Interesting People mailing list archives

IP: New FBI Crypto Bill To Force Key Recovery


From: David Farber <farber () cis upenn edu>
Date: Thu, 11 Sep 1997 04:37:54 -0400

------------------------------------------------------------------------------
    _____ _____ _______
   / ____|  __ \__   __|   ____        ___               ____             __
  | |    | |  | | | |     / __ \____  / (_)______  __   / __ \____  _____/ /_
  | |    | |  | | | |    / /_/ / __ \/ / / ___/ / / /  / /_/ / __ \/ ___/ __/
  | |____| |__| | | |   / ____/ /_/ / / / /__/ /_/ /  / ____/ /_/ (__  ) /_
   \_____|_____/  |_|  /_/    \____/_/_/\___/\__, /  /_/    \____/____/\__/
   The Center for Democracy and Technology  /____/     Volume 3, Number 13
----------------------------------------------------------------------------
      A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
 CDT POLICY POST Volume 3, Number 13                    September 8, 1997


 
_____________________________________________________________________________


(1) NEW FBI DRAFT ENCRYPTION LEGISLATION WOULD IMPOSE MANDATORY KEY RECOVERY


In its most audacious crypto proposal yet, the FBI is circulating on
Capitol Hill legislation to impose full domestic controls on the
manufacture and use of encryption.  The FBI is seeking support for its
proposal among two crucial House Committees preparing to consider
encryption legislation this week.


The text of the key section of the FBI draft is attached below.


The FBI draft would take two extraordinary steps. It would prohibit the
manufacture, sale, import or distribution within the United States of any
encryption product unless it contains a feature that would create a spare
key or some other trap door allowing "immediate" decryption of any user's
messages or files without the user's knowledge.


In addition, it would require all network service providers that offer
encryption products or services to their customers to ensure that all
messages using such encryption can be immediately decrypted without the
knowledge of the customer.  This would apply to telephone companies and to
online service providers such as America Online and Prodigy.


In the FBI draft, the "key recovery capability" could be activated by the
purchaser or end user.  But requiring that such a capability be installed
in all domestic communications networks and encryption products would be
the critical step in enabling a national surveillance infrastructure.


The proposal requires the Attorney General to set standards for what are
and are not acceptable encryption products. The proposal's requirement of
"immediate" decryption would seem to seriously limit the options available
to encryption manufacturers seeking approval of their products.


While export of encryption products from the United States has long been
restricted, there have never been controls on the manufacture,
distribution, or use of encryption within the United States.


Pending before the House Intelligence and National Security Committees is
the Security and Freedom through Encryption Act (SAFE, HR 695), sponsored
by Rep. Goodlatte (R-VA), which would lift current export controls on
encryption technology. The Goodlatte bill has already been reported
favorably by the House Judiciary and International Relations Committees.
The House National Security Committee is scheduled to consider HR 695 on
Tuesday, September 9. The House Intelligence Committee has scheduled its
vote for September 11. Members of both committees are expected to consider
the FBI draft as a substitute to the SAFE bill.


This FBI proposal represents a major turn-around for the Clinton
Administration, which has denied since its first year that it was seeking
domestic controls on encryption.


The FBI proposal is an attempted end run around the Constitution.  By
creating an avenue for immediate access to sensitive decryption keys
without the knowledge of the user, the proposal denies users the notice
that is a central element of the Fourth Amendment protection against
unreasonable searches and seizures.  Just this past April, the Supreme
Court reaffirmed that the Fourth Amendment normally requires the government
to advise the target of a search and seizure that the search is being
conducted.


Forcing U.S. citizens and companies to adopt so-called key recovery systems
poses serious security risks, especially when the systems can be accessed
without the knowledge of the users.  A recent study by 11 cryptography and
computer security experts concluded that such key recovery systems would be
costly and ultimately insecure (see http://www.crypto.com/key_study).


CDT executive director Jerry Berman said of the latest proposal, "This is
not the first step towards the surveillance society. It *is* the
surveillance society."


______________________________________________________________________________


(2) TEXT OF MANDATORY KEY RECOVERY SECTION OF FBI DRAFT LEGISLATION
    (From FBI "Technical Assistance Draft" Dated August 28, 1997)


SEC. 105. PUBLIC ENCRYPTION PRODUCTS AND SERVICES


(a)    As of January 1, 1999, public network service providers offering
encryption products or encryption services shall ensure that such products
or services enable the immediate decryption of communications or electronic
information encrypted by such products or services on the public network,
upon receipt of a court order, warrant, or certification, pursuant to
section 106, without the knowledge or cooperation of the person using such
encryption products or services.


(b)    As of January 1, 1999, it shall be unlawful for any person to
manufacture for sale or distribution within the U.S., distribute within the
U.S., sell within the U.S., or import into the U.S. any product that can be
used to encrypt communications or electronic information, unless that
product -


       (1) includes features, such as key recovery, trusted third party
       compatibility or other means, that


           (A) permit immediate decryption upon receipt of decryption
           information by an authorized party without the knowledge or
           cooperation of the person using such encryption product; and


           (B) is either enabled at the time of manufacture, distribution,
           sale, or import, or may be enabled by the purchaser or end user; or


       (2) can be used only on systems or networks that include features, such
       as key recovery, trusted third party compatibility or other means, that
       permit immediate decryption by an authorized party without the knowledge
       or cooperation of the person using such encryption product.


(c)  (1) Within 180 days of the enactment of this Act, the Attorney General
     shall publish in the Federal Register functional criteria for complying
     with the decryption requirements set forth in this section.


     (2) Within 180 days of the enactment of this Act, the Attorney General
     shall promulgate procedures by which data network service providers and
     encryption product manufacturers, sellers, re-sellers, distributors, and
     importers may obtain advisory opinions as to whether a decryption method
     will meet the requirements of this section.


     (3) Nothing in this Act or any other law shall be construed as requiring
     the implementation of any particular decryption method in order to satisfy
     the requirements of paragraphs (a) or (b) of this section.


______________________________________________________________________________

