------------------------------------------------------------------------------
    _____ _____ _______
   / ____|  __ \__   __|   ____        ___               ____             __
  | |    | |  | | | |     / __ \____  / (_)______  __   / __ \____  _____/ /_
  | |    | |  | | | |    / /_/ / __ \/ / / ___/ / / /  / /_/ / __ \/ ___/ __/
  | |____| |__| | | |   / ____/ /_/ / / / /__/ /_/ /  / ____/ /_/ (__  ) /_
   \_____|_____/  |_|  /_/    \____/_/_/\___/\__, /  /_/    \____/____/\__/
   The Center for Democracy and Technology  /____/     Volume 3, Number 13
----------------------------------------------------------------------------
      A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
 CDT POLICY POST Volume 3, Number 13                    September 8, 1997

 CONTENTS: (1) New FBI Draft Crypto Bill Would Force Mandatory Key Recovery
           (2) Text of FBI Proposal
           (3) What You Can Do
           (4) How to Subscribe/Unsubscribe
           (5) About CDT, contacting us

  ** This document may be redistributed freely with this banner intact **
        Excerpts may be re-posted with permission of 
         ** This document looks best when viewed in COURIER font **
_____________________________________________________________________________

(1) NEW FBI DRAFT ENCRYPTION LEGISLATION WOULD IMPOSE MANDATORY KEY RECOVERY

In its most audacious crypto proposal yet, the FBI is circulating on Capitol 
Hill legislation to impose full domestic controls on the manufacture and use 
of encryption.  The FBI is seeking support for its proposal among two crucial 
House Committees preparing to consider encryption legislation this week.  

The text of the key section of the FBI draft is attached below.

The FBI draft would take two extraordinary steps. It would prohibit the 
manufacture, sale, import or distribution within the United States of any 
encryption product unless it contains a feature that would create a spare key 
or some other trap door allowing "immediate" decryption of any user's messages 
or files without the user's knowledge.

In addition, it would require all network service providers that offer 
encryption products or services to their customers to ensure that all messages 
using such encryption can be immediately decrypted without the knowledge of 
the customer.  This would apply to telephone companies and to online service 
providers such as America Online and Prodigy.

In the FBI draft, the "key recovery capability" could be activated by the 
purchaser or end user.  But requiring that such a capability be installed in 
all domestic communications networks and encryption products would be the 
critical step in enabling a national surveillance infrastructure.
	
The proposal requires the Attorney General to set standards for what are and 
are not acceptable encryption products. The proposal's requirement of 
"immediate" decryption would seem to seriously limit the options available to 
encryption manufacturers seeking approval of their products.

While export of encryption products from the United States has long been 
restricted, there have never been controls on the manufacture, distribution, 
or use of encryption within the United States.

Pending before the House Intelligence and National Security Committees is the 
Security and Freedom through Encryption Act (SAFE, HR 695), sponsored by Rep. 
Goodlatte (R-VA), which would lift current export controls on encryption 
technology. The Goodlatte bill has already been reported favorably by the 
House Judiciary and International Relations Committees.  The House National 
Security Committee is scheduled to consider HR 695 on Tuesday, September 9. 
The House Intelligence Committee has scheduled its vote for September 11. 
Members of both committees are expected to consider the FBI draft as a 
substitute for the SAFE bill.

This FBI proposal represents a major turn-around for the Clinton 
Administration, which has denied since its first year that it was seeking 
domestic controls on encryption.

The FBI proposal is an attempted end run around the Constitution.  By creating 
an avenue for immediate access to sensitive decryption keys without the 
knowledge of the user, the proposal denies users the notice that is a central 
element of the Fourth Amendment protection against unreasonable searches and 
seizures.  Just this past April, the Supreme Court reaffirmed that the Fourth 
Amendment normally requires the government to advise the target of a search 
and seizure that the search is being conducted.

Forcing U.S. citizens and companies to adopt so-called key recovery systems 
poses serious security risks, especially when the systems can be accessed 
without the knowledge of the users.  A recent study by 11 cryptography and 
computer security experts concluded that such key recovery systems would be 
costly and ultimately insecure (see http://www.crypto.com/key_study).

CDT executive director Jerry Berman said of the latest proposal, "This is not 
the first step towards the surveillance society. It *is* the surveillance 
society." 

______________________________________________________________________________

(2) TEXT OF MANDATORY KEY RECOVERY SECTION OF FBI DRAFT LEGISLATION      
    (From FBI "Technical Assistance Draft" Dated August 28, 1997)

SEC. 105. PUBLIC ENCRYPTION PRODUCTS AND SERVICES

(a)    As of January 1, 1999, public network service providers offering 
encryption products or encryption services shall ensure that such products or 
services enable the immediate decryption of communications or electronic 
information encrypted by such products or services on the public network, upon 
receipt of a court order, warrant, or certification, pursuant to section 106, 
without the knowledge or cooperation of the person using such encryption 
products or services.

(b)    As of January 1, 1999, it shall be unlawful for any person to 
manufacture for sale or distribution within the U.S., distribute within the 
U.S., sell within the U.S., or import into the U.S. any product that can be 
used to encrypt communications or electronic information, unless that product 
-

       (1) includes features, such as key recovery, trusted third party
       compatibility or other means, that

           (A) permit immediate decryption upon receipt of decryption
           information by an authorized party without the knowledge or
           cooperation of the person using such encryption product; and
  
           (B) is either enabled at the time of manufacture, distribution,
           sale, or import, or may be enabled by the purchaser or end user; or

       (2) can be used only on systems or networks that include features, such
       as key recovery, trusted third party compatibility or other means, that
       permit immediate decryption by an authorized party without the     
       knowledge or cooperation of the person using such encryption product.

(c)  (1) Within 180 days of the enactment of this Act, the Attorney General
     shall publish in the Federal Register functional criteria for complying
     with the decryption requirements set forth in this section.

     (2) Within 180 days of the enactment of this Act, the Attorney General
     shall promulgate procedures by which data network service providers and
     encryption product manufacturers, sellers, re-sellers, distributors, and
     importers may obtain advisory opinions as to whether a decryption method
     will meet the requirements of this section.

     (3) Nothing in this Act or any other law shall be construed as requiring
     the implementation of any particular decryption method in order to 
     satisfy the requirements of paragraphs (a) or (b) of this section.

______________________________________________________________________________

(3) WHAT CAN I DO TO HELP?

Are you concerned about protecting privacy and security in the information 
age? Curious what your Member of Congress thinks about the issue? 

  Adopt Your Legislator! Visit http://www.crypto.com/adopt for details

You will receive customized alerts with news you can use, including the latest 
information on internet-related issues, the views of your Representative and 
Senators, and contact information to help you ensure your voice is heard in 
the ongoing debate over the future of the Information Age.  

Visit http://www.cdt.org/crypto or http://www.crypto.com/ for detailed 
background information on the encryption policy reform debate, including the 
text of various legislative proposals, analysis, and other information.

_____________________________________________________________________________

(4) SUBSCRIPTION INFORMATION

Be sure you are up to date on the latest public policy issues affecting
civil liberties online and how they will affect you! Subscribe to the CDT
Policy Post news distribution list.  CDT Policy Posts, the regular news
publication of the Center For Democracy and Technology, are received by
more than 13,000 Internet users, industry leaders, policy makers and
activists, and have become the leading source for information about
critical free speech and privacy issues affecting the Internet and other
interactive communications media.

To subscribe to CDT's Policy Post list, send mail to

     policy-posts-request@cdt.org

with a subject:

     subscribe policy-posts

If you ever wish to remove yourself from the list, send mail to the
above address with a subject of:

     unsubscribe policy-posts
_____________________________________________________________________________

(5) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US

The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop
and advocate public policies that advance democratic values and
constitutional civil liberties in new computer and communications
technologies.

Contacting us:

General information:  info@cdt.org
World Wide Web:       URL:http://www.cdt.org/
FTP                   URL:ftp://ftp.cdt.org/pub/cdt/

Snail Mail:  The Center for Democracy and Technology
             1634 Eye Street NW * Suite 1100 * Washington, DC 20006
             (v) +1.202.637.9800 * (f) +1.202.637.0968

----------------------------------------------------------------------------
End Policy Post 3.13                                               09/08/97
----------------------------------------------------------------------------

