Encryption and key recovery

Private communication is basic to conducting political activity (and most other business). But the U.S. government maintains restrictions for security reasons that many believe have seriously held back development of secure communications and commerce over the past two decades. Knowing that all forms of communication, including telephone voice service, are moving to digital formats, and strongly desiring to preserve wiretapping capability on these communications, many governments are almost desperately trying to hold back the spread of encryption technology that would keep conversations secure.

Every year, a law lifting restrictions is introduced into Congress—backed by intense support from software companies—but so far none has passed. On the other hand, the administration has failed to pass bills that include harsher provisions. So the status quo mostly prevails, although it started to crack in late 1999 when the White House loosened restrictions for software marketed to commercial institutions. But many products must still be reviewed by the government, a regulation that erects a barrier and offers opportunities for meddling.

A more significant crack in the regime is the availability of Open Source software such as the classic Pretty Good Privacy (PGP). This software has the same export restrictions as proprietary software (although it lacks the patent and licensing restrictions that most proprietary encryption tools have). The revised 1999 regulations lift some of the restrictions on source code, a liberalization which could be politically and technically significant because strong Open Source encryption software would then be freely available to foreign countries, but the regulations do not clearly state how Open Source software would be treated. Showing a weariness with restrictions that hurt commerce, in November a German government agency gave a grant to an Open Source project called GNU Privacy Guard to produce strong encryption that will be freely available internationally and is easy to integrate with commercial products like Microsoft Outlook and Lotus Notes.

Department of Commerce regulations in U.S. that, for many decades, have restricted the export of encryption products, were challenged in 1995 by a computer science professor named Daniel Bernstein. His case rested on the argument that computer source code is a form of speech and therefore not subject to censorship (officially “prior restraint”), to which the government argued that the code was more functional than an expression of ideas. A federal court ruled in Bernstein’s favor in May 1999, but another court ruled in July 1998 that the government restrictions could stand, in a similar case brought by Peter Junger. Meanwhile, the EFF has shown it to be relatively easy to crack the 40-bit encryption technology that is the best form permitted for export.

Attempting to compromise between law enforcement agencies that want potential access to secret communications, and companies that want their communications protected against competitors and other snoops, the U.S. government has spent many years promoting an idea called key recovery or key escrow. The first such proposal, called the Clipper chip, was widely opposed and ridiculed on technical as well as political grounds. Key recovery means the government would have access to the keys that every person uses to encrypt messages (upon meeting certain legal requirements), and could decrypt the messages. Key recovery has been decisively criticized by leading cryptography experts and by CPSR.

Other governments have also tried to impose key recovery. A British government paper of March 20, 1997 was criticized by many organizations in a press release and letter initiated by the CPSR Cyber Rights working group, and by a more detailed and technical press release. The Labour government that later came to power originally opposed restrictions on cryptography, but they are reconsidering their position, a move criticized in (and perhaps aborted by) a GILC press release. The British government is still trying to introduce a key escrow bill, currently as part of an electronic commerce bill.

CPSR circulated a letter on German policy. Electronic Frontiers Australia has a campaign to eliminate encryption restrictions in Australia.

Canada has declared that it will not require key recovery, a statement praised by Electronic Frontier Canada, although export restrictions similar to those in the U.S. and other countries remain in place.

An international campaign tried to remove cryptography’s classification as a dual-use technology (that is, one that can be used as a weapon). Recent changes to a treaty called the Wassenaar Agreement went in the other direction and appear to restrict cryptography further. But countries signing the agreement have been ignoring it and moving toward free encryption; the most dramatic such move was an announcement from the French government removing restrictions on cryptography. In June 1999, the German government also announced it would not impose any restrictions at present, though it will “watch developments further” over the next two years.

A 1999 survey summarizes encryption policies in 230 countries, showing that most do not control its use. The report, which follows up on a 1998 survey, shows progress toward liberalization of cryptography. European laws under consideration are described on a Crypto Law Survey page.

For several years the U.S. government was also investigating Phil Zimmermann, the creator of the most popular form of encryption in current use, Pretty Good Privacy (PGP). More information on cryptography and export restrictions can be found at sites by the EFF and the CDT.

Back to Cyber Rights home page.

Last updated: June 14, 2001

Suggestions to: cyber-rights-owner@cpsr.org