YOU ARE HERE: LAT HomeCollections


Decoding the Controversy Over Exports of Encryption

Security: From terrorism to privacy, debate touches everyone. A new report says U.S. controls do more harm than good.


It's a nightmare scenario: Foreign terrorists plan to blow up a passenger terminal at a major U.S. airport. Our spies know that much. But no one knows where or when the attack will occur because the criminals communicate using a super code--an encryption method exported from the United States, no less.

For years, such terrifying possibilities have been trotted out to justify a federal policy that defines encryption as a weapon and restricts the export of hardware and software capable of encoding information.

But experts say a change in the political climate is likely to force the government to ease long-standing rules that prevent U.S. companies from selling overseas products, such as cell phones and personal computers, that contain strong encryption technology.

A blue-ribbon report released May 30 states that national security actually is threatened more than helped by the export controls because they ultimately deprive corporate America of adequate encryption devices to protect sensitive information from computer hackers. Within days of the report's release, a Japanese company confirmed that it has already begun to sell powerful encryption chips that U.S. companies are forbidden to export.

The developments come at a time when Congress has been pressuring the Clinton administration to ease restrictions. Three versions of such proposals are pending on Capitol Hill, and the Senate Commerce subcommittee on science, technology and space will have a hearing Wednesday on the issue of export controls. Sen. Conrad Burns (R-Mont.), who chairs the panel, is the author of one of the bills.

"What's going to happen is that the export restrictions will become moot," says Daniel Cohen, professor of computer science at Hunter College in New York and an expert on export control question. "The technology already is leaking out of America. The idea that we have a monopoly and can keep it out of the hands of other countries is out of date. The restrictions only hurt American entrepreneurs."

The outcome of this seemingly esoteric battle over export policy will have a major impact on how much privacy the average American will enjoy in the coming century, experts say. With confidential personal records such as medical histories stored in electronic databases and an increasing push toward an information economy in which routine banking and credit card transactions are conducted online, encryption may be the only way to assure privacy.

"We've been holding back security domestically, and at this point the Internet provides less protection than it should," says Kenneth Dam, the University of Chicago law professor who chaired the National Research Council panel that prepared the new National Academy of Sciences report titled "Cryptography's Role in Securing the Information Society."

"We need an agency that has primary responsibility for promoting domestic security. We have the NSA [National Security Agency] for classified security, but no part of government considers itself responsible for civilian computer security," he says.


The power of cryptography has been put to use during wartime ever since Julius Caesar sent military messages using a simple code to replace one letter of the alphabet with another. Like the more complex codes that would be devised in the next centuries, Caesar's cipher relied on a single key, which a sender would use to encrypt a message and a recipient would use to decode it.

Protecting the key from enemy hands was the problem that plagued cryptographers until the 1970s, when a young computer scientist named Whitfield Diffie came up with a remarkable solution: split the key in half.

Here's how it works: A so-called public key encryption system, which uses mathematical recipes called algorithms to scramble data, relies on two keys, one private and one public. Whatever is encoded by one key can be decoded by the other. Encryption users distribute copies of their personalized public keys but keep their private keys to themselves. A sender uses a public key to encode a message; the recipient uses a private key to decrypt it.

A commercial public key encryption system is now marketed by RSA Data Security, a Silicon Valley company. But the government rules only allow the export of products with relatively simple keys, in order to preserve the ability of spy agencies to crack the codes.

The National Research Council report, prepared over 18 months at the behest of Congress, calls for the government to ease restrictions enough to allow the export of strong codes that rely on 56-bit digital keys to encrypt and decrypt information. Currently, keys of no more than 40 bits may be exported.

Domestic access to strong encryption technology has also been limited because U.S. companies were unwilling to manufacture two separate grades of products to sell at home and abroad.

Los Angeles Times Articles