1. Encryption and Globalization Professor Peter Swire IP Scholars Conference Chicago August 11, 2011

2. Overview Task: Update and explain why good encryption law/policy matters, 12 years after U.S. crypto wars ended Outline of paper: – India and China update – From wiretaps to the Internet Importance of strong crypto to the Internet – 2 arguments for strong crypto in globalized setting Crypto helps cybersecurity Least trusted country problem – Answer 3 objections made by those who oppose strong crypto – A proposed way to reconcile CALEA (foster wiretaps) and strong crypto (limits effectiveness of wiretaps)

3. India 40 bit legal limit on key length, since 90s Mumbai attack, 2008 RIM and newly vigorous enforcement Security agencies insist on ability to wiretap in real time Waiting for new policy – Maybe key escrow – Maybe new import license restrictions

4. China Encourage domestic crypto – Soft law that encryption ok only if it is not the “core function” Microprocessors, PCs, mobile phones OK VPNs are not OK, “core function” is crypto Great uncertainty about meaning of “core function” – China is trying to require home-grown encryption for hardware and software Lack of peer review to date of their algorithms – A goal appears to be to spread those algorithms throughout China and then into global supply chain

5. Background Part of Paper Paper gives background for those new to the debate: – Intro to wiretaps, for phone and online – Intro to encryption Categories of attacks/vulnerabilities – History of crypto wars in the 1990s Administration changed position in 1999, can export strong crypto Lessons learned, apply to the globalized debate today

6. Bob ISP Alice ISP %!#&*YJ#$ &#^@% Hi Bob! Internet: Many Nodes between ISPs Alice Bob %!#&*YJ#$ &#^@%

7. Problems with Weak Encryption Nodes between A and B can see and copy whatever passes through Brute force attacks became more effective due to Moore’s Law; 40 bits was already breakable in mid-90’s From a few telcos to many millions of nodes on the Internet – Hackers – Criminals – Foreign governments – Amateurs Strong encryption as feasible and correct answer – Scaled well for many applications (SSL, HTTPS, in chips) as Internet users went over one billion

8. I. Crypto Essential to Cybersecurity Public awareness of cybersecurity grown a lot since 1999 Increasing importance of computing & thus cybersecurity Crypto deeply embedded in modern computing: – SSL, HTTPS, VPNs, Skype/VOIP, Bitlocker, etc. Offense is ahead of the defense – The world is our bad neighborhood – Defense and the weakest link problem – Crypto as perhaps the largest category for effective defensive – Don’t play cybersecurity with two hands tied behind your back

9. II. The Least Trusted Country Problem 1990’s Clipper chip debate – Many expressed lack of trust in government access to the keys Globalization and today’s encryption debate – What if a dozen or 50 countries with the keys, or enforced crypto limits? – What if your communications in the hands of your least trusted country? India/Pakistan; China/Taiwan; Israel/Iran – Don’t create security holes in global Internet, especially for billions of people

10. Responses to Common Concerns “They” have a backdoor “Going dark” vs. “golden age of encryption” – Paper concludes the latter is more accurate Trade policy and domestic industry

11. Possible Topics for Questions/Discussion Lessons from the Crypto wars of the 1990’s Strong crypto and insecure channel of the Internet Crypto as important to cybersecurity Least trusted country problem Backdoors to “them” as excuse for limits on encryption Going dark vs. modern surveillance advantages Others?