[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Washington Post says McCain-Kerrey bill "raises red flags"
---------- Forwarded message ----------
Date: Sun, 22 Jun 1997 20:52:08 -0700 (PDT)
From: Declan McCullagh <[email protected]>
To: [email protected]
Subject: Washington Post says McCain-Kerrey bill "raises red flags"
The Washington Post has a long history of endorsing the
Clinton administration's position on export controls of
encryption products. On June 10, 1996 the paper
editorialized that "national security and law enforcement
questions remain too important to be sacrificed lightly."
On July 27, 1996: "Congress should be exceedingly cautious
about getting out ahead of administration concerns on
controls." "Unbreakable codes on the loose strike us as a
real danger, a legitimate reason for tight export
controls," the Post said on October 4, 1996 -- worrying
the White House wasn't strict enough -- and again last month.
But even the Post couldn't quite stomach the McCain-Kerrey
bill that the Senate Commerce committee approved last week.
In an editorial today, the Post said:
...the McCain-Kerrey legislation goes the
other way, seeking to expand such
restrictions to cover most of the uses of
encryption software in the United States.
That proposal raises red flags even if you
believe, as we do, that there are
legitimate national security and law
enforcement reasons for controlling the
diffusion of such `robust' coding software
overseas.
Below I've attached five Washington Post editorials
on encryption. Thanks to Alan Olsen, Peter Trei,
and especially John Young for holding on to these
editorials and sending them to me.
-Declan
---
Senate Commerce committee and McCain-Kerrey bill:
http://www.jya.com/declan3.txt
http://www.jya.com/declan2.txt
Problems with SAFE and ProCODE:
http://cgi.pathfinder.com/netly/editorial/0,1012,1022,00.html
Kerrey crypto-bill:
http://cgi.pathfinder.com/netly/editorial/0,1012,931,00.html
------
Net Tangle on Privacy
Sunday, June 22, 1997; Page C06
The Washington Post
PITY THE senator or representative who still hasn't quite mastered the
details of how the Internet works, or the difference between the World
Wide Web and e-mail. On the Net-related issues that, by all
indications, draw the most urgent public interest -- those relating to
privacy protection -- there are now multiple clumps of competing
bills, whose differences are both highly important and highly
technical.
Three of these involve different strategies to curb junk e-mail; two,
diametrically opposed, concern encryption. All these bills are
tangential, strictly speaking, to the basic concern expressed at
hearings before the Federal Trade Commission: how to safeguard
personal and sensitive data about yourself once it gets into the hands
of institutions and third parties. (The commission itself is weighing
whether to recommend such legislation based on what it heard.) But any
of them could powerfully affect future privacy protection.
A striking example is the newest bill on encryption, sponsored by
Sens. Robert Kerrey and John McCain, which the Senate Commerce
Committee on Thursday voted to adopt as a replacement for a
long-standing proposal by Sen. Conrad Burns, dubbed Pro-CODE. Where
the Burns bill would have lifted restrictions on the export of
"uncrackable" encryption software abroad -- restrictions that the
administration has fought to maintain for national security reasons --
the McCain-Kerrey legislation goes the other way, seeking to expand
such restrictions to cover most of the uses of encryption software in
the United States. That proposal raises red flags even if you believe,
as we do, that there are legitimate national security and law
enforcement reasons for controlling the diffusion of such `robust'
coding software overseas.
The bill, offered as a compromise between the administration's
priorities and those of Congress, shows how difficult it is to square
this particular circle. It would require users of domestic networks
with any government funding (such as universities, many hospitals and
government contractors) to deposit an extra "key" to their codes with
a licensed "key management" authority -- with the licensing to be done
by the government. Like the administration's international policy,
this bill envisions the development of whole new government-regulated
industries for key management, retrieval and authentication. This
meets the needs of domestic law enforcement agencies, which could get
the keys with an ordinary subpoena, but at a considerable cost to the
consumer confidence that would be expected to drive a market in
encryption software to begin with.
What you think of these bills has a good deal to do with how you think
the worlds of electronic commerce and networked communal life will
develop -- and, of course, no one knows. Even the most enthusiastic
boosters of the right to encryption concede that very few people
actually use it yet. Electronic commerce itself has yet to take real
shape. The main force shaping the Internet for now continues to be the
perception -- not to mention fear -- of the all-too-likely prospect
that anyone who wants to can snoop around in the stacks of your most
private data, which are constantly accumulating in unknown files.
----------
The Washington Post, June 10, 1996, p. A18.
Global Village Cops?
What will be the long-term effect of Internet technologies
on global law enforcement? The amazing story of Bill and
Anna Young, a k a Leslie Rogge and Judy Kay Wilson, offers
one possible scenario. The pseudonymous Youngs, residents
of Guatemala who the FBI says have been on a decade-long
run from U.S. justice since Mr. Rogge was convicted of a
string of bank robberies and other offenses, turned
themselves in to authorities after a neighbor recognized
Mr. Rogge's face on the FBI home page's Most Wanted list.
According to a story first told in the Guatemala Weekly,
the person who recognized him was a newly Internet-wired
14-year-old.
The vision of the future evoked by this story, of a world
in which the familiar "global village" becomes a place not
just of instant communication but of neighborly nosiness
and where no one can just melt into the crowd, is
reassuring and unnerving in about equal proportions. (What
if it were a network of hit men or an authoritarian
government seeking a dissident, rather than the FBI, making
use of this powerful technology?) But it's also worth
keeping in mind that, other than the romance of the
technology, it doesn't represent that great an advance on
current global media that have made celebrities or
fugitives' faces familiar to a vast public -- just ask
Salman Rushdie. The Rogge nabbing is the first that the FBI
credits to its home page specifically, but TV's "America's
Most Wanted" has scored similar coups.
The impossibility of predicting the exact shape of these
extensions of policing is relevant as well to a report that
the National Research Council recently issued on another
computer technology issue -- the vexed matter of whether to
ease export controls on encryption software, which encodes
information sent electronically so that only a user with a
key can decipher it.
The government until now has resisted lifting controls on
"uncrackable" encryption software -- that is, codes that
are too complex to be broken by brute force -- unless the
industry agrees to deposit keys in an escrow arrangement
with a third party so the government can seek and obtain a
warrant to read encoded communications if necessary.
Software makers, meanwhile, are pushing hard to have these
restrictions eased. The research council, an arm of the
generally neutral National Academy of Sciences, sought to
bridge the gap between industry interests and such
government agencies as the FBI and national security
agencies, whose case, they say, is based largely on
classified matter that can't be publicly discussed.
Part of the report's conclusion, which favors the easing
though not the abolition of current restrictions, is that
wider use of encryption technology will actually *help*
national security and law enforcement because more data,
economic and otherwise, will be secure to begin with. But
if the news of the changing terrain tells anything, it is
that it is far too soon to base arguments on such a
premise. Our own sense on encryption is that the national
security and law enforcement questions remain too important
to be sacrificed lightly, despite the considerable economic
interests of the parties on the other side. But the world
of Internet law enforcement is still taking shape. Whatever
the public conclusion on encryption, the debate should not
rest on any assumptions about what that shape will be.
-----------
> The Washington Post, July 27, 1996, p. A22.
>
>
> Speaking in Code on the Internet ... [Editorial]
>
>
> The decibel level has been rising in the argument over how
> much control the federal government should have over the
> export of encryption technology. The Senate Commerce
> Committee held hearings Thursday on a proposal dubbed
> Pro-CODE (Promotion of Commerce On-line in the Digital Era)
> that would lift current restrictions on exporting
> encryption software above a certain level of complexity.
> The move is opposed strongly by law enforcement and
> national security authorities, who fear the consequences to
> their tracking of terrorism or crime if uncrackable
> cryptography becomes the global standard.
>
>
> But encryption software -- which scrambles a person's
> computer messages so no one can read them without a key --
> also is thought by many in the computer industry to be the
> missing piece that's preventing customers from a full-scale
> move to the Internet for banking and other confidential
> transactions, rather than, as now, worrying about the
> security of their data. They also see it as a market in
> which the United States maintains a comfortable lead, one
> that is threatened if domestic encryption makers can't sell
> their products elsewhere. The makers argue that foreign
> encryption software will rush in to fill the gap, doing
> nothing about the uncrackability problem -- indeed, making
> it worse. The administration in turn is pursuing a wider
> international agreement to maintain controls on cryptology
> export by all the industrialized nations and has been
> putting pressure on its colleagues in the Organization for
> Economic Cooperation and Development, which will rule on
> the matter in a Paris meeting in September.
>
>
> Administration officials, including FBI chief Louis Freeh,
> have been pushing for an alternative policy of "voluntary
> key escrow" -- encryption makers would deposit a key to the
> code with a neutral third body before exporting the
> products and could then have access to the codes only by
> court order, as happens now with wiretapping. Mr. Freeh,
> testifying at Thursday's hearing in favor of an optional
> key escrow plan, noted that the point is not to prevent all
> copies of uncrackable code from going abroad -- that's
> clearly impossible -- but to prevent such high-level code
> from becoming the international standard, with architecture
> and transmission channels all unreadable to world
> authorities. To software companies and Internet users who
> have been clamoring for the right to encrypt as securely as
> possible, Mr. Freeh and others argue, "the genie is not yet
> out of the bottle" on "robust," meaning uncrackable,
> encryption.
>
>
> It's far from obvious to anyone that an optional escrow
> plan really can prevent the growth of inaccessible
> transmissions by international terrorists or criminals.
> Encryption, if widely used, could conceivably ease some
> privacy problems concerning who gets to see personal and
> financial data on individuals -- though such data usually
> are vulnerable to being dug out of storage rather than
> intercepted in transmission. But neither is it clear that
> the encryption enthusiasts' desire for free development
> should take precedence over the tracking of terrorism. At
> the very least, Congress should be exceedingly cautious
> about getting out ahead of administration concerns on
> controls that, once lifted, are hardly reversible.
----
The Washington Post, October 4, 1996, p. A22.
Crypto Politics [Editorial]
The Clinton administration once had a coherent, if
unpopular, position on encryption software, the stuff that
allows you to encode your email messages or other data so
that no one can read it en route without a key. Now, in the
wake of word that the president will sign an executive
order, the position is no longer coherent, nor discernibly
more popular with the high-tech audience it attempts to
mollify.
People and companies doing international financial business
are highly interested in this kind of software, the more
powerfully "uncrackable" the better. The U.S. software
industry thinks there's a lot of money in it, especially if
encryption becomes routine.
The administration position till recently was that, much as
U.S. software companies might profit from being able to
market "uncrackable" encryption software freely, national
security and law enforcement considerations dictated that
such exports be controlled by license. Powerful encryption,
like arms, could be dangerous in the hands of terrorists,
rogue governments or international criminals. The software
was classed as a munition; software above a certain
uncrackability level could not be exported unless law
enforcement authorities could get access somehow to the
"key" after obtaining the proper warrants.
Unbreakable codes on the loose strike us as a real danger,
a legitimate reason for tight export controls. But if the
administration really believes this, you'd think it would
stick with steps that can plausibly meet the goal of
control.
Instead, trying to please, it has been splitting and
splitting the difference between itself and the largely
unmoved industry, which argues that no one will buy an
encryption product that a government can decrypt at will.
As with arms sales, the companies also argue that if they
don't sell it, somebody else will, and that anyway it's far
too late to fence off rogues. The national security people
respond that there is still a "window," perhaps two years,
in which they can prevent, if not all leaks of unauthorized
crypto technology, at least its off-the-shelf use and wide
adoption as the international standard.
The administration initially proposed, then repeatedly
refined, the concept of key "escrow" -- depositing a copy
of the code with trusted third parties -- but never came up
with a version the industry would accept. It commissioned
a National Research Council report, which recommended a
significant easing of restrictions. Now the president
appears to have embraced a yet looser form of licensure
upon declaration by a company that it will develop a plan
within two years for key recovery. Also, the technology no
longer will be considered munitions.
What kind of plan? Nobody can quite say. What if the plans
aren't acceptable? Licensing will revert to the old rule in
two years. Will the security issue be moot by then?
Probably. Barring some burst of clarity, one is left
wondering whether the administration has compromised or
caved, and what it now believes about the dangers of
exporting uncrackable software.
----------
Showdown on Encryption
Sunday, May 25 1997; Page C06
The Washington Post
AFTER A YEAR'S rumbling, Congress seems ready to mount a direct
challenge to the administration's position on encryption, the sticky
issue of how to handle software that creates, for commercial use,
codes too strong to break. The House Judiciary Committee the other day
passed a bill dubbed Security and Freedom Through Encryption, or SAFE,
which would undo existing curbs on the export of "uncrackable"
encryption technology abroad without a license. The administration has
fought to maintain those curbs against increasing pressure from the
manufacturers of such software and from a loose but growing coalition
of privacy and civil liberties groups. A similar bill is pending in
the Senate.
The administration maintains that the sellers of software capable of
encrypting electronic messages to a complexity beyond ready cracking
shouldn't sell it abroad -- or, if they do, should be prepared to
deposit keys to the codes with trusted commercial third parties at
home. Police or national security authorities could get these keys
with a search warrant or court order, as in normal investigations, and
a market would develop to provide the third-party service of holding
them.
This vision of a worldwide "key management" structure is a clever way
to reconcile two otherwise contradictory desires: the desire of
Internet users for absolute security and privacy in electronic
transactions and the government's desire to prevent criminals and
terrorists from making themselves impregnable to a degree never before
seen. "Key management" does not, however, exist. And the
administration has gone so far toward undercutting its own position --
saying key escrow should be voluntary, trying to accommodate industry
with numerous exemptions, licensing uncrackable software separately
for banks -- that it's not clear it ever will exist.
Meanwhile, the once-obscure drive to make unlimited-strength
cryptography available to all has picked up momentum -- and some odd
allies. Phyllis Schlafly was among those who testified in favor of the
SAFE bill, saying it would protect Americans from unprecedented
government intrusion and the FBI reading their mail. Libertarian
groups such as Americans for Tax Freedom are enthusiastic about the
vision of a world where powerful, widely available encryption renders
communications totally safe.
The odd part is that there currently are no restrictions on use of
uncrackable encryption software within this country. The software
industry has argued that the export control makes for a de facto
domestic curb, because it's too complicated to market a full-strength
version for the domestic market and a weaker one for the foreign
market. But this isn't a very persuasive argument, since most popular
software programs exist in dozens of versions for different markets
and in different languages.
The real question is whether you believe this stuff poses a
significant national security threat in the wrong hands. If you do --
and we think it irresponsible to assume otherwise -- then it's not
enough to declare uncrackable privacy a civil right. You have to at
least address the question of how to minimize intrusion into that
right while preserving some ability to grapple with the potential
danger. Neither the SAFE advocates in Congress nor the
administration's voluntary escrow enthusiasts up to now have laid out
that vision in a convincing way.
###