EPIC Analysis of the Encrypted Communications Privacy Act
Sen. Patrick Leahy (D-VT) and several other co-sponsors have introduced
the Encrypted Communications Privacy Act of 1996 (S.1587). The proposed
legislation comes in the midst of an ongoing debate concerning U.S.
encryption policy and at a time when the need for secure electronic
communications is becoming widely recognized. The explosive growth of
the Internet underscores the need for policies that encourage the
development and use of robust security technologies to protect sensitive
personal and commercial information in the digital environment. The
Electronic Privacy Information Center (EPIC) has long advocated adoption
of a national encryption policy that emphasizes the protection of
personal data and encourages the widespread dissemination of privacy-
enhancing technologies.
The text of the proposed legislation is available at:
http://www.epic.org/crypto/legislation/s1587.html
Analysis
The proposed Encrypted Communications Privacy Act addresses a number of
unresolved issues concerning the use of encryption technology. The
proposed legislation would:
- Relax export controls by transferring authority for export decisions
to the Secretary of Commerce, and mandate the removal of controls on
"generally available" encryption software;
- Create a legal framework for key escrow agents, including an
obligation to disclose keys and assist law enforcement, and establish
penalties for improper disclosure;
- Affirm the freedom to use and sell encryption within the United
States; and
- Criminalize the use of encryption which may have the effect of
obstructing a felony investigation.
Export Controls
The bill moves encryption policy in the right direction by placing
export control authority in the Commerce Department, rather than the
State Department and the National Security Agency (NSA) -- the agencies
currently charged with that responsibility. However, the legislation
would only remove export controls on encryption software to the extent
that software with similar capabilities is "generally available," or in
the "public domain or publicly available." Likewise, controls would be
lifted on hardware with encryption capabilities only if "a product
offering comparable security is commercially available from a foreign
supplier." These limitations raise two concerns:
- The Commerce Department historically has been dependent upon NSA for
assessments of the worldwide availability of encryption technology. The
Commerce Department recently released the results of a survey it
conducted of foreign encryption products. Portions of the Department's
report were classified by NSA and withheld from public disclosure
(EPIC is currently seeking the release of the complete report in a
lawsuit filed under the Freedom of Information Act; Electronic Privacy
Information Center v. Department of Commerce, C.A. No. 95-2228
(D.D.C.)). By conditioning the relaxation of export controls on a
finding that similar products are "generally available," the legislation
will likely perpetuate NSA's ability to influence export determinations
and to thwart public oversight of Commerce Department actions.
- The "generally available" requirement will continue to hamper the
development of innovative security technology by U.S. firms.
Restricting exports to products comparable to those already "available
from a foreign supplier" will ensure that foreign, and not domestic,
firms will be on the leading edge of privacy-enhancing technology. This
is necessarily a non-competitive trade policy that will continue to
obstruct the development of strong encryption.
EPIC supports the efforts of the bill's sponsors to liberalize export
control, but EPIC believes the bill should go further. EPIC supports the
complete repeal of these out-dated barriers to the development and
dissemination of software and hardware with encryption capabilities.
This is a necessary step to ensure the development of a secure Global
Information Infrastructure that promotes on-line commerce and preserves
individual privacy.
Key Escrow Procedures
As currently drafted, the bill does little to roll back the deployment
of Clipper-inspired key-escrow encryption within the federal government.
Indeed, a significant portion of the legislation is devoted to
establishing a legal framework for the management of key-escrow systems
in the private sector.
The bill would restrict certain activities by key holders and impose
criminal and civil penalties for the unauthorized disclosure of keys.
Key holders could only release keys (1) with the consent of the person
whose key is held; (2) as may be "necessarily incident to the holding of
the key;" and (3) to law enforcement or investigative officers pursuant
to federal wiretap law or the Foreign Intelligence Surveillance Act.
Under the current bill, keys could be disclosed to law enforcement
officials without satisfying a warrant requirement.
The legislation also establishes reporting requirements on the number of
orders and extensions served on key holders to obtain access to
decryption keys or decryption assistance consistent with current
reporting requirements in the federal wiretap statute.
Statutory protection for the privacy of encryption keys appears to be a
worthy goal. The bill's key-escrow procedures, however, must be
considered in the context of the larger policy debate concerning
encryption. Beginning with Clipper and continuing with the more recent
"commercial key-escrow" proposal, law enforcement agencies and the
national security community have lobbied aggressively for the
implementation of key-escrow systems that would provide government the
ability to decrypt secure data. Such proposals have also been supported
by companies that have received substantial government contracts or
promises of special deals on export licenses.
Users and most businesses
have remained firmly opposed to the key-escrow concept. Indeed, there
is virtually no installed base for key-escrow encryption, while the
number of users of non-escrowed encryption is in the millions. By
placing a Congressional imprimatur on the key-escrow concept, the
legislation will have the effect of supporting an escrow scheme that has
already been rejected by users and businesses. A statutory scheme that
creates a legal framework for key-escrow is contrary to the privacy
interests of network users and the security needs required for network
development.
EPIC recommends that the key escrow provisions of the bill be dropped.
Freedom to Use and Sell Encryption
The proposed legislation appears to affirm an absolute right to use and
sell encryption, but a close reading of the bill shows otherwise. The
proposed legislation provides that it "shall be lawful for any person
within ... the United States ... to use any encryption ..." and "to
sell in interstate commerce any encryption ..." It then modifies that
language with the words "except as provided in this Act and the
amendments made in this Act or in any other law."
As described below, the bill then sets out the first criminal penalties
yet proposed for the domestic use of encryption. Other similar
provisions could easily be added. Since there is currently no
regulation of encryption in the United States, supporters of the bill
must explain what will be accomplished by this effort to establish a
government regulatory scheme for the use of encryption.
EPIC believes that there is a fundamental constitutional right to use
encryption and would support only an unconditional articulation of that
right. The current statutory framework clearly opens the door to
further regulation of privacy-enhancing technologies.
"Unlawful Use of Encryption"
The proposed legislation contains the first explicit criminal penalties
for the use of encryption within the United States. It would
criminalize the use of encryption to "obstruct, impede, or prevent the
communication of information in furtherance of a felony ... to an
investigative or law enforcement officer." This provision is unlikely
to add much to the existing legal arsenal available to law enforcement
agencies or prosecutors. Use of encryption in furtherance of a crime
could currently be prosecuted under existing conspiracy and obstruction
of justice statutes. The effect of the proposed provision could be to
discourage the deployment of encryption where it is appropriate and to
raise unnecessary suspicion about the use of routine security
procedures. The net result could be an increased risk to public safety
and network security.
EPIC recommends that this provision be struck from the bill. As
currently drafted, it is far too broad to serve any useful purpose.
Conclusion
The proposed Encrypted Communications Privacy Act provides an
opportunity to revise outdated encryption policies that have undermined
network security, jeopardized personal privacy and frustrated public
accountability. Although the current draft of the bill does not go far
enough in removing antiquated controls on the export of encryption
technology, the proposal recognizes the need for sweeping changes to the
export regime. Removal of export restrictions on encryption technology
is a pressing need and Congress should address the issue expeditiously.
Less desirable is the bill's promotion of key-escrow encryption. This
is the Clipper-like scheme that should finally be laid to rest.
Congressional action on key-escrow management is unnecessary and the
issue certainly need not be addressed in conjunction with a relaxation
of export controls. Legislation concerning key-escrow will have a
detrimental effect on the development of secure network technologies and
necessary privacy safeguards. EPIC will remain opposed to this
provision.
EPIC commends the sponsors of the proposed legislation for moving the
public debate on the relaxation of export controls forward and
recognizing the need for an overhaul of an out-dated policy. We are
confident that further consideration of the unnecessary and potentially
dangerous provisions contained in the current version will result in a
legislative approach that best serves the needs of all concerned --
users, industry and government.
EPIC Cryptography Litigation
EPIC makes frequent and effective use of the Freedom of Information Act
(FOIA) to obtain the public release of government information concerning
cryptography and privacy policy. The following cases are among those we
are currently litigating:
- EPIC v. Department of Commerce, C.A.
No. 95-2228 (D.D.C.). This case seeks the full release of a survey
conducted by the Department on the foreign availability of encryption
software. The report was created after Congress decided not to pass
legislation in 1994 that would have relaxed export controls on
encryption. An "unclassified" version of the survey was released in
January, but substantial portions were withheld at the behest of the
National Security Agency (NSA).
- EPIC v. National Security Council, C.A.
95-0461 (D.D.C.). In this lawsuit, EPIC is seeking disclosure of
information concerning the Security Policy Board, which was established
by classified Presidential directive in September 1994 and is charged
with developing government-wide policy on information security. Based
on information we have already obtained, it appears that this new
structure is a formalization of the process that gave rise to the
Digital Signature Standard and Clipper initiatives.
- CPSR v. National Security
Agency, C.A. No. 93-1074 (D.D.C.). This lawsuit seeks the disclosure of
key NSA and National Security Council documents concerning the
controversial Clipper Chip encryption initiative. Issues to be decided
include the propriety of NSA's classification of the Clipper algorithm
on national security grounds.
EPIC Cryptography Resources
The EPIC website contains key materials on cryptography policy issues,
including:
These and other relevant materials are available at:
http://www.epic.org/crypto/
The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to focus
public attention on emerging privacy issues relating to the National
Information Infrastructure, such as the Clipper Chip, the Digital
Telephony proposal, medical record privacy, and the sale of consumer
data. EPIC is sponsored by the Fund for Constitutional Government, a
non-profit organization established in 1974 to protect civil liberties
and constitutional rights. EPIC publishes the EPIC Alert, pursues
Freedom of Information Act litigation, and conducts policy research.
For more information, email info@epic.org, HTTP://www.epic.org
or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC
20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).
The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. To subscribe, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes).