Start using encryption now, and maybe it won't be outlawed

Secure encryption on the Internet is the key to confidence for people wanting to buy and sell goods and services online. But the US government is worried that secrecy could help terrorists and other undesirables, and is insisting on holding keys to the codes. While the argument rages, Charles Arthur suggests, readers should try out encryption for themselves.

There is a well-used American phrase that runs: "If you outlaw X, then only outlaws will use X."

The first few times you see it, it seems pretty powerful as an argument against outlawing X: I've seen it used for guns and, more recently, encryption, though X could just as easily be "cars" or "rice pudding". After a while it wears off. I've seen it used only on the Internet, where people are apt to use phrases without thinking what they may mean.

But in fact that second use (the encryption one, not the rice pudding one) has recently become very interesting. Usually the arcana of the encryption world bore me, as do the confused legal processes that surround it. Code-breaking may have won us the Second World War and (according to a weighty 1,186-page tome called The Codebreakers, which landed on my desk on Friday) got the US to enter the First World War. But generally encryption smacks of time spent chewing pencils in maths exams.

In the past few days, though, there's been plenty of cheering around the halls of cyberspace, after a US House of Representatives committee voted an amendment to a proposed Bill on encryption called Safe. Safe stands for "Safety and Freedom through Encryption" - a wonderfully Orwellian title, as it mostly means exactly the opposite: the various proposals in the bill would have meant that encryption was neither safe nor offered much freedom to its users. The only thing it really offered was reduced export controls.

The proposed amendment would have given the US government all sorts of daft rights, such as "back doors" into encrypted code, and the right to insist that you deposit the electronic keys to your encryption system with a third party (the "escrow" system) which the Feds could then access without telling you. As one aggrieved Internet user noted: "Do they want us to deposit copies of our house keys, too?" Safe isn't exactly wonderful in its original form, but it may mean "strong crypto" can be exported world-wide, which would put everyone on a level playing field.

Let's stop for a minute to ask who actually wants strong encryption - the sort of impossible-to-crack stuff that people are talking about here. According to some of the more foaming-at-the-mouth US politicians, it's obvious: child pornographers, paedophiles, spies and terrorists. Which, I'd say, is possible. But there's another, much bigger category: people in commerce.

Banks already use strong crypto, which is virtually impossible to crack in the lifetime of the universe. And governments think it's necessary for their diplomats. What worries them, though, is the idea that the ordinary person on the Net will get hold of it. Given industrial-strength encryption, people could even start sending each other money over the Net, and the taxman would never know. With electronic cash, you can have your own economy running without recourse to a bank: you send strings of digits (aka money) to your suppliers, and in the new digital economy they send back in digital form whatever their work is - perhaps a new CD (I'll take the new Portishead, please) or book in Adobe Acrobat form so that you can print it out and read it at your leisure.

Of course, you encrypt it all so that it can't be intercepted and read - you don't want the wrong person getting that CD meant for you, or having the money you want to go to the record company. That's easily done using "public keys", which are the encryption form of padlocks.

Using a program such as PGP 5.0 (Phil Zimmermann's Pretty Good Privacy, whose latest version - translated and exported by some Dutch hackers - is at you publish your electronic padlock; people send messages made with that. Then when you receive messages encoded with your padlock, you use your electronic key - the private one - to unlock it. The padlocks and keys are unique.

So why don't the FBI and other law-enforcement agencies in America (which generally decides what happens on the Internet, whether we like it or not) like encryption? Perhaps they think it will make it harder to catch terrorists. Considering their track record in this area, it seems that a little encryption is unlikely to make much difference.

No, I suspect that they are worried about huge amounts of digital cash flowing in and out of the country; and that the US Internal Revenue Service is also worried on that front. Where would the taxman get his money?

This is the real tension in the Safe bill. The US government can't quite square the circle of wanting to know where people's money is, and letting its software companies dominate the world with their strong crypto programs. So it's holding back on what people do want, which is a way to use the Internet for commerce without worrying that their credit card details - or even wads of digital cash - are being intercepted by rabid hackers or even bent cryptographers.

How long Safe will take to emerge from the labyrinthine digestive system of the American legislative process, and what it will look like (follow the metaphor, it may be apt) is unclear. In the meantime I would encourage you to try out PGP. You will be surprised how easy it is. If you get used to using encryption now, you'll be prepared for a digital economy.

And the more people who do use it, the less chance that governments will be able to come round and take it off everyone's hard disk.

Outlaw encryption? Then we'll all be Jesse Jameses. Still, if they want to outlaw rice pudding - they've got my blessing.