Encryption

General Overview
Encryption is a means of protecting any computer-related communication from wiretapping or interception. It scrambles information generated by a computer, stored in a computer, or transmitted through a computer so that the information can only be retrieved in an intelligible form by someone with the key to unscramble it.

In its most basic form, encryption amounts to a "scrambling" of data using mathematical principles that can be followed in reverse to "unscramble" the data. File encryption thus simply converts a file from a manipulable file format (e.g., a word processor document or a picture file that can be opened or viewed with appropriate software) to a scrambled format. Authorization in the form of possession of an appropriate "key" is required to "decrypt" the file and restore it to its manipulable format.

Encryption Technology
Encryption techniques use "keys" to control access to data that has been "encrypted." Encryption keys are actually strings of alphanumeric digits that are plugged into a mathematical algorithm and used to scramble data using that algorithm. Scrambling means that the original sequence of binary digits (i.e., the 1s and 0s that make up a digital file) that constitute the information object is transformed using a mathematical algorithm into a new sequence of binary digits (i.e., a new string of 1s and 0s). The result is a new sequence of digital data that represents the "encrypted" work. Anyone with the key can decrypt the work by plugging it into a program that applies the mathematical algorithm in reverse to yield the original sequence of binary digits that comprise the file. Although most commonly thought of as a tool for protecting works transmitted via computer networks, encryption can be and is used with virtually all information delivery technologies, including telephone, satellite and cable communications. Of course, once the work is decrypted by someone with the key, there may be no technological protection for the work if it is stored and subsequently redistributed in its "decrypted" or original format.

Issues in Law Enforcement and National Security
Encryption is important for the protection of government, commercial, and private information and communications, but over the last several years, police and intelligence authorities have expressed growing concerns that unregulated access to, and use of, encryption might have unfortunate consequences. “If unbreakable encryption proliferates, critical law enforcement tools would be nullified. For example, even if the Government satisfies the rigorous legal and procedural requirements for obtaining an order to tap the phones of drug traffickers, the wiretap would be worthless if the intercepted communications amount to an unintelligible jumble of noises or symbols.

Or we might legally seize the computer of a terrorist or a child molester using the Internet and be unable to read the data identifying his targets or his plans.” Security and Freedom Through Encryption (SAFE) Act: Hearing Before the Subcomm. on Courts and Intellectual Property of the House Comm. on the Judiciary, 105th Cong., 1st Sess. 33 (1997) (testimony of Deputy Ass’t Att’y Gen. Robert S. Litt). See also The Administration’s Clipper Chip Key Escrow Encryption Program: Hearing Before the Subcomm. on Technology and the Law of the Senate Comm. on the Judiciary, 103rd Cong., 2d Sess. 4-5 (1994) (testimony of Ass’t Att’y Gen. Jo Ann Harris) (“if intercepted criminal conversations are encrypted, we need the ability to cut through the encryption, just as we need a translator to cut through the foreign language. . . . [H]igh-quality voice encryption in an affordable, portable easy to use form will soon be widely available on the market. . . . We worry. . . that such devices will also be used by criminal organizations to shield their illegal enterprises”); Encryption and Computer Privacy: Hearing Before the Senate Comm. on the Judiciary, 105th Cong., 1st Sess. (1997) (FBI Director Louis Freeh) (“If we have access per court order to the conversation of someone who has committed a crime or is about to commit a heinous crime, whether it be an act of terrorism or kidnapping, and the federal, state, and local officers who are listening to that court-authorized conversation or looking for the data which is stored somewhere can’t understand it, the access really is not meaningful. If we have all the legal authorities and the technical accessibility to that information but we can’t understand it in real-time, it doesn’t do us and the people that we have to protect and the country very much good.”).

The difficult question is how best to ensure the benefits of encryption while avoiding the dangers it might also bring. Law enforcement officials and others have argued that the proper equation consists of four elements: (1) strong encryption available to protect governmental, business and private information; (2) criminal laws outlawing the use of encryption in furtherance of greater crimes or perhaps even more broadly; (3) a key recovery feature in all encryption that allows the encrypted affairs of terrorists and other criminals to be unlocked; and (4) development of a profession of trusted custodians for those keys (sometimes referred to as a key escrow or key management infrastructure). Reaction to their proposals has thus far been mixed.

The federal government has been a major contributor to the development of stronger encryption.

Export Controls
Although it enacted no new criminal penalties for the criminal use of encryption, for several years the federal government greatly restricted exports of encryption technology backed by the threat of criminal penalties. Encryption products were subject to export restrictions whose generosity depended upon the strength of the encryption and the receptivity of their exporters to a “key recovery” system. The International Emergency Economic Powers Act (IEEPA) authorizes the President to regulate certain import and export activities (50 U.S.C. §1702), in order to deal with “unusual and extraordinary threat[s]. . . to the national security, foreign policy, or economy of the United States.” 50 U.S.C. §1701. The President relied upon these powers, E.O. 12131 (as amended, 50 U.S.C. §1701 note), to revive otherwise expired portions of the Export Administration Act of 1979 (50 U.S.C. App. 2401 to 2410c) and regulations promulgated thereunder. Pursuant to these powers he authorized the Department of Commerce to promulgate regulations for the issuance of the necessary export licenses covering encryption products. E.O. 13026, 61 Fed. Reg. 58767 (Nov. 19, 1996). The Department of Commerce issued interim encryption export license regulations. 61 Fed. Reg. 68572 (Dec. 30, 1996) (date omitted hereafter). Violations of any license, order, or regulation issued under IEEPA are punishable by civil penalties of up to $10,000 and by criminal penalties of imprisonment for not more than 10 years and/or a fine of not more than $50,000. 50 U.S.C. §1705. Encryption software and equipment could not be exported without a license. 15 C.F.R. 736.2(7), 61 Fed. Reg. 68579 (Dec. 30, 1996). Certain “cryptographic equipment specially designed and limited for use in machines for banking. . . transactions” was not controlled by these restrictions, 15 C.F.R. Supp. No.1 to part 774, 61 Fed. Reg. 68586.

Export licenses for 40-bit mass-market encryption software were issued subject to a one-time expedited review process. 15 C.F.R. 742.15 (61 Fed. Reg. 68581) and Supplement No.6 to Pt. 742 (61 Fed. Reg. 68583-584).

Export licenses for 56-bit encryption software were issued for software that contained key escrow, key recovery or key recoverable features or for 56-bit software without such features but whose producers submitted a detailed plan for the steps to be taken before January 1, 1999 for the creation of 56-bit software with such features. 15 C.F.R. 742.15 (61 Fed. Reg. 68581-582) and Supplements 4, 5 & 7 to Pt.742 (61 Fed. Reg. 68582-584). “Key escrow,” “key recovery,” and “key recoverable” all refer to features where a “key” that will unlock encrypted information is held by the manufacturer of the encryption product or some other individual or entity from whom it may be obtained by authorities, Office of Tech. Assessment, Issue Update on Information Security and Privacy in Network Environments 6 (June 1995); Supplemental Information, 61 Fed. Reg. 68575 (“For purposes of this rule, ‘recovery encryption products’ refers to products (including software) that allow government officials to obtain under proper legal authority and without the cooperation or knowledge of the user, the plaintext of encrypted data and communications”).

Prior to the invocation of the President’s authority under IEEPA, the Arms Export Control Act, 22 U.S.C. §§2751 to 2596, and the International Traffic in Arms Regulations, 22 C.F.R. 120-130 (rev. as of Apr. 1, 1996), had been used for some time to restrict encryption exports. National Res. Council, Cryptography’s Role in Securing the Information Society, A Brief History of Cryptography Policy (1996); "Public Cryptography, Arms Export Controls, and the First Amendment: A Need for Legislation," 17 Cornell Int’l L.J. 197 (1994); "Cryptography, Export Controls, and the First Amendment in Bernstein v. United States Department of State," 10 Harv. J. of L. & Tech. 667 (1997). Effective enforcement of the export restrictions, however, posed certain First Amendment complications. "Constitutional Law — Free Speech Clause — Sixth Circuit Classifies Computer Source Code as Protected Speech — Junger v. Daley, 209 F.3d 481 (6th Cir. 2000)," 114 Harv. L. Rev. 1813 (2001). The restrictions, however, have been substantially reduced, particularly with respect to exports to the European Union and several other industrialized countries.

VoIP
Encryption serves two purposes for VoIP: privacy protection, by encrypting voice data, and message authentication, which protects the origin and integrity of voice packets. Encryption may be done using either a stream or block cipher. If a stream cipher is used, very little delay is introduced if the key stream can be produced before or at least as fast as voice data arrives. In this case there will be only one bit of delay as the cipher stream is applied. Block ciphers may require one block of delay, which will vary with the method used, but still require relatively little overhead.
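
The two purposes described above, as an added example that is not part of the original article: a Python sketch in which the keystream for each voice packet is produced before the audio arrives, so only an XOR and a tag computation remain on the live path. The HMAC-SHA256 counter-mode keystream is a stand-in for a vetted stream cipher, and the frame size, tag length, keys and function names are assumptions.

```python
import hashlib
import hmac

FRAME_LEN = 160   # constructed: one 20 ms frame of 8 kHz, 8-bit audio
TAG_LEN = 10      # truncated tag length, an assumption for this sketch
ENC_KEY = bytes(range(32))      # constructed demo keys; encryption and
MAC_KEY = bytes(range(32, 64))  # authentication use separate keys

def keystream(enc_key, seq, length):
    """Keystream for packet `seq`: HMAC-SHA256 run in counter mode.
    Stand-in for a vetted stream cipher; each (key, seq) is used once."""
    out, block = bytearray(), 0
    while len(out) < length:
        msg = seq.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(enc_key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def tag_for(mac_key, header, ct):
    return hmac.new(mac_key, header + ct, hashlib.sha256).digest()[:TAG_LEN]

def protect(mac_key, seq, frame, pad):
    """Live path: XOR the frame with a ready pad, then authenticate."""
    header = seq.to_bytes(8, "big")
    ct = xor(frame, pad)
    return header + ct + tag_for(mac_key, header, ct)

def unprotect(enc_key, mac_key, packet):
    """Verify origin and integrity first; decrypt only if the tag matches."""
    header, ct, tag = packet[:8], packet[8:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, tag_for(mac_key, header, ct)):
        return None
    seq = int.from_bytes(header, "big")
    return xor(ct, keystream(enc_key, seq, len(ct)))

def demo():
    # Pads for the next packets are produced before any audio arrives.
    pads = {seq: keystream(ENC_KEY, seq, FRAME_LEN) for seq in range(3)}
    frame = bytes((i * 7) % 256 for i in range(FRAME_LEN))  # constructed audio
    packet = protect(MAC_KEY, 1, frame, pads[1])
    forged = packet[:20] + bytes([packet[20] ^ 1]) + packet[21:]
    return (unprotect(ENC_KEY, MAC_KEY, packet) == frame,
            unprotect(ENC_KEY, MAC_KEY, forged))

if __name__ == "__main__":
    print(demo())  # (True, None)
```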