-----------------------------------------------------------------------------
   _____ _____ _______
  / ____|  __ \__   __|     ____        ___               ____             __
 | |    | |  | | | |       / __ \____  / (_)______  __   / __ \____  _____/ /_
 | |    | |  | | | |      / /_/ / __ \/ / / ___/ / / /  / /_/ / __ \/ ___/ __/
 | |____| |__| | | |     / ____/ /_/ / / / /__/ /_/ /  / ____/ /_/ (__  ) /_
  \_____|_____/  |_|    /_/    \____/_/_/\___/\__, /  /_/    \____/____/\__/
     The Center for Democracy and Technology /____/         Volume 3, Number 9
----------------------------------------------------------------------------
A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
CDT POLICY POST Volume 3, Number 9 July 9, 1997
CONTENTS: (1) Key Recovery gets Mixed Reviews at Senate Judiciary
              Committee Hearing
          (2) How to Subscribe/Unsubscribe
          (3) About CDT, contacting us
** This document may be redistributed freely with this banner intact **
Excerpts may be re-posted with permission of
** This document looks best when viewed in COURIER font **
-----------------------------------------------------------------------------
(1) KEY RECOVERY GETS MIXED REVIEWS AT SENATE JUDICIARY COMMITTEE HEARING
The Senate Judiciary Committee today held a hearing to explore government
access to encrypted communications through key recovery. The hearing,
called to consider both the general question of key recovery encryption and
the McCain-Kerrey "Secure Public Networks Act" (S. 909), highlighted the
controversy surrounding efforts to reform US encryption policy.
Several Senators for the first time came out in the open to acknowledge
their support of mandatory key recovery inside the United States even
beyond the compelled use of key recovery contained in the McCain-Kerrey
bill. At the same time, other Senators raised serious concerns about the
feasibility and vulnerability of key recovery systems of the kind favored
by the Clinton Administration.
Witnesses testifying at the hearing, billed as "Encryption, Key Recovery,
and Privacy Protection in the Information Age," included:
* Senator Robert J. Kerrey (D-Nebraska)
* Louis Freeh, FBI Director
* William Crowell, NSA Deputy Director
* Ken Dam, Chair of National Research Council Encryption Policy Study
* Mike Mackay, Vice President, Novell
* Peter Neumann, Principal Scientist, SRI
* Ray Ozzie, President, Iris Associates
Committee chairman Orrin Hatch (R-UT) outlined the issue in his opening
remarks: "There appears to be little dispute that the development of some
form of key recovery is inevitable. What is not at all clear and serves as
the primary basis for this hearing is whether our national encryption
policy should be based upon a government mandated or controlled key
recovery scheme, whether the government should remove itself from this
debate and allow for a purely market driven development of key recovery, or
whether there exists a true middle ground whereby government and industry
can work together in a manner that strikes a reasonable compromise between
these competing interests."
Senator Patrick Leahy (D-VT), the ranking Democrat, expressed similar
concerns: "I have always believed that there will be a use for a market
driven, user-friendly, cost-effective form of key recovery, so that
businesses and individuals can recover encrypted data that is important to
them.... However, government-dictated recovery systems are radically
different in nature. The Administration's insistence on burdensome
regulation of key recovery systems, guaranteed access to both encrypted
communications and stored files, access to keys by both domestic and
foreign law enforcement agencies without court orders, and no notice ever
of key disclosures to the owners of those keys, all pose significant
obstacles to a market-driven approach to the development of key recovery
systems."
Senator Bob Kerrey (D-NE), a lead sponsor of S. 909, testified at length in
support of his bill, making it clear that key recovery was his central
concern.
Several Senators, including Jon Kyl (R-AZ), expressed concern that S. 909,
which would require the use of key recovery as a condition for
participating in electronic commerce, does not go far enough and expressed
support for mandated key recovery inside the United States. Senators
Charles Grassley (R-IA) and Dianne Feinstein (D-CA) also seemed to support
mandatory key recovery.
When Senator Kerrey claimed that his legislation gave no additional
authority to the government, Senator Feinstein directed Kerrey's attention
to a memorandum by CDT and asked Sen. Kerrey for his written response (the
text of the memo is available online at the URL below).
FBI Director Louis Freeh and William Crowell, deputy director of the
National Security Agency, testified. Freeh also said that the
McCain-Kerrey bill did not go far enough. Freeh appeared to be
accommodating on the question of requiring a judicial order for access to
escrowed keys.
Witnesses representing the computer and communications industry expressed
strong opposition to S. 909 and government-mandated key recovery.
Michael Mackay, Vice President of Novell, testifying on behalf of the
Business Software Alliance and the Software Publishers Association, stated
"The Administration's key recovery scheme is too complex, too costly, and
too vulnerable. It will not work."
Mackay's comments were echoed by Ray Ozzie of Iris Associates (a subsidiary
of Lotus and IBM), who told the committee, "Large scale key management and
recovery systems are inherently imperfect and, if mandated, will *cause* an
increase in crime."
Several Senators, including Patrick Leahy (D-VT), expressed strong concern
about S. 909 and urged caution. Senator John Ashcroft (R-MO), who voted
against S. 909 at the Commerce Committee in June, said, "No nationwide key
recovery system, or licensing requirement for certificate authorities,
should be brought to the floor without thorough examination, analysis, and
understanding. We must understand the impact of these provisions,
economically as well as technologically, before a bill is brought to the
Senate floor."
Citing the recent report by leading cryptographers on the risks of key
recovery systems (http://www.crypto.com/key_study), Peter Neumann told the
panel that key recovery systems designed to meet law enforcement
specifications (like those proposed by S. 909) threaten the security of the
Internet and create new opportunities for crime.
The report, which was referenced by several of the other witnesses and
senators, seemed also to resonate with Chairman Hatch, who concluded the
hearing by stating that he had "real qualms" about S. 909, and noted that
in the very difficult area of encryption policy the solutions may create
new problems. "I'm worried," Hatch concluded, "about Congress messing this
up."
The full text of S. 909, as well as additional information about the
encryption policy debate, is available online at http://www.cdt.org/crypto/
WHAT YOU CAN DO
Want to learn more about your U.S. Representative and Senator's position
on this and other Internet-related policy issues? Join the Adopt Your
Legislator Campaign. Visit http://www.crypto.com/adopt for details.
________________________________________________________________________
(2) SUBSCRIPTION INFORMATION
Be sure you are up to date on the latest public policy issues affecting
civil liberties online and how they will affect you! Subscribe to the CDT
Policy Post news distribution list. CDT Policy Posts, the regular news
publication of the Center For Democracy and Technology, are received by
more than 13,000 Internet users, industry leaders, policy makers and
activists, and have become the leading source for information about
critical free speech and privacy issues affecting the Internet and other
interactive communications media.
To subscribe to CDT's Policy Post list, send mail to

     policy-posts-request@cdt.org

with a subject:

     subscribe policy-posts

If you ever wish to remove yourself from the list, send mail to the
above address with a subject of:

     unsubscribe policy-posts
-----------------------------------------------------------------------
(3) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US
The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop
and advocate public policies that advance democratic values and
constitutional civil liberties in new computer and communications
technologies.
Contacting us:

General information:  info@cdt.org
World Wide Web:       URL:http://www.cdt.org/
FTP                   URL:ftp://ftp.cdt.org/pub/cdt/

Snail Mail:  The Center for Democracy and Technology
             1634 Eye Street NW * Suite 1100 * Washington, DC 20006
             (v) +1.202.637.9800 * (f) +1.202.637.0968
-----------------------------------------------------------------------
End Policy Post 3.09 07/09/97
-----------------------------------------------------------------------