I've been engaging in another little back-and-forth with Robert X. Cringely, this time on the matter of cryptography, and whether or not the US government could conceivably regulate it. This is another of those Spetember 11 fallout things: there has been some suggestion that the US government should mandate the use of cryptography that has a back door built into it, so that law enforcement can always decrypt any message, should they need to. This isn't a new concept, but what with Spetember 11 and suggestions that this could be used to catch terrorists (a dubious claim, but that doesn't seem to matter), there might be considerable public support for it this time, albeit only among those people who don't really understand cryptography (which, incidentally, happens to be a majority).

As one small subsection of a much longer and wide-ranging column, Cringely suggests that mandating backdoored crypto is wrongheaded for two reasons. First is getting people to actually use the backdoored stuff when strong, secure crypto is still available elsewhere for download on the Internet. Second is the monitoring and enforcement requirement of such a mandate. Cringely asks, rhetorically, whether many would stand for the FBI randomly sampling email to monitor compliance.

These objections struck me as having the wrong focus. Let us start by asking, "why mandate backdoor crypto in the first place?" It's reasonably clear that the point of such an exercise would be to make all communications (within the US at least) intelligible by US law enforcement. If they intercept an encrypted message, they won't be able to understand it unless they can decrypt it, and such a law would guarantee that they can decrypt it.

Based on this, I think the "monitoring and enforcement" objection is bogus: the only instances they need to enforce are the ones they intercept. If the FBI is tapping someone's email, then presumably they have shown reasonable cause to do so — some sort of other evidence linking the subject to criminal activity. If this person turns out to be using strong crypto in his communications, then the FBI can nail him for it. If he's not using strong crypto, then they can gather their evidence, if there is any.

Perhaps the law could be expressed as, "thou shalt not use strong cryptography to hinder the efforts of law enforcement." That would make it legal to use strong crypto unless the long arm of the law got involved. Would this be at odds with the infamous Fifth Amendment, which protects against self-incrimination? If the law wants to read your mail and requests your crypto keys, could you legitimately refuse on the basis of self-incrimination? Would a law mandating that you divulge your crypto keys to law enforcement be unconstitutional? Quite possibly.

So what if it were a blanket ban on strong crypto, with severe penalties? Cringely tells me it wouldn't work, because it would face immediate and massive civil disobedience, and as such could not stand. "If one person speeds, he gets a ticket. If 250,000 people speed, they raise the speed limit." I'm unpersuaded by this. Is there some guarantee that publicly breaking the law on a large scale invalidates the law? What recourse exists against selective enforcement?

The speed limit comparison is a bit strained, because speeding is a matter of degree, not a black and white issue like whether or not you are using a backdoored crypto algorithm. I think, in Australia at least, many people speed most of the time, and whether or not you actually get booked for it is a bit arbitrary. The faster you go, the more likely it is that you'll get booked, but it's also a matter of luck, circumstance, and whether the cop in question felt like it. Even so, the most recent trend in my neck of the woods was for speed limits to be revised downward in the name of safety, not upwards because people generally want to drive faster than the existing limits.

On the matter of selective enforcement, Cringely responded like so.

Selective enforcement doesn't work if the deliberate violators are very forward about their violations. National "Be a Felon and Send an Encrypted Mothers' Day Card Day" would be difficult to ignore, yet ignoring it means those few who ARE charged can claim racial or ethnic profiling and violation of their civil rights. So it's throw 500,000 people in jail or change the law. They'll change the law.

I'm still unconvinced. If I were acting in the role of law enforcement (and playing Devil's Advocate whilst I'm at it), then I'd use a strong anti-crypto law as a trump card. Go ahead: have your Encrypted Mothers' Day Card event and watch me smile and ignore you. I don't care how publicly you claim to have used strong crypto: I'm not likely to see any real evidence for it, and nor is anyone else — another reason that crypto is unlike speeding. I'll shrug it off and call it naïve, telling the press that these eccentrics don't really understand the sinister forces that we are aiming to catch here, and how much safer this anti-crypto law makes us all. If I'm going to use my anti-crypto trump card on anyone that day, it will be a suspected pedophile or terrorist, or some other such poor unfortunate that nobody is likely to want to defend.

Whether or not the US government actually does anything about crypto in the wake of September 11 remains to be seen. I leave it to you, dear reader, to determine whether Robert X. Cringely or The Famous Brett Watson is more finely attuned to the potential realities of the situation.