Myths
vs. Reality on Encryption Myth # 1:
Strong encryption is not necessary to protect consumer privacy and ensure security on
electronic networks.
Reality: In fact, encryption is a critical foundation of
electronic transactions. Almost all transactions (involving sensitive data) conducted over
the Internet are currently protected by strong 128-bit encryption. For example, 128-bit
encryption is currently required by all major banks in order to conduct banking
transactions over the Internet.
Myth # 2: The widespread use of
encryption will leave Americans more vulnerable to crime and terrorism.
Reality: Actually the opposite is true. Strong encryption will
help protect America from growing computer crime, fraud, and theft. Moreover, in a 1996
Presidential Commission report, the National Research Council, recognizing the
vulnerabilities of the nation's critical infrastructure, called for the "broad use of
cryptography " to meet today's information security needs.
Myth # 3: Encryption technology
currently is controlled by the National Security Agency and law enforcement.
Reality: Encryption is not controlled by law enforcement. It
is prevalent today and used regularly to protect bank records, financial transactions,
e-mail, and medical records. State-of-the-art encryption is sold in the United States
"over the counter" at thousands of retail outlets and over the Internet. Any
attempt by the FBI to mandate a system in which "third parties" hold encryption
"keys" would represent a substantial new limitation on an individual's ability
to protect his or her privacy.
Myth # 3: The Fourth Amendment gives
law enforcement the right to access your data and computer communications without your
knowledge.
Reality: The Fourth Amendment establishes only a right of the
people against unreasonable searches and seizures. It does not grant an affirmative power
to the federal government ensuring reasonable and convenient access to evidence. The
federal government has only the power to search - it does not have the right to find.
Outlawing the use of encryption where no "key" is held by a
"third-party" turns the Fourth Amendment inside-out. The police would have a
"right to find" evidence, while the people would be jailed for best securing
their "papers and effects."
Myth # 4: The FBI's "key
recovery" plan is workable.
The Administration and the FBI have proposed a "key recovery" infrastructure
designed to enable law enforcement access to the plaintext of encrypted data and
communications. Specifically, the FBI wants "immediate access to the plaintext of
encrypted communications or electronic information without the knowledge or cooperation of
the person using such product or service."
Reality: For today's commercially sold encryption products,
the technology does not exist to provide "immediate access" to
"communication without the knowledge of the user." (This can be roughly
comparable to the FBI mandating compact disk quality sound recording in the days of the
45-RPM record.)
Myth # 5: Because law enforcement
officers would be required to obtain a court order to view personal information without
the owner's knowledge, innocent people are not at risk.
Reality: Law-abiding citizens are most at risk. Imagine a
system where all citizens, not just criminals, would have to deposit a copy of their house
key or a copy of their safe combination with a "trusted third party," just in
case law enforcement ever wanted covert access to their private information. So-called
"key recovery" gives the government and third-party key holders the ability to
access the private data of every American -- well before a crime is committed or a court
order is secured.
Myth # 6: "Trusted third
parties" would ensure that encryption keys aren't misused.
Reality: "Key recovery" is an inherently insecure
system because "keys" would be held by either "trusted third parties"
or governments. Under such a system, security rests with the integrity of the institutions
and individuals holding the "keys," not with the underlying technology. The 1996
National Research Council stated it best: "Escrowed encryption (encryption for which
a "third party" holds a key) by design introduces a system weakness and
so if the procedures that protect against improper use of that access somehow fail,
information is left unprotected." No government policy can guarantee those
"third parties" will be scrupulous with those "keys."
Myth # 7: Strong encryption is
available only in the United States.
Reality: Strong, state-of-the-art, non-"key
recovery" encryption is freely available abroad from major multinational corporations
like Siemens and Brokat. Some foreign companies market unrestricted products as
"stronger security than any U.S. company can provide."
Myth # 8: The Administration and the
FBI have secured global support for their "key recovery" infrastructure.
Reality: Since the Internet is global, any "key recovery" technology scheme
must be global AND interrelated. There is no global legal infrastructure to support
"key recovery." In fact many countries have already decided not to participate.
Currently, the OECD (26 countries) and the European Commission have both indicated
opposition to a mandatory "key recovery" scheme. Moreover, despite the
Administration's best efforts over a number of years, not one bilateral or multilateral
agreement has been reached regarding the global exchange of encryption keys.
Myth # 9: Current U.S. export controls are constitutional.
Reality: This is not a settled matter. Today's export controls
may be unconstitutional as "prior restraint" of speech under the First
Amendment. The District Court in the Northern District of California has already held that
the current export control regulations are unconstitutional.
Above information coutesy of
the Computer Privacy Organization
Next
|