CDT Policy Post No. 29 - Coalition Says New Crypto Policy Flawed



Pardon the massive mailing (I have never posted a full Policy Post to this
list before), but I thought a majority of you would find this interesting
and relevant.

Jonah
([email protected])

------------------------------------------------------------------------
   ******    ********    *************
  ********   *********   *************
  **         **      **       ***               POLICY POST
  **         **      **       ***
  **         **      **       ***               November 9, 1995
  **         **      **       ***               Number 29
  ********   *********        ***
   ******    ********         ***

  CENTER FOR DEMOCRACY AND TECHNOLOGY
------------------------------------------------------------------------
  A briefing on public policy issues affecting civil liberties online
------------------------------------------------------------------------
CDT POLICY POST Number 29                      November 9, 1995

CONTENTS: (1) Public Interest/Industry Coalition Says Administration Crypto
              Policy Flawed -- Pledges to Develop Alternative
          (2) Text of CDT-led coalition letter to Vice President Gore
          (3) How To Subscribe To The CDT Policy Post Distribution List
          (4) About CDT, Contacting Us

This document may be re-distributed freely provided it remains in its
entirety. Excerpts may be re-posted by permission ([email protected])
-------------------------------------------------------------------------

(1) Public Interest/Industry Coalition Says Administration Crypto Policy
    Flawed -- Pledges to Develop Alternative

A broad coalition of nearly forty public-interest organizations, trade
associations, and representatives from the telecommunications and computer
hardware and software industries sent the attached letter to Vice President
Albert Gore on Wednesday, objecting to the Administration's recently
announced cryptography policy.

While the letter praised the administration for its efforts to develop a
national cryptography policy, the signatories, which include groups such as
EFF and companies such as America Online, Apple, AT&T, MCI, Lotus,
Microsoft, and Tandem Computer (organized by CDT), expressed concern that
the Administration's proposal is weighted heavily in favor of law
enforcement and national security while neglecting the privacy and security
needs of individuals and the marketplace.

The letter states:

 "A secure, private, and trusted Global Information Infrastructure
  (GII) is essential to promote economic growth and meet the needs of
  the Information Age society.  Competitive businesses need cryptography
  to protect proprietary information as it flows across increasingly
  vulnerable global networks. Individuals require privacy protection in
  order to build the confidence necessary to use the GII for personal and
  financial transactions... The undersigned groups recognize that
  the Administration's recently articulated cryptography initiative was a
  serious attempt to meet some of these challenges, but the proposed
  initiative is no substitute for a comprehensive national cryptography
  policy.  To the extent that the current policy becomes a substitute for
  a more comprehensive policy, the initiative actually risks hindering
  the development of a secure and trusted GII."

The coalition pledged to work together to formulate recommendations for an
alternative cryptography policy based on the following principles:

* ROBUST SECURITY:  access to levels of encryption sufficient to address
  domestic and international security threats, especially as advances in
  computing power make currently deployed cryptography systems less
  secure.

* INTERNATIONAL INTEROPERABILITY:  the ability to securely interact
  worldwide.

* VOLUNTARY USE: freedom for users to choose encryption solutions,
  developed in the marketplace, that meet their particular needs.

* ACCEPTANCE BY THE MARKETPLACE: commercial viability and ability to
  meet the expressed needs of cryptography users.

* CONSTITUTIONAL PRIVACY PROTECTIONS: safeguards to ensure basic Fourth
  Amendment privacy protection and regulation of searches, seizures, and
  interceptions.

* RESPECT FOR THE LEGITIMATE NEEDS OF LAW ENFORCEMENT and national
  security, while recognizing the reality that determined criminals will
  have access to virtually unbreakable encryption.

A second group, composed of conservative/libertarian organizations
including Americans for Tax Reform and Citizens for A Sound Economy, issued
a similar letter on Wednesday to House Speaker Newt Gingrich. The text of
that letter, as well as additional information on the cryptography policy
debate, can be found on CDT's Cryptography Issues Page:

        URL:http://www.cdt.org/crypto.html

The letters come as the National Institute of Standards & Technology (NIST)
this week announced revisions to the Administration's proposed export
criteria announced last September (See CDT Policy Post No. 24). The revised
proposal is substantively similar to the previous version, and maintains
controversial provisions including:

* LIMITS ON KEY LENGTH: The revised proposal would continue to only
  allow the export of cryptography systems with 64 bit key lengths, but
  only if the keys are escrowed by an agent approved by the U.S.
  Government and if the systems meet the other export criteria.

* RESTRICTED INTEROPERABILITY: While the revised proposal does clarify
  the interoperability provision,  it would continue to prohibit
  exportable products from operating with any other cryptographic
  products that do not meet the NIST criteria.

* NO PRIVACY SAFEGUARDS: The proposal contains no mention of the
  procedures for law enforcement access to escrowed keys, the standards
  for certifying escrow agents, or the obligations on escrow agents to
  protect privacy.

CDT believes that the NIST proposals fall far short of the promise for a
more sensible and comprehensive cryptography policy outlined last July in
Vice President Gore's letter to Rep. Maria Cantwell.  The current proposal
fails to provide adequate security, protect the privacy of individuals, and
meet the needs of the global marketplace. CDT believes that a more
comprehensive approach to cryptography policy is necessary to address both
the immediate need for strong cryptographic applications and the long-term
development of a secure and trusted Global Information Infrastructure. CDT
will work with the signatories of the letter over the next six months to
develop an alternative to the Administration's proposal.

-----------------------------------------------------------------------

(2) Text of CDT-led Coalition Letter to Vice President Gore


November 8, 1995

The Honorable Albert Gore, Jr.
Office of the Vice President
Old Executive Office Building, Room 276
Washington, D.C. 20501

Dear Mr. Vice President:

A secure, private, and trusted Global Information Infrastructure (GII) is
essential to promote economic growth and meet the needs of the Information
Age society.  Competitive businesses need cryptography to protect
proprietary information as it flows across increasingly vulnerable global
networks. Individuals require privacy protection in order to build the
confidence necessary to use the GII for personal and financial
transactions.  Promoting the development of the GII and meeting the needs
of the Information Age will require strong, flexible, widely-available
cryptography.  The undersigned groups recognize that the Administration's
recently articulated cryptography initiative was a serious attempt to meet
some of these challenges, but the proposed initiative is no substitute for
a comprehensive national cryptography policy.  To the extent that the
current policy becomes a substitute for a more comprehensive policy, the
initiative actually risks hindering the development of a secure and trusted
GII.

A number of the undersigned organizations have already written to express
concern about the latest Administration cryptography initiative. As some of
us have noted, the Administration's proposed export criteria will not allow
users to choose the encryption systems that best suit their security
requirements.  Government ceilings on key lengths will not provide an
adequate level of security for many applications, particularly as advances
in computing render current cryptography systems less secure.   Competitive
international users are steadily adopting stronger foreign encryption in
their products and will be unlikely to embrace U.S. restrictions.  As they
stand, current export restrictions place U.S. hardware manufacturers,
software developers, and computer users at a competitive disadvantage,
seriously hinder international interoperability, and threaten the
strategically important U.S. communications and computer hardware and
software industries. Moreover, the Administration policy does not spell out
any of the privacy safeguards essential to protect individual liberties and
to build the necessary public trust in the GII.

The current policy directive also does not address the need for immediate
liberalization of current export restrictions. Such liberalization is vital
to enable U.S. companies to export state-of-the-art software products
during the potentially lengthy process of developing and adopting a
comprehensive national cryptography policy. Without relief, industry and
individuals alike are faced with an unworkable limit on the level of
security available and remain hamstrung by restrictions that will not be
viable in the domestic and international marketplace.

Many members of the undersigned groups have been working actively with the
Administration on a variety of particular applications, products, and
programs promoting information security.  All of us are united, however, by
the concern that the current network and information services environment
is not as secure as it should be, and that the current policy direction
will delay the secure, private, and trusted environment that is sought.

Despite the difficulties of balancing the competing interests involved, the
undersigned companies, trade associations, and privacy organizations are
commencing a process of collective fact-finding and policy deliberation,
aimed at building consensus around a more comprehensive cryptography policy
framework that meets the following criteria:

* ROBUST SECURITY:  access to levels of encryption sufficient to address
  domestic and international security threats, especially as advances in
  computing power make currently deployed cryptography systems less
  secure.

* INTERNATIONAL INTEROPERABILITY:  the ability to securely interact
  worldwide.

* VOLUNTARY USE: freedom for users to choose encryption solutions,
  developed in the marketplace, that meet their particular needs.

* ACCEPTANCE BY THE MARKETPLACE: commercial viability and ability to
  meet the expressed needs of cryptography users.

* CONSTITUTIONAL PRIVACY PROTECTIONS: safeguards to ensure basic Fourth
  Amendment privacy protection and regulation of searches, seizures, and
  interceptions.

* RESPECT FOR THE LEGITIMATE NEEDS OF LAW ENFORCEMENT and national
  security, while recognizing the reality that determined criminals will
  have access to virtually unbreakable encryption.

In six months, we plan to present our initial report to the Administration,
the Congress, and the public in the hopes that it will form the basis for a
more comprehensive, long-term approach to cryptography on the GII. We look
forward to working with the Administration on this matter.

Sincerely,

American Electronics Association
America Online, Inc.
Apple Computer, Inc.
AT&T
Business Software Alliance
Center for Democracy & Technology
Center for National Security Studies
Commercial Internet eXchange Association
CompuServe, Inc.
Computer & Communications Industry Association
Computing Technology Industry Association
Crest Industries, Inc.
Dun & Bradstreet
Eastman Kodak Company
Electronic Frontier Foundation
Electronic Messaging Association
EliaShim Microcomputers, Inc.
Formation, Inc.
Institute for Electrical and Electronic Engineers - United States Activities
Information Industry Association
Information Technology Industry Council
Information Technology Association of America
Lotus Development Corporation
MCI
Microsoft Corporation
Novell, Inc.
OKIDATA Corporation
Oracle Corporation
Securities Industry Association
Software Industry Council
Software Publishers Association
Software Security, Inc.
Summa Four, Inc.
Sybase, Inc.
Tandem Computers, Inc.
Telecommunications Industry Association
ViON Corporation

---------------------------------------------------------------------------

(3) HOW TO SUBSCRIBE TO THE CDT POLICY POST LIST

CDT Policy Posts, which is what you have just finished reading, are the
regular news publication of the Center For Democracy and Technology. CDT
Policy Posts are designed to keep you informed on developments in public
policy issues affecting civil liberties online.

SUBSCRIPTION INFORMATION

1. SUBSCRIBING TO THE LIST

To subscribe to the policy post distribution list, send mail to
"[email protected]" with:

    subscribe policy-posts

in the body of the message (leave the subject line blank)


2. UNSUBSCRIBING FROM THE LIST

If you ever want to remove yourself from this mailing list,
you can send mail to "[email protected]" with the following command
in the body of your email message:

    unsubscribe policy-posts [email protected] (your name)

(leave the subject line blank)

You can also visit our subscription web page URL:http://www.cdt.org/join.html

-----------------------------------------------------------------------
(4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US

The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop
and advocate public policies that advance constitutional civil liberties
and democratic values in new computer and communications technologies.

Contacting us:

General information:  [email protected]
World Wide Web:       URL:http://www.cdt.org
FTP                   URL:ftp://ftp.cdt.org/pub/cdt/

Snail Mail:  The Center for Democracy and Technology
             1001 G Street NW * Suite 500 East * Washington, DC 20001
             (v) +1.202.637.9800 * (f) +1.202.637.0968

-----------------------------------------------------------------------
End Policy Post No. 29                                        11/9/95
-----------------------------------------------------------------------