EPIC Preliminary Analysis of E-PRIVACY Encryption Bill
Senators John Ashcroft (R-MO) and Patrick Leahy (D-VT) have introduced the "Encryption Protects the Rights of Individuals from Violation and Abuse in Cyberspace (E-PRIVACY) Act." The proposed legislation is the latest in a series of congressional measures designed to resolve the debate surrounding current U.S. encryption policy.
Like the SAFE Act (H.R. 695) now pending in the House, the E-PRIVACY Act seeks to relax existing controls on the export of encryption products. Controls would be lifted for encryption products that are deemed to be "generally available" within the international market. Exporters would be given new procedural rights to obtain expedited determinations on the exportability of their products.
The bill also contains several provisions that would preserve the right of Americans to use encryption techniques and that would enhance the privacy protections currently accorded to personal communications and stored data. Among its positive features, the bill:
- Reiterates the right of Americans to use, develop, manufacture, sell, distribute, or import any encryption product, regardless of the algorithm selected, key length, or the existence of key recovery capabilities;
- Prohibits government-compelled key escrow or key recovery;
- Prohibits government agencies from creating any linkage between cryptographic methods used for authentication and those used for confidentiality;
- Prohibits the federal government from purchasing key recovery encryption systems that are not interoperable with other commercial encryption products; and
- Provides enhanced privacy protections for stored electronic data held by third parties, location information generated by wireless communications services, and transactional information obtained from pen registers and trap and trace devices;
The bill contains two provisions that raise significant civil liberties and privacy concerns:
The Criminalization Provision
The bill would make the use of encryption to conceal "incriminating" communications or information during the commission of a crime a new and independent criminal offense.
While well-intended, the provision could have several unintended consequences that would easily undermine the other desirable features of the bill.
We believe it is a mistake to create criminal penalties for the use of a particular technique or device. Such a provision tends to draw attention away from the underlying criminal act and casts a shadow over a valuable technology that should not be criminalized. It may, for instance, be the case that a typewritten ransom note poses a more difficult challenge for forensic investigators than a handwritten note. But it would be a mistake to criminalize the use of a typewriter simply because it could make it more difficult to investigate crime in some circumstances.
Additionally, a provision which criminalizes the use of encryption, even in furtherance of a crime, would give prosecutors wide latitude to investigate activity where the only indicia of criminal conduct may be the mere presence of encrypted data. In the digital age, where techniques to protect privacy and security will be widely deployed, we cannot afford to view encryption as the potential instrumentality of a crime, just as we would not today view the use of a typewriter with suspicion.
Finally, the provision could also operate as a substantial disincentive to the widespread adoption of strong encryption techniques in the communications infrastructure. Given that the availability of strong encryption is one of the best ways to reduce the risk of crime and to promote public safety, the retention of this provision in the legislation will send a mixed message to users and businesses -- that we want people to be free to use encryption but will be suspicious when it is used.
If the concern is that encryption techniques may be used to obstruct access to evidence relevant to criminal investigations, we submit that the better approach may be to rely on other provisions in the federal and state criminal codes (including sections relating to obstruction of justice or concealment) to address this problem if it arises.
The "NET Center"
The bill creates within the Department of Justice a National Electronic Technology Center (NET Center) to "serve as a center for . . . law enforcement authorities for information and assistance regarding decryption and other access requirements."
The NET Center would have a broad mandate and could spawn a new domestic surveillance bureaucracy within the Department of Justice. Among other powers, the bill authorizes the NET Center to:
- examine encryption techniques and methods to facilitate the ability of law enforcement to gain efficient access to plaintext of communications and electronic information;
- conduct research to develop efficient methods, and improve the efficiency of existing methods, of accessing plaintext of communications and electronic information;
- investigate and research new and emerging techniques and technologies to facilitate access to communications and electronic information; and
- obtain information regarding the most current hardware, software, telecommunications, and other capabilities to understand how to access digitized information transmitted across networks.
The mission of the NET Center is made more troubling by the bill's authorization of "assistance" from other federal agencies, including the detailing of personnel to the new entity. In light of the fact that existing federal expertise in the areas of electronic surveillance and decryption resides at the National Security Agency (NSA), the bill in effect authorizes unprecedented NSA involvement in domestic law enforcement activities. Such a result would be contrary to a half-century-old consensus that intelligence agencies must be strictly constrained from engaging in domestic "police functions."
That consensus arose from the recognition that intelligence agencies created to operate abroad are ill-suited for domestic activities, where U.S. citizens enjoy constitutional protections against governmental intrusions. In 1975, Sen. Frank Church led a congressional investigation into the activities of NSA. He noted that Congress had a "particular obligation to examine the NSA, in light of its tremendous potential for abuse. ... The danger lies in the ability of NSA to turn its awesome technology against domestic communications."
In 1987, Congress enacted the Computer Security Act, which sought to vest civilian computer security authority in the Commerce Department and to limit the domestic role of NSA. The House Report on the Computer Security Act cited congressional concern over a Reagan Administration directive that "gave NSA the authority to use its considerable foreign intelligence expertise within this country." The report noted that such authority was "particularly troubling" since NSA "has, on occasion, improperly targeted American citizens for surveillance."
The NET Center proposal, if approved, would constitute a fundamental re-definition of the relationship between intelligence agencies and domestic law enforcement. Such an approach would ignore 50 years of experience and would pose a serious threat to the privacy and constitutional rights of Americans.
EPIC looks forward to working with the legislation's sponsors and other interested parties to address these issues and develop a national encryption policy that will ensure the widespread availability of robust encryption products and the preservation of constitutional rights. Such a result will be critical for both our nation's continued leadership of the information industry and the protection of personal privacy in the next century.
Return to the EPIC Crypto Page