
Crypto-compromises in Washington: Burns offers ProCODE II




Rocke Verser's announcement couldn't have come at a
more embarrassing time for the White House. At 3:46 pm
yesterday, after five months of painstaking work, the
Colorado computer consultant fired off an excited
message to the DES challenge mailing list: "WE FOUND IT!"

Verser was talking about his group's successful crack
of a message scrambled with the 56-bit DES encryption
standard. When subjected to the massive computing
power of thousands of machines around the globe, the
enciphered message finally yielded the secret phrase,
"Strong cryptography makes the world a safer place."

That's exactly what the Clinton administration didn't
want to hear. For years top government officials have
argued the opposite, that strong cryptography makes
the world a less secure place where criminals and
terrorists can scheme with impunity. The White House
has long wanted to ensure that it can listen in to all
electronic communications through schemes like "key
escrow" or the Clipper Chip.

Today the Senate Commerce committee is scheduled to
vote on two competing crypto-bills, one backed by the
White House and one backed by industry and some
privacy groups. And now, I've learned, some of
cryptography's most loyal supporters on the Hill are
talking about cutting a deal...

---

I ran into Jim Bidzos, head of RSA Data Security
(which sponsored the DES challenge), at a party in the
Watergate last night. "Export regulations are a
dinosaur," he said. "But it's a dinosaur that'll take
out a lot of the city during its death struggles."
Bidzos is testifying before a House Science panel
today and plans to stress the problems of 56-bit DES;
only 128-bit DES is generally regarded as reasonably
secure...

---

Washington is a city of complexity, painful
complexity, when it comes to encryption. Three
different lawsuits are challenging the
constitutionality of last year's Federal
crypto-regulations. This year's Commerce Department
regulations add up to an eye-straining 16,000 words.
Four different bills are moving through Congress, and
the legislative jockeying is even more abstruse.

But throughout this muddle, one point remains clear:
The Clinton administration wants to hold on to the
status quo as long as possible. That means no judicial
or legislative tinkering -- and, above all, no general
lifting of export controls on encryption products.
Even as officials admit privately that attempts to
prop up these Cold War rules are eventually doomed,
they argue publicly that removing the rules would be
catastrophic. "The proliferation of unbreakable
encryption would seriously and fundamentally
threaten... critical and central public safety
interests," FBI director Louis Freeh said earlier this
month.

For Freeh, the best way to stall for time was to take
the battle to Congress. Earlier this week Sen. Bob
Kerrey (D-Neb.) and Sen. John McCain introduced a bill
that included everything Freeh and the White House
desired: sections creating new Federal crimes for some
uses of crypto and an all-but-mandatory key escrow
infrastructure. The goal: to facilitate government
access to any private data.

Privacy advocates leaped to savage it. "The bill
threatens any prospect of privacy and security in
electronic commerce and on the Internet by opening a
huge window of vulnerability to the private data and
communications of encryption users," the Center for
Democracy and Technology cried. EPIC's Dave Banisar
told me it was a "poison pill strategy designed to
kill" pro-crypto legislation.

The many problems with the bill normally would be bad
enough, but it's zooming through Congress at an almost
supersonic velocity. Thanks to the sponsorship of
McCain, the powerful Senate commerce committee chair,
the committee is scheduled to vote on it today,
without even holding hearings. This could mean the
death of a bill introduced last year, then
reintroduced this year by Sen. Conrad Burns (R-Mont.).
Called "ProCODE," privacy advocates say it's the best
of all the crypto bills in Congress (but then again,
that's not saying much).

---

In Washington politics, perhaps the worst thing that
can be said about you is that you're unwilling to
compromise. So it should come as no surprise that the
McCain-Kerrey bill prompted Burns himself to offer a
substitute ProCODE bill that will be unveiled at the
markup session today. "People would say Burns hasn't
moved on this issue and he's not willing to
compromise. He needs to put something on the table so
he can credibly say he has a compromise too. Otherwise
it seems like he's not willing to play the game," one
Hill observer told me yesterday.

"ProCODE II" would allow the export of up to 56-bit
DES -- yes, the very same bit length that was cracked
yesterday -- only in some circumstances and give the
FBI and the CIA more of a say on an encryption panel
the bill creates, sources say. (For their part, Burns'
staff characterizes it as having only "slight
differences" from ProCODE I.)

This legislative jockeying takes place against a
backdrop of rivalries between Burns and McCain that
stretch far beyond encryption. Burns introduced an
amendment on a spectrum auction bill that gutted
McCain's proposal. A recent National Journal story
played up the rift, and only resulted in widening it.

McCain's insistence on endorsing the administration's
-- and thus the national security establishment's --
position shouldn't be surprising, even if McCain was
one of the original sponsors of ProCODE last year. He
told Wired Magazine's Todd Lappin in March that "we
need to find a middle ground" on crypto: "It's pretty
clear that the administration's crypto proposals will
have a harmful effect upon the industry. But we can't
completely ignore the warnings we get from the heads
of the FBI and the National Security Agency... If the
president of the United States vetoes a crypto bill we
pass, I doubt we'll be able to override his veto."

Then there's the Senate Judiciary committee. Its
chairman, Sen. Orrin Hatch (R-Utah), said last week
that he may introduce an alternative bill to relax
export controls on encryption technology. But he's
also talking about requiring key escrow in certain
circumstances. Judiciary is holding a hearing next
Wednesday on key escrow; the FBI's Freeh is scheduled
to testify. For his part, Hatch has control of a
crypto bill introduced by Sen. Patrick Leahy (D-Ver.)
and could block legislation that other committees
report.

---

Now the focus is on today's scheduled vote in Senate
Commerce. Sources say Sen. Bill Frist (R-Tenn.) is
planning to introduce amendments to the McCain bill
that would weaken it. They would delay the
implementation of some portions by a year. They would
also require that NIST, the Department of Justice, and
the Department of Defense publish guidelines on key
recovery.

Today senators will be faced with a series of
unpleasant choices: approve the McCain-Kerrey bill
(sponsored by the chair), approve the original ProCODE
bill, or approve ProCODE II. Certainly some senators
would be wary of endorsing a measure that they haven't
had time to read. The buzz, however, on the Hill is
that McCain doesn't have the votes for his bill and
may postpone the vote after all.

What all this legislative turmoil means is exactly
what McCain predicted in March: for a bill to get out
of committee, there has to be a compromise. As I wrote
in a recent Netly News column, members of Congress are
driven by a fierce, desperate urge to compromise. The
drive is primal: legislators are compelled to find a
middle ground. But to their chagrin, crypto doesn't
offer one. Either you keep a copy of the electronic
keys to your files or someone else does -- which is
exactly what the White House wants. Either you're free
to speak privately over the Net using PGP, or you're
not -- which is exactly what the White House also
wants.

That's why the only sane answer to the encryption
struggle might be to wait for the courts to strike
down export controls as unconstitutional. They're
moving forward: a Federal court yesterday heard
arguments in the Bernstein case. (Sure, it would put
would-be crypto lobbyists out of business overnight,
but that sounds like a good thing to me.) Congress
can't be trusted not to compromise away fundamental
liberties, and any bill that makes it past McCain,
Hatch, and Kerrey -- not to mention their counterparts
in the House -- is almost certain to include some key
escrow provisions.

A veteran lobbyist told me last night that this could
indeed happen -- but only if high tech firms and
their Washington lobbyists sell out our privacy
by accepting relaxed export controls in exchange
for domestic controls on the use of encryption.
Businesses might make money, but American
consumers would be the ultimate losers...

Additional articles:

http://pathfinder.com/netly/editorial/0,1012,931,00.html

http://pathfinder.com/netly/opinion/0,1042,1022,00.html

-Declan