6.805/STS085: Readings on Encryption and National Security

Transmittal letter from FBI Director William S. Sessions to National Security Council official George J. Tenet, February 1993, forwarding a report prepared by FBI, NSA and DOJ and titled "Encryption: The Threat, Applications, and Potential Solutions". The report was classified SECRET and called for a national policy prohibiting cryptography that does not ensure real-time access to law enforcement. U.S. administrations continue to insist that they do not support domestic restrictions on encryption technology. The redacted document shown here was obtained in 1996 under the Freedom of Information Act by the Electronic Privacy Information Center.

We are at one of those important cusp points in history. The technologies of networks and of encryption make it very easy for exciting new structures to develop (cryptoanarchy, privacy, transnational entities, persistent organizations, anonymous systems, digital banks). But the same technologies make it possible for a cyberspatial police state to develop. The race is on.
-- Tim May, "The Coming Police State," (March 1994)


There is a very real and critical danger that unrestrained public discussion of cryptologic matters will seriously damage the ability of this government to conduct signals intelligence and the ability of this government to carry out its mission of protecting national security information from hostile exploitation.
-- Admiral Bobby Ray Inman (then Director of the NSA, 1979)


Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege."
--Vin McLellan, A thinking man's creed for crypto


Unless the issue of encryption is resolved soon, criminal conversations over the telephone and other communications devices will become indecipherable by law enforcement. This, as much as any issue, jeopardizes the public safety and national security of this country. Drug cartels, terrorists, and kidnappers will use telephones and other communications media with impunity knowing that their conversations are immune from our most valued investigative technique.
--FBI Director Louis Freeh, Testimony before the House Judiciary Committee, March 30, 1995


Encryption technology, once the province only of affluent countries, had, with the advent of personal computers, become readily available to the humblest citizen in America and other technically advanced countries, and an unexpected spin-off of that fact was the current availability of highly advanced communications-security apparatus to the humblest nations. Now Malaysia had codes nearly as hard to break as Russia's -- and so did Iraq, courtesy of Americans who worried about having the FBI read their fictitious e-mail adulteries.
-- Tom Clancy, Executive Orders, 1996


We propose to permit the export of 56-bit key length Data Encryption Standard (DES) encryption products, without key recovery, on the same terms as we now permit the export of 40-bit key length products. This relaxation would last two years, renewable annually thereafter. Export licenses would be contingent on exporters' commitment and adherence to explicit benchmarks and milestones for developing and incorporating key recovery into their products (including an identified trusted part) and building the supporting infrastructure internationally. Once key recovery is globally viable, only such products would be licensed for export.
-- Memo from CIA Director John Deutch to President Clinton, September 15, 1996, describing the Administration's plan for "liberalizing" export restrictions on encryption technology.


There is one comforting conclusion which is easy for a real mathematician. Real mathematics has no effects on war. No one has yet discovered any warlike purpose to be served by the theory of numbers or relativity, and it seems very unlikely that anyone will do so for many years.
-- G.H. Hardy A Mathematician's Apology, 1940


Required Readings

Read all the text on this page and on the subsidiary pages in the section The encryption controversy, 1994-1997 (This does not include following all the links.) In addition, read: Note: The links in the list above connect to the place on the page where each item is described, so that you can see it in context. Follow the link from there to the actual reading.


The Encryption Controversy, 1994-1997

This is an extensive topic, which is addressed on
a page of its own, with three sub-pages.


Constitutional issues

The regulations on encryption can be viewed as constraints on Freedom of Speech, and the Constitutionality of such regulations is not clear, either for export restrictions or domestic controls. There are legal challenges to the export restrictions currently underway, and there would certainly be immediate challenges if domestic controls were to be implemented. Due to the national security aspcets of encryption, the Constitutional issues have not been pressed until recently. For good historical context, see:

Legal Challenges to Encryption Export Regulations

There are currently three legal challenges to the encryption export regulations beofre the courts. The first two are bogged down in procedural matters:
The third case has evolved into a major challenge to the export regulations:

Bernstein v. U.S. Dept. of State, et. al.

On February 21, 1995, the Electronic Frontier Foundation filed suit against the government on behalf of Prof. Dan Bernstein of the University of Illinois. The basis for the suit was the State Department's denial of Bernstein's request for permission to publish a paper on an cryptographic algorithm he invented when he was a graduate student at Berkeley. The suit claims that this is an unconstitutional restriction of speech in that algorithms and source code are protected expression under the First Amendment.

In December 1996 the U.S. District Judge Marilyn Patel ruled in favor of Bernstein, in effect striking down the State Department export regulations. The decision was somewhat moot, however, because a few weeks later the government transferred regulation of crypto export controls from the Department of State to the Department of Commerce. EFF renewed the suit against Commerce, arguing that the jurisdictional transfer did not change the underlying issues.

In August 1997, Judge Patel once again ruled in favor of Bernstein:

"The court declares that the Export Administration Regulations . . . insofar as they apply to or require licensing for encryption and decryption software and related devices and technology, are in violation of the First Amendment on the grounds of prior restraint and are, therefore, unconstitutional as discussed above, and shall not be applied to plaintiff's publishing of such items, including scientific papers, algorithms or computer programs."
Although this decision technically strikes down the export control laws, the government filed an emergency request, and Patel agreed to stay her order until the Appeals Court could rule on her decision. The case was heard by the 9th Circuit Court of Appeals in San Francisco in December, 1997. In May 1999, the Court ruled 2-1, upholding Judge Patel's decision. In June 1999, the Government petitioned for a rehearing, and that petition is still being considered (as of August 1999).

Here is a summary of the case provided by the Electronic Frontier Foundation. Complete documentation on the case can be found at Bernstein's web site for the case.

Constitutionality of domestic controls on encryption

Several countries, including France, Israel, and Russia, impose control on the domestic use of encryption by their citizens. Would such controls be Constitutional in the U.S.? The answer is apparently not clear. Here are some resources on this question:


Cryptoanarchy

It's not only the FBI that views the spread of strong cryptography as a threat to government authority. Since around 1992, an informal group of techno-libertarians, who have become known as the Cypherpunks, have been theorizing about how the ability to keep communications private can lead to cryptoanarchy. Given their libertarian bent, they tend to view this as a healthy counter to the increased power of government and the growth of the surveillance state.

For several years, this discussion was carried out on the Cypherpunks mailing list, which served as a major forum for discussion of cryptography and privacy. The list still exits, but it has degenerated over the past year due to a deluge of spam (and the resulting flames about whether cypherpunks ought to restrict spam).

In 1994, Tim May, one of the founders of the list and a major contributor, published a large compendium of cypherpunk material called the Cyphernomicon -- WARNING: it is long (1.3Mbytes!). Before attempting to download it, read the README file that explains the format. It would be a good idea to first look over the table of contents so you can find your way around the long document. Also, before looking at the whole thing, you should read the following pieces by May:

Here are some other pieces on cypherpunks and cryptoanarchy.


Technical background on Cryptography

We won't deal much with the technical aspects of cryptography -- there are other MIT subjects that cover this. But if you're curious, there are lots of good sources of information.


More information

Bert-Jaap Koops,
Crypto Law Survey. An extensive survey of current and proposed cryptography regulations world-wide.

Counterpane Systems' WWW Cryptography Article Database


Hal Abelson (hal@mit.edu)
Mike Fischer (mfischer@mit.edu)
Joanne Costello (joanne@mit.edu)

Last modified: July 13 2011, 10:25 AM