IP: The details == House Committee Passes Domestic Crypto

[David Farber <farber () cis upenn edu>]

Date: Thu, 11 Sep 1997 23:28:50 -0700 (PDT)
From: Declan McCullagh <declan () well com>
Reply-To: Declan McCullagh <declan () well com>
To: David Farber <farber () cis upenn edu>




Dave,


On Thu, 11 Sep 1997, you forwarded a message from Alan Davidson:


> As of 5:00 pm ET, the Committee has not released legislative language or
> any details of the proposal


I got a copy of the new SAFE bill this afternoon. Here's my brief summary
of the amended legislation, as approved by the Intelligence committee this
morning: 


SELLING CRYPTO: Selling unapproved encryption products (that do not
include "immediate access to plaintext") becomes a federal crime,
immediately after this bill becomes law. Five years in jail plus
fines. Distributing, importing, or manufacturing such products
after January 31, 2000 is another crime.


NETWORK PROVIDERS: Anyone offering scrambled "network service"
including encrypted web servers or even "ssh" would be required to
build in a backdoor for the government by January 31, 2000. This
backdoor must provide for "immediate decryption or access to
plaintext of the data."


TECHNICAL STANDARDS: The Attorney General will publish technical
requirements for such backdoors in network service and encryption
products, within five months after the president signs this bill.


LEGAL TO USE CRYPTO: "After January 31, 2000, it shall not be
unlawful to use any encryption product purchased or in use prior to
such date."


GOVERNMENT POWERS: If prosecutors think you may be selling,
importing, or distributing non-backdoor'd crypto or are "about" to
do so, they can sue. "Upon the filing of the complaint seeking
injunctive relief by the Attorney General, the court shall
automatically issue a temporary restraining order against the party
being sued." Also, there are provisions for holding secret
hearings, and "public disclosure of the proceedings shall be
treated as contempt of court." You can request an advisory opinion
from the government to see if the program you're about to publish
violates the law.


ACCESS TO PLAINTEXT: Courts can issue orders, ex parte, granting
police access to your encrypted data. But all the government has to
do to get one is to provide "a factual basis establishing the
relevance of the plaintext" to an investigation. They don't have to
demonstrate probable cause, which is currently required for a
search warrant. More interestingly, this explicitly gives the FISA
court jurisdiction (yes, the secret court that has never denied a
request for a wiretap). If they decode your messages, they'll tell
you within 90 days.


GOVERNMENT PURCHASING: Federal government computer purchases must
use a key escrow "immediate decryption" backdoor after 1998. Same
with networks "purchased directly with Federal funds to provide the
security service of data confidentially." Such products can be
labeled "authorized for sale to U.S. government"


ENCRYPTION EXPORTS: The Defense & Commerce departments will control
exports of crypto. Software "without regard to strength" can be
exported if it includes a key escrow backdoor and is first
submitted to the government. Export decisions aren't subject to
judicial review, and the "president may by executive order waive
any provision of this act" if he thinks it's a threat to national
security. Within 15 days, he must send a classified briefing to
Congress.


ADVISORY PANEL: Creates the Encryption Industry and Information
Security Board, with seven members from Justice, State, FBI, CIA,
White House, and six from the industry. 


INTERNATIONAL: The president can negotiate international agreements
and perhaps punish noncompliant governments. Can you say "trade
sancation?"


Next the Commerce Committee will vote on SAFE, and a former FBI
agent-turned-Congressman is vowing to ensure that similar language to this
is included. (The committees are voting on the bill in parallel, and a
four-person team of Congressmen is working to forge a compromise before
Commerce votes.) Then the heads of the five committees that have rewritten
the legislation will sit down and work out another compromise. If it's
acceptable to the House Rules committee -- and if the FBI/NSA get what
they want it will be -- the bill can move to the floor for a vote.


That's why the encryption outlook in Congress is abysmal. Crypto-advocates
have lost, and lost miserably. A month ago, the debate was about export
controls. Now the battle is over how strict the //domestic// controls will
be. It's sad, really, that so many millions of lobbyist-dollars were not
just wasted, but used to advance legislation that has been morphed into a
truly awful proposal.


I wrote more about this at:


  http://cgi.pathfinder.com/netly/opinion/0,1042,1385,00.html


-Declan