CDT Policy Post 2.15 - Legislation Challenges Clinton's Grip on US Crypto Policy

[jim bell]

>  The Center for Democracy and Technology   Volume 2, Number 15
>Among other things, the "Pro-CODE" would:
>* Allow the export of "generally available" or "public domain"
>  encryption software such as PGP and popular World Wide Web browsers
>  without requiring NSA authority.
>
>* Allow the export of encryption hardware and software not available in
>  the "mass market" or "public domain" under an export scheme that would
>  allow up to roughly DES-strength (i.e., 56 bit key-length) security.
>  if a product of similar strength is commercially available from a
>  foreign supplier

What, exactly, is the point of such a provision that would limit key length? 
 Since the classifications of encryption export software seem to allow any 
keylength, why should there be an 
exception for others?  I think they should give specific examples of 
hardware or software whose export would not be allowed, and more 
particularly an explanation why an exception is needed in those cases.  

We really need to know what they're thinking about, here.  It isn't obvious 
why, and generally I've found that whenever laws carve out exceptions, there 
are substantial reasons for those exceptions, although not necessarily 
"good" reasons.  

Notice, for example, that there appears to be a distinction between hardware 
and software. (although, in the bill, it does list both hardware and 
software.)    As we all should understand, the distinction ought to be 
meaningless, but one of our goals should be to allow the unrestricted export 
of good-encryption telephones which have their encryption done  in hardware. 
 That doesn't appear to be the case, and I think this is a telling 
limitation.  The law will practically guarantee that no factories to build 
good crypto phones get sited in the US.

However, a look at the actual bill shows nothing which specifically limits 
things to 56-bit keys, although it seems to make an unusual distinction, 
allowing exports "in any foregin country to which those exports of computers 
software and computer hardware of similar capability are permitted for use 
by financial institutions..."  The problem, as I see it, is that this is 
practically an open invitation to foreign countries to pass laws which are 
specifically intended to restrict encryption.  We should not be encouraging 
them to do this.  Some explanation is definitely in order!

BTW, that brings us to another issue:  The bill should specifically prohibit 
restrictions on the IMPORTATION of any kind of encryption systems, either 
hardware and software.


>* Prohibit the government from imposing mandatory key-escrow encryption
>  schemes domestically, or from restricting the sale of commercial
>  encryption products within the United States

Redundant.  The 1st amendment should already do this.  I have no objection 
to them re-stating Constitutional protections, but it should label them as 
such.

>* Prohibit the Department of Commerce from imposing government designed
>  standards for encryption technologies (such as Clipper and Clipper
>  II).

Ditto.  But more importantly, I think it ought to be prohibited from even 
_encouraging_ the use of such systems, which as we all know the government 
can do by abusing its power.  It should be prohibited from spending any 
money to develop those standards, as well as prohibiting government from 
encouraging the use of those standards, etc.

All in all, a substantial improvement over the Leahy bill, but it could 
still use a little work.

Jim Bell
jimbell at pacifier.com
Jim Bell
jimbell at pacifier.com