US ATTACK: Encryption advocates resist legal limits

Advocates for the free availability of encryption technology are on the defensive as U.S. lawmakers raise questions about the future of the technology in the aftermath of last week's terrorist attacks.

Some observers have suggested that plotters of the attacks used encrypted Internet communication to evade law enforcement detection. U.S. Senator Judd Gregg, Democrat of New Hampshire, raised some hackles among encryption advocates with comments in the Senate last week suggesting legal limits on encryption.

"We have electronic intelligence of immense capability. It needs to be improved, especially in the area of encryption," said Gregg, in remarks published in Wednesday's "Congressional Record."

His remarks were widely interpreted to mean that law enforcement should be granted back-door access to encryption technology, such as the e-mail scrambling program Pretty Good Privacy (PGP), developed by PGP Security, a division of Network Associates Inc.

"We've already seen government proposals for increased wiretapping capabilities and renewed rhetoric about encryption limitations," wrote privacy advocate Bruce Schneier, the founder of Counterpane Internet Security Inc., in his "Crypto-Gram" newsletter, published Saturday. "I fully expect more automatic surveillance of ordinary citizens, limits on information flow and digital-security technologies, and general xenophobia . . . If our freedoms erode because of those attacks, then the terrorists have won."

But aides insist Gregg is calling for voluntary cooperation from encryption companies, not for new legislation.

"He does not legislatively desire a moratorium. He does want some cooperation, as needed under search and seizure laws and with a court order. But he does not support a complete ban," said Gregg spokesman Brian Hart.

It's possible that suspected terrorist mastermind Osama bin Laden has used some sort of encryption technology to evade monitoring, said James Bamford, the author of two books on the U.S. National Security Agency (NSA), which conducts electronic espionage.

"In the past, NSA had been able to eavesdrop on bin Laden's communications; they were listening in on him fairly regularly, and all of a sudden they lost him about a year ago. They suspect it's because he's changed his technology," Bamford said in an interview Monday.

NSA director General Mike Hayden warned last February that bin Laden had access to more sophisticated technology than did the agency.

"Osama bin Laden has at his disposal the wealth of a $3 trillion a year telecommunications industry that he can rely on," Hayden said in an interview with the TV news program "60 Minutes II." "We are behind the curve in keeping up with the global telecommunications revolution."

However, Bamford said terrorists can easily elude surveillance without using encryption technology.

"I think he's mostly using methods that are not susceptible to eavesdropping: using couriers, hiding things in the Internet, not the standard telephone calls," he said.

"There are so many easy, less visible ways of transmitting information across the Web; one can bury things within news groups, bury things on Web sites," said Peter Sommer, a senior fellow at the Computer Security Research Centre at the London School of Economics. "From a terrorist point of view, the fact that you are using encryption at all will draw attention to you ... but the reality is that your dedicated terrorist can get his message across the Internet without using particularly sophisticated technology."

Sommer cautioned against precipitous legislation along the lines of the U.K.'s Regulation of Investigatory Powers Act (RIPA), which empowers government officials to demand encryption keys to any and all data communications, on pain of penalties of up to two years in prison.

"The mistake that was made in the United Kingdom was that law enforcement was allowed too free a rein in terms of the framing of legislation," said Sommer, who added that overzealous limitations on encryption could pose problems for electronic commerce, which relies on encryption for identification and secure payment procedures.

"Yes, there's a possibility that your terrorists are going to use it, but there is a certainty that you are going to incur considerable economic costs," he said.
