The SAFE encryption bill would put more non-escrow, strong encryption in the hands of many more people -- and mark the death knell for government regulation of encryption. That's why CDT supports it. That's why we hope that people who care about privacy and security online will support it too.

1. The SAFE Bill Will Bring More Strong Crypto To More People

There is a right we don't have now: The right to export strong cryptography. The result is that strong, easy-to-use encryption is not seamlessly integrated into most popular products, and is not accessible to most people (who are not as technically sophisticated as the members of this list.)

SAFE would legalize the export (to all but a few countries such as Iran, N. Korea, and Cuba) of non-escrow encryption *of unlimited strength* that is designed for the mass market or is in the public domain, i.e.:

"(i) that is generally available, as is, and is designed for installation by the purchaser; or

"(ii) that is in the public domain for which copyright or other protection is not available under title 17, United States Code, or that is available to the public because it is generally accessible to the interested public in any form;"

(See also Footnote below)

Translation: If it's sold in Egghead Software, it's exportable. If it's available on the Web: exportable. PGP: exportable. 3DES, IDEA, or Blowfish in mass-market products or public domain toolkits: Exportable. Exportable. Exportable.

So the export control provisions in SAFE would put a lot more strong crypto -- and the freedom to use it -- in the hands of a lot more people.

SAFE's export control relief is not unlimited. The bill does not allow export to Iran, Iraq, Cuba, or N. Korea (that's what the "Trading With The Enemy" provision is about); Congress is not likely to pass a law saying you can export strong crypto to Saddam Hussein. Relief is also limited for non-mass-market hardware and software (e.g., custom systems not available to the public).
Non-mass-market hardware is exportable if "commercially available" in the destination country; such software is exportable according to a hard-to-parse "financial institutions" standard that roughly translates into DES. Less than ideal -- but these provisions do not apply to most of the hardware and software that most people use.

What SAFE does legalize is strong, non-escrow encryption in the products that are most widely used, in almost all countries worldwide. Once *ordinary people* have strong crypto built in to the products they use every day, it will be much harder for governments to take it away or restrict it. SAFE is "strong crypto for the masses." SAFE is a huge step forward.

2. CDT Does Not Support The Criminal Provision in SAFE

CDT is actively working to get the criminal provision taken out of the SAFE bill. We are not alone: CDT signed a letter with other groups including EPIC, EFF, ACLU, VTW, PGP, IEEE, and ACM, urging Congress to remove the provisions -- "while expressing our support for the measure."

Contrary to reports, the SAFE bill does not say: "Use a cipher, go to prison." It does say: "Use cryptography TO COMMIT A CRIME, go to prison":

2805. Unlawful use of encryption in furtherance of a criminal act

"Any person who willfully uses encryption in furtherance of the commission of a criminal offense for which the person may be prosecuted in a court of competent jurisdiction... [may be imprisoned or fined]"

The Leahy bill version is narrower. It says: "Use cryptography to willfully obstruct justice in furtherance of a felony, go to prison."

"Whoever willfully endeavors by means of encryption to obstruct, impede, or prevent the communication to an investigative or law enforcement officer of information in furtherance of a felony that may be prosecuted in a court of the United States shall...[may be imprisoned or fined]"

CDT opposes both these provisions because they are unnecessary and could chill the use of encryption (especially by self-confessed felons like Tim May!). But they are not as sweeping as some on this list have said.

On balance, CDT believes that SAFE's giant step forward of export relief and prohibitions on Executive Branch key escrow controls outweigh the problems created by these criminal provisions. That is why we will fight to get criminal provisions removed, while we still support the bill.

Passage of the SAFE Bill would put strong security tools in the hands of many more people. That's why CDT supports SAFE, and why we think people who care about privacy and security online should support it too.

-- Alan Davidson, CDT

FOOTNOTE: The Export Provisions in SAFE

The export control provisions in SAFE differentiate between so-called mass-market and non-mass-market hardware and software. Mass-market software and hardware with non-escrow encryption of *unlimited strength* may be exported under the Act to all but a few countries (such as Iran, N. Korea, and Cuba):

(2) ITEMS NOT REQUIRING LICENSES.
-- No validated license may be required, except pursuant to the Trading With the Enemy Act or the International Emergency Economic Powers Act (but only to the extent that the authority of such Act is not exercised to extend controls imposed under this Act), for the export or reexport of--

"(A) any software, including software with encryption capabilities --

"(i) that is generally available, as is, and is designed for installation by the purchaser; or

"(ii) that is in the public domain for which copyright or other protection is not available under title 17, United States Code, or that is available to the public because it is generally accessible to the interested public in any form; or

"(B) any computing device solely because it incorporates or employs in any form software (including software with encryption capabilities) exempted from any requirement for a validated license under subparagraph (A).

[See http://www.cdt.org/crypto/legis_105/SAFE/hr695_text.html for the Bill's definitions of "generally available," "as is", etc.]

Non-mass-market hardware and software -- such as code not generally available to the public via the Internet, or custom implementations not generally available or sold "as is" -- receive less favorable treatment:

"(3) SOFTWARE WITH ENCRYPTION CAPABILITIES. -- The Secretary shall authorize the export or reexport of software with encryption capabilities for nonmilitary end-uses in any country to which exports of software of similar capability are permitted for use by financial institutions not controlled in fact by United States persons, unless there is substantial evidence that such software will be --

"(A) diverted to a military end-use or an end-use supporting international terrorism;

"(B) modified for military or terrorist end-use; or

"(C) reexported without any authorization by the United States that may be required under this Act.

This "financial institutions" standard is supposed to roughly translate into DES.

"(4) HARDWARE WITH ENCRYPTION CAPABILITIES. -- The Secretary shall authorize the export or reexport of computer hardware with encryption capabilities if the Secretary determines that a product offering comparable security is commercially available outside the United States from a foreign supplier, without effective restrictions.

So non-mass-market hardware can be exported *with any encryption algorithm* if a "comparable" product is available outside the U.S. from a foreign supplier without restriction.