Encryption and Globalization, Essays (university) of Cryptography and System Security

This article discusses the history of encryption law and policy in the US and how it is relevant to the current global debate on encryption policies. It examines the technology, law, and policy of encryption and explains why it is important to ensure the widespread and global availability of strong encryption for data and communications. The article also discusses the recent changes to Indian and Chinese laws regarding encryption technologies and their impact on international trade, national security, and communications security. The article is written by Peter Swire and Kenesa Ahmad and was published in the Columbia Science & Technology Law Review in 2012.

Typology: Essays (university)

2021/2022

Uploaded on 05/11/2023

416 COLUM. SCI. & TECH. L. REV. [Vol. XIII

THE COLUMBIA SCIENCE & TECHNOLOGY LAW REVIEW

VOL. XIII STLR.ORG SPRING 2012

ARTICLE

ENCRYPTION AND GLOBALIZATION†

Peter Swire* and Kenesa Ahmad**

During the 1990s, encryption was one of the most hotly debated areas of technology law and policy. Law enforcement and security agencies initially supported limits on the export of strong encryption for national security reasons. In 1999, however, the administration shifted position to allow largely unrestricted export of encryption technologies. Encryption law and policy discussions largely faded from view.

Recently, encryption is again resurfacing as a major point of policy discussion. Changes to Indian and Chinese laws regarding encryption technologies have raised questions of international trade, national security, and communications security.

There are key lessons learned from the U.S. experience that are highly relevant when the debate shifts from one country to a globalized setting. However, since the U.S. encryption question was settled in 1999, a new generation of policy makers, lawyers, and technologists

† This Article may be cited as http://www.stlr.org/cite.cgi?volume=13&article=9. This work is made available under the Creative Commons Attribution–Non-Commercial–No Derivative Works 3.0 License.

* C. William O’Neill Professor of Law at the Moritz College of Law of the Ohio State University. His work on this Article draws on his experience as chair of the White House Working Group on Encryption in preparation for the Clinton Administration’s 1999 announcement that it would support strong encryption. For financial support, the authors thank the Future of Privacy Forum, Google, Intel, Microsoft, and the Moritz College of Law. The authors express thanks for comments on versions of this Article at Financial Cryptography ’12, the Intellectual Property Scholars Association 2011 conference, and a Moritz College of Law Workshop, as well as at presentations to government and industry experts in the United States and India. Thanks in addition to Stewart Baker, Audrey Plonk, Bruce Schneier, Chris Soghoian, Claire Vishik, and others.

** Kenesa Ahmad received her J.D. from the Moritz College of Law of the Ohio State University, where she served as an editor of the Ohio State Law Journal, and received her LL.M. from Northwestern University Law School. She is currently a Legal and Policy Fellow with the Future of Privacy Forum.

2012 ] ENCRYPTION AND GLOBALIZATION 417

has emerged with little or no experience in the area of encryption policy. This Article seeks to fill an important gap in the literature, and to inform the debate on encryption policies in the face of increasing globalization. By examining the relevant history, technology, law, and policy, this Article explains why it is vital to assure the widespread and global availability of strong encryption for our data and communications.

Introduction ... 417
I. A Short History of Wiretaps for Phone and Data in the U.S. ... 420
II. Encryption Concepts Relevant to the Legal and Policy Analysis ... 425
  A. Private Key or Symmetric Encryption ... 425
  B. Public Key or Asymmetric Encryption ... 427
  C. Cryptographic Uses of Hashes and Authentication ... 429
  D. Categories of Encryption Vulnerabilities ... 430
III. From the U.S. “Crypto Wars” to the New Global Encryption Debates ... 433
  A. The Crypto Wars ... 433
  B. Encryption Issues Today in India, China, and Globally ... 441
IV. Why Globalization Strengthens the Case for Encryption ... 449
  A. The Central Role of Encryption in Cybersecurity ... 450
  B. Globalization and the “Least Trusted Country” Problem ... 457
V. Responses to Common Concerns ... 459
  A. Backdoors are Unlikely to Exist in Cryptosystems, but More Likely to Exist Elsewhere ... 460
  B. “Going Dark” v. A “Golden Age for Surveillance” ... 463
  C. Domestic Industry, Trade Policy, and Encryption ... 474
  D. Summary of trade policy considerations ... 480
Conclusion ... 480

INTRODUCTION

During the explosive growth of the Internet in the 1990s, encryption was quite likely the single most passionate area of legal and policy debate. Broadly speaking, law enforcement and national security agencies supported limits on the export of strong encryption, fearing that encryption would block their vital ability to protect public safety and national security. On the other side, sup-

2012 ] ENCRYPTION AND GLOBALIZATION 419

Good encryption policy results from a mix of history, technology, policy, and law. Part I of this Article offers a short history of wiretaps for phone and Internet data, illustrating why communications across the Internet are far more vulnerable than traditional phone calls, unless encryption is used. Part II provides a primer on basic encryption concepts that are relevant to the subsequent legal and policy analysis. The discussion assumes no prior knowledge of the topic.

Part III highlights key lessons learned from the U.S. crypto wars of the 1990s, informed by the perspective of one of the authors, who chaired the White House Working Group on Encryption in the lead-up to the 1999 change in U.S. encryption policy. This history includes an explanation of the major technical and other flaws in the key escrow approach, such as that attempted with the Clipper Chip proposal.

The U.S. encryption debates provide highly useful background for the current global encryption debates. In addition to highlighting the most compelling arguments from the U.S. experience in the 1990s, the Article proposes two additional reasons why effective encryption becomes even more important when the debate shifts from one country to a globalized setting. The first is the large and growing importance of cybersecurity for nations around the world. In cybersecurity today, the “offense” (in the form of thousands of attacks per day) is significantly ahead of the “defense” (in the form of tools and systems deployed by individuals and organizations to protect their data). Cryptography has become deeply integrated into all aspects of computing since the 1990s, and is today the single most important category of cybersecurity tools. In an increasingly interconnected and globalized world, security holes in one country (such as India or China) directly lead to security holes elsewhere.

The second reason why encryption is especially important for globalization is what we call the “least trusted country problem.” The U.S. encryption debates during the 1990s focused primarily on the best policy for one nation, the United States. A repeated criticism of the Clipper Chip was the lack of trust that the United States would escrow the encryption keys securely, or use its decryption powers wisely. In a globalized setting, the consequences of limiting encryption are much more dire if key escrow or other limits are imposed in a dozen, 50, or 200 countries. How much trust would India place in its communications in the hands of Pakistan, China in the hands of Taiwan, and so forth? As the debate shifts from a setting of one to many nations, the level of trust placed in data traveling through the Internet becomes that of the country that we trust least.

420 COLUM. SCI. & TECH. L. REV. [Vol. XIII

Part V addresses major criticisms voiced by those who wish to limit use of effective encryption. Notably, law enforcement and national security agencies fear they are “going dark” as criminals and terrorists increasingly use a bewildering variety of new communications tools. On more careful examination, however, this Article contends that this mix of new technology is actually enabling a “golden age of surveillance.” Understanding the enormous surveillance capabilities coming into the hands of agencies, rather than focusing on the manageable obstacles created by encryption, is important to reaching an accurate conclusion about the overall need for strong encryption.

This Article concludes by synthesizing the key reasons supporting effective encryption in today’s globalized world, despite the security objections of law enforcement and national security agencies, and the trade interests of some countries. By examining the relevant history, technology, law, and policy, this Article explains why it is vital to assure the widespread and global availability of strong encryption for our data and communications.

I. A SHORT HISTORY OF WIRETAPS FOR PHONE AND DATA IN THE U.S.

To understand the importance of encryption today it is helpful to consider how wiretap technology has evolved in recent decades.^1 Originally, wiretaps were conducted through copper telephone wires. In this scenario, Alice would make a phone call to Bob, as illustrated in Figure 1.^2 The police or other wire-tapper would touch a separate copper wire to the copper wire between Alice’s house and her local telephone company switch. Through the process of induction, the sound waves traveling through the circuit between Alice’s phone and Bob’s phone could be listened to through the wiretap. This was a fairly simple process, merely connecting a listening device (the wiretap) to the circuit carrying sound waves between phones.

  1. See generally Paul Rosenzweig, Cyberwarfare: How Conflicts In Cyberspace Are Challenging America and Changing The World, 12 J. Federalist Soc’y, (forthcoming
     (providing a basic history and policy discussion of wiretapping and encryption in the United States).
  2. The names Alice and Bob were first used in the seminal paper on public-key encryption. Ron Rivest, Adi Shamir and Leonard Adleman, A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, 21 Comm. of the ACM 120 (1978).

422 COLUM. SCI. & TECH. L. REV. [Vol. XIII

cepted. Then, at the switch, the wiretap order could be implemented.

Figure 2. Fiber Optic Wiretapping

CALEA provided critical new tools for law enforcement and, in many ways, made wiretapping much more effective than before. Notably, CALEA made it far easier to implement wiretaps remotely, with a feed running from the switch to the agent’s office. Along with these advantages for surveillance agencies, a clear limit was written into the statute. The legislative compromise at the core of CALEA provided that new wiretap ready requirements only applied to voice networks and did not apply to internet protocol communications.^4

Coincidentally or not, the exponential growth of the Internet began just as CALEA was enacted. CALEA required telephone companies to submit new technologies to the FBI for review before they could be used. By contrast, new Internet software and hardware technologies proliferated as the estimated number of users grew at an incredible rate from 1994 to 2000, when the estimated number of Internet users exceeded 400 million people.^5 It is hard to imagine attaining this level of growth if software and hardware developers had been subject to the same FBI clearance requirements as their voice network counterparts.

  4. 47 U.S.C. § 1002(b)(2)(A) (2012) (excluding “information services”).
  5. Central Intelligence Agency, The World Factbook 2001 (2001), available at http://www.umsl.edu/services/govdocs/wofact2001/geos/xx.html (estimating 407.1 million Internet users in 2000).

2012 ] ENCRYPTION AND GLOBALIZATION 423

Figure 3. Internet Packet Routing

As the telephone networks complied with CALEA, the rapid growth of the Internet in the 1990s made the importance of strong encryption increasingly apparent. Figure 3 illustrates this basic point. In this diagram, Alice is once again communicating with Bob. The difference, however, is that she is now sending Bob an e-mail through the Internet. The connection between Alice and her local Internet Service Provider (ISP) is quite similar to the connection between Alice and her local telephone switch. The crucial difference arises, however, in how the communication travels from Alice’s ISP to Bob’s ISP.

The Internet was originally designed to enable communication even in the face of severe damage to the networks. This resilience is possible through the availability of numerous nodes to receive packets of information from Alice’s ISP and route them on towards Bob’s ISP. Peter Huber termed this the “geodesic network” in which each node of the Internet is analogous to the nodes of the geodesic domes pioneered by Buckminster Fuller.^6 Figure 4 provides an example of a geodesic dome. In a geodesic network, there are innumerable paths between any two points in a large network. If one route is blocked, the communication can simply travel through alternate nodes to arrive at its destination.^7

  6. See generally Peter W. Huber, The Geodesic Network: 1987 Report on Competition in the Telephone Industry (1987) (discussing the geodesic network).
  7. Early Internet theorist John Gilmore popularized the concept that “[t]he Net interprets censorship as damage and routes around it.” Philip Elmer-

2012 ] ENCRYPTION AND GLOBALIZATION 425

attack from outsiders who had taken control of the amateurs’ computers. Additionally, nodes could be operated by hostile foreign governments or by entities reporting to such governments.

The systematic insecurity of the intervening Internet nodes is a fundamental reason why encryption became essential to the growth of the Internet. As commercial and government use of the Internet grew, it became impractical to allow communications to travel unprotected and to be intercepted by unknown and possibly malicious third parties. Consider financial transactions that could be intercepted by criminals. These malicious parties could steal payments intended for others, or make copies of the transactions and attempt to cash in multiple times. Few would conduct serious business on the Internet if they believed that malicious parties would access and read their communications. Technical experts familiar with this vulnerability argued vehemently in favor of strong encryption so that personal communications and business transactions would be protected. As discussed below in Part III, technology industry leaders, civil rights activists and technical experts alike quickly recognized the need for strong encryption on the Internet.

II. ENCRYPTION CONCEPTS RELEVANT TO THE LEGAL AND POLICY ANALYSIS

In order to understand the policy and legal issues discussed later in this Article, it is helpful to review some basic cryptographic concepts: private-key (or “symmetric”) encryption; public-key (or “asymmetric”) encryption; other cryptographic tools such as one-way hashes and authentication; and major categories of how encryption is subject to attack.

A. Private Key or Symmetric Encryption

Long before the advent of the Internet, there were numerous reasons for sending messages in a format that only intended recipients could read and understand.^8 Since ancient days, military commanders sought mechanisms for communicating with allies without revealing secrets to enemies. Merchants used codes when sending commercially sensitive information to distant lands. The telegraph created a new and significant need for encryption due to the numerous intervening parties between the sender and recipient. The radio also encouraged the development of encryption,

  8. See generally David Kahn, The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet (1996) (providing a useful history of cryptology).

426 COLUM. SCI. & TECH. L. REV. [Vol. XIII

because both friends and enemies could listen to transmissions. One well-known example of radio encryption was the Enigma encryption system, used by the Germans during World War II to communicate between radio towers in Europe and U-boats operating in the Atlantic Ocean.

A cryptosystem consists of three major elements: (1) an encryption mechanism, typically a mathematical algorithm for turning plaintext (the original message) into ciphertext (the message in encrypted form); (2) a decryption mechanism, typically an algorithm for turning ciphertext back into plaintext; and (3) a mechanism for generating and distributing keys. A cryptographic key functions similarly to a physical key or combination lock. A physical key is cut slightly differently to fit a particular lock, such as for a car. Similarly, a combination lock, similar to those used for high school lockers, uses a sequence of numbers or symbols to open the lock.

To take a simple example, suppose that encryption occurs by changing each letter in plaintext into a letter x spaces later in the alphabet. If x=2, then “a” shifts two letters to “c” and “b” becomes “d.” Decryption happens by reversing the operation, so “c” becomes “a” and “d” becomes “b.” In this example, the key is “2”, or the number of letters to shift in the alphabet. In this example, there are 26 possible keys, because “a” can turn into any one of the 26 letters of the alphabet (including “a,” which would leave the message in plaintext). In that situation, the key could range from the numbers 1 to 26.

In this approach, Alice and Bob would use the same encryption algorithms for encoding and decoding a message. When Alice wishes to send a message to Bob, she wraps the plaintext message with an agreed-upon secret key. Upon receipt of the encrypted message, Bob unwraps the message using the same private key. This approach is known as “symmetric” encryption, because the key is the same on both ends of the communication. It is also known as “private key encryption,” because the key has to remain private—secret—to possible attackers, and known only to Alice and Bob.

The critical element in this approach is to generate and share the key securely. To distribute and share the symmetric keys, the Germans printed codebooks for each U-boat and other naval vessel. German officers were instructed to destroy the codebooks if faced with imminent capture. Eventually the Allies captured German codebooks revealing the keys used for particular dates.^9 Large

  9. John Barratt, Enigma and Ultra: the Cypher War, Military History Online (Dec. 15, 2002), http://www.militaryhistoryonline.com/wwii/atlantic/enigma.aspx.

428 COLUM. SCI. & TECH. L. REV. [Vol. XIII

Figure 5. Public Key Encryption System

This simplified explanation of public key encryption leads to two important themes for encryption and the global Internet. First, the public key approach directly addresses the most glaring weakness of the private-key approach. It allows people to send messages to each other without first having to securely share a secret key. Instead, all communications to Bob are wrapped up with the same, publicly available key. This public-key approach is a good fit for communication between geographically dispersed people on the Internet. It also addresses the traditional distrust for shared secrets among cryptographers, who often quote Benjamin Franklin’s observation that “three may keep a secret, if two of them are dead.”^15

A second and related theme of public key encryption is that the approach can scale to very large numbers of users. With the old symmetric key approach, the risk of compromise increased each time that one more unwanted party, or U-boat, gained access to the key. By contrast, the public key approach simply requires publication of one additional public key when a new user wishes to participate. The addition of this incremental user does not change the risk for existing users.

  15. Benjamin Franklin, Poor Richard's Almanac (1735).

2012 ] ENCRYPTION AND GLOBALIZATION 429

C. Cryptographic Uses of Hashes and Authentication

The term “cryptography” (Greek for “hidden writings”) applies to more than just encryption (Greek for “putting into hiding”). First, cryptography includes “one way hashes.” The term “hash” conveys the image of a one-way operation—it is easy to turn an animal into the “hash” that people sometimes eat for breakfast; it is impossible to turn that hash back into a breathing cow or pig. Hashes are used widely in modern computing. One category of one-way hashes is a digital signature. Hashes travel with a message and mathematically ensure that the original message has not changed in transit—if even one letter is altered, the hash of that message will not match the hash of the original message.^16 Hashes can be strong or weak, and similar to encryption, a stronger hash is more difficult for an attacker to reverse.

Second, modern cryptography relies heavily on secure authentication to distinguish authorized from unauthorized users. One well-known example is the two-factor authentication key fob sold by RSA and other providers. These key fobs are widely used by government and businesses to provide secure, remote access to virtual private networks.^17 In a typical implementation, the fob displays a randomly generated access code, which changes often, such as once a minute. The user must log in by entering the current access code displayed on the fob. The string of numbers on the user end must match the string of numbers calculated on the server end during that one-minute window. With this authentication system, any hacker who uses an old key will be blocked from entry.^18

D. Categories of Encryption Vulnerabilities

Although public-key encryption greatly helps key distribution, all forms of encryption are subject to three basic categories of attack: 1) brute force attacks; 2) attacks that are more efficient than brute force; and 3) attacks assisted by a flaw known to the attacker,

  16. See Rivest et al., supra note 2.
  17. In 2011, an embarrassing data breach at the RSA Security division of the EMC Corporation resulted in the apparent compromise of RSA’s key fob encryption keys. The cryptosystem itself was apparently not compromised. See John Markoff, SecurID Company Suffers a Breach of Data Security, N.Y. Times, Mar. 17, 2011, at B7, available at http://www.nytimes.com/2011/03/18/technology/18secure.html.
  18. See RSA Authentication Manager Express, RSA.com, http://www.rsa.com/products/AMX/ds/11241_h9006-amx-ds-0711.pdf (last visited Apr. 18, 2012) (explaining how RSA’s two-factor authentication system works).
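The two mechanisms described in Part II.C, as an added example that is not from the Article: a SHA-256 digest that stops matching when one character of the message changes, and a one-time code that the server accepts only inside its one-minute window. RSA's fobs use their own algorithm; the standard HMAC-based scheme of RFC 6238 stands in for it here, and the secret, the messages and the function names are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo values. The secret is the published RFC 6238 test key,
# never a value to use in a real deployment.
SECRET = b"12345678901234567890"
ORIGINAL = b"Pay Bob 100 dollars"
ALTERED = b"Pay Bob 900 dollars"   # one character changed in transit


def message_digest(message: bytes) -> str:
    """One-way hash of the message (SHA-256, hex encoded)."""
    return hashlib.sha256(message).hexdigest()


def verify_digest(message: bytes, expected_hex: str) -> bool:
    """True only if the received message hashes to the digest that came with it."""
    return hmac.compare_digest(message_digest(message), expected_hex)


def one_time_code(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Code for the time window containing unix_time (RFC 6238 with HMAC-SHA1).

    Fob and server share `secret`; both derive the code from the window number,
    so the displayed value changes every `step` seconds.
    """
    counter = unix_time // step                      # index of the current window
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(secret: bytes, submitted: str, server_time: int, step: int = 60) -> bool:
    """Server side: recompute the code for the current window and compare."""
    expected = one_time_code(secret, server_time, step)
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    digest = message_digest(ORIGINAL)
    print("original verifies:", verify_digest(ORIGINAL, digest))
    print("altered verifies: ", verify_digest(ALTERED, digest))

    code_shown_at_0_59 = one_time_code(SECRET, 59)   # fob display in the first minute
    print("code in first minute:", code_shown_at_0_59)
    print("same code one window later accepted:",
          server_accepts(SECRET, code_shown_at_0_59, server_time=61))
    print("fresh code accepted:",
          server_accepts(SECRET, one_time_code(SECRET, 61), server_time=61))
```

A bare digest detects alteration only when the digest itself reaches the recipient unmodified, which is why deployed systems sign the digest or compute it with a shared key.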

2012 ] ENCRYPTION AND GLOBALIZATION 431

Long key length is important in a cryptosystem, but by itself, does not guarantee that an encrypted message is secure. Flaws may exist in the implementation of the cryptosystem or the cryptosystem itself. As an analogy, imagine that an attacker is attempting to break into a room. A long key is akin to a steel door—it is very difficult to penetrate. A short key is similar to a paper door—it is easy to break through. A steel door is useful but will not keep attackers out if a window is open or the wall is made out of flimsy wood. Sufficiently long keys are thus necessary but only one element of a secure cryptosystem.

  1. Improving brute force attacks and the importance of peer review

An important category of decryption work is improving the efficiency of brute force attacks. An ideal encryption system would make the likelihood of each possible key precisely the same. In that setting, an attacker would on average need to attempt half of the total number of possible combinations in order to chance upon the correct key.^23 Suppose, however, that the attacker somehow discovers that only even numbers are used in the keys and no odd numbers. For a long key, this would still leave the attacker with considerable work. Importantly, however, the number of possible combinations would be reduced by half, and the average time needed to discover the correct key would now be 25% of the time originally needed to test all of the combinations.^24

Cryptographers generally agree that it is extraordinarily difficult to create an encryption algorithm that generates keys entirely randomly. Many algorithms proposed over time are flawed, as in the overly simplified example provided in the paragraph above. As a leading cryptography text states:

(2009), available at http://www.bits.org/publications/security/BITSSenderAuthDeployJun09.pdf. Mathematically, a 1024-bit key length has 2^984 more combinations than a 40-bit key length.

  23. The average number is half of the number of total combinations because occasionally the attacker will get lucky and the key will occur in the first 1% of combinations attempted. Occasionally the attacker will be very unlucky and the key will occur in the last 1% of combinations attempted. Those lucky and unlucky occasions have an average of (1+99)/2=50% of occurring. This simple example illustrates why random chance will lead to an average outcome of about 50% of the combinations.
  24. The 25% figure results from: 1) the average time of 50% for all of the combinations; and 2) the fact that only half of those combinations are even (.5*.5=.25). Thus the average time to solve the key would be the time it takes to calculate ¼ of the total possible combinations.

432 COLUM. SCI. & TECH. L. REV. [Vol. XIII

[t]here is no known way of testing whether a system is secure. In the security and cryptography research community... what we try to do is publish our systems and then get other experts to look at them.... Even with many seasoned eyes looking at the system, security deficiencies may not be uncovered for years.^25

Until a cryptosystem has withstood public scrutiny and rigorous peer review, it will endure considerable skepticism from experts. This has been a controversial issue in relation to China’s encryption algorithms, which, as described below, were developed without public peer review. In addition, a strong cryptosystem and a long key length are not sufficient to ensure security—many vulnerabilities may arise at the implementation level, when the cryptosystem is actually deployed in a larger information technology system.
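The shift cipher from Part II.A and the even-keys scenario from the brute-force discussion above, worked through in an added example that is not part of the Article. The sample message, the known word used to recognize a correct decryption, and all function names are assumptions made for the demonstration.

```python
import string

ALPHABET = string.ascii_lowercase
KEYSPACE = list(range(1, 27))                     # keys 1..26; 26 leaves the text unchanged
EVEN_KEYS = [k for k in KEYSPACE if k % 2 == 0]   # the flawed generator: even keys only

# Constructed sample data: a message and a word the attacker expects to see in it.
SAMPLE_PLAINTEXT = "meet bob at the usual place"
CRIB = "usual"


def shift_encrypt(plaintext, key):
    """Replace each lowercase letter with the letter `key` places later, wrapping at 'z'."""
    shifted = []
    for ch in plaintext:
        if ch in ALPHABET:
            shifted.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            shifted.append(ch)                    # spaces and punctuation pass through
    return "".join(shifted)


def shift_decrypt(ciphertext, key):
    """Reverse the shift: move each letter `key` places back."""
    return shift_encrypt(ciphertext, -key)


def brute_force(ciphertext, candidate_keys, crib=CRIB):
    """Try candidate keys in order until the decryption contains the crib.

    Returns (key, plaintext, attempts); key is None if no candidate worked.
    """
    for attempts, key in enumerate(candidate_keys, start=1):
        guess = shift_decrypt(ciphertext, key)
        if crib in guess:
            return key, guess, attempts
    return None, None, len(candidate_keys)


def average_fraction_tried(possible_keys):
    """Average work to recover the key, as a fraction of the full 26-key space.

    Every key in `possible_keys` is taken as equally likely, and the attacker,
    who knows which keys are possible, tries exactly those keys in order.
    """
    total_attempts = 0
    for true_key in possible_keys:
        ciphertext = shift_encrypt(SAMPLE_PLAINTEXT, true_key)
        found_key, _, attempts = brute_force(ciphertext, possible_keys)
        assert found_key == true_key
        total_attempts += attempts
    return total_attempts / len(possible_keys) / len(KEYSPACE)


if __name__ == "__main__":
    ciphertext = shift_encrypt(SAMPLE_PLAINTEXT, 2)
    print("ciphertext with key 2:", ciphertext)
    print("brute force result:   ", brute_force(ciphertext, KEYSPACE))
    # With n equally likely keys the average is (n + 1) / 2 attempts, so the
    # fractions below sit slightly above 50% and 25% for a 26-key space and
    # approach those figures as the key space grows.
    print("all keys possible:  %.1f%%" % (100 * average_fraction_tried(KEYSPACE)))
    print("even keys only:     %.1f%%" % (100 * average_fraction_tried(EVEN_KEYS)))
```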

  1. Backdoors

Another category of possible encryption system vulnerabilities occurs when a programmer intentionally creates the vulnerability. These security flaws are known as “backdoors.” The image is that the front door to a house is securely locked, but someone can enter through a backdoor that appears to be locked, but is actually easy to open. Intentionally creating backdoors can be attractive to some stakeholders. For instance, a system administrator might retain access to all data and communications in a system to ensure that organization policies are being followed.^26 More importantly, for wiretaps, CALEA requires the traditional telephone system to install a backdoor—to be designed wiretap accessible. Law enforcement and national security agencies have also sought back-

  25. Niels Ferguson et al., Cryptography Engineering: Design Principles and Practical Applications 13 (2010).
  26. In the U.S., employees who send emails over corporate network systems typically do not have a reasonable expectation of privacy in their communications. See, e.g. McLaren v. Microsoft Corp., No. 05-97-00824-CV, slip. op. (Tex. App. May 28, 1999) (holding that employee had no reasonable expectation of privacy for emails stored in a password-protected folder on his employer’s network system); Smyth v. Pillsbury Co., 914 F. Supp. 97, 101 (E.D. Pa. 1996) (finding “no reasonable expectation of privacy in electronic communications voluntarily made by an employee to his supervisor over the company email system notwithstanding any assurances that such communications would not be intercepted by management”). In addition, the Electronic Communications Privacy Act, which authorizes criminal sanctions for those who intentionally access e-mail services without authorization, contains an exception providing that employers may access their own private network systems with full authority. Electronic Communications Privacy Act of 1986, 18 U.S.C. 2511(2)(a)(i) (1986).

cryptographers.^29 The NSA’s dominant role diminished as computer technology advanced and public key cryptography developed in public, rather than being classified as a national security secret. Law enforcement and national security agencies became increasingly concerned that the proliferation of private sector encryption would erode their ability to monitor criminals and foreign entities. The NSA in particular made numerous attempts to stifle the outside development of encryption.^30 By the end of the George H.W. Bush administration in 1992, non-NSA encryption had become an important issue for national security policymakers.^31

1. Key escrow and the “Clipper Chip”

When President Clinton entered office, the concepts of “key escrow” and “Clipper chip” became the central battleground for debates about encryption.^32 For the administration, key escrow appeared to provide a way of allowing strong encryption for ordinary communications while still enabling access when needed to law enforcement and national security agencies. With key escrow, the government would permit the widespread use of strong cryptosystems and sufficiently long keys to protect communications against brute force attacks. The tradeoff, however, was that users of strong encryption would be required to store their keys with the government—the keys would be held in “escrow.”^33 The government planned to establish two separate key-escrow data banks, to be run by independent entities, each of which would hold one part of the key.^34 Upon proof of a proper court order for a suspect’s communications, the two key-escrow data banks would reveal their parts of the key to the agency.^35 That agency could then use the two parts of the key together to decipher the encrypted communications and read them in plain text. Unrelated communications would remain strongly encrypted and unavailable to the government agencies.

The Clipper chip was the government’s first attempt at implementing a key escrow system. The basic concept was that a chipset would be installed in all new voice communication devices, each of which would be designated an encryption key. Each half of the key would be escrowed with a different and separate entity. Through proper legal process, law enforcement and national security agencies could retrieve the escrowed keys and access the plaintext communications. The Clipper chip used a data encryption algorithm called Skipjack, which was sharply criticized by many in the encryption community because it had not been peer reviewed. The term “Clipper chip” soon became shorthand for referring to a much broader policy debate about government controls on encryption. The Clipper chip was never launched on a meaningful scale, as manufacturers failed to warm to the controversial government-designed chip. Also, in 1994, cryptographer Matt Blaze discovered ways in which the Chip’s implementation was technically flawed, so that the escrowed key would not decipher phone communications.^36 Perhaps most importantly, the proposal incited impassioned opposition to government controls on encryption, especially from leading civil liberties groups and “techies”^37—a vocal constituency who were in the midst of creating the revolution

29. Between 1949 and 1960 the NSA’s staff of cryptographers increased from 4,139 to 12,120. Thomas R. Johnson, American Cryptology during the Cold War, 1945‒1989, at 64 (Center for Cryptologic History, National Security Agency 1995), available at http://www.nsa.gov/public_info/_files/cryptologic_histories/cold_war_i.pdf. The recruitment of talented young cryptographers is prominently featured in two popular movies. In A Beautiful Mind (Universal Studios 2001) actor Russell Crowe played the role of real-life mathematician John Nash who was hired by the government to work on cryptography. Similarly, in Good Will Hunting (Miramax Films 1997) the fictional Will Hunting, played by Matt Damon, was recruited to use his cryptographic talents for the government, but refused employment.
30. This included the use of secrecy orders against researchers and the revocation of funding for outside cryptography research. See Steven Levy, Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age (2001).
31. Id.
32. In addition to the detailed history provided in the Levy book supra note 30, helpful resources on the U.S. encryption controversy are available from the relevant public interest groups. See Cryptography, Center for Democracy and Technology, http://www.cdt.org/crypto (last visited Aug. 15, 2011). See also Cryptography Policy, Electronic Privacy Information Center, http://epic.org/crypto (last visited Aug. 15, 2011).
33. Escrow is a legal term meaning “a deed, a bond, money, or a piece of property held in trust by a third party to be turned over to the grantee only upon fulfillment of a condition.” Definition of Escrow, Merriam-Webster, http://www.merriam-webster.com/dictionary/escrow (last visited Aug. 7, 2011). Applied to encryption, the key would be the property held in trust by an escrow authority established by the U.S. government. The key would be turned over to law enforcement or national security agencies when legal conditions were fulfilled.

34. Statement by the Press Secretary, Office of the Press Secretary, The White House, The Clipper Chip Initiative (Apr. 16, 1993), available at http://epic.org/crypto/clipper/white_house_statement_4_93.html.
35. The use of the split key, held by two different entities, was intended to allay fears that a single data bank could be compromised by insider abuse or outside attack. The key would only be revealed if two separate data banks were accessed, and collusion between the two data banks would be difficult.
36. Matt Blaze, Protocol Failure in the Escrowed Encryption Standard, Proceedings of the 2nd ACM Conference on Computer and Communications Security 59‒67 (ACM Press, 1994), available at http://www.crypto.com/papers/eesproto.pdf.
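
The split-key escrow arrangement described above, sketched as an added Python example that is not from the article or from any Clipper specification. It assumes a 2-of-2 XOR split and a hash-based stand-in cipher rather than Skipjack; the `EscrowAgent` class, the device names and the court order modelled as a set of device ids are hypothetical.

```python
import hashlib
import secrets

def split_key(key: bytes) -> tuple:
    """2-of-2 XOR split: share_a is random, share_b = key XOR share_a."""
    share_a = secrets.token_bytes(len(key))
    return share_a, bytes(k ^ a for k, a in zip(key, share_a))

def combine(share_a: bytes, share_b: bytes) -> bytes:
    if len(share_a) != len(share_b):
        raise ValueError("shares must have equal length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHAKE-256 keystream XOR), not Skipjack; demo only."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(d ^ s for d, s in zip(data, stream))

class EscrowAgent:
    """One of the two independent data banks; holds one share per device."""
    def __init__(self):
        self._shares = {}
    def deposit(self, device_id: str, share: bytes) -> None:
        self._shares[device_id] = share
    def release(self, device_id: str, court_order: set) -> bytes:
        # Assumption: the order is modelled as the set of device ids it names.
        if device_id not in court_order:
            raise PermissionError(f"no order covers {device_id}")
        return self._shares[device_id]

def demo():
    agents = (EscrowAgent(), EscrowAgent())
    keys = {dev: secrets.token_bytes(16) for dev in ("phone-A", "phone-B")}
    for dev, key in keys.items():
        for agent, share in zip(agents, split_key(key)):
            agent.deposit(dev, share)
    ciphertext = toy_cipher(keys["phone-A"], b"constructed sample call data")
    order = {"phone-A"}  # constructed court order naming one suspect device
    shares = [agent.release("phone-A", order) for agent in agents]
    recovered = toy_cipher(combine(*shares), ciphertext)
    one_share_only = toy_cipher(shares[0], ciphertext)  # a single bank's view
    try:
        agents[0].release("phone-B", order)  # unrelated device stays sealed
    except PermissionError as refusal:
        return recovered, one_share_only, str(refusal)
    return recovered, one_share_only, None

if __name__ == "__main__":
    print(demo())
```

Because each share on its own is uniformly random, compromising one data bank yields nothing about the key, which is the property footnote 35 relies on.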