Dems Critique Crypto Policy
These views from Democratic legislators on the SAFE
crypto bill are excerpted from House Report 105-108, dated
May 22, 1997, which reports on the recent hearing testimony,
DoJ's critique, and Goodlatte's responses to administration
criticism. It cites the Blaze et al report on the risks of key
recovery, Sun's alliance with Elvis, current litigation and
non-US commercial exploitation of the crypto stalemate.
http://jya.com/hr105-108.htm (94K)
-----
ADDITIONAL MINORITY VIEWS
John Conyers, Jr.
Rick Boucher.
Zoe Lofgren.
Maxine Waters.
William Delahunt.
Martin T. Meehan.
We offer these additional views not to foment dissent but
to encourage dialogue with the Administration on the issues
related to encryption. We would like to work with federal law
enforcement and national security agencies to address their
concerns.
We sympathize with the difficulties faced by investigative
and security agencies in combating crime, terrorism, and
espionage. We believe it is quite legitimate for the
Administration to be concerned about the uncertain impact that
strong and ubiquitous encryption products may have on law
enforcement and national security agencies. We realize that it
may ultimately become impossible for government agencies to
decipher intercepted or retrieved data and communications that
have, by encryption, been transformed into a seemingly
unintelligible form.
We recognize the days of cracking strong codes are nearly
gone. Unbreakable codes (256-bit key algorithms can generate
more possible solutions than there are particles in the known
universe) are already widely known. Private security experts
and sophisticated hackers have already realized this and are
beginning to develop ways of attacking the vulnerable points
before and after the information is encrypted (i.e., on the
sender's hard drive or at a "good-guy" recipient such as a
bank). We suspect that law enforcement and national security
experts within the government are acquiring similar
capabilities. But these alternative (and more subtle)
approaches are not reflected in the Administration's current
public policy toward encryption.
The Administration's current encryption policy, a policy
that runs back at least to the Bush Administration, creates
more problems than it resolves. The policy is a combination of
encryption export controls and a key escrow system by which the
key to the code encrypting the information is to be held by a
third party (so it may be made available to the government).
We need to be honest about this situation. We don't expect
most narcotics traffickers, terrorists, or criminals to respect
export restrictions on encryption when they don't respect our
underlying drugs or weapons laws. And we don't generally expect
anyone who employs encryption in furtherance of a crime to
readily give their keys to some third party so they may be made
available to the government.
The Administration maintains that there is a commercial
need for key recovery. While that may be true to some extent,
there appears to be little or no demand for the all-
encompassing system they want to mandate. Experts have
uniformly concluded the government's proposed system is either
excessively costly and complex or insecure. In part, this is
true because the government seeks access to real-time
communications and data transmissions, rather than the ability
to recover stored data.
The Administration insists it doesn't want domestic
restrictions on encryption. We are concerned, however, that the
Administration policy does have this effect. Development of
software programs, including those utilizing encryption, occurs
at an amazingly rapid pace, so it is not feasible for computer
software and hardware companies to develop separate products
for export and for domestic use. As a result, as a practical
matter, only products that are exportable, with weaker
encryption or with government-approved key recovery-escrow, can
be marketed at present.
We fear that current encryption policy, encouraging as it
does weaker encryption, makes every American more vulnerable to
illicit or surreptitious access to our computer files, our
phone conversations, and personal information, and thus exposes
our citizens to hackers, terrorists, and thieves. It is ironic
that what is trumpeted as an aid to law enforcement may
instead compromise individual and corporate security.
What we have here is not only a combination of export
controls and a key recovery system that does not work, we have
a system that compromises the competitiveness and security of
this nation's software and hardware industry, as well as our
privacy rights. As conceded by Administration witnesses, the
proposed key recovery system can succeed only as long as there
is no non-conforming encryption software readily available in
the market. But there is already an abundance of such software,
some of it freeware, that is readily available over the
Internet.
The proposed key recovery system can not work unless the
United States persuades every other nation to adopt key
recovery. We can safely say we are unlikely to obtain the
agreement of Libya, Iran, Iraq, or North Korea. In addition,
the efforts to date of David Aaron, U.S. Ambassador to the
Organization for Economic Cooperation and Development (OECD),
to obtain a consensus in support of key recovery resulted
instead in a consensus opposing it.
The Administration's policy has therefore been a strong
market incentive:
(a) for non-participants (in the Administration's key
escrow program) to make non-standard, secure encryption
available, and
(b) for U.S. companies to set up abroad in
"encryption havens" so they may legally market
strong, secure encryption products to customers who
decline to make their "international key" available
to diverse governments around the world.
There are already U.S. companies establishing ties with foreign
companies in Japan, Russia, and elsewhere.
Nor is this policy without its cost. It is estimated that,
if the U.S. persists in its current policy through the year
2000, we shall lose 200,000 jobs and $60 billion each year.
This is what it will cost this nation to lose the cryptography
lead we enjoy and the competitive expertise necessary to
maintain our market position.
Unfortunately, our discussions to date with law enforcement
and intelligence agencies have not admitted of the possibility
of any further relaxation of export restrictions as part of the
broader process essential to resolving this complex question.
Nor has the Administration offered to consider alternatives to
its key escrow or key recovery system.
H.R. 695 need not be the end of the process but the
beginning of a real dialogue. This is what we would like to
happen. We continue to remain hopeful that the Administration
will acknowledge the shortcomings of its current policy and
sincerely hope that this will happen soon lest more serious
damage be done to our industry, to our security and to our
privacy.
[End excerpt]