PGP Key Escrow and Congress

The attached is from Barbara Simons of the U.S. ACM. Note item 4, where Congressional staffers point to PGP as an example of key escrow software being possible. To those of us fighting the government control of cryptography, this is not helpful.

Bruce

--------------------------------------------------------------------------

Date: Mon, 13 Oct 1997 13:27:03 PDT
Reply-To: "Barbara Simons" <simons@VNET.IBM.COM>
Sender: ACM US Public Policy Committee <USACM@ACM.ORG>
From: "Barbara Simons" <simons@VNET.IBM.COM>
Subject: Hill ... Blues
To: USACM@ACM.ORG

On Thursday and Friday of last week I met with Hill staffers of the following Congresspeople: Sen. Feinstein, Sen. Boxer, Rep. Eshoo, Rep. Campbell, and Sen. Kerrey. As you may have noticed, there was a Ca. theme to the group, with the exception of Nebraska's Kerrey, of S909 fame. Both Feinstein's and Boxer's staffers suggested that I speak with Kerrey's staff, which is how I ended up meeting with Christopher McLean, Kerrey's Legislative Counsel, and Lorenzo Goco, who is Special Assistant to the Vice Chairman of the Senate Select Committee on Intelligence.

My discussion with them was very interesting and somewhat lively. I don't know whether or not they had noticed our letter in opposition to S909, but they at least appeared to be surprised when I said that we had written such a letter, a copy of which was given to each at the meeting.

I had the strong impression that McLean and Goco had had a hand in the writing of S909. They certainly were well versed in the arguments. Here is some of what they said:

1. S909 impacts only the government, NOT universities that receive government funding for networks. This is not our interpretation of the bill, and I'd be interested in hearing from some of the lawyers who are on USACM as to whether or not they agree with McLean and Goco.

2. If we are concerned about the well-being of the computer industry in the U.S., we should be supporting S909, since the alternatives are either a more draconian bill or no bill at all, with the maintenance of the status quo export restrictions. They claim that Clinton will veto any bill that does not contain provisions that address some of law enforcement's concerns.

3. If we are concerned about inappropriate behavior vis-a-vis key escrow or recovery, we should be supporting S909, since it includes strong penalties for unlawfully revealing or obtaining others' keys.

4. The NSA states that key recovery is doable and will not jeopardize national security. And there is an existence proof for key recovery software in the new PGP release.

5. Yes, they would like to see widespread use of key recovery, but their idea is to encourage the development of encryption with key recovery by using the buying power of the government to cause widespread and inexpensive key recovery encryption to come into being.

6. They are simply doing what the NRC report recommended, namely "testing" key recovery on the government without imposing it on the citizenry.

7. Key recovery or key escrow are simply attempts at maintaining the status quo for law enforcement, who are now able to wiretap at will.

Some of these are old arguments that we've been hearing for a while, but some are newer. In particular, points 4 and 6 are difficult to refute without getting into some technical details. Both points also undercut the argument that a key recovery infrastructure potentially weakens security. After all, the NSA thinks it's secure enough that it can be used by the government.

Barbara
participants (1)
-
Bruce Schneier