Interesting People mailing list archives
IP: New FBI Crypto Bill To Force Key Recovery
From: David Farber <farber () cis upenn edu>
Date: Thu, 11 Sep 1997 04:37:54 -0400
------------------------------------------------------------------------------ _____ _____ _______ / ____| __ \__ __| ____ ___ ____ __ | | | | | | | | / __ \____ / (_)______ __ / __ \____ _____/ /_ | | | | | | | | / /_/ / __ \/ / / ___/ / / / / /_/ / __ \/ ___/ __/ | |____| |__| | | | / ____/ /_/ / / / /__/ /_/ / / ____/ /_/ (__ ) /_ \_____|_____/ |_| /_/ \____/_/_/\___/\__, / /_/ \____/____/\__/ The Center for Democracy and Technology /____/ Volume 3, Number 13 ---------------------------------------------------------------------------- A briefing on public policy issues affecting civil liberties online ---------------------------------------------------------------------------- CDT POLICY POST Volume 3, Number 13 September 8, 1997 _____________________________________________________________________________ (1) NEW FBI DRAFT ENCRYPTION LEGISLATION WOULD IMPOSE MANDATORY KEY RECOVERY In its most audacious crypto proposal yet, the FBI is circulating on Capitol Hill legislation to impose full domestic controls on the manufacture and use of encryption. The FBI is seeking support for its proposal among two crucial House Committees preparing to consider encryption legislation this week. The text of the key section of the FBI draft is attached below. The FBI draft would take two extraordinary steps. It would prohibit the manufacture, sale, import or distribution within the United States of any encryption product unless it contains a feature that would create a spare key or some other trap door allowing "immediate" decryption of any user's messages or files without the user's knowledge. In addition, it would require all network service providers that offer encryption products or services to their customers to ensure that all messages using such encryption can be immediately decrypted without the knowledge of the customer. This would apply to telephone companies and to online service providers such as America Online and Prodigy. In the FBI draft, the "key recovery capability" could be activated by the purchaser or end user. But requiring that such a capability be installed in all domestic communications networks and encryption products would be the critical step in enabling a national surveillance infrastructure. The proposal requires the Attorney General to set standards for what are and are not acceptable encryption products. The proposal's requirement of "immediate" decryption would seem to seriously limit the options available to encryption manufacturers seeking approval of their products. While export of encryption products from the United States has long been restricted, there have never been controls on the manufacture, distribution, or use of encryption within the United States. Pending before the House Intelligence and National Security Committees is the Security and Freedom through Encryption Act (SAFE, HR 695), sponsored by Rep. Goodlatte (R-VA), which would lift current export controls on encryption technology. The Goodlatte bill has already been reported favorably by the House Judiciary and International Relations Committees. The House National Security Committee is scheduled to consider HR 695 on Tuesday, September 9. The House Intelligence Committee has scheduled its vote for September 11. Members of both committees are expected to consider the FBI draft as a substitute to the SAFE bill. This FBI proposal represents a major turn-around for the Clinton Administration, which has denied since its first year that it was seeking domestic controls on encryption. The FBI proposal is an attempted end run around the Constitution. By creating an avenue for immediate access to sensitive decryption keys without the knowledge of the user, the proposal denies users the notice that is a central element of the Fourth Amendment protection against unreasonable searches and seizures. Just this past April, the Supreme Court reaffirmed that the Fourth Amendment normally requires the government to advise the target of a search and seizure that the search is being conducted. Forcing U.S. citizens and companies to adopt so-called key recovery systems poses serious security risks, especially when the systems can be accessed without the knowledge of the users. A recent study by 11 cryptography and computer security experts concluded that such key recovery systems would be costly and ultimately insecure (see http://www.crypto.com/key_study) CDT executive director Jerry Berman said of the latest proposal, "This is not the first step towards the surveillance society. It *is* the surveillance society." ______________________________________________________________________________ (2) TEXT OF MANDATORY KEY RECOVERY SECTION OF FBI DRAFT LEGISLATION (From FBI "Technical Assistance Draft" Dated August 28, 1997) SEC. 105. PUBLIC ENCRYPTION PRODUCTS AND SERVICES (a) As of January 1, 1999, public network service providers offering encryption products or encryption services shall ensure that such products or services enable the immediate decryption of communications or electronic information encrypted by such products or services on the public network, upon receipt of a court order, warrant, or certification, pursuant to section 106, without the knowledge or cooperation of the person using such encryption products or services. (b) As of January 1, 1999, it shall be unlawful for any person to manufacture for sale or distribution within the U.S., distribute within the U.S., sell within the U.S., or import into the U.S. any product that can be used to encrypt communications or electronic information, unless that product - (1) includes features, such as key recovery, trusted third party compatibility or other means, that (A) permit immediate decryption upon receipt of decryption information by an authorized party without the knowledge or cooperation of the person using such encryption product; and (B) is either enabled at the time of manufacture, distribution, sale, or import, or may be enabled by the purchaser or end user; or (2) can be used only on systems or networks that include features, such as key recovery, trusted third party compatibility or other means, that permit immediate decryption by an authorized party without the knowledge or cooperation of the person using such encryption product. (c) (1) Within 180 days of the enactment of this Act, the Attorney General shall publish in the Federal Register functional criteria for complying with the decryption requirements set forth in this section. (2) Within 180 days of the enactment of this Act, the Attorney General shall promulgate procedures by which data network service providers and encryption product manufacturers, sellers, re-sellers, distributors, and importers may obtain advisory opinions as to whether a decryption method will meet the requirements of this section. (3) Nothing in this Act or any other law shall be construed as requiring the implementation of any particular decryption method in order to satisfy the requirements of paragraphs (a) or (b) of this section. ______________________________________________________________________________
Current thread:
- IP: New FBI Crypto Bill To Force Key Recovery David Farber (Sep 11)