----------------------------------------------------------------------------- _____ _____ _______ / ____| __ \__ __| ____ ___ ____ __ | | | | | | | | / __ \____ / (_)______ __ / __ \____ _____/ /_ | | | | | | | | / /_/ / __ \/ / / ___/ / / / / /_/ / __ \/ ___/ __/ | |____| |__| | | | / ____/ /_/ / / / /__/ /_/ / / ____/ /_/ (__ ) /_ \_____|_____/ |_| /_/ \____/_/_/\___/\__, / /_/ \____/____/\__/ The Center for Democracy and Technology /____/ Volume 2, Number 22 ---------------------------------------------------------------------------- A briefing on public policy issues affecting civil liberties online ---------------------------------------------------------------------------- CDT POLICY POST Volume 2, Number 22 May 30, 1996 CONTENTS: (1) NRC Report Calls Admin. Crypto Policy Into Question (2) Join Rep. White Wed 6/5 At HotWired to Discuss the Internet Caucus, the CDA, and other Internet Policy Issues (3) Subscription Information (4) About CDT, contacting us ** This document may be redistributed freely with this banner in tact ** Excerpts may be re-posted with permission of <editor@cdt.org> ----------------------------------------------------------------------------- (1) NATIONAL RESEARCH COUNCIL REPORT CALLS ADMINISTRATION CRYPTO A blue ribbon panel of experts today released a comprehensive report on the state of US encryption policy that calls the Administration's current cryptography policy into question. The 500 page report, sponsored by the National Research Council (NRC), highlights the need for strong, reliable encryption to protect individual privacy, provide security for businesses, and maintain national security. Among other things, the report describes how the current US encryption policy is not working, notes that classified information is not relevant to the policy debate, and outlines the adverse impact export restrictions have had on the domestic market. In addition, the study emphasizes that market forces and user choices, not law enforcement or national security interests, should drive the development of encryption technologies and the debate over US cryptography policy. The report, entitled "Cryptography's Role in Securing the Information Society", provides an important starting point for an honest and open debate on this critical issue. A summary of the report's most important findings and an overview of its policy recommendations is included below. OVERVIEW OF SOME OF THE REPORT'S MOST IMPORTANT FINDINGS For the past 3 years, the US government has attempted to leverage the need for strong encryption and the desire of US businesses to export strong privacy and security products as a means impose key-escrow encryption. The result of this has been a policy morass which has stifled innovation, limited the availability of strong, easy to use encryption technologies, and endangered the ability of US companies to compete in the global information marketplace. While acknowledging the complexities and challenges associated with the encryption policy debate, the study's findings directly undermine the Administration's current approach to cryptography policy. The report concludes by noting that the "[w]idespread commercial and private use of cryptography in the United States and abroad is inevitable in the long run and that its advantages, on balance, outweigh its disadvantages. The committee concluded that the overall interests of the government and the nation would best be served by a policy that fosters a judicious transition toward the broad use of cryptography." The NRC study identified several critical issues: * CURRENT US ENCRYPTION POLICY IS NOT WORKING: The study is highly critical of the current ad-hoc approach to US encryption policy, particularly the reliance on export controls. The study states explicitly, "Current national cryptography policy is not adequate to support the information security requirements of an information society." The study goes on to note, "Indeed, current policy discourages the use of cryptography, whether intentionally or not, and in so doing impedes the ability of the nation to use cryptographic tools that would help to remediate certain important vulnerabilities. For example, through the use of export controls, national policy has explicitly sought to limit the use of encryption abroad but has also had the effect of reducing the domestic availability to businesses and other users of products with strong encryption capabilities." * CLASSIFIED INFORMATION IS NOT RELEVANT TO THE POLICY DEBATE: The NRC report explicitly states that classified information is "not particularly relevant" to the policy debate. The study states, "The debate over national cryptography policy can be carried out in a reasonable manner on an unclassified basis." The study goes on to note, "Although many of the details relevant to policy makers are necessarily classified, these details are not central to making policy arguments one way or another. Classified material, while important to operational matters in specific cases, is neither essential to the big picture or why policy has the shape and texture that it does today nor required for the general outline of how technology will, and why policy should, evolve in the future." This is a startling revelation which will profoundly alter the encryption policy debate. No longer can the government claim, "If you knew what we knew, you would understand this issue." It also suggests that, while national security and law enforcement interests are an important element in the debate, there is no "secret-silver-bullet" which trumps all other considerations. From now on, the debate over cryptography policy should occur in the open, with all issues aired publicly. By removing its arguments from the veil of secrecy, the government can go a long way towards building the trust of the public. * EXPORT CONTROLS DO INFLUENCE THE DOMESTIC MARKET AND HARM COMPETITIVENESS OF US INDUSTRY: The NRC study confirms what civil liberties advocates and the computer industry have long argued: that the current administration policy of limiting the export of strong encryption is impacting the domestic market and harming US business. The study states, "Export controls also have had the effect of reducing the domestic availability of products with strong encryption capabilities... Thus, domestic users face a more limited range of options for strong encryption than they would in the absence of export controls." * MARKET FORCES, NOT GOVERNMENT INTERESTS, SHOULD DRIVE THE POLICY DEBATE: The study stresses that the domestic availability of encryption should not be restricted in any way, and that the market of individual users, rather than the government's interests, should drive the development of technology and policy. The study notes, "As cryptography has assumed a greater importance to non government interests, national cryptography policy has become increasingly disconnected from market reality and the needs of parties in the private sector ... A national cryptography policy that is aligned with market forces would emphasize the freedom of domestic users to determine cryptographic functionality, protections, and implementations according to their security needs as they see fit." The study is without a doubt the most comprehensive and balanced analysis of the complex encryption policy debate yet published. While stressing the need for strong encryption to protect individual privacy and to maintain the competitiveness of US industry in the global marketplace, the report also acknowledges the real challenges posed to law enforcement and national security by the global proliferation of strong encryption technologies. The authors of the study deserve great credit for their work in producing what will clearly become the basis for an open and honest public debate over the need to reform US encryption policy. Information on how to obtain a copy of the document is available at <http://www2.nas.edu/cstbweb/> OVERVIEW OF THE NRC REPORT'S POLICY RECOMMENDATIONS The report also outlines several recommendations for a national cryptography policy. An overview of these recommendations is attached below. CDT will post an analysis of the NRC's policy recommendations in the near future. Recommendations of the Committee for national cryptography policy would: 1. Free domestic manufacture, sale, and use of encryption -- The committee argued that any future legal prohibitions on the domestic use of any kind of cryptography are "inappropriate." While no such prohibitions are currently in effect, many encryption users have been concerned over law enforcement's articulated desire to slow the domestic use of encryption. 2. Call for open policy-making process -- The report supports the development of national cryptography policy based on open public discussion. Policy to date has often taken place outside of the public eye, and with little guidance from Congress or the general public. 3. Align national policy with market and user demand -- The report notes that national policy has "become increasingly disconnected from market reality and the needs of parties in the private sector." 4. Progressively relax, but not eliminate, export controls -- The committee recommends that export controls should be "progressively relaxed but not eliminated." This would include: 4.1. Products that meet "most general commercial requirements" for confidentiality should be exportable -- The report suggested that 56-bit DES products would meet this need and should be exportable today, and that this level of security should be increased over time. The report noted that DES provides a significantly more attractive level of security than 40-bit products currently exportable, without imposing too great a burden on national security as many sophisticated targets do not use U.S. products today. 4.2. Stronger products should be exportable to a list of approved companies if access to decrypted information is provided -- The report argues that exports of encryption greater than 56-bit DES should be permitted for "trustworthy" users who will guarantee access to decrypted information upon a legally authorized request. The report does, however, acknowledge the significant privacy and security concerns raised by any such "key escrow" plan. 4.3. The U.S. government should streamline the export licensing process. 5. Provide assistance for law enforcement -- The report recognizes that "cryptography is a two-edged sword" for law enforcement, providing both a tool to help prevent crime such as economic espionage, fraud, or destruction of the information infrastructure, and a potential impediment to law enforcement investigations and signals intelligence. Specific suggestions to assist in adjustment to "new technical realities of the information age" include: 5.1. The government should encourage use of encryption for authentication and integrity. 5.2. The government should promote telecommunications security, especially for cellular phones and telephone switches. 5.3. The government should explore escrowed encryption for its own uses. The report recommends further use of escrowed encryption for government purposes as a testbed for the technical and privacy concerns raised by key escrow policies. The report acknowledged many of the problems of escrow, and noted that escrow may never be adopted freely by the market for real-time communications but that such communications will be of less concern to law enforcement over time. 5.4. The government should seriously consider criminalizing "the use of encrypted communications in interstate commerce with the intent to commit a federal crime." The report acknowledged the risks posed by such legislation, including ambiguity about what is an encrypted communication, how to deal with automatic or ubiquitous encryption, and how to define intent and the need for an underlying criminal conviction. 5.5. Research and development of additional capabilities for law enforcement should be given a high priority. 6. The government should develop a mechanism to promote information security in the private sector. CDT will post an analysis of the report's recommendations soon. In the meantime, detailed background information on the encryption policy debate, including the text of several bills pending before the Congress to liberalize the export of encryption technology, is available at CDT's encryption policy web page: http://www.cdt.org/crypto/. ------------------------------------------------------------------------ (2) JOIN CONGRESSMAN RICK WHITE (R-WA) LIVE ONLINE TO TALK ABOUT THE INTERNET CAUCUS, THE CDA, AND TAKE YOUR QUESTIONS Congressman Rick White (R-WA) will be live online at HotWired on Wednesday June 5 at 9:00 pm ET to discuss his efforts to encourage better communication between members of Congress and the Internet community, his plans for the Congressional Internet Caucus, and other topics. Representative White will also answer questions from Netizens. DETAILS ON THE EVENT * Wednesday June 5, 9 - 10 pm ET (6 pm Pacific) on HotWired URL: http://www.hotwired.com/wiredside/ To participate, you must be a registered HotWired member (there is no charge for registration). You must also have RealAudio(tm) and a telnet application properly configured to work with your browser. Please visit http://www.hotwired.com/wiredside/ for information on how you can easily register for Hotwired and obtain RealAudio. Wednesday's forum is another in a series of planned events, and is part of a broader project coordinated by CDT and the Voters Telecommunications Watch (VTW) designed to bring the Internet Community into the debate and encourage members of Congress to work with the Net.community on vital Internet policy issues. Transcripts from last week's discussion with Senator Leahy are available at http://www.cdt.org/crypto/. Events with other members of Congress working on Internet Policy Issues are currently being planned. Please check http://www.cdt.org/ for announcements of future events ------------------------------------------------------------------------ (3) SUBSCRIPTION INFORMATION Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post news distribution list. CDT Policy Posts, the regular news publication of the Center For Democracy and Technology, are received by more than 9,000 Internet users, industry leaders, policy makers and activists, and have become the leading source for information about critical free speech and privacy issues affecting the Internet and other interactive communications media. To subscribe to CDT's Policy Post list, send mail to policy-posts-request@cdt.org with a subject: subscribe policy-posts If you ever wish to remove yourself from the list, send mail to the above address with a subject of: unsubscribe policy-posts ----------------------------------------------------------------------- (4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies. Contacting us: General information: info@cdt.org World Wide Web: URL:http://www.cdt.org/ FTP URL:ftp://ftp.cdt.org/pub/cdt/ Snail Mail: The Center for Democracy and Technology 1634 Eye Street NW * Suite 1100 * Washington, DC 20006 (v) +1.202.637.9800 * (f) +1.202.637.0968 ----------------------------------------------------------------------- End Policy Post 2.22 5/30/96 -----------------------------------------------------------------------