Encryption and Globalization

Abstract

During the explosive growth of the Internet in the 1990s, encryption was quite likely the single most passionate area of legal and policy debate. Law enforcement and national security agencies supported limits on the export of strong encryption, fearing that encryption would block their ability to protect public safety and national security. Supporters of strong encryption most basically argued that encryption was essential to securing communication over the Internet. During the “crypto wars” of the 1990’s, government policy initially supported surveillance, with the Clipper Chip proposal and a policy of escrowing encryption keys. The administration shifted position in 1999, allowing export largely without restrictions. After this shift in policy, encryption law and policy largely faded from view.Encryption is now resurfacing as a major issue, most visibly in India and China. Indian law currently forbids the use of encryption keys longer than 40 bits, which is far below international standards. China, meanwhile, insists that hardware and software made or used in China only employ cryptosystems developed in China.The article seeks to fill an important gap in the literature. Because the U.S. encryption problem was “solved” in 1999, a new generation of policy makers, lawyers, and technologists has emerged with little or no experience in the area of encryption policy.Part I of this article offers a short history of wiretaps for phone and Internet data, illustrating why communications across the Internet are far more vulnerable than traditional phone calls, unless encryption is used. Part II provides a primer on basic encryption concepts that are relevant to the subsequent legal and policy analysis.Part III highlights key lessons learned from the U.S. crypto wars of the 1990s, informed by the perspective of one of the authors, who chaired the White House Working Group on Encryption in the lead-up to the 1999 change in U.S. encryption policy.Part IV builds on the U.S. experience, and proposes two additional reasons why effective encryption becomes even more important when the debate shifts from one country to a globalized setting. The first is the large and growing importance of cybersecurity for nations around the world. In cybersecurity today, the “offense” (in the form of thousands of attacks per day) is significantly ahead of the “defense.” Cryptography is quite possibly the largest category of effective defensive tool. In a globalized world, security holes in major countries (such as India or China) directly lead to security holes elsewhere. Globalization also leads to what we call the “least trusted country problem -- the level of trust placed in data traveling through the Internet becomes that of the country that we trust least.Part V synthesizes the key reasons supporting effective encryption in today’s globalized world, despite the security objections of law enforcement and national security agencies, and the trade interests of some countries. By examining the relevant history, technology, law, and policy, this article explains why it is vital to assure the widespread and global availability of strong encryption for our data and communications.