I think this is a very important area to consider, and I thank Tim for putting his thoughts into this very organized form. My replies:
Timothy C. May writes:
If the Leahy bill is unacceptable, what legislation is necessary? I can't see how the use of cryptography in the commission of a crime needs to be a separate offence, but I could see how it could be treated as a special circumstance - that doesn't really need a new law though.
I don't see any compelling need for U.S. legislation. And given the pressures to attach all sorts of language to bills, I think it best that no legislation happen.
Unfortunately, this is not an option. Legislation will happen, with our endorsement or without it. One good example is the Grassley computer crime bill earlier in 1995. Nobody advised him on this, as far as I can tell, he just went out and drafted it. Lo and behold, he drafted a provision that basically criminalized all crypto, including rot13. We have to wake up and learn from the fight against the net censorship legislation. This is realpolitik. Congress will legislate crypto, whether we want them to or not. This is not news anyone wants to hear, but we have to face up to it.
* DOMESTIC USE OF ENCRYPTION: Currently, no restrictions whatsoever. No laws saying messages can't be encrypted, no laws saying keys must be escrowed, no laws about permissible strength of ciphers, no special laws covering disclosure of keys. Just silence, blessed silence. The Constitution says there shall be no laws about permissible speech (what language one speaks in, or writes in), and other provisions about compelled testimony seem adequate.
Congress has discovered the net, and partly through the widespread fame of this list, they have also discovered crypto. Simply saying, "we don't want any laws that address crypto" may be the ideal solution, but that won't stop them from passing laws that govern the domestic use of crypto.
* EXPORT OF CRYPTO BEYOND U.S.: This is indeed a thorn in the sides of U.S. companies, but is not _per se_ an issue I worry about. So long as I have strong crypto, I don't really care too much about export. It would be nice to get the ITARs modified, but not at the risk of adding language (such as Leahy did) making use of encryption a possible crime (we've debated this, so I won't elaborate here). Besides, I think the best way to overturn the ITARs is through a court challenge; as I have noted, even the NSA's lawyers felt that the ITARs would not withstand court scrutiny.
Unfortunately, many U.S. software companies don't agree with you. While I agree with you (I've got PGP, what's the problem?), several of these companies are working through their trade organizations to introduce and push crypto legislation to allow them to raise the key length in their products. Put ourselves in their shoes for a minute. They're sitting there, with their 40 bit products, knowing that it blows chunks. They want to produce stronger crypto, but know they won't be able to export it. They talk to the company's attorneys, who speak to the lobbyists, and poof, a crypto bill.
* KEY ESCROW: A matter of contract law, nothing more. If I want to give a copy of my key to my lawyer, fine. If I want to give a copy to Vince's Offshore Key Repository, no current U.S. law stops me from doing so, and I can even get it to him securely without violating any ITARs by using the cipher that _he_ uses and then importing it here!
IMPORTANT NOTE: It is often said, in a correct interpretation I think, that a third party holding a key (Joe's Key Warehouse) is _not_ covered by the 5th Amendment's protections against self-incrimination, and so must honor a subpoena. Sounds accurate to me. However, what if Joe is _also_ one's lawyer? Does attorney-client privilege apply here? Perhaps. A better solution is also fully legal at this time: use only offshore key storage. A U.S. subpoena to Vince's Offshore Key Repository will carry no weight in Anguilla. (Can I be compelled to ask Vince to send my key? Sure. But Vince and I could have a stipulation that such "duress requests" will not be honored, no matter how loudly I squawk.)
This is actually very important. The Leahy bill forces Joe's Key Warehouse to only divulge your key when they've been presented with a warrant that's on par with whatever they used to get your original communication. That means that Louis Freeh can't issue an administrative subpoena to get your key, after he's got a judge to allow the FBI to search your house. They have to get a judge involved for both parts. It's better than where we are today, where Joe's Key Warehouse is vulnerable to every law enforcement joker that can write an administrative subpoena. We haven't yet had an incident that demonstrates this, but we will. Of course, if you're the sort of person who thinks that the FBI and the Department of Justice are involved in a big criminal conspiracy to begin with, we shouldn't even be talking about due process, as you don't believe it exists...
In conclusion, things are fine as they are. I see no compelling need to write a special law confirming the rights we already are enjoying. If the Congress wants to relax the ITARs (fat chance), they can direct that the language of specific sections be redrafted. (I'm not even sure when and how the original language was crafted, though it is part, I believe, of the ancient Munitions Act and/or Trading with the Enemy Act. The enabling legislation for the ITARs, and especially for the specific items actually ON the "Munitions List" could be trivially changed. Were this Leahy's intent, an easy thing to write a bill for. I doubt this was his intent, however.
I think this indeed is what Leahy was aiming for. A quick glance at the bill will prove this out. The approach that "things are fine as they are" is like saying "I'm on a freight train, heading for a cliff, but they're still serving me caviar so it's OK". Sure, it feels ok, but the train's still moving, no matter how far you are into your denial. I can't say this enough: the net has moved into realpolitik. Congress has found us, and their first step is to regulate us. Then, they'll outlaw us. Let's hope we convert enough legislators to netizens before they outlaw us.
-Shabbir J. Safdar
co-founder, Voters Telecommunications Watch