House Intelligence Committee Press Release
INTELLIGENCE COMMITTEE OFFERS ALTERNATIVE ENCRYPTION LEGISLATION TO ADDRESS SECURITY CONCERNS SEPTEMBER 11, 1997 CONTACT (202) 225-4121 The House Permanent Select Committee on Intelligence (HPSCI) today approved, by voice vote, legislation proposing an alternative to pending encryption legislation, known as the "Security and Freedom Through Encryption Act" (H.R. 695). The HPSCI amendment in the nature of a substitute to HR 695 proposes safeguards in the law to meet national security and law enforcement concerns in the debate over the future of United States Encryption policy. "All members of Congress, and particularly those of us on the Intelligence Committee, have a responsibility to find the proper balance between forward thinking commercial policies and the unquestioned need to protect the security of the American people and America's national interests. We are offering proposals to ensure that we do not plow full steam ahead into the 21st century's information age having seriously weakened our ability to protect the national security, " said HPSCI Chairman Porter J. Goss (Fl-14). "American citizens have a right to their privacy and their access to the freest possible markets. But they also have a right to their safety and security. Terrorist groups that plot to blow up buildings; drug cartels that seek to poison our children, and those who proliferate in deadly chemical and biological weapons are all formidable opponents of peace and security in the global society. These bad actors must know that the United States' law enforcement and national security agencies, working under the proper oversight, will have the tools to frustrate illegal and deadly activity and bring international criminals to justice," Goss said. "The bill referred to the Intelligence Committee attempts to deal with complex issues. The substitute adopted by the Committee addresses the legitimate national security and law enforcement concerns that are simply not addressed in H.R. 695. In that respect, the Committee substitute, in my judgment, furthers the debate on these important matters," noted Ranking Democrat Norm Dicks (WA-6). The main elements of the Intelligence Committee's proposal are: * Requires exports of encryption products to submit to a one-time review and to include features or functions (that need not be enabled by the manufacturer) allowing for immediate access to plaintext or to decryption information; * Requires that encryption products manufactured and distributed for sale or use, or import for sale or use, in the United States after January 31, 2000 include features or functions that provide, upon presentment of a court order, immediate access to plaintext data or decryption information from the encryption provider; * Does not change law enforcement's statutory requirements prior to intercepting oral, wire, or electronic (wireless) communications, or law enforcement's requirements prior to obtaining stored data. Law enforcement will specifically be required to obtain a separate court order to have data, including communications, decrypted; * Allows for law enforcement access with delayed notification requirements, similar to those allowed in current wiretap statutory provisions: * Provide civil remedies and criminal penalties for unlawful access to or disclosure of plaintext or decryption information; * Require US government procurement of encryption technology that includes functions or features allowing for immediate access to plaintext or decryption information. "Our committee has weighed in on these issues in the interest of furthering the important debate now underway about how best to accomplish the multiple goals of a sound encryption policy. Any encryption legislation we consider must take a balanced approach to the national security, law enforcement, public safety and privacy issues at stake. Our action today marks another step in this process, which no doubt will continue to unfold in the days and weeks ahead. I look forward to working with all sides on this debate as we tackle this complex but important issue," Goss said. The HPSCI, which sought and received sequential referral of H.R. 695, is one of five House committees with jurisdiction on this issue. The Committees on Judiciary, International Relations, National Security and Commerce have also considered this legislation. The HPSCI expects to file its committee report with the House tomorrow, meeting its deadline for action set by the Speaker. -30-
At 10:03 pm -0400 on 9/11/97, Dave Del Torto forwarded:
Ranking Democrat Norm Dicks (WA-6). ^^^^^^^^^^ Excuse me while I laugh so hard the milk comes out my nose.
Oooops... Self re-flatulance. Excuse me... So, let's have fun, if it's really possible, with a name, shall we? Um, Normless Dick? Normie Dickless? I also find it hard that a "ranking democrat" has a normal dick, anyway, impute that how you will... Wiping the front of my shirt, now, Bob Hettinga ----------------- Robert Hettinga (rah@shipwright.com), Philodox e$, 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' The e$ Home Page: http://www.shipwright.com/
-----BEGIN PGP SIGNED MESSAGE-----
* Requires that encryption products manufactured and distributed for sale or use, or import for sale or use, in the United States after January 31, 2000 include features or functions that provide, upon presentment of a court order, immediate access to plaintext data or decryption information from the encryption provider;
Cute trick. I wonder who's the "provider" of a GNU-licensed piece of collectively-written software? And is the law satisfied by a program which ships with a GAK module and has a nice installation program that automatically (or after asking) rips it out by the roots. DCF -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQCVAwUBNBmbSYVO4r4sgSPhAQGTiAP/flFF1JthoTYIykxSgomqItODz/ruD04D 077u4GBiURnAarZGF8/L5/MIYXtN2nZ/X47gDgWo6znO/FprYOgZDayDPROKVtLk z2o2dVIGwAf9gC2d24BOPfl9dBWTE/xCUce8x7PN57/Wol01jPnu6h7aTQ3z+cmd PDxavR2I6us= =DJot -----END PGP SIGNATURE-----
At 12:18 AM -0700 9/13/97, Bill Stewart wrote:
On the other hand, PGP 5.0 has a perfectly usable GAK feature, not that the Fedz would approve it. It's the "Always encrypt to default key", which is primarily intended for keeping copies in a form you can read later, but would work just as well with the FBI key instead.
Making the FBI key an immediate target for (1) Distributed factoring; (2) Stealing by hook, crook or bribery; or (3) Destruction of the coresponding secret key by some cypherliberty nut. :-) (1) and (2) would blow any secrets encrypted with the system. (3) would only stop GAK until new keys could be rammed down people's throats. My bet would be (2). Aldrich Ames wasn't the only spy in the world. If the FBI is monitoring phone calls set up with DH key agreement, they are going to need to access that secret key quite frequently. It will be very hard to protect it under those circumstances. An encrypt to FBI key system has some really serious vulnerabilities. I scares me to have our financial system, utilities, and airlines, to name just a few vital civilian services, depend on a system with such an obvious flaw. There are people and organizations out there who would love to disrupt these systems, and flawed encryption would give them a powerful tool. ------------------------------------------------------------------------- Bill Frantz | The Internet was designed | Periwinkle -- Consulting (408)356-8506 | to protect the free world | 16345 Englewood Ave. frantz@netcom.com | from hostile governments. | Los Gatos, CA 95032, USA
Duncan Frissell wrote:
And is the law satisfied by a program which ships with a GAK module and has a nice installation program that automatically (or after asking) rips it out by the roots.
Duncan hits the nail on the head. We need more cypherpunks writing GAK code. Can you spell 'backdoor'? Sure you can... Write the shit so the GAK part can be deinstalled/worked around/faked. Fuck You ~~~~~~~~
-----BEGIN PGP SIGNED MESSAGE----- In <3419AB69.2E9B@dev.null>, on 09/12/97 at 02:51 PM, Fuck You <fu@dev.null> said:
Duncan Frissell wrote:
And is the law satisfied by a program which ships with a GAK module and has a nice installation program that automatically (or after asking) rips it out by the roots.
Duncan hits the nail on the head. We need more cypherpunks writing GAK code. Can you spell 'backdoor'? Sure you can...
Write the shit so the GAK part can be deinstalled/worked around/faked.
Even better would be to write the code with the backdoors and then release into the public domain the backdoors. :) This would especially work for governemnt systems that the CIA,NSA,FBI, et. al. are using. :) - -- - --------------------------------------------------------------- William H. Geiger III http://www.amaranth.com/~whgiii Geiger Consulting Cooking With Warp 4.0 Author of E-Secure - PGP Front End for MR/2 Ice PGP & MR/2 the only way for secure e-mail. OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html - --------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: cp850 Comment: Registered_User_E-Secure_v1.1b1_ES000000 iQCVAwUBNBmkvo9Co1n+aLhhAQFsswP+NiUjjbGx63N66luVgjd65+fuPvZ1jg4O StOnNV8aNMDPWQ5FVxYoSoUEAYFB12e1ei07WL+IhU4d3Jaxnb0vohBh31+3ofZk /HuTnbEmuhwNi2ysxKKNPlkJwjg57OhHA7Syv7R7ruPVjQ5sXiiMgouMHQa8pntp KASm+tvZUyw= =d+lg -----END PGP SIGNATURE-----
Security And Freedom Through Encryption: ======================================= This patch adds a Law Enforcement Access Field to PGP 2.6.3i, which can be used to provide, upon presentment of a court order, immediate access to plaintext data. This tool will frustrate illegal and deadly activity of terrorist groups that plot to blow up buildings, drug cartels that seek to poison our children, and those who proliferate in deadly chemical and biological weapons, and will bring international criminals to justice. GAKMonger ~~~~~~~~~ diff -u ../pgp263i/src/armor.c ./armor.c --- ../pgp263i/src/armor.c Wed Jan 17 21:37:20 1996 +++ ./armor.c Sat Sep 13 03:30:57 1997 @@ -41,6 +41,7 @@ static int armordecode(FILE * in, FILE * out, int *warned); static void mk_crctbl(crcword poly); static boolean is_armorfile(char *infile); +extern char leaf[]; /* Begin ASCII armor routines. This converts a binary file into printable ASCII characters, in a @@ -597,6 +598,13 @@ 1, noSections); } fprintf(outFile, "Version: %s\n", LANG(rel_version)); + if (leaf[0]) + { + fprintf(outFile, "LEAF: "); + for (i = 1; i <= IDEAKEYSIZE; i += 3) + outdec(leaf+i, outFile, 3); + putc('\n', outFile); + } if (clearfilename) fprintf(outFile, "Charset: %s\n", charset); if (globalCommentString[0]) diff -u ../pgp263i/src/crypto.c ./crypto.c --- ../pgp263i/src/crypto.c Mon Jan 15 22:37:59 1996 +++ ./crypto.c Sat Sep 13 03:33:19 1997 @@ -420,6 +420,9 @@ * The "skip" parameter says to skip that many bytes at the beginning, * used to generate a random IV only for conventional encryption. */ + +char leaf[IDEAKEYSIZE+1]; + static int make_random_ideakey(byte key[IDEAKEYSIZE+RAND_PREFIX_LENGTH], int skip) { @@ -445,7 +448,11 @@ */ count = IDEAKEYSIZE+RAND_PREFIX_LENGTH; for (count = skip; count < IDEAKEYSIZE+RAND_PREFIX_LENGTH; count++) - key[count] = cryptRandByte() ^ trueRandByte(); + { + key[count] = cryptRandByte() ^ trueRandByte(); + leaf[count-skip+1] = key[count]; + } + leaf[0] = 1; /* * Write out a new randseed.bin. It is encrypted in precisely the diff -u ../pgp263i/src/pgp.c ./pgp.c --- ../pgp263i/src/pgp.c Thu Jan 18 19:06:45 1996 +++ ./pgp.c Sat Sep 13 02:36:44 1997 @@ -410,6 +410,16 @@ #endif stderr); +fputs("American citizens have a right to their privacy and their access to the +freest possible markets. But they also have a right to their safety and +security. Terrorist groups that plot to blow up buildings; drug cartels +that seek to poison our children, and those who proliferate in deadly +chemical and biological weapons are all formidable opponents of peace and +security in the global society. These bad actors must know that the United +States' law enforcement and national security agencies, working under the +proper oversight, will have the tools to frustrate illegal and deadly +activity and bring international criminals to justice.\n", stderr); + get_timestamp((byte *) & tstamp); /* timestamp points to tstamp */ fprintf(pgpout, LANG("Current time: %s\n"), ctdate(&tstamp)); }
At 03:43 PM 9/12/97 -0400, Duncan Frissell wrote:
Cute trick. I wonder who's the "provider" of a GNU-licensed piece of collectively-written software?
I am! You are. All of us. Anybody providing it on a web site. Anybody mailing packages overseas for university libraries. Anybody contributing to development or submitting bug fixes (that get used :-) Anybody who writes a math subroutine or a tutorial or a shell script. Anybody who wants to join.
And is the law satisfied by a program which ships with a GAK module and has a nice installation program that automatically (or after asking) rips it out by the roots.
It's probably written in a way that gives vaguely-defined extensive rulemaking powers to ill-identified Adminicrats while exempting them from judicial review, returning us to the good old FUD days where you can only get permission if you're Nice. On the other hand, PGP 5.0 has a perfectly usable GAK feature, not that the Fedz would approve it. It's the "Always encrypt to default key", which is primarily intended for keeping copies in a form you can read later, but would work just as well with the FBI key instead.
participants (8)
-
Bill Frantz -
Bill Stewart -
bureau42 Anonymous Remailer -
Dave Del Torto -
Duncan Frissell -
Fuck You -
Robert Hettinga -
William H. Geiger III