America just can’t seem to get its collective mind around the legal use of strong cryptography. Senator Conrad Burns (R-Montana) is expected to again introduce legislation that would allow U.S. businesses to sell products outside the U.S. borders that contain stronger encryption than is currently allowed.
Burns, chair of the Senate Commerce Telecommunications Subcommittee has already introduced his Promotion of Commerce Online in the Digital Era Act (Pro-Code) twice. Law enforcement and national security agencies within the government have consistently rebuffed the proposed legislation. The agencies charge that strong cryptography will give criminals the upper hand against enforcement and surveillance when they use it to secure communications.
Law enforcement agencies insist that manufacturers must provide access to encrypted material through a key-escrow—or key-recovery—system that will allow encrypted material to be decrypted on-demand during investigations. Privacy advocates counter that key-escrow systems will constrict both personal privacy and commerce. Pro-Code would specifically prohibit any sort of key-escrow or key-recovery system.
“Law enforcement remains in unanimous agreement that the continued widespread availability and increasing use of strong, non-recoverable encryption products will ... devastate our capabilities for fighting crime, preventing acts of terrorism, and protecting the national security,” FBI Director Louis Freeh testified before the Senate in February 1999.
Pro-Code will almost certainly be met with strong resistance, and not just from the law enforcement community. The last version of Pro-Code included a provision that would create an “information security board” comprised of representatives from federal agencies. The board, charged with developing information security policies and cryptography export controls, would meet in private.
A companion bill in the House of Representatives, Security and Freedom Through Encryption (SAFE), offered by Representatives Bob Goodlatte (R-Virginia) and Zoe Lofgren (D-California) was also reintroduced for the third time in late February 1999.
SAFE is designed to protect the right of American citizens to use strong cryptography to protect their privacy and simplifies the export review process for products that include encryption technologies.
SAFE passed the House Judiciary Subcommittee in mid-March 1999 but faces stiff resistance before it becomes law. The bill moves next to the full House Judiciary Committee and up to four other House panels may have a chance to offer amendments before it gets to the House floor for a vote.
In 1997 the House Intelligence Committee turned SAFE completely around by voting to criminalize the production, sale, or distribution of products that contain encryption technologies without providing a third-party key escrow system to ensure government surveillance. Representative Goodlatte has been tenacious in his pursuit of getting SAFE passed. “This legislation is needed because every American is vulnerable to online predators. Credit-card numbers can be stolen, personal medical records can be exposed, and bank deposits can be rerouted, all because of the administration’s restrictive encryption policy,” Goodlatte said in a mid-March 1999 statement.
Representative Michael Oxley (R-Ohio) circulated a letter against SAFE to his colleagues and various media outlets. Included with the letter were copies of articles about Microsoft and Intel serialization technologies. Oxley’s letter stated, in part:
“Computer industry supporters of the so-called Security and Freedom through Encryption Act employ the rhetoric of civil libertarians, citing their desire to protect the privacy of their customers as the rationale for their opposition to encryption export controls and other national security and law enforcement safeguards.”
“How ironic it is, then, to find the papers filled in recent weeks with headlines such as the ones appearing below. It seems that two industry giants have developed the means to secretly trace the authorship of documents and collect detailed information on the Internet habits of their customers.”
“Despite the high-sounding rhetoric, it would appear that industry opposition to including meaningful safeguards in legislation relaxing export controls is motivated mostly by a desire to not be inconvenienced by the law enforcement and national security requirements of the United States government. Please bear this in mind as Congress works to update encryption policy in a dangerous world.”
In addition to domestic resistance on some fronts, relaxed cryptography export regulation faces international resistance as well. In December 1998, thirty-three countries—including the United States—signed the Wassenaar Arrangement that seeks to limit any export of strong cryptography tools. And President Clinton has given no indication that his administration intends to modify its strong opposition to the use of cryptography. President Clinton has already declared a national emergency to restrict encryption exports.
In early June 1998, the Clinton administration significantly escalated its justifications for demanding a key escrow system. “We can count on the fact that the spread of strong encryption is going to mean that lives are going to be lost,” Robert Litt, principal associate deputy attorney general told the Electronic Privacy Information Center (EPIC) Cryptography Conference. “People are going to be at greater risk because it is going to compromise law enforcement’s ability to investigate.”
Cryptography expert and head of RSA Data Security, Jim Bidzos responded in his keynote address that such arguments are like saying that automobiles should be banned because they go fast and sometimes people die in car accidents.
While the U.S. government has long held the position that strong cryptography should be limited for the threat it poses to public safety and national security, Litt’s comments at the EPIC Cryptography Conference for the first time bordered on the hysterical. Litt claimed, for example, that the government needs mandatory key escrow because it’s very difficult for government agencies to crack strong cryptography.
“It is a myth that we have supercomputers that can crack anything that is out there,” Litt told the conference attendees. “Let me put the technical problem in context: It took 14,000 Pentium computers working for four months to decrypt a single message…. We are not just talking FBI and NSA needing massive computing power, we are talking about every police department.” Litt’s suggestion that the National Security Agency (NSA) was met with open derision by the audience. The extent of the NSA’s computing and surveillance capabilities are believed to be immense, but its impossible to know for sure because the information is classified.
“Litt is either lying or incompetent,” Bruce Schneier, a cryptography expert and president of Counterpane Systems, told Wired News. “It is a simple matter of engineering, and it is not even hard engineering. Connected Pentiums is not the way you do it, and using that as an example is disingenuous.”
A month later, in early July 1998, the Clinton administration announced that it would allow the export of strong cryptography, without key escrow. But not for you and me. Only financial institutions in forty-five countries that have “acceptable” money-laundering laws are covered under the exception. The American software industry has argued for years that foreign software companies will gain domination in the market if U.S. companies are not allowed to export strong cryptography tools.
While huge technology conglomerates like IBM welcomed the new policy, most privacy groups called the change “insignificant.” The policy change “appears to represent a very favorable shift in administration policy,” an IBM spokesperson told the New York Times. “As the world’s largest exporter of security solutions to international banks and financial institutions, we have been urging such a shift for some time, and this seems to be a key step in that direction.”
Some privacy advocates say SAFE doesn’t go far enough to protect the privacy rights of the American citizenry. The proposed legislation includes provisions that require an encryption exporter to submit their product to the government for a 15-day technical review. Another provision includes criminal penalties for the use of encryption to conceal criminal activity.
0 responses. Comments closed for this article.