American policy on encryption technologies is largely outdated and unnecessarily burdens the emerging field of electronic commerce, said Ronald Rivest, associate director of the Laboratory for Computer Science and the E.S. Webster Professor of Computer Science and Engineering.
He outlined his ideas on cryptography policy at "Cryptography and the Limits of Secrecy," one of MIT's ongoing Security Studies Program seminar series, on October 13.
Professor Rivest said encryption policy covers two primary policy issues: export control of these technologies and law enforcement. The federal government regulates and restricts the export of encryption software and algorithms abroad, with certain "academic" exemptions, such as published research.
This policy, he said, reflects an antiquated view of the uses of encryption. The military developed cryptography in the early 1900s, and until the early 1950s, the primary use of encryption was encoding military messages. Secure communication was a crucial need for American troops in World War II and Korea.
As companies became interested in data encryption to protect trade secrets in the 1950s and 1960s, the regulation of the industry was slow to adapt, Professor Rivest said. The first data encryption standards were not adopted until 1976, and academic study of encryption was not widespread before the 1980s.
The federal government still views encryption as a military and intelligence "secret," and it is reluctant to make those technologies widely available outside of the United States. In an article published in the October 1998 issue of Scientific American, Professor Rivest proposed a more relaxed attitude towards encryption. He argued that a wider development of encryption technologies will aid the emerging field of electronic commerce, and that the potential drawbacks -- such as individuals and rogue states using encryption for terrorism or international crime -- would be minimal.
Professor Rivest compared cryptography to gloves: both help criminals elude law enforcement, but both are also very useful for licit and productive applications. Allowing encryption to be widely available would fuel international trade and communication, and bolster consumers' confidence in purchasing goods and services online, he said.
Since the mathematical basis for encryption is already widely known, serious criminal organizations and terrorist states are already able to implement the technology, and export restrictions serve only to slow the legal commercial application of this useful technology. For example, 128-bit PGP (Pretty Good Privacy) encryption is subject to American export restrictions, but it is widely available abroad.
The Security Studies Program holds weekly seminars on Wednesdays from 12-1:30pm in the sixth-floor conference room in Building E38. More information is available on the program's web site.
A version of this article appeared in MIT Tech Talk on October 20, 1999.