Rendering Unto CESA? - Cyberspace Electronic Security Act

Reason, May, 2000 by Mike Godwin

Clinton's contradictory encryption policy

It was September 28, 1999. Some officials from the Clinton administration were briefing the Congressional Internet Caucus, and Rep. Curt Weldon (R-Penn.) was getting visibly angry.

The officials were outlining the White House's new policy on encryption, the practice of coding and decoding electronic messages using computer programs. Since the Bush years, encryption software has been classified as a munition, meaning that companies need a special export license to ship products overseas, just as if they were shipping guns or warheads. Encryption has long been a contentious issue, pitting privacy advocates against the national security apparatus; now, with e-commerce expanding and requiring stronger protections against intruders, even more parties have been weighing in on the issue. The administration's new approach seemed to make it much easier to export encryption products, and Weldon, a long-time supporter of strict encryption controls, couldn't understand why.

"How could you be implementing this policy?" he asked the panel. "On countless occasions, this administration has sent high-powered people to the Hill, including Attorney General Janet Reno and FBI Director Louis Freeh, warning us that if encryption is freely exported, it will create serious domestic and international security problems and hamstring our law enforcement and intelligence operations. And now you're telling us you've changed your minds?"

Did they change their minds? At the same briefing, the White House reaffirmed its support for the Cyberspace Electronic Security Act (CESA), a bill rooted in the government's traditional distrust of private encryption. Along with some less controversial provisions, the bill said the government need not disclose, in the course of a criminal proceeding, how it recovered the decrypted information that it's using against the defendant. The theory is that if the government reveals its decryption secrets--which may involve classified techniques, industry trade secrets, or software flaws that government researchers have discovered--criminals will be forewarned and will be able to thwart decryption in future investigations. But civil libertarians point out that this will make it harder for defendants to authenticate the state's evidence. It may even pose constitutional problems: How can you confront your accuser in court if you don't know the basis of his charges?

The administration's crypto schizophrenia didn't end in September. Earlier this year, the White House announced a new set of crypto-export rules that, while complex enough to require a lawyer to parse, seem to take the lid off the export of encryption almost entirely. Most encryption tools will be cleared for export after a one-time review by the Commerce Department. There will still be restrictions on products that aren't widely available in domestic retail outlets, exports to "terrorist" pariah states will still be banned, and there will still be some restrictions on programs' source codes. But the new policy is unquestionably a significant deregulation.

And yet: At the same time, the Department of Justice is vigorously litigating for export restrictions in Bernstein v. U.S., a case involving a college professor who claims the First Amendment protects his right to distribute encryption-related source code. Between that and CESA, observers are beginning to wonder whether the United States has a consistent encryption policy at all.

For most of the post-World War II era, the government didn't need a general policy on encryption. Because of the massive computing power necessary to generate cryptographic codes, such activity was the province of intelligence agencies and almost no one else. Over the past couple of decades or so, as the personal computer revolution placed more (and cheaper) processing power within reach of virtually anyone, that changed. In response to a world of decentralized computing, U.S. law enforcement responded with a single, panicky policy: Stop the spread of cryptography at all costs.

The new stance was driven by some pioneering work in the late 1970s by American cryptographers--work that, for once, was not performed by people in the pay of the intelligence agencies, and therefore was not "born classified." This academic revolution--the development of a public science of cryptography and a resulting colloquy about it--was accompanied by a similar, equally dramatic revolution on the microcomputer front.

The result: Ordinary people with desktop PCs could encrypt their messages or data to a degree that only governments could have achieved not long before. For intelligence and police agencies, this ushered in a new era, one in which merely intercepting a terrorist's or criminal's (or dissident's) communications was no guarantee that the government could figure out what the communicator was saying. On top of that, telephone companies were relying more and more on computers to run their networks and phone services, raising the specter of a world in which every call might be encrypted. Effective wiretaps might become a thing of the past.


Content provided in partnership with Thompson Gale