ABSTRACT

Between 1990 and 2000, all Internet stakeholders were engaged in an international campaign to reduce or abolish all state control on the individual use of encryption software products. In democratic countries around the world, civil liberties NGOs and ICT firms forged an “accidental” alliance and fought long legal and technical battles, the so-called cryptowars, with national security and law enforcement agencies to allow Internet users to encrypt personal communications and protect their on-line identities. National security communities strove to securitize cryptography by maintaining a monopoly on its research and use. By 2000, democratic policy-makers accepted the economic and social arguments for private use of encryption. Cryptography was thus liberalized in the majority of democratic countries and has remained strictly controlled only in autocratic states. This chapter examines the events of the cryptowars and their consequences.

There is no date for when the struggle about cryptography began, but June 5, 1991, the day when Phil Zimmermann released Pretty Good Privacy (PGP), the first popular encryption software based on public key cryptography, could be considered a starting point.¹ By 1999, The Economist (1999a: 23) warned that, given the easy availability of increasingly complex codes, “governments may just have to accept defeat, which would provide more privacy not just for innocent web users but for criminals as well.”² The cryptowars ended in 2000 (Levy, 2001), after the United States, France (Segell, 2000), and other democracies relaxed their limitations on the export and individual use of encryption software (and in the midst of the dot.com crash). Against the background of the growing diffusion of the Internet and the increased international dependence on information infrastructures, the 1990s battle to guarantee the free use of encryption truly epitomized one of the epochal moments in Internet control.

Cryptography comes from two ancient Greek words that together mean “secret writing.”³ For most of its history, the science and technology of cryptography have been the exclusive domains of national governments that wanted to protect their communications and intercept those of their adversaries and competitors.⁴ When the British and the Americans broke the Japanese and German codes during World War II, they secured an enormous strategic advantage. In the last two decades, the ICT and software revolutions, the diffusion of the Internet, and the meshing of the Internet and of public key information infrastructures (PKI) have popularized cryptography but also made it a controversial issue.⁵

All communications exchanged on the Internet (personal data, system maintenance data, individuals’ preferences, locations visited) are open; anyone with minimal training and technology could see or read anything. Security is guaranteed only through encryption. Several authors (Barth and Smith, 1997; Singh, 1999; Schneier, 2000; Levy, 2001) have identified this problem, and have emphasized the extreme importance of encryption software for Internet communications.

Presently, the private sector would stop functioning without strong encryption software; electronic business and financial transactions would be impossible, as would the business of government agencies and offices. Strong encryption means strong secrecy, and secrecy is also at the foundation of privacy. But secrecy can be “a two-edged sword for a democratic nation” (Dam, 1996: xiii). If the privacy of law-abiding citizens is protected, then the identities and communications of criminals and terrorists are also protected. The double-edged sword is reflected, for example, in the words of Barth and Smith (1997: 283), who note how, since its advent, government encryption regulation has been driven by “two distinct interests”: a foreign intelligence interest in gathering information implicated in national security and a law enforcement interest in collecting evidence of criminal activity. Szafran (1998: 45) wrote that governments face a real dilemma as two contradictory political objectives are at play.

In a networked environment, sophisticated cryptography is a necessity for protecting the privacy of personal information and the secrecy of confidential business or classified national security information. At the same time, the use of cryptography may impair the ability of law enforcement agencies to combat crime and protect national security. Since cryptographic freedom would allow everyone, including criminals, drug dealers, and terrorists, to be confident in their Internet communications, governments have had to face the fundamental question of whether or not they should legislate against cryptography (Singh, 1999). Denning also warned that the widespread availability of unbreakable encryption software, coupled with anonymous re-mailing services, could well lead to “a situation where practically all communications are immune from lawful interception (wire-taps) and documents from lawful search and seizure” (1997: 176).

How much information can a democratic nation collect in order to ensure public order and defend national security, without violating its citizens’ “right to be left alone”? Tellingly, throughout the whole of the 1990s, the US government position on the question was torn between two conflicting interests. On the one hand, law enforcement (the FBI) and the national intelligence community (mostly the NSA) wanted to maintain the status quo, that is, cryptography under strict federal control. On the other side, civil