FOR IMMEDIATE RELEASE

CONTACT: Alan Davidson
voice: 202-637-9800
email: abd@cdt.org

SENATORS INTRODUCE PRO-PRIVACY ENCRYPTION BILL, IN STARK CONTRAST TO ADMINISTRATION POSITION


WASHINGTON, May 11, 1998 - A new weapon in the arsenal against misguided U.S. encryption policy will arrive when Sens. John Ashcroft (R-Mo.) and Patrick J. Leahy (D-Vt.) introduce their new encryption bill, which lays out a pro-privacy approach to computer security that contrasts starkly with the Clinton Administration's approach. The new bill, the E-PRIVACY Act, protects the privacy of all Americans by:

  • protecting the domestic use of strong encryption without "key recovery" back doors for government eavesdropping;

  • easing export controls to allow U.S. companies to sell their encryption products overseas;

  • strengthening protections from government access to decryption keys; and

  • creating unprecedented new protections for data stored in networks and cell phone location information.

    Sens. Ashcroft and Leahy are expected to introduce the bill today. A section-by-section analysis of the bill is available online today at http://www.cdt.org/crypto

    CDT is concerned about several features in the E-PRIVACY Act that create new threats to privacy online. The bill establishes a new research center to assist federal, state and local police in dealing with encrypted data. The bill also makes it a crime to use encryption to obstruct justice. Implementing these provisions will require intensive oversight and public comment.

    Overall, the E-PRIVACY Act presents a strong pro-privacy approach to the encryption issue, in marked contrast to the export controls and mandatory backdoors embraced by the Clinton Administration. The bill makes more encryption, more accessible, to many more people. It also creates new privacy protections for data stored on networks - protections that will become increasingly important as more people go online.

    Center for Democracy and Technology May 12, 1998



    Major provisions of the new bill would:

    Prevent the federal government from requiring back door access to encrypted communications and files: The bill reaffirms the right to use strong encryption domestically without the 'key recovery' back doors supported by the Administration. It also prohibits the federal government from creating regulations or standards designed to coerce public use of key recovery. To further limit the government's ability to force people to use key recovery, the bill requires that government key recovery systems be interoperable with non-key-recovery systems.

    Ease export restrictions: The E-PRIVACY Act would remove most export controls on generally available and mass market encryption software and hardware. PGP, or 128-bit Netscape and Internet Explorer, would be readily exportable to all but a handful of countries. Custom encryption products would be exportable to countries where comparable products are commercially available.

    Establish privacy protections for encryption keys entrusted to third parties: Today, a decryption key entrusted to a third party receives little protection. Such keys can be demanded by the federal government with a mere subpoena, without the supervision of a judge or any notice to the key's owner. The bill would give decryption keys in the hands of third parties the same protections they would have if they were retained by the key owners. Such keys could only be retrieved by the government with a "probable cause" court order, or with a subpoena served on the key owner with a meaningful opportunity for the key owner to challenge it. This provision could prove extremely important if encryption users voluntarily choose to use key recovery, as many are expected to do.

    Strengthen privacy protections for data stored in networks: In the future world of networked computing, people will increasingly store sensitive data outside of their homes. Under current law, data stored on computer networks outside of a person's possession may receive limited privacy protections. This data may be accessible to government officials without the owner's knowledge and without supervision by the courts. The E-PRIVACY Act would create new standards protecting networked data as if it were stored in an individual's possession. The act would require a court order based upon probable cause, or a subpoena that the information's owner has a meaningful opportunity to challenge.

    Strengthen privacy protections for cellular phone location information and other data: The bill would also strengthen protections for cellular phone location information, requiring a court order based upon probable cause before sensitive physical location data could be turned over to the government. The bill also gives judges more authority in reviewing government requests to install "trap and trace devices" and "pen registers," commonly used surveillance devices that record revealing data about a person's telephone usage.

    The new bill also contains provisions designed to address law enforcement concerns with encryption. An "obstruction of justice" encryption crime is included, similar to the narrow provision found in the House SAFE bill. The bill also establishes a new "Net Center" designed to improve federal, state, and local resources for dealing with encryption. CDT believes that both of these provisions are cause for concern and their implementation will need to be closely monitored to ensure that they do not create new burdens on the privacy of individuals using encryption.

    CDT applauds Senators Ashcroft, Leahy, Burns, Boxer, and the bill's other cosponsors for their forward-looking view of privacy and security online. The E-PRIVACY Act represents a milestone in the hard-fought congressional debate on encryption. While the Administration and some in the Senate have continued to push for key recovery, the bill presents a diametrically opposed approach, giving individuals and companies the technical tools and legal protections needed to protect their security. On balance, the E-PRIVACY Act would be a major step forward for individual privacy in the Information Age.

    More information about the encryption issue is available at CDT's Web site, at http://www.cdt.org/crypto

    If you're interested in becoming more involved in the encryption debate, please visit CDT's "Adopt Your Legislator" campaign at: http://www.crypto.com

    The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. CDT works to develop and advocate public policies that advance constitutional civil liberties and democratic values in new computer and communications technologies.

    # # # # #
