HOOVER INSTITUTION

Uncommon Knowledge
"Cybersnoops"

Guests:
David Friedman - professor of law, Santa Clara University
Edwin Meese III - former U.S. attorney general and distinguished visiting fellow, Hoover Institution
Film Date: October 21, 1997

ROBINSON Elcomeway otay Ncommon Knowledgenay, I'm Eterpay Obinsonray. Or, Welcome to Uncommon Knowledge, I'm Peter Robinson. Our show today: encryption. Pig Latin, the child's game, is a simple form of encryption. If you know the code, you know what's being said. Likewise, Leonardo da Vinci, student of a different form of Latin, used a simple technique to keep others from reading his notes. Leonardo wrote backwards. Once again, if you know the code, you know what's being said. From simple encryption to an immensely sophisticated tool, today encryption underlies computer communications of all kinds. If I want to order a book by computer, pick up my credit card, enter the number, hit "enter" and my message to the book company is encrypted. The trouble is, it's not just ordinary computer users that can make use of encryption, it's criminals and it's terrorists as well. That brings us to the issue of today's show. How much access should the government have to computer communications? With us today, two guests. Edwin Meese is the former Attorney General of the United States and a Hoover Institution fellow. David Friedman is a Professor of Law at Santa Clara University.

G-MEN AND E-MAIL
ROBINSON As matters stand today, if the FBI has what a judge considers due cause, the FBI can already open my mail, tap my telephone, bug my house. Is that correct? It has all kinds of ways-

MEESE Under unusual circumstances with the protection of a court-authorized warrant, yes.

ROBINSON Right. But it can do all that.

MEESE That's what the law is today.

ROBINSON And what David is in favor of is a kind of computerized encryption so strong that they just won't be able to read my email whether a judge says they can go ahead and try or not. They just won't be able to do it. That's roughly...?

FRIEDMAN That's correct. What we currently have and what I think we should keep, yes.

ROBINSON Okay. And now let me frame the policy issue as I understand it. The Director of the FBI, Louis Freeh, wants to solve this problem. He does not want such a situation to arise, that is to say, where the FBI can't get into my computer files if they think I'm about to blow up Manhattan so he has proposed that every encryption system send a key to some sort of agency which will hold all these keys in a sort of repository and then when the situation arises and they have evidence I'm about to blow up Manhattan, he goes to a judge, gets the warrant, goes to this neutral trustworthy agency, gets the key and is able to break into my email account. What's wrong with that?

FRIEDMAN Well, there are a number of things wrong.

ROBINSON If there's good evidence I'm going to blow up Manhattan?

FRIEDMAN There are a number of things wrong.

MEESE Let me...let me...

ROBINSON Sorry. Go ahead.

MEESE What we really have is a difference between the technological progress and the legal progress. The legal situation is it is proper for law enforcement or national security agencies to intercept communications as long as they get a court order. Now what has happened is that, in a sense, the technology has now eclipsed current methods of doing that through encryption and what we are seeking or what the FBI has been seeking through the Congress is to now bring because of this technology eclipse, to bring technology under the same general legal rubrics that we have for every other type of communication.

FRIEDMAN A couple of things. To begin with, it has never been the case that it was illegal for me to hide things where the police couldn't find them. The police were entitled to look, I was entitled to conceal them. So what you're...

MEESE And that's still the situation under what I propose.

FRIEDMAN That's the situation at the moment. Under current law the government can intercept my mail and I can do my best to make sure that they can't read it. A couple of further points. First, what Louis Freeh is asking for is the ability to get the key to communication in 30 minutes. That does not mean very large, secure precautions. What he is asking for, in fact, is a pass key to every lock in cyberspace and those locks have behind them first, a lot of private information and while I'm sure it would be useful to the FBI to be able to know all of our secrets it would certainly help them get the budget through Congress, uh, I don't think it's useful to me. And second, those locks have a great deal of money behind them because banks routinely send hundreds of billions of dollars on-line and that money is protected only by encryption in the form of both encryption and digital signatures which depend on the same kinds of keys as other forms of encryption. So you are describing a situation where a policeman who is sophisticated and dishonest is in a position to steal tens of millions of dollars and head off to Mexico.

MEESE No.

FRIEDMAN And I predict that in that world you will find that a few cops will become crooks and few crooks will become cops.

MEESE No, I disagree entirely because that is not what I'm advocating. What I'm saying is we have to have a way in which law enforcement representing the people of the country is not thwarted from obtaining information that they now could get but for the fact of encryption. And that's what we're talking about at the present time.

ROBINSON David may have practical objections to the FBI proposal, but what is his objection in principle?

FOR YOUR EYES ONLY
ROBINSON Now encryption keeps email - I've been using the example of email: chatter back and forth between my computer and yours. Clearly encryption keeps that secret.

FRIEDMAN Can keep it secret if you choose to.

ROBINSON Can keep it secret if I choose to use it. All right. Now but it's also...

FRIEDMAN And you have to have encryption if you want to keep it secret because email is very easy to intercept. You have to realize that when you send an email to a friend in Finland your computer doesn't call up a computer in Finland. That would cost much too much.

ROBINSON Right.

FRIEDMAN It sends that message to some computer in the right direction which sends it to some computer in the right direction. That means anybody controlling any of those machines which you have no control over could intercept your message so the only way to have serious privacy in the on-line world as it now exists is through encryption. That's why anything which makes it harder to have secure encryption seriously undercuts both individual privacy and the ability to do business on the net. You have to realize that none of what is being proposed has any effect against serious criminals talking to each other because somebody who is willing to break the laws against blowing up large buildings is going to have no reservations at all about breaking the laws against using unescrowed encryption. The relevant mathematics has been known for 20 years: there are lay people all over the world who write such software so that as a practical matter, what you are going to get is not the ability to tap the communications between two sophisticated terrorists. That simply isn't an option. There is no way you can get that.

ROBINSON This is the gun control argument. Crooks will still get guns; only honest people won't.

FRIEDMAN In order for what Freeh wants to be useful it can't be something you do 10 times a year. It can't be something used for very high profile cases because those are the sophisticated crooks. In order for it to be useful, he's got to be able to do the same thing at least that they can do now: namely, anytime you have a court order on any case very few of which involve blowing up large buildings, be able to tap the phone and decrypt it. And with that level of access by law enforcement you are essentially torpedoing both privacy and commercial privacy on the net.

MEESE I think the practical point is that that is simply not the case. Today we have a very limited number of electronic surveillances taking place in the United States. Very few if any of them have to do with commercial traffic.

ROBINSON What's the number? Can you...

MEESE I don't know the numbers now but it's under 10,000 a year.

FRIEDMAN That's right.

MEESE And that's all police departments, all FBI, all National Security...

FRIEDMAN And that's important because one of the arguments you're making is that all this does is bring us back to status quo.

MEESE That's exactly what we're going to do.

FRIEDMAN But that's not true.

MEESE Well, it is.

FRIEDMAN Let me explain why it isn't true.

MEESE Let's explain why you think it isn't true.

FRIEDMAN Sure, I'll do that and you get to rebut. The reason it isn't true is that a large part of the reason you have only something like 5,000 wire taps a year is the wire taps at present are very expensive. It takes a lot of resources, as I suspect you know, to do a wire tap. That is rapidly ceasing to be the case. With the same new technology that enables encryption you can also have a computer instead of a human being listening to a telephone. That computer can be listening for key words and for patterns of key words and that means that it is becoming technologically possible to tap very much larger numbers of phones than it was practical given the resources to tap 10 years ago.

MEESE I disagree with you entirely. The, it is not the cost of wire taps that limits their number: it's the fact that they can only be used in certain cases and only with a court order. And that the law enforcement people are not willy-nilly trying to tap phones every time they have the opportunity. Instead, they are reserving it for the most serious cases where it is something you can convince a judge that it's important enough. And I think this would be the same thing in terms of encryption.

ROBINSON Ed...

MEESE The problem is technically how do we provide a means whereby law enforcement is not thwarted from being able to, when they know that there are communications that are involved in criminal activity whether it's terrorism, whether it's kidnaping, whether it's some other form of perhaps very serious fraudulent activity, that they can have the ability to get a court order to obtain that information the same way they would in any kind of a telephone call.

ROBINSON Ed's concern that law enforcement can get crucial information when it needs to isn't hypothetical. He's dealt with security first-hand.

TERRORISM ONLINE
ROBINSON When you were Attorney General, when you were the chief law enforcement official in the United States, did cases arise in which thinking back on them, encryption would have hampered law enforcement?

MEESE Certainly. The, if the messages had been encrypted for example that ultimately gave us the evidence that the Libyans were responsible for the bombing of the discotheque in Germany which led the President to have the legal authorization and the moral authorization to retaliate against Libya. That would be a very good example.

FRIEDMAN How do you believe that U.S. restrictions on strong encryption would prevent the Libyan government from using encryption?

MEESE Well, there's a difference. There's a difference now...

FRIEDMAN You should have a law against their using bombers too.

MEESE No, there's a difference and this gets back to what, to me, the gravamen of this whole conversation is. I'm very much opposed to legislation, for example, that would limit the export of encryption unless it is so unique and can't be found elsewhere that it would be into the same category as some of the weapon systems and other things that would make weapon systems that we regulated during the Cold War. I think that by and large it is futile to try to regulate where we send encryption because what we develop but couldn't send out of this country somebody else is going to develop elsewhere.

FRIEDMAN And anybody can buy it at Egghead Software and take it out in their diplomatic pouch.

MEESE I agree with that. I agree with you on that. On the other hand, it seems to me that we have to find a way in which law enforcement can have the ability, either working through the manufacturers or elsewhere, in the appropriate case where there is a court order to be able to break the encryption. And I ask you, what are the technical means? If you were suddenly employed by the NSA to come up with a solution to what I see as a legal and law enforcement public safety problem, how would you go about it?

FRIEDMAN But we have to add one more question and that is what price are you willing to pay? If your price, to take the extreme case, is simply closing down the Internet then it's easy.

MEESE No. That's not a price I'm willing to pay.

FRIEDMAN All right! So, I understand. But my answer is that I don't think I can solve your problem at any tolerable price. I want to go back to the Second Amendment of the United States Constitution: the right to bear arms. The, I believe the purpose of many of the founders in passing the Second Amendment was to make sure that if all other defenses against tyranny failed, the civilian population of the United States could outgun the standing army. And I think that was a very clever idea; that they recognized that legal protections are all very well but they are only words on paper, and if things get bad enough what you want to do is not to make government doing certain things illegal but impossible. That protection I don't think works very well at the end of the 20th century for lots of reasons. I think, however, that unregulated strong encryption provides the equivalent of that for the 21st century; that if we have conflicts with our government and if other people with their government, they are going to be fought mostly with words and with ideas and not weapons. And what unregulated strong encryption gives you is a world where the government not merely may not suppress freedom of speech but is literally unable to do so; is physically incapable of suppressing freedom of speech. And it seems to me that getting that world is worth a pretty high price.

MEESE One of the things we have done as a people over the years is to say that the Second Amendment has some limitations and that it is possible not to prohibit guns but to regulate the use of guns so that we preserve this balance between public safety on the one hand and the right of citizens to be armed and to protect themselves even against the government on the other. And so...

FRIEDMAN You're in favor of the ways in which this regulation has been done?

MEESE Well I think that there are some reasonable regulations, yes, I think the idea that people should not be allowed to have 105 Howitzers on their front lawn in case they have a dispute with their neighbor is not a bad idea. And the same is true with machine guns and a lot of other things. That doesn't bother me at all. As a matter of fact, I think we've done a pretty good job of maintaining that balance and, indeed, some of the gun regulations have gone overboard just as some of the proposals for regulating encryption, I believe, go overboard. But I think it is possible to get back to a balance between the two.

ROBINSON You talked about...

MEESE Now one of those...

ROBINSON Go ahead.

MEESE Let me just say that-

ROBINSON Ed wants Silicon Valley to solve the problem. Keeping communications private while at the same time letting law enforcement do its job. Sounds reasonable. Why does David object?

THAT DOES NOT COMPUTE
ROBINSON As a political matter, and we are after all talking about an issue which is being debated in the political marketplace, what do you have for ordinary Americans in this argument?

FRIEDMAN I want to go back for a moment to something related to what you were saying. You said honestly that you are not an expert in this field. You surely have noticed that essentially all of the experts in the field who are not working for the government believe that what you want to do isn't really do-able. What I'm arguing is that the people who are familiar with technology recognize - not that it can't be done - but it can't be done at a price you're willing to pay. That you can, you can certainly do, there are things you can do. You can say if we intercept your encrypted communication and you refuse to decrypt it for us we will use that fact before a judge and try and gauge that you're guilty and that you can do now. There are lots of legal ways you can try to force people to decrypt things themselves but a system in which the FBI can be reasonably confident that when they intercept a message they can quickly and reliably decrypt it can only be done at costs that you wouldn't be willing to pay and that's a statement about what the technology is like.

MEESE In light of my challenge to the, to those who are experts, is how can you do this in a way that gives the law enforcement agencies the ability that they now have. Now you talk about quickly. It may not be quickly: it may not be as quickly as say you can intercept a telephone call, but can there be ways in which the technology either by those who manufacture the encryption material, the facts that

FRIEDMAN Not, not...

MEESE Or an escrow system. It seems to me that there has got to be some way in which technically...

FRIEDMAN I want to explain a little technology.

MEESE You can achieve, technically you can achieve the same thing that we're able to do now in a very sophisticated situation.

ROBINSON Answer me this, and let me explain.

MEESE Let me just give an example.

ROBINSON Go ahead.

MEESE Cellular phones was a step up and the industry found ways so that that also could be intercepted even though it was much more difficult than ordinary land-wired telephones. What I'm saying is you can have a situation, it seems to me, that is beyond the range of technology helping to solve this legal problem.

ROBINSON And my point is simply it's a little unpersuasive or at least unsatisfying for a layman to listen to a technologist say it can't be done. When the whole arc of technology over the last 15 years is that things you wouldn't believe can be done can be done.

FRIEDMAN When you talk about doing it with the cooperation of the manufacturers the person who writes the program writes an encryption method but he doesn't create the key, and the reason he doesn't create the key is that if I am a bank moving ten million dollars around I don't want to have to worry about whether the company that wrote the software has got somebody in there who's really a crook who wants to steal my money. So what I want is software - part of the beauty of public key encryption is that it doesn't require you to trust anybody else. That the way public key encryption works is that I create a pair of keys one of which encrypts and one of which decrypts the messages. I make one of the keys, the public key, public. I give it to him. He can send me messages that are secret. If you steal it you can send me secret messages too. But it takes the private key to decrypt it. So it's a system which doesn't require me to trust any third parties or I can have my own security and my own control. And any way of trying to get past that has to compromise, has to destroy the features that make that a really secure and safe system. Netscape doesn't know how to decrypt their messages. They are the last people to find out when someone else figures out, Netscape pays them a bonus and fixes the program so it can't be done. You don't want holes in it. Now given infinite resources you can decrypt anything but you'd better use a candle because the sun will burn out while you're waiting. So you're really, I think, stuck in a situation where you can have something which gives you part of what you want, you can't get all of what you want because you can't keep the sophisticated criminal from just breaking your encryption laws. 
You can get part of what you want at the cost, as I was putting it earlier, of giving the cops a pass key to every lock in cyberspace which I think is an unacceptable cost or you can simply face the fact that there are other ways in which police catch people. You can stick a bug on the phone, literally on the phone not on the line, and now everything is in clear. You have, you know, inside agents. You do all sorts of other things. You take advantage of encryption to make it easier for your spies in the criminal agency to communicate with you because they can't be tapped either and you live with the fact that each new technology provides certain new opportunities for criminals and certain new opportunities against criminals.

MEESE But that's the point that I'm making is that there have to be these opportunities against criminals as well to counter the new opportunities for criminals.

FRIEDMAN But the...

MEESE That's what I'm seeking. The, and so far, so far

FRIEDMAN But encryption is an opportunity against criminals. Encryption is a lock. It's a way in which individuals protect themselves.

MEESE But so far it seems to me so that the technical people ought to be able to come up with some solution to this problem without a price that is beyond what we want to pay. I don't want to shut down the Internet and let criminals into bank secrets but there must be a way in which you can have assistance to solve a very real problem and maintain the balance we have at the present time.

FRIEDMAN Except for that the technical people who understand this field-

ROBINSON David wants to do a lot more than send e-mails to friends, he wants to overturn our government.

COUP D'TECH
ROBINSON Ed is the conservative here, and you are the wide-eyed radical and here's why. Ed wants merely a prudent extension of the status quo to a new form of technology and you want a technology- I think there are two strands to your argument as I hear it. One is simply practical matters. You can't give law enforcement the ability to read encrypted material without effectively shutting down the Internet or so crippling transactions that it stunts the growth of the Internet and so forth. But also, there is a kind of libertarian bent here that you see...

FRIEDMAN That's right.

ROBINSON The thin edge of the wedge.

FRIEDMAN And I want to put that question to Ed.

ROBINSON And what we're doing is creating a new world order in which all kinds of sources for law enforcement officials, not just the computer but the telephone, ultimately more and more communication becomes digital and law enforcement gets shut out and furthermore more and more transactions take place in an encrypted way and the IRS gets shut out and government is forced into a corner bit by bit. Now you want that, don't you? Admit it. You do.

FRIEDMAN But I...

ROBINSON But that makes ordinary folks uncomfortable.

MEESE Let's not bias the argument by bringing the IRS in. Let's go back to law enforcement.

FRIEDMAN Right. Yeah, right. I want to put the question back to Ed because I want to see what kind of a conservative he is. I want to go back to my Second Amendment question. Let us suppose that, suppose I could find your solution, which I don't think I can, but suppose I could. We then have two alternative futures: one of them is in a future in which it's a little easier for the government to enforce the law and in which if we ever have a tyrannical government that government can in fact violate freedom of speech wholesale. And since you're trying in practice to impose a system on a world-wide system in which when other countries have tyrannical governments, it's easier for them to suppress freedom of speech wholesale. That's one world. The other is a world where it's a little harder to enforce some laws but where freedom of speech is like a fact of nature. It's something the government simply has to face. Which of these worlds do you like better?

MEESE I like the world that we have now where there's a balance between those two objectives and...

FRIEDMAN Worlds don't stand still.

MEESE Well they do because right now we have a balance. You talk about freedom of speech. We have freedom of speech but it doesn't include speech used in the commission of a crime. That's one of the exceptions to free speech in this country.

FRIEDMAN But we have a government that is physically capable of preventing free speech if it can persuade the courts and the cops to go along.

MEESE No. No.

FRIEDMAN It's physically capable of doing it.

MEESE Well it's physically capable...

ROBINSON What do you mean? Shutting down presses? That type of thing?

FRIEDMAN Yeah, sure. Governments have done that from time to time.

MEESE But you're assuming a tyrannical government. We have other means. Encryption is not going to keep us from having a tyrannical government.

FRIEDMAN I am arguing that, I am arguing that precisely the encryption will make it less likely in the future. You're a conservative. You don't believe in the doctrine that government is a dangerous servant and a terrible master?

MEESE Government is a dangerous servant and a terrible master and that, but governments were created for one primary purpose and that was to protect the public. That's the primary reason and to secure the rights that we have and what you want to do is turn over our rights to criminals and keep the government from enforcing the law against them and what I'm talking about is finding reasonable solutions to maintain the balance that we have at the present time and which we have.

FRIEDMAN My point is not that we want to make it illegal for the government to decrypt things just as you might have made it illegal for them to tap phones, in which case a tyrannical government could still have done it. What I'm saying is that if we develop an infrastructure of unregulated encryption, it's not merely that we will have laws against or won't have laws against the government decrypting, it's that they won't be able to do it. So again, you're not making the distinction between a law that says that governments can't be tyrannical and a state of affairs which prevents government from being tyrannical.

MEESE I want to get in that we want to change that state-

ROBINSON Sooner or later David, like all of us, is going to have to face up to political realities. Time for predictions.

PROPHECYBER
ROBINSON Ten years from now will Louis Freeh's proposal have been enacted, some form of it? I'm asking you to come into contact with the political world here.

FRIEDMAN Let me answer a slightly different version which is, will Louis Freeh have what he wants ten years from now? I don't know what laws are going to pass but my prediction is that it isn't going to prove possible to get the result that he wants at a price that practical politicians are willing to pay.

ROBINSON By ten years from now the political world will have accepted that?

FRIEDMAN You know, you can always declare victory and withdraw but my prediction which I've made in print before and I'm about to make in print again is that in the long-term it will not prove politically practical to prevent this set of developments.

ROBINSON Ten years from now, does Louis Freeh, does the FBI have what it wants?

MEESE What I want I think will happen and that is there will be some laws that will be passed to improve the ability of law enforcement to protect the public safety. It won't be everything they want probably. That really doesn't depend on the law. That's going to depend on the willingness of the people who are technically capable to assist law enforcement in finding a means of providing the kinds of abilities that they have now in regular communications and transfer that over and into encryption. I have greater faith in the technological capabilities of the experts in the field to do that perhaps than my friend does.

FRIEDMAN Meaning that you are sure that somebody will let you have your cake and eat it, too.

ROBINSON Edwin Meese and David Friedman. David Friedman, Ed Meese, thank you very much. You may now arm wrestle as the lights fade.

Although we were discussing cutting-edge technology, both men made appeals to traditional values. Ed Meese to the government's limited right to enforce order. David Friedman to the individual's considerable right to assert his own freedoms. Applying traditional values to cutting-edge problems. I'm Peter Robinson. Anksthay for atchingway.

Funding for this program was provided in part by grants from the Starr Foundation, Ann and Peyton Lake, and the Seaver Institute.

