

Cryptography Restrictions


The first argument for restrictions on the use of cryptography is usually that only people with something to hide would need to use it. The problem with this is that, as stated, it's completely true: only people with something they want to keep others from seeing would need cryptography. The problem is the unspoken second part of the argument, that only criminals, terrorists and the like have anything to hide. A moment's thought will reveal that this isn't so.

On a personal level, think about your checkbook. Would you want anyone but yourself to be able to look at what checks you'd written to whom and for how much? How about the message you wrote to your spouse giving your honest opinion of your boss? Would you want that landing in the hands of said boss? How many things on your computer would you rather the kids not be able to get into?

On a professional and business level, how often does a business have to send confidential information via e-mail these days? Do you really want the details of a bid or contract getting into the hands of your competition due to a glitch in the e-mail system? Then there's internal e-mail. Your sysadmins have the power to read any message going through the e-mail system. Aren't there sometimes things you'd not want them reading even though they're physically capable of it? Like, for example, the summary of all the salaries in the company compared against the industry average that Personnel drew up and sent to the CEO. And what about people like lawyers and doctors, who have confidential client and patient records that they don't want to risk even accidentally wandering off in a readable form?

The second argument is usually something about protecting the children or being able to catch pornographers, terrorists and the like, and that we need to keep unbreakable cryptography from even possibly getting into their hands lest they use it to conceal the evidence of their crimes.

The first rebuttal to this is on purely technical grounds. Free clue, guys: the bad guys already have it. United States laws don't apply to the other 99% of the world, and most of the cryptography these days is at least readily available if not actually being developed in other countries. The source code for PGP and tons of other strong cryptography is readily available for download, and you can bet that anyone who'd want to hide criminal activity has already downloaded it and is using it today. Sure, you can ban it now, but they'll still have their copies and you won't be able to shut down every server that carries the stuff in every country where the money these guys are paying speaks louder than the big bully of a superpower who wishes the rest of the world would go out of their way to make life easier for its police. Trying to restrict strong cryptography now will have the same results as trying to restrict alcohol did during Prohibition: the law-abiding people who you don't need to investigate won't use it, and the crooks who you could catch if they didn't have it will keep right on ignoring your rules and using it anyway.

The second rebuttal is a more philosophical one: who decided that making it easy for the police to catch criminals justified making all the law-abiding citizens give up part of their privacy? Suppose the government decided tomorrow that, since sometimes criminals use security-patterned envelopes to keep the authorities from getting a clue what's in a letter without opening it and giving the game away, nobody should be allowed to use envelopes that can't easily be seen through. Would you, as a law-abiding citizen, stand still for that? I didn't think so.

The third argument is that weak encryption of the 40- to 64-bit variety is strong enough for everyday use. This is provably false. 40-bit encryption is currently breakable in a few hours on a high-powered Pentium Pro machine. In less than 3 years, 56-bit DES encryption went from taking years to break to being breakable in a matter of a couple of days, thanks to the efforts of the Bovine Project and the Electronic Frontier Foundation. The software the Bovine Project wrote can go through hundreds of billions of 56-bit DES keys a second. The hardware that the EFF built cost them only a quarter-million dollars for the first model, and they figure that, now that the development expenses are done with, additional machines would only cost about $50,000 each. That's maybe 3-4 times the cost of a new car, easily affordable by many businesses and not out of reach for a fair number of individuals. 64-bit encryption takes longer, but the current numbers for the Bovine Project show it taking less than 5 years today to completely break it. If they follow the same pattern as for 56-bit DES, that should drop to a few months in the next couple of years, and to a few days before that 5 years is actually up. If the EFF adapts their hardware to the 64-bit ciphers, the time to break the encryption will drop even faster. Most 64-bit and weaker encryption is already breakable by anyone who's interested, and what's not will be in the very near future.

Having gotten to this point, the idea of key escrow is usually then advanced. The idea is that you can use strong encryption, but you have to give the government the keys to decrypt your messages first.

The first problem here is an economic and technical one. That escrow agency is the linchpin of the operation. It's got the keys to everyone's messages. The rule of thumb in security is that the amount of effort you can expect someone to expend getting through your security is proportional to the amount of gain they expect to get out of the break-in. It's significantly more profitable to break into a bank vault than a home, so burglars will be willing to spend money on special tools, explosives and the like for the bank heist that they wouldn't spend on a mere home robbery. Now, how much money do you think a criminal might be willing to spend to get the keys to every bank account in the country? Especially considering that he could, if he succeeds, resell the keys to other interested parties. Perhaps Ford Motor Company would be interested in the blueprints and marketing plans of all of its competitors for the next model year?

And how might our burglar get those keys? Well, he could just break in, but that would be a bigger risk than he needs to take. There have to be a fair number of people at the escrow agency who handle the keys. Out of those, there have to be a certain number who could be bribed. I'd think there'd have to be at least one or two who, if offered a couple of million dollars in cash and a one-way ticket to a South Pacific island with lots of gorgeous natives and no extradition treaty with the United States, would be willing to look the other way while our burglar grabbed a copy of the master files.

By concentrating all the keys in one place you make the return on the effort needed to get those keys much larger, and with that kind of return somebody will sooner or later (probably sooner) put forth that effort and succeed.

The second problem is also a philosophical one: who decided that the government should be given that kind of access without any regard for whether they'll need it or not? Suppose the government came along and said "We might need to investigate you for a crime, even though you haven't committed any yet and we have no reason to suspect you might in the future, so we want the authority to put a tap on your phone line now. We promise we won't actually listen to it until after we've discovered evidence linking you to a crime." Yeah, right. Pull the other one, it's got bells on. Would you really trust agencies like the IRS, or the BATF, or the LAPD, to play fair given their track records for not playing fair in the past? I think anyone who's had those agencies, or any law-enforcement officer, on their case for no good reason other than that the agency or officer doesn't like their attitude or their face or whatever would answer that with a resounding "NO!".

Not, mind you, that I really care much. This is the final problem with all the talk of restricting cryptography. I already have the following cryptographic software on my computer:

All of it has full-strength encryption algorithms beyond the ability of even governments to break for the next century or two, and none of it has any of the provisions in it that would make key escrow possible. If restrictions are put into place, I'll just go on using what I already have and ignore them. So will a huge number of other people. So will the criminals who these restrictions are supposed to keep from using it. What good are restrictions that restrict only the people you don't need to worry about?




tknarr@silverglass.org