------------------------------------------------------------------------
POLICY POST
November 9, 1995
Number 29
CENTER FOR DEMOCRACY AND TECHNOLOGY
------------------------------------------------------------------------
A briefing on public policy issues affecting civil liberties online
------------------------------------------------------------------------
CDT POLICY POST Number 29 November 9, 1995
CONTENTS:
(1) Public Interest/Industry Coalition Says Administration Crypto
    Policy Flawed -- Pledges to Develop Alternative
(2) Text of CDT-led coalition letter to Vice President Gore
(3) How To Subscribe To The CDT Policy Post Distribution List
(4) About CDT, Contacting Us
This document may be re-distributed freely provided it remains in its
entirety. Excerpts may be re-posted by permission (editor@cdt.org)
------------------------------------------------------------------------
(1) Public Interest/Industry Coalition Says Administration Crypto Policy
Flawed -- Pledges to Develop Alternative
A broad coalition of nearly forty public-interest organizations, trade
associations, and representatives from the telecommunications and
computer hardware and software industries sent the attached letter to
Vice President Albert Gore on Wednesday, objecting to the
Administration's recently announced cryptography policy.
While the letter praised the administration for its efforts to develop a
national cryptography policy, the signatories, which include groups such
as EFF and companies such as America Online, Apple, AT&T, MCI, Lotus,
Microsoft, and Tandem Computer (organized by CDT), expressed concern
that the Administration's proposal is weighted heavily in favor of law
enforcement and national security while neglecting the privacy and
security needs of individuals and the marketplace.
The letter states:
"A secure, private, and trusted Global Information Infrastructure
(GII) is essential to promote economic growth and meet the needs of
the Information Age society. Competitive businesses need cryptography
to protect proprietary information as it flows across increasingly
vulnerable global networks. Individuals require privacy protection in
order to build the confidence necessary to use the GII for personal
and financial transactions... The undersigned groups recognize that
the Administration's recently articulated cryptography initiative was
a serious attempt to meet some of these challenges, but the proposed
initiative is no substitute for a comprehensive national cryptography
policy. To the extent that the current policy becomes a substitute
for a more comprehensive policy, the initiative actually risks
hindering the development of a secure and trusted GII."
The coalition pledged to work together to formulate recommendations for
an alternative cryptography policy based on the following principles:
* ROBUST SECURITY: access to levels of encryption sufficient to address
domestic and international security threats, especially as advances in
computing power make currently deployed cryptography systems less
secure.
* INTERNATIONAL INTEROPERABILITY: the ability to securely interact
worldwide.
* VOLUNTARY USE: freedom for users to choose encryption solutions,
developed in the marketplace, that meet their particular needs.
* ACCEPTANCE BY THE MARKETPLACE: commercial viability and ability to
meet the expressed needs of cryptography users.
* CONSTITUTIONAL PRIVACY PROTECTIONS: safeguards to ensure basic Fourth
Amendment privacy protection and regulation of searches, seizures, and
interceptions.
* RESPECT FOR THE LEGITIMATE NEEDS OF LAW ENFORCEMENT and national
security, while recognizing the reality that determined criminals will
have access to virtually unbreakable encryption.
A second group, composed of conservative/libertarian organizations
including Americans for Tax Reform and Citizens for A Sound Economy,
issued a similar letter on Wednesday to House Speaker Newt Gingrich. The
text of that letter, as well as additional information on the
cryptography policy debate, can be found on CDT's Cryptography Issues
Page:
URL:http://www.cdt.org/crypto.html
The letters come as the National Institute of Standards & Technology
(NIST) this week announced revisions to the Administration's proposed
export criteria announced last September (See CDT Policy Post No. 24).
The revised proposal is substantively similar to the previous version,
and maintains controversial provisions including:
* LIMITS ON KEY LENGTH: The revised proposal would continue to allow
the export of cryptography systems with 64-bit key lengths, but
only if the keys are escrowed by an agent approved by the U.S.
Government and if the systems meet the other export criteria.
* RESTRICTED INTEROPERABILITY: While the revised proposal does clarify
the interoperability provision, it would continue to prohibit
exportable products from operating with any other cryptographic
products that do not meet the NIST criteria.
* NO PRIVACY SAFEGUARDS: The proposal contains no mention of the
procedures for law enforcement access to escrowed keys, the standards
for certifying escrow agents, or the obligations on escrow agents to
protect privacy.
CDT believes that the NIST proposals fall far short of the promise for a
more sensible and comprehensive cryptography policy outlined last July
in Vice President Gore's letter to Rep. Maria Cantwell. The current
proposal fails to provide adequate security, protect the privacy of
individuals, and meet the needs of the global marketplace. CDT believes
that a more comprehensive approach to cryptography policy is necessary
to address both the immediate need for strong cryptographic applications
and the long-term development of a secure and trusted Global Information
Infrastructure. CDT will work with the signatories of the letter over
the next six months to develop an alternative to the Administration's
proposal.
-----------------------------------------------------------------------
(2) Text of CDT-led Coalition Letter to Vice President Gore
November 8, 1995
The Honorable Albert Gore, Jr.
Office of the Vice President
Old Executive Office Building, Room 276
Washington, D.C. 20501
Dear Mr. Vice President:
A secure, private, and trusted Global Information Infrastructure (GII)
is essential to promote economic growth and meet the needs of the
Information Age society. Competitive businesses need cryptography to
protect proprietary information as it flows across increasingly
vulnerable global networks. Individuals require privacy protection in
order to build the confidence necessary to use the GII for personal and
financial transactions. Promoting the development of the GII and
meeting the needs of the Information Age will require strong, flexible,
widely-available cryptography. The undersigned groups recognize that
the Administration's recently articulated cryptography initiative was a
serious attempt to meet some of these challenges, but the proposed
initiative is no substitute for a comprehensive national cryptography
policy. To the extent that the current policy becomes a substitute for
a more comprehensive policy, the initiative actually risks hindering the
development of a secure and trusted GII.
A number of the undersigned organizations have already written to
express concern about the latest Administration cryptography initiative.
As some of us have noted, the Administration's proposed export criteria
will not allow users to choose the encryption systems that best suit
their security requirements. Government ceilings on key lengths will
not provide an adequate level of security for many applications,
particularly as advances in computing render current cryptography
systems less secure. Competitive international users are steadily
adopting stronger foreign encryption in their products and will be
unlikely to embrace U.S. restrictions. As they stand, current export
restrictions place U.S. hardware manufacturers, software developers, and
computer users at a competitive disadvantage, seriously hinder
international interoperability, and threaten the strategically important
U.S. communications and computer hardware and software industries.
Moreover, the Administration policy does not spell out any of the
privacy safeguards essential to protect individual liberties and to
build the necessary public trust in the GII.
The current policy directive also does not address the need for
immediate liberalization of current export restrictions. Such
liberalization is vital to enable U.S. companies to export
state-of-the-art software products during the potentially lengthy process of
developing and adopting a comprehensive national cryptography policy.
Without relief, industry and individuals alike are faced with an
unworkable limit on the level of security available and remain hamstrung
by restrictions that will not be viable in the domestic and
international marketplace.
Many members of the undersigned groups have been working actively with
the Administration on a variety of particular applications, products,
and programs promoting information security. All of us are united,
however, by the concern that the current network and information
services environment is not as secure as it should be, and that the
current policy direction will delay the secure, private, and trusted
environment that is sought.
Despite the difficulties of balancing the competing interests involved,
the undersigned companies, trade associations, and privacy organizations
are commencing a process of collective fact-finding and policy
deliberation, aimed at building consensus around a more comprehensive
cryptography policy framework that meets the following criteria:
* ROBUST SECURITY: access to levels of encryption sufficient to address
domestic and international security threats, especially as advances in
computing power make currently deployed cryptography systems less
secure.
* INTERNATIONAL INTEROPERABILITY: the ability to securely interact
worldwide.
* VOLUNTARY USE: freedom for users to choose encryption solutions,
developed in the marketplace, that meet their particular needs.
* ACCEPTANCE BY THE MARKETPLACE: commercial viability and ability to
meet the expressed needs of cryptography users.
* CONSTITUTIONAL PRIVACY PROTECTIONS: safeguards to ensure basic Fourth
Amendment privacy protection and regulation of searches, seizures, and
interceptions.
* RESPECT FOR THE LEGITIMATE NEEDS OF LAW ENFORCEMENT and national
security, while recognizing the reality that determined criminals will
have access to virtually unbreakable encryption.
In six months, we plan to present our initial report to the
Administration, the Congress, and the public in the hopes that it will
form the basis for a more comprehensive, long-term approach to
cryptography on the GII. We look forward to working with the
Administration on this matter.
Sincerely,
American Electronics Association
America Online, Inc.
Apple Computer, Inc.
AT&T
Business Software Alliance
Center for Democracy & Technology
Center for National Security Studies
Commercial Internet eXchange Association
CompuServe, Inc.
Computer & Communications Industry Association
Computing Technology Industry Association
Crest Industries, Inc.
Dun & Bradstreet
Eastman Kodak Company
Electronic Frontier Foundation
Electronic Messaging Association
EliaShim Microcomputers, Inc.
Formation, Inc.
Institute for Electrical and Electronic Engineers - United States Activities
Information Industry Association
Information Technology Industry Council
Information Technology Association of America
Lotus Development Corporation
MCI
Microsoft Corporation
Novell, Inc.
OKIDATA Corporation
Oracle Corporation
Securities Industry Association
Software Industry Council
Software Publishers Association
Software Security, Inc.
Summa Four, Inc.
Sybase, Inc.
Tandem Computers, Inc.
Telecommunications Industry Association
ViON Corporation
------------------------------------------------------------------------
(3) HOW TO SUBSCRIBE TO THE CDT POLICY POST LIST
CDT Policy Posts, which is what you have just finished reading, are the
regular news publication of the Center For Democracy and Technology. CDT
Policy Posts are designed to keep you informed on developments in public
policy issues affecting civil liberties online.
SUBSCRIPTION INFORMATION
1. SUBSCRIBING TO THE LIST
To subscribe to the policy post distribution list, send mail to
"Majordomo@cdt.org" with:
subscribe policy-posts
in the body of the message (leave the subject line blank)
2. UNSUBSCRIBING FROM THE LIST
If you ever want to remove yourself from this mailing list,
you can send mail to "Majordomo@cdt.org" with the following command
in the body of your email message:
unsubscribe policy-posts youremail@local.host (your name)
(leave the subject line blank)
You can also visit our subscription web page
URL:http://www.cdt.org/join.html
-----------------------------------------------------------------------
(4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US
The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop
and advocate public policies that advance constitutional civil liberties
and democratic values in new computer and communications technologies.
Contacting us:
General information: info@cdt.org
World Wide Web: URL:http://www.cdt.org
FTP URL:ftp://ftp.cdt.org/pub/cdt/
Snail Mail: The Center for Democracy and Technology
1001 G Street NW * Suite 500 East * Washington, DC 20001
(v) +1.202.637.9800 * (f) +1.202.637.0968
-----------------------------------------------------------------------
End Policy Post No. 29 11/9/95
-----------------------------------------------------------------------