105TH CONGRESS

H.R. 695 - The "SAFE" Bill

Analysis of Oxley-Manton Amendment

To: Members of the House Commerce Committee
Date: September 11, 1997
Subject: New Oxley-Manton Amendment Would Create National Surveillance Infrastructure

The Oxley-Manton Amendment to H.R. 695, the SAFE encryption bill, would impose new domestic controls on the manufacture and distribution of encryption products and any service providers which offer security through encryption. The Oxley amendment is widely expected to be offered as an amendment to the Security and Freedom through Encryption Act (HR 695) during Thursday's markup in the House Commerce Committee. The Amendment would be a serious blow to computer security, U.S. high-tech competitiveness, and individual privacy.

The Oxley Amendment would take several extraordinary steps:

• Prohibits the domestic manufacture and sale of encryption products or services which do not provide instant access for law enforcement: The proposal would prohibit the manufacture, sale, import, or distribution within the United States of any encryption product unless it allows "immediate access" to the plaintext of any user's messages or files without the user's knowledge.
  

• Exposes software and hardware companies, phone companies, and Internet service providers to new criminal penalties for providing encryption products without immediate access for law enforcement: The proposal would require all providers that offer encryption products or services to their customers to ensure that all messages using such encryption can be immediately decrypted without the knowledge of the customer.
  

• Grants broad new authority for the Attorney General to set technical standards for encryption products: The proposal requires the Attorney General to set standards for what are and are not acceptable encryption products. The proposal's requirement of immediate access to plaintext would seem to seriously limit the options available to encryption manufacturers seeking approval of their products.
  

The Oxley amendment does not specify whether the immediate access "features" could be activated or not at the option of the purchaser or end user. Nonetheless, requiring that such a capability be installed in all domestic communications networks and encryption products is the equivalent of enabling a national surveillance infrastructure and asserts unprecedented control over the design of Internet software, hardware, and services.

While export of encryption products from the United States has long been restricted, there have never been controls on the manufacture, distribution, or use of encryption within the United States. The Oxley Amendment represents a major shift from even the stated position of the Clinton Administration, which has denied since its first year that it was seeking domestic controls on encryption.

The Amendment would jeopardize the security and privacy of American individuals and businesses, would threaten the viability of electronic commerce and the competitiveness of the U.S. technology industry, and would enable a national surveillance infrastructure.

• It endangers security and privacy by imposing a risky and expensive system for back-door access to the sensitive encrypted data.
  

• It risks U.S. competitiveness by imposing costly and undesirable access features on American encryption products that will be unacceptable in the competitive international marketplace, and which do not provide the security needed to support electronic commerce.
  

• It expands law enforcement authority by seeking guaranteed access to every communication and every stored record of every American encryption user, without the required Fourth Amendment notice or consent. Law enforcement has never been given such a guarantee, which runs afoul of our constitutional civil liberties.
  

The Oxley Amendment would amount to an end run around the Constitution. By creating an avenue for immediate access to sensitive decryption keys without the knowledge of the user, the proposal denies users the notice that is a central element of the Fourth Amendment protection against unreasonable searches and seizures. Just this past April, the Supreme Court reaffirmed that the Fourth Amendment normally requires the government to advise the target of a search and seizure that the search is being conducted.

Forcing U.S. citizens and companies to adopt the sorts of key recovery systems that meet the Oxley Amendment's requirements would pose serious security risks, especially when the systems can be accessed without the knowledge of the users. A recent study by 11 cryptography and computer security experts concluded that such key recovery systems would be costly and ultimately insecure (see http://www.crypto.com/key_study).

The Oxley-Manton Amendment would jeopardize the future of electronic commerce and individual privacy in the Information Age. We urge the Committee to oppose the amendment and support H.R. 695.

Back.