Encryption and the Government
For chapter 15

Encryption is the process of encoding an electronic message that is sent to a second party who has a "key" that will decode the message. Encryption is used to protect messages on the Internet. For example, industries such as banking, insurance, medicine, military, and finance use encryption to protect financial transactions and personal information from being read by unauthorized personnel. These industries utilize a variety of encryption standards and methods including RSA (developed by RSA Data Security), SSL, (Secure Sockets Layer), and DES (Data Encryption Standard).

These three encryption standards ensure that the message is properly encrypted and that the receiver, and only the receiver, has the ability to read the message. SSL (Secure Sockets Layer) is the most famous of the standards as it is used throughout the World Wide Web to ensure privacy and integrity of electronic commerce transactions. These transactions include business-to-business transactions and exchanges as well as business-to-consumer transactions. With the continual increase in the importance and use of electronic commerce in today´s society, the level of encryption and the trust given to encryption by the public has become a higher priority for many. Though encryption comes in many forms and methods, the main point is the "strength" of the encryption - i.e., how difficult it is to decode the message without the key. For more information on encryption and a sampling of products see http://www.nai.com/default_pgp.asp.

There are currently two major issues related to encryption strength:

1. Should the government be allowed to have a "master key" so that it can enforce national security?
2. What should the encryption regulations be when foreign countries are concerned. For example, should messages leaving the United States be allowed to be fully encrypted when they may contain information regarding national security?

Issue #1: Should the government have a "master key" to enforce national security?

The stronger the encryption, the more secure the message and the harder it is to decode the message without the key. The government is concerned that the availability of "strong encryption" that cannot be decoded will lead to terrorist and other illegal activities that cannot be monitored by the government. For example, hate groups and criminal organizations will be able to transmit secure messages without the fear or possibility of government knowledge. These people, will in essence, have a secure form of communication that is immune to government intervention. Business leaders feel that "strong encryption" is necessary for completely private transmissions and full, global competitiveness, and they are willing to take the risk involved with the potential improper usage. The possibility of law enforcement decoding a message will hamper the privacy of the message.

To solve the above problem, the government has proposed that it be given a "master key" that could be used if necessary to decode "strong encryption" messages. This key would not be used without extreme need. Industry leaders are still reluctant to agree to this plan and are fighting for "strong encryption" without a master key.

Issue #2: What should the encryption regulations be for foreign countries?

While many countries have similar Internet security laws and standards as the United States in terms of the allowed level of encryption and other areas, there are many other countries, such as suspected terrorist harboring countries like Libya, that do not. Because of these lower standards, United States companies are not allowed to use "strong encryption" in their interactions with their offices in foreign countries. Doing so violates national security! However, financial institutions, insurance companies, and medical organizations are allowed to use "near-strong encryption" for communication with their offices in a small group of foreign countries, such as England, Germany, France and others. This exception was made to help protect the extremely sensitive nature of the communication.

Points to Ponder:

1. Should the U.S. government own a "master key" that would allow it to decode any encrypted message sent over the Internet? If not, why not since this is somewhat analogous to obtaining a search warrant? If so, what regulations should there be on the use of this key?

2. How can a truly global economy and global Internet work if there are different regulations for domestic and foreign encryption? What solution do you propose to this dilemma?