------------------------------------------------------------------------------ _____ _____ _______ / ____| __ \__ __| ____ ___ ____ __ | | | | | | | | / __ \____ / (_)______ __ / __ \____ _____/ /_ | | | | | | | | / /_/ / __ \/ / / ___/ / / / / /_/ / __ \/ ___/ __/ | |____| |__| | | | / ____/ /_/ / / / /__/ /_/ / / ____/ /_/ (__ ) /_ \_____|_____/ |_| /_/ \____/_/_/\___/\__, / /_/ \____/____/\__/ The Center for Democracy and Technology /____/ Volume 3, Number 13 ---------------------------------------------------------------------------- A briefing on public policy issues affecting civil liberties online ---------------------------------------------------------------------------- CDT POLICY POST Volume 3, Number 13 September 8, 1997 CONTENTS: (1) New FBI Draft Crypto Bill Would Force Mandatory Key Recovery (2) Text of FBI Proposal (3) What You Can Do (4) How to Subscribe/Unsubscribe (5) About CDT, contacting us ** This document may be redistributed freely with this banner intact ** Excerpts may be re-posted with permission of <editor@cdt.org> ** This document looks best when viewed in COURIER font ** _____________________________________________________________________________ (1) NEW FBI DRAFT ENCRYPTION LEGISLATION WOULD IMPOSE MANDATORY KEY RECOVERY In its most audacious crypto proposal yet, the FBI is circulating on Capitol Hill legislation to impose full domestic controls on the manufacture and use of encryption. The FBI is seeking support for its proposal among two crucial House Committees preparing to consider encryption legislation this week. The text of the key section of the FBI draft is attached below. The FBI draft would take two extraordinary steps. It would prohibit the manufacture, sale, import or distribution within the United States of any encryption product unless it contains a feature that would create a spare key or some other trap door allowing "immediate" decryption of any user's messages or files without the user's knowledge. In addition, it would require all network service providers that offer encryption products or services to their customers to ensure that all messages using such encryption can be immediately decrypted without the knowledge of the customer. This would apply to telephone companies and to online service providers such as America Online and Prodigy. In the FBI draft, the "key recovery capability" could be activated by the purchaser or end user. But requiring that such a capability be installed in all domestic communications networks and encryption products would be the critical step in enabling a national surveillance infrastructure. The proposal requires the Attorney General to set standards for what are and are not acceptable encryption products. The proposal's requirement of "immediate" decryption would seem to seriously limit the options available to encryption manufacturers seeking approval of their products. While export of encryption products from the United States has long been restricted, there have never been controls on the manufacture, distribution, or use of encryption within the United States. Pending before the House Intelligence and National Security Committees is the Security and Freedom through Encryption Act (SAFE, HR 695), sponsored by Rep. Goodlatte (R-VA), which would lift current export controls on encryption technology. The Goodlatte bill has already been reported favorably by the House Judiciary and International Relations Committees. The House National Security Committee is scheduled to consider HR 695 on Tuesday, September 9. The House Intelligence Committee has scheduled its vote for September 11. Members of both committees are expected to consider the FBI draft as a substitute to the SAFE bill. This FBI proposal represents a major turn-around for the Clinton Administration, which has denied since its first year that it was seeking domestic controls on encryption. The FBI proposal is an attempted end run around the Constitution. By creating an avenue for immediate access to sensitive decryption keys without the knowledge of the user, the proposal denies users the notice that is a central element of the Fourth Amendment protection against unreasonable searches and seizures. Just this past April, the Supreme Court reaffirmed that the Fourth Amendment normally requires the government to advise the target of a search and seizure that the search is being conducted. Forcing U.S. citizens and companies to adopt so-called key recovery systems poses serious security risks, especially when the systems can be accessed without the knowledge of the users. A recent study by 11 cryptography and computer security experts concluded that such key recovery systems would be costly and ultimately insecure (see http://www.crypto.com/key_study) CDT executive director Jerry Berman said of the latest proposal, "This is not the first step towards the surveillance society. It *is* the surveillance society." ______________________________________________________________________________ (2) TEXT OF MANDATORY KEY RECOVERY SECTION OF FBI DRAFT LEGISLATION (From FBI "Technical Assistance Draft" Dated August 28, 1997) SEC. 105. PUBLIC ENCRYPTION PRODUCTS AND SERVICES (a) As of January 1, 1999, public network service providers offering encryption products or encryption services shall ensure that such products or services enable the immediate decryption of communications or electronic information encrypted by such products or services on the public network, upon receipt of a court order, warrant, or certification, pursuant to section 106, without the knowledge or cooperation of the person using such encryption products or services. (b) As of January 1, 1999, it shall be unlawful for any person to manufacture for sale or distribution within the U.S., distribute within the U.S., sell within the U.S., or import into the U.S. any product that can be used to encrypt communications or electronic information, unless that product - (1) includes features, such as key recovery, trusted third party compatibility or other means, that (A) permit immediate decryption upon receipt of decryption information by an authorized party without the knowledge or cooperation of the person using such encryption product; and (B) is either enabled at the time of manufacture, distribution, sale, or import, or may be enabled by the purchaser or end user; or (2) can be used only on systems or networks that include features, such as key recovery, trusted third party compatibility or other means, that permit immediate decryption by an authorized party without the knowledge or cooperation of the person using such encryption product. (c) (1) Within 180 days of the enactment of this Act, the Attorney General shall publish in the Federal Register functional criteria for complying with the decryption requirements set forth in this section. (2) Within 180 days of the enactment of this Act, the Attorney General shall promulgate procedures by which data network service providers and encryption product manufacturers, sellers, re-sellers, distributors, and importers may obtain advisory opinions as to whether a decryption method will meet the requirements of this section. (3) Nothing in this Act or any other law shall be construed as requiring the implementation of any particular decryption method in order to satisfy the requirements of paragraphs (a) or (b) of this section. ______________________________________________________________________________ (3) WHAT YOU CAN I DO TO HELP? Are you concerned about protecting privacy and security in the information age? Curious what your Member of Congress thinks about the issue? Adopt Your Legislator! Visit http://www.crypto.com/adopt for details You will recieve customized alerts with news you can use, inlcuding the latest information on internet-related issues, the views of your Representative and Senators, and contact information to help you ensure your voice is heard in the ongoing debate over the future of the Information Age. Visit http://www.cdt.org/crypto or http://www.crypto.com/ for detailed background information on the encryption policy reform debate, including the text of various legislative proposals, analysis, and other information. _____________________________________________________________________________ (4) SUBSCRIPTION INFORMATION Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post news distribution list. CDT Policy Posts, the regular news publication of the Center For Democracy and Technology, are received by more than 13,000 Internet users, industry leaders, policy makers and activists, and have become the leading source for information about critical free speech and privacy issues affecting the Internet and other interactive communications media. To subscribe to CDT's Policy Post list, send mail to policy-posts-request@cdt.org with a subject: subscribe policy-posts If you ever wish to remove yourself from the list, send mail to the above address with a subject of: unsubscribe policy-posts _____________________________________________________________________________ (5) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies. Contacting us: General information: info@cdt.org World Wide Web: URL:http://www.cdt.org/ FTP URL:ftp://ftp.cdt.org/pub/cdt/ Snail Mail: The Center for Democracy and Technology 1634 Eye Street NW * Suite 1100 * Washington, DC 20006 (v) +1.202.637.9800 * (f) +1.202.637.0968 ---------------------------------------------------------------------------- End Policy Post 3.13 09/08/97 ----------------------------------------------------------------------------