Why criminalizing Crypto is wrong

Opinion The Justice Department's plan to make routine encryption illegal in the hands of criminals will hurt law abiding citizens, and prove catastrophic for Internet security, writes Mark Rasch

There is nothing like the fear of weapons of mass destruction to bring out weary old legislative proposals. Earlier this month, it leaked out that the Justice Department was considering a broad expansion of its investigative authority, including the creation of new criminal offenses, ostensibly to assist in the fight against terrorism. Many of the proposals contained in the "Domestic Security Enhancement Act of 2003" had nothing to do with fighting terrorism, but would substantially increase penalties for such mundane offenses as wire fraud or claiming too many deductions on a federal tax return.

One such proposal -- which has been floated out many times before -- is the idea of making a new crime out of using encryption in during the course of commission of a different and unrelated crime.

The language would create a new offense which would punish anyone who "during the commission of a felony under Federal law, knowingly and willfully encrypts any incriminating communication or information relating to that felony." It defines encryption as referring to "the scrambling (and descrambling) of wire communications, electronic communications, or electronically stored information, using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering, such communications or information."

This is a bad idea.

A few preliminary observations: the proposed law applies to any federal felony, not simply terrorism or related offenses. And it punishes the encrypting of any communication related to the offense -- not simply encrypting communications with the intention to conceal or obstruct the offense. It also takes an expansive definition of encryption to include not only encryption that is used to protect the confidentiality of the communication, but also encryption that may be used to authenticate -- such as digital signatures.
If you order a book from Amazon.com and fail to pay state tax, the SSL session with Amazon supports a five year felony.

Is this Law Necessary?

It is true that terrorists have in the past used encryption both to conceal their activities and to authenticate themselves to others. Terrorist investigations like those of Ramsey Yousef, Aum Shinri Kyo, Bolivian terrorist organizations, and domestic terrorist plots including plans to bomb New York subways, and plots to attack IRS offices, have all revealed encrypted files, most of which were decrypted because investigators either found the keys or were otherwise able to crack the encryption.

It's also true that as criminals become more sophisticated, cracking their crypto will become more difficult. Make no mistake about it -- in the future, serious crimes, including terrorism, will go undetected because of the ubiquitous use of encryption.

But this is a bad proposal. For one thing, it's hopelessly overbroad. Even if it was limited to "terrorist offenses" it would be overbroad, since the government ultimately gets to determine what kinds of offenses are so defined. For example, from 2001 to 2002 federal "terrorism" prosecutions increased by over 1,000%, from 115 to 1,202. However, a closer look at these cases reveals a large number of minor crimes -- such as using fictitious social security numbers to obtain airport employment. In fact, the median sentences for these "terrorism" crimes dropped from 21 months in 2001 to a mere two months in 2002.

In any event, the proposal is not limited to encryption related to terrorism, but to encryption related to any federal crime. Sure, if you never do anything illegal, you have nothing to worry about -- or do you?

If you take too many deductions on your tax return (or fail to declare those frequent-flier miles as income), and then e-file over a Web site that uses SSL, this becomes an additional five-year felony.

Felony SSL

If you order a book from Amazon.com, and fail to pay the state "use tax" (yes, you still owe tax on it, even if it's shipped out of state), the SSL session with Amazon supports a five year felony, in addition to whatever penalty comes with the "wire fraud" scheme to defraud your state out of its five bucks in tax. Withdraw $9,000 twice from an ATM and you might get pinched for both money laundering and crypto crime -- even if the money is totally legitimate.

Significantly, the proposal does not even require that the encryption assist or further the crime or its concealment, or that it be intended to do so -- only that the encryption occur "during the course" of the commission of the felony and that the communication "relates" to the felony.

It is nearly a universal practice among prosecutors to "load up" a defendant with criminal charges: adding money laundering, racketeering, forfeiture, or conspiracy to garden variety crimes like theft or fraud. Many of these charges carry penalties and sanctions much more onerous than those for the underlying offense, a fact prosecutors frequently use to induce individuals to waive their right to trial and to plead guilty in return for dismissal of the additional charges. Now that people use encryption for routine e-commerce and communication, crypto crimes can be added to almost any type of federal felony.

We already have an effective obstruction of justice statute -- one that requires proof that a defendant's actions were designed to corruptly impede the due administration of justice. Federal sentencing guidelines already enhance sentences if the defendant took steps, including the use of encryption, to conceal or impede an investigation.

The new legislative proposal would be counterproductive. It could stigmatize encryption as a criminal tool. People will grow wary of using crypto, consequently vendors will become wary of building it in to products, and ultimately the nation will become less secure.

Let's go after crime and terrorism vigorously. This new proposal, unrelated to terrorism, is merely a tool to enhance penalties for ordinary crimes, and should be rejected.

© Security Focus Online

Mark D. Rasch, J.D., is the Senior Vice President and Chief Security Counsel at Solutionary Inc. He lives in McLean, Virginia.