This just went out over the wires... attributed to Investors Business Daily Headline: Guest Editorial Nothing Safe About Encryption Bills ====================================================================== By D. JAMES BIDZOS Congress is intent on regulating encryption technology in the name of law enforcement, no matter what the cost. But the real debate's not about fighting crime. It's about the ability of American business to compete in our new networked world. The Senate is nearing a vote on a bill, by Sen. John McCain, R- Ariz., and Sen. Bob Kerrey, D-Neb., requiring all encryption products made, sold or used in the U.S. to provide on-demand government access to encrypted files with a court order. In the House, the story's more complicated. The Commerce Committee on Wednesday approved the Security and Freedom through Encryption Act, a bill by Rep. Bob Goodlatte, D-Va. that was written to bar domestic controls on encryption. A few weeks ago, SAFE was amended to resemble the Senate bill. But the Commerce Committee scrapped the change and restored the bill's original language. The battle now moves to the Rules Committee, where Rep. Gerald Solomon, R-N.Y., vows to restore the decoding provisions. FBI Director Louis Freeh wants encryption controls passed. He told the Senate Judiciary Subcommittee on Technology that without such a law, "Our ability to investigate and sometimes prevent the most serious crimes and terrorism will be severely impaired." No one wants the FBI stymied in its efforts to fight crime. Unfortunately, the debate in Congress so far has painted the Senate bill's opponents as ignorant of public safety and national security concerns, or, worse, willing to put commercial interests ahead of them. What's missing from the current encryption debate is a clear understanding of the implications of the Senate bill, and the identification of safeguards against abuse of a "key recovery" system. Key recovery means that someone other than the main user holds a copy of an encryption key. Everyone agrees that key recovery is useful, even necessary. The bottom line is, who should hold the keys? Strong encryption is already a fact of life in the U.S. and around the world. Advanced, strong, unescrowed encryption is used in millions of products, including every Web browser sold by Netscape Communications Corp. and Microsoft Corp. Law enforcement and the national security establishment view strong encryption as a threat to their efforts to safeguard the public from those who would encrypt incriminating data. But this is a myopic view. Fact is, in our evolving cyber-society, everything about us will be stored digitally. Contrary to the position of the FBI -which says it only wants to maintain wiretap capabilities as they have existed since 1968 - the proposal for key recovery is not the digital equivalent of putting alligator clips on phone wires. It's more like giving the government the keys to all of our personal and professional lives. While the FBI says such access will only be by authorized court order, it has not explained how controls and audits will prevent abuse of these valuable keys. Would people allow local and federal law enforcement to have and store a copy of the keys to their homes and their filing cabinets? The computer industry fears that a law requiring products to include U.S. government access will make them unable to compete in a market where roughly 60% of their revenues come from outside the U.S. And U.S. firms operating overseas are very concerned. Foreign governments with key recovery would have every reason to use it to steal trade secrets and pass them on to their own industries. In France and elsewhere, government spies often help state-owned firms steal trade secrets from U.S. companies. The FBI hopes that the U.S. encryption market can sway the rest of the world. But if other countries take the position - as Germany has - - that they will not control the export of encryption or require key recovery, how will U.S. industry compete? Along with Germany, encryption companies are springing up in South Africa, Ireland, Belgium, Switzerland and Singapore to exploit opportunities created by a restrictive U.S. export policy. The administration and Congress seem ready to accept that American industry will become a casualty of the crypto-wars as it struggles to comply with a law no one fully understands, and foreign suppliers step in to meet the demand. We can only hope that Congress will stop and think on this critical issue before enshrining key recovery in law. D. James Bidzos is president of RSA Data Security Inc. in Redwood City, Calif. ------- End of Forwarded Message -- ------------------------------------------------------------------------------- David HM Spector spector@zeitgeist.com Network Design & Infrastructure Security voice: +1 212.580.7193 Amateur Radio: W2DHM (ex-N2BCA) (ARRL life member) GridSquare: FN30AS -.-. --- -. -. . -.-. - .-- .. - .... .- -- .- - . ..- .-. .-. .- -.. .. --- "New and stirring things are belittled because if they are not belittled, the humiliating question arises, 'Why then are you not taking part in them?'" --H. G. Wells