What if your research could help solve a looming national problem, but government officials thought publishing it would be tantamount to betrayal? A Stanford professor and his graduate students found themselves in that situation 37 years ago, when their visionary work on computer privacy issues ran afoul of the National Security Agency. At the time, knowledge of how to encrypt and decrypt information was the domain of government; the NSA feared that making the secrets of cryptography public would severely hamper intelligence operations. But as the researchers saw it, society’s growing dependence on computers meant that the private sector would also need effective measures to safeguard information. Both sides’ concerns proved prescient; their conflict foreshadowed what would become a universal tug-of-war between privacy-conscious technologists and security-conscious government officials.
A Controversial Symposium
The International Symposium on Information Theory is not known for its racy content or politically charged presentations, but the session at Cornell University on October 10, 1977, was a special case. In addition to talks with titles like “Distribution-Free Inequalities for the Deleted and Holdout Error Estimates,” the conference featured the work of a group from Stanford that had drawn the ire of the National Security Agency and the attention of the national press. The researchers in question were Martin Hellman, then an associate professor of electrical engineering, and his students Steve Pohlig, MS ’75, PhD ’78, and Ralph Merkle, PhD ’79.
A year earlier, Hellman had published “New Directions in Cryptography” with his student Whitfield Diffie, Gr. ’78. The paper introduced the principles that now form the basis for all modern cryptography, and its publication rightfully caused a stir among electrical engineers and computer scientists. As Hellman recalled in a 2004 oral history, the nonmilitary community’s reaction to the paper was “ecstatic.” In contrast, the “NSA was apoplectic.”
The fact that Hellman and his students were challenging the U.S. government’s longstanding domestic monopoly on cryptography deeply annoyed many in the intelligence community. The NSA acknowledged that Diffie and Hellman had come up with their ideas without access to classified materials. Even so, in the words of an internal NSA history declassified in 2009 and now held in the Stanford Archives, “NSA considered the [Diffie-Hellman] technique as classified. Now it was out in the open.”
The tension between Hellman and the NSA only worsened in the months leading up to the 1977 symposium. In July, someone named J. A. Meyer sent a shrill letter to the Institute of Electrical and Electronics Engineers, which had published Hellman’s papers and was holding the conference. It began:
“I have noticed in the past months that various IEEE Groups have been publishing and exporting technical articles on encryption and cryptology—a technical field which is covered by Federal Regulations, viz: ITAR (International Traffic in Arms Regulations, 22 CFR 121-128).”
Meyer’s letter asserted that the IEEE and the authors of the relevant papers might be subject to prosecution under federal laws prohibiting arms trafficking, communication of atomic secrets and disclosure of classified information.
Without naming Hellman or his co-authors, Meyer specified the issues of IEEE’s Transactions on Information Theory journal and Computer magazine in which Hellman’s articles appeared. Meyer concluded ominously that “these modern weapons technologies, uncontrollably disseminated, could have more than academic effect.”
Meyer’s letter alarmed many in the academic community and drew coverage by Science and the New York Times for two main reasons. First, the letter suggested that merely publishing a scientific paper on cryptography would be the legal equivalent of exporting nuclear weapons to a foreign country. If Meyer’s interpretation of the law was correct, it seemed to place severe restrictions on researchers’ freedom to publish. Second, Deborah Shapley and Gina Kolata of Science magazine discovered that Meyer was an NSA employee.
As soon as Hellman received a copy of the letter, he determined that continuing to publish might put him and his students in legal jeopardy, so he sought advice from Stanford University counsel John Schwartz.
In his memo to Schwartz, Hellman made a lucid case for the value of public-domain cryptography research. Astutely, Hellman first acknowledged that the U.S. government’s tight control over cryptographic techniques proved enormously useful in World War II: Allied forces used confidential cryptographic discoveries to improve their own encryption systems while denying those same cryptographic benefits to Axis powers. Even so, Hellman argued that circumstances had changed.
“[T]here is a commercial need today that did not exist in the 1940’s. The growing use of automated information processing equipment poses a real economic and privacy threat. Although it is a remote possibility, the danger of initially inadvertent police state type surveillance through computerization must be considered. From that point of view, inadequate commercial cryptography (which our publications are trying to avoid) poses an internal national security threat.”
In the memo, Hellman described how his earlier attempts to avoid “stepping on [the] toes” of the NSA failed when the agency’s staffers would not even disclose which areas of cryptography research Hellman should avoid.
Responding to Hellman a few days later, Schwartz opined that publishing cryptography research would not in itself violate federal law. His findings had a strong legal basis: Two regulations governed classified information in the United States at the time—an executive order and the Atomic Energy Act of 1954—and neither seemed to prevent the publication of unclassified research on cryptography.
There was only one other likely legal tool that the federal government could use to prevent the Stanford group from disseminating their work: the Arms Export Control Act of 1976, which regulated the export of military equipment. Under a generous interpretation of the law, giving a public presentation on cryptographic algorithms could constitute “export” of arms. It was not clear, however, that a prosecution under this act would stand up to a legal challenge on First Amendment grounds.
Evaluating these laws together, Schwartz concluded that Hellman and his students could legally continue to publish. At the same time, Schwartz noted wryly, “at least one contrary view [of the law] exists”—that of Joseph A. Meyer. Hellman later recalled Schwartz’s less-than-comforting informal advice: “If you are sued, Stanford will defend you. But if you’re found guilty, we can’t pay your fine and we can’t go to jail for you.”
The Cornell symposium was to begin three days after Schwartz offered his legal opinion; Hellman, Merkle and Pohlig had to quickly decide whether to proceed with their presentations in spite of the threat of prosecution, fines and jail time. Graduate students typically present their own research at academic conferences, but according to Hellman, Schwartz recommended against it in this case. Since the students were not employees of Stanford, it might be more difficult for the university to justify paying their legal bills. Schwartz also reasoned that dealing with a lengthy court case would be harder for a young PhD student than for a tenured faculty member. Hellman left the decision up to the students.
According to Hellman, Merkle and Pohlig at first said, “We need to give the papers, the hell with this.” After speaking with their families, though, the students agreed to let Hellman present on their behalf.
In the end, the symposium took place without incident. Merkle and Pohlig stood on stage while Hellman gave the presentation. The fact that the conference went ahead as planned, Science observed, “left little doubt that the work [in cryptography] has been widely circulated.” That a group of nongovernmental researchers could publicly discuss cutting-edge cryptographic algorithms signaled the end of the U.S. government’s domestic control of information on cryptography.
The View from Fort Meade
Vice Adm. Bobby Ray Inman took over as director of the NSA in the summer of 1977. Inman was an experienced naval intelligence officer with allies in both political parties. If his qualifications for the job were good, his timing was not. He had barely warmed his desk chair when he was thrust into the center of what he recently described as “a huge media uproar” over the J. A. Meyer letter—written the very first day of Inman’s tenure.
Although Inman was concerned about the impact that publication of these new cryptographic techniques would have on the NSA’s foreign eavesdropping capabilities, he was also confused. As he explained, the primary users of cryptographic equipment in the 1970s were governments. Apart from that, “the only other people early on . . . who were buying encryption to use were the drug dealers.” Since the NSA already had “incredibly able people working on building the systems to be used by the U.S. government” and the NSA had no interest in protecting the communications of drug dealers, Inman wanted to find out why these young researchers were so focused on cryptography.
In the tradition of intelligence professionals, Inman set out to gather some information for himself. He went to California to meet with faculty members and industry leaders at Berkeley, Stanford and elsewhere. Inman quickly discovered that the researchers at Stanford were designing cryptographic systems to solve an emerging problem that was not yet on the NSA’s radar: securing the growing number of commercial computer systems, which were subject to attack or compromise. The researchers’ position, Inman said, was that “there’s a whole new world emerging out there where there’s going to need to be cryptography, and it’s not going to be provided by the government.”
Martin Hellman recently recounted their conversation in similar terms: “I was working on cryptography from an unclassified point of view because I could see—even in the mid-’70s—the growing marriage of computers and communication and the need therefore for unclassified knowledge of cryptography.” Inman realized that the California academics saw strong public cryptographic systems as an important piece of a functioning technological environment.
Still, Inman was not excited about the prospect of high-grade encryption systems being available for purchase, especially abroad. “We were worried that foreign countries would pick up and use cryptography that would make it exceedingly hard to decrypt and read their traffic.”
The level of public excitement surrounding the recent cryptography work made growth in the field of unclassified cryptography almost inevitable. In August 1977, Scientific American had published a description of the new RSA cryptosystem devised by Ron Rivest, Adi Shamir and Leonard Adleman of MIT. According to Steven Levy’s 2001 book Crypto, the researchers offered a copy of a technical report describing the scheme to anyone who would send a self-addressed stamped envelope to MIT. The authors received 7,000 requests.
To reckon with the growing threat of unclassified cryptography, Inman convened an internal NSA panel for advice. As recounted in the declassified NSA history, the panel gave Inman three stark choices for how to deal with the publication of cryptography research:
(a) Do nothing
(b) Seek new legislation to impose additional government controls
(c) Try non-legislative means such as voluntary commercial and academic compliance.
The panel concluded that the damage was already so serious that something needed to be done.
NSA records and Hellman’s recollection both suggest that Inman first tried to get a law drafted to restrict cryptographic research, along the lines of the Atomic Energy Act. For political reasons, the NSA history says, Inman’s proposed bill was “dead on arrival.”
“Congress [wanted to] unshackle U.S. commerce from any sort of Pentagon-imposed restriction on trade,” the history ruefully recounts, and the Carter administration “wanted to loosen Pentagon control of anything, especially anything that might affect individual rights and academic freedom.”
Even if Inman could get a bill through Congress, Hellman said, the First Amendment would make it difficult to prevent researchers from speaking publicly about their work. If they didn’t publish their papers, “they’ll give 100 talks before they submit it for publication.”
As a sort of last-ditch effort at compromise, Inman organized a voluntary system of prepublication review for cryptography research papers. A number of other scientific journals have attempted a similar system in recent years. “That’s really the best anyone has been able to come up with,” said Steven Aftergood of the Federation of American Scientists, an expert on government secrecy.
The review process was used for a decade, but Inman recalled that it eventually “fell apart” because of “the explosion of . . . uses” for cryptography. As the world underwent a digital revolution, there was an accompanying “revolution in cryptography,” just as Diffie and Hellman had predicted in 1976.
Aftermath
It is tempting to view the outcome of the conflict between the Stanford researchers and the NSA as an unequivocal triumph for freedom of speech and the beginning of the democratization of the tools of cryptography. There is a grain of truth in this characterization, but it misses the larger effect the run-in had on the academic cryptography community and on the NSA.
Hellman and other academic researchers realized they could win the debate, as long as it took place in public. Newspapers and scientific journals found it much easier to sympathize with a group of quirky and fervent academics than with a shadowy and serious-faced intelligence agency. The issue of First Amendment rights, Hellman recalled in 2004, also gave the press and the researchers a common cause. “With the freedom of publication issue, the press was all on our side. There were editorials in the New York Times and a number of other publications. Science, I remember, had covered our work and was very helpful.”
From the other side, NSA officials realized they would have a difficult time getting public support to suppress publication of what they considered dangerous research results. They turned instead to two aspects of nongovernmental cryptography over which they had near-total control: research funding and national standards.
As of 2012, the federal government provided 60 percent of U.S. academic research and development funding. By choosing which projects to fund, grant-giving government agencies influence what research takes place.
Even before the 1977 Symposium on Information Theory, the NSA reviewed National Science Foundation grant applications that might be relevant to signals intelligence or communications security. The purported reason for these reviews was for the NSA to advise the NSF on the proposals’ “technical merits,” but the agency appeared to use this process to exercise control over nongovernmental cryptography research.
For instance, the NSA reviewed and approved an NSF grant application from Ron Rivest. Later, Rivest used the funds to develop the enormously influential RSA cryptosystem, which secures most encrypted Internet traffic today. An internal NSA history suggests that the agency would have tried to derail Rivest’s grant application if the reviewers had understood what Rivest would do with the money. The NSA missed this opportunity, the history grumbles, because the wording of Rivest’s proposal “was so ambiguous that the Agency did not spot the threat” posed by the project.
In 1979, Leonard Adleman (another member of the RSA triumvirate) applied to the NSF for funding and had his application forwarded to the NSA. According to Whitfield Diffie and Susan Landau’s 2007 book, Privacy on the Line, the NSA offered to fund the research in lieu of the NSF. Fearing that his work would end up classified, Adleman protested and eventually received an NSF grant.
Even though the NSF appears to have maintained some level of independence from NSA influence, the agency likely has had greater control over other federal funding sources. In particular, the Department of Defense funds research through the Defense Advanced Research Projects Agency (DARPA), the Office of Naval Research, the Army Research Office and other offices. After the run-in with the academic community in the late 1970s, the NSA history states that Vice Adm. Inman “secure[d] a commitment” that the Office of Naval Research would coordinate its grants with the NSA. Since funding agencies often need not explain why they have rejected a particular grant proposal, it is difficult to judge the NSA’s effect on the grant-making process.
The agency has a second tactic to prevent the spread of cryptographic techniques: keeping high-grade cryptography out of the national standards. To make it easier for different commercial computer systems to interoperate, the National Bureau of Standards (now called NIST) coordinates a semipublic process to design standard cryptographic algorithms. Vendors are hesitant to implement algorithms that are not in the NIST standards: Non-standard algorithms are harder to deploy in practice and are less likely to see adoption in the open marketplace.
The first controversy over the NSA’s hand in these standards erupted in the 1970s when it persuaded the bureau to weaken the Data Encryption Standard (DES) algorithm, an NBS-designed cryptosystem widely used by banks, privacy-sensitive businesses and the public. Hellman and his then-student Diffie mounted a vigorous—and ultimately unsuccessful—public relations campaign to try to improve the strength of the DES algorithm.
At the time, NSA leadership emphatically denied that it had influenced the DES design. In a public speech in 1979 aimed to quell some of the controversy, Inman asserted: “NSA has been accused of intervening in the development of the DES and of tampering with the standard so as to weaken it cryptographically. This allegation is totally false.”
Recently declassified records reveal that Inman’s statements were misleading, if not inaccurate. The NSA tried to convince IBM (which had originally designed the DES algorithm) to reduce the DES key size from 64 to 48 bits. Reducing the key size would decrease the cost of certain attacks against the cryptosystem. The NSA and IBM eventually compromised, the history says, on using a weakened 56-bit key.
Today, Inman acknowledges that the NSA was trying to strike a balance between protecting domestic commercial communication and safeguarding its own ability to eavesdrop on foreign governments: “[T]he issue was to try to find a level of cryptography that ensured the privacy of individuals and companies against competitors. Against anyone other than a country with a committed effort and capability to break the codes.”
The NSA’s influence over the standards process has been particularly effective at mitigating what it perceived as the risks of nongovernmental cryptography. By keeping certain cryptosystems out of the NBS/NIST standards, the NSA aided its mission of eavesdropping on communications traffic.
Reflections on Secrecy
There are a few salient questions to consider when looking back at these first conflicts between the intelligence community and academic researchers in cryptography. A starting point for this analysis, said Aftergood, is to consider “whether in retrospect, [the government’s] worst fears were realized.”
According to Inman, the uptake of the research community’s cryptographic ideas came at a much slower pace than he had expected. As a result, less foreign traffic ended up being encrypted than the agency had projected, and the consequences for national security were not as dramatic as he had feared. Essentially, Inman recalled, “there was no demand” for encryption systems outside of governments, even though many high-grade systems eventually became available. “You had a supply but no demand for it.” Even those people who try to use high-grade cryptographic tools, Hellman said, often make mistakes that render their traffic easy for an intelligence agency to decrypt: “People still make a lot of mistakes: use wrong, bad keys, or whatever else.”
A second question is whether Hellman was right to fear that a lack of strong cryptography could become an “economic and privacy threat” in a computerized economy. In an unexpected turn, today Inman is as worried about protecting nongovernmental computer systems as Hellman was in the 1970s. When asked if he would make the same decisions about nongovernmental cryptography now as he did then, Inman replied, “Rather than being cautious to make sure they were[n’t] going to damage [our collection capabilities] . . . I would have been interested in how quickly they were going to be able to make [cryptosystems] available in a form that would protect proprietary information as well as government information.”
The theft of portions of the designs for the F-35 jet, Inman said, shows that weak nongovernmental encryption and computer security practices can gravely harm national security. Even though history has vindicated Martin Hellman, he adamantly refuses to gloat over the accuracy of his predictions and the far-reaching impact of his technical work. On the contrary, Hellman is still deeply troubled by the way he engaged in the debate with the NSA over the publication of his papers and the DES encryption standard.
Rather than trying to understand both sides of the issue and make the “right” decision, Hellman said that in the heat of the controversy, he listened to his ego instead. “The thought just popped into my head: Forget about what’s right. Go with this, you’ve got a tiger by the tail. You’ll never have more of an impact on society.”
Aftergood said that this sort of ego-driven reasoning is a hallmark of debates over secrecy in research: “If you’re a researcher and you’ve achieved some kind of breakthrough, you’re going to want to let people know. So you’re not an impartial, unbiased, disinterested party. You’re an interested party.”
It was not until Hellman watched Day After Trinity, a documentary about the development of the atomic bomb, that he realized how dangerous his decision-making process had been. The moment in the film that troubled him most, he recalled, was when the Manhattan Project scientists tried to explain why they continued to work on the bomb after Hitler had been defeated and the threat of a German atom bomb had disappeared. The scientists “had figured out what they wanted to do and had then come up with a rationalization for doing it, rather than figuring out the right thing to do and doing it whether or not it was what they wanted to do. . . . I vowed I would never do that again,” Hellman said. “Thinking it through even now, I still would have done most of what I did. But it could have been something as bad as inventing nuclear weapons, and so I vowed I would never do that again.”
Making good decisions in these situations, Aftergood said, requires a large dose of “internal restraint” and a certain “degree of trust” between researchers and government officials, “which is often lacking in practice.”
Although Hellman and Inman forged an unlikely friendship in the wake of the conflict in the late 1970s, trust between the academic cryptography community and the NSA is at its nadir. Inman said of the new NSA director, “He has a huge challenge on his plate. How does he . . . can he, in fact, reestablish a sense of trust?”
Diffie and Hellman’s now-legendary key-exchange algorithm has an elegant one-line representation. Debates over academic freedom and government secrecy do not lend themselves to such a concise formulation. “It’s not a neat, simple calculation,” Aftergood said. “There are competing interests on all sides, and somehow one just has to muddle through.”
Henry Corrigan-Gibbs is a second-year PhD student in computer science.