Washington Post says McCain-Kerrey bill "raises red flags"

---------- Forwarded message ----------
Date: Sun, 22 Jun 1997 20:52:08 -0700 (PDT)
From: Declan McCullagh <declan@well.com>
To: fight-censorship@vorlon.mit.edu
Subject: Washington Post says McCain-Kerrey bill "raises red flags"

The Washington Post has a long history of endorsing the Clinton administration's position on export controls of encryption products. On June 10, 1996 the paper editorialized that "national security and law enforcement questions remain too important to be sacrificed lightly." On July 27, 1996: "Congress should be exceedingly cautious about getting out ahead of administration concerns on controls." "Unbreakable codes on the loose strike us as a real danger, a legitimate reason for tight export controls," the Post said on October 4, 1996 -- worrying the White House wasn't strict enough -- and again last month.

But even the Post couldn't quite stomach the McCain-Kerrey bill that the Senate Commerce committee approved last week. In an editorial today, the Post said:

  ...the McCain-Kerrey legislation goes the other way, seeking to expand such restrictions to cover most of the uses of encryption software in the United States. That proposal raises red flags even if you believe, as we do, that there are legitimate national security and law enforcement reasons for controlling the diffusion of such `robust' coding software overseas.

Below I've attached five Washington Post editorials on encryption. Thanks to Alan Olsen, Peter Trei, and especially John Young for holding on to these editorials and sending them to me.

-Declan

---

Senate Commerce committee and McCain-Kerrey bill:
http://www.jya.com/declan3.txt
http://www.jya.com/declan2.txt

Problems with SAFE and ProCODE:
http://cgi.pathfinder.com/netly/editorial/0,1012,1022,00.html

Kerrey crypto-bill:
http://cgi.pathfinder.com/netly/editorial/0,1012,931,00.html

------

Net Tangle on Privacy
Sunday, June 22, 1997; Page C06
The Washington Post

PITY THE senator or representative who still hasn't quite mastered the details of how the Internet works, or the difference between the World Wide Web and e-mail. On the Net-related issues that, by all indications, draw the most urgent public interest -- those relating to privacy protection -- there are now multiple clumps of competing bills, whose differences are both highly important and highly technical. Three of these involve different strategies to curb junk e-mail; two, diametrically opposed, concern encryption.

All these bills are tangential, strictly speaking, to the basic concern expressed at hearings before the Federal Trade Commission: how to safeguard personal and sensitive data about yourself once it gets into the hands of institutions and third parties. (The commission itself is weighing whether to recommend such legislation based on what it heard.) But any of them could powerfully affect future privacy protection.

A striking example is the newest bill on encryption, sponsored by Sens. Robert Kerrey and John McCain, which the Senate Commerce Committee on Thursday voted to adopt as a replacement for a long-standing proposal by Sen. Conrad Burns, dubbed Pro-CODE. Where the Burns bill would have lifted restrictions on the export of "uncrackable" encryption software abroad -- restrictions that the administration has fought to maintain for national security reasons -- the McCain-Kerrey legislation goes the other way, seeking to expand such restrictions to cover most of the uses of encryption software in the United States.
That proposal raises red flags even if you believe, as we do, that there are legitimate national security and law enforcement reasons for controlling the diffusion of such `robust' coding software overseas. The bill, offered as a compromise between the administration's priorities and those of Congress, shows how difficult it is to square this particular circle. It would require users of domestic networks with any government funding (such as universities, many hospitals and government contractors) to deposit an extra "key" to their codes with a licensed "key management" authority -- with the licensing to be done by the government. Like the administration's international policy, this bill envisions the development of whole new government-regulated industries for key management, retrieval and authentication. This meets the needs of domestic law enforcement agencies, which could get the keys with an ordinary subpoena, but at a considerable cost to the consumer confidence that would be expected to drive a market in encryption software to begin with.

What you think of these bills has a good deal to do with how you think the worlds of electronic commerce and networked communal life will develop -- and, of course, no one knows. Even the most enthusiastic boosters of the right to encryption concede that very few people actually use it yet. Electronic commerce itself has yet to take real shape. The main force shaping the Internet for now continues to be the perception -- not to mention fear -- of the all-too-likely prospect that anyone who wants to can snoop around in the stacks of your most private data, which are constantly accumulating in unknown files.

----------

The Washington Post, June 10, 1996, p. A18.
Global Village Cops?

What will be the long-term effect of Internet technologies on global law enforcement? The amazing story of Bill and Anna Young, a k a Leslie Rogge and Judy Kay Wilson, offers one possible scenario.
The pseudonymous Youngs, residents of Guatemala who the FBI says have been on a decade-long run from U.S. justice since Mr. Rogge was convicted of a string of bank robberies and other offenses, turned themselves in to authorities after a neighbor recognized Mr. Rogge's face on the FBI home page's Most Wanted list. According to a story first told in the Guatemala Weekly, the person who recognized him was a newly Internet-wired 14-year-old. The vision of the future evoked by this story, of a world in which the familiar "global village" becomes a place not just of instant communication but of neighborly nosiness and where no one can just melt into the crowd, is reassuring and unnerving in about equal proportions. (What if it were a network of hit men or an authoritarian government seeking a dissident, rather than the FBI, making use of this powerful technology?) But it's also worth keeping in mind that, other than the romance of the technology, it doesn't represent that great an advance on current global media that have made celebrities or fugitives' faces familiar to a vast public -- just ask Salman Rushdie. The Rogge nabbing is the first that the FBI credits to its home page specifically, but TV's "America's Most Wanted" has scored similar coups. The impossibility of predicting the exact shape of these extensions of policing is relevant as well to a report that the National Research Council recently issued on another computer technology issue -- the vexed matter of whether to ease export controls on encryption software, which encodes information sent electronically so that only a user with a key can decipher it. The government until now has resisted lifting controls on "uncrackable" encryption software -- that is, codes that are too complex to be broken by brute force -- unless the industry agrees to deposit keys in an escrow arrangement with a third party so the government can seek and obtain a warrant to read encoded communications if necessary. 
Software makers, meanwhile, are pushing hard to have these restrictions eased. The research council, an arm of the generally neutral National Academy of Sciences, sought to bridge the gap between industry interests and such government agencies as the FBI and national security agencies, whose case, they say, is based largely on classified matter that can't be publicly discussed. Part of the report's conclusion, which favors the easing though not the abolition of current restrictions, is that wider use of encryption technology will actually *help* national security and law enforcement because more data, economic and otherwise, will be secure to begin with. But if the news of the changing terrain tells anything, it is that it is far too soon to base arguments on such a premise.

Our own sense on encryption is that the national security and law enforcement questions remain too important to be sacrificed lightly, despite the considerable economic interests of the parties on the other side. But the world of Internet law enforcement is still taking shape. Whatever the public conclusion on encryption, the debate should not rest on any assumptions about what that shape will be.

-----------

The Washington Post, July 27, 1996, p. A22.
Speaking in Code on the Internet ... [Editorial]
The decibel level has been rising in the argument over how much control the federal government should have over the export of encryption technology. The Senate Commerce Committee held hearings Thursday on a proposal dubbed Pro-CODE (Promotion of Commerce On-line in the Digital Era) that would lift current restrictions on exporting encryption software above a certain level of complexity. The move is opposed strongly by law enforcement and national security authorities, who fear the consequences to their tracking of terrorism or crime if uncrackable cryptography becomes the global standard.
But encryption software -- which scrambles a person's computer messages so no one can read them without a key -- also is thought by many in the computer industry to be the missing piece that's preventing customers from a full-scale move to the Internet for banking and other confidential transactions, rather than, as now, worrying about the security of their data. They also see it as a market in which the United States maintains a comfortable lead, one that is threatened if domestic encryption makers can't sell their products elsewhere. The makers argue that foreign encryption software will rush in to fill the gap, doing nothing about the uncrackability problem -- indeed, making it worse. The administration in turn is pursuing a wider international agreement to maintain controls on cryptology export by all the industrialized nations and has been putting pressure on its colleagues in the Organization for Economic Cooperation and Development, which will rule on the matter in a Paris meeting in September.
Administration officials, including FBI chief Louis Freeh, have been pushing for an alternative policy of "voluntary key escrow" -- encryption makers would deposit a key to the code with a neutral third body before exporting the products and could then have access to the codes only by court order, as happens now with wiretapping. Mr. Freeh, testifying at Thursday's hearing in favor of an optional key escrow plan, noted that the point is not to prevent all copies of uncrackable code from going abroad -- that's clearly impossible -- but to prevent such high-level code from becoming the international standard, with architecture and transmission channels all unreadable to world authorities. To software companies and Internet users who have been clamoring for the right to encrypt as securely as possible, Mr. Freeh and others argue, "the genie is not yet out of the bottle" on "robust," meaning uncrackable, encryption.
It's far from obvious to anyone that an optional escrow plan really can prevent the growth of inaccessible transmissions by international terrorists or criminals. Encryption, if widely used, could conceivably ease some privacy problems concerning who gets to see personal and financial data on individuals -- though such data usually are vulnerable to being dug out of storage rather than intercepted in transmission. But neither is it clear that the encryption enthusiasts' desire for free development should take precedence over the tracking of terrorism. At the very least, Congress should be exceedingly cautious about getting out ahead of administration concerns on controls that, once lifted, are hardly reversible.

----

The Washington Post, October 4, 1996, p. A22.
Crypto Politics [Editorial]

The Clinton administration once had a coherent, if unpopular, position on encryption software, the stuff that allows you to encode your email messages or other data so that no one can read it en route without a key. Now, in the wake of word that the president will sign an executive order, the position is no longer coherent, nor discernibly more popular with the high-tech audience it attempts to mollify.

People and companies doing international financial business are highly interested in this kind of software, the more powerfully "uncrackable" the better. The U.S. software industry thinks there's a lot of money in it, especially if encryption becomes routine. The administration position till recently was that, much as U.S. software companies might profit from being able to market "uncrackable" encryption software freely, national security and law enforcement considerations dictated that such exports be controlled by license. Powerful encryption, like arms, could be dangerous in the hands of terrorists, rogue governments or international criminals. The software was classed as a munition; software above a certain uncrackability level could not be exported unless law enforcement authorities could get access somehow to the "key" after obtaining the proper warrants.

Unbreakable codes on the loose strike us as a real danger, a legitimate reason for tight export controls. But if the administration really believes this, you'd think it would stick with steps that can plausibly meet the goal of control. Instead, trying to please, it has been splitting and splitting the difference between itself and the largely unmoved industry, which argues that no one will buy an encryption product that a government can decrypt at will. As with arms sales, the companies also argue that if they don't sell it, somebody else will, and that anyway it's far too late to fence off rogues.
The national security people respond that there is still a "window," perhaps two years, in which they can prevent, if not all leaks of unauthorized crypto technology, at least its off-the-shelf use and wide adoption as the international standard. The administration initially proposed, then repeatedly refined, the concept of key "escrow" -- depositing a copy of the code with trusted third parties -- but never came up with a version the industry would accept. It commissioned a National Research Council report, which recommended a significant easing of restrictions.

Now the president appears to have embraced a yet looser form of licensure upon declaration by a company that it will develop a plan within two years for key recovery. Also, the technology no longer will be considered munitions. What kind of plan? Nobody can quite say. What if the plans aren't acceptable? Licensing will revert to the old rule in two years. Will the security issue be moot by then? Probably. Barring some burst of clarity, one is left wondering whether the administration has compromised or caved, and what it now believes about the dangers of exporting uncrackable software.

----------

Showdown on Encryption
Sunday, May 25 1997; Page C06
The Washington Post

AFTER A YEAR'S rumbling, Congress seems ready to mount a direct challenge to the administration's position on encryption, the sticky issue of how to handle software that creates, for commercial use, codes too strong to break. The House Judiciary Committee the other day passed a bill dubbed Security and Freedom Through Encryption, or SAFE, which would undo existing curbs on the export of "uncrackable" encryption technology abroad without a license. The administration has fought to maintain those curbs against increasing pressure from the manufacturers of such software and from a loose but growing coalition of privacy and civil liberties groups. A similar bill is pending in the Senate.
The administration maintains that the sellers of software capable of encrypting electronic messages to a complexity beyond ready cracking shouldn't sell it abroad -- or, if they do, should be prepared to deposit keys to the codes with trusted commercial third parties at home. Police or national security authorities could get these keys with a search warrant or court order, as in normal investigations, and a market would develop to provide the third-party service of holding them. This vision of a worldwide "key management" structure is a clever way to reconcile two otherwise contradictory desires: the desire of Internet users for absolute security and privacy in electronic transactions and the government's desire to prevent criminals and terrorists from making themselves impregnable to a degree never before seen. "Key management" does not, however, exist. And the administration has gone so far toward undercutting its own position -- saying key escrow should be voluntary, trying to accommodate industry with numerous exemptions, licensing uncrackable software separately for banks -- that it's not clear it ever will exist. Meanwhile, the once-obscure drive to make unlimited-strength cryptography available to all has picked up momentum -- and some odd allies. Phyllis Schlafly was among those who testified in favor of the SAFE bill, saying it would protect Americans from unprecedented government intrusion and the FBI reading their mail. Libertarian groups such as Americans for Tax Freedom are enthusiastic about the vision of a world where powerful, widely available encryption renders communications totally safe. The odd part is that there currently are no restrictions on use of uncrackable encryption software within this country. The software industry has argued that the export control makes for a de facto domestic curb, because it's too complicated to market a full-strength version for the domestic market and a weaker one for the foreign market. 
But this isn't a very persuasive argument, since most popular software programs exist in dozens of versions for different markets and in different languages. The real question is whether you believe this stuff poses a significant national security threat in the wrong hands. If you do -- and we think it irresponsible to assume otherwise -- then it's not enough to declare uncrackable privacy a civil right. You have to at least address the question of how to minimize intrusion into that right while preserving some ability to grapple with the potential danger. Neither the SAFE advocates in Congress nor the administration's voluntary escrow enthusiasts up to now have laid out that vision in a convincing way.

###