Dear Mr. Chairman,
Thank you for the opportunity to appear before your Committee in support of H.R. 695, the Security and Freedom through Encryption (SAFE) Act. I am pleased to submit this written testimony with additional details about my case and pointers to more information on encryption, its worldwide availability, and the effects that the current export control regime have on the security and privacy of US citizens. This document is available on the Internet as
In that form it contains many links to related information on the Internet.
I maintain a comprehensive Internet archive of the Applied Cryptography case, including all my correspondence with the State Department and the briefs of both sides in our lawsuit.
The book Applied Cryptography by Bruce Schneier that is the subject of my case was first published in early 1994. Mr. Schneier estimates that the first edition sold 30,800 copies. The second edition, published in 1996, has sold 34,300 copies in the US. Another 15% have been sold internationally; there are translations into French (3,000 copies), German (2,000) and Polish. It is now being translated into Japanese and Spanish.
Mr Schneier's publisher, John Wiley and Sons, has kindly contributed a dozen copies of his book to the Committee. I consider it an excellent reference on modern cryptography and I hope the Members and their staffs will find it useful in understanding the subject. I should state that I have no connection to Mr. Schneier other than as a satisfied reader. Although I did contribute minor material to the book, I have no financial interest in its sales.
Applied Cryptography is a comprehensive book, but it is by no means unique in having source code listings of strong encryption algorithms (ciphers). Many other textbooks on cryptography describe ciphers such as the US Data Encryption Standard (DES) in complete detail, and some include source code. Computer magazines with worldwide circulation such as Byte and Dr. Dobbs Journal (DDJ) have featured source code listings of ciphers such as DES, IDEA (used in Pretty Good Privacy) and the like. DDJ specializes in articles for programmers that contain source code; Mr. Schneier is a frequent contributor to that magazine. They have long made all of their source code listings available on CD-ROM and over the Internet.
Computer books and magazines frequently print source code to illuminate the discussion of an algorithm in the accompanying text. The English language, or any natural language for that matter, is notoriously ill-suited to describe computer algorithms. Computer programming languages are designed not only for compilation by a computer into machine code for eventual execution, but also to communicate an algorithm in a concise, unambiguous way to a skilled human reader. As the preface to a computer science textbook stated:
Our design of this introductory computer-science subject reflects two major concerns. First, we want to establish the idea that a computer language is not just a way of getting a computer to perform operations but rather that it is a novel formal medium for expressing ideas about methodology. Thus, programs must be written for people to read, and only incidentally for machines to execute. (H. Abelson and G. Sussman, Structure and Interpretation of Computer Programs, MIT Press 1985.)
The source code in Applied Cryptography follows that philosophy. In a ruling in the related case of Bernstein vs Department of State US District Judge Marilyn Hall Patel specifically held that source code is protected speech under the First Amendment:
Defendants appear to insist that the higher the utility value of speech
the less like speech it is. An extension of that argument assumes that
once language allows one to actually do something, like play music or make
lasagne, the language is no longer speech. The logic of this proposition
is dubious at best. Its support in First Amendment law is nonexistent.
...
For the purposes of First Amendment analysis, this court finds that source
code is speech. (Opinion, Docket C-95-0582 MHP, April 15, 1996)
Yet the government totally ignored this and Judge Patel's subsequent ruling on December 6, 1996 holding that the ITAR as applied to encryption source code was a violation of the First Amendment. They continue to treat this information as a dangerous weapon. Indeed, on December 30, 1996 they dug their heels in deeper:
A printed book or other printed material setting forth encryption source code is not itself subject to the EAR (see Sec. 734.3(b)(2)). However, notwithstanding Sec. 734.3(b)(2), encryption source code in electronic form or media (e.g., computer diskette or CD ROM) remains subject to the EAR (see Sec. 734.3(b)(3)). The administration continues to review whether and to what extent scannable encryption source or object code in printed form should be subject to the EAR and reserves the option to impose export controls on such software for national security and foreign policy reasons. (Department of Commerce, Bureau of Export Regulation, Encryption Items Transferred From the U.S. Munitions List to the Commerce Control List, Federal Register, December 30, 1996, pp. 68572-68587).
This is from an "interim rule" transferring jurisdiction over civilian encryption items from the International Traffic in Arms Regulations (ITARs) administered by the State Department to the Commerce Control List (CCL) administered by the Bureau of Export Administration (BXA) in the Commerce Department. The new rules provide no substantive relief over the old rules. Indeed it is hard to understand why the Administration went to the trouble of making the change except as a cynical attempt to "respond" to the sustained public protests against US encryption policy by injecting further uncertainty and confusion. Perhaps they just got tired of us holding up our floppy disks and proclaiming that the US Government considers them "munitions". Now they're merely "encryption items", but I could still go to jail for exporting one.
One effect of the transfer was an additional delay in processing licensing applications. Our export department at Qualcomm reports that one license application had been pending at State for 42 days when the new rules were issued. State then returned the application without action. It took another 42 days to finally obtain approval from Commerce. Our export administrator does report that the paperwork requirements with Commerce are somewhat less onerous than with State.
The lengths to which the government appears willing to go to suppress readily available cryptographic software are truly remarkable. Indeed, it seems to be an even bigger threat than nuclear weapons information. Consider the 1979 case of US vs The Progressive, where the government tried to suppress an article on the principles of nuclear weapons based wholly on public information. The government predicted all sorts of dire consequences should this information be published. But the article appeared anyway in the US press. Once this happened, the government dropped its case. It did not then try to stop it at the borders because that was obviously impossible, even without a global Internet. Yet that is precisely what they are trying to do with encryption software. As the Los Angeles Times said recently in an editorial, the encryption horse has not only left the barn, it has been on a worldwide tour.
The Applied Cryptography source code is readily available on the Internet from a site in Italy (ftp://idea.dsi.unimi.it//pub/security/crypt/applied-crypto/). Countless other Internet sites around the world also have encryption software. Some are subroutine libraries like those in Applied Cryptography that are only of use to programmers who can incorporate them into complete applications.
Others packages are complete applications that can be installed and run by the end user. The well-known Pretty Good Privacy (PGP) package is only one example. Another more recent package with which I am familiar is the Secure Shell (SSH) by Tatu Ylonen of Finland. While PGP is primarily suited to electronic mail, SSH provides highly secure remote access, file transfer and command execution between Unix, Windows-95 and Macintosh operating systems. SSH provides a choice of strong ciphers, including "triple DES". Several years ago, the American National Standards Institute (ANSI) standardized triple DES at the request of the banking industry -- over the strenuous objections of the National Security Agency. Needless to say, SSH does not provide key escrow.
Mr. Ylonen has made the full source code of his software freely available on the Internet where in just two years it has become a de-facto standard. This shows how the foreign competition to the US software industry is not limited to large companies. One suitably motivated and talented individual, living in a country without export controls, can produce strong, unescrowed encryption software and have it rapidly adopted by the Internet community. Because Mr. Ylonen has encouraged free copying of his software he does not know precisely how many use it. He estimates that several tens of thousands of organizations and hundreds of thousands of individuals -- perhaps as many as a million -- use SSH.
As I stated in my prepared remarks, export controls on cryptography have prevented the use of strong, well-studied ciphers in the new crop of digital cellular telephone systems now being deployed in the US. The industry has instead pursued weak ciphers that can pass export muster. At first the industry tried to keep their designs confidential, out of concerns over export law and also to hide their weaknesses.
Now it turns out that these weaknesses are even worse than was thought. The new paper Cryptanalysis of the Cellular Message Encryption Algorithm by David Wagner, a graduate student at the University of California, Berkeley, and Bruce Schneier and John Kelsey of Counterpane Systems describes how to break this cipher:
This paper analyzes the Telecommunications Industry Association's Cellular Message Encryption Algorithm (CMEA), which is used for confidentiality of the control channel in the most recent American digital cellular telephony systems. We describe an attack on CMEA which requires 40--80 known plaintexts, has time complexity about 224-232, and finishes in minutes or hours of computation on a standard workstation. This demonstrates that CMEA is deeply flawed.
The paper concludes as follows:
Our cryptanalysis of CMEA underscores the need for an open cryptographic review process. Betting on new algorithms is always dangerous, and closed-door design and proprietary standards are not conducive to the best odds.
[...]
The attack described in this paper is practical, and can be used against existing cellphones that use CMEA for security. CMEA is deeply flawed, and should be carefully reconsidered.
Again, the closed-door design process was largely the result of concerns over export controls. The industry was concerned that even publishing their ciphers for review might violate the law. This deprived them of the benefits of free and open scientific inquiry.
I wish to emphasize that the new digital cellular systems are still much harder to intercept than the existing analog (AMPS) systems like that used by Speaker Gingrich in his now-famous phone call. But they are not nearly as secure as they could have been. While industry politics and public apathy were also to blame, export controls were clearly the major culprit.
The proposed legislation, H.R. 695, the Security and Freedom through Encryption (SAFE) Act, is a big step toward restoring common sense and reason to our encryption policy. I am especially gratified that it would completely deregulate the export of publicly available encryption software such as the Applied Cryptography code so that it can be used as easily by the "good guys" as well as the bad guys who already have it.
My main concern with the legislation as written deals with the provisions that allow the Secretary of Commerce to determine whether there is "substantial evidence" that encryption software will be diverted to terrorist or hostile military use, or whether "comparable" cryptographic hardware is available from foreign suppliers. Past experience with the existing export laws shows that such provisions are ripe for abuse by the Executive branch. They should be backed up with explicit provisions for judicial review, and the full provisions of the Administrative Procedures Act (APA) should apply.
I am also concerned with the provisions that would create a new federal crime of using encryption in the commission of a crime. This may well have the effect of making a federal case out of even a minor criminal offense because of the incidental use of a device that happens to include encryption-like functions, such as a digital cordless phone. I believe this provision, if it is retained at all, should be more carefully tailored to the deliberate use of encryption to substantially impair the investigation of a major federal crime. The states would still be free to establish similar statutes for state offenses.
Philip R. Karn, Jr. has been a Staff Engineer with Qualcomm Incorporated in San Diego, CA since 1991. He is actively involved in a variety of technical areas related to digital wireless communications, computer networking and security. He is the primary architect of the CDMA Internet packet data service recently announced by Qualcomm. He is also a participant in the Internet Engineering Task Force (IETF). Before coming to Qualcomm, Mr. Karn was with Bell Communications Research, Morristown NJ, and with Bell Telephone Laboratories, Naperville IL and Murray Hill NJ. Mr Karn has a BS degree in Electrical Engineering from Cornell University and a MS degree in Electrical and Computer Engineering from Carnegie Mellon University. He is a native of Baltimore, MD.
Links updated 10 Feb 1998