillance without using encryption technology.

"I think he's mostly using methods that are not susceptible to eavesdropping: using couriers, hiding things in the Internet, not the standard telephone calls," he said.

"There are so many easy, less visible ways of transmitting information across the Web; one can bury things within newsgroups, bury things on Web sites," said Peter Sommer, a senior fellow at the Computer Security Research Centre at the London School of Economics. "From a terrorist point of view, the fact that you are using encryption at all will draw attention to you ... but the reality is that your dedicated terrorist can get his message across the Internet without using particularly sophisticated technology."

Sommer cautioned against precipitous legislation, along the lines of the U.K.'s Regulation of Investigatory Powers Act, which empowers government officials to demand encryption keys to any and all data communications, with penalties of up to two years in prison.

"The mistake that was made in the United Kingdom was that law enforcement was allowed too free a rein in terms of the framing of legislation," said Sommer, who added that overzealous limitations on encryption could pose problems for e-commerce, which relies on encryption for identification and secure payment procedures.

"Yes, there's a possibility that your terrorists are going to use it, but there is a certainty that you are going to incur considerable economic costs," he said.


Copyright © 2001 IDG Communications, Inc.
