How will digital networks change the world? The history of mankind repeats itself – a series of wars and political strife and what now influences the outcome is the art of protecting secrets – cryptography. We will soon be in the 21st century: the era of the network society, where information will freely cross national borders. Cryptography will support the foundation of that network. This jumble of numbers and letters is a message that has been transformed into code by a computer. The only ones that can decode this message are those that hold a piece of data, called the key. Without this key the code cannot be broken, even if all the computers in the world were to work a million years. Who will control cryptography? The fight for supremacy over the network society has begun.
Crypto Wars – America
The San Francisco Bay Area, in the State of California. The birthplace of the personal computer and where the internet was developed. Young computer talent comes from around the world to gather here. Love of freedom and individualism thrive on America’s west coast. The youth here let their ideas fly without restraint while seeking to build with their own hands tomorrow’s network society. Five years ago these talented bay area youths formed a group in open opposition to the government. They called themselves the Cypherpunks… …the renegades of cryptography. They stand opposed to government regulation of cryptography. They chose to confront the government head on, thinking that if the current situation stays the same they would be unable to bring about a free network society. They hold a meeting every Sunday at a Thai temple on the outskirts of San Francisco. Here, for more than two hours, they will exchange the latest information about the encryption technology.
This is Ian Goldberg, a 23 year old exchange student from Canada.
Ian is a graduate student doing research into electronic currency and he spends his spare time finding bugs in software, sending companies into a panic. You might say he likes to stir things up.
This is Sameer Parekh, a 22 year old second-generation Indian American. He is a professional cryptography software developer and was named by Newsweek as one of 50 influential internet personalities. He started a company last year and began selling his own SSL web server.
Right now the computer industry is pouring their all into the technological development of the internet. They look toward encryption as a possible way to deal with the internet’s largest weakness – the ease with which data can be stolen. A cryptography conference held earlier this year at the end of January drew more than 2500 people from the industry who see the promise in the field’s future prospects. There, a great many new technologies combining the internet and encryption were announced, like digital money and digital signatures. In the network society of the 21st century, the huge cryptography market is expanding. In any line of business the first product to hit the market, even by a little, sets the standard. However those in this business have been unexpectedly hindered by America’s cryptography export regulations. The US government prohibits the export of encryption that it cannot break. For this reason businesses cannot release their products overseas.
Modern encryption technology uses a computer to alter data so that it cannot be read by an outside party. An encryption program uses a piece of data called a key to change a message into a meaningless series of letters. This key is a fixed length string of 1s and 0s. Only those who know the correct ordering of these 1s and 0s are able to retrieve the original message. The more bits in the key, the stronger the resulting encryption and the more difficult it is to break. Government regulations limit the length of encryption keys to 40 bits.
A key of this length has approximately one trillion different combinations. On the other hand, businesses have developed encryption that uses a 128 bit key. It can use more than a trillion times a trillion, times a trillion more different possible keys – a seemingly infinite number. So many that it’s impossible to find the one correct key. The 40 bit cryptography approved for export really isn’t secure enough.
As those in the industry call for a relaxing of the regulation, the conference’s sponsors hold a contest on the internet, offering a prize to whoever can decrypt a message encrypted with 40 bit encryption. The winner, receiving $1000, was a Cypherpunk. Ian is an exchange student from Canada, studying as a graduate student at the University of California, Berkeley. He decrypted the message using the university’s computers. Linking the computers together, he wrote a program to try each of the one trillion keys in a brute force search. Ian has been using a computer since he was 7. He found the Cypherpunks on the internet and was inspired by their activities. And two years ago he came to America’s west coast. He spends his entire day in this room, 14 hours in front of the computer. After entering the problem’s cyphertext, the system tried keys at a rate of 37 million per second. All he had to do was sit there and watch. This is the cyphertext that Ian decrypted. The hidden message was revealed using the key he found.
So we knew for a long time that 40 bit encryption is nothing but a joke. It’s OK for normal web traffic, but if you use the internet to do banking or business 40 bits is not enough. You can’t use that.
America’s encryption export regulations were created during the cold war era. They saw encryption as military technology, as a matter having to do with national security. And the export of encryption strong enough to keep the government from decrypting it came to be strictly prohibited. Allowing it to spread would jeopardize America’s global strategy.
Supporting America’s cryptography strategy is the National Security Agency, the NSA. The NSA is an intelligence agency formed shortly after WW2. To this day they haven’t even publicly acknowledged their existence. And likewise, they make no official disclosure of their activities or their budget. Even filming the building is prohibited.
Stewart Baker, 49, is a former general legal advisor for the NSA. He agreed to our interview on the condition that he would not discuss any specific information concerning the agency. Having once been right in the middle of the crypto wars, Mr. Baker currently works out of Washington DC as an advisor to both the public and private sectors.
What it is? Well, encryption and decryption are the reason the NSA exists. The NSA has two missions. To try to uncover the secrets of our adversaries, and also to protect our secrets and communications against attack from the outside. And it uses encryption to do that.
This is the National Cryptologic Museum, opened by the NSA after the Cold War with the aim of disclosing information to the public. A large number of documents detailing how encryption was used during the war were declassified and put on display. The Enigma machine – used by the Nazis during World War II. It’s a device used for writing messages, using a combination of gears with tens of thousands of possible connections. At the time the strongest encryption was mechanical, because in this era messages were deciphered by hand, and it wasn’t possible to solve for tens of thousands of combinations. And so this is the cryptanalytical machine the Allies developed. This machine, which succeeded in deciphering the German messages and helping the Allies achieve victory, inspired the invention of the computers to come after it. From their very beginning computers have had a close relationship with cryptography.
The times are changing.
With the widespread use of computers, public encryption development has become popular, which has given birth to various troubles between such development and government policy. Government fears the wide dissemination of encryption technology, and has been sued in court by developers and researchers who have been seeking an export license. Then in 1991, a programmer working alone created a military grade encryption program that spread explosively throughout the world. The program, named Pretty Good Privacy (PGP), provides strong email encryption. However the government was unable to prosecute him for violating the Arms Export Control Act. Because all he did was to give the program free of charge to his friends within the US. But once the program got on the internet it instantly spread like wildfire.
The State Department mailed a letter to me saying that I was required to register with the State Department as an arms dealer. Since I was exporting arms, I guess that made me an arms dealer. Then I would have to fill out a form, send in a $250 check to the State Department, Office of Defense Trade Controls. And I thought it was a strange thing because I’ve never been an arms dealer.
The further encryption spreads, the more difficult it becomes for intelligence agencies to gather information.
As software like PGP spreads and becomes easier to get, we don’t know when it will be used by organizations that harm the US, like terrorists. The government’s concerned about that.
The Cypherpunks have criticized the government, saying that cryptography isn’t a weapon reserved for the state. They claim that people have the right to freely use encryption that cannot be decrypted. And at the end of last year the government decided to remove the restrictions that designated encryption as munitions.
This t-shirt contains a very short encryption program on it. This program and this barcode is the RSA encryption scheme. It used to be a month ago that cryptography was regarded as a munition.
In exactly the same way that nuclear weapons and other really bad things were. If you wanted to export cryptography you had to have a license as an arms dealer. And that’s a little bit silly. I mean, treating this t-shirt the same way you’d treat a tank. It actually is not a munition any more. They’re out of date. It hasn’t been a munition since December 30th.
That’s the type of thing that’s easy to do if you’re a carefree graduate student without any sort of career or responsibilities to other institutions. And at a broader level, it’s not a good idea to be casual about the harm cryptography can do.
Five years after their formation, the network of Cypherpunks is expanding around the globe via email. Their ultimate goal is to prevent anyone from controlling cryptography. They know that a networked society will, with one wrong move, devolve into one trapped in a web of surveillance and wiretap systems. What can we do to prevent this? People from top companies are joining one after another, and have come together to work out a plan. First, they will develop and distribute foolproof privacy protecting encryption software. Then they will open the technology to ensure that the encryption doesn’t fall victim to attack. Based on this strategy, they have made a commitment to collaborate only on encryption development that is outside government control.
I work for a large American telecommunications company. The Cypherpunks are involved primarily with preserving privacy. It’s what the government isn’t doing peacefully. They’re interfering with our lives. It shoots people who don’t do what it wants, it’s trying to scare people to obey. That’s ridiculous. That’s not the kind of society I want to live in. I want to live in a free and open society.
Here’s a message, no one’s come here today to destroy things. It’s just that it’s time for the controls to be reformed, and that means changing the human condition.
The catalyst for the formation of the Cypherpunks was an appeal from an engineer who retired in his 30s from Intel, a major semiconductor manufacturer. In the 80s, the rapid growth of the computer industry gave rise to a great number of very wealthy engineers. Tim May was one such engineer. After earning enough to last him the rest of his life he quit his job, moved to a house on top of a hill in the suburbs, and orchestrated the formation of the Cypherpunks.
Well, Cypherpunks are people who believe that privacy and freedom can be protected not through government policy and not through lobbying for changes to privacy laws, but through direct seizure of privacy techniques and technology. The same technology as putting locks on doors, curtains on windows, shutters on windows, to protect privacy directly, mathematically.
While in school, the younger generation of Cypherpunks decided that rather than working for large corporations they would start their own companies. Last summer, Sameer founded C2Net, a company specializing in encryption software. They have only nine employees. He’s assembled a team of Cypherpunks and friends from college. Startups are usually funded by an investor. However, Sameer avoided seeking outside capital so that he could retain control of his business. His management policy is to make full use of the internet’s potential. The hardware occupying this office supports the business by handling internet traffic. It automatically handles all incoming traffic requests and instantly delivers software depending on what was ordered. The entire business is pretty much managed by these computers, from the time an order is received until the time it is delivered.
Upon entering college Sameer, who had known of the Cypherpunks since high school, immediately resolved himself to venture out into the business of cryptography. He was 19 at the time. His first business was an ISP that used encryption technology. He ran 10 phone lines into his apartment.
After getting his business on track he dropped out of college.
The school could always wait. But in the atmosphere of winning the race against making cryptography illegal I felt that it was more important to concentrate on the things that had to be done now. And I could get school issues done later when there was more time, once we’ve fought this battle, which must be fought now, then I could go back to school and finish that in a more leisurely manner.
The logo he’s created for his company’s cryptography software is a high fortress wall protecting privacy. It protects web traffic in its entirety, using 128-bit encryption. They received a rush of orders from overseas, but naturally they were unable to export it. Sameer still can’t accept the reason why he’s not allowed to make this technology available to the rest of the world.
The government’s explanation that criminals will use cryptography is nothing but an excuse. Their aim here is to make cryptography illegal and make it impractical for the people to use, so that the government can continue to keep their privacy infringing surveillance under wraps. They want to be able to look at all the traffic on the internet, to wiretap everyone without suspicion. So in fact cryptography does not help criminals at all. It’s something we have to have for our future society, to keep it secure so we won’t be held hostage to dangerous criminals who try to penetrate our file systems or who try to steal our data.
Silicon Valley – the hub of the internet industry. The export restrictions on encryption are not unlikely to put companies dealing in the global market at a fatal disadvantage. Netscape’s web browsing software commands 70% of the world market. A mere one year since their founding, they’ve rapidly grown through a strategy of using the internet to instantly sell their software anywhere in the world. Encryption is crucial to their ability to implement their on-line sales and contracts.
However due to the export regulations they’ve been unwillingly made to go through an extra step on their sales page.
This is a standard view of our Netscape Navigator. We have within our site certain areas that are secure areas. And in those areas is where we allow our US customers to download more secure versions of our product. This is an area that allows you to fill out a form where you state what country you’re a citizen of, where your address is. You’re not allowed to proceed without filling this out. And it also asks you to agree to abide by all the regulations surrounding cryptography software.
Ultimately they made two versions of their software. This is the US only version. It offers 7 different encryption schemes, including 128 bit encryption. This is the Japanese version of the same software. It offers only 2 encryption schemes, limited to 40 bits.
We’re unable to provide the electronic distribution of our secure software package to people in countries outside the US. At tremendous cost for us we’ve developed separate versions. And that’s part of our reason for pressing our government to reform this process, to give us a more level playing field to sell our secure versions in other areas of the world.
Sun Microsystems, the largest maker of servers and workstations, is also highly critical of the current government policy. It sees the restrictions as an impediment, as something that will stunt the spread of the internet.
As you know the restrictions are laws in this case that we must keep or we go to jail. Unfortunately these laws are archaic and out of date. In fact the current 40 bit restriction is laughable. The FBI is very concerned about its ability to wiretap. In practice this technology makes it much more difficult to do that. However in my experience technology happens. It’s very difficult to slow down. In fact, within the United States, they aren’t allowed to slow it down. So it makes no sense.
While business and government continue to square off, a new company was created last year that looks to end the standoff. PGP Corporation was created by Phil Zimmerman, who in 1991 developed and distributed encryption software at no cost, and who also underwent a two year investigation. The most important feature of PGP is that it allows normal people to securely communicate, whether they know each other or not. It achieves this through a new method of encryption developed in 1973, called public key cryptography.
In public key cryptography, each person uses their own personal pair of keys. One key will encrypt messages that can only be decrypted by the second key. The encrypting key is made public, and the decrypting key is kept private. When A wants to send a message to B, she will encrypt the message using the green key, B’s public key. The only key that will decrypt this message is B’s private key. When B wants to send a message back to A, he encrypts his message with A’s public key. This time the only key that will work is A’s private key. Because it’s not necessary to exchange decryption keys there’s no fear of the message being read by someone else.
Mr. Zimmerman wants to finish the latest version of PGP and once again distribute it free of charge. The Cypherpunks, sympathetic to this idea, are quitting their jobs one after another and joining the development camp. Meanwhile Zimmerman, who lacks business experience himself, has recruited experienced managers from other companies and is entrusting them to run the business. With more than 70 employees now, PGP Corporation is starting to get on track. However they’ve sunk a lot of money into the development of PGP, and Zimmerman just can’t get the new management to understand his dream of releasing it for free.
It’s like to say it’s expanding, like dandelion seeds on the wind. Free software crosses national borders and like a living thing, it spreads.
I’d like to convince everyone in my company that releasing freeware is something that ultimately helps our business. We’ll succeed if we can get PGP into widespread use. And for that free software is the best. PGP became the world standard because it was free. So to stop our release of freeware, would be to kill the goose that laid the golden egg.
The programming is handled by young engineers. However under the direction of the management, the company has begun to move away from Zimmerman’s ideals. Zimmerman now works PR, as PGP’s walking billboard, and his schedule is taken up with TV appearances, lectures and events outside the office. The management has set out on a plan to create a friendly public image for the business through a hardcore marketing effort. On this day, in Zimmerman’s absence, they’re holding a meeting with an advertising agency on how to best make use of his image. Zimmerman’s insistence on releasing PGP as freeware was finally agreed to during a meeting in March. However in the midst of the company’s sudden growth, Zimmerman is beginning to feel that he’s in danger of losing sight of his goals.
My culture and experience before was at the user level, on user privacy. In corporate environments I’m relying on the expertise of other people. And what I am concerned about is there will come a time when there’s a conflict between making money and doing the right thing. It affects how they talk to me, and it affects how I talk to them, and I find that makes me very uncomfortable. I wish there was a way to somehow preserve the relationship we had before, but I haven’t figured out how to do that.
On the other hand, Sameer has put the project he’s been brooding over into effect. Sameer can’t export his software overseas because it was developed in the US. He has therefore hired a team of foreign programmers and is having development done entirely overseas, outside the reach of US laws.
He holds development meetings once a week with an international phone call. Sameer, who is in America, owns the foreign company that developed the software. It will be sold internationally by an affiliate company in England. In this way he is legally able to sell encryption software with the same functionality both domestically and overseas. Having set up an organization spanning four countries, Sameer is aiming to create a multinational corporation with the world’s fewest employees.
We’re setting up a worldwide infrastructure as a foundation for the development of cryptography software. We are not going to rely on any single country. It would be like putting all of our eggs in one basket. We’re setting up this infrastructure so that if one country shuts down, they won’t be able to stop us from developing in other countries. And even if the United States manages to succeed in getting most countries to institute export restrictions they’re not going to succeed in making every country follow suit.
Last November President Clinton announced a change of course in the country’s encryption policy. Encryption technology was moved off the Munitions List and onto the Commerce Control List, where it could be exported with the permission of the Department of Commerce. However it clearly specifies that software must support key recovery in order to receive export permission. Key recovery is a system where keys are stored in advance with a trusted third party in case the government ever needs to use them to decrypt private communication. Basically the government will not license the export of any encryption that it cannot decrypt.
We do not propose to expand in any way the to access these kinds of communications beyond the rights that we currently have. In our constitution, in our law, there are certain terms within which our law enforcement agencies are allowed to get a warrant and obtain authorization from a court for a wiretap.
Now not every country permits that, but according to our constitution we’re allowed to do that. What we’re trying to do with our policy is to apply the same constitutional and legal procedures to what is essentially new technology. We’re not broadening government’s rights.
The United States and other societies around the world are facing a turning point, a fork in the road, where one path leads to a surveillance society. Effectively, where people have television cameras recording their actions and conversations on a computer. All their transactions at stores, everything is completely tracked. The other path, the other fork in the road moves in a direction where government can’t even collect taxes any more because they don’t know what interactions people are making. People are buying things and information from other countries, and they won’t even know in what country the transactions are taking place. This is a fundamental decision, this fork in the road. Basically, government would like us to go in that one direction. Cypherpunks would like to take us in the other direction.
Dorothy Denning, a professor at Georgetown University in Washington DC, supports the government’s key recovery plan and is advancing its research. She insists that key recovery is the solution to the Crypto Wars.
There’s actually several reasons why key recovery is necessary, and first and foremost in a business, when users encrypt their files, they need to be able to have access to that information. Sometimes the key can get lost, the employee might leave the company and take the keys with him or destroy the keys, and so you want to have some backup way of getting the keys in order to keep the data. In other words, the goal of key recovery is to protect the users themselves. And secondly, also very important is being able to give government agencies the ability to perform criminal investigations and collect evidence.
There was actually a very recent example in Japan with the Aum cult (responsible for the Tokyo sarin attack) where there was a need to be able to get access to their encrypted files. Fortunately they were able to do that.
As soon as the key recovery proposal came out in 1993 we immediately pointed out that it wouldn’t work because criminals would simply encrypt. They would encrypt their files and send them through the Clipper system, and you wouldn’t be able to stop them.
Companies can’t hide their bewilderment at the sudden change in government policy.
It’s a question that really goes beyond companies like ours and our products. It’s that encryption is already out there in the world. Think of a knife, for example. A knife can be used for evil purposes. But because you can also use it to cut food and open packages, it’s also a very useful tool. I think encryption is the same thing. It’s a tool that can be used for many many useful purposes.
The main concern of industry is that they’re able to sell lots, ok? That’s exactly the way it should be. They want to make a lot of money. So they can pay their employees’ salaries. And so their big concern is that they’ll lose substantial market share to companies outside of the United States that have less restrictive policies about encryption. And that I think that is their number one concern.
So we have had many discussions on this. And I can tell you that the individuals at Sun are troubled by key recovery because it raises many issues that would be much easier if you did not need key recovery. There are other problems with key recovery. It’s very difficult to use. There aren’t any systems fully operational today that have been certified safe. So my guess is that key recovery is just another political compromise that will not be wildly successful because our customers already have the technology to have private encryption without key recovery. And we don’t manage our customers, they manage us.
A variety of governmental restraints and incentives will lead to key recovery becoming commonplace. There are some trends that suggest that that’s going to happen. The French government is now especially telling companies that all encryption sold in France will have to have key recovery. The UK government is leaning that direction to enact requirements for licensing. And the US export control policy favors that. Finally there are some reasons for companies who use encryption to want to have key recovery in place for certain parts of their encryption systems. So all those policies, those trends favor the idea of key recovery being the common form of encryption.
At the end of February, hoping to escape the chaos of America’s cryptography regulations, developers from corporations representing the cryptography business have gathered in Anguilla, in the Caribbean Sea. The Financial Cryptography Conference. This island, which does not levy taxes on corporations, is willing to lend a hand to the Cypherpunks and those companies in the cryptography business. The Cypherpunks that have already arrived greet Sameer and his friends. They’ve all been asked to come by Cypherpunks member Vince Cate, a resident of this island. Three years ago Vince left America’s west coast to move here, a place without any internet service. At that time he had a plan in mind.
Anguilla is a small island with a population of only 9,000. A tourism industry which depends on resort customers from America and the sale of commemorative stamps are Anguilla’s primary sources of income. However, revenue from tourism is sluggish compared to other islands in the area. After arriving here the first thing Vince did was to preach to the Anguillan government about how wonderful the internet was. And in the end, even though the island was poor it was wired for the internet. The government of Anguilla has attempted to lure corporations here, enticing them with a favorable tax policy.
There are now more than 5,000 shell corporations registered here — more than half of the island’s population. But it’s still not sufficient to really support the island financially. Vince’s plan is that he wants Anguilla to host internet cryptography businesses. The government, hoping to revitalize the island, has joined hands with Vince and his dream. Sameer had been looking for a foreign headquarters. With help from Vince, he immediately established a subsidiary company of C2Net. Vince is attempting to build the infrastructure here to support the Cypherpunks’ activities.
I think the idea of starting a business offshore will catch on. There’s no difficulty as long as you can start a company. You can do anything you want on the internet. Pretty soon 128 bit encryption will arrive no matter what country you’re in. It’s very clever, and it’s our answer to silly laws.
Using the internet to draw participants from around the world, the Financial Cryptography Conference was a huge success. The Cypherpunks from both America and Europe have brought in well-known cryptography researchers and developers from major companies. Various ideas about how to develop encryption for things like digital money and internet banking were intensely debated. Without the promise of America relaxing its crypto regulations and fearing that their development of encryption technologies may be delayed, major corporations are beginning to give serious thought to the idea of overseas development. Armed with an internet that transcends borders, their business strategies are also beginning to boldly change.
I’m very impressed. Quite a number of reputable companies have chosen to come to this venue. It has surpassed my wildest expectations.
During breaks in the conference Sameer and his friends have scheduled meeting after meeting. Their goal is to launch an all-out effort to make this island an international business haven without further delay.
Today they’ve come to get advice on how to develop crypto businesses from an attorney practicing in Anguilla. Turning toward their next development they begin embracing the island’s enthusiastic response. The borderless network society will soon be upon us. These youths who grew up with computers are clearly focusing on their strategy for when it comes.
Right now I think the current situation is that war is imminent. We’ve managed to spread the use of encryption, but we haven’t begun exchanging fire yet. No one’s been sent to jail yet either. In any case what we want to do is get everyone using encryption before it can be made illegal. If everyone’s already using it, they can’t outlaw it. On the other hand, making it illegal will halt its spread. Whoever can act faster will win. On that assumption it’s likely that we’re rushing headlong into a war-like situation.
Mr. Baker, the former NSA attorney, is flying around making frequent visits to the west coast, trying to persuade bewildered companies to support the government’s key recovery proposal. He says that he himself can’t possibly predict how this chaotic crypto war will end.
With the government on the east coast and the technologists on the west…yes I think you can say there is an enormous cultural divide there. I think it’s almost a generation gap. The technologists on the west coast, with some exceptions, are people who were born after Watergate. And they think government is crooked, when they think of Nixon, or else they think of it as misguided, like Reagan, and so they would like the government just to leave them alone, and they don’t believe that they do anything right. Whereas on the east coast the people, particularly those over 45, believe that government works for good and that government regulation is necessary to prevent abuses by companies and individuals. I think that is a very real difference between people over 45 and people under 45.
It’s been three months since the enactment of the US Government’s new encryption policy. As of now 4 companies have promised to follow the government’s plan and have received permission to export. The battlefront is spreading overseas, and the Cypherpunks are now facing a critical moment in the conflict. We’ve entrusted our future to the network society, and this battle will decide its course.