The Crypto Boondoggle

By Jonathan Wallace

Congress would be very amusing if it were a little less dangerous. The way things are done is arcane, ridiculous, and often completely unfair; thank God we have the court system to straighten it out afterwards.

The House of Representatives has just been playing around with the crypto question. For some years, the Clinton administration has been advancing the basic idea that products which include encryption should have a back door, enabling easy decryption by the government (upon obtaining a warrant, of course.) FBI director Freeh complains to anyone who will listen that freely available encryption will cripple law enforcement.

At the same time, federal law treats encryption products as a "munition" so that exporting them may be a federal crime. In our book, we described the lengthy federal investigation of the PGP author, Philip Zimmerman, because his shareware product had been posted to the Net by someone and downloaded abroad by someone else. Meanwhile, US companies have been handicapped from competing with foreign producers of software with strong encryption capabilities.

Some Congressfolk recently introduced a bill named "SAFE" which would ease export restrictions on crypto (while criminalizing use of crypto in connection with a crime, as a compromise.) Here's where the Congressional tactics get really interesting. An attempt was made to gut SAFE and replace it with an amendment, Oxley-Manton, which would ban the *domestic* distribution of any crypto product if it didn't have a back door built in for the feds. The sinister beauty of this tactic is that the bill, as amended, would still have been called SAFE; it just would have done the exact opposite of what the original legislation set out to accomplish. Oxley-Manton was defeated in the Commerce Committee but the chair of the Rules Committee, has announced he will not allow any legislation to reach the House floor which does not contain Oxley-Manton.

In this case, gridlock is good; the chances that the House and Senate will get their act together and pass legislation this year are slight.

Obscured by the usual "Ohmigod, its the Internet" panic is the remarkable spectacle of the government trying to protect its access to private communications. As we said in the last chapter of the book, we get in trouble the moment we start regarding the Net as anything else than a form of print communications ("a constellation of printing presses and bookstores"). Every wrong adjudication, every ridiculous legislation, is based on the premise that the Net bears no relationship to anything that went before. Any Congressperson or judge considering a law affecting the Net should try the simple thought experiment of imagining its impact on print communications. A rating system for the Web? How would you feel about one for books? Back doors into crypto? How would you feel about a law against envelopes (postcards only)? Or one which said that you had to keep a copy of every private letter somewhere so that the government could request it if need be?

Many commentators on the pro-speech side of this issue have pointed out that some of the founders of our country encoded private communications when they didn't want them to become public. The government has no role in determining that we can't speak in murmurs, or use allusions, or speak Navajo if we want to.

Two good sources of information are Center for Democracy and Technology, and Voters' Telecommunications Watch.

The following is a copy of a letter signed by numerous law professors criticizing Oxley-Manton. It sets forth the constitutional arguments against government regulation of crypto.

September 23, 1997

The Honorable Thomas J. Bliley
2409 Rayburn HOB
Washington, DC 20515

Dear Chairman Bliley,

We write to express alarm about an unprecedented proposal that has been advanced to impose criminal penalties on the manufacturing or distribution of domestic encryption products that do not contain a government-mandated "back-door." The proposal, drafted in large part by the FBI, has already been adopted by the House Intelligence Committee, and may be offered soon in the Commerce Committee by Reps. Michael Oxley and Thomas Manton as an amendment to H.R. 695, the "Security and Freedom through Encryption (SAFE) Act." The SAFE Act was originally intended to loosen the export controls that have blocked U.S. companies from offering products with strong encryption on the global market. The Oxley-Manton amendment, however, changes fundamentally the nature of SAFE. Rather than liberalizing limitations on encryption, the amendment drastically increases the government's control over the use of both domestic and international encryption technologies.

We believe that this is a profound mistake. Never in peacetime has our government attempted so completely to monopolize a single form of communication; never has it required, in effect, a license to exercise the right to speak. But that is what this amendment would do. In our view, not only could this amendment make our citizens less secure, but it would also contravene fundamental principles of our constitutional tradition. We would no longer be a leader protecting individual rights internationally; we would instead become the architect of the most comprehensive surveillance plan the world has seen since the end of the Cold War.

We are law professors who believe this plan is as unconstitutional as it is unwise. We may individually differ in our reasons, but we have collected below at least some of the reasons that we take the position we do. We urge Congress not to take this step now. No showing has been made to justify so massive a change in our constitutional protections.

I. An Attack on Basic Constitutional Rights

Freedom of Speech

The amendment raises profound questions about rights of free speech. The right to speak freely includes not only the right to say what you want, to whom you want. It also includes the right to choose how to speak, and whether to speak at all. The right has no preconditions. In America, at least, you do not need a license to speak; you do not need the government's permission to speak in the language of your choice; and you do not have to organize your speaking in a way that happens to suit the needs of the government. The Constitution no more permits Congress the power to regulate the software within which speech may occur than it give Congress the power to say what kind of paper a diary may be written upon. These are choices rightly left to the individual.

These freedoms are a basic part of the fabric of American constitutional law. The Supreme Court has upheld them in innumerable rulings, including McIntyre v. Ohio Elections Commission (affirming the right to anonymous political speech); Riley v. National Fed'n of the Blind ("Mandating speech that a speaker would not otherwise make necessarily alters the content of the speech."); Wooley v. Maynard (holding unconstitutional New Hampshire's requirement that cars display license plates bearing the state motto); West Virginia State Board of Education v. Barnette (holding that compelled recitation of pledge of allegiance violates the First Amendment) .

The amendment would undermine these constitutional rights to free speech. By imposing requirements on cryptographic programs - used by individuals and corporations to protect the privacy and security of their papers and telephone or e-mail conversations - it would in effect be mandating the code software writers may write. Only governmentally approved code could be used to transmit speech the speaker wants to protect; authors and speakers would be required to use this code to say what they wanted to say. This forced speech, we believe, takes the government's power too far.

We accept that law enforcement agencies, if they obtain a warrant based on a showing of probable cause, can intercept a person's communications and seize a person's data. But that power exists after a finding of probable cause has been made. This amendment regulates citizens before any finding of probable cause. It regulates the programs that citizens may use before they speak at all. It requires every citizen to fit his speech to a program essentially designed by the government, so that the government is better able to monitor the citizen's speech. This preemptive strike on free speech is without precedent in our constitutional tradition. We believe it is profoundly misguided. Under the theory of the amendment, the only permissible encrypted speech is governmentally licensed encrypted speech. But this, we believe, the government cannot require.

Fourth Amendment Rights

The amendment also raises troubling questions about the right to privacy. Our Constitution presumes that there will be no secret searches. Not only must the government ordinarily obtain a warrant for a search, but its agents executing the warrant must also announce their presence. This is the knock and notice requirement, and the Supreme Court has made it clear that this is a fundamental element of Fourth Amendment protections. The amendment would abrogate this fundamental protection. By requiring users of encryption to place their key with third parties who can be compelled under the statute to hand that key over to the government, the amendment makes possible secret searches by the government on an unprecedented scale. These are not just telephone calls that the government needs contemporaneously to search. It includes documents on a computer disk, whether bank records or a diary. It is as if the state required the deposit of house keys with a local bank, so that the government could use that key secretly to gain access to an individual's house.

More fundamentally, the amendment does violence to our Fourth Amendment values by forcing all citizens to communicate in a way that limits their ability to protect their own privacy. In an effort to downplay the significance of its proposal, the FBI has argued that it is only seeking to ensure the ability to obtain plaintext of data that it has already obtained in encrypted form. On this basis, the FBI tries to argue that it is seeking no new authority. On the contrary, under current law and practice, if the government obtains access to encrypted data or communications using any of the surreptitious means now at its disposal, it has no power to assure access to the plaintext of that data. This country's Fourth Amendment has never guaranteed law enforcement's ability to search, seize, and understand every conversation, communication, or stored record of every citizen. We have never required that every person -- whether or not there is probable cause to believe they have committed a crime -- live in the legal equivalent of a glass house, just so the government can facilitate surveillance without the notice or consent of the searched.

II. The Risks of a Global Key Recovery Regime

We are most concerned, however, with the danger that this proposal presents internationally. The new communications media are global in nature. No nation regulates for itself alone. The proposed "solution" to the encryption issue offered by the amendment will be most effective for law enforcement only if it is widely adopted internationally. Section 501 of the House Intelligence bill in fact instructs the President to negotiate agreements with foreign governments for "mutual recognition of any key management infrastructures." Most countries, however, do not give their citizens the same privacy protection that our Constitution guarantees our citizens. Therefore this international recognition could present three problems for the privacy interests of our own citizens.

The first is the lack of privacy protection against foreign government access to keys, whether stored in the U.S. or elsewhere. Few countries assure privacy protections comparable to ours. Yet the "mutual recognition" agreements essential to a global key recovery system will require the exchange of key information with foreign governments. When other countries request keys, many of these requests will be made on the basis of procedures far less strict than those required under U.S. law. In these cases, it will be difficult or impossible to determine whether the requesting country has complied with anything comparable to our warrant requirements. The risk is even worse when decryption information is held outside of the U.S., for it will be impossible to assure that adequate security precautions are followed by the other government's key recovery system. As a result, American citizens using encryption, both within the U.S. and outside of the U.S., will do so without the privacy protections provided under U.S. law, and without the technical security protections provided by encryption without a backdoor.

The second, and more fundamental problem, is the threat the proposal does to the historic role of the United States as a defender of freedom. In countries throughout the world, the targets of surveillance include dissidents, religious groups, the press, and economic enterprises. We have long stood to protect the individual against such invasions by governmental surveillance. Ours is not the society of big brother. Yet in advancing this proposal, we would become the leader in establishing a new global surveillance society. Especially where political oppression exists, this will just increase the threats to liberty for these citizens, or for our citizens as they may interact with these countries. The risks of key escrow threaten the press, churches and other non-governmental organizations, as well as individual citizens.

Third, a global key escrow regime would be a threat to American economic security. Other countries will use key escrow as a tool for economic advantage. Following the American lead, other countries will be emboldened to criminalize strong encryption and establish a key escrow system along the lines of the proposed bill. As a condition of doing business, American companies will be required to hand over their keys, and in this way, foreign governments could gain the power to decrypt all business communications that cross their territory. This again would allow foreign governments to read confidential communications without any notice to the company that it is under surveillance.

Conclusion

Congress faces a historic choice about the shape of free speech and privacy in the next century. In making this choice, there will no doubt be many questions of profound importance to our constitutional values. But there is little doubt that the Intelligence Committee substitute and the Oxley-Manton amendment would inspire the creation of an unprecedented system of global surveillance, expanding law enforcement authority and circumventing the protections of the First and Fourth amendments. It is too radical a change to make with so little thought. We urge you to resist it.

Sincerely,

Keith Aoki
University of Oregon School of Law

Kevin D. Ashley
University of Pittsburgh School of Law

Jack M. Balkin
Yale Law School

William E. Boyd
University of Arizona College of Law

Darryl K. Brown
University of Dayton School of Law

Dan L. Burk
Seton Hall University School of Law

Julie E. Cohen
University of Pittsburgh School of Law

Peter L. Fitzgerald
Stetson University College of Law

Eric M. Freedman
Hofstra University School of Law

A. Michael Froomkin
University of Miami School of Law

Llewellyn J. Gibbons
Franklin Pierce Law Center

Timothy Hoff
University of Alabama School of Law

Jerry Kang
UCLA School of Law

Ethan Katsh
University of Massachusetts

Andrew Koppelman
Northwestern University School of Law

Mark Lemley
University of Texas at Austin School of Law

Lawrence Lessig
Harvard Law School

Jessica Litman
Wayne State University

Henry H. Perritt
IIT Chicago-Kent College of Law

David G. Post
Temple University Law School

Margaret Radin
Stanford Law School

William D. Rich
University of Akron School of Law

Jon Romberg
Seton Hall University School of Law

Jim Rossi
Florida State University College of Law

Pamela Samuelson
University of California at Berkeley School of Law

Mark S. Scarberry
Pepperdine University School of Law

David E. Sorkin
John Marshall Law School

Peter Swire
Ohio State University College of Law

Additional Signers After Initial Release:

Eben Moglen
Columbia University School of Law

Steven Shiffrin
Cornell Law School

Note: Institutional references are for identification only. The views expressed herein do not necessarily reflect the views of the organizations referenced.