The committee said that such a broad application of cryptography -- which is the use of mathematical formulas to encrypt electronic information so it is indecipherable without the proper digital "key" -- will benefit the nation in many ways. These include making it easier to protect from crime and terrorism such nationally critical assets as banking and telecommunications networks; providing greater privacy to individuals; and boosting the international competitiveness of U.S. companies.

The congressionally requested report says that no law should bar the manufacture, sale, or use of any form of encryption within the United States, and that export controls should be relaxed but not eliminated. The development of encryption technologies should be driven largely by market forces than by government-imposed requirements.

"While the use of encryption technologies is not a panacea for all information security problems, we believe that adoption of our recommendations would lead to enhanced protection and privacy for individuals and businesses in many areas, ranging from cellular and other wireless phone conversations to electronic transmission of sensitive business or financial documents," said committee chair Kenneth W. Dam, professor of American and foreign law at the University of Chicago. "It is true that the spread of encryption technologies will add to the burden of those in government who are charged with carrying out certain law enforcement and intelligence activities. But the many benefits to society of widespread commercial and private use of cryptography outweigh the disadvantages."

The committee said that the government should explore "escrowed" encryption for its own use, rather than aggressively promote this unproven technology to the private sector. In escrowed encryption, the decoding key would be held by a trusted third-party organization or institution. This is attractive to law enforcement agencies because with a court order, they could obtain the key and unlock even the most unbreakable code. However, many companies don't like the idea of giving a third party the key to all their secrets, even if the third party is considered trustworthy.

The U.S. government's current support of escrowed encryption as a technical pillar of its cryptography policy is inappropriate now, the report says, because there are many unresolved questions about this approach. Even when these problems are resolved, adoption of escrowed encryption or of any specific technology or standard by the commercial sector should be voluntary and based on business needs, not government pressure.

NOT JUST FOR SPIES

The report notes until recently, cryptography was of interest chiefly to the intelligence-gathering community. However, the revolution in information technologies that has occurred over the past 10 years has resulted in much more information -- including trade secrets, research and development notes, and pricing and bidding information -- being sent over electronic networks. As a result, companies are seeking ways to keep these data out of unauthorized hands, such as those of competitors, criminals, and foreign governments. And in response to this demand, computer companies are developing better encryption software and hardware.

Cryptography's new popularity has created a policy dilemma for the U.S. government because the growing importance of cryptography as a tool for protecting sensitive personal and business information increasingly conflicts with the traditional interest of national security and law enforcement agencies in assuring their access to information. And even in the realms of law enforcement and national security, encryption is now the proverbial double-edged sword, the committee said. If used by crooks or others will ill intent, it can hinder criminal investigations. But its use by law-abiding individuals and business can help prevent crime. For example, use of cryptography to ensure confidentiality, provide reliable user authentication, and detect unauthorized tampering with electronic data can help to deter electronic bank fraud and many other types of illegal activity.

The report notes that current federal restriction on the export of encryption technologies allow only the export of relatively weak cryptography. This is done to protect the nation's ability to gather foreign intelligence. However, these export laws not only inhibit U.S. companies from selling their best cryptographic technology overseas, but they also limit what is available in this country. Even though there are no legal limits on the kinds of encryption that can be sold in the United States, many companies find it impractical to develop and market different products for both U.S. and overseas markets.

One common way to measure the power of a cryptographic product is by the number of information bits in the deciphering key: the more bits, the tighter the security. The federal government should allow the ready exportation of cryptography products that provide a level of confidentiality sufficient for most general commercial requirements, the committee said. Encryption products with 56-bit keys currently would provide this level of confidentiality and should be readily exportable. However, under current federal law, companies cannot easily send products with a key longer than 40 bits outside the country.

U.S. technology vendors should be allowed to export cryptography products with keys longer than 56 bits, as long as the users of these products agree to provide the U.S. government access to decoded information, the report says. In addition, the export licensing process should be streamlined.

The committee said that the U.S. government needs to foster an open public debate so that a national consensus on cryptography policy can be achieved. For several years, the stakeholders -- including law enforcement agencies, the national security community, the information technology industry, and the civil liberties community -- have been unable to come to a consensus on a national cryptography policy. Debate has been complicated, in part, by the position that effective public deliberation are impossible since much relevant information in this area is classified.

However, the report refutes this view. The 13 members of the committee who have security clearance examined the arguments based on classified materials and concluded that, although important to specific situations, classified material is not essential for understanding current cryptography policy or how the technology should evolve. "The feasibility of achieving national consensus is demonstrated by the fact that the study committee -- which represents many different perspectives on subject -- was able to come to a strong consensus," said Dam.

ENCOURAGING PRIVACY

The report recommends that the government take a number of additional steps to promote widespread use of encryption technologies. These include:

• encouraging the use of cryptography as a way to determine whether data have been altered by unauthorized individuals, and to assure the identity of authorized users;

• promoting the security telecommunications networks more actively, starting with the encryption of cellular phone and other wireless voice communications; and

• pursuing government development and use of escrowed encryption as a way of gaining working experience with this technology and making escrowed encryption more useful to the commercial sector.

The study was funded by the U.S. Department of Defense and Department of Commerce. The National Research Council is the principal operating agency of the National Academy of Sciences and the National Academy of Engineering. It is a private, non-profit institution that provides science and technology advice under congressional charter.

Return to the EPIC Crypto Policy Page