CDT Policy Post 3.02 - Administration Proposes Domestic Encryption Controls

-----------------------------------------------------------------------------
    _____ _____ _______
   / ____|  __ \__   __|   ____        ___               ____             __
  | |    | |  | | | |     / __ \____  / (_)______  __   / __ \____  _____/ /_
  | |    | |  | | | |    / /_/ / __ \/ / / ___/ / / /  / /_/ / __ \/ ___/ __/
  | |____| |__| | | |   / ____/ /_/ / / / /__/ /_/ /  / ____/ /_/ (__  ) /_
   \_____|_____/  |_|  /_/    \____/_/_/\___/\__, /  /_/    \____/____/\__/
   The Center for Democracy and Technology  /____/      Volume 3, Number 2
----------------------------------------------------------------------------
      A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
 CDT POLICY POST Volume 3, Number 2                       March 26, 1997

 CONTENTS: (1) Administration Proposes Domestic Encryption Controls
           (2) How to Subscribe/Unsubscribe
           (3) About CDT, contacting us

  ** This document may be redistributed freely with this banner intact **
        Excerpts may be re-posted with permission of 
         ** This document looks best when viewed in COURIER font **
-----------------------------------------------------------------------------

(1) ADMINISTRATION PROPOSES DOMESTIC ENCRYPTION CONTROLS

The Clinton Administration has drafted legislation to control the domestic
use of encryption technologies and compel participation in key recovery
systems open to the government. The bill would:

* Create a vast new government-dominated "key management infrastructure"
  designed to be a prerequisite for participation in electronic
  commerce.

* Compel people to use key recovery as a condition of participating in
  the key management infrastructure.

* Require the disclosure of private keys held by third parties,
  without a court order and upon mere written request of any law
  enforcement or national security agency.

CDT has obtained a draft of the proposed bill, which the Administration has
floated to several members of Congress. To the best of our knowledge, the
bill does not yet have a supporter on the Hill.

The text of the draft is available online at http://www.cdt.org/crypto/
________________________________________________________________________
SHORT SUMMARY

The proposed bill would destroy any prospect of privacy and security on the
Internet by opening a huge window of vulnerability to the private
communications of Internet users.  An initial analysis of the proposal by
CDT reveals the following significant concerns:

1. EASY ACCESS TO PRIVATE COMMUNICATIONS BY LAW ENFORCEMENT:

   Under the proposal, the government is granted carte blanche access to
   private decryption keys through a "subpoena" or "written
   authorization in a form to be specified by the Attorney General,"
   whenever the government has encrypted information (Sec. 302).

   The draft bill specifies no further standards for the release of keys
   and PROHIBITS notice to the person whose key has been revealed.

   The Administration's proposal would dramatically increase law
   enforcement surveillance authority by allowing access to decryption
   keys without a court order.

   Current electronic surveillance law requires law enforcement to obtain a
   Title III court order, upon a showing of probable cause, before
obtaining the
   contents of an electronic communication or data from a wiretap.

2. NEW DOMESTIC CONTROLS ON ENCRYPTION TECHNOLOGY:

   Until now, the debate over encryption policy has centered on US
   export controls, which have had the indirect but intended effect of
   limiting the availability of strong, easy-to-use encryption
   technologies inside the United States.

   The Administration's proposal for the first time explicitly
   encourages the use of key recovery inside the United States.  The
   bill seeks to accomplish this by granting government approved "Key
   Recovery Agents" and "Certificate Authorities" immunity for
   mishandling keys.

3. COMPELLED USE OF KEY RECOVERY DOMESTICALLY:

   While the Administration claims that its proposal is voluntary, the
   draft uses a variety of means to force use of government-approved
   key-recovery agents.

   In other words, in order to conduct business, engage in electronic
   commerce, or have a secure communication online, individuals would be
   compelled to use encryption systems with GUARANTEED GOVERNMENT
   ACCESS.

   Broadly speaking, a public key infrastructure would enable users to
   clearly identify the people they are communicating with and
   facilitate key management, and is widely viewed as an important
   component of a secure and trusted communications environment.
   However, the administration's proposal would establish this
   infrastructure at a heavy price: All users of the public key
   infrastructure would have to ensure government access to their
   encryption keys upon a mere government request.
________________________________________________________________________
MORE TO COME

CDT will post a detailed analysis of the Administration's proposal on our
Encryption Policy Issues Page (URL below) shortly.  The full text of the
Administration's draft is available now.

Bills are currently pending in both the House and Senate to relax US
encryption export controls and promote the widespread availability of
strong, easy-to-use encryption technologies to protect privacy and security
on the Internet.  Two of these bills (S. 377 - the 'Promotion of Commerce
Online in the Digital Era (Pro-CODE) Act of 1997' and HR --, the 'Security
and Freedom through Encryption (SAFE) Act of 1997' were the subject of
Congressional Hearings last week. Detailed background information on both
proposals is available at CDT's encryption policy issues page and the
Encryption Policy Resource Page (URLs below)

* CDT's Encryption Policy Issues Page   -- http://www.cdt.org/crypto
* the Encryption Policy Resource Page   -- http://www.crypto.com/
------------------------------------------------------------------------
(2) SUBSCRIPTION INFORMATION

Be sure you are up to date on the latest public policy issues affecting
civil liberties online and how they will affect you! Subscribe to the CDT
Policy Post news distribution list.  CDT Policy Posts, the regular news
publication of the Center For Democracy and Technology, are received by
nearly 10,000 Internet users, industry leaders, policy makers and
activists, and have become the leading source for information about
critical free speech and privacy issues affecting the Internet and other
interactive communications media.

To subscribe to CDT's Policy Post list, send mail to

     policy-posts-request@cdt.org

with a subject:

     subscribe policy-posts

If you ever wish to remove yourself from the list, send mail to the
above address with a subject of:

     unsubscribe policy-posts

-----------------------------------------------------------------------
(3) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US

The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop
and advocate public policies that advance democratic values and
constitutional civil liberties in new computer and communications
technologies.

Contacting us:

General information:  info@cdt.org
World Wide Web:       URL:http://www.cdt.org/
FTP                   URL:ftp://ftp.cdt.org/pub/cdt/

Snail Mail:  The Center for Democracy and Technology
             1634 Eye Street NW * Suite 1100 * Washington, DC 20006
             (v) +1.202.637.9800 * (f) +1.202.637.0968

-----------------------------------------------------------------------
End Policy Post 3.02                                           03/26/97
-----------------------------------------------------------------------
CDT Publications Page
CDT Cryptography Page
CDT Home Page