Why criminalizing Crypto is wrong

Felony SSL

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Opinion The Justice Department's plan to make routine encryption illegal in the hands of criminals will hurt law abiding citizens, and prove catastrophic for Internet security, writes Mark Rasch

There is nothing like the fear of weapons of mass destruction to bring out weary old legislative proposals. Earlier this month, it leaked out that the Justice Department was considering a broad expansion of its investigative authority, including the creation of new criminal offenses, ostensibly to assist in the fight against terrorism. Many of the proposals contained in the "Domestic Security Enhancement Act of 2003" had nothing to do with fighting terrorism, but would substantially increase penalties for such mundane offenses as wire fraud or claiming too many deductions on a federal tax return.

One such proposal -- which has been floated out many times before -- is the idea of making a new crime out of using encryption in during the course of commission of a different and unrelated crime.

The language would create a new offense which would punish anyone who "during the commission of a felony under Federal law, knowingly and willfully encrypts any incriminating communication or information relating to that felony." It defines encryption as referring to "the scrambling (and descrambling) of wire communications, electronic communications, or electronically stored information, using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering, such communications or information."

This is a bad idea.

A few preliminary observations: the proposed law applies to any federal felony, not simply terrorism or related offenses. And it punishes the encrypting of any communication related to the offense -- not simply encrypting communications with the intention to conceal or obstruct the offense. It also takes an expansive definition of encryption to include not only encryption that is used to protect the confidentiality of the communication, but also encryption that may be used to authenticate -- such as digital signatures.
If you order a book from Amazon.com and fail to pay state tax, the SSL session with Amazon supports a five year felony.

Is this Law Necessary?

It is true that terrorists have in the past used encryption both to conceal their activities and to authenticate themselves to others. Terrorist investigations like those of Ramsey Yousef, Aum Shinri Kyo, Bolivian terrorist organizations, and domestic terrorist plots including plans to bomb New York subways, and plots to attack IRS offices, have all revealed encrypted files, most of which were decrypted because investigators either found the keys or were otherwise able to crack the encryption.

It's also true that as criminals become more sophisticated, cracking their crypto will become more difficult. Make no mistake about it -- in the future, serious crimes, including terrorism, will go undetected because of the ubiquitous use of encryption.

But this is a bad proposal. For one thing, it's hopelessly overbroad. Even if it was limited to "terrorist offenses" it would be overbroad, since the government ultimately gets to determine what kinds of offenses are so defined. For example, from 2001 to 2002 federal "terrorism" prosecutions increased by over 1,000%, from 115 to 1,202. However, a closer look at these cases reveals a large number of minor crimes -- such as using fictitious social security numbers to obtain airport employment. In fact, the median sentences for these "terrorism" crimes dropped from 21 months in 2001 to a mere two months in 2002.

In any event, the proposal is not limited to encryption related to terrorism, but to encryption related to any federal crime. Sure, if you never do anything illegal, you have nothing to worry about -- or do you?

If you take too many deductions on your tax return (or fail to declare those frequent-flier miles as income), and then e-file over a Web site that uses SSL, this becomes an additional five-year felony.

Felony SSL

If you order a book from Amazon.com, and fail to pay the state "use tax" (yes, you still owe tax on it, even if it's shipped out of state), the SSL session with Amazon supports a five year felony, in addition to whatever penalty comes with the "wire fraud" scheme to defraud your state out of its five bucks in tax. Withdraw $9,000 twice from an ATM and you might get pinched for both money laundering and crypto crime -- even if the money is totally legitimate.

Significantly, the proposal does not even require that the encryption assist or further the crime or its concealment, or that it be intended to do so -- only that the encryption occur "during the course" of the commission of the felony and that the communication "relates" to the felony.

It is nearly a universal practice among prosecutors to "load up" a defendant with criminal charges: adding money laundering, racketeering, forfeiture, or conspiracy to garden variety crimes like theft or fraud. Many of these charges carry penalties and sanctions much more onerous than those for the underlying offense, a fact prosecutors frequently use to induce individuals to waive their right to trial and to plead guilty in return for dismissal of the additional charges. Now that people use encryption for routine e-commerce and communication, crypto crimes can be added to almost any type of federal felony.

We already have an effective obstruction of justice statute -- one that requires proof that a defendant's actions were designed to corruptly impede the due administration of justice. Federal sentencing guidelines already enhance sentences if the defendant took steps, including the use of encryption, to conceal or impede an investigation.

The new legislative proposal would be counterproductive. It could stigmatize encryption as a criminal tool. People will grow wary of using crypto, consequently vendors will become wary of building it in to products, and ultimately the nation will become less secure.

Let's go after crime and terrorism vigorously. This new proposal, unrelated to terrorism, is merely a tool to enhance penalties for ordinary crimes, and should be rejected.

© Security Focus Online

Mark D. Rasch, J.D., is the Senior Vice President and Chief Security Counsel at Solutionary Inc. He lives in McLean, Virginia.

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
prev story


Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.