105TH CONGRESS
Analysis of Revised Oxley-Manton Amendment
September 23, 1997
Revised Oxley-Manton amendment does not resolve concerns
On Tuesday afternoon, Rep. Oxley circulated a new version of his
amendment. The revised amendment does not address our basic concerns:
The revised amendment fails to meet our primary objection -- that
the amendment controls the design of all encryption products manufactured
or sold within the United States to guarantee immediate government
access to plaintext without the knowledge of the user.
The language inserted in the amendment in an apparent effort to
meet our objections does not succeed.
Constitutional protections are still circumvented
The revised amendment includes the phrase "pursuant to appropriate
judicial process." The amendment makes no effort to spell
out what this means.
In our analysis of the initial Oxley amendment, we wrote:
As initially drafted, Oxley-Manton does not require a court order
for immediate access to keys, does not require probable cause,
does not provide minimization standards to ensure that keys or
decryption assistance will not be used for other purposes, and
does not address the question of foreign government access. Each
one of these questions must be addressed. But even if all these
questions were addressed, there would remain the question of notice:
Can users of encryption be forced to store their keys with another
party and thus be denied notice when the government demands access?
So long as Oxley-Manton includes the concept "without knowledge
or cooperation of the user," it remains inconsistent with
a basic Fourth Amendment principle.
The revised Oxley-Manton does not address any of these questions.
What judicial process is "appropriate" for access to
keys? Does it require a court order, or does it include a subpoena
issued in the name of a grand jury but really just signed by a
prosecutor? What is the standard? Is it probable cause, which
is what is required for a wiretap, or is mere relevance sufficient?
What standards apply to foreign government requests?
Notice is still lacking
And finally, how can you have "appropriate judicial process"
allowing "immediate access" "without the knowledge
of the user" when notice is a key and normally indispensable
element of the Fourth Amendment?
This still invites disastrous industrial policy
The revised amendment provides that "no officer of the Federal
Government or any state may require any particular decryption
methodology." (Page 3, lines 22 - 23.)
This is very similar to language in the Communications Assistance
for Law Enforcement Act (CALEA) which has not stopped the FBI
from trying to dictate the design of the nation's phone system
to ensure access to communications streams on the FBI's terms.
Under that statute, with very similar language in place, the FBI
produced a very detailed requirements document and has blocked adoption
of industry standards for failing to include a number of very
specific capabilities listed in the FBI requirements.
Anyhow, the proviso merely says that the Attorney General cannot
say what is required. It still leaves the Attorney General in
the position of deciding what is legal. In other words, the Attorney
General can say what is illegal; she just can't say what is legal.
This means that the Attorney General will still have the authority
to disapprove key escrow arrangements and the design of encryption
products.