Americans for Computer Privacy
Your privacy is at stake Home, Who we are, For press, Search Home Who we are For press Search
Encryption technology bolsters your privacy
Table of contents About Bills Questions Myths Glossary Resources Join

Join the Fight

Be ready to help fight for your right to privacy online when Congress acts. Join over 6500 Americans from all 50 states as an Individual ACP Member. (It's Free!)

Email:
5 digit zipcode:

Note: If you don't have a US zip code, please enter 20500 in the zipcode field above.

Our Privacy Policy



Myths vs. Reality on Encryption

Myth # 1: Strong encryption is not necessary to protect consumer privacy and ensure security on electronic networks.

Reality: In fact, encryption is a critical foundation of electronic transactions. Almost all transactions (involving sensitive data) conducted over the Internet are currently protected by strong 128-bit encryption. For example, 128-bit encryption is currently required by all major banks in order to conduct banking transactions over the Internet.

Myth # 2: The widespread use of encryption will leave Americans more vulnerable to crime and terrorism.

Reality: Actually the opposite is true. Strong encryption will help protect America from growing computer crime, fraud, and theft. Moreover, in a 1996 Presidential Commission report, the National Research Council, recognizing the vulnerabilities of the nation's critical infrastructure, called for the "broad use of cryptography Š" to meet today's information security needs.

Myth # 3: Encryption technology currently is controlled by the National Security Agency and law enforcement.

Reality: Encryption is not controlled by law enforcement. It is prevalent today and used regularly to protect bank records, financial transactions, e-mail, and medical records. State-of-the-art encryption is sold in the United States "over the counter" at thousands of retail outlets and over the Internet. Any attempt by the FBI to mandate a system in which "third parties" hold encryption "keys" would represent a substantial new limitation on an individual's ability to protect his or her privacy.

Myth # 4: The Fourth Amendment gives law enforcement the right to access your data and computer communications without your knowledge.

Reality: The Fourth Amendment establishes only a right of the people against unreasonable searches and seizures. It does not grant an affirmative power to the federal government ensuring reasonable and convenient access to evidence. The federal government has only the power to search - it does not have the right to find. Outlawing the use of encryption where no "key" is held by a "third-party" turns the Fourth Amendment inside-out. The police would have a "right to find" evidence, while the people would be jailed for best securing their "papers and effects." [more]

Myth # 5: The FBI's "key recovery" plan is workable.

The Administration and the FBI have proposed a "key recovery" infrastructure designed to enable law enforcement access to the plaintext of encrypted data and communications. Specifically, the FBI wants "immediate access to the plaintext of encrypted communications or electronic information without the knowledge or cooperation of the person using such product or service."

Reality: For today's commercially sold encryption products, the technology does not exist to provide "immediate access" to "communication without the knowledge of the user." (This can be roughly comparable to the FBI mandating compact disk quality sound recording in the days of the 45-RPM record.)

Myth # 6: Because law enforcement officers would be required to obtain a court order to view personal information without the owner's knowledge, innocent people are not at risk.

Reality: Law-abiding citizens are most at risk. Imagine a system where all citizens, not just criminals, would have to deposit a copy of their house key or a copy of their safe combination with a "trusted third party," just in case law enforcement ever wanted covert access to their private information. So-called "key recovery" gives the government and third-party key holders the ability to access the private data of every American -- well before a crime is committed or a court order is secured.

Myth # 7: "Trusted third parties" would ensure that encryption keys aren't misused.

Reality: "Key recovery" is an inherently insecure system because "keys" would be held by either "trusted third parties" or governments. Under such a system, security rests with the integrity of the institutions and individuals holding the "keys," not with the underlying technology. The 1996 National Research Council stated it best: "Escrowed encryption (encryption for which a "third party" holds a key) by design introduces a system weakness Š and so if the procedures that protect against improper use of that access somehow fail, information is left unprotected." No government policy can guarantee those "third parties" will be scrupulous with those "keys."

Myth # 8: Strong encryption is available only in the United States.

Reality: Strong, state-of-the-art, non-"key recovery" encryption is freely available abroad from major multinational corporations like Siemens and Brokat. Some foreign companies market unrestricted products as "stronger security than any U.S. company can provide."

Myth # 9: The Administration and the FBI have secured global support for their "key recovery" infrastructure.

Reality: Since the Internet is global, any "key recovery" technology scheme must be global AND interrelated. There is no global legal infrastructure to support "key recovery." In fact many countries have already decided not to participate. Currently, the OECD (26 countries) and the European Commission have both indicated opposition to a mandatory "key recovery" scheme. Moreover, despite the Administration's best efforts over a number of years, not one bilateral or multilateral agreement has been reached regarding the global exchange of encryption keys.

Myth # 10: Current U.S. export controls are constitutional.

Reality: This is not a settled matter. Today's export controls may be unconstitutional as "prior restraint" of speech under the First Amendment. The District Court in the Northern District of California has already held that the current export control regulations are unconstitutional.


webmaster@computerprivacy.org  |  © 1998 - 2003 Americans for Computer Privacy  |  Site Credits  |  Privacy Policy

powered by Photofunia