------------------------------------------------------------------------------
    _____ _____ _______
   / ____|  __ \__   __|   ____        ___               ____             __
  | |    | |  | | | |     / __ \____  / (_)______  __   / __ \____  _____/ /_
  | |    | |  | | | |    / /_/ / __ \/ / / ___/ / / /  / /_/ / __ \/ ___/ __/
  | |____| |__| | | |   / ____/ /_/ / / / /__/ /_/ /  / ____/ /_/ (__  ) /_
   \_____|_____/  |_|  /_/    \____/_/_/\___/\__, /  /_/    \____/____/\__/
   The Center for Democracy and Technology  /____/     Volume 4, Number 20
----------------------------------------------------------------------------
      A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
 CDT POLICY POST Volume 4, Number 20                    September 16, 1998

 CONTENTS: (1) Latest Administration Crypto Controls Leave Individual
               Privacy Concerns Unanswered
           (2) Continued Push for Key Recovery Leaves Online Privacy
               Unprotected
           (3) How to Subscribe/Unsubscribe
           (4) About CDT, Contacting us

  ** This document may be redistributed freely with this banner intact **
        Excerpts may be re-posted with permission of <ari@cdt.org>

      |PLEASE SEE END OF THIS DOCUMENT FOR SUBSCRIPTION INFORMATION|
_____________________________________________________________________________

(1) Latest Administration Crypto Controls Leave Individual Privacy
Concerns Unanswered

The White House today announced revised controls on the export of
encryption products used to protect security online. While a step in
the right direction, the new policy leaves major individual privacy
concerns unanswered.

The revisions released today would allow export of moderately
stronger encryption and allow certain industry segments to use even
more secure products. However, the Administration policy does not
address the needs of individuals online, human rights groups, or
other non-commercial users. It continues to use export controls as
a club to force the adoption of risky "key recovery" systems without
addressing the privacy concerns raised by backdoor government access
to our most sensitive data.

Major features of today's announcement include:

* Decontrol of 56-bit (DES-level) encryption -- would permit export
of 56-bit products and their equivalent (including 1024-bit
asymmetric systems) to most countries, after a one-time governmental
review.
* Export relief for specific industry segments -- would permit
export of stronger products to subsidiaries of U.S. companies, health
and insurance industries, and unspecified "electronic commerce"
users.
* Exemptions for "recoverable" products -- would permit export of
encryption products of unlimited strength if those products include
backdoor access to plaintext, use key recovery, or allow access to
plaintext through a system administrator or other person independent
of the user.

The Administration announcement is available on CDT's Web site at
http://www.cdt.org/crypto.


_____________________________________________________________________________

(2) Continued Push for Key Recovery Leaves Online Privacy Unprotected

CDT welcomes these efforts to address the concerns raised about
current U.S. policy. However, the new regulations leave significant
privacy concerns unanswered:

* 56-bit (DES-level) encryption will not adequately protect online
privacy and security.  Expert cryptographers have argued for years
that 56-bit encryption is not sufficient to protect privacy online.
Just this summer, a group of California researchers created a "DES
Cracker" that broke a 56-bit-length encrypted message in just 56 hours,
using minimal resources.

* Granting export relief for industry groups leaves the little guy out.
Individuals, human rights workers, or other non-commercial groups who
have a compelling interest in using strong encryption, without backdoor
access built-in, will not get relief under the new proposal.

* Administration policy continues to use export controls to force the
adoption of vulnerable key recovery systems. The new regulations would
continue the Administration's efforts to require "key recovery" or
other plaintext access features in the encryption products that most
individuals use. An experts' report on "The Risks of Key Recovery"
(http://www.crypto.com/key_study) recently argued that such
recovery technologies introduce new security risks.

* Standards for government access are not specified. A "recovery"
system that does not provide a clear understanding of the legal
protection governing access to plaintext leaves basic privacy concerns
unaddressed.  Such a discussion is absent from this proposal.

The extent to which the proposed new regulations will actually
provide export relief will depend a great deal on the fine print.
The new regulations are expected to be published in the late fall,
and CDT will be monitoring these rules as they are published to ensure
that they protect privacy.

CDT believes that the only way to protect individual security online
as well as the nation's critical infrastructure is through the
widespread availability of strong encryption, without backdoors.  We
will continue to work with members of Congress to push for reforms that
preserve the rights of individuals and businesses to protect sensitive
personal information.

For more information on how to get involved in the crypto debate, sign
up for CDT's "Adopt Your Legislator" campaign to be informed when your
representative is voting on encryption issues. Visit CDT's crypto
policy web site at http://www.crypto.com/adopt


_____________________________________________________________________________

(3) SUBSCRIPTION INFORMATION

Be sure you are up to date on the latest public policy issues affecting
civil liberties online and how they will affect you! Subscribe to the CDT
Policy Post news distribution list.  CDT Policy Posts, the regular news
publication of the Center For Democracy and Technology, are received by
more than 13,000 Internet users, industry leaders, policy makers and
activists, and have become the leading source for information about
critical free speech and privacy issues affecting the Internet and other
interactive communications media.

To subscribe to CDT's Policy Post list, send mail to

                majordomo@cdt.org

in the BODY of the message (leave the SUBJECT LINE BLANK), type

     subscribe policy-posts

If you ever wish to remove yourself from the list, send mail to the
above address with a subject of:

     unsubscribe policy-posts
_____________________________________________________________________________

(4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US

The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop
and advocate public policies that advance democratic values and
constitutional civil liberties in new computer and communications
technologies.

Contacting us:

General information:  info@cdt.org
World Wide Web:       http://www.cdt.org/


Snail Mail:  The Center for Democracy and Technology
             1634 Eye Street NW * Suite 1100 * Washington, DC 20006
             (v) +1.202.637.9800 * (f) +1.202.637.0968

----------------------------------------------------------------------------
End Policy Post 4.20
----------------------------------------------------------------------------