Encryption advocates fear new laws

By Anick Jesdanun
Associated Press

Stanton McCandlish, chief communications officer of the CryptoRights Foundation, helps encourage and train human rights workers to protect their online communications with data-scrambling technology. Associated Press

Draft legislation circulating at the Justice Department would extend prison sentences for scrambling data in the commission of a crime, something encryption advocates fear would achieve little in catching criminals — and hurt legitimate uses of cryptography.

"Why should the fact that you use encryption have anything to do with how guilty you are and what the punishment should be?" said Stanton McCandlish of the CryptoRights Foundation, which teaches human-rights workers to use encryption. "Should we have enhanced penalties because someone wore an overcoat?"

Such law enforcement tools sought after the Sept. 11 attacks are expected to be among top discussion items at the annual Computers, Freedom and Privacy conference that begins tomorrow in New York.

The measures are sought by police and intelligence agents who worry criminals who use encryption will plan crimes that will be tougher to solve or prevent.

Law enforcers hope the threat of added penalties — as much as five years for the first offense and 10 years after that — would make criminals think twice before scrambling their messages.

"If you went the extra step to keep us from getting evidence, you should pay an extra price," said Jimmy Doyle, a former computer crimes investigator with the New York Police Department.

It's not the first time encryption has been under assault.

For years, the government restricted the export of high-strength encryption. It also sought to require developers to create a back door and hand investigators a set of keys upon request.

Encryption advocates — supported by the technology industry — resisted and thought they had won in September 1999 when the Clinton administration relaxed export controls.

Then came Sept. 11.

The new proposal is part of legislation dubbed Patriot II, a sequel to the 2001 USA Patriot Act, which gave law enforcers broad new powers.

Attorney General John Ashcroft has said any draft circulating in the Justice Department is far from official policy and has yet to be submitted to Congress. But when he was a senator, Ashcroft in 1998 introduced a similar bill, which never passed.

The latest proposal would apply only to individuals who willfully and knowingly use encryption to commit a federal felony.

But critics worry the language could cover almost all conduct online as encryption gets incorporated in Web browsers for e-commerce, virtual private networks for telecommuters and other day-to-day applications.

A mistake on an electronic tax return could mean longer prison terms, warns Mark Rasch, a former Justice Department computer crimes prosecutor.

In the extreme, someone who neglects to pay a state tax for online shopping — few people do — could be prosecuted for federal mail fraud and face five extra years "for avoiding two dollars worth of taxes," Rasch said.

Rasch and other crypto-rights advocates add that encryption would help stop crime by making it harder to steal passwords or break into computers.

Many question whether such a law would even work.

"You have to be intentional about using encryption, and that's a tricky thing to prove," said Stewart Baker, a former National Security Agency counsel now in private law practice. "I see this provision as largely symbolic rather than effective."