IP: CDT POLICY POST -- Administration Proposes Domestic

[David Farber <farber () cis upenn edu>]

-----------------------------------------------------------------------------
    _____ _____ _______
   / ____|  __ \__   __|   ____        ___               ____             __
  | |    | |  | | | |     / __ \____  / (_)______  __   / __ \____  _____/ /_
  | |    | |  | | | |    / /_/ / __ \/ / / ___/ / / /  / /_/ / __ \/ ___/ __/
  | |____| |__| | | |   / ____/ /_/ / / / /__/ /_/ /  / ____/ /_/ (__  ) /_
   \_____|_____/  |_|  /_/    \____/_/_/\___/\__, /  /_/    \____/____/\__/
   The Center for Democracy and Technology  /____/      Volume 3, Number 2
----------------------------------------------------------------------------
      A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
 CDT POLICY POST Volume 3, Number 2                       March 26, 1997


 CONTENTS: (1) Administration Proposes Domestic Encryption Controls
       
(1) ADMINISTRATION PROPOSES DOMESTIC ENCRYPTION CONTROLS


The Clinton Administration has drafted legislation to control the domestic
use of encryption technologies and compel participation in key recovery
systems open to the government. The bill would:


* Create a vast new government-dominated "key management infrastructure"
  designed to be a prerequisite for participation in electronic
  commerce.


* Compel people to use key recovery as a condition of participating in
  the key management infrastructure.


* Require the disclosure of private keys held by third parties,
  without a court order and upon mere written request of any law
  enforcement or national security agency.


CDT has obtained a draft of the proposed bill, which the Administration has
floated to several members of Congress. To the best of our knowledge, the
bill does not yet have a supporter on the Hill.


The text of the draft is available online at http://www.cdt.org/crypto/
________________________________________________________________________
SHORT SUMMARY


The proposed bill would destroy any prospect of privacy and security on the
Internet by opening a huge window of vulnerability to the private
communications of Internet users.  An initial analysis of the proposal by
CDT reveals the following significant concerns:


1. EASY ACCESS TO PRIVATE COMMUNICATIONS BY LAW ENFORCEMENT:


   Under the proposal, the government is granted carte blanche access to
   private decryption keys through a "subpoena" or "written
   authorization in a form to be specified by the Attorney General,"
   whenever the government has encrypted information (Sec. 302).


   The draft bill specifies no further standards for the release of keys
   and PROHIBITS notice to the person whose key has been revealed.


   The Administration's proposal would dramatically increase law
   enforcement surveillance authority by allowing access to decryption
   keys without a court order.


   Current electronic surveillance law requires law enforcement to obtain a
   Title III court order, upon a showing of probable cause, before
obtaining the
   contents of an electronic communication or data from a wiretap.


2. NEW DOMESTIC CONTROLS ON ENCRYPTION TECHNOLOGY:


   Until now, the debate over encryption policy has centered on US
   export controls, which have had the indirect but intended effect of
   limiting the availability of strong, easy-to-use encryption
   technologies inside the United States.


   The Administration's proposal for the first time explicitly
   encourages the use of key recovery inside the United States.  The
   bill seeks to accomplish this by granting government approved "Key
   Recovery Agents" and "Certificate Authorities" immunity for
   mishandling keys.


3. COMPELLED USE OF KEY RECOVERY DOMESTICALLY:


   While the Administration claims that its proposal is voluntary, the
   draft uses a variety of means to force use of government-approved
   key-recovery agents.


   In other words, in order to conduct business, engage in electronic
   commerce, or have a secure communication online, individuals would be
   compelled to use encryption systems with GUARANTEED GOVERNMENT
   ACCESS.


   Broadly speaking, a public key infrastructure would enable users to
   clearly identify the people they are communicating with and
   facilitate key management, and is widely viewed as an important
   component of a secure and trusted communications environment.
   However, the administration's proposal would establish this
   infrastructure at a heavy price: All users of the public key
   infrastructure would have to ensure government access to their
   encryption keys upon a mere government request.
________________________________________________________________________
MORE TO COME


CDT will post a detailed analysis of the Administration's proposal on our
Encryption Policy Issues Page (URL below) shortly.  The full text of the
Administration's draft is available now.


Bills are currently pending in both the House and Senate to relax US
encryption export controls and promote the widespread availability of
strong, easy-to-use encryption technologies to protect privacy and security
on the Internet.  Two of these bills (S. 377 - the 'Promotion of Commerce
Online in the Digital Era (Pro-CODE) Act of 1997' and HR --, the 'Security
and Freedom through Encryption (SAFE) Act of 1997' were the subject of
Congressional Hearings last week. Detailed background information on both
proposals is available at CDT's encryption policy issues page and the
Encryption Policy Resource Page (URLs below)


* CDT's Encryption Policy Issues Page   -- http://www.cdt.org/crypto
* the Encryption Policy Resource Page   -- http://www.crypto.com/