Encryption Policy for the 21st Century: A Future without Government-Prescribed Key Recovery

Full Document Available in PDF

Encryption technology encodes computer files so that only someone with special knowledge, such as a unique secret “key,” can read them. The widespread use of strong encryption technology is essential to protect consumers and businesses against spies, fraud, and theft over the computer networks used in electronic commerce.

The federal government has just announced a new policy that will maintain restrictions on the export of encryption stronger than 56 bits. Stronger encryption technology may be exported only to subsidiaries of U.S. companies in most countries, or to certain economic sectors in 42 countries (insurance, health, banking, or online merchants), or if the exporter builds in a key-recovery infrastructure that will enable law enforcement officers to access the secret keys.

Some law enforcement interests support legislation that would force U.S. citizens and residents to give the government access to their keys. Government-prescribed key recovery and export controls are a grave danger to the privacy of law-abiding citizens and businesses, not only in the United States but around the world. And the development of the key-recovery infrastructure might well be technically impossible and would be prohibitely expensive.

Export controls and government-prescribed key recovery will not keep strong encryption out of the hands of criminals and terrorists, because the technology is readily available worldwide without key-recovery features. Law enforcement interests should explore other options for dealing with strong encryption. Recent calls for “balance” make enticing sound bites (who would be opposed to “balance?”) but compromise the freedom to innovate and sacrifice vital civil liberties.