Encryption and the Consequences of Public Policy

June 12, 2015

In a world where the development of technology moves quickly and governments tend to move slowly, it is common for public policy to become out of sync with the realities of the market. In many cases, this proves to be a costly nuisance for companies trying to market products and generally engage in business. In others, the consequence can be more severe.

A few weeks ago, we blogged about how difficult it was for someone to crack encryption in light of debates on Capitol Hill about whether policies should be put in place to limit its strength. In March and May, security researchers uncovered two related flaws in the secure sockets layer (SSL) and transport layer security (TLS) protocols commonly used to encrypt web traffic. Both of these flaws appear to be the result of encryption export policies from the 1990s.

The first of the two flaws is FREAK, which allows an attacker monitoring web traffic to inject a packet into a traffic flow between two parties that will force them to use an encryption key that complies with 1990s-era export requirements. The second flaw, Logjam, relies on injecting a packet during the negotiation phase of the communication that forces export-grade encryption to be used. Both bugs can allow the interception of web, email, and virtual private network (VPN) communications that are assumed to be secure.

So how did we end up here?

Up until the 1990s, encryption software was classified as a munition, which made it subject to export controls similar to those for a tank or a stealth bomber. Secure communications are essential to military operations, and prior to the widespread commercial adoption of the Internet, this policy made sense. As Internet usage became more ubiquitous, the task of limiting the export of encryption technology fell to the Department of Commerce.

The policy rationale for limiting the export of encryption was to give US law enforcement and military the ability to intercept encrypted communications and ensure that the US had the best cryptography in the world. This is similar to the rationale that some are providing in the present for the introduction of backdoors into and limits upon encryption technology. During the 1990s, several unsuccessful attempts were made to limit encryption strength, ultimately making export controls the only viable option for controlling its spread and development.

During this time, if a company wished to export encryption of even modest strength, the Department of Commerce had to issue it a license. Companies attempting to export their products containing encryption technology found themselves frequently negotiating with the government and facing the threat of being unable to market their products overseas. Ultimately, this resulted in companies creating US versions of their products and versions for export containing weaker encryption. To ensure that both versions could communicate, the US versions usually included an option for the encryption to be downgraded to export levels.

Over time, the business value of using encryption to protect online communications—specifically in the area of e-commerce where sensitive financial information was being transmitted—became increasingly apparent. This, coupled with the use of the Internet as a means for the distribution of software outside of the control of the US government, ultimately made the encryption export control regime unworkable. As a result, the Clinton Administration lifted most controls on the export of encryption in 1999.

Fast forward to 2015

The use of export-grade encryption remains an option in most modern software. Often this is to ensure backwards compatibility with legacy systems. As technology has progressed at a dizzying pace over the last 16 years, encryption that was intentionally weak in the 1990s is relatively easy to crack now given access to the right resources.

If nothing else, the discovery of FREAK and Logjam is proof that the law of unintended consequences does not have a statute of limitations. Beyond that, it informs the current debates on whether law enforcement should have a backdoor into encryption technologies and whether limitations should be placed on encryption strength. Opponents of measures to limit encryption could easily cite these two flaws as evidence that such policies are harmful to consumers.

In the ever-evolving world of data privacy, policies that were common sense one day can become catastrophic the next. Proactive engagement with policy makers and close monitoring of policy developments, informed by an understanding of the technologies involved, are crucial for businesses to remain competitive.