John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology and government. He is currently the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys
Following the horrible terrorist attacks in Paris, there have been renewed calls to impose restrictive government control over encryption by some analysts studying the attack. Their logic seems to be that such a large group of terrorists could not have planned the attacks over time without using some form of encryption to shield their activities from authorities, even though no actual evidence of encrypted communications has yet been found.
I’m actually somewhat surprised encryption remains a controversial topic thousands of years after its creation. The ability to encrypt and use cyphers to hide messages from unauthorized readers goes back at least as far as Roman times, when notes were written on leather strips wound around a pole of a certain diameter. To reassemble the message once the leather was unwound, the exact size pole needed to be employed on the other end.
Over the years, hundreds of manual forms of encryption and an almost unlimited number of codes have been created to protect information. In fact, of the few ancient technologies still being used today, probably only encryption still carries such controversy.
The last time government control was seriously considered for encryption was the massive fubar that was Skipjack and its accompanying Clipper chip back in 1996. I talked with chief security architect for NetIQ, the security portfolio of Micro Focus, Michael Angelo, who was part of the industry and government working group that studied the feasibility of Skipjack.
The idea behind Skipjack was that all devices that needed to use encryption would use the Skipjack algorithm, developed by the National Security Agency in secret. It would live on a special Clipper chip that would then be embedded in devices. Each Clipper chip had a built-in backdoor the government could use to unlock and read or listen-in on anything created with it.
Almost needless to say, not many people in the general public or any U.S.-based businesses wanted to standardize on something with a built-in backdoor. Exporting devices with Clipper chips to foreign countries was also a complete nonstarter. Governments in Europe and Asia didn’t want NSA to be able to read their mail or tap their phones. As such, Skipjack and Clipper were proposed in 1993 and dead by 1996.
But it was not a total loss, because at least it got the government thinking about encryption.
“About three years of meetings ensued, but suffice it to say that we in the industry were able to convince various U.S. government agencies that controls on strong encryption would not be a deterrent to criminals and terrorists, and that U.S. industry needed encryption to compete in a global market,” Angelo told me. “In the end, encryption was reclassified from a military-only technology to a dual-use technology for both military and civilian use.”
As a dual-use technology, control was moved to the Commerce Department. They are now studied by Commerce's Information Systems Technical Advisory Committee. Angelo remains on the ISTAC committee today.
As to the terrorists operating in Paris, Angelo thinks it is unlikely they used encryption, or would have needed to do so. It’s even possible that using encryption would have done more to call out their activities to authorities.
“For direct calling one another, the GSM system uses encryption as part of its basic technology,” Angelo said. “But the cellular communications are decrypted at the base stations and law enforcement can access the contents of the calls there. Hence, encryption on standard GSM phones would not have hindered law enforcement.”
For email, the use of strong encryption might have protected the contents of a message, but Angelo says it would not have hidden the fact that the two parties were talking, and probably would not have masked their locations.
Also, an encrypted email might have raised a flag in a system, especially if one party was already being watched. France recently loosened its own government restrictions on encryption so as long as cryptography is only used for authentication and integrity purposes, it can be freely employed by anyone in that country. Thus, using strong encryption to protect the contents of a message might have been illegal to begin with in France, and made the sleeper cell easier to spot.
Whether we discover the terrorists in Paris used encryption, those horrible events have stirred the pot in the age-old encryption debate. Angelo believes the many good uses of encryption far outweigh the potential bad, and I have a tendency to believe him.
Plus, as Skipjack showed, there may be no technical or practical way for a single government to control encryption without seriously harming its economy or pushing too far into its citizens’ rights to privacy.
“We need encryption to protect ourselves and our businesses, and to protect things like personal information from being stolen,” Angelo said. “Before we make any quick decisions about a technology that is so fundamental to our survival, we need to think long and hard about just what we want to accomplish and focus on the advantages of it, not just the bad side.”