[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CDT Policy Post 3.13 - New FBI Crypto Bill To Force Key Recovery

    _____ _____ _______
   / ____|  __ \__   __|   ____        ___               ____             __
  | |    | |  | | | |     / __ \____  / (_)______  __   / __ \____  _____/ /_
  | |    | |  | | | |    / /_/ / __ \/ / / ___/ / / /  / /_/ / __ \/ ___/ __/
  | |____| |__| | | |   / ____/ /_/ / / / /__/ /_/ /  / ____/ /_/ (__  ) /_
   \_____|_____/  |_|  /_/    \____/_/_/\___/\__, /  /_/    \____/____/\__/
   The Center for Democracy and Technology  /____/     Volume 3, Number 13
      A briefing on public policy issues affecting civil liberties online
 CDT POLICY POST Volume 3, Number 13                    September 8, 1997

 CONTENTS: (1) New FBI Draft Crypto Bill Would Force Mandatory Key Recovery
           (2) Text of FBI Proposal
           (3) What You Can Do
           (4) How to Subscribe/Unsubscribe
           (5) About CDT, contacting us

  ** This document may be redistributed freely with this banner intact **
        Excerpts may be re-posted with permission of <[email protected]>
         ** This document looks best when viewed in COURIER font **


In its most audacious crypto proposal yet, the FBI is circulating on
Capitol Hill legislation to impose full domestic controls on the
manufacture and use of encryption.  The FBI is seeking support for its
proposal among two crucial House Committees preparing to consider
encryption legislation this week.

The text of the key section of the FBI draft is attached below.

The FBI draft would take two extraordinary steps. It would prohibit the
manufacture, sale, import or distribution within the United States of any
encryption product unless it contains a feature that would create a spare
key or some other trap door allowing "immediate" decryption of any user's
messages or files without the user's knowledge.

In addition, it would require all network service providers that offer
encryption products or services to their customers to ensure that all
messages using such encryption can be immediately decrypted without the
knowledge of the customer.  This would apply to telephone companies and to
online service providers such as America Online and Prodigy.

In the FBI draft, the "key recovery capability" could be activated by the
purchaser or end user.  But requiring that such a capability be installed
in all domestic communications networks and encryption products would be
the critical step in enabling a national surveillance infrastructure.

The proposal requires the Attorney General to set standards for what are
and are not acceptable encryption products. The proposal's requirement of
"immediate" decryption would seem to seriously limit the options available
to encryption manufacturers seeking approval of their products.

While export of encryption products from the United States has long been
restricted, there have never been controls on the manufacture,
distribution, or use of encryption within the United States.

Pending before the House Intelligence and National Security Committees is
the Security and Freedom through Encryption Act (SAFE, HR 695), sponsored
by Rep. Goodlatte (R-VA), which would lift current export controls on
encryption technology. The Goodlatte bill has already been reported
favorably by the House Judiciary and International Relations Committees.
The House National Security Committee is scheduled to consider HR 695 on
Tuesday, September 9. The House Intelligence Committee has scheduled its
vote for September 11. Members of both committees are expected to consider
the FBI draft as a substitute to the SAFE bill.

This FBI proposal represents a major turn-around for the Clinton
Administration, which has denied since its first year that it was seeking
domestic controls on encryption.

The FBI proposal is an attempted end run around the Constitution.  By
creating an avenue for immediate access to sensitive decryption keys
without the knowledge of the user, the proposal denies users the notice
that is a central element of the Fourth Amendment protection against
unreasonable searches and seizures.  Just this past April, the Supreme
Court reaffirmed that the Fourth Amendment normally requires the government
to advise the target of a search and seizure that the search is being

Forcing U.S. citizens and companies to adopt so-called key recovery systems
poses serious security risks, especially when the systems can be accessed
without the knowledge of the users.  A recent study by 11 cryptography and
computer security experts concluded that such key recovery systems would be
costly and ultimately insecure (see http://www.crypto.com/key_study)

CDT executive director Jerry Berman said of the latest proposal, "This is
not the first step towards the surveillance society. It *is* the
surveillance society."


    (From FBI "Technical Assistance Draft" Dated August 28, 1997)


(a)    As of January 1, 1999, public network service providers offering
encryption products or encryption services shall ensure that such products
or services enable the immediate decryption of communications or electronic
information encrypted by such products or services on the public network,
upon receipt of a court order, warrant, or certification, pursuant to
section 106, without the knowledge or cooperation of the person using such
encryption products or services.

(b)    As of January 1, 1999, it shall be unlawful for any person to
manufacture for sale or distribution within the U.S., distribute within the
U.S., sell within the U.S., or import into the U.S. any product that can be
used to encrypt communications or electronic information, unless that
product -

       (1) includes features, such as key recovery, trusted third party
       compatibility or other means, that

           (A) permit immediate decryption upon receipt of decryption
           information by an authorized party without the knowledge or
           cooperation of the person using such encryption product; and

           (B) is either enabled at the time of manufacture, distribution,
           sale, or import, or may be enabled by the purchaser or end user; or

       (2) can be used only on systems or networks that include features, such
       as key recovery, trusted third party compatibility or other means, that
       permit immediate decryption by an authorized party without the knowledge
       or cooperation of the person using such encryption product.

(c)  (1) Within 180 days of the enactment of this Act, the Attorney General
     shall publish in the Federal Register functional criteria for complying
     with the decryption requirements set forth in this section.

     (2) Within 180 days of the enactment of this Act, the Attorney General
     shall promulgate procedures by which data network service providers and
     encryption product manufacturers, sellers, re-sellers, distributors, and
     importers may obtain advisory opinions as to whether a decryption method
     will meet the requirements of this section.

     (3) Nothing in this Act or any other law shall be construed as requiring
     the implementation of any particular decryption method in order to satisfy
     the requirements of paragraphs (a) or (b) of this section.



Are you concerned about protecting privacy and security in the information
age? Curious what your Member of Congress thinks about the issue?

  Adopt Your Legislator! Visit http://www.crypto.com/adopt for details

You will recieve customized alerts with news you can use, inlcuding the
latest information on internet-related issues, the views of your
Representative and Senators, and contact information to help you ensure
your voice is heard in the ongoing debate over the future of the
Information Age.

Visit http://www.cdt.org/crypto or http://www.crypto.com/ for detailed
background information on the encryption policy reform debate, including
the text of various legislative proposals, analysis, and other information.



Be sure you are up to date on the latest public policy issues affecting
civil liberties online and how they will affect you! Subscribe to the CDT
Policy Post news distribution list.  CDT Policy Posts, the regular news
publication of the Center For Democracy and Technology, are received by
more than 13,000 Internet users, industry leaders, policy makers and
activists, and have become the leading source for information about
critical free speech and privacy issues affecting the Internet and other
interactive communications media.

To subscribe to CDT's Policy Post list, send mail to

     [email protected]

with a subject:

     subscribe policy-posts

If you ever wish to remove yourself from the list, send mail to the
above address with a subject of:

     unsubscribe policy-posts


The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop
and advocate public policies that advance democratic values and
constitutional civil liberties in new computer and communications

Contacting us:

General information:  [email protected]
World Wide Web:       URL:http://www.cdt.org/
FTP                   URL:ftp://ftp.cdt.org/pub/cdt/

Snail Mail:  The Center for Democracy and Technology
             1634 Eye Street NW * Suite 1100 * Washington, DC 20006
             (v) +1.202.637.9800 * (f) +1.202.637.0968

End Policy Post 3.13                                               09/08/97