1996-11-11 - So how does the crypto crackdown go?

Header Data

From: Hal Finney <hal@rain.org>
To: cypherpunks@toad.com
Message Hash: f1252fd6ffb213d3ea2c05912855487e18ca93a575cf0df91f21c43aa4d1cce3
Message ID: <199611111718.JAA31638@crypt>
Reply To: N/A
UTC Datetime: 1996-11-11 18:41:36 UTC
Raw Date: Mon, 11 Nov 1996 10:41:36 -0800 (PST)

Raw message

From: Hal Finney <hal@rain.org>
Date: Mon, 11 Nov 1996 10:41:36 -0800 (PST)
To: cypherpunks@toad.com
Subject: So how does the crypto crackdown go?
Message-ID: <199611111718.JAA31638@crypt>
MIME-Version: 1.0
Content-Type: text/plain


I've enjoyed Peter Hendrickson's provocative postings and the many good
responses.  However I don't think we should forget that the FBI and
other law enforcement agencies almost certainly do hope to ban strong
encryption in the U.S. and in other countries as well.  So it is worth
discussing how the ban is likely to happen and what impact, if any, it
would have.  I could see such a measure going into effect after the next
terrorist attack as part of a comprehensive bill that also includes
taggants in explosives, more permission for wiretaps and surveillance of
terrorists, and similar items on the LEA laundry list.

Keep in mind the effects of the current ban on U.S. exports of crypto
technology.  Obviously this have not stopped crypto from moving
overseas.  But it has definitely had significant effects.  It is _not_
widely ignored, at least in public.  That is why we work so hard to
overturn it; if it had no effect, we wouldn't care.  Companies are much
more careful about how and whether they will distribute crypto on the
net; for many months Netscape's free software didn't have strong crypto;
Americans even on this list are afraid to publish algorithms and envy
Adam Back's freedom to do so.

My guess about how a crypto ban would go is that it would be an extension
of the export ban, and be based on interstate commerce regulation.
It would ban distribution of crypto software, commercial, freeware,
and shareware, which had the ability to hide the content of messages.
Exceptions would exist along the lines of the recent export proposals,
where the software would be OK to use if it had a small key size with
an approved cipher, or other means to ensure law enforcement access.
The ban might also cover stego and stealth type software, at least if
that were the primary purpose of such programs.  The U.S. would also
work to convince foreign countries to implement similar bans.

One question is whether they would also try to make it illegal to use
(rather than to distribute) crypto software.  On the one hand, if they
don't do that, they have a problem with all the installed base of code.
But the legalities of stopping people from encrypting code on their own
computers, or writing crypto programs for personal use, seem a lot more
questionable to me, and I don't know how much precedent there would be
for that kind of restriction.

So as I see it the main target of the ban would be distributors of
software rather than end users.  This would be in line with the often
stated goal of the law enforcement people that their main concern is with
crypto that is built in, transparent, and trivial to use, rather than
hacker's crypto.

So what are the impacts of this kind of ban?  They might not be all that
bad.  Already on the net Americans have to be careful about what they
say.  We can't describe crypto algorithms because they might leak
overseas.  With a ban on domestic distribution we would still be
prevented from talking about crypto.  So this is not very different.

Commercial companies building in crypto would have to go back to
escrowed or weak encryption.  All those export controlled sites would
treat Americans the same as foreigners and prevent them from getting
the strong crypto.  The few commercial products sold in the stores which
do crypto would have to be changed.  Strong crypto might be distributed
via an underground network, but this would be about as risky as running
Internet sites that export strong crypto is today.   There are very few
such sites, although granted there is little call for them because
overseas crypto sites are widely available.

The end result is that almost nobody in the U.S. would have access to
strong crypto, except for the motivated few who write their own, keep
old strong versions around, or obtain new strong software illegally.
This sounds bad, but as far as actual _users_ of strong encryption it
is not so different from the way things are today.  Weak/escrowed crypto
would still be widely used and built in to communication software.

The big question in my mind is whether they could get away with banning
the use of strong crypto rather than its distribution.  This would be
much more effective from the law enforcement perspective.  But they
have not tried this so far even for international messages, presumably
due to the serious Constitutional questions it would raise.

Hal





Thread