That’s all over now. At a White House briefing last Thursday, Janet Reno and other administration officials unveiled a new policy. Software companies will be able to include even the strongest crypto in their globally distributed products (for instance, Microsoft could build it into Windows, and ship it anywhere, except for countries supporting terrorism). The official line is that this is simply one step in an ongoing process to balance security needs and privacy. Others agree with the view of Stewart Baker, former counsel of the National Security Agency: “They caved.” No matter what the motives, it was a victory for Silicon Valley, whose high-tech executives had long been urging such a turnaround. Al Gore, who thus far has been eclipsed by Bill Bradley and George W. Bush in wrangling the digerati, also stands to benefit. But the most important questions in the crypto issue go beyond politics: can we afford to let this technology circulate freely? Can we afford not to?
This saga goes back to the days before the first Clinton Inauguration. The FBI and the NSA warned the president-elect that encryption software threatened our security and safety. Spies, terrorists, money launderers and kiddie pornographers would be able to communicate without worrying about wiretaps or surveillance satellites. The only way to stop the spread of this stuff was to maintain rigid export laws that treated the software as restricted weapons, like howitzers or nukes. Meanwhile, the administration would try to establish a global system by which crypto users would allow their government to access the keys to decode their messages. This was the goal of the ill-fated Clipper Chip scheme of 1994.
But the Valley has long maintained that the export-control solution is doomed. For one thing, American companies don’t own crypto: foreign customers (even bad guys) can buy encryption software elsewhere, and U.S. software companies lose out on sales. Compromises that allowed companies to ship two versions of software–a strong one domestically and a weaker one abroad–didn’t work. (Firms selling security solutions quickly discovered “weak” was not a great selling point.) Every year, the policy has lost supporters. Even Congress, traditionally a pushover on national-security issues, was balking: a bill to liberalize export controls had gathered 258 cosponsors in the House. The policy was also being challenged on First Amendment grounds; the government has already lost one case at the circuit-court level, and is appealing. So in a sense, this week’s announcement is, as one administration source says, “recognizing reality.”
Not all the government’s critics are celebrating. “I’m waiting for the other shoe to drop,” says David Sobel of the Electronic Privacy Information Center. He worries that the promises will be undermined when the details are revealed in December. Or that a new $80 million facility to help retrieve information from crypto-wielding crooks will cut secret deals with industry, providing “back doors” to decode scrambled messages. (Companies like Microsoft and RSA Security say that such arrangements are unthinkable.)
Some cynics view the turnaround as a stratagem to boost Al Gore’s struggling presidential campaign. It was no secret that the politico with the most miles on the Information Highway was getting pounded on this issue by potential supporters in high tech. Gore himself wasn’t at the press briefing to make the announcement that had industry groups doing cartwheels–but on Friday he celebrated at a fund-raiser packed with Silicon Valley bigwigs. To be fair, Gore has yet to claim that he invented encryption.
Obviously, no official would admit that politics occasioned the shift. But the administration did offer an even more compelling reason: agencies like the Department of Defense were finding it increasingly difficult to protect their own information and Web sites without it. “The Pentagon uses commercial software, and they need a beefed-up system for security and privacy,” says Under Secretary of Commerce William Reinsch. This realization–one already understood outside the Beltway–contributed to a significant shift in the government’s attitude. Crypto has gone from Snidely Whiplash to Dudley Do-Right. Before last week, it was depicted as an enabler of pedophiles, murderers and money launderers, and only secondarily as a way for citizens to protect information. Now it’s described as a bold protector of our newly networked society, the best means to safeguard our information. “It’s clear that encryption is viewed as a necessity,” says John Podesta, the White House chief of staff. Oh, and we should try to keep it from the bad guys whenever possible.
This flip-flop has been long overdue. The price of pretending that crypto could, or should, be bottled up has been a gaping weakness in cyberspace, a cybercalamity waiting to happen. If the administration’s intentions prove honorable, and companies can export the privacy-enhancing programs that will be produced in the next century, we can finally begin securing the leaky vehicle of the Internet. And maybe even the Pentagon will be able to protect its Web site.
