Encryption Legislation

  I. 105th Congress
 II. 104th Congress
III. Clinton Administration Initiatives


105th Congress: 1997

H.R. 695, the Security and Freedom Through Encryption ("SAFE") Bill, introduced by Rep. Goodlatte in February 1997.

The "SAFE" Act:

Gives all Americans the freedom to use any type of encryption anywhere in the world, and allows the sale of any type of encryption domestically;

Prohibits the government from creating a back door into people's computer systems (mandatory key escrow);

Creates criminal penalties for the unlawful use of encryption in furtherance of a crime -- up to 5 years imprisonment for a first offense, and up to 10 years for each subsequent offense; and

Modernizes U.S. export controls to permit the export of generally available software, and other types of software and hardware under a license if a product with comparable security is commercially available from foreign suppliers (creates a level playing field).

http://www.cs.virginia.edu/~jones/www.cdt.org/crypto/legis_105/SAFE/hr695_summary.html

S. 377, the "Pro-CODE" Bill, introduced by Sen. Conrad Burns, Sen. Patrick Leahy and others in February 1997.

Please see the following website:
http://www.cs.virginia.edu/~jones/www.cdt.org/crypto/legis_105/pro_CODE/text.html

"Encrypted Communications Privacy Act" (ECPA II), introduced by Sen. Leahy, Sen. Burns and others in February 1997.

S. 909, the "Secure Public Networks Act" (the McCain-Kerrey bill), introduced by Sen. John McCain (R-AZ) and Sen. Robert Kerrey (D-NE) in June 1997.

S. 909: The McCain-Kerrey Bill -- a revised version of their encryption bill, S.909.

Following are the modifications to the original bill:

EXPORTS -- The Encryption Export Advisory Board, now made up of eight industry representatives and four government representatives, will approve levels of encryption for export based on worldwide availability or anticipatory availability. The President still has the power to veto the Board's decisions, but only as they relate to national security issues, and if a level of encryption is vetoed, Congressional notification is required.

End user approval: allows U.S. companies to export with optional recovery features to approved end users.

DOMESTIC CONTROLS -- The bill continues to prohibit any domestic encryption controls. No domestic controls on encryption are allowed. No keys -- or similar technology -- are required to be turned over to agents. Key recovery -- or any other similar type of technology -- is encouraged but not required. The bill will also preserve the requirement that if a key is handed over to an agent, such key can only be obtained by the government with a court order subpoena.

The dual registration language regarding certificate authorities and key recovery agents has been eliminated.

Changes to S.909 -- The revised S.909 contains a number of significant changes, most of which are direct responses to criticisms raised by privacy advocates and industry groups. Major changes include:

Removal of the linkage between certificate authority and key recovery agents -- Sec. 405 of the original bill would have required users of federally licensed certificate authorities to also use key recovery. In the revised bill, this linkage has been completely deleted. However, the complex federal registering structure for CAs and key recovery agents is retained, along with the powerful safe harbor provisions designed to force companies to submit to licensing.

Heightened standards for access to keys -- The original S.909 allowed government to obtain key information on a mere subpoena. The revised bill requires a "court order" based "upon a finding that the recovery information is relevant to an ongoing law enforcement or counterintelligence investigation." Sec. 106(4). CDT believes this standard is still too low for sensitive key information. In the emerging world of digital commerce and personal communication, decryption keys will be among the most sensitive information in an individual's life. Criminal inquiry can be very broad; counterintelligence investigations are even broader. It is not sufficient for the government to merely show that a decryption key is "relevant" to an investigation.

Export controls -- Allows export of key recovery products that allow government access to plaintext "without the knowledge or cooperation of the person using the product." Retains the 56-bit limit on non-recovery products, with the limit to be raised based upon findings of an Encryption Export Advisory Board. (This change was already adopted at the Commerce Committee mark-up last year.) The 13-member board is appointed by the President and the Congress; its findings can be waived by executive order. The new bill also allows the Secretary to license products with user-controlled key recovery features. Bottom line: It would grant the Executive discretion to continue export control policies identical to those in place today.

Procurement -- Attempts to narrow key recovery requirement to federal systems and those federally funded networks "for the transaction of business with the federal government." Intended to carve out Internet 2 and universities (according to staff).

Other changes include narrower access to key information at the request of foreign governments (only plaintext, not keys, can be released), and narrowed Presidential waiver authority (does not apply to Title I privacy protections).



104th Congress: 1995-96

S. 1726, the Burns/Leahy "Pro-CODE" Bill introduced on May 2, 1996

H.R. 3011, the "SAFE" Bill introduced by Reps. Goodlatte and Eshoo in March 1996

S.1587, introduced by Sens. Burns and Leahy in March 1996



Clinton Administration Policy Initiatives

Clipper 3.1.1 (Administration Announcement - October 1, 1996)

Commerce Department Issues New Crypto Regs, Maintains Export Controls on Strong Encryption

The Administration has released regulations that continue export controls on strong encryption while shifting those controls to the Commerce Department. The new rules would permit export of moderately stronger 56-bit encryption systems -- but for the next two years only, and only by companies that make "satisfactory commitments" to develop and market "key recovery" products. The rules also provide a first look at detailed new regulations and criteria for government-approved exportable key recovery systems.


Clipper III (Administration draft report - May 21, 1996)
TO: Interested Parties
FROM: Center for Democracy and Technology
DATE: May 21, 1996
SUBJECT: Preliminary Analysis of "Clipper III" Encryption Proposal

The Administration's latest encryption policy proposal, already dubbed "Clipper III," would use a new government-sanctioned certification system as an incentive to virtually impose key escrow on domestic encryption users. The draft proposal, "Achieving Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure," would establish a new "public key infrastructure" for encryption. Such a public key infrastructure would enable users of encryption to clearly identify the people they are communicating with, and is widely viewed as an important prerequisite for the widespread use of secure electronic communications. However, the Clipper III proposal would establish this infrastructure at a price: All users of the public key infrastructure would have to ensure government access to their encryption keys through an approved key escrow agent.

Clipper III will not meet the privacy and security needs of Internet users. While the proposal represents real progress by the Administration in recognizing the importance of encryption, in reality it provides few provisions to protect individual privacy. The proposal is hardly voluntary -- it makes key escrow a virtual precondition for participation in a secure GII. It targets domestic users of encryption, contains few guidelines for key exchanges with foreign governments, and encourages collection of highly sensitive private key information. Moreover, it contains none of the standards for key holder liability, limits on access to keys by law enforcement, or audit requirements that many have already identified as crucial to protecting individual privacy in even a voluntary key escrow system. For these reasons, CDT believes that the Clipper III proposal is another step in the wrong direction for U.S. encryption policy.

http://www.cs.virginia.edu/~jones/www.cdt.org/crypto/clipper_III/clipper_III_analysis.html

NIST Private Key Escrow Encryption Initiative (Clipper II)

Clinton Administration Continues to Push For Flawed Crypto Export Policy

The Clinton Administration has continued to push its latest key escrow cryptography export proposal, despite a chorus of disapproval from civil liberties advocates and the computer and communications industry. At a public meeting at the National Institute for Standards and Technology (NIST) on December 5, 1995, Administration officials presented a revised version of their proposed Key Escrow Export Criteria (initially proposed in September 1995). The proposal keeps in place the current export ban on strong cryptography, and allows for the export of moderately stronger (64-bit key length) systems meeting strict key escrow criteria.

The proposal was roundly criticized by civil liberties organizations, companies, and individuals at the December 5, 1995 meeting on the grounds that it would create a barrier to security and privacy on the Net. It is expected that the Administration will soon move forward to formally adopt the proposal as part of its current export criteria for cryptography.

http://www.cs.virginia.edu/~jones/www.cdt.org/crypto/clipper.html

The Clipper Chip Government Key Escrow Proposal
http://www.cs.virginia.edu/~jones/www.cdt.org/crypto/nist3.html

Congressional Legislative Proposals
http://www.cs.virginia.edu/~jones/www.cdt.org/crypto/#legis

 





Craig Campana, Chris Higashihara, John Palladino / Copyright © 1998