Advertise with InfoWorld

Posted at 6:55 AM PT, May 21, 1999
WASHINGTON -- The battle over U.S. encryption policy raged here again Thursday at a conference where outspoken privacy protection advocates were pitted against a U.S. Department of Justice lawyer who defended current restrictions on the export of strong encryption as an absolutely essential component of law enforcement.

If the FBI and other U.S. law enforcement agencies lose the ability to break into the computer systems of criminal suspects, they will have to operate without one of their most effective tools, said Philip R. Reitinger, senior counsel of the computer crime and intellectual property section in the Justice Department.

U.S. law enforcement depends on its ability to search a suspect's computers to prosecute all kinds of crimes, from terrorism to drug trafficking, child pornography, and fraud, Reitinger said during a panel discussion at a conference here on privacy sponsored by the Smart Card Forum.

There's no worse feeling for a law enforcement official, Reitinger said, than finding that a confiscated computer is full of documents that have been sealed up by strong encryption.

"That's a horrible feeling because that's the smoking gun evidence that enables you to really try the person and prosecute him," Reitinger said.

The idea of absolute information privacy -- a view advocated by another panelist, Dan Geer, vice president and senior strategist at CertCo -- would lead to "a situation where there can be no law enforcement," Reitinger said.

It would mean a law enforcement official could not prosecute someone who broke into a person's computer system electronically and stole the data in it, he said.

"It won't be provable because we won't be able to get the data from the person who did that," Reitinger said. "What that leads to is tyranny of the powerful. You should have privacy, but there should be a mechanism for law enforcement to be able to prove a criminal case when it's necessary."

Geer spoke from the other end of the spectrum, expressing views that reflected those of many people in the information technology field who believe the U.S. restrictions on the export of strong technology should end. Currently, it is illegal to export any program stronger than 56-bit encryption without a waiver from the Department of Commerce. The policy is hampering the development of strong encryption products by U.S. companies and hindering e-commerce, according to people who want the policy changed.

Geer said the government's approach has resulted in "a very large negative outcome with a very low probability" of effectiveness. He spoke in favor of the right to absolute privacy for an individual's personal data.

"I will take the side effects of absolute privacy ... over the alternative because I think I can recover should I someday decide I cannot afford the cost of absolute privacy," Geer said.

Americans already are expected to sacrifice too much personal information about themselves just to shop, and "once you lose control of [your private data] you can't get it back, hence it will be a cold day in hell when you want to let it go," Geer said.

Citing familiar arguments, Geer also said the U.S. position on encryption is flawed because strong encryption is available elsewhere and the Internet makes it impossible to control its import.

"I wish [the U.S. government] would quit disarming me in a world in which they can no longer protect themselves," Geer said.

But Reitinger said he favored a "balanced choice" on encryption that would let law enforcement maintain the right to break encryption codes under very strict standards.

"I think that saying we have to choose one side or the other is a false course," Reitinger said. "We all need to be talking ... in a public realm about what the appropriate balance ought to be, and I don't think we should undervalue either the interest of privacy or the interest of public safety."

Another panel pitted Marc Rotenberg, director of the Electronic Privacy Information Center, against Stewart A. Baker, an attorney with Steptoe & Johnson and former general counsel for the National Security Agency.

Rotenberg said regions outside the United States are using the European Union's data privacy directive, which went into effect late last year, as their model for ensuring the privacy of Internet users, while the United States is pushing internationally to limit privacy legislation.

But Baker said that despite the EU's directive, various laws already on the books in the United States make enforcement of privacy violations tougher here.

France, for example, does not investigate many privacy violations and is five years behind on issuing citations, Baker said. By contrast, the U.S. Federal Trade Commission has taken the view that if a company promises not to sell data collected at its Web site and it does, it risks prosecution for unfair and deceptive trade practices.

The FTC "can come enforce it and they have a team of people they are assembling to do just that," Baker said. "So actually, it's more likely you'll end up on the receiving end of enforcement in the United States than in Europe."

Margret Johnston is a correspondent in the Washington bureau of the IDG News Service, an InfoWorld affiliate.