Both sides of the crypto-debate spent today jockeying for position before an important vote tomorrow in the House Commerce committee. At issue is whether the panel will follow the lead of the Intelligence committee and restrict your ability to protect your privacy with whatever technology you want. Law enforcement officials are pressing for a secret backdoor, and Rep. Oxley was planning to offer a proposal (Oxley I) giving them just that. * Today Oxley circulated a revised proposal that I think of as Oxley II. It's designed to respond to some of the criticisms: http://www.cdt.org/crypto/legis_105/SAFE/Oxley_Manton_rev.html * Law professors sent a letter criticizing Oxley I: http://www.law.miami.edu/~froomkin/lawprof-letter.htm * Yesterday dozens of groups -- from Apple to USWest -- sent out a letter criticizing Oxley I. (It's attached below.) The question is now: how many of these groups will oppose Oxley II? * Oxley is trying to carve off pieces of the alliance and get the Baby Bells not to oppose Oxley II, Reuters reports below. Also, grassroots law enforcement groups -- including some from California -- are sending their own letters to support Oxley. * Rep. Rick White is trying to cut a deal; he's proposing alternative, compromise language. A note from his staff is attached below. * Scientific and engineering professional societies, too, weighed in. I've attached their note at the end of this message. -Declan --------------

From White's staff:

Congressman Rick White will offer an alternative to the Oxley/Manton substitute in order to preserve the SAFE bill while addressing some of the concerns of the law enforcement community.

The White alternative would:

1) Give law enforcement the tools they needs. The alternative would create a National Electronic Technologies Center (NETCenter) to serve local, state and federal law enforcement authorities by providing information and assistance regarding decryption technologies and techniques. In addition the NETCenter would give law enforcement access to the tools they need to keep pace with changing technologies.

2) Tough on those who commit crimes by using encryption. The alternative doubles the allowable jail time for those who break the law and commit crime and try to hide their tracks by use of encryption.

3) Study. There has never been a study on a domestic key recovery system and the recent proposal by the FBI. The White alternative calls for a six month study of domestic key recovery system to determine its effectiveness.

4) Americans should not have to turn over the keys to their electronic security. The 4th Amendment protects our individual right(s) to keep protect our "effects." The White alternative states that the federal government and the States cannot restrict the use of domestic encryption technologies and cannot condition the issuance of certificates of authentication -- which many believe will be necessary for electronic commerce to succeed -- on the use of a government-blessed key recovery system for encryption.

-------- September 22, 1997 The Hon. Thomas J. Bliley, Jr. Chairman House Commerce Committee 2125 Rayburn House Office Building Washington, D.C. 20515 Dear Chairman Bliley: We are writing to express our strong opposition to the Oxley-Manton amendment to HR 695, the Security and Freedom through Encryption Act (SAFE), which the Commerce Committee will consider this week, and to any form of government domestic controls on encryption. The Oxley-Manton amendment would impose unprecedented restrictions on the domestic manufacture and availability of encryption, thus potentially compromising the security of the nation's telephone system and the Internet alike. The amendment would: * prohibit the domestic manufacture, sale and importation of any encryption product or service unless the government is given immediate access to the plaintext of communications and stored files without the knowledge of the user; * prohibit network service providers, including telephone companies and Internet service providers, from offering encryption products or services unless communications can be immediately read without the knowledge of the user; and * give the Attorney General unprecedented, broad new powers to establish standards for encryption products and services. Encryption technologies are the vital tools consumers and businesses need to operate with security and privacy in the information age, and are a cornerstone of electronic commerce. Government domestic controls on encryption are incompatible with the consumer, corporate, and national security benefits of the national information infrastructure. Numerous communications products and services are now under development that incorporate encryption as an essential feature. Oxley-Manton will stifle these new products and services, end the deployment of market-driven key recovery systems, and undermine the potential of the new communications media for electronic commerce and the promotion of democratic values. * Strong encryption will not only ensure privacy but also help prevent crime on the network. However, by mandating trap doors in all domestic encryption products and communications networks, the Oxley-Manton amendment will make the personal records and communications of individuals and businesses more vulnerable to hackers, terrorists, industrial spies and other criminals. Put at risk will be medical records, tax returns, private email, business proprietary information and transactions, attorney-client communications, and cellular phone conversations. * Oxley-Manton's broad requirement for "immediate access" to decryption keys without knowledge of the user would force Americans to forfeit their constitutional right of privacy as a condition of participating in the information age. * Oxley-Manton invites disastrous industrial policy. It is industrial policy with criminal sanctions attached. The amendment authorizes the Attorney General to promulgate technical requirements for all encryption products and gives the Department of Justice prior approval authority over all encryption systems for computers and telecommunications. This will stifle innovation. It will drive encryption expertise out of this country. The market should be allowed to develop its own solutions, many of which in fact will meet law enforcement's needs within our existing system of legal authorities and safeguards. * Oxley-Manton will be ineffective in keeping strong encryption out of the hands of criminals. Criminals and terrorist groups will not use a system that gives the government access to their decryption keys. In fact, the FBI has admitted in Congressional testimony that criminals will always have access to strong unbreakable encryption. We urge the Committee to reject the Oxley-Manton amendment and any other form of domestic encryption control. Sincerely, ACL Datacom, Inc., California American Electronics Association American Automobile Manufacturers Association Americans for Tax Reform America Online, Inc. Ameritech ANS Communications, Inc., New York Apple Computer, Inc. Ashton Communications Corp., California and Texas Bell Atlantic Bell South Bowles Farming Co., Inc. Business Software Alliance Center for Democracy and Technology Commercial Internet eXchange Association CommerceNet Compaq Computer Corp. CompuServe, Inc. Computer & Communications Industry Association Computer Software Industry Association Consumer Electronic Manufacturers Association Counsel Connect Crest Industries, Inc. DataXchange Network, Inc. Direct Marketing Association Electronic Data Systems, Corp. Electronic Frontier Foundation Electronic Messaging Association Epoch Internet Fiber Network Solutions, Inc., Columbus, Ohio Genuity Inc., a Bechtel company IBM Corp. Information Technology Association of America Information Technology Industry Council (ITI) Institute of Electrical and Electronics Engineers - US Activities International Communications Association Intuit Inc. Internet Providers Association of Iowa Microsoft National Association of Manufacturers NETCOM On-Line Communication Services, Inc. NetINS, Inc., Iowa Novell Online Banking Association National Association of Manufacturers National Retail Federation Netscape Communications Corp. Phoenix Media/Communications Group Pro-Trade Group PGP, Inc. RSA Data Security, Inc. SBC Communications Inc. Securities Industry Association Silicon Valley Software Industry Coalition Software Forum Software Publishers Association Sun Microsystems, Inc. TheOnRamp Group, Inc., Ohio Trusted Information Systems United States Council for International Business United States Internet Council United States Telephone Association U.S. Chamber of Commerce US West Voters Telecommunications Watch --- Lawmakers try to get Baby Bells out of code debate By Aaron Pressman WASHINGTON, Sept 23 (Reuter) - With a Congressional panel set to vote Wednesday on a proposal to impose domestic controls on encryption, lawmakers backing the limits worked furiously to convince telephone companies not to oppose them. Late Tuesday, officials at the five "Baby Bell" regional phone companies said they had not decided if last-minute changes to the proposal addressed their concerns. On Monday, the five companies joined dozens of high-tech firms and business and Internet groups in a letter opposing the proposal authored by Ohio Republican Rep. Mike Oxley. The restrictions, which would require all products sold in the United States to include features allowing the government to covertly decode any encrypted data, had been building strong momentum in Congress over the past month. And until the telephone company opposition surfaced two weeks ago, the proposal was expected to be adopted easily by the House Commerce Committee. But the opposition of the influential Baby Bells stopped the process and the committee decided to put off an earlier vote until Wednesday. In a recent revision, Oxley agreed to remove provisions which required network service providers such as the phone companies to provide immediate access to coded communications. Lawyers for the phone companies met Tuesday but did not reach a decision on the changes, according to Bell South spokesman Bill McCloskey. "The meeting ended inconclusively," McCloskey said. "We have no verdict." Oxley's office remained confident that changes could be made to mollify the phone companies. "We will get them onboard, there's no doubt," one staffer said. While lawmakers worked to assuage the concerns of the Baby Bells, and added a provision to appease the banking industry, leading science groups and law professors separately issued new statements on Tuesday completely opposing the Oxley restrictions. Professors from 23 law schools, including Yale, Harvard and Stanford, said the restrictions were a "profound mistake" that would "contravene fundamental principles of our constitutional tradition." Leading science, mathematics and engineering groups said the restrictions were impeding on the advance of cryptography research thus making all computer networks, including the Internet, less secure. The Oxley proposal will be considered as an amendment to a bill by Virginia Republican Rep. Bob Goodlatte that began as an effort to loosen strict U.S. export controls on encrypotion products and preclude domestic restrictions. Rep. Rick White, Republican of Washington, said Tuesday he would offer an alternative to Oxley's amendment that would meet many of the objections of industry, Internet groups and others. But White's proposal was not endorsed by leading law enforcement agencies that back Oxley's plan. White's plan would establish a center to help law enforcement agencies crack encryption used by criminals, start a study of technologies to allow government access and increase criminal penalties for use of encryption as part of a crime. While two House committees have approved the Goodlatte bill intact, two other panels added tighter export controls and domestic restrictions. After the Commerce Committee's vote, the bill goes to the House Rules Committee which must reconcile the competitng versions. No action is expected on the bill by the full House this year. ((--202-898-8312)) Tuesday, 23 September 1997 19:47:13 RTRS [nN2351141] --- PRESS RELEASE SEPTEMBER 24, 1997 LEADING US SCIENTIFIC, MATHEMATICS, AND ENGINEERING SOCIETIES PROTEST RESTRICTIONS ON CRYPTOGRAPHY RESEARCH AND DEVELOPMENT The leading U.S. scientific, mathematics, and engineering societies sent a united message to Congress today protesting proposed U.S. cryptography policies that would maintain export restrictions limiting the open exchange of scientific information and the progress of scientific research and development. In addition, these organizations warned that new requirements for domestic key recovery raise serious scientific and technical problems that undermine its viability as a policy alternative. In a letter to the House Commerce Committee, the societies indicated that the policies will "diminish the scientific reputation of the United States and weaken us economically." This is the first time these highly influential societies have united to inform Congress how cryptography policies will effect the future of scientific research and development in the U. S. Until now, the debate has focused on commercial, civil liberties, and national security/ law enforcement interests. The House Commerce Committee will vote today on proposed legislation removing restrictions on the export of encryption products. However, amendments to this language were passed by two House Committees restricting the domestic use of encryption. The letter urges the Committee to reject such proposals or " U.S. leadership in many areas of science and technology is likely to be jeopardized with no discernible benefits to our National Interests." Export controls and domestic restrictions on cryptography development and use impact scientific freedoms in a number of ways. Cryptographers, a specialized subset of computer scientists, mathematicians, and engineers, are unable to communicateare unable to communicate with their colleagues overseas or to participate in international projects aimed at developing a secure GII. The full and open exchange of scientific information facilitated by these organizations has significantly increased the economic strength of the United States. However the proposed new laws would continue to force them to exclude members living outside the United States from this free exchange. According to Dr. Barbara Simons, " The scientific and engineering societies today speak with one voice in urging Congress not to enact cryptography policies which will prohibit scientists from performing important research. If scientists cannot research and develop new cryptographic tools, the future of electronic commerce may be in jeopardy." CONTACTS: Dr. Barbara Simons Chair U.S. Public Policy Committee for the Association for Computing phone: 408:256-3661 pager: 1-888-329-3091 pager id: 2533409 e-mail simons@VNET.IBM.COM Dr. Peter Neumann U.S. Public Policy Committee for the Association for Computing email: neumann@csl.sri.com Ed Lazowska Chair, Computer Science University of Washington e-mail: lazowska@cs.washington.edu phone: 206 543 4755 David L. Waltz President, American Association for Artificial Intelligence (AAAI) e-mail: waltz@research.nj.nec.com phone: 609-951-2700 fax: 609-951-2483 Irving Lerch Co-Chair, Committee on Scientific Freedom and Responsibility American Association for the Advancement of Science phone: 301 209 3236 Mary Gray Co-Chair, Scientific Freedom and Responsibility American Association for the Advancement of Science phone: 202 885 3171 Staff: Lauren Gelman 202/544-4859 gelman@acm.org Alex Fowler 202/ 326-7016 afowler@aaas.org September 24, 1997 Dear Chairman Bliley: As representatives of the leading scientific, mathematics, and engineering societies in the United States, we are writing to protest current and proposed U.S. cryptography policies that restrict the open exchange of scientific information and the progress of scientific research and development. We object to national policies that criminalize the use of cryptography that is not approved by the Administration or that mandate domestic key recovery schemes. The leadership that the United States currently enjoys in research and development of encryption algorithms, cryptographic products, and computer security technology will be seriously eroded, if not essentially eliminated, by misguided proposals to restrict the domestic use of encryption. o The development of strong cryptographic technology is crucial to the further growth of our electronic infrastructure. Encryption protects the security and privacy of communications and stored data. A lack of strong universally available encryption exacerbates security problems on personal computers, intranets, and the world-wide Internet. A recent National Academy of Sciences study warned against the government's premature reliance on key recovery as an encryption technique. It urged that the method be deployed in test situations first to work out problems. This has not been done. o Our organizations publish numerous scientific journals and conference proceedings, often relying on the Internet for publication. The free exchange of scientific information facilitated by our organizations has significantly increased the economic strength of the United States. But the proposed new laws would continue to force us to exclude members living outside the United States from this free exchange. The result would diminish the scientific reputation of the United States and weaken us economically. o It is unreasonable and probably unconstitutional to distinguish between printed and electronic distribution of encryption source code. U.S. policy should not create an artificial distinction between paper and electronic versions of a document. o U.S. scientists and engineers involved with research and development of cryptographic tools cannot publish their results using electronic media, are restricted in their efforts to educate the next generation of computer scientists, and cannot communicate with their international colleagues. For example, the U.S. cryptography community has not been able to participate in the Internet Protocol Security project, an effort to develop new international standards for Internet security. o Publication restrictions relating to cryptography have a negative impact on peer review and the development of robust algorithms. To demonstrate that encryption algorithms are secure, cryptographers publish their algorithms and other cryptographers try to break them. Not only does this process tend to identify faulty algorithms, but it is also a precondition for the public to have confidence that the algorithm is secure. o Computer systems currently are plagued by considerable security and privacy weaknesses. These problems will become more widespread as electronic commerce develops and computer systems become ubiquitous. Cryptographers in the U.S. face numerous barriers when addressing computer security issues, and some security researchers may be unwilling to continue their work because they will be restricted in publishing and discussing their research. In conclusion, we urge you to eliminate current policies that stifle the ability of researchers and implementers to study and build cryptographic algorithms, secure information systems, and secure network protocols. Otherwise, U.S. leadership in many areas of science and technology is likely to be jeopardized with no discernible benefits to our National Interests. For more information please contact Barbara Simons at 408/256-3661, Alex Fowler at 202/326-7016 or Lauren Gelman at 202/544-4859. Sincerely, ------------ ------------------------- Declan McCullagh Time Inc. The Netly News Network Washington Correspondent http://netlynews.com/