SAFE Bill is a Good Thing--"Crypto For The Masses"
The SAFE encryption bill would put more non-escrow, strong encryption in
the hands of many more people -- and mark the death knell for government
regulation of encryption. That's why CDT supports it. That's why we hope
that people who care about privacy and security online will support it too.

1. The SAFE Bill Will Bring More Strong Crypto To More People

There is a right we don't have now: The right to export strong
cryptography. The result is that strong, easy-to-use encryption is not
seamlessly integrated into most popular products, and is not accessible to
most people (who are not as technically sophisticated as the members of
this list.)
SAFE would legalize the export (to all but a few countries such as Iran, N.
Korea, and Cuba) of non-escrow encryption *of unlimited strength* that is
designed for the mass market or is in the public domain, i.e.:

    "(i) that is generally available, as is, and is
    designed for installation by the purchaser; or
    "(ii) that is in the public domain for which
    copyright or other protection is not available
    under title 17, United States Code, or that is
    available to the public because it is generally
    accessible to the interested public in any form;"

(See also Footnote below)

Translation:

    If it's sold in Egghead Software, it's exportable.
    If it's available on the Web: exportable.
    PGP: exportable.
    3DES, IDEA, or Blowfish in mass-market products or
    public domain toolkits: Exportable. Exportable. Exportable.

So the export control provisions in SAFE would put a lot more strong crypto
-- and the freedom to use it -- in the hands of a lot more people.
SAFE's export control relief is not unlimited. The bill does not allow
export to Iran, Iraq, Cuba, or N. Korea (that's what the "Trading With The
Enemy" provision is about); Congress is not likely to pass a law saying you
can export strong crypto to Saddam Hussein. Relief is also limited for
non-mass-market hardware and software (e.g., custom systems not available
to the public). Non-mass-market hardware is exportable if "commercially
available" in the destination country; such software is exportable
according to a hard-to-parse "financial institutions" standard that roughly
translates into DES. Less than ideal -- but these provisions do not apply
to most of the hardware and software that most people use.
What SAFE does legalize is strong, non-escrow encryption in the products
that are most widely used, in almost all countries worldwide. Once
*ordinary people* have strong crypto built in to the products they use
every day, it will be much harder for governments to take it away or
restrict it.
SAFE is "strong crypto for the masses." SAFE is a huge step forward.

2. CDT Does Not Support The Criminal Provision in SAFE

CDT is actively working to get the criminal provision taken out of the SAFE
bill. We are not alone: CDT signed a letter with other groups including
EPIC, EFF, ACLU, VTW, PGP, IEEE, and ACM, urging Congress to remove the
provisions -- "while expressing our support for the measure."

Contrary to reports, the SAFE bill does not say: "Use a cipher, go to
prison." It does say: "Use cryptography TO COMMIT A CRIME, go to prison":

    2805. Unlawful use of encryption in furtherance of a criminal act

    "Any person who willfully uses encryption in furtherance
    of the commission of a criminal offense for which the
    person may be prosecuted in a court of competent jurisdiction...
    [may be imprisoned or fined]"

The Leahy bill version is narrower. It says: "Use cryptography to willfully
obstruct justice in furtherance of a felony, go to prison."

    "Whoever willfully endeavors by means of encryption to
    obstruct, impede, or prevent the communication to an
    investigative or law enforcement officer of information
    in furtherance of a felony that may be prosecuted in
    a court of the United States shall...[may be imprisoned or fined]"

CDT opposes both these provisions because they are unnecessary and could
chill the use of encryption (especially by self-confessed felons like Tim
May!). But they are not as sweeping as some on this list have said.
On balance, CDT believes that SAFE's giant step forward of export relief
and prohibitions on Executive Branch key escrow controls outweigh the
problems created by these criminal provisions. That is why we will fight to
get criminal provisions removed, while we still support the bill.
Passage of the SAFE Bill would put strong security tools in the hands of
many more people. That's why CDT supports SAFE, and why we think people
who care about privacy and security online should support it too.
-- Alan Davidson, CDT

FOOTNOTE: The Export Provisions in SAFE

The export control provisions in SAFE differentiate between so-called
mass-market and non-mass-market hardware and software.
Mass-market software and hardware with non-escrow encryption of *unlimited
strength* may be exported under the Act to all but a few countries (such as
Iran, N. Korea, and Cuba):

    (2) ITEMS NOT REQUIRING LICENSES. -- No validated license
    may be required, except pursuant to the Trading With the
    Enemy Act or the International Emergency Economic Powers
    Act (but only to the extent that the authority of such Act
    is not exercised to extend controls imposed under this
    Act), for the export or reexport of--
      "(A) any software, including software with encryption
      capabilities --
        "(i) that is generally available, as is, and is
        designed for installation by the purchaser; or
        "(ii) that is in the public domain for which
        copyright or other protection is not available
        under title 17, United States Code, or that is
        available to the public because it is generally
        accessible to the interested public in any form;
        or
      "(B) any computing device solely because it incorporates or
      employs in any form software (including software with
      encryption capabilities) exempted from any requirement for a
      validated license under subparagraph (A).

[See http://www.cdt.org/crypto/legis_105/SAFE/hr695_text.html for the
Bill's definitions of "generally available," "as is", etc.]

Non-mass-market hardware and software -- such as code not generally
available to the public via the Internet, or custom implementations not
generally available or sold "as is" -- receive less favorable treatment:

    "(3) SOFTWARE WITH ENCRYPTION CAPABILITIES. -- The Secretary
    shall authorize the export or reexport of software with encryption
    capabilities for nonmilitary end-uses in any country to which
    exports of software of similar capability are permitted for
    use by financial institutions not controlled in fact by
    United States persons, unless there is substantial evidence
    that such software will be --
      "(A) diverted to a military end-use or an end-use supporting
      international terrorism;
      "(B) modified for military or terrorist end-use; or
      "(C) reexported without any authorization by the United States
      that may be required under this Act.

This "financial institutions" standard is supposed to roughly translate
into DES.

    "(4) HARDWARE WITH ENCRYPTION CAPABILITIES. -- The Secretary
    shall authorize the export or reexport of computer hardware
    with encryption capabilities if the Secretary determines
    that a product offering comparable security is commercially
    available outside the United States from a foreign supplier,
    without effective restrictions.

So non-mass-market hardware can be exported *with any encryption algorithm*
if a "comparable" product is available outside the U.S. from a foreign
supplier without restriction.