Interesting People mailing list archives

IP: Notes on the NRC Crypto Report and Briefing


From: Dave Farber <farber () central cis upenn edu>
Date: Thu, 30 May 1996 17:59:20 -0400

Danny reported this for IP and CDT .. djf




Date: Thu, 30 May 1996 17:49:40 -0400
To: farber () central cis upenn edu
From: <djw () cdt org> (Daniel J. Weitzner)


From the National Research Council briefing introducing the report
"Cryptography's Role in Securing the Information Society":


Today in Washington, a blue ribbon panel of experts released a
comprehensive report on the state of US encryption policy that calls into
question the Administration's current cryptography policy. The 500 page
report, sponsored by the National Research Council (NRC), highlights the
need for strong, reliable encryption to protect individual privacy, provide
security for businesses, and maintain national security.


Among other things, the report describes how the current US encryption
policy is not working, notes that classified information is not relevant to
the policy debate, and outlines the adverse impact export restrictions have
had on the domestic market.  In addition, the study emphasizes that market
forces and user choices, not law enforcement or national security
interests, should drive the development of encryption technologies and the
debate over US cryptography policy.


The report, entitled "Cryptography's Role in Securing the Information
Society", provides an important starting point for an honest and open
debate on this critical issue. A summary of the report's most important
findings and an overview of its policy recommendations is included below.


OVERVIEW OF SOME OF THE REPORT'S MOST IMPORTANT FINDINGS
--------------------------------------------------------


For the past 3 years, the US government has attempted to leverage the need
for strong encryption and the desire of US businesses to export strong
privacy and security products as a means to impose key-escrow encryption. The
result of this has been a policy morass which has stifled innovation,
limited the availability of strong, easy to use encryption technologies,
and endangered the ability of US companies to compete in the global
information marketplace.


While acknowledging the complexities and challenges associated with the
encryption policy debate, the study's findings directly undermine the
Administration's current approach to cryptography policy. The report
concludes by noting that "Widespread commercial and private use of
cryptography in the United States and abroad is inevitable in the long run
and that its advantages, on balance, outweigh its disadvantages.  The
committee concluded that the overall interests of the government and the
nation would best be served by a policy that fosters a judicious transition
toward the broad use of cryptography."


The NRC study identified several critical issues:


* CURRENT US ENCRYPTION POLICY IS NOT WORKING:  The study is highly
  critical of the current ad-hoc approach to US encryption policy,
  particularly the reliance on export controls. The study states
  explicitly, "Current national cryptography policy is not adequate to
  support the information security requirements of an information
  society."


  The study goes on to note, "Indeed, current policy discourages the use
  of cryptography, whether intentionally or not, and in so doing impedes
  the ability of the nation to use cryptographic tools that would help
  to remediate certain important vulnerabilities.  For example, through
  the use of export controls, national policy has explicitly sought to
  limit the use of encryption abroad but has also had the effect of
  reducing the domestic availability to businesses and other users of
  products with strong encryption capabilities."


* CLASSIFIED INFORMATION IS NOT RELEVANT TO THE POLICY DEBATE: The NRC
  report explicitly states that classified information is "not
  particularly relevant" to the policy debate. The study states, "The
  debate over national cryptography policy can be carried out in a
  reasonable manner on an unclassified basis."  The study goes on to
  note, "Although many of the details relevant to policy makers are
  necessarily classified, these details are not central to making policy
  arguments one way or another. Classified material, while important to
  operational matters in specific cases, is neither essential to the big
  picture or why policy has the shape and texture that it does today nor
  required for the general outline of how technology will, and why
  policy should, evolve in the future."


  This is a startling revelation which will profoundly alter the
  encryption policy debate.  No longer can the government claim, "If you
  knew what we knew, you would understand this issue." It also suggests
  that, while national security and law enforcement interests are an
  important element in the debate, there is no "secret-silver-bullet"
  which trumps all other considerations.


  From now on, the debate over cryptography policy should occur in the
  open, with all issues aired publicly.  By removing its arguments from
  the veil of secrecy, the government can go a long way towards building
  the trust of the public.


* EXPORT CONTROLS DO INFLUENCE THE DOMESTIC MARKET AND HARM
  COMPETITIVENESS OF US INDUSTRY: The NRC study confirms
  what civil liberties advocates and the computer industry have long
  argued: that the current administration policy of limiting the export
  of strong encryption is impacting the domestic market and harming US
  business.


  The study states, "Export controls also have had the effect of
  reducing the domestic availability of products with strong encryption
  capabilities... Thus, domestic users face a more limited range of
  options for strong encryption than they would in the absence of
  export controls."


* MARKET FORCES, NOT GOVERNMENT INTERESTS, SHOULD DRIVE THE POLICY
  DEBATE: The study stresses that the domestic availability of
  encryption should not be restricted in any way, and that the market of
  individual users, rather than the government's interests, should drive
  the development of technology and policy.


  The study notes, "As cryptography has assumed a greater importance to
  non government interests, national cryptography policy has become
  increasingly disconnected from market reality and the needs of parties
  in the private sector ... A national cryptography policy that is
  aligned with market forces would emphasize the freedom of domestic
  users to determine cryptographic functionality, protections, and
  implementations according to their security needs as they see fit."


The study is without a doubt the most comprehensive and balanced analysis
of the complex encryption policy debate yet published.
While stressing the need for strong encryption to protect individual
privacy and maintain the competitiveness of US industry in the global
marketplace, the report also acknowledges the real challenges posed to law
enforcement and national security by the global proliferation of strong
encryption technologies. The authors of the study deserve great credit for
their work in producing what will clearly become the basis for an open and
honest public debate over the need to reform US encryption policy.


******


A complete analysis of the report will be posted on the Center for
Democracy and Technology's web site at <http://www.cdt.org/crypto>.


Information on how to obtain a copy of the document is available at
<http://www2.nas.edu/cstbweb/>.


******








========================NOTE NEW MAILING ADDRESS=============================
Daniel J. Weitzner, Deputy Director                       <djw () cdt org>
Center for Democracy and Technology                       202.637.9800 (v)
1634 Eye St., NW Suite 1100                               202-637.0968 (f)
Washington, DC 20006                                      http://www.cdt.org/


* PROTECT THE INTERNET AND THE FUTURE OF FREE SPEECH IN THE INFORMATION AGE *
      Join the legal challenge against the Communications Decency Act!
               For More Information, Visit the CIEC Web Page
                         http://www.cdt.org/ciec/
                       or email <ciec-info () cdt org>

