on behalf of the Center for Democracy and Technology
on NIST's Proposed Key Escrow Export Criteria and the Search for a National Cryptography Policy
December 5, 1995
National Institute of Standards and Technology, Gaithersburg, MD
Good afternoon, my name is Daniel Weitzner, Deputy Director of the Center for Democracy and Technology ("CDT"). The Center is pleased to have this opportunity to comment on the Administration's proposed private key escrow export criteria. CDT is an independent, non-profit public interest policy organization in Washington, D.C. The Center's mission is to develop and implement public policies to protect and advance individual liberty and democratic values in new digital communications media. The Center achieves its goals through policy development, public education, and coalition building. CDT also coordinates the Digital Privacy and Security Working Group (DPSWG), an ad hoc coalition of more than 50 computer, communications, and public interest organizations and associations working on communications privacy issues. In the past, members of the Working Group have strongly opposed the Administration's Clipper Chip proposal and have worked on the Digital Telephony bill passed into law last fall.
CDT is pleased to be here again as part of the Administration's continuing efforts to engage industry and the public in a discussion of U.S. cryptography policy. We are particularly concerned that the voice of Internet users be heard in this forum. Unfortunately, today we must once again deliver the same message that civil liberties organizations, industry groups, and the cryptography user community have been repeating with increasing urgency over the last several years: this is the wrong approach to cryptography policy. A cryptography policy based upon a narrow national security perspective that ignores the security needs of individual users is unlikely to form the sound basis for a secure worldwide communications infrastructure. A cryptography policy without explicit privacy protections will never gain the trust of users or be embraced by the international marketplace.
CDT believes that the Administration's proposal fails to meet the needs of the user community. Our chief concern is that the Global Information Infrastructure (GII) be a safe and secure place for those who use it. The Administration's proposal will not give users the security and privacy they need, and will keep the market from giving it to them as well. The NIST proposal will not provide adequate security, promote secure communications worldwide, or guarantee user privacy:
The firestorm of protest that greeted the introduction of the Clipper Chip proposal suggests the pitfalls of a policy approach driven largely by national security and law enforcement concerns. The latest NIST criteria continue to make policy within this narrow framework. The failure of this approach suggests that a broader view is appropriate. Forty participants in CDT's Digital Privacy and Security Working Group (DPSWG) have written to Vice President Gore protesting this latest cryptography initiative and committing to a six-month collective policy development process, aimed at framing a more comprehensive cryptography policy that better recognizes the realities of the global marketplace and the privacy concerns of users. We look forward to working with the Administration in this process over the coming months.
A secure, private, and trusted Global Information Infrastructure (GII) is essential to promote economic growth and meet the needs of Information Age society. Developing that secure and trusted GII will require strong, flexible, widely-available cryptography. Individuals need to have confidence in the GII if they are to realize its full democratic potential for promoting free association and personal communications.
Competitive businesses need to protect proprietary information as it flows across insecure global communications networks. To realize that democratic potential, individual users need the privacy protections that cryptography offers; to protect their proprietary communications, business users need the security only strong encryption can provide.
In recent months, however, the public has been made increasingly aware of the dangers of computer crime and the vulnerability of current cryptography implementations. Rapid advances in the speed and sophistication of hardware and software have already laid siege to the 40-bit key systems currently approved for export, as well as the popular 56-bit DES algorithm. If we are to maintain the trust of the public and realize the full potential of the GII, a more comprehensive long-term approach to cryptography is needed -- one which particularly reflects the impact of technological change, of a global economy, and of the increasingly important information infrastructure.
The GII will simply not continue to develop without such a global approach to cryptography. The lack of any international standard for strong cryptography has already hindered the deployment of highly secure systems worldwide. Moreover, national and regional governments are increasingly considering regulations on the use of cryptography, just as the Council of Europe recently did. Such actions threaten to create a patchwork of international regulations which would hinder the deployment of secure global communications and leave users without the security and privacy they need.
In this context, the sole focus on national security needs embodied in the Administration's cryptography proposal is unlikely to meet the needs of GII users. By maintaining the 40-bit key length restrictions on exports, it leaves users hamstrung with insecure systems. By proposing unattractive interoperability restrictions and minimal privacy protections for key escrow systems, it discourages the deployment of secure systems in U.S. products. Rather than being seamlessly incorporated into popular products, secure communications will remain out of reach for less sophisticated GII users. The resulting loss of security can be expected to have a chilling effect on the development of electronic commerce and the information infrastructure as the privacy and security needs of users are not met.
The vast majority of individuals and organizations who have expressed an opinion on the recent Administration initiative have been overwhelmingly dissatisfied with the proposal. The NIST criteria have met with increasing criticism concerning security, privacy, technical feasibility, and marketplace viability. In a series of letters this fall, individual companies, trade associations, and citizens groups, from an array of industries and across the political spectrum, have expressed their concern that the Administration's proposal will not meet the needs of GII users. Some of the public interest groups critical of the NIST criteria include --
The NIST criteria have also been criticized by industry trade associations representing dozens of companies directly involved in providing the goods and services that form the basis for the GII. Some of the organizations expressing their concern that the criteria will not allow them to meet the needs of GII users include --
Finally, a broad group containing forty members of the Digital Privacy and Security Working Group (DPSWG), including companies, trade associations, and public interest groups, together wrote to the Vice President:
This letter was signed by individual companies from across several industry groups, and included America Online, Apple Computer, AT&T, Dun & Bradstreet, MCI, Microsoft, Oracle, Sybase, and Tandem, along with public interest groups such as CDT, EFF, and the Media Institute. These DPSWG members also pledged to commence "a process of collective fact-finding and policy deliberation, aimed at building consensus around a more comprehensive cryptography framework." A copy of the DPSWG Letter to Vice President Gore is attached as an Appendix to this testimony.
The 40 DPSWG participant companies, trade associations, and public interest groups who together wrote to Vice President Gore in November also presented a set of goals for a more comprehensive cryptography policy. These goals included:
Many of these organizations and companies have argued individually that various aspects of the NIST criteria do not meet these goals. Taken together, these arguments provide a compelling critique of the Administration's cryptography policy:
A. The NIST criteria will not provide adequate security.
Widely accessible strong cryptography is the cornerstone of a secure and trusted GII, and is essential to promote electronic commerce and communication. The provisions of the Administration's proposal that impose a 64-bit key length limit for key escrow systems, and retain 40-bit key length limits for non-escrowed systems, present a real challenge to user needs for adequate security in both the short and long term.
B. The NIST criteria will hinder international interoperability and the development of an international cryptography standard.
Under the NIST criteria, exportable key escrow systems would not be permitted to interoperate with strong systems that do not meet the criteria. These restrictions impede international interoperability in several ways. The interoperability restrictions would immediately create a barrier between those who obey the criteria and those who use some other form of strong encryption. In addition, the continuation of a U.S. export control policy similarly creates a two-tier market with a barrier between products available in the U.S. and products available outside of it. Finally, it is unlikely that foreign users will embrace the NIST criteria as a standard when non-escrow encryption of similar or greater strength is conveniently available. All of these, taken together, will serve to hinder the development of global standards for the use of cryptography.
C. The NIST criteria act to use export controls to coerce the domestic cryptography markets.
Interoperability restrictions and other criteria may function as an attempt to use export restrictions to influence the domestic market in an effort to solve domestic law enforcement problems. Domestic users will be forced to meet the export criteria if they wish to communicate with systems outside of the U.S. that also meet the criteria. If, for example, a domestic corporation using Eudora mail software with strong encryption wanted to communicate with a foreign affiliate using the same U.S.-made software, both versions of the software would have to meet the NIST export criteria.
Furthermore, the desire of companies to sell product lines that interoperate with each other, taken together with NIST's interoperability restrictions and export limits, could work to force the adoption of a cryptography standard based on the NIST criteria. As BSA noted in its letter to the Vice President, "The Administration appears to be trying to leverage our companies' desire to export their programs in order to force those companies to include features in the programs they sell abroad and in the U.S. . . . Thus, in the name of 'national security,' it appears that the Administration really is attempting to satisfy domestic law enforcement concerns -- without industry input, public debate, or congressional involvement." (BSA Letter to Vice President Gore, Nov. 9, 1995)
D. Products meeting the NIST criteria will not be viable in the international marketplace.
The NIST criteria fail to recognize that equally secure, non-escrowed foreign encryption products are readily available overseas. Foreign products are already adopting 56-bit or better encryption, without having to meet the NIST requirements. (For example, Trusted Information Systems, Inc. has documented the availability of 179 foreign products incorporating the popular 56-bit DES.)
Moreover, international users are much more likely to adopt products without the NIST criteria. Requirements such as NIST-imposed interoperability restrictions, or key escrow criteria that provide no due process and privacy guarantees, will make U.S. products less attractive than foreign products with similar or better security.
E. The NIST criteria do not include any constitutional privacy protections.
The export criteria contain no explicit provisions for constitutional privacy safeguards to govern the use of key escrow systems. The criteria do not offer any guidelines for obtaining escrowed keys, nor are there any requirements for notifying users whose keys have been accessed. No standards are presented for how key escrow agents will be "certified by the government", or what redress will be available against escrow agents that improperly release keys. Moreover, the criteria provide no explanation of how the standards will be applied to foreign citizens, or by foreign countries that support individual privacy in ways that may be radically different from the protections guaranteed under the U.S. Constitution.
F. NIST criteria may not actually promote the needs of law enforcement.
Any system which expects to solve law enforcement problems must be attractive enough to users to be adopted widely. Interoperability restrictions, weak security, and missing privacy protections make it less likely that users will adopt a U.S. key escrow system. As the ITAA also noted, "[E]xport restrictions that do not reflect marketplace realities may drive U.S. companies to move their encryption work off shore . . . defeating the very purpose of the restrictions." (ITAA Letter to Vice President Gore, Sept. 27, 1995)
Moreover, the international nature of the Internet makes it virtually impossible to ever guarantee that determined individuals will not have access to strong cryptography. While criminals will always have privacy, the users with insecure networks will be individuals and organizations forced to adopt the NIST criteria.
A comprehensive approach to cryptography policy -- one that provides real security, is truly voluntary, contains explicit privacy protections, and is acceptable to the international market -- is greatly needed to smooth the emergence of a secure and trusted information infrastructure. Unfortunately, the Administration's proposal does not meet this need. This most recent NIST proposal comes at a time of great urgency in the development of electronic commerce, digital communication, and the GII. GII users are searching for tools to provide the privacy and security they need to realize the full democratic, and commercial, potential of the emerging information age society. Last year, Vice President Gore's letter to Representative Maria Cantwell held out hope for the user community by laying out a set of guiding principles for a more comprehensive approach to national cryptography policy. Perhaps these goals can form the starting point for a renewed look at cryptography policy.
In their November letter to Vice President Gore, members of the Digital Privacy and Security Working Group pledged to work together over the next six months to seek a consensus around just such a more comprehensive cryptography policy. CDT invites all who are interested to participate in this open process of collective fact-finding and policy debate over the next several months. We thank NIST for continuing this dialogue, and look forward to working with the Administration in the months ahead.