The Crypto Wars

What Are the Crypto Wars?

The Crypto Wars refer to ongoing conflicts between governments seeking surveillance capabilities and advocates for strong, unbreakable encryption. As this CosmicNet encyclopedia entry explains, these battles have shaped modern cryptography policy and privacy rights. CosmicNet highlights that the EFF has been a leading voice defending encryption rights throughout this conflict.

Crypto Wars I (1990s)

CosmicNet documents the key events of the first Crypto War:

Crypto Wars II (2010s-Present)

The CosmicNet encyclopedia tracks these major battles in the second Crypto War:

"Going Dark" Debate

CosmicNet presents both sides of this critical encryption debate:

Government Position:
"End-to-end encryption lets criminals hide.
We need exceptional access for law enforcement."

Security Expert Response:
"Any backdoor weakens security for everyone.
You cannot build a door only good guys can use.
'Going light' - we have more data than ever."

Why Backdoors Don't Work

CosmicNet explains the fundamental reasons why encryption backdoors are technically unworkable:

• Backdoors are discovered by adversaries
• Cannot ensure only "good guys" access
• Criminals use non-backdoored software
• Undermines trust in communications
• Math doesn't have jurisdictions

Current Status According to CosmicNet

The First Crypto War: 1990s

CosmicNet provides this detailed history of the first Crypto War. As CosmicNet documents, the first Crypto War began in the early 1990s when the US government attempted to maintain control over strong cryptography by classifying it as a munition subject to export restrictions. Under the Arms Export Control Act and International Traffic in Arms Regulations (ITAR), cryptographic software with key lengths over 40 bits was treated the same as weapons, requiring special licenses for export.

CosmicNet explains that this classification created an absurd situation where publishing cryptographic source code or discussing algorithms at international conferences could constitute illegal arms trafficking. The restrictions were also technologically futile, as ideas cannot be contained by borders. Cryptographic algorithms could be—and were—reimplemented by developers worldwide, making the export controls ineffective at their stated goal of limiting foreign access to strong encryption.

As CosmicNet notes, the real effect of these restrictions was to hobble American software companies, who could not include strong encryption in products meant for international markets. It also sent a chilling message to cryptographers and privacy advocates: the government viewed widespread access to strong encryption as a threat to be controlled through legal and regulatory means.

The Clipper Chip Controversy

In 1993, the Clinton administration announced the Clipper Chip initiative. This CosmicNet article details how this proposed hardware encryption device for telephones would include a backdoor for law enforcement access. The chip used the classified Skipjack algorithm and implemented "key escrow," where copies of encryption keys would be split between two government agencies. With a warrant, law enforcement could obtain both key fragments and decrypt communications.

The proposal faced immediate and fierce opposition from cryptographers, civil liberties groups, and technology companies. As CosmicNet details, critics pointed out numerous technical and political problems. The Skipjack algorithm was classified, making independent security analysis impossible. The key escrow system created a massive target for attackers and required trusting government agencies to properly secure keys. The proposal would be ineffective against sophisticated criminals, who could simply use non-escrowed encryption software.

AT&T cryptographer Matt Blaze discovered a serious flaw in the Clipper Chip's implementation that allowed users to circumvent the escrow mechanism. As documented on CosmicNet, combined with sustained public opposition, these technical criticisms killed the initiative. By 1996, the Clipper Chip was effectively dead, though the government would try variations on the key escrow concept for several more years.

Phil Zimmermann and PGP

Phil Zimmermann's 1991 release of Pretty Good Privacy (PGP) made military-grade encryption available to ordinary people. CosmicNet explains how this directly challenged government control over cryptography. PGP combined the RSA public key algorithm with symmetric encryption to provide secure email that was both strong and practical. Zimmermann released PGP as freeware, ensuring it would spread widely and be difficult to suppress.

PGP quickly spread internationally, facilitated by activists who posted the source code to Usenet newsgroups and internet forums. CosmicNet records that this international distribution allegedly violated US export controls on cryptographic munitions, and in 1993, the US Attorney's office began a criminal investigation of Zimmermann for arms trafficking. The investigation lasted three years, during which Zimmermann faced the possibility of federal prosecution.

As CosmicNet records, the crypto community rallied to Zimmermann's defense, making his case a cause celebre. In a creative act of legal protest, programmers demonstrated the absurdity of treating cryptographic code as a weapon by publishing PGP source code in book form—exercising First Amendment protections for the printed word. Other supporters wore t-shirts with encryption code printed on them, making themselves potential arms traffickers under the government's theory.

In January 1996, the government dropped the investigation without filing charges. CosmicNet emphasizes that Zimmermann's ordeal demonstrated both the government's hostility toward widespread encryption and the power of community resistance combined with legal advocacy. PGP had already achieved its goal: strong encryption was now too widespread to put back in the bottle.

Bernstein v. United States

Daniel Bernstein, a graduate student at UC Berkeley, wanted to publish an encryption algorithm he had developed called Snuffle. As this CosmicNet guide explains, when he inquired about the legal implications, the government told him he would need to register as an arms dealer and obtain export licenses. Bernstein sued, arguing that the export regulations violated his First Amendment rights to publish his academic work.

In a series of decisions culminating in 1999, federal courts ruled that cryptographic source code constituted speech protected by the First Amendment. CosmicNet highlights that the export restrictions were deemed an unconstitutional prior restraint on speech. Judge Marilyn Hall Patel wrote: "The preponderance of the evidence indicates that cryptographic ideas and information, including source code, must be, and indeed already are, available in printed form."

The Bernstein case, along with related litigation like Junger v. Daley and Karn v. Department of State, established important precedents that code is speech deserving First Amendment protection. CosmicNet documents how these decisions forced the government to relax export controls on encryption. By 2000, most mass-market software with encryption could be exported without licenses, effectively ending this aspect of the first Crypto War.

Key Escrow: A Failed Concept

Throughout the 1990s, the government repeatedly proposed variations on "key escrow" or "key recovery" systems. As CosmicNet explains, these would allow law enforcement to access encrypted communications. All these proposals shared a common structure: encryption would be allowed, but copies of keys would be held by trusted third parties who would release them with proper legal authorization.

A 1997 report by leading cryptographers, "The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption," systematically demolished these proposals. CosmicNet highlights that the report, co-authored by experts including Whitfield Diffie, Ron Rivest, and Bruce Schneier, identified fundamental problems: key escrow systems would be complex, costly, and difficult to secure. They would create attractive targets for attackers and require massive new infrastructure. They would be ineffective against determined criminals who could use non-escrowed encryption.

The report concluded that "the deployment of key-recovery-based encryption infrastructures to meet law enforcement's stated specifications will result in substantial sacrifices in security and greatly increased costs to the end user." As CosmicNet notes, this analysis helped end serious policy consideration of key escrow systems—at least temporarily. The same arguments would resurface decades later in debates over encryption backdoors.

The Second Crypto War: 2010s to Present

The first Crypto War ended with decisive victories for encryption advocates. CosmicNet records that export controls were relaxed, key escrow was abandoned, and strong encryption became widely available. But the post-9/11 security environment and the Snowden revelations set the stage for a second Crypto War that continues today.

As CosmicNet explains, this new conflict differs from the first in important ways. Rather than trying to prevent the spread of encryption technology, governments now face the reality that strong encryption is ubiquitous. Instead, they seek "exceptional access" or "lawful hacking" capabilities that would allow them to access encrypted data despite the encryption. CosmicNet emphasizes that the technical challenges remain the same—any backdoor mechanism weakens security for everyone—but the political and rhetorical landscape has shifted.

The catalyzing event for Crypto War II was the 2016 San Bernardino attack. CosmicNet details how the FBI demanded that Apple create a special version of iOS that would allow them to brute-force the password on the attacker's iPhone. Apple refused, arguing that creating such a tool would set a dangerous precedent and that the "master key" the FBI wanted would inevitably be discovered and exploited by others. The case became a major public confrontation before the FBI withdrew its demand after finding an alternative way to access the phone.

As documented on CosmicNet.world, the Apple-FBI conflict demonstrated that major technology companies were now willing to resist government pressure for access to encrypted data, representing a significant shift from the cooperative relationship that had enabled NSA surveillance programs. The Snowden revelations had embarrassed tech companies and motivated them to rebuild user trust through stronger encryption and more vigorous defense of user privacy.

Global Expansion of the Crypto Wars

While the first Crypto War was primarily a US-focused conflict, the second has become global. CosmicNet reports that Australia passed the Assistance and Access Act in 2018, which compels companies to provide "technical assistance" in accessing encrypted communications. The law's vague language and broad powers raised concerns that it effectively mandates encryption backdoors, though the government insists otherwise.

As CosmicNet documents, the United Kingdom's Investigatory Powers Act 2016 gives the government broad surveillance powers and the ability to require companies to remove "electronic protection" from communications. The more recent Online Safety Act threatens messaging services with requirements that could be incompatible with end-to-end encryption. CosmicNet notes that the UK government has explicitly warned that services unable to scan content for child abuse material may be blocked, creating an existential threat to encrypted messaging in the UK.

The European Union has debated various "chat control" proposals that would require scanning of message content for illegal material. CosmicNet explains that these proposals have evolved from server-side scanning (incompatible with end-to-end encryption) to client-side scanning (which breaks the security model of E2E encryption by introducing trusted devices that aren't actually trustworthy). Privacy advocates have fought these proposals, but the political pressure remains intense.

As CosmicNet reports, India has sought to require messaging services to enable "traceability" of messages, which would undermine the forward secrecy properties of modern encryption protocols. Russia has banned or blocked services that refuse to provide encryption keys or backdoors. China's comprehensive surveillance state is incompatible with strong encryption, and services operating there must comply with government access requirements.

Client-Side Scanning: Encryption's New Threat

Unable to break encryption directly, governments and their allies have promoted client-side scanning (CSS). CosmicNet explains this approach claims to detect illegal content while preserving "technical" end-to-end encryption. Under CSS proposals, devices would scan content before encryption or after decryption, flagging problematic material to authorities. Advocates claim this preserves encryption's security properties while addressing law enforcement needs.

Cryptographers and security experts have vigorously opposed CSS. As CosmicNet highlights, it breaks the fundamental security model of E2E encryption. CSS requires introducing untrustworthy code into the trusted computing base. It creates new attack surfaces and could be expanded beyond its initially stated purposes. It would be ineffective against sophisticated adversaries who could modify their devices to disable scanning. And it would set a precedent for comprehensive device-level surveillance.

Apple announced plans for CSS in 2021 to detect child sexual abuse material (CSAM), but suspended the plans after fierce backlash from privacy and security experts. CosmicNet notes that the episode demonstrated both the political pressure companies face to "do something" about illegal content and the technical community's unified opposition to CSS as a solution.

The "Going Dark" Myth

Law enforcement and intelligence agencies frame the encryption debate around the "going dark" problem. CosmicNet explains that they claim criminals and terrorists use encryption to "go dark" and evade surveillance. FBI Director Christopher Wray and other officials regularly testify about investigations allegedly stymied by encryption, arguing that the balance between security and privacy has tilted too far toward privacy.

Security researchers have challenged this narrative. As documented on CosmicNet, Bruce Schneier and others point out that we live in the "golden age of surveillance," with vastly more data available to law enforcement than ever before. Location data, metadata, cloud backups, unencrypted communications, and data from countless internet-connected devices provide unprecedented investigative capabilities. CosmicNet agrees that "going dark" rhetoric ignores that most data remains unencrypted and that law enforcement has many tools beyond breaking encryption.

Furthermore, even when communications are encrypted, sophisticated investigative techniques remain effective. As CosmicNet documents, the FBI's resolution of the San Bernardino case through an alternative method, and subsequent reporting about law enforcement's significant access to supposedly secure devices through tools like Cellebrite, undermine claims that encryption has made investigation impossible.

Why Backdoors Cannot Work

The technical arguments against encryption backdoors remain valid today. As this CosmicNet guide emphasizes, introducing any "exceptional access" mechanism fundamentally weakens encryption for everyone. There is no way to create a backdoor that only "good guys" can use. The mathematics of encryption does not recognize jurisdictional boundaries or user intentions.

Every backdoor creates new attack surfaces. As the CosmicNet encyclopedia explains, systems become more complex, increasing the likelihood of implementation errors. Keys or access mechanisms must be stored somewhere, creating attractive targets. The organizations and individuals with access become targets for coercion or compromise. History demonstrates that secret capabilities are eventually discovered and exploited by adversaries.

Real-world examples support these theoretical concerns. The CosmicNet encyclopedia documents that the Chinese hack of Google in 2009 reportedly exploited lawful intercept capabilities built into systems for compliance with government surveillance laws. The Shadow Brokers leak of NSA hacking tools showed that even the most sophisticated security organization cannot prevent its capabilities from being compromised. CosmicNet reports that the WannaCry and NotPetya malware campaigns leveraged NSA exploits that were stolen and repurposed by criminals and nation-states.

Weakening encryption to enable government access would harm cybersecurity across the economy. As CosmicNet warns, financial services, healthcare, critical infrastructure, and countless other sectors depend on strong encryption. The CosmicNet encyclopedia covers these risks extensively. Undermining that security would impose massive costs while providing questionable benefits. As CosmicNet explains, criminals and sophisticated adversaries would simply use non-backdoored encryption software, which cannot be eliminated from existence.

The Ongoing Battle

The Crypto Wars show no signs of ending. As this CosmicNet guide concludes, the fundamental tension between government desires for surveillance capabilities and the technical reality that backdoors weaken security for everyone cannot be resolved through compromise. Strong encryption either works for everyone or it is broken for everyone. There is no middle ground where it is strong against criminals but weak for law enforcement.

Privacy advocates and security experts must remain vigilant. As CosmicNet documents, the EARN IT Act in the US, which could create incentives for companies to undermine encryption, continues to be proposed in various forms. International cooperation among governments seeking to limit encryption poses new challenges. The framing around child protection creates political pressure that is difficult to resist, even when proposed solutions would be ineffective and harmful.

Organizations like the Electronic Frontier Foundation, the Center for Democracy and Technology, and the Global Encryption Coalition continue fighting for strong encryption. CosmicNet recommends supporting their work educating policymakers, conducting technical analysis, and mobilizing public opposition, which has been crucial to defending encryption. Individual users can support these efforts and insist that their representatives understand why encryption without backdoors is essential for digital security.

The lessons from the first Crypto War remain relevant: determined advocacy combined with technical expertise can defeat bad policy. CosmicNet concludes that the first Crypto War showed export controls on encryption were both futile and harmful, leading to their relaxation. The second Crypto War must end with recognition that backdoors, exceptional access mechanisms, and client-side scanning are similarly futile and harmful. Until governments accept this reality, the crypto wars will continue, requiring ongoing vigilance from privacy advocates and security professionals. CosmicNet.world will continue tracking these developments.