CDT Policy Post No. 29 - Coalition Says New Crypto Policy Flawed
Pardon the massive mailing (I have never posted a full Policy Post to this
list before), but I thought a majority of you would find this interesting
and relevant.
Jonah
([email protected])
------------------------------------------------------------------------
POLICY POST
November 9, 1995
Number 29
CENTER FOR DEMOCRACY AND TECHNOLOGY
------------------------------------------------------------------------
A briefing on public policy issues affecting civil liberties online
------------------------------------------------------------------------
CDT POLICY POST Number 29 November 9, 1995
CONTENTS: (1) Public Interest/Industry Coalition Says Administration Crypto
Policy Flawed -- Pledges to Develop Alternative
(2) Text of CDT-led coalition letter to Vice President Gore
(3) How To Subscribe To The CDT Policy Post Distribution List
(4) About CDT, Contacting Us
This document may be re-distributed freely provided it remains in its
entirety. Excerpts may be re-posted by permission ([email protected])
-------------------------------------------------------------------------
(1) Public Interest/Industry Coalition Says Administration Crypto Policy
Flawed -- Pledges to Develop Alternative
A broad coalition of nearly forty public-interest organizations, trade
associations, and representatives from the telecommunications and computer
hardware and software industries sent the attached letter to Vice President
Albert Gore on Wednesday, objecting to the Administration's recently
announced cryptography policy.
While the letter praised the administration for its efforts to develop a
national cryptography policy, the signatories, which include groups such as
EFF and companies such as America Online, Apple, AT&T, MCI, Lotus,
Microsoft, and Tandem Computer (organized by CDT), expressed concern that
the Administration's proposal is weighed heavily in favor of law
enforcement and national security while neglecting the privacy and security
needs of individuals and the marketplace.
The letter states:
"A secure, private, and trusted Global Information Infrastructure
(GII) is essential to promote economic growth and meet the needs of
the Information Age society. Competitive businesses need cryptography
to protect proprietary information as it flows across increasingly
vulnerable global networks. Individuals require privacy protection in
order to build the confidence necessary to use the GII for personal and
financial transactions... The undersigned groups recognize that
the Administration's recently articulated cryptography initiative was a
serious attempt to meet some of these challenges, but the proposed
initiative is no substitute for a comprehensive national cryptography
policy. To the extent that the current policy becomes a substitute for
a more comprehensive policy, the initiative actually risks hindering
the development of a secure and trusted GII."
The coalition pledged to work together to formulate recommendations for an
alternative cryptography policy based on the following principles:
* ROBUST SECURITY: access to levels of encryption sufficient to address
domestic and international security threats, especially as advances in
computing power make currently deployed cryptography systems less
secure.
* INTERNATIONAL INTEROPERABILITY: the ability to securely interact
worldwide.
* VOLUNTARY USE: freedom for users to choose encryption solutions,
developed in the marketplace, that meet their particular needs.
* ACCEPTANCE BY THE MARKETPLACE: commercial viability and ability to
meet the expressed needs of cryptography users.
* CONSTITUTIONAL PRIVACY PROTECTIONS: safeguards to ensure basic Fourth
Amendment privacy protection and regulation of searches, seizures, and
interceptions.
* RESPECT FOR THE LEGITIMATE NEEDS OF LAW ENFORCEMENT and national
security, while recognizing the reality that determined criminals will
have access to virtually unbreakable encryption.
A second group, composed of conservative/libertarian organizations
including Americans for Tax Reform and Citizens for A Sound Economy, issued
a similar letter on Wednesday to House Speaker Newt Gingrich. The text of
that letter, as well as additional information on the cryptography policy
debate, can be found on CDT's Cryptography Issues Page:
URL:http://www.cdt.org/crypto.html
The letters come as the National Institute of Standards & Technology (NIST)
this week announced revisions to the Administration's proposed export
criteria announced last September (See CDT Policy Post No. 24). The revised
proposal is substantively similar to the previous version, and maintains
controversial provisions including:
* LIMITS ON KEY LENGTH: The revised proposal would continue to only
allow the export of cryptography systems with 64 bit key lengths, but
only if the keys are escrowed by an agent approved by the U.S.
Government and if the systems meet the other export criteria.
* RESTRICTED INTEROPERABILITY: While the revised proposal does clarify
the interoperability provision, it would continue to prohibit
exportable products from operating with any other cryptographic
products that do not meet the NIST criteria.
* NO PRIVACY SAFEGUARDS: The proposal contains no mention of the
procedures for law enforcement access to escrowed keys, the standards
for certifying escrow agents, or the obligations on escrow agents to
protect privacy.
CDT believes that the NIST proposals fall far short of the promise for a
more sensible and comprehensive cryptography policy outlined last July in
Vice President Gore's letter to Rep. Maria Cantwell. The current proposal
fails to provide adequate security, protect the privacy of individuals, and
meet the needs of the global marketplace. CDT believes that a more
comprehensive approach to cryptography policy is necessary to address both
the immediate need for strong cryptographic applications and the long-term
development of a secure and trusted Global Information Infrastructure. CDT
will work with the signatories of the letter over the next six months to
develop an alternative to the Administration's proposal.
-----------------------------------------------------------------------
(2) Text of CDT-led Coalition Letter to Vice President Gore
November 8, 1995
The Honorable Albert Gore, Jr.
Office of the Vice President
Old Executive Office Building, Room 276
Washington, D.C. 20501
Dear Mr. Vice President:
A secure, private, and trusted Global Information Infrastructure (GII) is
essential to promote economic growth and meet the needs of the Information
Age society. Competitive businesses need cryptography to protect
proprietary information as it flows across increasingly vulnerable global
networks. Individuals require privacy protection in order to build the
confidence necessary to use the GII for personal and financial
transactions. Promoting the development of the GII and meeting the needs
of the Information Age will require strong, flexible, widely-available
cryptography. The undersigned groups recognize that the Administration's
recently articulated cryptography initiative was a serious attempt to meet
some of these challenges, but the proposed initiative is no substitute for
a comprehensive national cryptography policy. To the extent that the
current policy becomes a substitute for a more comprehensive policy, the
initiative actually risks hindering the development of a secure and trusted
GII.
A number of the undersigned organizations have already written to express
concern about the latest Administration cryptography initiative. As some of
us have noted, the Administration's proposed export criteria will not allow
users to choose the encryption systems that best suit their security
requirements. Government ceilings on key lengths will not provide an
adequate level of security for many applications, particularly as advances
in computing render current cryptography systems less secure. Competitive
international users are steadily adopting stronger foreign encryption in
their products and will be unlikely to embrace U.S. restrictions. As they
stand, current export restrictions place U.S. hardware manufacturers,
software developers, and computer users at a competitive disadvantage,
seriously hinder international interoperability, and threaten the
strategically important U.S. communications and computer hardware and
software industries. Moreover, the Administration policy does not spell out
any of the privacy safeguards essential to protect individual liberties and
to build the necessary public trust in the GII.
The current policy directive also does not address the need for immediate
liberalization of current export restrictions. Such liberalization is vital
to enable U.S. companies to export state-of-the-art software products
during the potentially lengthy process of developing and adopting a
comprehensive national cryptography policy. Without relief, industry and
individuals alike are faced with an unworkable limit on the level of
security available and remain hamstrung by restrictions that will not be
viable in the domestic and international marketplace.
Many members of the undersigned groups have been working actively with the
Administration on a variety of particular applications, products, and
programs promoting information security. All of us are united, however, by
the concern that the current network and information services environment
is not as secure as it should be, and that the current policy direction
will delay the secure, private, and trusted environment that is sought.
Despite the difficulties of balancing the competing interests involved, the
undersigned companies, trade associations, and privacy organizations are
commencing a process of collective fact-finding and policy deliberation,
aimed at building consensus around a more comprehensive cryptography policy
framework that meets the following criteria:
* ROBUST SECURITY: access to levels of encryption sufficient to address
domestic and international security threats, especially as advances in
computing power make currently deployed cryptography systems less
secure.
* INTERNATIONAL INTEROPERABILITY: the ability to securely interact
worldwide.
* VOLUNTARY USE: freedom for users to choose encryption solutions,
developed in the marketplace, that meet their particular needs.
* ACCEPTANCE BY THE MARKETPLACE: commercial viability and ability to
meet the expressed needs of cryptography users.
* CONSTITUTIONAL PRIVACY PROTECTIONS: safeguards to ensure basic Fourth
Amendment privacy protection and regulation of searches, seizures, and
interceptions.
* RESPECT FOR THE LEGITIMATE NEEDS OF LAW ENFORCEMENT and national
security, while recognizing the reality that determined criminals will
have access to virtually unbreakable encryption.
In six months, we plan to present our initial report to the Administration,
the Congress, and the public in the hopes that it will form the basis for a
more comprehensive, long-term approach to cryptography on the GII. We look
forward to working with the Administration on this matter.
Sincerely,
American Electronics Association
America Online, Inc.
Apple Computer, Inc.
AT&T
Business Software Alliance
Center for Democracy & Technology
Center for National Security Studies
Commercial Internet eXchange Association
CompuServe, Inc.
Computer & Communications Industry Association
Computing Technology Industry Association
Crest Industries, Inc.
Dun & Bradstreet
Eastman Kodak Company
Electronic Frontier Foundation
Electronic Messaging Association
EliaShim Microcomputers, Inc.
Formation, Inc.
Institute for Electrical and Electronic Engineers - United States Activities
Information Industry Association
Information Technology Industry Council
Information Technology Association of America
Lotus Development Corporation
MCI
Microsoft Corporation
Novell, Inc.
OKIDATA Corporation
Oracle Corporation
Securities Industry Association
Software Industry Council
Software Publishers Association
Software Security, Inc.
Summa Four, Inc.
Sybase, Inc.
Tandem Computers, Inc.
Telecommunications Industry Association
ViON Corporation
---------------------------------------------------------------------------
(3) HOW TO SUBSCRIBE TO THE CDT POLICY POST LIST
CDT Policy Posts, which is what you have just finished reading, are the
regular news publication of the Center For Democracy and Technology. CDT
Policy Posts are designed to keep you informed on developments in public
policy issues affecting civil liberties online.
SUBSCRIPTION INFORMATION
1. SUBSCRIBING TO THE LIST
To subscribe to the policy post distribution list, send mail to
"[email protected]" with:
subscribe policy-posts
in the body of the message (leave the subject line blank)
2. UNSUBSCRIBING FROM THE LIST
If you ever want to remove yourself from this mailing list,
you can send mail to "[email protected]" with the following command
in the body of your email message:
unsubscribe policy-posts [email protected] (your name)
(leave the subject line blank)
You can also visit our subscription web page URL:http://www.cdt.org/join.html
-----------------------------------------------------------------------
(4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US
The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop
and advocate public policies that advance constitutional civil liberties
and democratic values in new computer and communications technologies.
Contacting us:
General information: [email protected]
World Wide Web: URL:http://www.cdt.org
FTP URL:ftp://ftp.cdt.org/pub/cdt/
Snail Mail: The Center for Democracy and Technology
1001 G Street NW * Suite 500 East * Washington, DC 20001
(v) +1.202.637.9800 * (f) +1.202.637.0968
-----------------------------------------------------------------------
End Policy Post No. 29 11/9/95
-----------------------------------------------------------------------