With apps like WhatsApp and Signal, many of us take having encrypted communications in our pockets for granted. But it wasn’t always that way. Various governments keep proposing new laws to try and ban or backdoor encryption—like the EARN IT Act or the Online Safety Bill—so such easy access to encrypted communications might not be something that’s around forever.
We’re preaching to the choir when we say that these proposed laws are generally terrible. They would have profoundly negative effects on the security and privacy of both our work and personal lives. Good luck protecting your organization’s financial data, business secrets, or Protected Health Information if they end up banning encryption.
But the forces of security and sanity have beaten back government overreach before, and hopefully they will be able to keep doing so. Let’s take a trip down memory lane and look at the battles to bring encryption to the public, the so-called Crypto Wars.
The history of encryption
Let’s begin by setting the scene. Encryption has been around in simple forms for thousands of years, with the simple Caesar Cipher being one of the most prominent early examples. Throughout history, it was mostly used to protect military and government secrets, because it wasn’t overly practical for everyday use.
Over time, people got better at cracking codes, so more complicated encryption algorithms were developed in an attempt to keep data safe. The field blossomed in the twentieth century, with advances like the Enigma Machine and the Data Encryption Standard (DES). These days, we mostly use the Advanced Encryption Standard (AES) for symmetric-key encryption.
Despite this rapid development, up until the last few decades, encryption and other cryptographic techniques were still too unwieldy to protect normal people’s information. But there were other mechanisms that were able to perform similar roles. We could keep our letters confidential by wrapping them in envelopes. If it was really important, we could add our personal seal—if it was broken then the recipient would at least know that it had been read. For higher level secrets, we could use trusted couriers to send the information.
When it came to analog phone communication, it was always possible to intercept it, but an attacker would have to physically insert themselves into the line and wiretap it. It simply wasn’t that practical for too many people to snoop, except for a nosy operator or the police, who were supposed to obtain a warrant beforehand.
None of the early protection techniques were perfect, but they gave some semblance of privacy to our communications. With the rise of digital communications, all of a sudden, we had loads of sensitive data zipping around, and much of it could be easily intercepted. It was time for cryptography to be deployed worldwide.
Export controls on cryptography
Historically, cryptographic techniques had been subject to export controls in the U.S. This may seem like a strange thing until you consider just how important cryptography is on the battlefield. It’s also helpful for nation-states as they spy on each other and jockey for power. If you can read your enemy’s communications, but they can’t read yours, it gives you a huge advantage. With this in mind, it’s understandable why a country would want to place export controls on cryptography.
Challenging the law
As technology developed and life started to turn digital, the situation began to change dramatically. In the early nineties, Phil Zimmermann released the PGP encryption system and it spread rapidly through the Internet.
The U.S. authorities were not fans of Zimmermann unleashing encryption into the wild, and he became the subject of a criminal investigation for exporting cryptography without a license. He faced a lengthy sentence, but had an ingenious tactic up his sleeve.
Exporting PGP may have been illegal, but publishing books is protected under the First Amendment as free speech. He ended up publishing the PGP source code as a book, which technically made the software available anywhere in the world. This put the U.S. authorities in a complicated position, because the First Amendment is sacrosanct, but the export restrictions on cryptography were critical for the country’s military and geopolitical interests.
Fighting in the courts
Zimmermann’s investigation was ultimately dropped, so he never faced court and his particular case was never tried. But in 1995, Daniel J. Bernstein, now a famed cryptographer and computer scientist, put the underlying principle to the test.
Still a student at the time, he wished to publish the source code of an encryption system he had developed called Snuffle. With assistance from the Electronic Frontier Foundation (EFF) and a host of lawyers, he brought a case against the Department of Justice. After four years and multiple hearings, the Ninth Circuit Court of Appeals eventually ruled that code was protected under the First Amendment. A case brought by Peter Junger also led to a similar ruling by the Sixth Circuit Court of Appeals in 2000. This meant that the regulations blocking the publication of cryptographic code like Snuffle and PGP were unconstitutional.
Eventually, the U.S authorities had to back down, and they weakened the restrictions on cryptography throughout the late 1990s and early 2000s. While encryption software like Signal and WhatsApp can now be freely shared across the world, there are still some export restrictions on cryptography, and certain cryptographic technologies still require a license for export.