Codes of practice

Internet

Peter Mandelson's departure has caused pain in some unexpected quarters. He turns out to have had a reputation as a libertarian when it comes to defending the privacy of ordinary citizens. If I say he was more liberal than Jack Straw, this may sound like a joke. But in the tug of war between the Home Office and the DTI over electronic commerce and the apparently arcane subject of key escrow, what is being pulled back and forth is the right of ordinary law-abiding citizens of European countries to communicate among themselves without the American government listening in. The Home Office is on the American side; and that's not a joke at all.

The question is not, unfortunately, how to prevent terrorists or mafias from acquiring the means of secure communications. That has been available to any interested party at least since 1991, when friends of an American programmer named Phil Zimmerman released on to the Net something he had written called Pretty Good Privacy, or PGP, a set of programs which enabled anyone sufficiently interested to wrap up their messages in a mathematical lock which not even the most powerful supercomputers imaginable can break.

The mathematical principles behind this were discovered, so far as we know, in 1976 by Whit Diffie, a charming, blue-eyed, bearded man with white-blond hair curling down his chest. It is possible that before then the NSA, the American cryptographic agency, had known them and not told anyone. What is certain is that the American government has since made strenuous efforts to stop the widespread use of these unbreakable mathematical locks, which are known as strong encryption.

The applications of these mathematical principles, and their incarnation in computer code, is controlled under the laws governing the export of strategic weapons. This was not wholly ridiculous in principle. In some ways these arcane mathematical discoveries have shifted the technological balance of advantage away from democratic governments and towards their enemies, whether these are drug cartels or terrorist groups, in ways that we should all regret. But in practice, the attempt has been both ridiculous and damaging. The anarchic and libertarian culture of the Net revolted against the attempt to stop the spread of ideas. People produced T-shirts with encryption programs on them: if they walked through customs wearing them, were they carrying the equivalent of atom bombs? Attempts to jail Zimmerman left him with the pleasures of martyrdom without the pains. The genie is out of the bottle for ever.

The question for governments is how to deal most constructively with this problem. Strong encryption is a technology that can be incredibly useful, and in fact the world's economy is already dependent on it. What else do you think protects your money when it travels around the computers of the banking system?

The growth of electronic commerce depends on cyberspace being a safe place for money, and that, in turn, depends on the widespread availability of uncrackable encryption. It is this commercial angle which brought Mandelson into the argument, since there is a clear competitive advantage to the country which allows businesses the most security in their transactions. But this advantage runs completely counter to the interests of the spooks.

Since terrorists and mafias can no longer be denied access to strong encryption, the American and British secret services have concentrated their efforts on denying it to the rest of us. The strength of any encryption scheme is measured by key length: the longer the key, the more time it takes a hostile computer to crack it. A key 128 bits long is completely impregnable; one only 40 bits long can be broken in real time by the kind of supercomputers that the secret services have access to, and in a couple of hours by anyone sufficiently interested.

What governments would like, of course, is a system which meant that they and they alone could read everyone else's messages - and there appears to be a technological compromise that makes this possible. It's known as key escrow, and really means that the government (in practice, this means the American government) holds at least half of all the keys in the world. So if you buy a popular and useful piece of software like Lotus Notes, which holds together organisations as diverse as the Swedish government and Amnesty International, it comes with 56-bit encryption: but the American NSA already knows 16 of these bits. So it can read all the internal documents it wants to, even if no one else outside the organisation can.

Looked at politically in this way, the story is terribly simple, though the technology behind it is completely incomprehensible. The British government's policy is still not clear, perhaps even to itself. But Mandelson, it would appear, was on the side of the angels in the DTI, and willing to let grown-ups keep their own secrets. Let's hope his successor is as clear-sighted.

This article first appeared in Stuff the millennium

1999-01-08