Episode Show Notes
[START OF RECORDING]
JACK: My grandfather went most of his life without using or needing encryption but now we live in a time where encryption is intertwined in almost all of our electronic communications. That shift to go from a world where everyday people didn't use encryption at all to a world where everyone uses it and doesn't even know it was a major transformation and there was nothing easy about it. There were powers at play that didn't want everyday people to encrypt their messages but human rights and civil rights activists fought and fought and fought. You know the outcome of this story but you may not know what it took for us to get here. Let's take a journey through time back to the 1990s and understand exactly what were to be known as the Crypto Wars.
JACK (INTRO): [INTRO MUSIC] This is Darknet Diaries, true stories from the dark side of the internet. I'm Jack Rhysider. [INTRO MUSIC ENDS]
JACK: Before we get started, I feel like I should say something. It's really hard for me to stay neutral on this topic because I'm such a privacy and security advocate. This is a topic that's important to me and I'm staunchly on a specific side, so upfront I just want to say that I apologize if I don't represent both sides fairly in this story. To help take us through this pivotal piece of history, we have a very special guest.
CINDY: My name is Cindy Cohn and I'm the Executive Director of the Electronic Frontier Foundation.
JACK: The EFF is a non-profit digital rights group. It helps protect your civil liberties online. Cindy has been with the EFF for over twenty years and she's played a crucial part in the Crypto Wars as we'll soon discover. But before we get into her role in it we need to take a quick glimpse into the history of cryptography.
CINDY: Cryptography has been used by military people to protect their plans and share information say, across between the generals and the front lines for as far back as Julius Caesar. Caesar had a cypher that they used. In World War II there's some great stories about how the ability to break the German code, the enigma machine which they were using to code had a tremendous influence on the ability of the allies to win the war. There's great stories about both the code breakers in Bletchley Park breaking the German code, there were also really successful efforts to break the Japanese codes. Lots of people will, I think quite credibly say that the allies' ability to break encryption codes had a lot to do with us actually winning the war.
JACK: [BEEPING] Encryption is when you take a message and encode it in such a way that if someone else were to get that message, they would not be able to read it. But then whenever the receiver gets the message, they would be able to decode it and read the message. This is also known as cryptography.
CINDY: The military has always viewed encryption as a part of its tool set, part of what they needed to do in order to help us win military wars. The US State Department keeps a list called the US Munitions List that has all of the things that the government treats as a military tool such that it can't be exported without a license from the government. The US Munitions List is pretty long. It has things that will be -- it has tanks and surface-to-air missiles and submarines and things like that that you can't -- and military subs, that if you build them or a piece of them you need to get a license from the US government before you export it.
JACK: During the Cold War era, sometime in the 1970s or 80s, the US State Department added cryptography to the Munitions List.
CINDY: It wasn't particularly important to the rest of us [00:05:00] because the rest of us didn't really need to have strong encryption in what we did every day. [MUSIC] That's kind of what the world looked like heading into the early days of the internet. The shift came as the internet was getting to be developed, especially in the early 1990s, just before the World Wide Web but when a lot more people were beginning to think about what the world would look like if we had everybody in the world connected via digital technology. The realization that we were going to need to have privacy and security in this new world and that encryption was one of the ways that you could get it was fairly obvious to a lot of early thinkers about this.
Suddenly this thing that wasn't particularly relevant to the rest of us, the fact that the government controlled encryption technology suddenly became very relevant as we started thinking about how to build an internet that would really work for every day, ordinary people who wanted to do commerce or have a private conversation or use this technology to develop new tools that they might need to protect as trade secrets, or keep confidential. Also, keep the network secure. Encryption does both of these things; it both keeps things private and it keeps things secure. It emerged as one of the really important technologies that we were going to have to have available if we were going to have an internet that really worked for everybody. The government created an encryption standard that it let people use so that there could at least be some encryption but it was very, very weak.
JACK: This standard was known as DES and stood for Data Encryption Standard. With it you can encrypt your data or a message and anyone who reads the encrypted message could not understand what it said. The person receiving the message had a key to decrypt the message but by the time the internet was taking shape DES had already been around for twenty years and was starting to show its age.
CINDY: Most cryptographers, most mathematicians knew this for years. By the 90s DES was clearly not good security anymore. The government was pretending like it was, and one of the -- it was kind of one of those situations in which the government policy people wanted something to be true, that DES was really secure, because they had back-doored it, because they knew that it wasn't really secure. They could always break it and were pretending like it was really secure and hoping that nobody noticed. But of course, people did notice.
JACK: The government knew 40-bit DES encryption was not very strong but insisted we use it anyways.
CINDY: A guy named Bobby Inman who was the head of the NSA in the 90s, but there are other people as well, who were making representations about DES that were I think not really true. You have to either think that they knew what they were talking about and were basically trying to convince the rest of us that it wasn't, or that they didn't know what they were talking about, in which case it's a little troubling because they're the NSA.
JACK: Businesses and banks were digitizing their data and the need for all this data to be encrypted slowly became more and more important. The early 90s was a place where...
CINDY: The people are engaging in various kinds of protest activity, political organizing, all of that sort of activity. Encryption is tremendously important for people who are trying to change the government, who are trying to change corporate polices, who are trying to stand up for building a world that is better than the one that we have. We know that the US government has traditionally spied on people who are engaging in political protests. We know they spied on Martin Luther King, we know they spied on John Lennon, we know that they spied on all of the civil rights movement.
JACK: This is why PGP got started. Phil Zimmermann, a software engineer, developed a much more secure way of communicating called PGP which stood for Pretty Good Privacy. He helped human rights activists use it. He put his PGP code on a FTP server for anyone to download and use. While Phil said he did not spread it outside the US, it eventually found its way to the other side of the US borders. Because cryptography was considered a munition, Phil was investigated by the US Customs Service for violating the Arms Export [00:10:00] Control Act. This would be the same violation if someone were to export stinger missiles outside the US without an Arms Permit. Businesses were originally fine with DES as the standard even though they knew stronger encryption existed, because in the 80s the only adversary to businesses were other businesses.
They knew other businesses didn't have strong crypto analytic capabilities. Even if it was weak, nobody had the ability to crack it except for governments but it started to become clear that other nations were trying to develop ways to break DES so businesses were starting to get a little worried and wanted to use stronger encryption. Businesses started using PGP as a form of communicating trade secrets and sensitive data. Using PGP internally was legal as long as the encryption didn't cross the US border.
For the next few years Phil would be continually investigated for spreading his encryption method around the world. A case was brought against him by the government for violating the Arms Export Control Act. From what I can tell, the battle between Phil Zimmermann and the US government was the first battle of the Crypto Wars. The users of the internet, security companies, and banks were all starting to request higher and higher security encryptions to be used by the people.
CINDY: On the other side was the military and law enforcement saying no, we need to keep the encryption weak so we can catch the bad guys. We were pointing out that most of us would rather be secure in the first instance and not get robbed than have very low security but slightly increase the chance that they might catch the robbers afterwards.
JACK: In 1993 Bruce Schneier published a book called Applied Cryptography. This book describes various cryptographic algorithms and how to use them. It even contains algorithms which were not allowed to be used on the internet. An electronic engineer named Phil Karn asked US State Department for a commodities jurisdiction for the book. He wanted to know if he could legally ship the book across US borders. Since there's no export regulations on books, he was given permission to export the book. Then Phil Karn took a few pages from the book which contained some cryptographic algorithms and placed them on a floppy disc. He then requested a commodity jurisdiction for the floppy disc. The State Department had a discussion with the NSA and denied the request. We know they had a discussion with the NSA because of records requested through the Freedom of Information Act years later.
Because the encryption was in electronic form it was now considered a regulated munition and was not allowed to cross US borders in that form. This created quite a controversy. A book containing a mathematical algorithm can be sent across the border but a floppy disc with the same algorithm cannot? So Phil Karn sued the US State Department. He believed that if the data contained in a book was considered protected under the First Amendment, then data contained on a floppy disc should also be protected in the same way. Once Phil Zimmermann heard of this lawsuit he decided to print his PGP source code in a book format. He even took great care into making the book easily scannable. He too, asked for a commodity jurisdiction on his book but the State Department was now more aware of the situation and did not grant him the right to export the book, but really didn't deny him either. The State Department just sat on the request for a while.
Phil Zimmermann's publisher didn't wait for a response; instead they started shipping the book containing his PGP code all over the world. The security community took this in various other directions too, such as printing algorithms on t-shirts which would then make the t-shirt a regulated munition, and when something is a regulated munition like that, you can't even allow foreigners to read the t-shirt. Simply wearing that shirt in front of a foreigner violated the Arms Export Control Act.
CINDY: Several things happened; I launched a team from EFF with the EFF lawyers, launched a lawsuit against the encryption technologies. There were actually three lawsuits that were filed. We handled one called Bernstein vs. Department of Justice.
JACK: Another cryptographer named Dan Bernstein was developing encryption methods that were above the regulated limit. In 1995 Bernstein wanted to write about his encryption, give talks about it, and publish the source code on the internet. The Arms Export Control Act and the International Traffic and Arms Regulation required Bernstein to submit his ideas about cryptography to the government for review which also required him to register as an arms dealer and to apply for a license. All this simply to publish his ideas about cryptography to the internet. Bernstein decided to do battle against the [00:15:00] US Department of Justice and he got help from the EFF; specifically, Cindy Cohn herself.
JACK: The EFF took their best lawyers to go and help out Bernstein.
CINDY: Yeah, that was exactly what the goal of the litigation was, to make sure that people could publish. Publishing on the internet always is an export, right, because everybody in the world can see what gets published on the internet. We wanted people to be able to publish and share strong encryption on the internet. To get there, what we did was we argued that computer programs, computer code was protected speech under the First Amendment and that the government's regulations of that speech in the form of the Munitions List Regulations were not consistent with the First Amendment.
JACK: For the next year Bernstein, Cindy, and the EFF did battle against the US Department of Justice. [MUSIC] In 1996 a professor at Case Western University named Peter Junger also joined the battle.
CINDY: Yeah, Peter Junger is the third case. He also was arguing -- he was a law professor but he also had a computer science background. He argued basically the same thing as professor Bernstein, that he wanted to publish code as well.
JACK: Not only did he want to publish code to the internet but he also wanted to teach a class on cryptography. But because he included cryptography as a topic of his class, he was restricted from accepting foreign students in his class. This resulted in Junger challenging the export laws as well.
CINDY: That case was going on in Cleveland. Our case, the EFF's case was going on in California and then Phil Karn's case was going on in DC. The three of us all worked together to try to make sure that we were putting as much pressure on the government as we could collectively.
JACK: By this point there were numerous businesses expressing a need for stronger encryption for their data. Banks in particular were requesting the government allow them to use a stronger encryption method. Specifically, the US government was not allowing encryption that was over 40 bits in length to be used on the internet. Around this time AT&T created a phone that would encrypt a phone call. It basically created a modem connection from one end to the other and digitized the voice and then did a DES encryption on the data. AT&T sold these phones for $1,400 in the mid-90s. The US government freaked out about this phone. They contacted AT&T and said they have a better solution. The government had been working on a new way to encrypt data electronically using a specialized computer microchip.
The encryption was far superior to the common DES, possibly even unbreakable. The government called this the Clipper Chip. The government developed this chip for anyone who wanted to use stronger encryption and so, a solution was found. The government urged AT&T to use the chip on their phone. AT&T was hesitant at first but the government offered to buy a bunch of these phones if they added the chip. AT&T added the Clipper Chip into the phone and the US government bought a ton of these phones, but in the features of the Clipper Chip there was one rather large asterisk. The Clipper Chip had a backdoor key built into it which allowed the government to decrypt any message encrypted by the chip. The government was basically allowing people to use a rather strong encryption method but had a key to break the encryption if they needed it. The idea was that the government would be the only one who would ever have the key.
CINDY: One of the things that happened right after that got released, is a guy by the name of Matt Blaze, who's now a professor at the University of Pennsylvania of Computer Science, a very famous computer science professor demonstrated that these Clipper Chips were really insecure and demonstrated what we all know is true right now, is that if you're going -- you can't build a door into strong encryption and only expect the good guys to ever figure out what the key is, to ever have a key to it. If you're going to weaken the encryption, they'll let the good guys have a key. You're going to weaken the encryption such so that the bad guys will have access too.
The demonstration of the flaws in the Clipper Chip that Matt Blaze did was really central to this [00:20:00] conversation because ultimately it meant that the government dropped the Clipper Chip idea. That was the first nail in the coffin of the government's crypto policy. The second thing that happened was we were beginning to win our lawsuit. We won it at the District Court and then we also won it at the Court of Appeals. At the same time there were efforts in Congress that were moving along a little more slowly. There was also direct pressure on the administration from the tech companies and Al Gore, who was wanting to be president after Clinton and was a pretty technically savvy guy. He understood that this position wasn't very good and he wanted to curry favor with this growing Silicon Valley group of companies. Ultimately what happened, the government decided that they were not going to keep encryption on the Munitions List anymore.
JACK: On November 15, 1996, Bill Clinton signed Executive Order 13026 which removed encryption from the Munitions List. The Executive Order also moved who oversees encryption from the US State Department to the US Department of Commerce. Signing the Executive Order was a major victory for the civil rights activists.
CINDY: I'm sure that we had a party because we always had parties back then. I'm sure that we did. I think there was much champagne and we were really happy about it. We were a little nervous that they would backtrack. We actually had some meetings with the government about it and ultimately I flew to DC and we had some meetings with them to settle on exactly what this was going to look like.
JACK: Actually, it turns out the government was still holding a position on the battlefront. See, the government was still requiring you to get a license for encryption and still regulated it.
CINDY: The government only licensed 40-bit DES. They said you can have all the encryption you want as long as it's 40-bit which is a little like saying you can have all the security you want as long as there's nothing but a really weak lock on your door. It was becoming obvious that people needed more encryption than something that was stronger encryption than just 40 bits.
JACK: Because encryption was limited to only 40 bits in length it severely limited how secure our computers could be. There were numerous stronger cyphers available but under government regulation this was not allowed to be used. A company called RSA Security sponsored a DES challenge. They offered a reward for anyone who could crack the DES cypher. In 1997 a group found a way to brute-force and crack a DES message. It took them 39 days to decipher the message. Cryptographers thought this would be enough for the government to allow people to use stronger encryption but that didn't happen. NIST, the National Institute of Standards and Technology, still considered DES to be safe. The government downplayed the issue by saying 39 days to crack the code was too long of a time for it to be a significant threat.
CINDY: One of the things that happened as a result of this weird disconnect is that EFF created a tool called the DES Cracker. They still exist. It was a hardware tool that basically, very cheaply, could break DES. The reason to do that was to demonstrate that the government wasn't being straight with people about how secure the technology was and that we needed to move to a more secure government standard. DES is a government standard. If you're going to sell to the government or you're in the financial industry you need to be licensed by the government.
JACK: The EFF called this tool Deep Crack and could crack a DES message in just 56 hours. But still, the government did not change their stance on DES and still continued to endorse it. A few months after that the EFF and the winners of the first DES challenge joined together to develop an even faster way to crack DES. They were able to crack a message in just 22 hours.
CINDY: We did it because we weren't getting anywhere with the government. They were pretending, again, continuing to pretend that the emperor had clothes on when we were pointing out that the emperor didn't have any clothes. What EFF built was completely available for bad guys to build all over the world. We didn't create anything. We just demonstrated to the public what was long-known privately which was any bad guys with access to really straightforward, off the shelf technology could build something that would break the security that all these financial institutions were relying on to protect our money.
JACK: This was the [00:25:00] last battle of the war. Once someone could crack a DES message in under a day, the US government agreed it was no longer secure. They released a new cypher called Advanced Encryption Standard, or AES. AES used 120-bit strength and was far superior to the 40-bit DES. They also allowed triple DES which was a stronger version of DES. By 1999 all court cases were dropped by the US government and new, stronger encryption methods were allowed. By the year 2000 the government stopped requiring licensing or restricting key lengths altogether.
People were now allowed to encrypt their communication with as strong of encryption method as they wanted. Businesses were able to utilize the most cutting-edge encryption to secure their transactions and data. Of course, Phil Zimmermann could publish his code online and Peter Junger could accept nine US students in his class that talks about cryptography. By the year 2000 the first set of the Crypto Wars were over, marking a major victory for our civil rights. We are now safer and our privacy is more protected because of it. We have these internet crypto warriors to thank for paving the way for our privacy and security.
CINDY: I think personally, it's the thing I'm most proud of, that I've accomplished by working with EFF. I think EFF has done lots of other things but I had such a central role in this. I'm very, very proud of the work that we did. I think we set up today's internet to be a place where people have the right to have strong security.
JACK: But this story's not over. This is just the story of the first Crypto Wars. Shortly after this the government began attacking crypto in new ways which went entirely undetected for a long time. But that's a story for another time. People ask me if I think we're becoming more secure or less secure online over time. After researching this episode I definitely think we're becoming more secure because once crypto was allowed at any strength on the internet, it opened up the doors for websites to encrypt their whole website and not just a log-in page or a credit card page. More and more websites are going full HTTPS, making all of their communication to it private. The EFF creates tools like HTTPS everywhere, which is a browser plug-in to allow us to use HTTPS where available. What's more is when strong encryption is showing up in our everyday lives without us even knowing it's there.
We don't even have to enable it and in fact, we can't disable the encryption even if we wanted to. For instance, Facebook uses a protocol called Signal to do end-to-end encryption of their messaging service. PGP had a hard time getting mass adoption because it was hard to use but now even the most technologically illiterate people are using strong encryption when talking with their friends on Facebook. When these strong encryption methods become integrated into our lives in ways that make it easy for us to use, we become safer and our privacy is protected. Encryption is becoming more seamless and more integrated in so many products.
Yes, a lot of technology we use every day still isn't using good security practices like text messaging and standard phone calls. But there are still major wins in the name of privacy and online security that happen all the time. We'll never become fully safe and secure online because it's simply a hostile environment but we can stay vigilant and speak up when we feel our privacy and security is not being looked after. When enough of us raise our voices, we can win the next Crypto War.
JACK (OUTRO): [OUTRO MUSIC] You've been listening to Darknet Diaries. For show notes and links check out darknetdiaries.com. There you'll be able to see a picture of the Clipper Chip and Deep Crack. Music in this episode is provided by Ian Alex Mac and Kevin MacLeod.
[OUTRO MUSIC ENDS]
[END OF RECORDING]
Transcription performed by Leah Hervoly