
Testimony of Alan B. Davidson, Staff Counsel

Center for Democracy and Technology

before the

House Permanent Select Committee on Intelligence

June 9, 1999

Summary

Encryption is the essential tool for protecting privacy, security, public safety, and free expression online. The Center for Democracy and Technology (CDT) is pleased to have this opportunity to testify about U.S. encryption policy before the House Intelligence Committee. CDT is a public interest group dedicated to promoting civil liberties and democratic values on the Internet. CDT has long supported the Security and Freedom through Encryption (SAFE) Act, which is badly needed to reform a U.S. encryption policy that does not serve the interests of the United States.

  1. On balance, the widespread use of strong encryption is in the long term national security interests of the United States.

    Encryption is vital to the security of electronic commerce, personal communications, and the increasingly important information infrastructure. While encryption creates new challenges for law enforcement and national security, no U.S. export control or key recovery policy can stop determined criminals, terrorist groups, or rogue governments from getting access to strong encryption. Moreover, the law enforcement problem is narrower than it appears: Even without controls, in many cases the plaintext of encrypted data will be available where it is decrypted or stored, or through lawful access to existing decryption information. Meanwhile, encryption export controls are slowing down the use of strong encryption which would allow us to protect proprietary and personal information and our critical infrastructures.

    For all of these reasons, we agree with the conclusion of the National Research Council's 1996 report Cryptography's Role in Securing the Information Society. Its distinguished panel of technology, policy, and national security experts, who received classified briefings, concluded that "On balance, the advantages of more widespread use of cryptography outweigh the disadvantages."

  2. Government-mandated key recovery or plaintext access threatens security and privacy.

    Two years ago, in June 1997, a group of eminent computer security experts and cryptographers issued a damning critique of government proposals to require plaintext access features in encryption systems. Their report, The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption, concluded that:

    "The deployment of key-recovery-based encryption infrastructures to meet law enforcement's stated specifications will result in substantial sacrifices in security and greatly increased costs to the end-user. . . . These basic requirements [for plaintext access by government] make the problem of general key recovery difficult and expensive -- and potentially too insecure and too costly for many applications and many users."

    Two years later, the assertions of the experts remain unrebutted. Mandatory government access has been rejected by the marketplace and by policy makers around the world. Mandatory plaintext access raises serious constitutional concerns about non-particularized searches. And the government remains unable to explain how the security of keys will be protected globally when U.S. legal protections stop at the border.

  3. The world is rejecting U.S. policy of export controls and key recovery.

    Contrary to Administration predictions, foreign governments are not embracing export controls and key recovery. Since November, three major U.S. allies have moved in the opposite direction. France, long held out as a supporter of domestic controls, has abandoned mandatory key recovery and liberalized controls. The U.K., viewed as the Administration's staunchest ally, in May abandoned a domestic key recovery proposal. And just last week Germany announced that it would affirmatively promote the export of strong encryption.

  4. This Committee should demand responses to the unanswered questions about U.S. encryption policy.

The Administration has been unable to provide satisfactory answers to basic questions about the effectiveness and costs of encryption export controls and plaintext access systems. This Committee should seek answers to these questions:

Scenario: Suppose U.S. intelligence agencies surreptitiously intercept encrypted communications from a suspected terrorist organization. The group uses key recovery, with keys recoverable by lawful process in the Middle Eastern country the group operates from. Will U.S. agencies go through that lawful process?

Scenario: The government of China seeks decryption keys held in the U.S. for the encrypted communications of a pro-democracy group in China. Under what circumstances will the keys be turned over?

Scenario: Following the U.S. lead, France requires that U.S. companies make keys available to the French government for all communications in France. What legal standards will protect the trade secrets or other sensitive data sent with these systems, in a country without a Fourth Amendment and with a track record for government industrial espionage?

The Administration has been unable to answer these fundamental questions about U.S. policy. It has been unable to do so because export controls and key recovery are not a workable policy. Congressional action is needed. While CDT remains concerned with the criminal provisions in the SAFE Act, overall the SAFE Act would help provide Americans with the strong security and privacy products they so badly need. We urge this committee to support SAFE, and to seek answers to the hard questions about a U.S. policy that, in its current state, does not add up.




1. Developments of the Last Two Years Confirm the Need for a New U.S. Encryption Policy

Two years ago, this committee and four others in the House held hearings and voted on the SAFE Act in the context of a debate on encryption strikingly similar to the one going on today. Privacy advocates and industry representatives testified about the need for new encryption policies, and Administration officials argued that new regulations would allow U.S. policy to satisfy the competing interests at hand. In retrospect, the rapid pace of technical and marketplace developments over the last two years has made it clearer than ever before that the U.S. approach to encryption policy remains fundamentally flawed.

A. Exportable encryption has proven increasingly vulnerable.

    Two years ago, the Justice Department disputed arguments by privacy advocates that 56-bit encryption, the maximum strength exportable for consumers without key recovery, was not secure enough for many applications. The Justice Department claimed that "According to the National Security Agency’s estimates, the average time needed to decrypt a single message by means of a brute force cryptoanalytic attack on 56-bit DES -- a strength whose export we are now allowing -- would be approximately one year and eighty-seven days using a thirty-million-dollar supercomputer." [ 1 ]

    Technical developments have proven these comments wrong. In the Fall of 1998, a group of researchers sponsored by the Electronic Frontier Foundation built a "DES Cracker" system for less than $250,000 that broke a 56-bit key within 56 hours. [ 2 ] Less than six months later, in January 1999, encryption enthusiasts broke a 56-bit code in 22 hours using the DES Cracker and a network of distributed computers. If a non-profit and a group of part-time enthusiasts could develop such a system on a shoestring budget, we are only left to imagine what a foreign government, large corporation, or sophisticated criminal enterprise could do.

    The U.S. Government has itself recognized the weakness in 56-bit encryption systems. In a January 1999 draft the National Institute of Standards and Technology (NIST) revised the encryption standard for government use from 56-bit DES to much stronger "Triple DES," citing the vulnerability of DES. [ 3 ] Meanwhile, NIST has been leading efforts to create an Advanced Encryption Standard based on the 128-bit (and higher) algorithms that are becoming the world standard for online security. If the government does not trust 56-bit security, why should everyday computer users and companies be expected to rely on this weaker level of security?

B. Key recovery has not been widely accepted.

    Two years ago, Administration witnesses touted key recovery as the compromise that met law enforcement desires and was going to "become the worldwide standard." [ 4 ] In fact, since then government-driven key recovery has been greeted with great skepticism and widely discredited.

    Research has revealed the vulnerabilities of key recovery systems, which create backdoors to plaintext without the notice or consent of an encryption user. A 1997 report by a group of encryption experts found that "[t]he deployment of key-recovery-based encryption infrastructures to meet law enforcement’s stated specifications will result in substantial sacrifices in security and greatly increased costs to the end-user." A year later, with no substantive response from within the Administration or the technical community, the same group of experts confirmed its findings still held true in June 1998. [ 5 ] A copy of their report is being submitted to the Committee along with this testimony.

    Despite Administration predictions, the marketplace has shown little interest in even stored data recovery, and there is virtually no demand for key recovery for communications. To CDT's knowledge, not one major key recovery encryption product is being widely used by consumers today. [ 6 ]

C. The world is not adopting U.S. encryption control policies.

    Encryption controls are ultimately only effective if other countries control encryption products as well. In 1997, the Administration testified, "We have engaged in extensive international discussions on this topic over the last year, and a consensus is now emerging throughout much of the world that the way to achieve this balance is through the use of a ‘key recovery’ or ‘trusted third party’ system. . . We believe that key recovery will become the worldwide standard for users of the GII." [ 7 ]

    To date, the opposite has been true. The OECD Cryptography Policy Guidelines and the Ministerial Declaration of the European Union, both released in 1997, failed to embrace key recovery despite lobbying by the U.S. government. In the past year, Canada, Ireland and Finland have announced encryption policies allowing free use and export of strong encryption products without key recovery. Recent Administration claims of a new encryption control regime through the Wassenaar Arrangement have been overstated. In fact, many countries, including Wassenaar signatories, still allow encryption exports consistent with Wassenaar. (See below for a greater explanation of the Wassenaar changes.)

    Perhaps most importantly, major U.S. trading partners have recently moved away from U.S. policy. The U.K., the staunchest supporter of U.S. key recovery policy, this Spring rejected a major plaintext access proposal. France, long held out as a country with sweeping controls on encryption use in the past, recently liberalized its domestic limits. And this June the German government rejected domestic controls on encryption and committed to affirmatively promote German encryption exports.

D. The Administration has proven unable to engage in comprehensive reform.

The Department of Commerce has taken a step forward in its recently released encryption regulations, easing exports of 56-bit products and allowing export of strong encryption products to online merchants. However, U.S. policy remains focused on export controls and incentives to use key recovery. The mass market products needed by individual users remain controlled. The special relief for certain industry sectors, while surely welcomed by those businesses, does little to change the encryption available to individual computer users or small organizations.

Taken together, these developments argue for a more comprehensive change to U.S. encryption policy, away from export controls and key recovery and towards a view where public safety is best protected by giving people the encryption tools they need to protect themselves online.




2. Encryption Export Controls Jeopardize Privacy and Free Expression While Providing Few Real Benefits

Encryption export controls continue to threaten the privacy and security of Internet users and businesses both abroad and within the United States. They also threaten free expression: a Federal appeals court recently held that controls on encryption source code violate the First Amendment, and controls in general keep people from getting the security tools they need to protect free expression and free association. At the same time, the rationale for export controls is increasingly eroding due to the availability of good foreign encryption products. Finally, contrary to some claims, export controls are not required by the Wassenaar Arrangement.

A. Encryption protects privacy

Export controls limit the availability of strong encryption products to law-abiding consumers both domestically and abroad. Such controls directly limit the availability of strong U.S. products abroad, of particular concern to human rights groups and other international organizations. Export controls affect people in the U.S. when they communicate abroad, since they may be forced to use the lower levels of encryption available to the parties they communicate with. Export controls have also slowed the deployment of strong encryption standards. While some strong encryption products are available to consumers, export controls have largely slowed the seamless integration of good security systems into operating systems, network protocols, and many applications. Encryption should be easy for consumers; because of federal regulations, it is not.

The importance of encryption to computer users is real. Some examples include:

In these cases, encryption export controls have a real impact on security. As Human Rights Watch testified in Congress earlier this Spring, "Strong encryption, such as the PGP program, is available worldwide, but restraints have inhibited both the sharing of compatible programs throughout the human rights community and the development of new encryption products for the mass market. Were mass-market strong encryption readily available worldwide, protection in times of crisis would be a reality for many more users." Weaker encryption may not be sufficient for sensitive applications; for example, human rights workers believe the Yugoslavian government has access to Russian surveillance technology allowing them to readily crack the 40-bit encryption most readily available to potential informants there. [ 10 ]

The most recent December 1998 encryption regulations, while a welcome step forward by the Administration, do not change the fundamental premise of U.S. policy: export controls on all but the weakest encryption for mass market consumers, and strong incentives for the use of key recovery and plaintext access systems. The sector relief provided for foreign subsidiaries of U.S. companies, certain industries, and online merchants does little to provide regular consumers with strong encryption. Export controls remain a powerful incentive to adopt key recovery and plaintext access systems. The piecemeal relief offered by the regulations raises the question: When do regular people get to protect their privacy online?

Computer users remain at risk, awaiting the widespread deployment of encryption and facing increasing threats to their unprotected information.

B. Export controls hinder free expression and have been ruled unconstitutional

Encryption export controls violate the First Amendment prohibitions on prior restraints of speech. Courts have ruled that the ideas expressed in encryption source code make source code a form of protected speech, and the courts continue to find encryption export controls unconstitutional. In May, the Ninth Circuit Court of Appeals ruled that current export controls on encryption source code violated the First Amendment. While the decision is likely to be appealed -- leaving many still in need of immediate relief -- it is highly significant that yet another court has now found that the Administration's urgent national security claims do not override the constitutional infirmity of such regulations vesting "boundless discretion in government officials."

C. Good Encryption is Increasingly Produced Abroad

Strong encryption products are widely available abroad, undercutting the basic rationale of U.S. export controls. Ideas cannot be stopped at the border, and so it is no surprise that strong encryption products are increasingly being produced abroad. Surveys have documented literally hundreds of encryption products produced outside of the United States, many of them stronger than the limits imposed on U.S. exports. [ 11 ] The open, global, decentralized nature of the Internet makes transfer of encryption software around the world a simple matter. For example, a short online search reveals a sample of Web sites from around the world (see Figure 1 below) distributing free versions of the popular 128-bit encryption software "Pretty Good Privacy" (PGP). PGP is distributed on Web sites around the world ranging from those run by well-known organizations, to those provided by Internet Service Providers, to individual home pages.

While some have argued that foreign encryption is easily broken, there is much reason to believe that much of the internationally-produced encryption is just as secure as American encryption. Cryptography has become a global science. Many cryptography researchers live outside of the U.S. Many of the important cryptography conferences are held outside of the U.S. each year. Some of the most important advances in cryptography have been made by researchers outside of the U.S. For example, just this May an important new method for attacking encryption systems was released by Israeli cryptographer Adi Shamir.

Figure 1: Some Foreign Sites Supplying Pretty Good Privacy™ (popular 128-bit encryption product)

Country     Site Name                                            URL
Norway      The International PGP Page                           http://www.pgpi.com/
Austria     Arges Tempo Internet Service Provider                http://www.arges.tempo.at/pgp.download/
Brazil      The Best of Internet Software (Personal Home Page)   http://www.intensa.com.br/pesquisas/down2.htm
Germany     (Personal Homepage)                                  http://www.westfalen.de/hugo/index.html
Singapore   Centre for Internet Research                         http://www.irdu.nus.sg/pgp/download.htm
Sweden      CoMa's PGPClick Download Page                        http://www.torget.se/users/c/CoMa/pgp/pgpdownload.html

Source: Center for Democracy and Technology, May 1999.

Other examples of high quality foreign cryptography can be found in the ongoing efforts of the National Institute of Standards and Technology (NIST) to create a new Advanced Encryption Standard (AES), due to be completed by 2002. NIST solicited submissions for the AES algorithms, expected to become the world-class standard for the strongest (128-bit and higher) encryption products. Of the 15 submissions NIST received, ten were from industry and university researchers outside of the United States -- including Australia, Belgium, Canada, Costa Rica, England, France, Germany, Israel, Japan, and Korea.

D. The Export of Strong Encryption Does Not Violate the Wassenaar Arrangement

The Clinton Administration has long argued that the world community would imminently agree to limit the spread of encryption. In December 1998, the Administration claimed victory when 32 other nations agreed under the Wassenaar Arrangement to create a separate category for encryption products, removing encryption of 64 bits or greater from the General Software Note, a license exception for software products that are generally available and in the public domain. [ 12 ] Administration officials claimed that the amendments to Wassenaar "closed a loophole" by creating an international ceiling on bit-length. [ 13 ] However, the Wassenaar Arrangement does not impose multilateral controls on encryption products as the Administration claims.

Administration officials have argued that the export liberalization provisions in SAFE would violate the Wassenaar Arrangement. [ 14 ] However, Wassenaar does not impose multilateral export controls, but rather provides a set of non-binding guidelines for participating countries to follow in the spirit of international stabilization. Compliance with standards set by Wassenaar is entirely at the discretion of each participating country: "All measures undertaken with respect to the arrangement will be in accordance with national legislation and policies will be implemented on the basis of national discretion." The member countries are not required to adopt Wassenaar standards, and there are no penalties for exercising national discretion. Several Wassenaar signatories such as Canada, Finland, and Ireland readily allow the export of strong encryption products.

Moreover, several important countries that are not members of Wassenaar — Israel, China, and India — allow export of strong encryption.

The SAFE Act is completely consistent with the letter, and the spirit, of Wassenaar. It eases export controls on encryption products that are already generally available on the international market. The bill also prohibits mandatory key escrow, a system that is being rejected by the international community because it imposes serious privacy risks on the encryption user. SAFE also includes provisions that allow the Secretary of Commerce to prohibit export of specific encryption products to specific countries if "such encryption products will be used for military or terrorist end-use."




3. Government-Driven "Key Recovery" or "Plaintext Access" is Not a Solution

The law enforcement community in general has variously endorsed "key escrow," "key recovery," and other forms of "plaintext access" as its favored approach to encryption policy. These variations on the failed "Clipper Chip" policy seek to guarantee third-party access to the keys for all encrypted communications and stored data without the notice or consent of the key owners. Such proposals have been greeted with much skepticism and concern from the global Internet community.

The attempt to institutionalize key recovery worldwide is a fundamental threat to privacy and security both domestically and abroad:

Despite these concerns, current encryption regulations continue to give many encryption producers a Hobbesian choice: accept key recovery or be forced to export lower strength encryption. Moreover, proposals backed by the FBI in the past have sought to further force U.S. encryption users to adopt key recovery through a number of coercive regulations, including outright domestic mandates. While we are encouraged that the Administration appears to have backed away from mandatory domestic controls, we are wary that it has not denounced this approach. And even the current U.S. encryption policy based on key recovery and export controls threatens to leave global Internet users without the technical means to secure their communications or the international legal standards needed to protect their privacy.

 

4. National Security and Law Enforcement are Best Served by the Widespread Use of Strong Encryption

It is increasingly clear that the benefits of widespread encryption far outweigh the costs. The last two years have seen Americans moving their lives online in unprecedented numbers. A Presidential Commission has highlighted the vulnerability of our nation's critical information infrastructure. Together these developments have underscored the importance of securing the Internet, and deploying strong encryption to do so.

Two years ago the national security community seemed to speak with one voice about the danger of strong encryption. Today there has been an increasing recognition of the cost of U.S. encryption policy. As Sam Nunn, Co-Chair of the Advisory Committee to the President’s Commission on Critical Infrastructure Protection, noted in 1998 Senate testimony, "I do think we are in a different era of technology now and I do not think the nostalgia for the old-fashioned wiretap by law enforcement is going to be realistic in this age we are in now." [ 17 ] Senator Bob Kerrey, an early proponent of encryption controls, argued in an October 1998 speech that "the encryption debate has hobbled our efforts to write laws that enable our law enforcement and national security agencies to carry out their mission" and argued that it was time to "remove export restrictions on encryption products of any strength." [ 18 ]

The benefits of current U.S. policy to law enforcement are uncertain. U.S. policy will not stop sophisticated criminals from using encryption to evade law enforcement. Strong, non-escrowed encryption is already available both inside and outside of the United States today. Foreign governments and criminals have access to these powerful tools and will be able to encrypt data despite continued export controls or key recovery. Furthermore, nothing in the Administration policies prevents users from "super-encrypting" communications even within a key recovery framework.

The law enforcement problems with encryption are important but more limited than claimed. Law enforcement faces a real, but narrowly focused, problem with encryption. Most encrypted information will still be accessible to law enforcement by legal process even in an encrypted world. For example, businesses will still be required to produce the plaintext of encrypted business records under proper legal process. Stored information, corporate and business information, and even a great deal of electronic communication will most likely be largely available to law enforcement through legal process similar to that available today.

Important challenges remain for law enforcement interceptions of communications or seizures of data without notice to the party under surveillance. This narrower problem must be put into the context of the benefits provided by encryption and the costs associated with key recovery systems. The information economy presents new and powerful tools and opportunities for law enforcement surveillance. Online interaction leaves a detailed trail of electronic transactions, credit card purchases, online communications, and Web-based clickstream data presenting new traffic analysis opportunities. In fact, law enforcement is operating today in a Golden Age of surveillance, with online collections of personal data offering unprecedented new tools to obtain evidence of criminal activity (and raising important privacy concerns that must be dealt with).

U.S. policy is creating a deficit of trust around important issues we could all be working on together. U.S. policy stands in the way of a growing urgent need for strong encryption products and better computer security in general. As Sam Nunn testified before the Senate last year, "[I]f the deadlock continues as it is today, building the trust required between the public and private sectors in the broad area of infrastructure protection will be even more difficult." [ 19 ] Nunn went on to note that "limiting the power of encryption over the long-haul is simply not going to be feasible." Current U.S. policy dangerously impedes the deployment of accessible, easy-to-use, global security systems for the Internet that are needed to protect our privacy and our critical infrastructure.

On balance, national security demands strong encryption. CDT agrees with the conclusion of the National Research Council's major 1996 study of encryption, which argued, "On balance, the advantages of more widespread use of cryptography outweigh the disadvantages." [ 20 ]

 

5. Conclusion: Congress Should Support the SAFE Act

U.S. policy stands in the way of a growing urgent need for strong encryption products that people trust. The past two years have shown that people and businesses are moving more and more of their lives, economic activities, and sensitive data online. The federal government has identified the vulnerability of our nation's critical information infrastructure. Strong encryption, without built-in backdoors, is an essential part of protecting that sensitive data and critical infrastructure.

That is why the SAFE Act is so important. SAFE would take the common-sense step of allowing export of the mass-market encryption software most difficult to control, and most important to everyday computer users. It is a measured step; it does not remove all export controls, retaining for example restrictions on exports to countries like Iran or Libya. And CDT remains particularly concerned about provisions criminalizing the use of encryption to obstruct law enforcement in the course of a federal felony. While this provision is narrowly crafted, we remain concerned that it not be interpreted broadly enough to chill the routine use of encryption. On balance though, CDT believes SAFE would be a dramatic step forward for the security of computer users.

In the current policy standoff between an unsustainable control policy and the emerging and acute privacy and security needs of the Information Age, Congressional action is needed. Only Congress is in the position today to change U.S. encryption policy and get Americans the privacy and security tools they need. The private sector cannot do it. The Administration will not do it. The courts may do it, but not without a protracted struggle. Congress must act. CDT believes that immediate liberalization of export controls in the SAFE Act will help provide Americans on the Internet with the strong security and privacy they so badly need.

 

Footnotes

1. Security and Freedom Through Encryption (SAFE) Act: Hearing on H.R. 695 Before the Subcomm. on International Economic Policy and Trade of the House Comm. on International Relations, 105th Cong., 2nd Sess, 57-73 (1997) (Statement of Robert S. Litt, Deputy Assistant Attorney General, Department of Justice) (emphasis added).

2. See ELECTRONIC FRONTIER FOUNDATION, CRACKING DES (1998).

3. "With regard to use of single DES, exhaustion of the DES (i.e. breaking a DES encryption ciphertext by trying all possible keys) has become increasingly more feasible with technology advances. Following a recent hardware based DES key exhaustion attack, NIST can no longer support the use of single DES for many applications." 64 FED. REG. 10, 2625-2628 (1999) (proposed January 15, 1999).

4. "[W]e believe that key recovery encryption is going to become the worldwide standard." Security and Freedom Through Encryption (SAFE) Act: Hearing on H.R. 695 Before the Subcomm. on International Economic Policy and Trade of the House Comm. on International Relations, 105th Cong., 2nd Sess, 57-73 (1997) (Statement of Robert S. Litt, Deputy Assistant Attorney General, Department of Justice).

5. AN AD-HOC GROUP OF CRYPTOGRAPHERS AND COMPUTER SCIENTISTS, THE RISKS OF KEY RECOVERY, KEY ESCROW, & TRUSTED THIRD PARTY ENCRYPTION (1997). (Updated 1998 report available at http://www.cdt.org/crypto/risks98/.)

6. Cost may play a role. A recent study by the Business Software Alliance estimated the cost of key escrow systems at $7.7 billion per year and $38.5 billion over a five year period. BUSINESS SOFTWARE ALLIANCE, THE COST OF GOVERNMENT-DRIVEN KEY ESCROW ENCRYPTION (1998).

7. Security and Freedom Through Encryption (SAFE) Act: Hearing on H.R. 695 Before the Subcomm. on International Economic Policy and Trade of the House Comm. on International Relations, 105th Cong., 2nd Sess, 57-73 (1997) (Statement of Robert S. Litt, Deputy Assistant Attorney General, Department of Justice).

8. Security and Freedom Through Encryption (SAFE) Act: Hearing on H.R. 695 Before the Subcomm. on International Economic Policy and Trade of the House Comm. on International Relations, 106th Cong., 1st Sess. (May 18, 1999) (Statement of Dinah PoKempner, Deputy General Counsel, Human Rights Watch).

9. See Regina Joseph, "The Encryption Imperative", Editor & Publisher, January 1999.

10. Security and Freedom Through Encryption (SAFE) Act: Hearing on H.R. 695 Before the Subcomm. on International Economic Policy and Trade of the House Comm. on International Relations, 106th Cong., 1st Sess. (May 18, 1999) (Statement of Dinah PoKempner, Deputy General Counsel, Human Rights Watch).

11. Encryption software can be purchased from many other countries across the globe, and easily downloaded over the Internet. According to a recent study by the Economic Strategy Institute, 1,601 encryption products were available as of September 1997 from 941 firms in thirty countries. Of this total, 653 are made outside the United States by 472 foreign firms.

12. General Software Note, Wassenaar Arrangement (http://www.wassenaar.org/list/gtngsn.pdf) [Revised version of GSN]

13. Security and Freedom Through Encryption (SAFE) Act: Hearing on H.R. 695 Before the Subcomm. on Courts and Intellectual Property of the House Comm. on the Judiciary, 106th Cong., 1st Sess. (March 4, 1999) (Statement of William A. Reinsch, Under Secretary for Export Administration, Department of Commerce).

14. At a March 1999 meeting of the President's Export Subcommittee on Encryption, Under Secretary Reinsch identified provisions of the SAFE bill that he asserted would violate the Wassenaar Arrangement. Summary of Open Session, President's Export Subcommittee on Encryption (March 12, 1999).

15. AN AD-HOC GROUP OF CRYPTOGRAPHERS AND COMPUTER SCIENTISTS, THE RISKS OF KEY RECOVERY, KEY ESCROW, & TRUSTED THIRD PARTY ENCRYPTION (1997). (Updated 1998 report available at http://www.cdt.org/crypto/risks98/.)

16. American Association for the Advancement of Science, Comments on Bureau of Export Administration Interim Rule on Encryption Controls (Feb. 7, 1997).

17. Hearing before the Subcommittee on Technology, Terrorism, and Government Information of the Senate Committee on the Judiciary, 105th Cong., 2nd Sess. (March 17, 1998) (Statement of Sam Nunn, Co-Chair, Advisory Committee to the President's Commission on Critical Infrastructure Protection).

18. 144 CONG. REC. S12359 (1998).

19. Hearing before the Subcommittee on Technology, Terrorism, and Government Information of the Senate Committee on the Judiciary, 105th Cong., 2nd Sess. (March 17, 1998) (Statement of Sam Nunn, Co-Chair, Advisory Committee to the President's Commission on Critical Infrastructure Protection).

20. NATIONAL RESEARCH COUNCIL, CRYPTOGRAPHY'S ROLE IN SECURING THE INFORMATION SOCIETY (1996).

About the Center for Democracy and Technology

CDT is an independent, non-profit public interest policy organization in Washington, D.C. The Center's mission is to develop and implement public policies that protect and advance individual liberty and democratic values in new digital communications media. The Center achieves its goals through policy development, public education, and coalition building. CDT also coordinates the Digital Privacy and Security Working Group (DPSWG), an ad hoc coalition of more than 50 computer, communications, and public interest organizations and associations working on information privacy and security issues.

House Rule XI, clause 2(g)(4) disclosures: Neither Alan Davidson nor the Center for Democracy and Technology has received any federal grant, contract, or subcontract in the current or preceding two fiscal years.

 

For more information contact:

Alan B. Davidson, Staff Counsel

abd@cdt.org

James X. Dempsey, Senior Staff Counsel

jdempsey@cdt.org

Center for Democracy and Technology

http://www.cdt.org/

202.637.9800 (v)

202.637.0968 (f)

And see CDT's Encryption Policy Resource Page on the World Wide Web:

http://www.cdt.org/crypto

 
 


Copyright © 2005 by Center for Democracy and Technology.
The content throughout this Web site that originates with CDT can be freely copied and used as long as you make no substantive changes and clearly give us credit. Details.
