The latest weapon in encryption war: a T-Shirt

A T-shirt now available for sale through the Internet is the latest and most amusing
sign of the bankruptcy of current U.S. government policy on encryption. The T-shirt has a
machine-readable encryption algorithm that is subject to export controls under the
International Traffic in Arms Regulations (ITAR). In effect, the T-shirt is a munition.


The shirt actually is a weapon, but not in the way meant by the ITAR regulations. It's
a weapon in the policy battle over encryption. The government, led by the National
Security Agency, has tried for years to prevent the spread of high-level encryption.


For a long time, this attempt was successful. NSA closely watched everyone engaged in
encryption activities and bribed or scared them into keeping their developments secret.
Legal restrictions on the export of encryption devices and methods were a key part of the
strategy.


Eventually, encryption technology marched on beyond the ability of anyone to control.
With the development of public key cryptography, unbreakable encryption methods became
widely available. The T-shirt is evidence of this.


Phil Zimmerman used public key cryptography for a freeware encryption program known as
Pretty Good Privacy. The program can be downloaded from the Internet, and for three years
the Justice Department investigated whether Zimmerman violated export laws. The legal
theory--a shaky one at best--was that placing the program on the Internet where it could
be retrieved by foreigners amounted to an illegal export.


The encryption wars are not only between net users and the government. The business
community has a major interest. Encryption is already in widespread use, and there are
valid complaints that export barriers are undermining security. Net communications and
transactions need good encryption.


In addition, American hardware and software manufacturers scream that export
restrictions shut them out of a lucrative international market. Foreign developers, not
burdened by export laws, are taking business away from American companies.


The Internet community sees unrestricted use of encryption as a right protected under
the Constitution and as a necessary element of network commerce. National security and law
enforcement agencies cringe at the prospect that criminals and terrorists may use
unbreakable encryption to avoid detection and prosecution. This is an issue in which each
side has a strong argument.


It's too early to predict how the struggle will be resolved. There's no domestic
restriction on the use of encryption, so the burden of erecting a new barrier falls on the
national security and law enforcement agencies. The export restriction is all they have,
and it is such a significant impediment to business that it offers considerable leverage.


In 1986, the public interest community worked with business to overcome government
resistance to extending wiretapping restrictions to e-mail and digital communications.
That is how the Electronic Communications Privacy Act (ECPA) became law. Some of the same
dynamic can be found today, but the situation is more complex.


It remains to be seen if there is a middle ground that will permit expanded use of
high-quality encryption yet still allow access by the government with a search warrant.
Government is pushing commercial key escrow as an answer. There are many who argue that
encryption technology is simply beyond control and that the government should give up the
effort.


The forces that shaped the ECPA compromise are still at work. The digital telephony
compromise was forged in 1994 over strong objections from many in the Net community. The
political capabilities of this community are uncertain. Internet users are vocal and
well-connected (obviously), and many strongly support unrestricted encryption. But can Net
users demonstrate the political clout to prevent business and the government from striking
a deal?


Watching the encryption wars--political or technical--is interesting spectator sport.
If you want to watch them wearing your own T-shirt bomb, surf over to http://colossus.net/wepinsto/wshome.html.
  Just remember that if you export the shirt outside the United States or let a
foreigner see it, you may be breaking the law.


That absurdity is why something has to give sooner or later. Robert Gellman, former
chief counsel to the House Government Operations Subcommittee on Information, Justice,
Transportation and Agriculture, is a Washington privacy and information policy consultant.


 


inside gcn

  • Phishing

    Phishing is still a big problem, but users can help shrink it

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above