July 10, 1997, The New York Times, Cyber Times

FBI, Security Chiefs Ask Senate For Keys to All Encrypted Data

By Jeri Clausing

One week after President Clinton touted a tax-free, market-driven Internet policy, his top crime fighters went to Capitol Hill on Wednesday to argue that encryption technology had to be regulated to protect the nation from terrorism and organized crime in the next century.

"I think it is a matter of life or death in years to come that law enforcement have some access to this technology," Louis B. Freeh, the Director of the Federal Bureau of Investigation, told the Senate Judiciary Committee. It was Freeh's strongest statement to date backing a Clinton Administration encryption "key recovery" plan.

"I do not believe we can leave this issue solely to market forces," said Freeh, who was joined by Deputy National Security Director William P. Crowell.

Researchers and software industry representatives, however, warned the committee that any plans for government control of encryption codes could increase crime, make the country more vulnerable to "info-terrorism" and give Europe and Asia a strong edge in controlling the direction of Internet-based commerce.

Unlike the Senate Commerce Committee, which two weeks ago with little review passed out a bill by Senators Bob Kerrey, Democrat of Nebraska, and John McCain, Republican of Arizona, the Judiciary Committee and most of its members approached the topic with trepidation. Most of the members seemed receptive to arguments from both sides of the complex, highly technical issue and seemed unwilling to make any quick decision.

"Every solution seems to create more problems," said the committee's chairman, Orrin Hatch, Republican of Utah. "I commend Senators McCain and Kerrey for what they've done. But I have real qualms about what they've done. I'm worried about Congress really messing this up. We have that tendency, I've been told."

Wednesday's hearing was an informational meeting, and Hatch said he hoped to have more hearings on both the Kerrey-McCain bill and a competing measure by the ranking minority member of the Judiciary Committee, Patrick Leahy, Democrat of Vermont. The Judiciary Committee has not been given any control over the Kerrey-McCain bill, but Hatch said he planned to ask for it.

"I don't think Senator McCain would have any problem with that," Hatch said.

Freeh came to the hearing with a prepared statement that "the looming specter of the widespread use of robust, virtually uncrackable encryption is one of the most difficult problems confronting law enforcement as the next century approaches." For example, he said, encryption "will allow drug lords, spies, terrorists and even violent gangs to communicate about their crimes and their conspiracies with impunity."

But when questioned about how a voluntary key recovery plan would give law enforcement access to criminal codes, he readily admitted it would not prevent "the John Gottis, the Aldrich Ameses or the Cali Cartel from using encryption."

However, Freeh said, criminals might unwittingly use encryption systems with key recovery systems open to the police, giving law enforcement agencies more windows of access to computer communications. As an analogy, he said that in the past, the FBI had not always been able to eavesdrop on John Gotti's private conversations, but agents often learned the contents by listening in on the phone calls of the underlings who were carrying out Gotti's orders.

Freeh's testimony before the committee, however, seemed much more conciliatory and less focused than his prepared remarks. Some senators, staff members and outside lobbyists had speculated that Freeh would call for making the key recovery system mandatory for all United States citizens.

In the end, he seemed to suggest that certificate authorities be licensed and be forced to keep copies of people's private keys. These authorities act like a combination of a notary public and a telephone book by providing a certificate guaranteeing a particular person's public key.

Freeh suggested that anyone who wanted to use a certificate authority would be forced to surrender his or her key, but anyone wanting to live without the services of a certificate authority could use arbitrary encryption.

Such a requirement would still force many Americans to turn over their private keys because certificate authorities are expected to serve a vital purpose on the Net. Many proposals for secure commercial transactions on the Internet, for example, would issue each person a certificate that would be used to secure credit card transactions.

The 3-hour-20-minute hearing drew an overflow crowd as each side claimed that the competing position would hurt the United States both economically and in public safety.

Senator Dianne Feinstein, a Democrat whose constituents include many high-tech firms in California's Silicon Valley opposed to any government regulation of encryption, seemed content to let Freeh and Crowell make the call on what the nation's best plan of action should be.

"I get so many conflicting signals," she said. "I, for one, will be guided by what you gentlemen say is in the interest of national security."

Feinstein then left the hearing before industry representatives, including a scientist from her home state, testified that a rush to adopt an imperfect key recovery system could pose much greater threats than unregulated encryption would pose.

Peter Neumann, a scientist at the nonprofit SRI research institute in Menlo Park, Calif., and the editor of the highly influential Internet newsgroup comp.risks, stated that "building the secure infrastructure necessary . . . would be enormously complex and far beyond the experience and current competency of the field." Human weakness, he asserted, makes the systems fragile.

"Anyone who says that they can build this system is either lying to you or doesn't know what they're talking about," said Neumann, who was a member of the National Research Council panel that studied the issue last year and produced a report that many consider to be a good balance of public and private interests. The report concluded that it would be very hard, if not impossible, to secure any key recovery center against bribery, theft and sabotage.

Hatch also represents a state with a very significant computer industry. Novell, one of the leading developers of network software, is based in Provo, Utah.

Testifying on behalf of the Business Software Alliance, Michael MacKay, the vice president for computer architecture at Novell, told senators, "The Administration's key recovery scheme is too complex, too costly and too vulnerable."

He also emphasized that "encryption prevents crime by protecting the trade secrets and proprietary information of businesses and correspondingly reducing economic espionage."

On the same panel, Ray Ozzie, the leading creator of Lotus Notes, another popular network software product, repeatedly emphasized that "strong secure encryption prevents crime." Ozzie, who accrued a great deal of experience implementing encryption software when he developed Notes, said he felt that key recovery schemes "just don't scale" to the comprehensive sizes demanded by the FBI.

In many ways, Leahy summarized the quandary facing the Congress when he asked Freeh, "Do you put an imposition on every American on the odd chance that out of the 10 million phone calls that day, there is one you want to go after?"

Jeri Clausing at jeri@nytimes.com covers Washington for CyberTimes. She welcomes your comments and suggestions.