U.S. Encryption Policy Hinders the Information Age
Technology Op-Ed
By: Justin Matlick
3.2.1999
Knight Ridder/Tribune Information Services, March 2, 1999
Despite recent events highlighting the futility of its policy, the White House insists on regulating encryption technology. This policy is ineffective, harms U.S. encryption makers, and damages the economy. As they debate encryption reform, legislators should consider a better, proven approach. The ideal policy would eliminate encryption controls and embrace the free market.
Encryption programs scramble information into unreadable text, ensuring the privacy of electronic data and communications. But while business transactions can be encrypted, so can communications between criminals. Consequently, law enforcers fear that encryption will empower a new crime wave. Responding to this fear, the White House policy attempts to limit the spread of strong encryption by using three tools: export controls, "key recovery" requirements, and industry exemptions.
Encryption strength is measured in bits: the more bits, the harder the encryption is to break. The Administration generally prohibits firms from exporting programs stronger than 56 bits. In December, the Clinton Administration extended these regulations overseas by orchestrating the Wassenaar Agreement. Thirty-two countries caved to U.S. pressure and agreed in principle to bar the export of encryption stronger than 64 bits.
Encrypted data is unscrambled using an electronic "key." U.S. firms wishing to export stronger products must incorporate "key recovery" features. These features create spare keys law enforcers can use to decrypt suspect communications. The Administration wants to store these keys in central databases police can access with court authorization. This scheme is strongly opposed by companies wishing to use strong encryption when communicating with foreign affiliates.
In response to this opposition, the White House has issued exemptions. The financial services industry is permitted to use the strongest available encryption to communicate with overseas subsidiaries. The health and insurance industries are also exempt. These exemptions take dollars away from encryption reform lobbyists but do not make current policy sensible.
According to Vice President Gore, the regulations "will protect our national security and safety, and advance our economic interests, and safeguard our basic rights and values." But Administration policy actually hinders these goals. Export restrictions do not deter criminals. Because most countries have no encryption regulations, criminals can buy strong encryption from foreign firms. Today, anyone can download unrecoverable, 128-bit encryption from companies in several countries including Germany and South Korea.
The 56-bit encryption favored by the Administration is weak, obsolete, and regularly broken by hackers. In January, RSA Data Security offered $10,000 to the first group to decrypt a message enciphered with a 56-bit program. It took only 22 hours for a group of computer enthusiasts to crack the code. Attacks on encryption will become even more efficient as the value of information transmitted across the Internet increases.
The White House claims that the 56-bit export ceiling is not too low because firms may export stronger, key-recoverable products. But key recovery is a recipe for disaster. The databases storing the keys will be prime targets for spies and hackers. Foreign encryption buyers recognize this and avoid U.S. products.
The global encryption market reached $1 billion in 1995 and, according to the National Research Council, could total "many tens of billions of dollars" as use of the Internet expands. Encryption controls lock U.S. firms out of this market, forcing them offshore. Last month, RSA set up an Australian affiliate to avoid U.S. regulations. Companies such as Sun Microsystems have already partnered with foreign encryption producers. This means fewer jobs and fewer dollars for Americans.
Recognizing these harmful effects, legislators such as Senators John Ashcroft and Conrad Burns are trying to curb encryption controls. As Congress debates reforms, legislators should recognize that the sensible policy would eliminate regulations altogether. An unhindered market would strike the appropriate balance between the needs of business and law enforcement. Those seeking guaranteed security could buy unbreakable encryption. High-tech firms could compete globally, returning jobs to U.S. soil.
While criminal communications would likely increase, law enforcers would not be powerless. They could subpoena email, electronic transaction records, and encryption keys. More significantly, they could respond with innovations of their own.
The idea of eliminating encryption regulations remains painfully absent from the U.S. debate. But many other countries – even some left-wing governments – have seen the light. In France, socialist Prime Minister Lionel Jospin rolled back France’s strict encryption controls in January. Recognizing that these regulations harmed the French economy, Jospin replaced them with more funding for police efforts to counter the encryption threat.
Congress should follow Jospin’s lead and abolish encryption controls. Just as industries can respond creatively to regulations, the police and other public institutions can respond creatively to private-sector innovations. Until this reality is incorporated into policy, national security will remain at risk and the economy harmed.
Justin Matlick is Director of the Center for Freedom and Technology at the Pacific Research Institute for Public Policy, a San Francisco think tank. He can be reached via e-mail at: jmatlick@pacificresearch.org