No Subject
Bob Palacios
editor at cdt.org
Tue Mar 5 12:02:17 PST 1996
-----------------------------------------------------------------------------
_____ _____ _______
/ ____| __ \__ __| ____ ___ ____ __
| | | | | | | | / __ \____ / (_)______ __ / __ \____ _____/ /_
| | | | | | | | / /_/ / __ \/ / / ___/ / / / / /_/ / __ \/ ___/ __/
| |____| |__| | | | / ____/ /_/ / / / /__/ /_/ / / ____/ /_/ (__ ) /_
\_____|_____/ |_| /_/ \____/_/_/\___/\__, / /_/ \____/____/\__/
The Center for Democracy and Technology /____/ Volume 2, Number 9
----------------------------------------------------------------------------
A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
CDT POLICY POST Volume 2, Number 9 March 5, 1996
CONTENTS: (1) Bills To Relax Crypto Export Controls Introduced by Leahy,
Burns, Goodlatte, Others
(2) Subscription Information
(3) About CDT, contacting us
This document may be redistributed freely provided it remains in its entirety
** Excerpts may be re-posted by permission (editor at cdt.org) **
-----------------------------------------------------------------------------
(1) BIPARTISAN BILLS TO EASE ENCRYPTION CONTROLS AND PROTECT INTERNET PRIVACY
INTRODUCED IN SENATE AND HOUSE
A bipartisan group of members from both houses of Congress today introduced
legislation to lift many export controls on strong encryption hardware and
software and affirm the rights of Americans to use whatever form of
cryptography they choose. The bills, sponsored by Sen. Leahy (D-VT), Sen.
Burns (R-MT), Rep. Goodlatte (R-VA), Rep. Eshoo (D-CA), and others,
represent a major step towards breaking the stranglehold on encryption
technologies which for years has denied computer users access to vital
privacy-protecting applications.
The "Encrypted Communications Privacy Act of 1996" represents a rejection
of the Clinton Administration's invasive and unworkable "Clipper Chip" and
"Clipper II" key escrow policies. Under the guise of promoting so-called
"voluntary" encryption standards, these Administration efforts have sought
to use export controls to compel the adoption of key escrow encryption
domestically, and have left Internet users without adequate privacy and
security.
By relaxing export controls on "generally available" cryptographic
applications such as PGP, popular Web browsers, and other programs, the
Encrypted Communications Privacy Act of 1996 would encourage the
development and use of strong privacy protecting technologies. Major
provisions of the legislation would:
* Ease export controls on encryption products, allowing the export of
'mass market' or 'generally available' cryptography. This would
include products such as PGP or many of the popular Web browser
programs.
* Affirm the right of Americans to use any encryption domestically. The
bills explicitly prohibit the government from imposing any limits
on the domestic use or sale of encryption.
* (Senate version only) Provide protections to those who choose to store
their encryption keys with third parties by creating criminal and
civil penalties for the unauthorized disclosure of keys and strict
requirements for law enforcement access. The bill does not in any way
affect the ability of any person to use encryption without a key
escrow function..
The legislation also contains several provisions which CDT believes require
further clarification and consideration, including controversial language
that would create a new federal crime for the use of encryption to
willfully obstruct a law enforcement investigation. CDT will work with
Senators Leahy and Burns and Representatives Goodlatte, Eshoo, and other
interested members to address these concerns as the bill makes its way
through the legislative process.
The full text of both the House and Senate versions of the bills, along
with other relevant background information, is available on CDT's Crypto
Issues World Wide Web page:
http://www.cdt.org/crypto/
CDT believes that the House and Senate encryption bills are an important
step forward in the ongoing attempts to build better security into the
information infrastructure through the widespread availability of
encryption. Congressional action is particularly welcome as the
Administration has continued to impose a flawed approach to encryption
based upon export controls, key length limits, and key escrow policies all
aimed at slowing the adoption of strong cryptography in the U.S. and
throughout the world.
While CDT believes improvements can be made in both bills, they establish a
solid framework for building a comprehensive, global cryptography policy.
CDT believes the bills deserve careful consideration and support. We look
forward to working with Senator Leahy, Senator Burns, Rep. Goodlatte, Rep.
Eshoo, individual Internet users, public interest advocates, and the
computer and communications industry to develop a cryptography policy that
protects privacy, security, and competitiveness on the Global Information
Infrastructure.
SUMMARY OF THE LEGISLATION: WHAT THE BILLS WOULD DO
The House and Senate bills both modify Title 18 of the U.S. Code to clarify
the status of encrypted communications, access to those communications by
law enforcement, and the liability of third-party key holders. The bills
would:
* SIGNIFICANTLY EASE EXPORT CONTROLS: The bills would remove all export
restrictions on "mass market" or publicly accessible encryption
software and similar hardware -- that is, products that are generally
available to the public and sold for installation "as is," or that are
in the public domain such as PGP or some popular web browsers. (For
example, products commercially available "off the rack," or freely
available to the public via the Internet, would all be exportable.)
Other encryption hardware would be exportable to countries where
hardware with similar capabilities is already commercially available.
The bills also allow export of other encryption software if it is
currently exportable under law for use by foreign financial
institutions.
* PROHIBIT ANY RESTRICTION ON THE DOMESTIC USE OR SALE OF ENCRYPTION:
The bills would affirmatively prohibit any government restrictions or
attempts to mandate the domestic sale or use of any type of
encryption.
* IMPOSE CIVIL AND CRIMINAL LIABILITY FOR UNAUTHORIZED KEY DISCLOSURES:
(Senate Version Only) The Senate bill would lay down privacy
guidelines to protect those users who choose to store their keys with
third parties. The bill would impose civil and criminal penalties for
the unauthorized release of decryption keys or other decryption
assistance by third parties who individuals have entrusted with their
keys. No privacy protections and only limited restrictions for law
enforcement access currently exist for those who choose to store their
keys with trusted third parties.
* PROVIDE LIMITS FOR ACCESS TO KEYS BY LAW ENFORCEMENT: (Senate Version
Only) The Senate bill would also spell out limits and guidelines for
law enforcement access to the keys of those users who have
chosen to store their keys with third parties. Today, encryption keys
held by third parties could be released to law enforcement with
nothing more than a subpoena. Under the Senate bill, third parties
could only provide assistance to law enforcement in decrypting
communications if presented with a court order. The bill also limits
the scope and duration of such assistance. Decryption keys for stored
communications could be disclosed with a proper court order or
subpoena.
* ESTABLISH A BROAD "PERSONAL USE EXEMPTION" FOR U.S. TRAVELERS: The
bills would allow U.S. persons to use any form of encryption in a
foreign country, establishing a less restrictive form of the "personal
use exemption" recently published by the State Department. The
provision is intended to accommodate "U.S. citizens and permanent
residents who have the need to temporarily export encryption products
when leaving the U.S. for brief periods of time". While the intent of
this provision is clear, CDT believes that the language of the bill
should be further clarified.
* PROHIBIT THE USE OF ENCRYPTION TO CONCEAL THE COMMISSION OF A FELONY:
Finally, the bills would criminalize the use of encryption to
willfully obstruct justice. Anyone who "willfully endeavors" to use
encryption for the purpose of obstructing, impeding, or preventing the
communication to a law enforcement officer of information relating to
a Federal felony would be subject to criminal penalties. CDT believes
this new federal crime is unnecessary since it duplicates obstruction
of justice crimes that are already available to prosecutors, and is
unwise since it might be interpreted to discriminate against users of
encryption.
BACKGROUND - BILLS ADDRESS LONG-STANDING FRUSTRATIONS WITH U.S.
ENCRYPTION POLICY
Congressional action comes as Clinton Administration encryption
restrictions continue to jeopardize the security of computer users.
Encryption tools, which scramble electronic communications and data, are
widely viewed as the key to providing security and privacy and encourage
commerce on the Global Information Infrastructure.
Individuals need encryption in order to trust the GII with confidential
data such as financial transactions, medical records, or private
communications. Businesses need encryption to provide individuals with
privacy protections they need and to protect their own proprietary
information as it flows across vulnerable global networks. The lack of good
encryption today has left computer users vulnerable to the prying eyes of
hackers, corporate competitors, and even foreign governments.
Current Administration policy restricts the export of "strong" encryption
hardware or software products with keys greater than 40 bits long. (The
length of encryption "keys" is often used to indicate the security of a
system.) Export controls actually influence the entire GII -- both
domestically and internationally -- due to the difficulty of distributing
and interoperating products with different strengths of encryption. The
level of security permitted under the export controls, and hence the level
of security largely available to domestic users as well, has been judged
woefully inadequate by many experts. Even the most recent Administration
"Clipper II" proposals would only allow the export of moderately stronger
encryption, and then only with "key escrow" restrictions to guarantee U.S.
government access to individual keys -- restrictions which raise real
Constitutional issues and are bound to fail in the competitive
international marketplace.
In recent months, groups from across the political spectrum have
increasingly criticized the Clinton Administration's restrictive export
controls. In November 40 companies, trade associations, and public interest
groups wrote to Vice President Gore calling the latest Administration
proposals flawed and inadequate. Last month a report by the CEOs of 13
leading U.S. technology companies found that U.S. industry stands to lose
up to $60 billion dollars per year by the year 2000 due to restrictions on
the export of cryptography. And several weeks ago a group of noted computer
security experts released a report calling for the deployment of
dramatically longer encryption key lengths of at least 75 to 90 bits.
The House and Senate bills give voice to this growing drumbeat of criticism
demanding a radical departure from the flawed approach of the Clinton
Administration's current encryption polices. CDT looks forward to working
with members of Congress to push for a more comprehensive U.S. encryption
policy that reflects the privacy and security needs of computer users.
FOR MORE INFORMATION
More information on the cryptography policy debate, including the text of
the Senate and House bills, is available on CDT's Cryptography Issues
Web Page:
http://www.cdt.org/crypto/
For More Information Contact:
Center for Democracy and Technology +1.202.637.9800
Daniel Weitzner, Deputy Director <djw at cdt.org>
Alan Davidson, Staff Counsel <abd at cdt.org>
-----------------------------------------------------------------------
(2) SUBSCRIPTION INFORMATION
Be sure you are up to date on the latest public policy issues affecting
civil liberties online and how they will affect you! Subscribe to the CDT
Policy Post news distribution list. CDT Policy Posts, the regular news
publication of the Center For Democracy and Technology, are received by
more than 9,000 Internet users, industry leaders, policy makers and
activists, and have become the leading source for information about
critical free speech and privacy issues affecting the Internet and other
interactive communications media.
To subscribe to CDT's Policy Post list, send mail to
policy-posts-request at cdt.org
with a subject:
subscribe policy-posts
If you ever wish to remove yourself from the list, send mail to the
above address with a subject of:
unsubscribe policy-posts
-----------------------------------------------------------------------
(3) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US
The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop
and advocate public policies that advance democratic values and
constitutional civil liberties in new computer and communications
technologies.
Contacting us:
General information: info at cdt.org
World Wide Web: URL:http://www.cdt.org/
FTP URL:ftp://ftp.cdt.org/pub/cdt/
Snail Mail: The Center for Democracy and Technology
1634 Eye Street NW * Suite 1100 * Washington, DC 20006
(v) +1.202.637.9800 * (f) +1.202.637.0968
-----------------------------------------------------------------------
End Policy Post 2.9 3/5/96
-----------------------------------------------------------------------
More information about the cypherpunks-legacy
mailing list