Encryption Bill Would Restrain Next Generation of the Internet By PETER WAYNER The users of the next generation of the Internet will be forced to turn over the keys to their encrypted computer data to government authorities if a bill currently before the Senate passes. Senator Bob Kerrey, the Nebraska Democrat who cosponsored the measure, said in an interview Monday that the bill would require that the authorities be able to recover such keys in the next generation network, called Internet 2, an advanced, high-speed research project that is being carried out in more than 100 universities across the country. The bill does not mention Internet 2 specifically but simply refers to data traveling on all networks created "with the use of Federal funds for transaction of government business." Users of the current Internet would have the freedom to choose whether to notify the authorities of the keys. Key recovery is a controversial proposal aimed at giving fast access to encrypted data to the branches of the government responsible for law enforcement and national defense. These branches worry that widely deployed, easy-to-use encryption technology will make it simple for criminals and terrorists to cloak their communications and make it impossible for the police to use surveillance to gather evidence. Others, including computer scientists, civil libertarians and even some law enforcement officials, worry that such a proposal would concentrate too much power in the key recovery centers and that this makes the nation vulnerable to both attack by terrorists and abuse by those entrusted with the power. A government-approved key-recovery system, as imagined by the bill, would be created by an organization that would store the keys to unlock the data encrypted by members of the organization. It could be either a corporation, a university or a group of private citizens. The key recovery official for the organization, known as the "agent," would be responsible for decrypting the data and providing a "plaintext" version to the police in response to a subpoena, a court order, a warrant or a letter from an attorney general. The bill would remove the civil and criminal liability from the agents for responding to such queries but would impose penalties of up to $100,000 on those who fail to comply. The bill, called the Kerrey/McCain act after its sponsors, Kerrey and John McCain, the Arizona Republican who is chairman of the Commerce Committee, is officially known as the Secure Public Networks Act. It would require all new federally financed networks or computer systems to use government-approved key-recovery technology. The Internet 2 is a cooperative effort involving 109 universities to build a demonstration version of a very-high-speed Internet in order to aid scientific research and to push the state of network technology. Its current embodiment is financed by a mixture of grants from the National Science Foundation and President Clinton's Next Generation Internet initiative. The greatest problem facing the users of Internet 2 and other future federally financed networks will be defining where the government control begins and where it ends. In the interview, Kerrey admitted that this was a challenging problem and said that the government must be flexible in determining the answer. His legislation would create an Information Security Board that would ultimately be responsible for tuning the application of the law. "The law is written so we can get regular look-backs and decide what's not working," he said. "We know the current law isn't right. So let's change the law and get some good flexibility." The current law controls only the export of encryption technology. People in the United States have been free to use encryption to protect their secrets since before the days of the American Revolution. Thomas Jefferson, for instance, dabbled in cryptography and even personally specified the encryption system to be used by Lewis and Clark in their expedition. For this reason, Senator Kerrey expects that people will challenge the constitutionality of his bill, but he says that his office is working hard to ensure that they get the bill right the first time. The law could run afoul of the First Amendment to the Constitution, which prohibits the "abridging of the freedom of speech." Requiring people to speak in a form that is understandable by the government in order to participate in government-financed network might be considered an abridgment. Donald Haines, legislative counsel of the American Civil Liberties Union said, "It's like asking: 'Can you make it illegal to commit a crime in French?' " A more likely challenge may come from the Second, Fourth and Fifth Amendments. The United States government has treated encryption technology as munitions in order to control its export. The Second Amendment, however, guarantees the right to "keep and bear arms." The Fourth Amendment guarantees "the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures." It is not clear how a court would view the requirement that a citizen disclose his or her encryption key to a key-recovery agent in order to participate in the next generation of the Internet. On one hand, the agent would act as an intermediary who would only disclose the data to the government in response to a valid request. On the other, the requirement for disclosure before any warrant is issued might be seen as a violation of the Fifth Amendment, which prohibits the possibility that someone "be compelled in any criminal case to be a witness against himself." More obscure challenges may emerge from the Ninth and Tenth Amendments. The Tenth Amendment reserves "powers not delegated to the United States by the Constitution" to either the individual states or the people. Representative Bob Goodlatte, a Virginia Republican and a sponsor of competing legislation in the House, asserts that Kerrey's bill is unconstitutional and that it amounts to a "dramatic erosion of the people's rights" to allow access to someone's data without the oversight of a court. He points out that Kerrey bill would allow foreign governments to request access to anyone's files in the United States through the office of the Attorney General. To a large extent, the constitutional question may depend upon just how voluntary the key-recovery process turns out to be. The current draft of the bill contains language that explicitly guarantees that participation in the program is voluntary, but it then enumerates all the conditions under which federal financing will make it mandatory. The first to feel the requirements will be universities and colleges, because they rely heavily on government financing. Kerrey said he remained willing to consider any language that would help give the universities the flexibility they need to continue to do research effectively, but added that he remained committed to pushing key-recovery technology. Some members of the university community expressed doubt that any compromise would be possible. Gregory A. Jackson, the associate provost of the University of Chicago and a member of the Internet 2 steering committee, said that the record-keeping burden would be onerous and that the gains would be to slim when measured against the cost. "I can understand the FBI's point," Jackson said. "There are times when we want access to some communications on campus and we can't get it." In his work at the University of Chicago and in his previous job at the Massachusetts Institute of Technology, Jackson said, he was often called on to deal with disciplinary problems involving misuse of the campus networks. "We had to use different leverage over people on campus," he said. "Ultimately, the FBI is probably going to reach the same conclusion." Besides, Jackson said, it is virtually impossible even to define what encryption is. While the law requires that the key-recovery agents deliver "plaintext," it is impossible to control how people speak or what data they exchange. He went on to predict that the Internet 2 project would find a way to migrate into a completely private entity if it became necessary to avoid government regulation. "Even the most optimistic estimates of what the federal contribution will be are still a small fraction of the costs of Internet 2," he said. "It's serious money, and its important for making it go forward quickly, but it's not the lion's share." George Cybenko, a professor at Dartmouth, said that his use of the Internet 2 could drop to simple e-mail and Web browsing because of the overhead imposed by keeping track of the keys. "If someone shows up and says, 'This packet came out of your office at 4 p.m. What does it mean?' it will be a nightmare," Cybenko said. Many of the new uses of the Internet involve packing new and different forms of communication into complicated data structures. Determining the difference between data that are encrypted and data that are merely unconventional is difficult and could lead to problems. Some Internet correspondents have predicted that the FBI will be able to find a Senator to add an amendment to Kerrey's bill to make key recovery mandatory for all Americans. Kerrey himself suggested that this amendment may be offered by the Judiciary committee or on the floor of the Senate in coming weeks. On Wednesday, the Senate Judiciary committee will begin holding meetings to investigate the technology. Some expect that the committee chairman, Senator Orrin Hatch, Republican of Utah, will offer his own version of the legislation. In the House, however, a different story continues to unfold. Goodlatte has sponsored his SAFE legislation (Security and Freedom through Encryption) that would relax export controls and not require key-recovery provisions for anyone. His bill would deal with the problem of criminals hiding their actions by extending the sentences of anyone who uses encryption in furtherance of a felony. His legislation has enjoyed wide, bipartisan support. Cosponsors range from conservative Republicans like Tom DeLay of Texas, to liberal Democrats like Maxine Waters of California. In the last two days, six more members of the House have signed on as co-sponsors, bringing the total to 131. Copyright 1997 The New York Times Company ----- Ariel Glenn / AcIS R&D / Columbia University ariel@columbia.edu #include <stddisclaimer.h>