Key Recovery is Bad for US Security
Here is a copy of an email I sent to the senior senator from California this morning.

Senator Feinstein:

I am extremely disturbed to read your comments in favor of mandatory "key recovery". Besides being a disaster for American software companies, and a clear violation of the constitution's protections of freedom of speech, these systems are harmful to the security of the United States.

All cryptographic systems are extremely difficult to get right. The SSL protocol developed by Netscape Inc., which doesn't provide for "key recovery", went through three versions before the major problems were removed. "Key recovery" systems are, as Professor Dorothy Denning testified, much more complex than similar systems which do not include that feature. In fact, the key recovery system built into Clipper, with the advice of the National Security Agency, had flaws as documented by Matt Blaze of AT&T Bell Laboratories. If the best cryptographic group in the world can't get it right, how can we expect these systems to be secure?

What do we risk with insecure systems? We risk compromising the legitimate secrets of non-classified government agencies, including IRS records; United States companies, including delicate international negotiations; and individual Americans, including their medical records. Even worse, if some group should decide to launch an information war attack on the United States, these flaws may allow them to access sensitive systems in the finance, transportation, and energy sectors. One simple way this attack could occur is if the access codes are distributed using a flawed encryption system.

I hope you will reconsider your stand on this issue.

William S. Frantz
16345 Englewood Ave.
Los Gatos, Ca 95032
Capability Security Architect - Electric Communities

Bill Frantz                Electric Communities
Capability Security Guru   10101 De Anza Blvd.
frantz@communities.com     Cupertino, CA 95014
408/342-9576               http://www.communities.com
Bill, I hope you don't mind me basing my letter on yours.

-----------

September 11, 1997

Richard S. Bryan
364 Russell Senate Office Building
Washington, DC 20510-2804

RE: Secure Public Networks Act

Dear Senator Bryan,

Thank you for your July 23 letter, however, I am still extremely disturbed by Congressional and Administration comments in favor of mandatory "key recovery". Besides being a disaster for American software companies, and a clear violation of the constitution's protections of freedom of speech, these systems are harmful to the security of the United States.

All cryptographic systems are extremely difficult to get right. Netscape's SSL protocol, used for secure credit card transactions, which doesn't provide for "key recovery", went through three versions before the major problems were removed. "Key recovery" systems are, as Professor Dorothy Denning testified, much more complex than similar systems which do not include that feature. In fact, the key recovery system built into Clipper, with the advice of NSA, had major flaws. If the best cryptographic group in the world can't get it right, after years of effort, how can we expect "key recovery" systems to be secure?

What do we risk with insecure systems? We risk compromising the information of non-classified government agencies, including IRS records; United States companies, including delicate international negotiations; and individual Americans, including their medical records. Even worse, if some group should decide to launch an information war attack on the United States, these flaws may allow them to access sensitive systems in the finance, transportation, and energy sectors. One simple way this attack could occur is if the access codes are distributed using a flawed encryption system.

The calls from law enforcement for these cryptographic backdoors to thwart drug-kingpins, terrorists and the like, were recently refuted by the government's own studies. "Encryption and Evolving Technologies in Organized Crime and Terrorism" found that there is no real "encryption problem" which justifies placing limitations on the use of encryption.

Even if "key recovery" were implemented there are many ways for it to be thwarted. It is a simple matter to insert messages using unbreakable crypto "inside" the lawful formats for communication. This cannot be detected by law enforcement without decrypting all communication traffic and having all such keys immediately available, something no one is suggesting, and without which no improvement in lawful access is achieved. Only the most incompetent of the evil-doers will not know this, therefore, the most likely law enforcement use of "key recovery" is surveillance of those who do not pose a threat to the security of our nation, that is, the common citizen. The only reason I can see for such expansion of government authority in this area is tyranny.

I hope you will consider these thoughts when deciding your stand on this issue.

Sincerely,

Steve Schear
CEO
First ECache Corporation

---------------------------
Senator Bryan's letter
---------------

July 23, 1997

Mr. Steve Schear
7075 West Gowan Road, #2148
Las Vegas, Nevada 89129

Dear Mr. Schear:

Thank you for contacting me regarding encryption technology export controls. I appreciate having the benefit of your views.

As a member of the Senate Commerce Committee, I am very aware of the explosive growth and popularity of electronic commerce, as well as the importance of ensuring the privacy of electronic transactions. In addition, I am concerned with reports that American software and hardware producers are hampered by export controls on encryption technology. As you know, there are no restrictions on the production or use of any strength encryption product within the United States. There are legitimate concerns regarding export controls, but I am also concerned with the spread of this technology. Unfortunately, encryption technology provides criminal organizations, terrorists, drug traffickers, and child pornographers with an effective method of shielding illegal activities from law enforcement agencies.

Certain members of Congress have advocated eliminating most export restrictions on encryption technology. Legislation such as Senator Conrad Burn's Promotion of Commerce On-Line in the Digital Era Act (S.377), would prohibit the Commerce Department from regulating or enforcing any standards on the private sector for encryption products. While I understand Senator Conrad's support for safeguarding electronic commerce and promoting American software exports, I do not think these concerns should completely outweigh the concerns of public safety and national security.

At a Commerce Committee hearing regarding Senator Burn's legislation, Federal Bureau of Investigation Director Louis Freeh expressed his concerns on this issue. Mr. Freeh advocated developing trusted third parties to hold encryption access keys to aid in swift criminal investigations. Mr. Freeh further testified that several American allies have expressed concerns that releasing all export controls will flood the market with unbreakable encryption products that can be utilized by criminals, which might ultimately lead other nations to enact import controls. Clearly this would not be favorable for American encryption exports.

In June, the Senate passed an encryption bill which should provide a compromise. The Secure Public Networks Act will expand the bit length of exportable encryption software to 56 bits, and longer bit software could be exported if they include a key recovery mechanism. As you know, key recovery allows law enforcement agencies to decipher encrypted information with the proper court orders.

This legislation will also contain the following provisions:

*criminalize the use of encryption in a crime;
*criminalize the decryption of data or communications without the proper authority; and,
*criminalize the decoding of encryption for the purpose of violating another person's privacy security or property rights.

I am hopeful that this legislation will provide a compromise that will facilitate the production, exportation, and use of strong American encryption products, without undermining public safety and national security.

Again, thank you for contacting me.

Sincerely,

Richard H. Bryan
United States Senator
On 13 Sep 97 at 21:45, Robert Hettinga wrote:
At 2:40 pm -0400 on 9/13/97, Steve forwarded from Senator Bryan:
of this technology. Unfortunately, encryption technology provides criminal organizations, terrorists, drug traffickers, and child pornographers with an effective method of shielding illegal activities from law enforcement agencies.
Wow. Horseman city...
I wonder who gives them the idea for this stuff? Wired should be banned from the confines of DC. ;-).
Note, too, how well the Senator firmly straddles the fence all through the letter, agreeing somewhat with one position but remaining concerned about the flip side. It's a complete CYA job, part of a library of boilerplate updated as the issues come and go, and designed to make every correspondent feel like the Senator understands the constituent's position regardless of what it may really be. It's the ultimate in "reasonable," "responsible" Newspeak and scarcely touched by human hands, much less Senatorial ones.

TJ
At 2:40 pm -0400 on 9/13/97, Steve forwarded from Senator Bryan:
of this technology. Unfortunately, encryption technology provides criminal organizations, terrorists, drug traffickers, and child pornographers with an effective method of shielding illegal activities from law enforcement agencies.
Wow. Horseman city...

I wonder who gives them the idea for this stuff? Wired should be banned from the confines of DC. ;-).

Cheers,
Bob Hettinga

-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/
At 11:40 AM -0700 9/13/97, Steve Schear wrote:
Bill, I hope you don't mind me basing my letter on yours.
Not at all. One of the reasons I posted it.

While it might have been better if we had not followed the legalization of exports route, I think letting representatives know that voting for the surveillance society has political costs is probably our best strategy for having the whole thing disappear in the rush to adjourn.

-------------------------------------------------------------------------
Bill Frantz       | The Internet was designed | Periwinkle -- Consulting
(408)356-8506     | to protect the free world | 16345 Englewood Ave.
frantz@netcom.com | from hostile governments. | Los Gatos, CA 95032, USA