June 19, 1997 6:00 PM PDT

Pro-Code bill all but dead

With the swiftness of a palace coup, one encryption bill has replaced its ideological rival as the center of the contentious debate over how much freedom Internet users should have in protecting their private correspondence.

Just days after its introduction, the Secure Public Networks Act has passed a major hurdle and usurped center stage from the Pro-Code bill sponsored by Sen. Conrad Burns (R-Montana). The former seeks to impose domestic "key recovery" controls on encryption use, almost a complete turnaround from the Burns bill's aim to ban any federally mandated key recovery scheme either for domestic use or for exported software.

Under such a system, the cryptographic keys used to decode encrypted information must be available by court order if a law enforcement agency needs to unscramble data in the investigation of a crime.

Pro-Code supporters this week jeered at the new bill, sponsored by Senators John McCain (R-Arizona) and Bob Kerrey (D-Nebraska). The industry association Software Publishers Association called it "dead on arrival." It was dead wrong. (See related story)

The McCain-Kerrey bill passed on a voice vote today more or less intact, all but replacing Pro-Code as the main encryption bill in the Senate. Burns's press secretary, Matt Raymond, admitted that Pro-Code is going nowhere, even after it was hastily amended to provide a compromise alternative to McCain-Kerrey.

"We don't see this, however, as the end of the goals contained in Pro-Code," Raymond said.

Given today's last minute amendment, it is unclear what those goals have become. Part of the amendment required key recovery in any exported product over 56 bits, no different from the administration's current regulations that Pro-Code once sought to overturn. The amended Pro-Code was nonetheless voted down 12-8.

One observer of today's proceedings who asked not to be identified underlined how quickly the terms of the debate have changed. "Burns knew he wasn't going to win this one," the observer said.

Burns and his supporters hope to have more opportunities to tinker with the McCain-Kerrey legislation, which mandates key recovery for encryption purchased by the government and for public networks even partially funded by the government. It would also make electronic commerce difficult for users who refuse to register their encryption keys with a key recovery agent.

McCain-Kerrey will most likely head to the Senate Judiciary Committee, where chairman Orrin Hatch (R-Utah) has put encryption hearings on the agenda. There is also talk of the bill going to the Intelligence Committee.

"If it ends up on Senate floor, it's very unlikely that it'll look like it does today," said SPA chief technologist Lauren Hall. The SPA had lobbied hard for Pro-Code and will now focus its efforts on key senators and on promoting the SAFE Act, a House bill that, like the previous Pro-Code, seeks to ban most export restrictions.

McCain-Kerrey has gone through some changes already. Sen. John Kerry (D-Massachusetts) added language to create an advisory board where software companies could complain that foreign products without key recovery were posing a threat to the competitiveness of American software firms. The board would consist of four industry representatives, the Commerce Department secretary, and representatives from the National Security Agency, the FBI, and the CIA.

The SPA's Hall questioned how such a board will help counteract foreign products as they hit the market: "It puts industry in position of having to ask to do business overseas. That's not the best way to preserve American competitiveness. How likely is it that a foreign competitor will call up an American company and say, 'Hey, we're about to release a competing product?'"

Sen. Bill Frist (R-Tennessee) successfully introduced four amendments that require the following:

  • The process of getting a subpoena to obtain private keys must be as stringent as obtaining any other type of subpoena.

  • Government communications systems must operate with key recovery.

  • The National Institute of Science and Technology and the Justice and Defense departments must publish a reference implementation plan for key recovery systems, as well as a definition of key recovery.

  •  

    Join the conversation

    Add your comment

    The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

    What's Hot

    Discussions

    Shared

    RSS Feeds

    Add headlines from CNET News to your homepage or feedreader.