For decades, the U.S. government restricted the public
use of high-strength encryption, and particularly its export from the
United States, to protect its own surveillance of American citizens and
foreign entities. Steven Levy, Newsweek's technology columnist and author
of the recently published Crypto, has covered the 20-year battle between
civilian cryptographers and government agencies over the public's right
to privacy. He's seen the demands of the Internet and electronic commerce
finally lead to the Clinton administration's easing of restrictions in
September 1999.

PCW: Why do we need encryption?
LEVY: Thirty years ago we didn't need it as much because
we weren't communicating so much in such open channels. But with e-mail
... and cell phones ... it's important to communicate in a way that unwelcome
people can't hear us.... [And] cryptography gives us the tool that enables
us to be able to do commerce and other stuff in cyberspace.... So it really
becomes essential to have something like this in place.
PCW: You write about the Penet case in Finland in 1995
in which the Church of Scientology went after a remailer service for allowing
a critic of the church to anonymously post church documents on the Net.
The Finnish government concluded that e-mail shouldn't have the same protection
as postal mail and phone calls. Why do you think it has taken so long
for electronic mail to be recognized as deserving the same protection
as regular mail?
LEVY: Well, in some cases it still isn't really recognized....
For instance, if you send something in the mail from your place of employment,
your employer would have the right to open your mail.
PCW: Do you think that we'll begin to see company policies
and perhaps legislation to let employers prevent employees from using
encryption when sending personal mail through a work computer?
LEVY: I think ... employers will demand that people use
their company's keys, and you won't be able to communicate privately in
a way that your employer can't read it.
PCW: You make the claim that everyone is entitled to
privacy. But should that really be the case?
LEVY: There's not a privacy amendment in the Constitution,
but justices have acknowledged that there is something akin to a right
of privacy to a certain degree. I certainly think you start off with the
premise that people are entitled to privacy, and there are cases where
it's reasonable to say, "Well, in this case, you're not entitled
to privacy." You could argue that felons in prison aren't entitled
to many of the privacy rights that people outside have. People under suspicion
or who have a warrant against them ... shouldn't have the privacy that
people who aren't under suspicion have.
PCW: In your book, you talk about the "Four Horsemen
of Apocalypse"--drug dealers, kidnappers, child pornographers, and
terrorists--who are the unintentional beneficiaries of encryption. You
also quote Phil Zimmermann as saying that "all technology has trade-offs."
Is encryption for terrorists and criminals the trade-off for the rest
of us to have privacy?
LEVY: If you accept that it's a reasonable thing to build
encryption into systems--to let people in general take advantage of it--then
you acknowledge that this is going to benefit criminals, too. But there
are things that you can do to mitigate the benefit that criminals have.
There are ways to track the way people communicate without knowing the
content of their communications, and maybe there are ways the government
can try to crack those codes.... [For instance,] you can [require] that
some people who use encryption have to make their keys available.
PCW: But encryption has been let out of the bag and is
widely available. How do you now address the fact that people who shouldn't
have encryption already have it? How do you change that?
LEVY: You can't change that. You can outlaw guns ...
but if someone wants to break the law and get a gun and is highly motivated
to do so, they're going to get a gun. Now in the case of [encryption]
software ... you can make it more difficult for them to use that ... but
the fact is, the stuff's out there. It's a reality that law enforcement
and national security agencies have to deal with, and to some degree they're
beginning to adjust to it.
PCW: But haven't we stacked the cards against law enforcement
and the nation's defense forces by opening encryption to everyone?
LEVY: I don't necessarily think so.... [J]ust because
they might not be able to listen to a phone conversation and read e-mail
as easily doesn't mean that ... they're not going to get a wealth of new
information. Take, for instance, cell-phone tracking: There's a good possibility
that they will be able to find out where everyone is as people talk over
the phone. That's real valuable information that is going to be very helpful
to them.
PCW: Yes, but certainly not as valuable as if they had
written words and could hear the phone conversation.
LEVY: Well, recently there was a case in Philadelphia
where a mobster was using PGP [Pretty Good Privacy], and [investigators]
managed to get a keyboard sniffer in there which read the password, and
they got everything... My point is that the march of technology should
not be dictated by [the government's desire] to maintain the exact same
methods they used to use to gather information.
PCW: So you don't think that now that we've fought so
hard to get encryption public that it leaves the door wide open, that
it's going to lead to anarchy as the government feared?
LEVY: No. This vision of crypto anarchy is in a way as
misguided as the government's belief that they could stop this thing....
Cryptography might present more of a challenge for law enforcers or tax
collectors, but they can [still] get you.
PCW: What is the future?
LEVY: We're going to get cryptography built into a number
of systems over the next few years. There are some knotty problems involved
in this in terms of infrastructure.... There's still work to be done,
and [work] in making this stuff ubiquitous... There are hurdles, but we
can start addressing these things now that the main hurdle has been largely
removed. I think we're going to see digital cash happen eventually and
digital signatures become common.
PCW: So how long before we'll reach the point where pretty
much everyone is using encryption for their important correspondence?
LEVY: It could happen within five years.
PCW: Is stronger encryption a key to defeating hackers?
LEVY: Certainly it's helpful. One thing we can do right
now is make sure that e-commerce locations that store information that
could be accessed by the Internet--even if it's password-protected--store
these things in encrypted format to take that extra step so that if someone
does break into the system, [they] can't get hold of it.
PCW: You talked about a future of quantum computers that
could break our encryption codes, and you quote Edgar Allan Poe as saying
that no code is impervious to cracking. Are we standing on the cyberspace
equivalent of landfill by putting too much stock in encryption?
LEVY: No.... There is quantum cryptography as well as
quantum computers, and quantum cryptography would protect you from the
quantum computer. So basically it's an arms race. Obviously ... you can't
get complacent and say that today's cryptography will protect us forever,
but you can with some confidence say that every step of the way there
will be strong codes to protect you from state-of-the-art means of
cryptanalysis.
PCW: You imply that the blame for the lack of security
on the Internet today lies with the government's resistance to stronger
public encryption.
LEVY: Not solely. The Internet was not built with security
in mind. So we started off with a problem: How do you secure something
that is by its nature open? But I think the government exacerbated the
situation by taking the stance it did.
PCW: What could the government have done differently?
LEVY: They could have recognized earlier that there's
arguably an equal national security interest in securing the Internet
with cryptography as there is in preserving our ability to listen in on
other people by suppressing public cryptography. We would have been maybe
a couple of years ahead of where we are now in security.
PCW: Is it fair to say that e-commerce saved the day
for encryption?
LEVY: I think it certainly helped. It was the cavalry
riding in.
PCW: It's interesting to note that the impetus for relaxing
the regulations was economic.
LEVY: Yes, but it went hand in hand with the idea that
we weren't going to put our nation at risk by doing it. Where the motivation
was economic, the argument was that this is something that is economically
beneficial and in excess of whatever drawbacks might come with it.
PCW: So you don't think they sold us out for big business?
LEVY: I don't think so, because this stuff is good for
securing the economy, and for securing the infrastructure. So at a certain
point the disaster scenarios became just as scary from not using cryptography
as they did for using it.