|E-mail Wes Simonds|
Professional policymakers are attempting to portray this issue as a question of balanced priorities, and taking their cue thereby, so are many in the media. Civil liberties must inevitably take a bow to national security, says this school of thought, and strong encryption and national security are incompatible concepts. Current polls suggest that in the wake of the senseless tragedies of Sept. 11th, Americans are leaning toward security even if it comes at the expense of convenience.
In many respects, such as airport policies and border control, this makes perfect sense. In the question of crypto legislation, however, it doesn't.
I'm not saying this because I'm some sort of propellerheaded privacy nut. Really. If government employees feel the need to go through my e-mail to Dad, let them, say I. (Though I doubt they'll be able to get through Dad's history of the automotive internal combustion engine without losing consciousness - a form of potent encryption in its own soporific sense; certainly I can't.)
No, my objection is simpler. Limiting crypto simply won't work.
First, domestic talent is hardly the only source of such technology. It's true that the U.S. is the premiere stronghold of high tech, true, but encryption technology is simply not so abstruse and impossibly challenging an arena that we can expect sheer weight of programming talent to allow our government to dictate terms. Requiring U.S. coders, and the firms they work for, to fork over copies of crypto keys to the government - one concept under discussion - is a feeble approach at best; U.S. firms are just a fraction of the total.
Perhaps the best-known example of strong crypto is Pretty Good Privacy, which is largely the work of a single man, Phil Zimmerman. With all due respect to Zimmerman and his achievements, however, it's difficult to believe that his individual work outruns the vast collective power of international software engineers by a margin of more than a few weeks.
The fact of the matter is that skillful, dedicated coders do exist in every corner of the world, and given obvious successes in the last decade, it seems reasonable to conclude that creating strong and versatile crypto is certainly within their range of talents. Consider Linux, the wildly successful open-source operating system, which was founded by a Finnish undergraduate working in his spare time. Linux is maintained and modified by an international coalition of talented, unpaid programmers who have ushered into existence not only a sophisticated modern operating system portable to multiple platforms, but (arguably more impressively) the open-source process itself. These guys are certainly up to a cryptographic challenge (and, in fact, have already addressed it in a wide variety of ways).
In short, U.S. legislation is hardly going to apply to non-U.S. programmers.
Second, it's not even a question of foreign development talent, because strong crypto is already all over the world. For two years now, ever since the U.S. relaxed exportation limits, sophisticated encryption technology originating here has been duplicated on FTP sites globally, both in precompiled form and, more importantly, source code. Those archives are hardly going to disappear if a few hundred guys in Washington vote one way or another; they will continue to serve as a powerful resource for anyone who wants to make use of them.
The crypto genie is definitely out of the bottle, folks. It gave us our three wishes - which appear to have been secure e-commerce/banking, VPNs, and individual privacy - and it's touring the globe with a gleeful indulgence. It's surfing the waves off the coast of Australia, sipping espresso in Rome, shivering in Siberia and making a yicky Calvin face at sushi in Japan.
Fat, drunk, and cheerful behind a pair of Ray-Bans, Strong Crypto has its feet propped up in the Caribbean islands. The sun is out, the sky is blue, it has a massage scheduled for later in the day, and even though it's not even noon yet, it's already asking for another umbrella drink.
It won't come home no matter how nicely we ask. It just won't.
This was first published in September 2001