-----------------------------------------------------------------------------
CDT POLICY POST
The Center for Democracy and Technology                Volume 3, Number 7
----------------------------------------------------------------------------
A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
CDT POLICY POST Volume 3, Number 7 June 17, 1997
CONTENTS: (1) McCain & Kerrey Introduce Domestic Key Recovery Crypto Bill
(2) How to Subscribe/Unsubscribe
(3) About CDT, contacting us
** This document may be redistributed freely with this banner intact **
Excerpts may be re-posted with permission of
** This document looks best when viewed in COURIER font **
-----------------------------------------------------------------------------
(1) SENATORS McCAIN (R-AZ) AND KERREY (D-NE) INTRODUCE BILL TO COMPEL DOMESTIC
KEY RECOVERY
Today, Senators John McCain (R-AZ) and Bob Kerrey (D-NE) introduced S. 909,
"The Secure Public Networks Act of 1997" -- a bill that would, for the first
time, impose domestic restrictions on the ability of American citizens to use
encryption technologies to protect their privacy and security inside the United
States. The bill all but mandates that Americans provide guaranteed government
access to their private communications and stored files.
The McCain-Kerrey bill would gut efforts by Senator Conrad Burns (R-MT) and
others to enact meaningful encryption reform legislation that protects privacy,
promotes electronic commerce, and recognizes the realities of the global
information infrastructure.
Specifically, the bill would:
* Compel Americans to Use Government-Approved Key Recovery Systems
* Make Key Recovery a Condition Of Participation in E-Commerce
* Allow Government Carte Blanche Access to Sensitive Encryption Keys
Without a Court Order
* Create New Opportunities for Cybercrimes
* Codify a low 56-bit Key Length Limit on Encryption Exports
* Create Broad New Criminal Penalties for the Use of Encryption
The full text of the bill, along with detailed analysis, is available
online at http://www.cdt.org/crypto/
McCain, chairman of the powerful Senate Commerce Committee, is expected to
propose the bill as a substitute to Senator Burns' "Promotion of Commerce
Online in the Digital Era Act" (Pro-CODE) at a Committee vote currently
set for Thursday June 19.
CDT believes that the McCain-Kerrey bill represents a significant threat to
privacy and security in the Information Age.
________________________________________________________________________
OVERVIEW OF THE McCAIN-KERREY BILL
While pitched on Capitol Hill as a compromise, the McCain-Kerrey bill in fact
mirrors draft legislation proposed earlier this year by the Clinton
Administration. In some important ways, the McCain-Kerrey bill actually goes
even further than the Administration's proposals by forcing domestic and
worldwide adoption of key recovery systems. Specifically, the bill would:
* COMPEL AMERICANS TO USE GOVERNMENT-APPROVED KEY RECOVERY SYSTEMS
The bill would compel businesses and individuals to use federally-
licensed "key recovery" encryption systems to ensure guaranteed
government access to all private communications and stored files.
Although the bill states that use of government-approved key
recovery systems would be "voluntary," the bill contains powerful
regulatory incentives and legal penalties designed to compel
individuals and corporations to adopt federal key recovery systems if
they wish to participate in secure electronic commerce and private
communications.
* MAKE KEY RECOVERY A CONDITION OF PARTICIPATION IN E-COMMERCE
If enacted, the bill would effectively compel all Americans to use key
recovery systems if they wish to purchase products or services over
the Internet and communicate securely with their doctors, lawyers,
accountants, and colleagues.
Specifically, the bill would require the use of key recovery systems
in order to obtain the public key certificates needed to conduct secure
electronic commerce.
Key certification is widely viewed as a necessary part of secure and
trusted electronic commerce (it lets people verify the identity of
those they are communicating with). However, there is no technical
reason for tying certificates to key recovery -- other than to force
otherwise unwilling computer users to use federally-licensed key
recovery agents.
As a result, the linkage between certificates and third-party access
effectively holds electronic commerce hostage to key recovery.
* ALLOW GOVERNMENT CARTE BLANCHE ACCESS TO SENSITIVE ENCRYPTION KEYS
WITHOUT A COURT ORDER
The bill would allow law enforcement to access key information with as
little as a subpoena (a commonly used investigative tool). The bill
would allow for the seizure of keys, and access to encrypted
communications and data, by any of the over 15,000 federal, state, and
local law enforcement agencies in the U.S. ** WITHOUT THE APPROVAL OF
A JUDGE ** (A full analysis of the bill's impact on constitutional
privacy rights will be posted soon at http://www.cdt.org/crypto)
Decryption keys are among the most sensitive pieces of information
owned by an individual or organization - they provide access to the
most private and valuable communications, stored records, and
personal data. Such sensitive keys demand a heightened degree of
protection from disclosure and abuse - as Congress has recognized with
respect to other highly sensitive personal information.
As a result, the bill dramatically expands law enforcement
surveillance ability by setting an inappropriately low standard for
seizure of sensitive key information.
* CREATE NEW OPPORTUNITIES FOR CYBERCRIMES:
Key recovery systems of the type contemplated in the McCain-Kerrey
bill will open a huge window of vulnerability to the private data of
computer users.
A recent report by a group of 11 of the world's leading cryptographers
concluded that key-recovery systems like those proposed in the McCain-
Kerrey bill, "Will result in substantial sacrifices in security and
cost to the end user. Building a secure infrastructure of the
breathtaking scale and complexity demanded by these requirements
is far beyond the experience and current competency of the field."
* CODIFY A LOW 56-bit KEY LENGTH LIMIT ON ENCRYPTION EXPORTS
The bill would continue the Administration's Cold War-era export
controls on encryption technologies by limiting the strength of US
encryption exports to 56-bit key lengths. This despite the fact that
products with much greater strength are in demand by the global market
and are already widely available outside the United States.
* CREATE BROAD NEW CRIMINAL PENALTIES FOR USE OF ENCRYPTION
The bill contains a broad new crime that would penalize routine uses
of encryption and federalize vast numbers of state crimes. In
addition, the bill would create 15 new federal crimes dealing with the
use of encryption and key recovery as well as grant the Commerce
Department sweeping new enforcement powers.
CDT believes that this bill represents a significant threat to privacy and
security in the Information Age, and is not an appropriate way to address US
encryption reform.
________________________________________________________________________
NEXT STEPS
Senate Commerce Committee Chairman John McCain (R-AZ) is expected to offer "The
Secure Public Networks Act" as a substitute for the Pro-CODE bill at Committee
markup on Thursday June 19. Senator Burns (R-MT), the sponsor of the
net-friendly Pro-CODE bill, is expected to oppose the McCain-Kerrey bill and
offer an alternative proposal without key-recovery provisions.
CDT plans to work with Senator Burns and other committee members to block
government efforts to impose key recovery or key escrow domestically.
We will also continue to work with Rep. Goodlatte and the more than 120
sponsors of the Security and Freedom Through Encryption Act (SAFE) in the
House. The SAFE bill, which does not contain key recovery provisions, is
set for a vote in the House International Relations Trade Subcommittee within
the next few weeks.
For information on what you can do to help, visit http://www.cdt.org/crypto/
------------------------------------------------------------------------
(2) SUBSCRIPTION INFORMATION
Be sure you are up to date on the latest public policy issues affecting
civil liberties online and how they will affect you! Subscribe to the CDT
Policy Post news distribution list. CDT Policy Posts, the regular news
publication of the Center For Democracy and Technology, are received by
nearly 10,000 Internet users, industry leaders, policy makers and
activists, and have become the leading source for information about
critical free speech and privacy issues affecting the Internet and other
interactive communications media.
To subscribe to CDT's Policy Post list, send mail to
policy-posts-request@cdt.org
with a subject:
subscribe policy-posts
If you ever wish to remove yourself from the list, send mail to the
above address with a subject of:
unsubscribe policy-posts
-----------------------------------------------------------------------
(3) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US
The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop
and advocate public policies that advance democratic values and
constitutional civil liberties in new computer and communications
technologies.
Contacting us:
General information: info@cdt.org
World Wide Web: URL:http://www.cdt.org/
FTP URL:ftp://ftp.cdt.org/pub/cdt/
Snail Mail: The Center for Democracy and Technology
1634 Eye Street NW * Suite 1100 * Washington, DC 20006
(v) +1.202.637.9800 * (f) +1.202.637.0968
-----------------------------------------------------------------------
End Policy Post 3.07 06/17/97
-----------------------------------------------------------------------