Why criminalizing Crypto is wrong

Felony SSL

  • alert
  • submit to reddit

Seven Steps to Software Security

Opinion The Justice Department's plan to make routine encryption illegal in the hands of criminals will hurt law abiding citizens, and prove catastrophic for Internet security, writes Mark Rasch

There is nothing like the fear of weapons of mass destruction to bring out weary old legislative proposals. Earlier this month, it leaked out that the Justice Department was considering a broad expansion of its investigative authority, including the creation of new criminal offenses, ostensibly to assist in the fight against terrorism. Many of the proposals contained in the "Domestic Security Enhancement Act of 2003" had nothing to do with fighting terrorism, but would substantially increase penalties for such mundane offenses as wire fraud or claiming too many deductions on a federal tax return.

One such proposal -- which has been floated out many times before -- is the idea of making a new crime out of using encryption in during the course of commission of a different and unrelated crime.

The language would create a new offense which would punish anyone who "during the commission of a felony under Federal law, knowingly and willfully encrypts any incriminating communication or information relating to that felony." It defines encryption as referring to "the scrambling (and descrambling) of wire communications, electronic communications, or electronically stored information, using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering, such communications or information."

This is a bad idea.

A few preliminary observations: the proposed law applies to any federal felony, not simply terrorism or related offenses. And it punishes the encrypting of any communication related to the offense -- not simply encrypting communications with the intention to conceal or obstruct the offense. It also takes an expansive definition of encryption to include not only encryption that is used to protect the confidentiality of the communication, but also encryption that may be used to authenticate -- such as digital signatures.
If you order a book from Amazon.com and fail to pay state tax, the SSL session with Amazon supports a five year felony.

Is this Law Necessary?

It is true that terrorists have in the past used encryption both to conceal their activities and to authenticate themselves to others. Terrorist investigations like those of Ramsey Yousef, Aum Shinri Kyo, Bolivian terrorist organizations, and domestic terrorist plots including plans to bomb New York subways, and plots to attack IRS offices, have all revealed encrypted files, most of which were decrypted because investigators either found the keys or were otherwise able to crack the encryption.

It's also true that as criminals become more sophisticated, cracking their crypto will become more difficult. Make no mistake about it -- in the future, serious crimes, including terrorism, will go undetected because of the ubiquitous use of encryption.

But this is a bad proposal. For one thing, it's hopelessly overbroad. Even if it was limited to "terrorist offenses" it would be overbroad, since the government ultimately gets to determine what kinds of offenses are so defined. For example, from 2001 to 2002 federal "terrorism" prosecutions increased by over 1,000%, from 115 to 1,202. However, a closer look at these cases reveals a large number of minor crimes -- such as using fictitious social security numbers to obtain airport employment. In fact, the median sentences for these "terrorism" crimes dropped from 21 months in 2001 to a mere two months in 2002.

In any event, the proposal is not limited to encryption related to terrorism, but to encryption related to any federal crime. Sure, if you never do anything illegal, you have nothing to worry about -- or do you?

If you take too many deductions on your tax return (or fail to declare those frequent-flier miles as income), and then e-file over a Web site that uses SSL, this becomes an additional five-year felony.

Felony SSL

If you order a book from Amazon.com, and fail to pay the state "use tax" (yes, you still owe tax on it, even if it's shipped out of state), the SSL session with Amazon supports a five year felony, in addition to whatever penalty comes with the "wire fraud" scheme to defraud your state out of its five bucks in tax. Withdraw $9,000 twice from an ATM and you might get pinched for both money laundering and crypto crime -- even if the money is totally legitimate.

Significantly, the proposal does not even require that the encryption assist or further the crime or its concealment, or that it be intended to do so -- only that the encryption occur "during the course" of the commission of the felony and that the communication "relates" to the felony.

It is nearly a universal practice among prosecutors to "load up" a defendant with criminal charges: adding money laundering, racketeering, forfeiture, or conspiracy to garden variety crimes like theft or fraud. Many of these charges carry penalties and sanctions much more onerous than those for the underlying offense, a fact prosecutors frequently use to induce individuals to waive their right to trial and to plead guilty in return for dismissal of the additional charges. Now that people use encryption for routine e-commerce and communication, crypto crimes can be added to almost any type of federal felony.

We already have an effective obstruction of justice statute -- one that requires proof that a defendant's actions were designed to corruptly impede the due administration of justice. Federal sentencing guidelines already enhance sentences if the defendant took steps, including the use of encryption, to conceal or impede an investigation.

The new legislative proposal would be counterproductive. It could stigmatize encryption as a criminal tool. People will grow wary of using crypto, consequently vendors will become wary of building it in to products, and ultimately the nation will become less secure.

Let's go after crime and terrorism vigorously. This new proposal, unrelated to terrorism, is merely a tool to enhance penalties for ordinary crimes, and should be rejected.

© Security Focus Online

Mark D. Rasch, J.D., is the Senior Vice President and Chief Security Counsel at Solutionary Inc. He lives in McLean, Virginia.

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
prev story


Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.