Interesting People mailing list archives

IP: Bidzos of RSA on Rush to Legislation


From: David Farber <farber () cis upenn edu>
Date: Fri, 19 Sep 1997 16:22:00 -0400

Date: Fri, 19 Sep 1997 16:16:05 -0500
To: farber () linc cis upenn edu
From: Vin McLellan <vin () shore net>
Subject: <fyi> Bidzos of RSA on Rush to Legislation


Dave,


Jim Bidzos, the boss at RSA Data Security, bounced a draft of this column
off me.  Given the pace of events in the US Congress, I asked him if I
could pass it on to interested folk online, rather than wait until it gets
ink on paper somewhere.   IP might find it of interest.  I commend the
second to last paragraph to your attention. It's poignant to the point of
painful.


Regards,    _Vin
------------


The Encryption Debate: Too Much at Stake to Rush to Legislation




        Recently, the debate over encryption has intensified. FBI
Director Louis Freeh, in his September 3rd testimony before a
subcommittee of the Senate Judiciary Committee, sought legislation
that would require "key recovery" techniques in all encryption
products made and used in the US. The proposed legislation discussed
at the hearing, S909, the McCain-Kerry bill, would require that
all encryption products manufactured, sold, or used in the US
provide on-demand government access with a properly authorized court
order.


        No one wants to see the FBI stymied in its efforts to do its
public safety job. But unfortunately, the debate in the Senate seems
to suggest that those opposed to S909 are ignorant of national
security concerns, or, worse, willing to put national security at
risk for commercial interests. This situation may cause lawmakers to
overlook the important issues currently missing from the debate: a
clear picture of the potential implications of the legislation the
FBI seeks, and identification of safeguards against abuse of a key
recovery system.


        This debate centers around the use and export of strong
encryption (currently, US companies may not freely export products
with strong encryption) for use by businesses and individuals to
ensure privacy and confidentiality of information in a digital
world.  Strong encryption is essential in order to conduct business
securely and to guard against many forms of espionage, attacks,
computer break-ins and theft of information.  Strong encryption
prevents crime.


        However, the same encryption is also seen as a threat to law
enforcement and national security concerns. They see it hindering,
and possibly preventing them from successfully safeguarding the
public from criminals who will use encryption to conceal their
activities.


        Inside the US, advanced, strong, unescrowed encryption is in use in
tens of millions of products, including every browser sold by
Netscape and Microsoft, and numerous other products. The
international community quickly moved to adopt and deploy
encryption, with companies springing up in Germany, South Africa,
Ireland, Belgium, Switzerland, and Singapore to exploit
opportunities created by US export policy.


        Criticism of S909 comes from three groups.  First, from privacy
advocates and technologists who fear an unmanageable key recovery
system that would invite abuse from within and outside the
government, and significantly weaken the infrastructure on which we
all will depend.  The second group is the computer industry, which
fears that a law requiring products to include US government access
will make them unable to compete in a world where roughly 60% of
their revenues come from outside the US, where their foreign
competitors are not so bound.  Third, US companies operating
internationally are concerned that foreign governments with key
recovery - we assume no foreign government will let the US
government hold the keys - will use it to steal intellectual
property or other valuable business secrets and pass it on to their
own industry. (Using government intelligence to help state-owned
industries win business from US companies is a well-established
practice in France and elsewhere.)  Let's take a closer look at the
first two arguments.


        In the cyber society we are rapidly moving towards, everything
about us will be stored digitally.  Contrary to assertions by the
FBI (which says it only wants to maintain wiretap capabilities as
they have existed since 1968), the proposal for key recovery is not
the digital equivalent of putting alligator clips on phone wires. It
is more like giving the government the keys to our entire personal
and professional lives. Keys that are difficult to control and
track.  And while the FBI says that access will only be by
authorized court order, they have not addressed how controls and
audit will prevent abuse in the form of non-intrusive, surreptitious
use of these valuable keys. The far-reaching implications of such an
unprecedented government capability must be analyzed and debated
further for the protection of all.  Would you allow local and
federal law enforcement to have and store a copy of the key to your
home and your filing cabinets?  It is interesting to note that the
encryption issue is a rare case where both the National Rifle
Association and the Civil Liberties Union are on the same side,
opposed to any law that restricts an individual's use of encryption.


        Industry has legitimate and serious concerns about the effect
S909 will have on their ability to compete in a global marketplace.
The FBI's plan is to require key recovery in products built, sold,
or used in the US.  Clearly, their hope is that the US market, thus
regulated, will sway the international market.  But if other
countries - as Germany already has - choose not to control the
export of encryption or require key recovery, how will US industry
compete?  Even Director Freeh admits that given a choice of
government key recovery and non-government key recovery products,
corporations and individuals will choose the latter.  Having failed
in its attempts to gain international consensus on key recovery, the
administration must, as must the Congress, accept this threat to our
dominance of the high-tech industry as reality.  The threat is
simply that US competitiveness will become a casualty of the
crypto-wars, as we struggle to comply with a law no one fully
understands, and foreign suppliers step in to meet the demand.  With
hundreds of thousands of important, well-paying jobs in an industry
we currently lead at stake, economic well-being must be considered
more carefully as part of the national security formula.


        The chorus of voices supporting an end to government control of
encryption has grown in recent years. It includes millions of
individuals, most of industry; numerous industry groups including
the Software Publisher's Association and the Business Software
Alliance; a majority of the US House of Representatives (1); a
Federal Judge (2), and the California Legislature (3).  These are
organizations and people who have studied this problem closely.
Their position is supported by numerous studies, including one done
by the National Research Council, which urges relaxation of export
controls and a "go slow" policy on key recovery, which it called
unproved.


        There is a fourth group that should be interested, but seems not
to be. That is the Congress itself. Will Congress (and the Judicial
Branch as well) be exempt, and be able to purchase non-key-recovery
products?  Or will the Attorney General and FBI Director have access
to all their most sensitive communications?


        With so much at stake, we can only hope that the Senate will be
willing to look more closely at and hear more voices on this
critical issue before turning S909 into law.  If you have an opinion
on this issue, your representatives in Congress should hear from
you. It's the only vote you'll get.


        **************************************************


        Jim Bidzos is president of RSA Data Security, Inc. of Redwood
City, California, a pioneer in the field of encryption whose
technology is the most widely used in the world.  More information
on the subject, including a "Frequently Asked Questions about
Cryptography" primer, as well as free personal encryption software
with no government access (still legal today), can be found at
www.rsa.com




        (1) More than half of the members of the House are co-sponsors
of the SAFE bill - Security and Freedom Through Encryption - HR695,
authored by Rep. Bob Goodlatte, D-Va., which would prohibit domestic
US government controls on encryption.  However, during the week of
September 8, the House Intelligence Committee modified the SAFE Bill
to look more like McCain-Kerry.


        (2) On August 26, 1997, the Hon. Marilyn Hall Patel ruled
against export control of encryption, saying in part "the encryption
regulations are an unconstitutional prior restraint in violation of
the First Amendment."


        (3)  California Senate Joint Resolution 29 gained final passage
September 5, 1997, when the state Assembly passed, by a vote of
79-0, a resolution calling for the enactment of the SAFE bill.


      Vin McLellan + The Privacy Guild + <vin () shore net>
  53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
                                  -- <@><@> --

