March 17, 1998--WASHINGTON -- Today, in the Senate Judiciary Committee, Senator Kyl's Subcommittee on Technology, Terrorism and Government Information is holding a hearing on "Protecting America"s Critical Infrastructures: The new policy directive," a report issued last year by the President's Commission on Critical Infrastructure Protection (PCCIP).
In the past, Senator Kyl has used similar hearings as a platform to attack the use of strong encryption without government-mandated backdoor systems like key recovery. CDT remains concerned that the "new initiative directive" surrounding protection of critical infrastructures will in fact form the basis for a sweeping plan to build new surveillance capabilities into the information infrastructure.
In light of that concern, today CDT Executive Director Jerry Berman sent Sen. Kyl and the members of his subcommittee the following letter:
March 17, 1998
The Honorable Jon L. Kyl
Chairman Subcommittee on Technology, Terrorism and Government Information
Committee on the Judiciary
702 Hart Senate Office Building
Washington, D.C. 20510
Dear Mr. Chairman:
The Executive Branch"s plans for protecting the Nation's communications infrastructures raise vital civil liberties and privacy issues. The Center for
Democracy and Technology is a civil liberties organization focused on enhancing the democratic potential of the Internet and other new digital media. We urge you at today's hearing and as you move forward to examine carefully the constitutional implications of infrastructure protection proposals as they affect the Internet and other communications infrastuctures.
We have two concerns about the report of the President's Commission on Critical Infrastructure Protection ("PCCIP"):
The PCCIP endorsed key recovery encryption. In essence, after cataloguing the threats faced by computer-dependent infrastructures, the PCCIP proposed creating another new infrastructure -- a key management infrastructure -- that will be vulnerable to all the same attacks.
It is widely acknowledged that strong encryption is a central component in securing computer networks from the dangers described in the PCCIP report. Yet key recovery of the type contemplated by the Executive Branch for law enforcement use introduces new risks into those very computer systems. User-controlled key recovery has some valid applications, but creating paths to plaintext that would be accessible without the knowledge of the user, as the FBI has urged, creates risks of mistaken disclosure, insider fraud, and outsider attack.
Enclosed is the report of 11 leading cryptographers and computer scientists outlining the risks of key recovery of the type contemplated by the Executive Branch, "The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption" (May 1997). To date, the Executive Branch has offered no substantive response to the conclusion in this report that ubiquitous key recovery "will require significant sacrifices in security." We ask that the cryptographers" report be made a part of the record of your hearing, and we urge you to seek from the Administration a substantive explanation of how it expects to avoid the risks outlined in the report.
The PCCIP recommended the establishment of an "Early Warning and Response capability" to protect telecommunications networks against cyber-attack, and the Attorney General recently announced the creation of a National Infrastructure Protection Center. Our concern is not with the concept of such a center per se, nor with the notion of government agencies such as the Pentagon monitoring use or attempted use of their own systems, but rather with the implications of monitoring non-government communications and information systems. We urge you to oppose any initiatives for building new surveillance capabilities into the non-government information and communications infrastructure. We also urge you to avoid measures that would infringe upon the right of anonymity, which has an important role in preserving free and open communications under our Constitution. First Amendment principles, not national security values, should govern the design of communications systems for the public.
Protection of national security should not be used as a pretext for eroding civil liberties in cyberspace. There is no need to compromise on our freedoms to protect our security, were that exchange ever possible. Infrastructures should be protected but the goal is to find the means to do so without infringing on the very civil liberties that national security is designed to protect.
We congratulate you for your attention to this issue, and we hope we can be of assistance to you as you consider the constitutional aspects of these important issues.
Sincerely,
Jerry Berman
Executive Director
For a link to the report "The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption," see http://www.crypto.com/key_study.
The Center for Democracy and Technology, a non-profit organization, is dedicated to developing public policy solutions that advance civil liberties and democratic values in new computer and communications media.
# # # # # 