Pardon the massive mailing (I have never posted a full Policy Post to this list before), but I thought a majority of you would find this interesting and relevant.

Jonah (editor@cdt.org)

------------------------------------------------------------------------
CENTER FOR DEMOCRACY AND TECHNOLOGY

POLICY POST
November 9, 1995
Number 29
------------------------------------------------------------------------
A briefing on public policy issues affecting civil liberties online
------------------------------------------------------------------------

CONTENTS:

(1) Public Interest/Industry Coalition Says Administration Crypto Policy Flawed -- Pledges to Develop Alternative
(2) Text of CDT-led coalition letter to Vice President Gore
(3) How To Subscribe To The CDT Policy Post Distribution List
(4) About CDT, Contacting Us

This document may be re-distributed freely provided it remains in its entirety. Excerpts may be re-posted by permission (editor@cdt.org)

-------------------------------------------------------------------------

(1) Public Interest/Industry Coalition Says Administration Crypto Policy Flawed -- Pledges to Develop Alternative

A broad coalition of nearly forty public-interest organizations, trade associations, and representatives from the telecommunications and computer hardware and software industries sent the attached letter to Vice President Albert Gore on Wednesday, objecting to the Administration's recently announced cryptography policy.

While the letter praised the administration for its efforts to develop a national cryptography policy, the signatories, which include groups such as EFF and companies such as America Online, Apple, AT&T, MCI, Lotus, Microsoft, and Tandem Computer (organized by CDT), expressed concern that the Administration's proposal is weighted heavily in favor of law enforcement and national security while neglecting the privacy and security needs of individuals and the marketplace. The letter states:

  "A secure, private, and trusted Global Information Infrastructure (GII) is essential to promote economic growth and meet the needs of the Information Age society. Competitive businesses need cryptography to protect proprietary information as it flows across increasingly vulnerable global networks. Individuals require privacy protection in order to build the confidence necessary to use the GII for personal and financial transactions... The undersigned groups recognize that the Administration's recently articulated cryptography initiative was a serious attempt to meet some of these challenges, but the proposed initiative is no substitute for a comprehensive national cryptography policy. To the extent that the current policy becomes a substitute for a more comprehensive policy, the initiative actually risks hindering the development of a secure and trusted GII."

The coalition pledged to work together to formulate recommendations for an alternative cryptography policy based on the following principles:

* ROBUST SECURITY: access to levels of encryption sufficient to address domestic and international security threats, especially as advances in computing power make currently deployed cryptography systems less secure.

* INTERNATIONAL INTEROPERABILITY: the ability to securely interact worldwide.

* VOLUNTARY USE: freedom for users to choose encryption solutions, developed in the marketplace, that meet their particular needs.

* ACCEPTANCE BY THE MARKETPLACE: commercial viability and ability to meet the expressed needs of cryptography users.

* CONSTITUTIONAL PRIVACY PROTECTIONS: safeguards to ensure basic Fourth Amendment privacy protection and regulation of searches, seizures, and interceptions.

* RESPECT FOR THE LEGITIMATE NEEDS OF LAW ENFORCEMENT and national security, while recognizing the reality that determined criminals will have access to virtually unbreakable encryption.

A second group, composed of conservative/libertarian organizations including Americans for Tax Reform and Citizens for A Sound Economy, issued a similar letter on Wednesday to House Speaker Newt Gingrich. The text of that letter, as well as additional information on the cryptography policy debate, can be found on CDT's Cryptography Issues Page:

URL:http://www.cdt.org/crypto.html

The letters come as the National Institute of Standards & Technology (NIST) this week announced revisions to the Administration's proposed export criteria announced last September (See CDT Policy Post No. 24). The revised proposal is substantively similar to the previous version, and maintains controversial provisions including:

* LIMITS ON KEY LENGTH: The revised proposal would continue to only allow the export of cryptography systems with 64-bit key lengths, but only if the keys are escrowed by an agent approved by the U.S. Government and if the systems meet the other export criteria.

* RESTRICTED INTEROPERABILITY: While the revised proposal does clarify the interoperability provision, it would continue to prohibit exportable products from operating with any other cryptographic products that do not meet the NIST criteria.

* NO PRIVACY SAFEGUARDS: The proposal contains no mention of the procedures for law enforcement access to escrowed keys, the standards for certifying escrow agents, or the obligations on escrow agents to protect privacy.

CDT believes that the NIST proposals fall far short of the promise for a more sensible and comprehensive cryptography policy outlined last July in Vice President Gore's letter to Rep. Maria Cantwell. The current proposal fails to provide adequate security, protect the privacy of individuals, and meet the needs of the global marketplace.

CDT believes that a more comprehensive approach to cryptography policy is necessary to address both the immediate need for strong cryptographic applications and the long-term development of a secure and trusted Global Information Infrastructure. CDT will work with the signatories of the letter over the next six months to develop an alternative to the Administration's proposal.

-----------------------------------------------------------------------

(2) Text of CDT-led Coalition Letter to Vice President Gore

November 8, 1995

The Honorable Albert Gore, Jr.
Office of the Vice President
Old Executive Office Building, Room 276
Washington, D.C. 20501

Dear Mr. Vice President:

A secure, private, and trusted Global Information Infrastructure (GII) is essential to promote economic growth and meet the needs of the Information Age society. Competitive businesses need cryptography to protect proprietary information as it flows across increasingly vulnerable global networks. Individuals require privacy protection in order to build the confidence necessary to use the GII for personal and financial transactions. Promoting the development of the GII and meeting the needs of the Information Age will require strong, flexible, widely-available cryptography.

The undersigned groups recognize that the Administration's recently articulated cryptography initiative was a serious attempt to meet some of these challenges, but the proposed initiative is no substitute for a comprehensive national cryptography policy. To the extent that the current policy becomes a substitute for a more comprehensive policy, the initiative actually risks hindering the development of a secure and trusted GII.

A number of the undersigned organizations have already written to express concern about the latest Administration cryptography initiative. As some of us have noted, the Administration's proposed export criteria will not allow users to choose the encryption systems that best suit their security requirements. Government ceilings on key lengths will not provide an adequate level of security for many applications, particularly as advances in computing render current cryptography systems less secure. Competitive international users are steadily adopting stronger foreign encryption in their products and will be unlikely to embrace U.S. restrictions. As they stand, current export restrictions place U.S. hardware manufacturers, software developers, and computer users at a competitive disadvantage, seriously hinder international interoperability, and threaten the strategically important U.S. communications and computer hardware and software industries.

Moreover, the Administration policy does not spell out any of the privacy safeguards essential to protect individual liberties and to build the necessary public trust in the GII.

The current policy directive also does not address the need for immediate liberalization of current export restrictions. Such liberalization is vital to enable U.S. companies to export state-of-the-art software products during the potentially lengthy process of developing and adopting a comprehensive national cryptography policy. Without relief, industry and individuals alike are faced with an unworkable limit on the level of security available and remain hamstrung by restrictions that will not be viable in the domestic and international marketplace.

Many members of the undersigned groups have been working actively with the Administration on a variety of particular applications, products, and programs promoting information security. All of us are united, however, by the concern that the current network and information services environment is not as secure as it should be, and that the current policy direction will delay the secure, private, and trusted environment that is sought.

Despite the difficulties of balancing the competing interests involved, the undersigned companies, trade associations, and privacy organizations are commencing a process of collective fact-finding and policy deliberation, aimed at building consensus around a more comprehensive cryptography policy framework that meets the following criteria:

* ROBUST SECURITY: access to levels of encryption sufficient to address domestic and international security threats, especially as advances in computing power make currently deployed cryptography systems less secure.

* INTERNATIONAL INTEROPERABILITY: the ability to securely interact worldwide.

* VOLUNTARY USE: freedom for users to choose encryption solutions, developed in the marketplace, that meet their particular needs.

* ACCEPTANCE BY THE MARKETPLACE: commercial viability and ability to meet the expressed needs of cryptography users.

* CONSTITUTIONAL PRIVACY PROTECTIONS: safeguards to ensure basic Fourth Amendment privacy protection and regulation of searches, seizures, and interceptions.

* RESPECT FOR THE LEGITIMATE NEEDS OF LAW ENFORCEMENT and national security, while recognizing the reality that determined criminals will have access to virtually unbreakable encryption.

In six months, we plan to present our initial report to the Administration, the Congress, and the public in the hopes that it will form the basis for a more comprehensive, long-term approach to cryptography on the GII.

We look forward to working with the Administration on this matter.

Sincerely,

American Electronics Association
America Online, Inc.
Apple Computer, Inc.
AT&T
Business Software Alliance
Center for Democracy & Technology
Center for National Security Studies
Commercial Internet eXchange Association
CompuServe, Inc.
Computer & Communications Industry Association
Computing Technology Industry Association
Crest Industries, Inc.
Dun & Bradstreet
Eastman Kodak Company
Electronic Frontier Foundation
Electronic Messaging Association
EliaShim Microcomputers, Inc.
Formation, Inc.
Institute for Electrical and Electronic Engineers - United States Activities
Information Industry Association
Information Technology Industry Council
Information Technology Association of America
Lotus Development Corporation
MCI
Microsoft Corporation
Novell, Inc.
OKIDATA Corporation
Oracle Corporation
Securities Industry Association
Software Industry Council
Software Publishers Association
Software Security, Inc.
Summa Four, Inc.
Sybase, Inc.
Tandem Computers, Inc.
Telecommunications Industry Association
ViON Corporation

---------------------------------------------------------------------------

(3) HOW TO SUBSCRIBE TO THE CDT POLICY POST LIST

CDT Policy Posts, which is what you have just finished reading, are the regular news publication of the Center For Democracy and Technology. CDT Policy Posts are designed to keep you informed on developments in public policy issues affecting civil liberties online.

SUBSCRIPTION INFORMATION

1. SUBSCRIBING TO THE LIST

To subscribe to the policy post distribution list, send mail to "Majordomo@cdt.org" with:

    subscribe policy-posts

in the body of the message (leave the subject line blank)

2. UNSUBSCRIBING FROM THE LIST

If you ever want to remove yourself from this mailing list, you can send mail to "Majordomo@cdt.org" with the following command in the body of your email message:

    unsubscribe policy-posts youremail@local.host (your name)

(leave the subject line blank)

You can also visit our subscription web page URL:http://www.cdt.org/join.html

-----------------------------------------------------------------------

(4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US

The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and advocate public policies that advance constitutional civil liberties and democratic values in new computer and communications technologies.

Contacting us:

General information:  info@cdt.org
World Wide Web:       URL:http://www.cdt.org
FTP                   URL:ftp://ftp.cdt.org/pub/cdt/

Snail Mail:  The Center for Democracy and Technology
             1001 G Street NW * Suite 500 East * Washington, DC 20001
             (v) +1.202.637.9800 * (f) +1.202.637.0968

-----------------------------------------------------------------------
End Policy Post No. 29                                        11/9/95
-----------------------------------------------------------------------