Top Secrets

NATIONAL JOUNRAL, Vol. 28, No. 37

uying a pair of chinos from Lands' End Inc., the popular mail-order catalog business, couldn't be easier these days. The company has a site on the World Wide Web, the multimedia corner of the Internet, that offers an electronic order form. Punch in your request, provide your credit card number, click the send button and your new duds will soon be on their way.

But wait a minute. You're worried about the credit card number. What if some computer hacker steals it as the order zips through the ether of cyberspace? No problem. The Lands' End site automatically scrambles your information into an unreadable code. When the order reaches the company's Dodgeville (Wis.) headquarters, computers there unscramble the code.

Lands' End initiated its encoded order form last year after customers demanded it, William E. Doyle, the company's manager for advertising and electronic media, said. Electronic sales are ``still a relatively small number'' compared with the company's billion-dollar-a-year catalog sales, ``but increasingly more and more people are feeling comfortable with putting their credit card out on the Internet in a secure manner,'' he added.

``Secure'' is the operative word here. L.L. Bean Inc., the venerable sporting goods outfitter in Freeport, Maine, and Lands' End's chief competitor in the mail-order business, also advertises its wares on a Web site. But for now, if you want chinos from Bean, you must order them the old-fashioned way, by mail or telephone. The company put up the Web site almost a year ago, and ``we were concerned about security issues from the very beginning,'' Catharine A. Hartnett, the company's public relations manager, said.

Slacks are just slacks, but the difference in the approaches Lands' End and L.L. Bean take to electronic ordering is a microcosm of a much larger debate over computer encryption technology that's been building this summer in Congress and the White House. The Commerce Department is scheduled to release a report on the controversy later this month, and no less than the futures of American law enforcement and the U.S. software industry may be at stake.

Blocking the Message

The debate over encryption, or coding, arises from a complex set of technical issues. But the question that policy makers must decide is fairly straightforward. Federal law currently prohibits American software companies from selling ``strong,'' or military-grade, encryption programs overseas on the ground that such programs can be used as weapons. The world encryption market is growing rapidly, however, and computer experts expect it to generate billions of dollars in annual sales by the end of the decade. American software makers want the federal government to ease its export restrictions on encryption technology, or drop them altogether, because foreign software companies--several of which face no restrictions--are cornering the market outside the United States.

The Justice Department and the FBI, on the other hand, are adamantly opposed to easing or dropping limits on foreign encryption sales unless U.S. software makers agree to surrender the keys to their codes so that they are available to law enforcement agencies armed with search warrants. Without this system, popularly called key escrow, law enforcement agencies don't have the technical ability to break the computer codes that criminals are bound to use in the future, Justice officials say.

``If [strong] encryption proliferates internationally, in the absence of the development of a key recovery system we will find ourselves increasingly shut out of the traditional means we have utilized to combat organized crime, terrorism and narcotics trafficking,'' deputy attorney general Jamie S. Gorelick said in a recent interview.

For several years, the Clinton Administration has tacitly supported the law enforcement perspective on encryption by proposing a series of regulations that would give the federal government ready access to computer codes. The first of these proposals--to add a ``Clipper'' chip to new computers that would give law enforcement a technological back door into encryption programs--raised such a furor among industry representatives and civil libertarians that Vice President Albert Gore Jr. recalled it in early 1994.

A series of recent events, however, has brought the encryption debate from its simmer to a rolling boil. In May, Sens. Conrad Burns, R-Mont., and Patrick J. Leahy, D-Vt., introduced a bill that would abandon the encryption export restrictions entirely. Then-Senate Majority Leader Robert Dole of Kansas, now the Republican candidate for President, publicly gave the measure his blessing--an unusual step, in that technology bills rarely attract this much attention from congressional leaders.

The Burns-Leahy encryption bill has since gained bipartisan steam. Four of the 13 co-sponsors are Democrats, and lobbyists for the software industry say that the Commerce, Science and Transportation Committee is on the verge of reporting the bill to the floor. Some congressional aides even speculate that because of Dole's support, passage of the Burns-Leahy bill could become an issue in the presidential campaign.

The bill got a crucial boost on May 30, when a blue-ribbon commission of the National Research Council, an arm of three quasi-federal science agencies--the National Academy of Sciences, the National Academy of Engineering and the Institute of Medicine--released a report recommending that export controls on encryption be greatly relaxed.

On July 12, however, the White House issued an official statement opposing congressional attempts to eliminate the encryption export controls and affirming the Clinton Administration's support for a key escrow scheme. In the wake of that statement, the Commerce Department began holding urgent meetings with software makers in an effort to persuade them to go along with the key escrow proposal.

Meanwhile, opposition to the Burns-Leahy bill has begun to surface in the Senate. Earlier this summer, Senate Banking, Housing and Urban Affairs Committee chairman Alfonse M. D'Amato, R-N.Y., filed a request to assert sequential jurisdiction over the bill, a move software industry representatives say could kill the measure.

On-line activists and civil libertarians also contend that the wave of sentiment against the Internet that marked last year's debate over the Communications Decency Act, a bill to prohibit the electronic transmission of pornography, is emerging again in the Senate. The bill, which became law in February, was recently overturned in federal court.

This spring, Sens. Dianne Feinstein, D-Calif., and Orrin G. Hatch, R-Utah, tried to attach a version of Feinstein's 1995 bill outlawing bomb-making information on the Net to both anti-terrorism legislation and the Defense Department appropriations bill. Those attempts failed. But after a pipe bomb exploded in Atlanta's Centennial Park during the 1996 Olympics, Feinstein redoubled her efforts. Sens. Joseph R. Biden Jr., D-Del., and Judd Gregg, R-N.H., have also argued that Feinstein's bill has merit.

``The Administration's looking for ways to shore up its anti-encryption strategy, which is to delay the Burns-Leahy bill and keep a finger in the dike'' holding back industry demand for loosening the export controls, said Jerry Berman, executive director of the Washington-based Center for Democracy and Technology, an on-line advocacy group. ``To do that, they're using the hysteria and fear created by terrorist incidents. That's the same argument they tried with the Communications Decency Act. They're saying that the Internet is a dangerous thing.''

Internet Dangers

Darn right it's dangerous, when terrorists, South American drug cartels and the like are using the Net to communicate, law enforcement and Administration officials respond.

Encrypted computer files have been used to hide child pornography on the Internet, and to shelter the financial records and illegal gun sales of militia groups, the White House said in its July 12 statement. Alleged CIA mole Aldrich Ames ``was instructed by his Soviet handlers to encrypt computer files that he passed to the Soviets,'' the statement added. ``Grave crimes, such as a plot to shoot down several airliners over Chicago, have been foiled by the use of wiretaps. Had the FBI been unable to read those transmissions, however, a major tragedy might have ensued.''

Encoded computer transmissions can be particularly destructive in circumstances where terrorists try to disrupt the operations of air traffic control systems, banks, utilities and other key elements of daily life, Gorelick said. ``We know terrorists use encryption. We know encryption is more dangerous when a person using it can connect to legitimate society. And we know if law-abiding citizens will, upon a court order, provide access to encoded computer communications, we will increase our ability to penetrate these groups,'' she said. ``So this issue is real. This is now.''

Computer experts and industry representatives insist that the encryption debate can't be stated in such black-and-white terms. If the federal government can easily get its hands on the software tools necessary to break a code--as would be possible under a key escrow system--then the notion of Internet security is a farce, many computer experts in private industry said.

In 1930, Germany's Weimar Republic conducted a census and stored the resulting information on punch cards, the storage devices for the machines that were the forerunners to the modern computer, said Barbara B. Simons, a computer researcher in San Jose, Calif., who is chairwoman of the public policy committee of the Association for Computing Machinery, a professional organization whose members include some of the country's foremost computer scientists.

``When the Nazis came to power they had all this information at their fingertips, and they used it to track down `undesirables.' Even though the Weimar Republic had done this survey in good faith, the technology was subsequently used against innocent people,'' she said. ``If the federal government insists on making it impossible for law-abiding citizens to communicate electronically without, in theory, the government being able to listen in, then an outlaw government becomes more and more possible.''

If the export restrictions on encryption technology aren't loosened or eliminated, the role of federal intelligence agencies in domestic matters may well expand, civil liberties advocates and industry representatives also said.

This argument centers on the economics of the computer software market in the United States. The highest encryption code length allowed under the federal export regulations is 40 units, or ``bits,'' of data. After a French graduate student broke a 40-bit code last year using borrowed computers, an increasing number of companies with international operations have switched to a 56-bit code.

Because it's too expensive for most American software makers to produce one 40-bit encryption program for overseas sales and another 56-bit program for sales within U.S. borders, many companies have stuck to the lower limit, according to the Business Software Alliance (BSA), a Washington-based lobbying group that represents most major players in the software industry. Meanwhile, foreign software makers are busily producing far stronger codes and selling them almost as fast as they make them.

Nippon Telegraph & Telephone Corp., the Japanese electronics giant, for example, recently announced that it would begin selling computer chips embedded with a 128-bit code. Mitsubishi Electric Corp. has also developed a 128-bit code, while Hitachi Ltd. has produced an encryption program that reportedly runs a 256-bit code.

``The Japanese see the lack of strong encryption programs as a big hole in the market. They're putting it into a lot of products, like [software programs for] virtual shopping, cybercast technology [for voice and video broadcasts through the Internet] and smart cards [with computer chips],'' said Rebecca M.J. Gould, the BSA's vice president for public policy.

With stronger and stronger encryption programs flowing into the U.S. market from foreign producers, law enforcement agencies such as the FBI will have to turn to the National Security Agency (NSA) for help, on-line activists argue.

As part of its mission to monitor potential threats to U.S. security, NSA has developed the most powerful computers and the most sophisticated code-breaking techniques in the world, according to computer experts. But ``a caution light has to go on when we talk about relying on the NSA'' to break down the codes shielding criminal communications within the United States, Berman of the Center for Democracy and Technology said. ``We don't want agencies that are in the business of foreign investigations to be subtly involved in domestic law enforcement, because they're not trained to balance security issues against constitutional issues.''

Internet Boom

Most of the fears the computer industry and civil libertarians have about law enforcement trampling electronic privacy rights will prove moot, however, because the boom in commerce on the Internet will make a key escrow system inevitable, Administration officials said.

``Companies are going to want to have ways to validate the information they're sending and receiving,'' said William A. Reinsch, Commerce undersecretary for export administration, who is conducting the meetings with the software industry. ``Over time, the industry will have to get together and develop systems that permit [data authentication] to take place. So we're trying to devise a key escrow system that will fit into a lot of what we think will happen anyway.''

On-line activists say that argument is bunk. The Administration ``is attempting to blur the line between a key certification system, where you confirm who you are by giving a public code to some kind of authority, like the Postal Service, and key escrow, which means giving the key to your program to a third party,'' said David Banisar, a policy analyst with the Electronic Privacy Information Center, a Washington advocacy organization. ``Reinsch testified before Congress that software won't be trustworthy without key escrow. Commercial transactions [over the Internet] may not be trustworthy without certification, but that problem has nothing to do with key escrow.''

The federal law enforcement community shows no sign of backing down from its demand for a key escrow system. But Reinsch shied away from the suggestion that the Administration is trying to strong-arm software producers into complying with the system.

``We're not trying to compel behavior but to influence the market in the direction we want,'' he said. ``If the great mass of the commercial community buys into [key escrow] and gets comfortable with it, what you'll have is a lot of other people wanting to buy this software. It will become a market standard without the government having to intrude. If the BSA and the computer software and hardware people say, `We don't want to do this,' it will be hard to get the market moving in that direction. That's why their skepticism about key escrow is important, and their cooperation is a serious matter.''

That cooperation, however, may be long in coming. Meetings between the Administration and the computer industry over the question of encryption controls ``have been going on for years, with no result. It's quite frustrating,'' the BSA's Gould said. Also, ``the Vice President's July 12 statement said nothing that we could count on, or hang our hats on.''

When President Clinton took office in January 1993, the Administration promised to review the feasibility of the 40-bit standard every 12 months, Gould said. That review has never taken place. When Gore canceled the Clipper chip proposal, the computer industry was also left with the impression that the key escrow concept was dead. Instead, the Administration has proposed revised key escrow plans twice since then.

``I think mid-September has the potential to be a very important time for us,'' Gould said. ``Unfortunately we have met that moment of potential several times in the last few years and have been beyond disappointed. But we keep hoping. The President or the Vice President could resolve this issue on their own, but Congress can also resolve it.''