============================================================================= ____ _ _ _ / ___|_ __ _ _ _ __ | |_ ___ | \ | | _____ _____ | | | '__| | | | '_ \| __/ _ \ _____| \| |/ _ \ \ /\ / / __| | |___| | | |_| | |_) | || (_) |_____| |\ | __/\ V V /\__ \ \____|_| \__, | .__/ \__\___/ |_| \_|\___| \_/\_/ |___/ |___/|_| WHITE HOUSE RELEASES CLIPPER 3.1.1 PLAN; SAME OLD STORY EXCLUDES CONGRESS; PROPOSAL DRIVEN BY LAW ENFORCEMENT NO CONCERNS FOR PRIVACY OF INTERNET USERS http://www.crypto.com/ Date: October 2, 1996 URL:http://www.crypto.com/ crypto-news@panix.com If you redistribute this, please do so in its entirety, with the banner intact. ----------------------------------------------------------------------------- Table of Contents Introduction White House announces new encryption proposal Text of White House announcement Response from Senator Patrick Leahy (D-VT) Response from Senator Conrad Burns (R-MT) How to receive crypto-news Press contacts ----------------------------------------------------------------------------- INTRODUCTION Interested in spreading the word in Congress about privacy rights and encryption? Want to help Congress fight the White House's poorly crafted, dictatorial, encryption policies? WWW.Crypto.Com has opened up a new service, "Adopt Your Legislator", which allows you to add your name to a targeted list for contacting your legislators. Whenever your legislator is teetering on an issue related to privacy or encryption, we'll notify you directly for a focused call-in/write-in campaign. It's fast, it's easy, it's like having your own personal activist. Sign up at http://www.crypto.com/ or through one of the many fine organizations below that have links to the adoption pages: Electronic Frontier Foundation (http://www.eff.org/) Center for Democracy and Technology (http://www.cdt.org/) Voters Telecommunications Watch (http://www.vtw.org/) Look for the "My Lock, My Key" icon and follow it to help fight the new Clipper 3.1.1 proposal and fight for your privacy! ----------------------------------------------------------------------------- WHITE HOUSE ANNOUNCES NEW ENCRYPTION PROPOSAL The White House announced their new encryption proposal yesterday. There are several main points that have come out now, or will appear soon: -jurisdictional move from State to Commerce for export applications with a Department of Justice role -temporary increase of key lengths to 56 bits, provided future key escrow functionality is promised, -joint effort with companies such as IBM to produce key escrow products, -increased purchasing of key recovery products by Federal agencies to stimulate the creation of a key escrow industry, and -legislation to legitimize the key escrow recovery market. There are absolutely no plans to permanently increase the key length of unescrowed encryption products. Companies who do not have an escrow plan in place by the end of the two year temporary increase will lose their export status. This proposal has a number of significant problems, including: DOMINATED AND DRIVEN BY LAW ENFORCEMENT INTERESTS This Clipper proposal, like the three previous ones, has been driven entirely by the concerns of law enforcement. This should come as no surprise to even the most optimistic industry or public interest advocates. As Senator Leahy (D-VT) says in his statement below: Internet users themselves -- not the FBI, not the NSA, not any government regulator -- should decide what encryption method best serves their needs. JUSTICE ROLE IN EXPORT APPLICATIONS A BLATANT ATTEMPT AT DOMESTIC CONTROL OF CRYPTOGRAPHY By allowing Justice a seat at the table in approving export applications, the Clinton Administration has clearly demonstrated that they wish to control the domestic cryptography market. Justice will certainly veto the export applications of any products which they are not able to break either by brute force or without key escrow. This will probably end up being an even worse route for companies wishing to export products. TEMPORARY INCREASE IN KEY LENGTH IS NOT SUFFICIENT The original Clipper proposal would have allowed encryption with 80 bits keys. Clipper II bandied about the number 64 as the acceptable level of encryption. With Clipper 3.1.1, that amount has been reduced to 56 bits for the next two years. This is clearly too little too late. CONGRESS WAS NOT CONSULTED Congress has clearly stated their intentions with regards to the White House policy, and this year will certainly not be the end of their involvement in the issue. Senator Burns (R-MT) summarizes it well: This debate is not over by any stretch of the imagination. The administration has prevented Congress from weighing in on this issue just as support was building for a legislative solution. I intend to move forward with pro-encryption legislation in the next Congress. You can continue to follow this issue at http://www.crypto.com/ ! ----------------------------------------------------------------------------- TEXT OF WHITE HOUSE ANNOUNCEMENT THE WHITE HOUSE Office of the Vice President FOR IMMEDIATE RELEASE CONTACT: 456-7035 TUESDAY, October 1, 1996 STATEMENT OF THE VICE PRESIDENT President Clinton and I are committed to promoting the growth of electronic commerce and robust, secure communications worldwide while protecting the public safety and national security. To that end, this Administration is consulting with Congress, the information technology industry, state and local law enforcement officials, and foreign governments on a major initiative to liberalize export controls for commercial encryption products. The Administration's initiative will make it easier for Americans to use stronger encryption products -- whether at home or abroad -- to protect their privacy, intellectual property and other valuable information. It will support the growth of electronic commerce, increase the security of the global information, and sustain the economic competitiveness of U.S. encryption product manufacturers during the transition to a key management infrastructure. Under this initiative, the export of 56-bit key length encryption products will be permitted under a general license after one-time review, and contingent upon industry commitments to build and market future products that support key recovery. This policy will apply to hardware and software products. The relaxation of controls will last up to two years. The Administration's initiative recognizes that an industry-led technology strategy will expedite market acceptance of key recovery, and that the ultimate solution must be market-driven. Exporters of 56-bit DES or equivalent encryption products would make commitments to develop and sell products that support the key recovery system that I announced in July. That vision presumes that a trusted party (in some cases internal to the user's organization) would recover the user's confidentiality key for the user or for law enforcement officials acting under proper authority. Access to keys would be provided in accordance with destination country policies and bilateral understandings. No key length limits or algorithm restrictions will apply to exported key recovery products. Domestic use of key recovery will be voluntary, and any American will remain free to use any encryption system domestically. The temporary relaxation of controls is one part of a broader encryption policy initiative designed to promote electronic information security and public safety. For export control purposes, commercial encryption products will no longer be treated as munitions. After consultation with Congress, jurisdiction for commercial encryption controls will be transferred from the State Department to the Commerce Department. The Administration also will seek legislation to facilitate commercial key recovery, including providing penalties for improper release of keys, and protecting key recovery agents against liability when they properly release a key. As I announced in July, the Administration will continue to expand the purchase of key recovery products for U.S. government use, promote key recovery arrangements in bilateral and multilateral discussions, develop federal cryptographic and key recovery standards, and stimulate the development of innovative key recovery products and services. Under the relaxation, six-month general export licenses will be issued after one-time review, contingent on commitments from exporters to explicit benchmarks and milestones for developing and incorporating key recovery features into their products and services, and for building the supporting infrastructure internationally. Initial approval will be contingent on firms providing a plan for implementing key recovery. The plan will explain in detail the steps the applicant will take to develop, produce, distribute, and/or market encryption products with key recovery features. The specific commitments will depend on the applicant's line of business. The government will renew the licenses for additional six-month periods if milestones are met. Two years from now, the export of 56-bit products that do not support key recovery will no longer be permitted. Currently exportable 40-bit mass market software products will continue to be exportable. We will continue to support financial institutions in their efforts to assure the recovery of encrypted financial information. Longer key lengths will continue to be approved for products dedicated to the support of financial applications. The Administration will use a formal mechanism to provide industry, users, state and local law enforcement, and other private sector representatives with the opportunity to advise on the future of key recovery. Topics will include: . evaluating the developing global key recovery architecture . assessing lessons-learned from key recovery implementation . advising on technical confidence issues vis-a-vis access to and release of keys . addressing interoperability and standards issues . identifying other technical, policy, and program issues for governmental action. The Administration's initiative is broadly consistent with the recent recommendations of the National Research Council. It also addresses many of the objectives of pending Congressional legislation. ----------------------------------------------------------------------------- RESPONSE FROM SENATOR PATRICK LEAHY (D-VT) STATEMENT OF SENATOR LEAHY ON THE ADMINISTRATION'S NEW ENCRYPTION INITIATIVE October 1, 1996 The timing of the Administration's announcement on encryption, within hours of the Congress' likely adjournment, is unfortunate. The Administration needs to work with Congress to develop a consensus on a national encryption policy that takes account of the privacy, law enforcement and competitiveness concerns of our Nation's citizens and businesses. Taking unilateral steps will not resolve this issue, but instead could delay building the consensus we so urgently need. This issue simply cannot by resolved by Executive fiat. While technology should not dictate policy, particularly when our public safety and national security interests are at issue, any policy we adopt must protect our privacy. As the Administration and industry rush to find an alternative to unbreakable encryption, they should take heed that any solution which fails to protect the Fourth Amendment and privacy rights of our citizens will be unacceptable. That is why, with bipartisan support, Senator Burns and I introduced legislation in March that set out privacy safeguards to protect the decoding keys to encrypted communications and stringent legal procedures for law enforcement agencies to get access to those keys. In this plan, the Administration is directing the resources of our high-tech industry to develop breakable, rather than unbreakable, encryption. But no one is yet clear about who will be legally allowed to break into encrypted messages, and under what circumstances. These are questions that have to be answered not only with our own government but also with foreign governments. The weakest link in a key recovery system may be the country with the weakest privacy protections. Internet users, who can send messages around the globe seamlessly, do not want the privacy of their encrypted communications to be at the mercy of a country that ignores the Fourth Amendment principles we enjoy here. These are significant privacy and security concerns not answered by the Administration's plan. Even without reading the fine print, the general outline of the Administration's plan smacks of the government trying to control the marketplace for high-tech products. Only those companies that agree to turn over their business plans to the government and show that they are developing key recovery systems, will be rewarded with permission to sell abroad products with DES encryption, which is the global encryption standard. Conditioning foreign sales of products with DES on development of key recovery systems puts enormous pressure on our computer industry to move forward with key recovery, whether their customers want it or not. Internet users themselves -- not the FBI, not the NSA, not any government regulator -- should decide what encryption method best serves their needs. Then the marketplace will be able to respond. The Administration is putting the proverbial cart before the horse, by putting law enforcement interests ahead of every one elses. But that is not the only catch in the Administration's plan. Permission to export DES will end in two years. Allowing American companies to sell DES overseas is a step long overdue. Given the fact that a Japanese company is already selling "triple DES", one might say this step is too little, too late. Threatening to pull the plug on DES in two years, when this genie is already out of the bottle, does not promote our high-tech industries overseas. Does this mean that U.S. companies selling sophisticated computer systems with DES encryption overseas must warn their customers that the supply may end in two years? Customers both here and abroad want stable suppliers, not those jerked around by their government. The most effective way to protect the privacy and security of our on-line communications is to use encryption technology. Every American should be concerned about our country's policy on encryption since the resolution of this debate will affect privacy, jobs and the competitiveness of our high-tech industries. ----------------------------------------------------------------------------- RESPONSE FROM SENATOR CONRAD BURNS (R-MT) For immediate release: Contact: Matt Raymond Tuesday, October 1, 1996 (202) 224-8150 Randall Popelka (202) 224-6137 Burns Cautious on Encryption Plan Oversight Vowed for Plan That "Raises More Questions Than It Answers" WASHINGTON, D.C. _ Montana Senator Conrad Burns today reacted cautiously to plans by the Clinton administration to loosen restrictions on exports of stronger encryption for computer software and hardware. He also criticized the White House for its failure to negotiate on the cornerstone of its proposals: that companies must agree to "escrow" their decryption keys. "I have no doubt that it was the pressure of Congress, high-tech companies and privacy advocates that dragged the White House kicking and screaming into agreeing that export restrictions should be eased," said Burns, chief sponsor of the Pro-CODE bill, which would loosen restrictions on encryption exports and prohibit government-mandated key escrow. "However, I can't say I'm pleased with a process that has all but excluded Congress and the public from the discussion. "The administration's insistence on key escrow as a condition of lifting these restrictions has never been negotiable. Meanwhile, what choice do these companies have but to yield as their global competitiveness withers on the vine? "This plan raises even more questions than it answers, such as, what about the widespread availability of much stronger encryption than that which is allowed by the White House? How do we deal with rapid changes in technology that will inevitably render the 56-bit limit obsolete? The devil is definitely in the details. "This debate is not over by any stretch of the imagination. The administration has prevented Congress from weighing in on this issue just as support was building for a legislative solution. I intend to move forward with pro-encryption legislation in the next Congress. "I will also push for vigorous oversight of the administration's plan in the Commerce Committee." The Senate Commerce Committee, of which Burns is a member, has jurisdiction over the Commerce Department. The administration has stated its intent to transfer export licensing authority over encryption from the State Department to the Commerce Department. ----------------------------------------------------------------------------- HOW TO RECEIVE CRYPTO-NEWS To subscribe to crypto-news, sign up from our WWW page (http://www.crypto.com) or send mail to majordomo@panix.com with "subscribe crypto-news" in the body of the message. To unsubscribe, send a letter to majordomo@panix.com with "unsubscribe crypto-news" in the body. ----------------------------------------------------------------------------- PRESS CONTACT INFORMATION Press inquiries on Crypto-News should be directed to Shabbir J. Safdar (VTW) at +1.718.596.2851 or shabbir@vtw.org Jonah Seiger (CDT) at +1.202.637.9800 or jseiger@cdt.org ----------------------------------------------------------------------------- End crypto-news =============================================================================