Sent from: mech@eff.org (Stanton McCandlish)

New "Encrypted Communications Privacy Act" - Enabling Electronic Envelopes
==========================================================================

FOR IMMEDIATE RELEASE

ELECTRONIC FRONTIER FOUNDATION
+1 415 436 9333
ask@eff.org
March 5, 1996
http://www.eff.org

The Electronic Frontier Foundation (EFF) is encouraged to see Congressional support for lifting restrictions on encryption and affirming privacy rights for U.S. citizens. The bill introduced today by Senators Pat Leahy (D-VT), Patricia Murray (D-WA) and Conrad Burns (R-MT) is an important step in reclaiming privacy and encryption rights for society and business.

The bill would legalize wide use of "electronic envelopes" to protect private information. Today this information travels on "electronic postcards" which can easily be altered or intercepted. However, the bill also includes key escrow and obstruction of justice provisions which would cause problems if enacted.

"The bill provides a new opportunity to bring reason into the crypto policy debate," said EFF co-founder John Gilmore. "We support the Senators for bringing their energy into the process. The bill is a good start, and with healthy debate and modification, it could become acceptable legislation."

Electronic privacy and encryption policy is extremely complex because it intertwines our constitutional rights of free speech, publication, association, and protection from self-incrimination and unreasonable search, with issues of wiretapping, spying, military security, personal privacy, and computer security. This bill would pick a new balance among these competing interests, with long-term impacts on our society and economy.

EFF is committed to working with government, industry and public interest organizations to raise the level of understanding and debate in resolving these complex issues.

Export Control Liberalization
-----------------------------

The Encrypted Communications Privacy bill would make long-overdue changes to the export restrictions currently hampering the deployment of privacy and security "envelopes" for Windows, Unix, the Mac, and the Internet.

The bill:

* Moves export control of all non-military information security products, including encryption, to the Commerce Dept., whose rules protect constitutional rights and reflect market realities.
* Requires that no license be required to export generally available mass-market software, public domain software, and computers that include such software.
* Requires that export be authorized for non-military encryption software to any country where similar software is exportable from the U.S. to foreign financial institutions.
* Requires that export be authorized for encryption hardware if a comparable product is available overseas.

The above changes would significantly improve the nation's crypto policy. But they make detailed changes in a very complex section of the law and regulations. There is a significant risk that they will be implemented by the Administration in a different fashion than Congress intended. This happened in 1987, for example, when Congress tried to eliminate NSA meddling with civilian computers by passing the Computer Security Act. It was subverted by a series of Presidential directives and agreements among Executive Branch departments. The result today is that NSA is still in control of domestic security and privacy policy.

We would encourage further deregulation as a simpler, more effective, and far more reliable solution. The bill should simply eliminate all export controls on non-military encryption.

Criminalization of Encryption and Encouragement of Key Escrow
-------------------------------------------------------------

The following provisions raise serious concerns about the imbalance between the rights of the people and the desires of the government.
EFF feels that the impact of these provisions must be closely considered, and will work to modify or remove them to better serve the public interest.

The bill:

* Makes it a new crime to "use encryption to obstruct justice", with 5-10 year sentences, plus fines. In plain language, this is an extra criminal charge that can be applied when police are frustrated in an investigation but happen to catch someone breaking the law in some other way. It's like adding an extra ten-year jail term if you close your curtains while committing a crime. Americans have the right to protect their own privacy by any nonviolent means, and we expect that encryption will soon be built into all computers, phones, and networks.
* Provides a legal infrastructure for key escrow, a system in which all users' keys are copied to permit government access. The Clinton Administration has been pushing key escrow to replace its failed "Clipper chip", out of fear that if Americans have real privacy they will abuse it. These provisions in the bill would encourage people to use the flawed key-copying system.

Clarification and Refinement
----------------------------

There are a number of areas of the bill that would benefit from additional debate and clarification. Specifically, where the bill:

* Explicitly does not mandate key escrow, but fails to prohibit the Administration from attempting to impose it with regulations.
* Outlaws disclosure of others' keys except to the government, with 1-2 year sentences, plus fines, but includes a broad "good faith" exemption for when the government does something illegal or unconstitutional.
* Requires disclosure of other peoples' keys to the government, under the same procedures currently used for wiretaps, searches of online records and backup tapes, and fishing expeditions in billing records.
  The provision does not always require adversary legal process, in which citizens can argue for their privacy before a judge, but instead relies solely on the integrity of prosecutors.
* Legalizes the use of any encryption "except as provided in this Act...or in any other law".

EFF's Proposed Crypto-Privacy Principles
----------------------------------------

EFF's Cryptography and Privacy Policy Principles, which were originally written during the Clipper Chip debate, are the touchstone by which we measure privacy legislation and policy issues:

* Private-sector access to encryption technology must not be hindered, either by regulation of what crypto may be used domestically, or by restriction on what may be exported.
* Government policy on encryption usage and standards must be set in open forums with proper attention paid to public input. Secret hearings and classified algorithms have no part to play in a democratic process.
* Encryption must become part of the "information infrastructure" to protect personal, commercial and governmental privacy and security. Cryptographic tools must not be crippled or weakened for the convenience of government agents, and users must be free to choose what encryption they prefer and whether and to whom they will reveal encryption keys. Law enforcement must obtain court orders, not simply administrative subpoenas to seize keys or decrypt and search encrypted information.
* Government policy regarding emerging technologies like encryption must not erode Constitutional protections. In particular, any such policies must be compatible with the rights to freedom of speech, press and association, freedom from coerced self-incrimination, and freedom from unreasonable search and seizure.
* Encryption will be built into all next-generation Internet, communications and computer technology.
  There must be no government policy equating use of encryption with evidence of criminal behavior, nor the creation of any new crime category that holds encryption users liable for making criminal investigation more difficult.
* Government at all levels should explore cryptography's potential to replace identity-based or dossier-based systems - such as driver's licenses, credit cards, social security numbers, and passports - with less invasive technology.

The Encrypted Communications Privacy bill at this time passes some of these tests, and we are committed to working with industry, government, and public interest organizations to address the remaining issues.

Background: EFF and Crypto-Privacy Policy
-----------------------------------------

The Electronic Frontier Foundation (EFF) is a nonprofit public interest organization devoted to the protection of online privacy and free expression. EFF was founded in 1990, and is based in San Francisco, California.

The International Traffic in Arms Regulations (ITARs), administered by the State Department, and in the background by the National Security Agency, unreasonably treat encryption software and hardware as if they were weapons of war, like rockets and bombs. It has proven very difficult to deploy U.S.-made encryption products in an increasingly important global market due to these regulations, at a time when the need for online security systems for personal and commercial use has never been more keenly felt.

EFF has for several years led efforts to fend off governmental attempts to restrict the development and public availability of secure privacy technology. In 1993-4, EFF and other civil liberties organizations successfully opposed implementation of the U.S. Administration's "Clipper" or "Skipjack" system - hardware encryption for voice and data communications in which all encryption keys are held by government for the convenience of law enforcement and intelligence agencies.
In 1994, we helped ensure that crypto export became a major legislative topic, laying the groundwork for eventual liberalization of the ITARs. In 1994 and 1995 EFF opposed implementation of and helped defeat funding for the FBI's "Digital Telephony" scheme, in which up to one person on every city block could be simultaneously wiretapped. In 1995, we filed an ongoing federal lawsuit with mathematician Daniel Bernstein, challenging the constitutionality of the export control laws.

Online Resources for More Information
-------------------------------------

Please see EFF's Internet archives for more details on this and other issues.

EFF Privacy & Encryption Archive: http://www.eff.org/pub/Privacy/
EFF Legal Issues & Policy Archive: http://www.eff.org/pub/Legal/
Action Alerts: http://www.eff.org/pub/Alerts/
Topical Index of the EFF Archive: http://www.eff.org/links.html

Contact Information
-------------------

The Electronic Frontier Foundation
1550 Bryant St., Suite 725
San Francisco CA 94103 USA
+1 415 436 9333 (voice)
+1 415 436 9993 (fax)
Internet: ask@eff.org

John Gilmore, Co-founder and Member of the Board
gnu@eff.org
+1 415 221 6524