Washington Post says McCain-Kerrey bill "raises red flags"






---------- Forwarded message ----------
Date: Sun, 22 Jun 1997 20:52:08 -0700 (PDT)
From: Declan McCullagh <[email protected]>
To: [email protected]
Subject: Washington Post says McCain-Kerrey bill "raises red flags"

The Washington Post has a long history of endorsing the
Clinton administration's position on export controls of
encryption products. On June 10, 1996 the paper
editorialized that "national security and law enforcement
questions remain too important to be sacrificed lightly."
On July 27, 1996: "Congress should be exceedingly cautious
about getting out ahead of administration concerns on
controls." "Unbreakable codes on the loose strike us as a
real danger, a legitimate reason for tight export
controls," the Post said on October 4, 1996 -- worrying
the White House wasn't strict enough -- and again last month.

But even the Post couldn't quite stomach the McCain-Kerrey
bill that the Senate Commerce committee approved last week.
In an editorial today, the Post said:

	...the McCain-Kerrey legislation goes the
	other way, seeking to expand such
	restrictions to cover most of the uses of
	encryption software in the United States.
	That proposal raises red flags even if you
	believe, as we do, that there are
	legitimate national security and law
	enforcement reasons for controlling the
	diffusion of such `robust' coding software
	overseas.

Below I've attached five Washington Post editorials
on encryption. Thanks to Alan Olsen, Peter Trei,
and especially John Young for holding on to these
editorials and sending them to me.
	
-Declan

---

Senate Commerce committee and McCain-Kerrey bill:

  http://www.jya.com/declan3.txt

  http://www.jya.com/declan2.txt

Problems with SAFE and ProCODE:

  http://cgi.pathfinder.com/netly/editorial/0,1012,1022,00.html

Kerrey crypto-bill:

  http://cgi.pathfinder.com/netly/editorial/0,1012,931,00.html

------

Net Tangle on Privacy
   
   Sunday, June 22, 1997; Page C06
   The Washington Post
   
   
   PITY THE senator or representative who still hasn't quite mastered the
   details of how the Internet works, or the difference between the World
   Wide Web and e-mail. On the Net-related issues that, by all
   indications, draw the most urgent public interest -- those relating to
   privacy protection -- there are now multiple clumps of competing
   bills, whose differences are both highly important and highly
   technical.
   
   Three of these involve different strategies to curb junk e-mail; two,
   diametrically opposed, concern encryption. All these bills are
   tangential, strictly speaking, to the basic concern expressed at
   hearings before the Federal Trade Commission: how to safeguard
   personal and sensitive data about yourself once it gets into the hands
   of institutions and third parties. (The commission itself is weighing
   whether to recommend such legislation based on what it heard.) But any
   of them could powerfully affect future privacy protection.
   
   A striking example is the newest bill on encryption, sponsored by
   Sens. Robert Kerrey and John McCain, which the Senate Commerce
   Committee on Thursday voted to adopt as a replacement for a
   long-standing proposal by Sen. Conrad Burns, dubbed Pro-CODE. Where
   the Burns bill would have lifted restrictions on the export of
   "uncrackable" encryption software abroad -- restrictions that the
   administration has fought to maintain for national security reasons --
   the McCain-Kerrey legislation goes the other way, seeking to expand
   such restrictions to cover most of the uses of encryption software in
   the United States. That proposal raises red flags even if you believe,
   as we do, that there are legitimate national security and law
   enforcement reasons for controlling the diffusion of such `robust'
   coding software overseas.
   
   The bill, offered as a compromise between the administration's
   priorities and those of Congress, shows how difficult it is to square
   this particular circle. It would require users of domestic networks
   with any government funding (such as universities, many hospitals and
   government contractors) to deposit an extra "key" to their codes with
   a licensed "key management" authority -- with the licensing to be done
   by the government. Like the administration's international policy,
   this bill envisions the development of whole new government-regulated
   industries for key management, retrieval and authentication. This
   meets the needs of domestic law enforcement agencies, which could get
   the keys with an ordinary subpoena, but at a considerable cost to the
   consumer confidence that would be expected to drive a market in
   encryption software to begin with.
   
   What you think of these bills has a good deal to do with how you think
   the worlds of electronic commerce and networked communal life will
   develop -- and, of course, no one knows. Even the most enthusiastic
   boosters of the right to encryption concede that very few people
   actually use it yet. Electronic commerce itself has yet to take real
   shape. The main force shaping the Internet for now continues to be the
   perception -- not to mention fear -- of the all-too-likely prospect
   that anyone who wants to can snoop around in the stacks of your most
   private data, which are constantly accumulating in unknown files.
   
----------

   The Washington Post, June 10, 1996, p. A18.


   Global Village Cops?


   What will be the long-term effect of Internet technologies
   on global law enforcement? The amazing story of Bill and
   Anna Young, a k a Leslie Rogge and Judy Kay Wilson, offers
   one possible scenario. The pseudonymous Youngs, residents
   of Guatemala who the FBI says have been on a decade-long
   run from U.S. justice since Mr. Rogge was convicted of a
   string of bank robberies and other offenses, turned
   themselves in to authorities after a neighbor recognized
   Mr. Rogge's face on the FBI home page's Most Wanted list.
   According to a story first told in the Guatemala Weekly,
   the person who recognized him was a newly Internet-wired
   14-year-old.

   The vision of the future evoked by this story, of a world
   in which the familiar "global village" becomes a place not
   just of instant communication but of neighborly nosiness
   and where no one can just melt into the crowd, is
   reassuring and unnerving in about equal proportions. (What
   if it were a network of hit men or an authoritarian
   government seeking a dissident, rather than the FBI, making
   use of this powerful technology?) But it's also worth
   keeping in mind that, other than the romance of the
   technology, it doesn't represent that great an advance on
   current global media that have made celebrities or
   fugitives' faces familiar to a vast public -- just ask
   Salman Rushdie. The Rogge nabbing is the first that the FBI
   credits to its home page specifically, but TV's "America's
   Most Wanted" has scored similar coups.

   The impossibility of predicting the exact shape of these
   extensions of policing is relevant as well to a report that
   the National Research Council recently issued on another
   computer technology issue -- the vexed matter of whether to
   ease export controls on encryption software, which encodes
   information sent electronically so that only a user with a
   key can decipher it.

   The government until now has resisted lifting controls on
   "uncrackable" encryption software -- that is, codes that
   are too complex to be broken by brute force -- unless the
   industry agrees to deposit keys in an escrow arrangement
   with a third party so the government can seek and obtain a
   warrant to read encoded communications if necessary.
   Software makers, meanwhile, are pushing hard to have these
   restrictions eased. The research council, an arm of the
   generally neutral National Academy of Sciences, sought to
   bridge the gap between industry interests and such
   government agencies as the FBI and national security
   agencies, whose case, they say, is based largely on
   classified matter that can't be publicly discussed.

   Part of the report's conclusion, which favors the easing
   though not the abolition of current restrictions, is that
   wider use of encryption technology will actually *help*
   national security and law enforcement because more data,
   economic and otherwise, will be secure to begin with. But
   if the news of the changing terrain tells anything, it is
   that it is far too soon to base arguments on such a
   premise. Our own sense on encryption is that the national
   security and law enforcement questions remain too important
   to be sacrificed lightly, despite the considerable economic
   interests of the parties on the other side. But the world
   of Internet law enforcement is still taking shape. Whatever
   the public conclusion on encryption, the debate should not
   rest on any assumptions about what that shape will be.

-----------

>   The Washington Post, July 27, 1996, p. A22. 
> 
> 
>   Speaking in Code on the Internet ... [Editorial] 
> 
> 
>   The decibel level has been rising in the argument over how 
>   much control the federal government should have over the 
>   export of encryption technology. The Senate Commerce 
>   Committee held hearings Thursday on a proposal dubbed 
>   Pro-CODE (Promotion of Commerce On-line in the Digital Era) 
>   that would lift current restrictions on exporting 
>   encryption software above a certain level of complexity. 
>   The move is opposed strongly by law enforcement and 
>   national security authorities, who fear the consequences to 
>   their tracking of terrorism or crime if uncrackable 
>   cryptography becomes the global standard. 
> 
> 
>   But encryption software -- which scrambles a person's 
>   computer messages so no one can read them without a key -- 
>   also is thought by many in the computer industry to be the 
>   missing piece that's preventing customers from a full-scale 
>   move to the Internet for banking and other confidential 
>   transactions, rather than, as now, worrying about the 
>   security of their data. They also see it as a market in 
>   which the United States maintains a comfortable lead, one 
>   that is threatened if domestic encryption makers can't sell 
>   their products elsewhere. The makers argue that foreign 
>   encryption software will rush in to fill the gap, doing 
>   nothing about the uncrackability problem -- indeed, making 
>   it worse. The administration in turn is pursuing a wider 
>   international agreement to maintain controls on cryptology 
>   export by all the industrialized nations and has been 
>   putting pressure on its colleagues in the Organization for 
>   Economic Cooperation and Development, which will rule on 
>   the matter in a Paris meeting in September. 
> 
> 
>   Administration officials, including FBI chief Louis Freeh, 
>   have been pushing for an alternative policy of "voluntary 
>   key escrow" -- encryption makers would deposit a key to the 
>   code with a neutral third body before exporting the 
>   products and could then have access to the codes only by 
>   court order, as happens now with wiretapping. Mr. Freeh, 
>   testifying at Thursday's hearing in favor of an optional 
>   key escrow plan, noted that the point is not to prevent all 
>   copies of uncrackable code from going abroad -- that's 
>   clearly impossible -- but to prevent such high-level code 
>   from becoming the international standard, with architecture 
>   and transmission channels all unreadable to world 
>   authorities. To software companies and Internet users who 
>   have been clamoring for the right to encrypt as securely as 
>   possible, Mr. Freeh and others argue, "the genie is not yet 
>   out of the bottle" on "robust," meaning uncrackable, 
>   encryption. 
> 
> 
>   It's far from obvious to anyone that an optional escrow 
>   plan really can prevent the growth of inaccessible 
>   transmissions by international terrorists or criminals. 
>   Encryption, if widely used, could conceivably ease some 
>   privacy problems concerning who gets to see personal and 
>   financial data on individuals -- though such data usually 
>   are vulnerable to being dug out of storage rather than 
>   intercepted in transmission. But neither is it clear that 
>   the encryption enthusiasts' desire for free development 
>   should take precedence over the tracking of terrorism. At 
>   the very least, Congress should be exceedingly cautious 
>   about getting out ahead of administration concerns on 
>   controls that, once lifted, are hardly reversible. 

----

   The Washington Post, October 4, 1996, p. A22. 

   Crypto Politics [Editorial] 


   The Clinton administration once had a coherent, if 
   unpopular, position on encryption software, the stuff that 
   allows you to encode your email messages or other data so 
   that no one can read it en route without a key. Now, in the 
   wake of word that the president will sign an executive 
   order, the position is no longer coherent, nor discernibly 
   more popular with the high-tech audience it attempts to 
   mollify. 

   People and companies doing international financial business 
   are highly interested in this kind of software, the more 
   powerfully "uncrackable" the better. The U.S. software 
   industry thinks there's a lot of money in it, especially if 
   encryption becomes routine. 

   The administration position till recently was that, much as 
   U.S. software companies might profit from being able to 
   market "uncrackable" encryption software freely, national 
   security and law enforcement considerations dictated that 
   such exports be controlled by license. Powerful encryption, 
   like arms, could be dangerous in the hands of terrorists, 
   rogue governments or international criminals. The software 
   was classed as a munition; software above a certain 
   uncrackability level could not be exported unless law 
   enforcement authorities could get access somehow to the 
   "key" after obtaining the proper warrants. 

   Unbreakable codes on the loose strike us as a real danger, 
   a legitimate reason for tight export controls. But if the 
   administration really believes this, you'd think it would 
   stick with steps that can plausibly meet the goal of 
   control. 

   Instead, trying to please, it has been splitting and 
   splitting the difference between itself and the largely 
   unmoved industry, which argues that no one will buy an 
   encryption product that a government can decrypt at will. 
   As with arms sales, the companies also argue that if they 
   don't sell it, somebody else will, and that anyway it's far 
   too late to fence off rogues. The national security people 
   respond that there is still a "window," perhaps two years, 
   in which they can prevent, if not all leaks of unauthorized 
   crypto technology, at least its off-the-shelf use and wide 
   adoption as the international standard. 

   The administration initially proposed, then repeatedly 
   refined, the concept of key "escrow" -- depositing a copy 
   of the code with trusted third parties -- but never came up 
   with a version the industry would accept. It commissioned 
   a National Research Council report, which recommended a 
   significant easing of restrictions. Now the president 
   appears to have embraced a yet looser form of licensure 
   upon declaration by a company that it will develop a plan 
   within two years for key recovery. Also, the technology no 
   longer will be considered munitions. 

   What kind of plan? Nobody can quite say. What if the plans 
   aren't acceptable? Licensing will revert to the old rule in 
   two years. Will the security issue be moot by then? 
   Probably. Barring some burst of clarity, one is left 
   wondering whether the administration has compromised or 
   caved, and what it now believes about the dangers of 
   exporting uncrackable software. 


----------
                                      
Showdown on Encryption
                 
   
   Sunday, May 25, 1997; Page C06
   The Washington Post
   
   AFTER A YEAR'S rumbling, Congress seems ready to mount a direct
   challenge to the administration's position on encryption, the sticky
   issue of how to handle software that creates, for commercial use,
   codes too strong to break. The House Judiciary Committee the other day
   passed a bill dubbed Security and Freedom Through Encryption, or SAFE,
   which would undo existing curbs on the export of "uncrackable"
   encryption technology abroad without a license. The administration has
   fought to maintain those curbs against increasing pressure from the
   manufacturers of such software and from a loose but growing coalition
   of privacy and civil liberties groups. A similar bill is pending in
   the Senate.
   
   The administration maintains that the sellers of software capable of
   encrypting electronic messages to a complexity beyond ready cracking
   shouldn't sell it abroad -- or, if they do, should be prepared to
   deposit keys to the codes with trusted commercial third parties at
   home. Police or national security authorities could get these keys
   with a search warrant or court order, as in normal investigations, and
   a market would develop to provide the third-party service of holding
   them.
   
   This vision of a worldwide "key management" structure is a clever way
   to reconcile two otherwise contradictory desires: the desire of
   Internet users for absolute security and privacy in electronic
   transactions and the government's desire to prevent criminals and
   terrorists from making themselves impregnable to a degree never before
   seen. "Key management" does not, however, exist. And the
   administration has gone so far toward undercutting its own position --
   saying key escrow should be voluntary, trying to accommodate industry
   with numerous exemptions, licensing uncrackable software separately
   for banks -- that it's not clear it ever will exist.
   
   Meanwhile, the once-obscure drive to make unlimited-strength
   cryptography available to all has picked up momentum -- and some odd
   allies. Phyllis Schlafly was among those who testified in favor of the
   SAFE bill, saying it would protect Americans from unprecedented
   government intrusion and the FBI reading their mail. Libertarian
   groups such as Americans for Tax Freedom are enthusiastic about the
   vision of a world where powerful, widely available encryption renders
   communications totally safe.
   
   The odd part is that there currently are no restrictions on use of
   uncrackable encryption software within this country. The software
   industry has argued that the export control makes for a de facto
   domestic curb, because it's too complicated to market a full-strength
   version for the domestic market and a weaker one for the foreign
   market. But this isn't a very persuasive argument, since most popular
   software programs exist in dozens of versions for different markets
   and in different languages.
   
   The real question is whether you believe this stuff poses a
   significant national security threat in the wrong hands. If you do --
   and we think it irresponsible to assume otherwise -- then it's not
   enough to declare uncrackable privacy a civil right. You have to at
   least address the question of how to minimize intrusion into that
   right while preserving some ability to grapple with the potential
   danger. Neither the SAFE advocates in Congress nor the
   administration's voluntary escrow enthusiasts up to now have laid out
   that vision in a convincing way.

###