Originally created 09/24/01

Terrorism attacks renew debate over encryption software



NEW YORK -- In a terror-induced climate of heightened electronic vigilance, debate is brewing over whether makers of encryption software should be obliged to provide law enforcement with the keys to open scrambled messages.

Phil Zimmermann and fellow encryption supporters thought they had won the battle two years ago when the U.S. government decided to permit the export of full-strength encryption software without requiring programmers to hand over spare keys.

The Sept. 11 attacks changed the atmosphere, and at least one senator has since called for making keys available. U.S. intelligence says Osama bin Laden's terrorist organization has used e-mail and encryption to communicate.

Currently, agents monitoring e-mail traffic may know two suspected terrorists are talking but can't determine what they are saying. Giving government the keys could help stop terrorists before they strike, says Gene Poteat, president of the Association of Former Intelligence Officers.

"You have to be quicker on your feet," Poteat said. "You have to have the keys to be able to intercept the messages quicker."

In a Sept. 13-14 Newsweek poll, 54 percent of Americans said they would support eroding encryption protection to help law enforcement monitor terrorism suspects - even if it might affect privacy and business practices. Thirty-nine percent were opposed, the rest undecided.

Zimmermann, inventor of the most popular technique for encrypting e-mail, insists the arguments have not changed, even if the circumstances have. He said encryption's potential use by terrorists and criminals was central to the debate that raged through the 1990s.

"Our society collectively decided that strong crypto had more benefits for society than harm," Zimmermann said. "If we try to reverse that ... under incredible emotional pressure, we will make a terrible mistake."

For decades, the government classified encryption as munitions and tried to keep it from the private sector and foreigners. But mathematicians outside government developed encryption independently in the 1980s - and Zimmermann released his Pretty Good Privacy software in 1991.

The government then tried to block its export and sought to require a "back door" accessible to law enforcement and intelligence agencies. Under some "key escrow" systems proposed, users encrypting messages would turn over a copy of their keys to a third party, or software manufacturers would build in a second key that law enforcement could use with a warrant.

Technologists denounced key escrows as costly, misguided and risky.

Should the spare keys fall into the wrong hands, private files and messages about bank accounts, illnesses and romances could become public fodder - as could e-commerce transactions.

"It inevitably tends to render systems built on the technology very vulnerable," said Scott Schnell, a senior vice president at RSA Security Inc., which has produced encryption products since the early 90s.

Encryption supporters argued that a back door would be pointless, and that key escrow systems are unenforceable and only hurt the law-abiding, because encryption software without the feature is already freely available worldwide - released by foreign mathematicians or sneaked out of the United States.

Faced with U.S. restrictions, they argue, outlaws would simply turn to unrestricted products.

The Clinton administration relented in September 1999, relaxing export controls over the objections of its attorney general and FBI director. The debate remained dormant until Sept. 13, two days after terrorists believed tied to bin Laden hijacked and slammed airliners into the World Trade Center and the Pentagon.

That's when Sen. Judd Gregg, R-N.H., said software manufacturers had an obligation to give law enforcement "the technical capability to get the keys to the basic encryption activity." He did not specify whether it should be voluntary or through legislation.

FBI and CIA officials have refused comment on whether terrorists used encryption to plan the recent attacks, or whether having a back door could have helped thwart the catastrophe.

Encryption advocates may have an ally in the Justice Department. When he was a senator, Attorney General John Ashcroft supported loosening export controls and opposed backdoor requirements.

Despite the challenges of encryption, law enforcement agents have found novel ways to read scrambled messages.

Authorities say mob suspect Nicodemo S. Scarfo Jr. used Zimmermann's PGP techniques to encode gambling records. So FBI agents secretly installed a key logger system on Scarfo's computer to capture his password as it was typed in.

Investigators could also exploit existing vulnerabilities in PCs, said Bruce Schneier, a crypto expert with Counterpane Internet Security Inc.

"There's always a weak link," he said. "The FBI has lots of ways in."

Frank Gaffney, an assistant defense secretary in the Reagan administration, acknowledges that agents have other options.

"But it's exceedingly time consuming and computer-power intensive," Gaffney said. "That's not feasible in the kind of environment we're talking about."

On the Net:

PGP software: http://www.pgpi.org