Interesting People mailing list archives
IP: Fight-Censorship Dispatch #11: Landmark Crypto Study
From: Dave Farber <farber () central cis upenn edu>
Date: Thu, 30 May 1996 20:48:27 -0400
-----------------------------------------------------------------------------
                       Fight-Censorship Dispatch #11
-----------------------------------------------------------------------------
              Landmark NRC crypto policy report released
-----------------------------------------------------------------------------
   By Declan McCullagh / declan () well com / Redistribute freely
-----------------------------------------------------------------------------

In this dispatch:

  National Research Council releases crypto policy study
  Summary of NRC report recommendations
  Update on online copyright legislation and the CDA

May 30, 1996

WASHINGTON, DC -- The National Research Council released their hefty, long-awaited report on crypto policy today at a two-hour briefing this afternoon at the National Press Club in Washington, DC.

The NRC's Computer Science and Telecommunications Board's congressionally-mandated study, named "Cryptography's Role in Securing the Information Society," calls for no restrictions on domestic use of crypto but falls short of recommending that export controls should be eliminated. Instead, the report says that controls "should be progressively relaxed."

The inch-thick study is certain to pack a sizeable wallop in the DC crypto policy debate, coming on the heels of the Clinton administration's "Clipper III" white paper and the crypto legislation pending in Congress.

Kenneth Dam, a law professor at the University of Chicago and the chair of the NRC committee, summed it up: "We're going to have a national public debate and Congress has to be involved. We hope this report contributed to it."

After Dam's overview, Marc Rotenberg from EPIC asked: "There are many issues left unresolved or open by your report. What happens next with key escrow?" Rotenberg also asked about the right to speak anonymously online, which the report didn't address.

Dam hedged, as he did throughout the Q&A session: "We did not set out to evaluate key escrow. With regard to the right to speak anonymously, we saw nothing in our report that requires us to take a position. Accountability is a competing interest. It was not vital to our report."

The RAND Corporation's Willis Ware clarified: "We by no means advocate authentication in a universal sense."

Strangely, the executive summary doesn't even mention Pretty Good Privacy -- the NRC only recommended that 56-bit DES "should be easily exportable," ignoring PGP completely. The text of Recommendation 4.1 says "products providing confidentiality at a level that meets most general commercial requirements should be easily exportable." But does that cover the export of PGP?

The report also says, in Recommendation 5.4, that Congress should consider legislation that would criminalize the use of crypto to commit a Federal crime. This portion also attracted flames. Some audience members wondered if this means crypto would continue to be treated as a munition, like guns, that can be regulated.

Bottom line: the report is much more favorable than we hoped for, though it doesn't have everything we want. It *is* surprisingly pro-crypto considering that all but three of the 16 committee members had security clearances and were subjected to the NSA's classified briefing -- widely rumored to be designed to scare the recipient into agreeing to restrictions on encryption.

As David Sobel from EPIC told me: "These people *did* know what the NSA knew -- but they still rejected the administration's policy."

CDT's Danny Weitzner wrote: "The study is without a doubt the most comprehensive and balanced analysis of the complex encryption policy debate yet published."

Fortunately, the voluminous report comes with a 35-page executive summary that's available at <http://www2.nas.edu/cstbweb/>. The full text of the report will be available online next week. (Pre-publication hardcopies were distributed at the briefing and will be available from the National Academy Press for $45. Call 202-334-2605 in two months.)

+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+
                  SUMMARY OF NRC REPORT RECOMMENDATIONS
+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+

Recommendation 1: No law should bar the manufacture, sale, or use of any form of encryption within the United States.

Recommendation 2: National cryptography policy should be developed by the executive and legislative branches on the basis of open public discussion and governed by the rule of law.

Recommendation 3: National cryptography policy affecting the development and use of commercial cryptography should be more closely aligned with market forces.

Recommendation 4: Export controls on cryptography should be progressively relaxed but not eliminated.

  4.1 -- Products providing confidentiality at a level that meets most general commercial requirements should be easily exportable. Today, products with encryption capabilities that incorporate 56-bit DES provide this level of confidentiality and should be easily exportable.

  4.2 -- Products providing stronger confidentiality should be exportable on an expedited basis to a list of approved companies if the proposed product user is willing to provide access to decrypted information upon legally authorized request.

  4.3 -- The U.S. government should streamline and increase the transparency of the export licensing process for cryptography.

Recommendation 5: The U.S. government should take steps to assist law enforcement and national security to adjust to new technical realities of the information age.

  5.1 -- The U.S. government should actively encourage the use of cryptography in nonconfidentiality applications such as user authentication and integrity checks.

  5.2 -- The U.S. government should promote the security of the telecommunications networks more actively. At a minimum, the U.S. government should promote the link encryption of cellular communications and the improvement of security at telephone switches.

  5.3 -- To better understand how escrowed encryption might operate, the U.S. government should explore escrowed encryption for its own uses. To address the critical international dimensions of escrowed communications, the U.S. government should work with other nations on this topic.

  5.4 -- Congress should seriously consider legislation that would impose criminal penalties on the use of encrypted communications in interstate commerce with the intent to commit a federal crime.

+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+
           UPDATE ON ONLINE COPYRIGHT LEGISLATION AND THE CDA
+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+

ON THE CDA: Folks involved in the case expect a decision within the next week from the Philadelphia three-judge panel hearing our challenge to the CDA. The Department of Justice has a few weeks to appeal to the Supreme Court if they lose.

ON COPYRIGHT: There's plenty of action on the Hill -- and contrary to what I thought a week ago, there's even a fighting chance that this braindead copyright bill will pass this year. So far, full Senate judiciary and the House judiciary intellectual property subcommittee have held hearings. The House has taken the lead now, and the tentative date for the subcommittee markup of HR2441 is June 5. (It was to have been last week, but was cancelled at the last minute when no agreement was reached.)

As Brock Meeks wrote in his Muckraker column on HotWired:

Both bills contain intellectual property land mines. If they aren't defused, all online service providers - from the single-line BBS to commercial online services to internet service providers - could end up as de facto "copyright cops," made to rig their systems so that they can monitor every single bit of information trafficked by their users.

Reason: both bills hold online service providers liable for any infringing information passing through or stored on their system.

There are other reasons not to like this bill, including language that makes surfing the Net a copyright violation unless you happen to have a "license" for hitting a particular site with your browser. You see, the courts have ruled that simply sucking bits into your computer's memory, i.e. surfing, is the same as making a copy of something. No, I'm not making this up.

Stay tuned for more reports.

-----------------------------------------------------------------------------

Mentioned in this Fight-Censorship Dispatch:

  NRC report overview text: <http://www2.nas.edu/cstbweb/28e2.html>
  Info on online copyright legislation: <http://www.ari.net/dfc/>
  Brock Meeks' column on online copyright: <http://www.hotwired.com/muckraker/96/20/index3a.html>

This and previous Fight-Censorship Dispatches are available at:
  <http://fight-censorship.dementia.org/top/>

Want to subscribe to the low-traffic, moderated fight-censorship announcement mailing list for future Fight-Censorship Dispatches and related messages? Send "subscribe fight-censorship-announce" in the body of a message addressed to:
  majordomo () vorlon mit edu

Other relevant web sites:
  <http://www.eff.org/>
  <http://www.cdt.org/>
  <http://www.aclu.org/>
  <http://www.ala.org/>