[364] in Best-of-Security


BoS: Terrorists made me do it.

daemon@ATHENA.MIT.EDU (Nev Dull)
Mon Sep 22 22:15:38 1997

Date: Fri, 19 Sep 1997 16:17:00 -0400 (EDT)
From: Nev Dull <nev@bostic.com>
Old-X-Originally-To: To: nev@bostic.com (/dev/null)
Old-X-Originated-From: From: Nev Dull <nev@bostic.com>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au


Forwarded-by: Phil Agre <pagre@weber.ucsd.edu>

Date: Thu, 18 Sep 1997 13:08:56 -0400
From: Andrew Grosso <agrosso@ACCESS.DIGEX.NET>
Approved: darrenr@cyber.com.au
X-Originally-To: To: nev@bostic.com (/dev/null)
X-Originated-From: From: Nev Dull <nev@bostic.com>

[Published last year in the Federal Bar Journal.]

THE LAW ENFORCEMENT ARGUMENT FOR MANDATORY KEY ESCROW ENCRYPTION:
THE "DANK" CASE REVISITED
by Andrew Grosso

     (This article is a revised version of a talk given by the author at
the 1996 RSA Data Security Conference, held in San Francisco, California.
Mr. Grosso is a former federal prosecutor who now has his own law practice
in Washington, D.C.  His e-mail address is agrosso@acm.org.)

     I would like to start by telling a war story.  Some years ago, while
I was an Assistant U.S. Attorney, I was asked to try a case which had been
indicted by one of my colleagues.  For reasons which will become clear,
I refer to this case as "the Dank case."

     The defendant was charged with carrying a shotgun.  This might not
seem so serious, but the defendant had a prior record.  In fact, he had
six prior convictions, three of which were considered violent felonies.
Because of that, this defendant was facing a mandatory fifteen years
imprisonment, without parole.  Clearly, he needed an explanation for why
he was found in a park at night carrying a shotgun.  He came up with one.

     The defendant claimed that another person, called "Dank," forced him
to carry the gun.  "Dank," it seems, came up to him in the park, put the
shotgun in his hands, and then pulled out a handgun and put the handgun
to the defendant's head.  "Dank" then forced the defendant to walk from
one end of the park to the other, carrying this shotgun.  When the police
showed up, "Dank" ran away, leaving the defendant holding the bag, or, in
this case, the shotgun.

     The jurors chose not to believe the defendant's story, although they
spent more time considering it than I would like to admit.  After the
trial, the defendant's story became known in my office as "the Dank
defense."  As for myself, I referred to it as "the devil made me do it."

     I tell you this story because it reminds me of the federal
government's efforts to justify domestic control of encryption.  Instead
of "Dank," it has become, "drug dealers made me do it;" or "terrorists
made me do it;" or "crypto anarchists made me do it."  There is as much of
a rational basis behind these claims as there was behind my defendant's
story of "Dank."  Let us examine some of the arguments the government has
advanced.

     It is said that wiretapping is indispensable to law enforcement.
This is not the case.  Many complex and difficult criminal investigations
have been successfully concluded, and successfully argued to a jury, where
no audio tapes existed of the defendants incriminating themselves.  Of
those significant cases, cited by the government, where audio tapes have
proved invaluable, such as in the John Gotti trial, the tapes have been
made through means of electronic surveillance other than wire tapping,
for example, through the use of consensual monitoring or room bugs.  The
unfettered use of domestic encryption could have no effect on such
surveillance.

     It is also said that wiretapping is necessary to prevent crimes.
This, also, is not the case.  In order to obtain a court order for a wire
tap, the government must first possess probable cause that a crime is
being planned or is in progress.  If the government has such probable
cause concerning a crime yet in the planning stages, and has sufficient
detail about the plan to tap an individual's telephone, then the
government almost always has enough probable cause to prevent the crime
from being committed.  The advantage which the government gains by use of
a wiretap is the chance to obtain additional evidence which can later be
used to convict the conspirators or perpetrators. Although such
convictions are desirable, they must not be confused with the ability to
prevent the crime.

     The value of mandating key escrow encryption is further eroded by
the availability of super encryption, that is, using an additional
encryption where the key is not available to the government.  True, the
government's mandate would make such additional encryption illegal;
however the deterrence effect of such legislation is dubious at best.  An
individual planning a terrorist act, or engaging in significant drug
importation, will be little deterred by prohibitions on the means for
encoding his telephone conversations.  The result is that significant
crimes will not be affected or discouraged.

     In a similar vein, the most recent estimates of the national cost
for implementing the Digital Telephony law, which requires that commercial
telecommunications companies wiretap our nation's communications network
for the government's benefit, are approximately three billion dollars.
Three billion dollars will buy an enormous number of police man hours,
officer training, and crime fighting equipment.  It is difficult to see
that this amount of money, by being spent on wire tapping the nation, is
being spent most advantageously with regard to law enforcement's needs.

     Finally, the extent of the federal government's ability to legislate
in this area is limited.  Legislation for the domestic control of
encryption must be based upon the commerce clause of the U.S.
Constitution.  That clause would not prohibit an individual in, say, the
state of California from purchasing an encryption package manufactured in
California, and using that package to encode data on the hard drive of
his computer, also located in California.  It is highly questionable
whether the commerce clause would prohibit the in-state use of an
encryption package which had been obtained from out of state, where all
the encryption is done in-state and the encrypted data is maintained
in-state.  Such being the case, the value of domestic control of encryption
to law enforcement is doubtful.

     Now let us turn to the disadvantages of domestic control of
encryption.  Intentionally or not, such control would shift the balance
which exists between the individual and the state.  The individual would
no longer be free to conduct his personal life, or his business, free from
the risk that the government may be watching every move.  More to the
point, the individual would be told that he would no longer be allowed to
even try to conduct his life in such a manner.  Under our constitution,
it has never been the case that the state had the right to obtain evidence
in a criminal investigation.  Rather, under our constitution, the state
was given the right to attempt to obtain such evidence.  The distinction
is crucial:  it is the difference between the operation of a free society,
and the operation of a totalitarian state.

     Our constitution is based upon the concept of ordered liberty.  That
is, there is a balance between law and order, on the one hand, and the
liberty of the individual on the other.  This is clearly seen in our
country's bill of rights, and the constitutional protections afforded our
accused:  evidence improperly obtained is suppressed; there is a ban on
the use of involuntary custodial interrogation, including torture, and
any questioning of the accused without a lawyer; we require unanimous
verdicts for convictions; and double jeopardy and bills of attainder are
prohibited.  In other words, our system of government expressly tolerates
a certain level of crime and disorder in order to preserve liberty and
individuality.  It is difficult to conceive that the same constitution
which is prepared to let a guilty man go free, rather than admit an
illegally seized murder weapon into evidence at trial, can be interpreted
to permit wholesale, nationwide, mandatory surveillance of our nation's
telecommunications system for law enforcement purposes.  It is impossible
that the philosophy upon which our system of government was founded could
ever be construed to accept such a regime.

     I began this talk with a war story, and I would like to end it with
another war story.  While a law student, I had the opportunity to study
in London for a year.  While there, I took one week, and spent it touring
the old Soviet Union.  The official Soviet tour guide I was assigned was
an intelligent woman.  As a former Olympic athlete, she had been permitted
in the 1960's to travel to England to compete in international tennis
matches.  At one point in my tour, she asked me why I was studying in
London.  I told her that I wanted to learn what it was like to live
outside of my own country, so I chose to study in a country where I would
have little trouble with the language.  I noticed a strange expression on
her face as I said this.  It was not until my tour was over and I looked
back on that conversation that I realized why my answer had resulted in
her having that strange look.  What I had said to her was that I had
chosen to go overseas to study; further, I had said that I had chosen
where to go.  That I could make such decisions was a right which she and
her fellow citizens did not have.  Yes, she had visited England, but it
was because her government chose her to go, and it was her government
which decided where she should go.  In her country, at that time, her
people had order, but they had no liberty.

     In our country, the domestic control of encryption represents a shift
in the balance of our liberties.  It is a shift not envisioned by our
constitution.  If ever to be taken, it must be based upon a better
defense than what "Dank," or law enforcement, can provide.


