Why criminalizing Crypto is wrong

Felony SSL

  • alert
  • submit to reddit

Using blade systems to cut costs and sharpen efficiencies

Opinion The Justice Department's plan to make routine encryption illegal in the hands of criminals will hurt law abiding citizens, and prove catastrophic for Internet security, writes Mark Rasch

There is nothing like the fear of weapons of mass destruction to bring out weary old legislative proposals. Earlier this month, it leaked out that the Justice Department was considering a broad expansion of its investigative authority, including the creation of new criminal offenses, ostensibly to assist in the fight against terrorism. Many of the proposals contained in the "Domestic Security Enhancement Act of 2003" had nothing to do with fighting terrorism, but would substantially increase penalties for such mundane offenses as wire fraud or claiming too many deductions on a federal tax return.

One such proposal -- which has been floated out many times before -- is the idea of making a new crime out of using encryption in during the course of commission of a different and unrelated crime.

The language would create a new offense which would punish anyone who "during the commission of a felony under Federal law, knowingly and willfully encrypts any incriminating communication or information relating to that felony." It defines encryption as referring to "the scrambling (and descrambling) of wire communications, electronic communications, or electronically stored information, using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering, such communications or information."

This is a bad idea.

A few preliminary observations: the proposed law applies to any federal felony, not simply terrorism or related offenses. And it punishes the encrypting of any communication related to the offense -- not simply encrypting communications with the intention to conceal or obstruct the offense. It also takes an expansive definition of encryption to include not only encryption that is used to protect the confidentiality of the communication, but also encryption that may be used to authenticate -- such as digital signatures.
If you order a book from Amazon.com and fail to pay state tax, the SSL session with Amazon supports a five year felony.

Is this Law Necessary?

It is true that terrorists have in the past used encryption both to conceal their activities and to authenticate themselves to others. Terrorist investigations like those of Ramsey Yousef, Aum Shinri Kyo, Bolivian terrorist organizations, and domestic terrorist plots including plans to bomb New York subways, and plots to attack IRS offices, have all revealed encrypted files, most of which were decrypted because investigators either found the keys or were otherwise able to crack the encryption.

It's also true that as criminals become more sophisticated, cracking their crypto will become more difficult. Make no mistake about it -- in the future, serious crimes, including terrorism, will go undetected because of the ubiquitous use of encryption.

But this is a bad proposal. For one thing, it's hopelessly overbroad. Even if it was limited to "terrorist offenses" it would be overbroad, since the government ultimately gets to determine what kinds of offenses are so defined. For example, from 2001 to 2002 federal "terrorism" prosecutions increased by over 1,000%, from 115 to 1,202. However, a closer look at these cases reveals a large number of minor crimes -- such as using fictitious social security numbers to obtain airport employment. In fact, the median sentences for these "terrorism" crimes dropped from 21 months in 2001 to a mere two months in 2002.

In any event, the proposal is not limited to encryption related to terrorism, but to encryption related to any federal crime. Sure, if you never do anything illegal, you have nothing to worry about -- or do you?

If you take too many deductions on your tax return (or fail to declare those frequent-flier miles as income), and then e-file over a Web site that uses SSL, this becomes an additional five-year felony.

Felony SSL

If you order a book from Amazon.com, and fail to pay the state "use tax" (yes, you still owe tax on it, even if it's shipped out of state), the SSL session with Amazon supports a five year felony, in addition to whatever penalty comes with the "wire fraud" scheme to defraud your state out of its five bucks in tax. Withdraw $9,000 twice from an ATM and you might get pinched for both money laundering and crypto crime -- even if the money is totally legitimate.

Significantly, the proposal does not even require that the encryption assist or further the crime or its concealment, or that it be intended to do so -- only that the encryption occur "during the course" of the commission of the felony and that the communication "relates" to the felony.

It is nearly a universal practice among prosecutors to "load up" a defendant with criminal charges: adding money laundering, racketeering, forfeiture, or conspiracy to garden variety crimes like theft or fraud. Many of these charges carry penalties and sanctions much more onerous than those for the underlying offense, a fact prosecutors frequently use to induce individuals to waive their right to trial and to plead guilty in return for dismissal of the additional charges. Now that people use encryption for routine e-commerce and communication, crypto crimes can be added to almost any type of federal felony.

We already have an effective obstruction of justice statute -- one that requires proof that a defendant's actions were designed to corruptly impede the due administration of justice. Federal sentencing guidelines already enhance sentences if the defendant took steps, including the use of encryption, to conceal or impede an investigation.

The new legislative proposal would be counterproductive. It could stigmatize encryption as a criminal tool. People will grow wary of using crypto, consequently vendors will become wary of building it in to products, and ultimately the nation will become less secure.

Let's go after crime and terrorism vigorously. This new proposal, unrelated to terrorism, is merely a tool to enhance penalties for ordinary crimes, and should be rejected.

© Security Focus Online

Mark D. Rasch, J.D., is the Senior Vice President and Chief Security Counsel at Solutionary Inc. He lives in McLean, Virginia.

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.