----------------------------------------------------------------------------- _____ _____ _______ / ____| __ \__ __| ____ ___ ____ __ | | | | | | | | / __ \____ / (_)______ __ / __ \____ _____/ /_ | | | | | | | | / /_/ / __ \/ / / ___/ / / / / /_/ / __ \/ ___/ __/ | |____| |__| | | | / ____/ /_/ / / / /__/ /_/ / / ____/ /_/ (__ ) /_ \_____|_____/ |_| /_/ \____/_/_/\___/\__, / /_/ \____/____/\__/ The Center for Democracy and Technology /____/ Volume 2, Number 34 ---------------------------------------------------------------------------- A briefing on public policy issues affecting civil liberties online ---------------------------------------------------------------------------- CDT POLICY POST Volume 2, Number 34 September 26, 1996 CONTENTS: (1) House Judiciary Committee Holds Hearing on Encryption Bill; NSA, DOJ Oppose Efforts to Promote Privacy Online (2) How to Subscribe/Unsubscribe to the Policy Post list (3) About CDT, contacting us ** This document may be redistributed freely with this banner intact ** Excerpts may be re-posted with permission of <editor@cdt.org> ** This document looks best when viewed in COURIER font ** ----------------------------------------------------------------------------- (1) HOUSE JUDICIARY COMMITTEE HOLDS HEARING ON ENCRYPTION LEGISLATION; NSA, DOJ OPPOSE CONGRESSIONAL EFFORTS TO PROMOTE PRIVACY ONLINE At a hearing before the House Judiciary Committee on Wednesday September 25, Deputy Attorney General Jamie Gorelick laid to rest any lingering suspicion that the Administration would agree to change current export controls on strong non-escrowed encryption. Equally troubling to Internet users, Administration witnesses confirmed that the Government is seeking to compel domestic Internet users towards a "voluntary" key-escrow encryption system. The hearing was called to consider the "Security and Freedom through Encryption (SAFE) Act of 1996," (H.R. 3011) sponsored by Representatives Bob Goodlatte (R-VA), Anna Eshoo (D-CA), and a bi-partisan group of more than 43 other Representatives. The bill is designed to encourage the widespread availability of strong, easy to use encryption technology by relaxing current encryption export controls. The hearing -- the first before the House in nearly 3 years -- marked the first time the House Judiciary Committee has formally considered the encryption issue, and marks an important step along the path towards passage of real encryption policy reforms. Witnesses testifying before the Committee Wednesday: * Rep. Bob Goodlatte (R-VA), chief Sponsor of the HR 3011 * Jamie Gorelick, Deputy Attorney General * William Crowell, Deputy Director, National Security Agency * William Reinsch, Under Secretary of Commerce, Export Administration * Melinda Brown, VP and General Counsel, Lotus Development Corp. * Roberta Katz, VP and General Counsel, Netscape Communications Corp. * Patricia Rippley, Managing Director, Bear Stearns & Company * Dr. Charles Deneka, Senior VP and CTO, Corning, Inc (on behalf of the National Association of Manufacturers). REPORTS OF ADMINISTRATION COMPROMISE PROVE PREMATURE Although some press reports had suggested that the Administration was poised to announce a new compromise encryption policy in testimony before the Committee, these reports proved to be premature. In response to rumors that the administration would relax export controls on 56 bit DES encryption (encryption exports are currently limited to 40 bit keys) Gorelick stated that the Administration does not support the unrestricted export of 56 bit DES. However, Gorelick did confirm that the Administration plans to propose legislation soon, and suggested such a proposal would specify the process for law enforcement to access encryption keys held by third-parties. The proposal would include new civil penalties for the unauthorized disclosure of keys. Additionally, credible sources have told CDT that the Administration's new proposal will transfer jurisdiction for encryption exports from the State Department to the Commerce Department, and that domestic law enforcement will have a role in evaluating export applications. It is also likely that the Administration will again offer to raise the export limit from 40 to 64 bit key-lengths with law enforcement access. ADMINISTRATION REITERATES PLANS TO COMPEL USE OF KEY-ESCROW DOMESTICALLY Both Gorelick and NSA Deputy Director William Crowell stressed that the Administration is not seeking to mandate the domestic use of key-escrow encryption. However, both admitted that they would like to see the widespread adoption of key-escrow systems and have initiated a broad effort to encourage industry to develop such systems. In her prepared statement, Gorelick acknowledged that criminals will at times use non-escrowed encryption to communicate with themselves, but, "we believe that if strong key recovery encryption products that will not interoperate -- at least in the long term -- with non-key recovery products are made available overseas and domestically and become part of a global KMI (Key Management Infrastructure), such products will become the worldwide standard. Under those circumstances, even criminals will be compelled to use key recovery products, because even criminals need to communicate with legitimate organizations like banks, both nationally and internationally." The administration continues to insist that their policy is "voluntary", despite the fact that their policy is clearly designed to compel the use of key-escrow domestically through continued controls on encryption exports and negotiations with foreign governments through the OECD. This apparent double-talk from the Administration cannot be the basis for sound encryption policy reform. CONGRESS, INDUSTRY REMAIN SKEPTICAL OF ADMINISTRATION'S POSITION, STAGE IS SET FOR REAL REFORM NEXT YEAR Led by Representatives Bob Goodlatte (R-VA) and Zoe Lofgren (D-CA), members of the Judiciary Committee expressed a great deal of skepticism about the Administration's proposal. Rep. Goodlatte (a chief sponsor of the SAFE bill) testified that in his view, "the chief roadblock to electronic commerce on the Internet is government regulation of encryption." Goodlatte added, "The arguments that the FBI, CIA, and NSA have given me to justify the need for a massive 'key-escrow' or as it's now called 'key-recovery' plan just don't ring true in 1996." Representative Zoe Lofgren (D-CA), expressed concern that current US encryption policy is endangering the future of the US high-technology industry. Lofgren was also highly critical of the Administrations efforts to push for a global key-escrow standards through the OECD. Lofgren said: "The Deputy Attorney General also argues that the United States, combined with its allies, can control the world encryption market and can coordinate the implementation of an international 'key-escrow' regime. Notwithstanding the absence of any demonstrable progress towards such an agreement, the aspirations for a comprehensive global key escrow scheme ignore the undeniable power of market demand for cryptographic products that do not incorporate any form of escrow. The customers that purchase encryption products DO NOT WANT products with escrowed keys, and if use suppliers are forbidden to supply these products, then someone undoubtedly will. Whatever hopes we may have for an international system of key escrow, we will never achieve 100 percent participation, and those who do not participate will profit heavily at our expense." (emphasis in original) Several other members of the Committee, including Reps. Sonny Bono (R-CA), John Conyers (D-MI), Robert Scott (D-VA), and John Bryant (D-TX) echoed these concerns in their questions of the Administration witnesses. The fact that Committee members from both parties expressed deep skepticism of the Administration's proposal is an extremely encouraging preview of the debate when Congress resumes in January. Finally, witnesses testifying on behalf of the software industry, the securities industry and users of encryption technology all expressed support for the SAFE bill, and argued that current policy threatens the competitiveness of US businesses and Internet users. NEXT STEPS Time is running out in a busy election year Congressional calendar, and chances of passage of encryption reform legislation in either the House or Senate before the end of the current term are slim. However, the stage is clearly set for an all out battle when Congress returns in January, and support for encryption policy is clearly growing in Congress. Forty-five Republican and Democratic members of the House have signed on as co-sponsors of the Security and Freedom through Encryption Act (SAFE). The Burns/Leahy "Promotion of Commerce Online in the Digital Era (ProCODE) Act also enjoys broad bi-partisan support in the Senate. Meanwhile, the Administration continues to offer more of the same -- continued reliance on export controls while pushing for a global key-escrow standard. The stage is set, but the battle over U.S. encryption policy reform is only just beginning. CDT will continue to work to educate policy makers and the public on the importance of encryption policy reform. Over the next several months, stay tuned for more information on what you can do to help protect privacy and security on the Internet. ----------------------------------------------------------------------- (2) SUBSCRIPTION INFORMATION Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post news distribution list. CDT Policy Posts, the regular news publication of the Center For Democracy and Technology, are received by nearly 10,000 Internet users, industry leaders, policy makers and activists, and have become the leading source for information about critical free speech and privacy issues affecting the Internet and other interactive communications media. To subscribe to CDT's Policy Post list, send mail to policy-posts-request@cdt.org with a subject: subscribe policy-posts If you ever wish to remove yourself from the list, send mail to the above address with a subject of: unsubscribe policy-posts ----------------------------------------------------------------------- (3) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies. Contacting us: General information: info@cdt.org World Wide Web: URL:http://www.cdt.org/ FTP URL:ftp://ftp.cdt.org/pub/cdt/ Snail Mail: The Center for Democracy and Technology 1634 Eye Street NW * Suite 1100 * Washington, DC 20006 (v) +1.202.637.9800 * (f) +1.202.637.0968 ----------------------------------------------------------------------- End Policy Post 2.34 9/26/96 -----------------------------------------------------------------------