GILLMOR: Encryption poses classic Gordian knot

Published: January 27, 1997

BY DAN GILLMOR
Mercury News Computing Editor

PRIVACY, in the pre-digital age, has teetered in an uneasy balance between liberty and security. But as we move more of our lives onto digital networks today and in coming years -- voice and video phone calls; e-mail; shopping; learning; exchanging medical records with doctors and financial records with banks; etc. -- technology will topple the status quo.

Why, then, are so many people avoiding reality in the debate over encryption, the scrambling of electronic information to keep it from prying eyes? Perhaps they don't understand that the issue defies reasonable compromise: Either we keep strong encryption legal, or we do not.

Most of the people gathering in San Francisco this week for the annual RSA Data Security Conference surely know this. (I'll be on a panel there Friday.) Amid technical discussions and political jockeying, perhaps they'll chew over the hard truth.

There's probably no such thing as unbreakable encryption. But clever programmers have devised ways to scramble digital communications so effectively that the cost of unscrambling them, if you don't have the keys to unlock them, is prohibitive.

Privacy advocates applaud encryption technology. They call strong encryption the best tool to ensure social and financial privacy in the emerging networked world, as well as keeping potential dictators at bay.

Law enforcement people look at the same facts and see vast troubles. They envision terrorists and other violent criminals using essentially unbreakable encryption to plan bloodthirsty acts and evade capture. They see financial criminals, if not ordinary citizens, using encryption to hide their assets and thereby undermine the foundations of our economic system.

What neither side wants to admit is that the other side may be right. Whichever direction we choose, there will be consequences.
Some law enforcement and national security officials assert they only want to maintain the status quo: the ability to monitor the communications of terrorists and other criminals. There are two ways to view such claims -- ignorant or deceptive.

Law enforcement today can tap a phone, open mail and trace the flow of money. That's possible in part because most people don't bother with any sort of real security in their communications.

But the more business (social, financial, medical and otherwise) that people conduct on public networks, more easily accessible to all sorts of onlookers or outright snoops, the more they'll be inclined to use privacy tools such as encryption. Then, when the government wants access, it'll have to unscramble the communications.

So the government wants us all to adopt a "voluntary" system, known as key-escrow, in which we'll leave the keys to our digital locks with some "trusted" third party or parties. Then, with proper legal authority, the government would obtain the key and unlock the communications.

The scheme unravels upon inspection. Among other flaws, only stupid criminals would use key-escrow. Any key repository would draw intensive attacks, ranging from computer cracking to government excess to old-fashioned bribes. The definition of proper legal authority would undoubtedly lead to widespread abuse. Once a key was obtained, even with proper safeguards, there would be no way to limit the degree or duration of surveillance.

That leaves what I believe will be the government's real goal: to outlaw encryption it can't break, period. Use strong encryption, go to jail. Try to keep your private life private, go to jail.

Civil libertarians, meanwhile, must also recognize that widely used, strong encryption alters the status quo. Evil people will use this tool, too.

Yes, criminals will hold conversations that law enforcement can't understand even if overheard.
Yes, warped people will abuse children, make videos of the abuse and trade their filth -- and, if they're careful, with less chance of capture.

And, yes, money will be easier to hide. To the extent that people shield their transactions from government scrutiny, the tax system may become considerably more voluntary than it is today, with enormous potential consequences to our republic.

I lean toward the libertarian side on this issue, not solely from my fervent belief in liberty. I also believe that law enforcement officials can find ways to do their jobs even though they consider themselves hampered by civil liberties -- just as they do their jobs today hampered by that pesky Fifth Amendment and other parts of the Bill of Rights not yet dismantled by the Supreme Court. Realistically, moreover, no law can cram the encryption genie back into the bottle.

But I would be wrongheaded not to recognize, and appreciate, the other side's arguments.

Sooner or later, we'll have to make up our minds as a society. Before we do, we'll need to face the truth: We can have the tools to keep snoops of all kinds out of our lives, or we can live in an unfree surveillance society where horrible crimes are more likely to be solved, even deterred.

Given today's climate, I suspect society will opt for the latter.

Maybe there is a middle ground. I can't find it.

---

Dan's contact info is (djf)

Dan Gillmor, Computing Editor
San Jose Mercury News
750 Ridder Park Drive
San Jose, CA 95190
E-mail: dgillmor@sjmercury.com
Voice: 408-920-5016
Fax: 408-920-5917
http://www.sjmercury.com/business/gillmor/