May 12, 1998 1:30 PM PDT
Bill seeks crypto compromise
As reported earlier, Sen. John Ashcroft (R-Missouri) and Sen. Patrick Leahy's (D-Vermont) so-called E-Privacy Act would relax the Clinton administration's rules that limit the export of strong encryption products and requires that products shipped overseas eventually support key-recovery systems. Key recovery gives law enforcement officials who have obtained a court order a "spare key" to unlock the codes that secure email or computer files.
But in return for lifting some export regulations, the bill also carves out some concessions for law enforcement officers, who say encryption helps high-tech criminals cover their tracks. For example, it would be illegal to encrypt "incriminating" documents.
Software industry trade groups have long opposed the key-recovery mandate on grounds that it inhibits the ability of U.S. companies to compete against foreign competitors that are unrestricted--although some in the industry favor voluntary recovery schemes.
Consumer advocates say the rules threaten privacy because approved 56-bit crypto export products are easily cracked and therefore virtually ineffective.
Drafted in part by the Americans for Computer Privacy, the E-Privacy Act would lift the crypto export regulations for products that generally are available on the international market. The bill also would prohibit the government from mandating within those products key-recovery systems or key escrow, in which copies of people's private crypto keys are stored with licensed third parties or the government.
Moreover, the right to use or sell encryption products of any strength would be secured for people in the United States. But "exports to certain unfriendly nations such as North Korea, Iraq, or Libya are absolutely prohibited," the bill states.
However, before being cleared for export, all encryption products would have to submit to a one-time technical review by the Commerce Department. Furthermore, a joint government-industry board could be established under the bill to determine when foreign suppliers plan to release encryption products that are stronger than U.S. technology.
"There's been a push for legislation which would require individuals to hand over the 'keys' to their private computer files," Ashcroft said in a statement today. "Innocent citizens are expected to trust the bureaucracy not to abuse their personal information, in spite of actions to the contrary by agencies such as the IRS and the FBI. The E-Privacy Act addresses these concerns by balancing privacy rights with legitimate concerns of law enforcement."
In addition, the bill would ban legislative efforts to connect encryption export relief with other security technologies, such as digital certificates or signatures. At least one proposal floated in Congress last year attempted to link domestic key-recovery mandates with the licensing of digital certificate authorities. Digital certificates establish and verify the identity of senders of encrypted communication such as financial transactions, and are touted as a critical element in the success of e-commerce.
Privacy advocates applauded the bill's protections for encrypted data stored on computer networks.
"Under current law, data stored on computer networks outside of a person's possession may receive limited privacy protections. This data may be accessible to government officials without the owner's knowledge and without supervision by the courts," stated the Center for Democracy and Technology's (CDT) analysis of the bill. "The E-Privacy Act would create new standards protecting networked data as if it were stored in an individual's possession. The act would require a court order based upon probable cause, or a subpoena that the information's owner has a meaningful opportunity to challenge."
But the Ashcroft-Leahy bill also makes room for the concerns of law enforcement officers who are worried that strong encryption aids criminals.
For example, the proposal would make it a felony to use encryption to "conceal incriminating communications or information about a crime."
Also, a National Electronic Technology (NET) Center would be set up to bring together encryption makers and nationwide investigators who need assistance in decrypting messages to bust suspected criminals. To break a code, investigators would have to get the same federal court clearance necessary to conduct a wiretap. In some cases, such as getting the keys from a third party, law enforcement could simply obtain a subpoena, however.
Both provisions concern civil liberties groups, but the industry is hopeful that the E-Privacy Act will be the encryption debate compromise embraced by Congress, the president, and the FBI, because other export relief bills have never been cleared.
The Clinton administration's position on export limits has constantly shifted with the tide--from mandating key-recovery in 1996 to last month's admission by a high official that the policy is a failure.
"We strongly support the Ashcroft-Leahy bill. When I look at this bill and compare it against what the administration's position has been, I can't find any reason why it would not support this bill," said Lauren Hall, chief technologist for the Software Publishers Association.
"This bill is a good step forward," she added. "It allows the export of encryption products to foreign market segments where similar products already exist. Law enforcement always has argued that export controls prevent encryption from falling into the wrong hands, but in those market segments those arguments are invalid."
Groups such as the Electronic Privacy Information Center (EPIC) and the CDT oppose the criminal provision, which is similar to a condition in Rep. Bob Goodlatte's (R-Virginia) Security and Freedom through Encryption Act (SAFE), now sitting idle in the House.
"It may, for instance, be the case that a typewritten ransom note poses a more difficult challenge for forensic investigators than a handwritten note. But it would be a mistake to criminalize the use of a typewriter simply because it could make it more difficult to investigate crime in some circumstances," stated EPIC's analysis of the bill.
"If the concern is that encryption techniques may be used to obstruct access to evidence relevant to criminal investigations, we submit that the better approach may be to rely on other provisions in the federal and state criminal codes," EPIC added.
EPIC and the CDT also discouraged the creation of the NET Center.
"The NET Center proposal, if approved, would constitute a fundamental redefinition of the relationship between intelligence agencies and domestic law enforcement," EPIC stated. "Such an approach would ignore 50 years of experience and would pose a serious threat to the privacy and constitutional rights of Americans."
In the coming months these privacy concerns probably will be weighed, but it is unlikely that law enforcement will easily give up its two prominent allowances under the E-Privacy Act. Since the battle over the encryption regulations has raged for more than three years, many say the E-Privacy Act is the best fix.
"If anyone is looking for the compromise to resolve this difficult but important issue, this is it," Sen. Conrad Burns (R-Montana), who introduced the now-defunct Pro-Code encryption export relief bill, said in a statement.
"It is time to move the debate forward," Burns added. "When our high-technology sector gets the sniffles, the world comes down with the flu. Our policies should contribute to the cure, not exacerbate the illness."