Encryption Battle Brewing

Firefighters walk through a flooded street in downtown Kent, Wash., Monday, Nov. 6, 2006, as they encourage residents in flooded homes to leave while it was still relatively safe to do so.
AP
Cheating on income taxes or neglecting to pay sales taxes on online shopping could get you five extra years in prison if the government succeeds in restricting data-scrambling technology, encryption-rights advocates fear.

Such a measure, they worry, might also discourage human rights workers in, say, Sri Lanka from encrypting the names and addresses of their confidants, in case they fall into the wrong hands.

Draft legislation circulating in the Justice Department would extend prison sentences for scrambling data in the commission of a crime, something encryption advocates fear would achieve little in catching terrorists - and only hurt legitimate uses of cryptography.

"Why should the fact that you use encryption have anything to do with how guilty you are and what the punishment should be?" asks Stanton McCandlish of the CryptoRights Foundation, which teaches human rights workers to use encryption. "Should we have enhanced penalties because someone wore an overcoat?"

Such law enforcement tools sought after the Sept. 11 attacks are expected to be among top discussion items at the annual Computers, Freedom and Privacy conference that begins Wednesday in New York.

The measures are sought by police and intelligence agents who worry that criminals who use encryption will commit crimes that will be tougher to solve or prevent.

Law enforcers hope the threat of added penalties - up to five years for the first offense and 10 years after that - would make criminals think twice before scrambling their messages. Longer sentences have already been approved for using guns as part of robberies, for instance.

"If you went the extra step to keep us from getting evidence, you should pay an extra price," said Jimmy Doyle, a former computer crimes investigator with the New York Police Department.

It's not the first time encryption is under assault.

For years, the government restricted the export of high-strength encryption. It also sought to require software developers to create a backdoor and hand investigators a set of keys upon request.

Encryption advocates - supported by the technology industry - resisted and thought they had won in September 1999 when the Clinton administration relaxed the export controls over the objections of his attorney general and FBI director.

Then came Sept. 11.

The new proposal is part of legislation dubbed Patriot II, a sequel to the 2001 USA Patriot Act, which gave law enforcers broad new powers.

Attorney General John Ashcroft has said that any draft circulating in Justice is far from official policy and has yet to be submitted to Congress. But when he was a senator, Ashcroft in 1998 introduced a similar bill, which never passed.

As drafted, the latest proposal would apply only to individuals who willfully and knowingly use encryption to commit a federal felony.

But critics worry that the language could cover almost all conduct online as encryption gets incorporated in Web browsers for e-commerce, virtual private networks for telecommuters and other day-to-day applications.

A mistake on an electronic tax return, if it leads to a conviction, could mean longer prison terms, warns Mark Rasch, a former Justice Department computer crimes prosecutor.

Or in the extreme, someone who neglects to pay a state tax for online shopping - few people do - could be prosecuted for federal mail fraud and face five extra years "for avoiding two dollars worth of taxes," Rasch said.

"If suddenly I find myself facing this big criminal penalty because I happen to use encryption, will that discourage people from using it?" said Alan Davidson, staff counsel for the Center for Democracy and Technology.

Rasch and other crypto-rights advocates add that encryption would help stop crime by making it harder to steal passwords or break into computers.

Many question whether such a law would even work.

"You have to be intentional about using encryption, and that's a tricky thing to prove," said Stewart Baker, a former National Security Agency counsel now in private law practice. "I do see this provision as largely symbolic rather than effective."

George Washington University law professor Orin Kerr believes fears are overblown. The requirements for knowing and willful use, he said, would in practice likely not cover incidental uses like e-commerce.

Law enforcers acknowledge that encryption has hindered few, if any, investigations so far.

According to the Administrative Office of the U.S. Courts, no federal wiretaps were blocked by encryption in 2001. Sixteen state and local wiretap cases ran into encryption, but in all authorities were able to get plain-text communications.

Agents have found novel ways to read scrambled messages.

Jailed mob boss Nicodemo S. Scarfo Jr. encoded gambling records, authorities say, so FBI agents secretly installed a key logger system to capture his password as it was typed in.

But authorities fear such tricks will become harder as encryption usage grows. Crypto proponents counter that encryption is already a part of online life - and no law will stop criminals.

"I know that law enforcement people have been beside themselves about the potential for the widespread availability of encryption," said Frank Gaffney, founder of the Center for Security Policy. "I don't know if there's any way you can legislate it. This is a case where the horse is out of that proverbial barn."


By Anick Jesdanun