Limit Encryption Keys for Big Brother

By Jon Roland

Much has been discussed about the absurdity of the federal government attempting to prohibit the export of strong encryption products as "munitions", such as the Diffie-Hellman (D-H) class of algorithms represented by RSA and PGP using keys of more than 40 digits. Comparisons have been made to King Canute trying to command the tides. The abandonment by the U.S. Justice Department of their case agains Phil Zimmerman on Jan. 11 is indicative that they might be beginning to appreciate the futility of their position on this issue.

However, there is another side to the issue. While we don't want Big Brother to be able to break our encrypted messages, there are good reasons why we want to be able to break his.

The departure from office of the previous Administration was characterized by a mad scramble to erase computer files and destroy their records. Fortunately for history and law enforcement, many of those files were not overwritten on their hard disks and could be recovered. We must expect that the next departing Administration will not make the same mistake.

The longstanding method of keeping records of wrongdoing without subjecting them to public scrutiny has been to classify them under the National Security Act and other legislation. This method is still used in the defense sector, but nondefense agencies must usually find other methods. Now they have one: they can encrypt their files using RSA/PGP keys of 1024 bits (about 307 digits), keep personal copies, then "lose" the keys to the copies left with the agencies, making it effectively impossible for investigators to uncover what they had been doing.

While we are pressing for recission of the export restrictions, we should also be pushing for a law making it illegal for federal officials to encrypt their records using RSA/PGP keys of more than say, 36 digits, and require that they keep all such records on federal territory subject to exclusive national jurisdiction (so that the criminal penalties could be constitutionally applied). The law should extend to the records kept by government agents and contractors that pertain to work done for the goveernment or available for their use, to avoid having government agents subcontract the recordkeeping of their wrongdoing. The law should also provide that all records should be associated with an "owner", that is, a responsible individual who can be held accountable for them.

A key length of 36 digits should protect the information from casual decryption efforts, while leaving it feasible for decryption in response to a court order or congressional subpoena, even if the keys are missing. If the keys cannot be found and the key is longer, then the "owner" of that record would be prosecuted, even if the contents could never be uncovered.

Big Brother watching us? No. But us watching Big Brother? Absolutely!