Crime and Crypto: A Report Shaded Gray

The study by two famous supporters of US policy is notable for its conclusion that the policy really isn't hurting bad guys or helping cops very much. Their caveat: The battle with criminals has only begun.


The reports sound ominous:

In Italy, the Mafia is downloading PGP to help ward off investigators.

In Colombia, the Cali cocaine cartel maintains encrypted personnel files - complete with lists of relatives to be leaned on when necessary - and has scrambled some of its telecommunications.

In Japan, the Aum Shinri Kyo cult kept RSA-encrypted plans for launching a chemical and nuclear campaign of mass murder both at home and in the United States.

A study by two authorities on the US encryption debate lists many more incidents in which cops have faced down criminals armed with the cryptographic means to hide what they're doing. But amid the discussion of all that these developments imply, the doom scenario one might be tempted to cut to in a report by government-friendly crypto experts is remarkably missing.

Instead, the authors - Georgetown University computer scientist Dorothy Denning and William Baugh, vice president of Science Applications International Corp. and former assistant director of the FBI - conclude that strict export controls and key-management systems are unlikely to stop criminals.

"No approach to encryption will be foolproof. Whereas export controls clearly have an impact on product lines, they do not keep unbreakable encryption out of the hands of criminals entirely," says the report, which Denning and Baugh developed over the past six months and began circulating late this spring. It was published last week.

The report is part of a series by the National Strategy Information Center's US Working Group on Organized Crime, a group that includes academics, congressional staffers, and officials from the Defense Department, FBI, Drug Enforcement Administration, and Federal Reserve.

Sifting through accounts of criminal cases involving encryption - some from law officers or security professionals, some from academic or government studies, some from journalists' accounts - Denning and Baugh estimate the total number of criminal cases involving encryption worldwide is at least 500, with an annual growth rate of 50 percent to 100 percent. But the report's collected anecdotes suggest that so far, though encrypted files have sometimes slowed investigations and made them more expensive, law officers have found ways to crack ciphers or used other evidence to complete prosecutions.

Denning, known in the past as a backer of strict controls on encryption and of systems such as the Clipper chip to afford government access to data, said she's given pause by the report's finding that prosecutors have not been derailed by encrypted evidence.

"It's put me in a greater state of doubt than at the beginning," she said in an interview last week. But the report noted that currently, criminals often use off-the-shelf technology and other methods that are often easily cracked, as in the case of former CIA agent Aldrich Ames, who was convicted of espionage in part because of an easily breakable commercial program he used to encrypt data.

"Not everyone wants to spend their time messing around with technology; then there are others who are willing to do it," Denning said. "It will go in both directions."

The report also says that although the spread of strong cryptography "could become a serious threat to law enforcement and national security," police and prosecutors face plenty of challenges from technologies that help criminals hide data (such as compression and steganography) and spy on adversaries.

"One thing that was discussed when the paper was presented to the group is that you can forget about encryption - there are more basic problems law enforcement has to deal with," like staffing and basic technologies, says Jeff Berman, executive director of the National Strategy Information Center.

For instance, some big drug dealers were not encrypting phone calls, but instead swapped phones to stay ahead of the police. In one Keystone Kops-type episode, the DEA noticed a large number of calls to Colombia on its phone bill, and realized that the Cali cartel had cloned the DEA's own number.

The report concludes that export controls have had a double-edged negative effect: They have prevented businesses and law enforcement outside the United States from getting strong encryption, but have not stopped determined criminals from obtaining it.

Conversely, the report says, "One effect of lifting export controls is likely to be increased availability and use of encryption to protect sensitive information from organized crime." Although criminals would also have greater access to crypto programs, the report argues, market demand for key recovery systems could lead to a situation in which police will be able to retrieve keys to crime-related data.

The report cuts across lines of the current legislative-executive debate on encryption and how it should be regulated. Since last year, both houses of Congress have worked on bills that would reverse the Clinton administration's export controls and ban mandatory key recovery systems.

In the House, Virginia Republican Bob Goodlatte's Security and Freedom through Encryption Act has gained a majority of members as co-sponsors. However, a parallel bill in the Senate has been shouldered aside by John McCain and Bob Kerrey's Public Network Security Act, which offers industry incentives for participating in a key recovery system and preserves the current export controls on the technology. The current handicapping of the battle of the bills - despite an August-long lobbying campaign by civil liberties and Internet users groups - is that any final legislation will significantly weaken the House provisions.

The study also faults key recovery systems on several points, perhaps most importantly the fact that they themselves could be abused either by criminals or government officials. Another widely publicized study of large-scale key-management infrastructures, put out in May by a team of cryptographers and computer scientists opposed to controls, concluded that such systems would be so expensive and technically complex that they are simply impractical.

So if strict export controls don't work and key recovery systems open up a whole new Pandora's box of criminal activities, what's the best encryption policy?

"It's a hard, hard, hard question," Denning said. "To me, a lot of it boils down to whether trying to regulate it is a good idea, and I'm not convinced either way."