----------------------------------------------------------------------------
CDT POLICY POST
The Center for Democracy and Technology
Volume 5, Number 7
----------------------------------------------------------------------------
A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
CDT POLICY POST Volume 5, Number 7 April 15, 1999
CONTENTS: (1) Key Senators Introduce Encryption Bill (2) Major Provisions of the PROTECT Act (3) SAFE vs. PROTECT (4) Subscription Information (5) About the Center for Democracy and Technology
** This document may be redistributed freely with this banner intact ** Excerpts may be re-posted with permission of <ari@cdt.org> ________________________________________________________________________________ (1) Key Senators Introduce Encryption Bill
Senators McCain (R-AZ), Burns (R-MT), Wyden (D-OR) and Leahy (D-VT) introduced a new encryption bill this week expected to dramatically change the political dynamic of the encryption debate on Capitol Hill. The new bill does not include the immediate, broad changes in US encryption policy long sought by privacy advocates, but does lay out significant steps toward export relief by allowing the immediate export of 64-bit products and the export of 128-bit and higher Advanced Encryption Standard products by 2002.
The bill represents a major shift by Senator John McCain, the bill's author and Chairman of the powerful Senate Commerce Committee. Senator McCain was previously an important supporter of Administration encryption policy and opponent of encryption relief efforts. In the 105th Congress, McCain cosponsored the controversial Secure Public Networks Act (S.909), which included domestic key recovery provisions. In contrast, the new bill prohibits mandatory key recovery or other government access to plaintext and represents a significant shift away from Administration policy.
The new bill, the "Promote Reliable Online Transactions to Encourage Commerce and Trade (PROTECT) Act of 1999," is also cosponsored by Senators Spencer Abraham (R-MI) and John Kerry (D-MA). The full text of the bill, along with other background information, will be available on CDT's encryption web site at http://www.cdt.org/crypto ________________________________________________________________________________ (2) Major Provisions of the PROTECT Act
* Immediately decontrols 64-bit encryption products.
PROTECT raises the current 56-bit ceiling on key length to 64-bits, a moderate increase in strength that falls far short of 128-bit and "Triple-DES" worldwide standards for good security. A 56-bit key message was cracked this January by a group of researchers and encryption enthusiasts in 22 hours. While 64-bit keys are significantly stronger than these 56-bit products, experts have long argued that higher key lengths are needed to ensure security from brute-force attacks over time.
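As an added illustration (this code is not part of the Policy Post), the following Python works out what the 22-hour, 56-bit break cited above implies for longer keys. Two assumptions are ours, not the article's: that the full 2^56 keyspace was searched in those 22 hours (which makes the implied rate conservative), and, for the forward projection, that attacker speed doubles every 18 months.

```python
from fractions import Fraction

# Reference point from the text above: a 56-bit key was recovered by
# exhaustive search in 22 hours (January 1999). We ASSUME the whole
# keyspace was searched; the real search stopped when the key was found.
REF_KEY_BITS = 56
REF_SECONDS = 22 * 3600
SECONDS_PER_YEAR = 365 * 24 * 3600

# ASSUMED doubling period for attacker hardware speed (Moore's-law style).
DOUBLING_PERIOD_YEARS = 1.5


def implied_keys_per_second(key_bits=REF_KEY_BITS, seconds=REF_SECONDS):
    """Exhaustive-search rate implied by the reference break, as an exact rational."""
    return Fraction(2 ** key_bits, seconds)


def exhaustive_search_seconds(key_bits, keys_per_second):
    """Worst-case seconds to try every key of a key_bits-bit cipher at a given rate."""
    return Fraction(2 ** key_bits) / keys_per_second


def scale_search_time(target_bits, ref_bits=REF_KEY_BITS, ref_seconds=REF_SECONDS):
    """Search time for target_bits keys at the rate that broke ref_bits keys.

    Every additional key bit doubles the keyspace, so the work grows by
    2 ** (target_bits - ref_bits). A 64-bit key is therefore only 256 times
    harder than a 56-bit key, not 'eight bits safer' in any absolute sense.
    """
    return Fraction(ref_seconds) * Fraction(2) ** (target_bits - ref_bits)


def seconds_to_years(seconds):
    """Convert a (possibly rational) number of seconds to years as a float."""
    return float(seconds) / SECONDS_PER_YEAR


def doublings_to_match_reference(target_bits, ref_bits=REF_KEY_BITS):
    """Hardware-speed doublings needed before target_bits keys fall as fast
    as ref_bits keys did at the reference rate: one doubling per extra bit."""
    return target_bits - ref_bits


def years_of_margin(target_bits, doubling_period_years=DOUBLING_PERIOD_YEARS,
                    ref_bits=REF_KEY_BITS):
    """Years until a target_bits key is breakable in the reference time,
    under the assumed doubling period. 64-bit keys buy only 8 doublings."""
    return doublings_to_match_reference(target_bits, ref_bits) * doubling_period_years


if __name__ == "__main__":
    rate = implied_keys_per_second()
    print(f"implied rate: {float(rate):.3e} keys/s")
    print(f"{'bits':>5} {'worst-case search':>22} {'margin (years)':>15}")
    for bits in (56, 64, 80, 112, 128):
        secs = exhaustive_search_seconds(bits, rate)
        if secs < SECONDS_PER_YEAR:
            when = f"{float(secs) / 3600:.1f} hours"
        else:
            when = f"{seconds_to_years(secs):.3e} years"
        print(f"{bits:>5} {when:>22} {years_of_margin(bits):>15.1f}")
```

The table shows the point the paragraph makes only in words: at the January 1999 rate a 64-bit key falls in about 235 days, and under the assumed 18-month doubling it is back down to a 22-hour job in roughly 12 years, whereas 128-bit keys are out of reach of exhaustive search on any such timeline.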
* Directs NIST to complete development of the Advanced Encryption Standard (AES) and decontrols export of AES and equivalent products by 2002.
NIST is currently in the process of developing the Advanced Encryption Standard (AES), a strong new global standard based on encryption of 128 bits and higher. In January 1999, NIST advised the U.S. government to revise its current encryption standard, "DES," because "exhaustion of DES (i.e. breaking a DES encryption ciphertext by trying all possible keys) has become increasingly more feasible with technology advance."
The PROTECT Act gives NIST a deadline of Jan. 1, 2002 for development of AES. After Jan. 1, 2002, the US "may no longer impose United States encryption export controls on encryption products if the encryption algorithm and key length employed were incorporated in the AES, or have equivalent strength..."
This significant provision would effectively sunset most encryption export controls by allowing wide export of the strongest security products by 2002. In doing so, however, the bill would place a great deal of pressure on the process of developing AES. Care will be needed to ensure that AES remains a secure standard that can be trusted by encryption users.
* Does not contain criminal provisions.
Several encryption export relief bills, including the SAFE Act, contain provisions that penalize the use of encryption in the furtherance of a crime. These provisions have long been a concern for privacy advocates because, while narrowly drafted, they would be the first domestic restrictions on encryption and threaten to chill its use. The PROTECT Act does not contain any of these criminal provisions.
* Allows export of strong encryption products to certain trusted end-users, export of recoverable products, and export of "crypto-ready" products.
PROTECT allows immediate export through license exceptions of any encryption products to "legitimate and responsible entities," on-line merchants, and foreign governments that are U.S. allies. "Legitimate and responsible" entities broadly includes: firms with publicly traded shares; U.S. corporate subsidiaries or affiliates; firms required by law to maintain plaintext records; regularly audited organizations; and "online merchants who use encryption to support electronic commerce." It appears the bill would not necessarily allow export to non-profit groups like human rights organizations, or to individual users of mass market encryption.
PROTECT would allow export of any encryption that provides plaintext access capabilities, such as key recovery. The bill would also allow export of so-called "crypto-with-a-hole" encryption-ready systems.
* Allows export of generally available products over 64-bits.
The PROTECT Act gives the Secretary of Commerce authority to grant license exemptions to products over 64-bits if they are "generally available" or if a comparable product "is, or will be within the next 12 months" generally available from a foreign supplier. The bill creates an Encryption Export Advisory Board to make recommendations to the Secretary of Commerce regarding the availability of encryption products. While the Secretary's decision is subject to judicial review, the President may override the Board's determinations for purposes of national security without review.
* Prohibits domestic controls and mandatory plaintext access.
The PROTECT Act contains a sweeping provision that prohibits any federal or state agency from requiring, setting standards for, or providing incentives requiring key recovery "or any other plaintext access capability."
The bill also affirmatively allows the domestic use and sale of encryption of any strength. While this provision does not change current law, PROTECT makes a useful statement of principle by Congress that the Administration's export controls should not restrict the domestic use of encryption. ________________________________________________________________________________ (3) SAFE vs. PROTECT
The Security and Freedom through Encryption (SAFE) Act, currently making its way through the House of Representatives, provides immediate export relief for the strongest encryption products, regardless of key length and algorithm. CDT believes that computer users around the world need this immediate, comprehensive export relief in order to protect their privacy online. SAFE is broadly supported by CDT, other civil liberties groups, and industry representatives, and was recently passed by the House Judiciary Committee.
The PROTECT Act does not go as far in providing encryption export relief, or as fast. While it takes steps forward by allowing the immediate export of 64-bit products and stronger products to certain end users, the new bill does not allow for the export of the strongest products to consumers of mass market encryption products until 2002.
Another significant difference between the two bills is that PROTECT, unlike SAFE, does not contain criminal penalties for the use of encryption in the furtherance of a crime.
For background on SAFE: cdt.org
To become more involved in the public debate over encryption and other Internet civil liberties issues, join CDT's Internet Activist list. For more information, see: cdt.org ________________________________________________________________________________ (4) SUBSCRIPTION INFORMATION
Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post news distribution list. CDT Policy Posts, the regular news publication of the Center for Democracy and Technology, are received by Internet users, industry leaders, policymakers and activists, and have become the leading source for information about critical free speech and privacy issues affecting the Internet and other interactive communications media.
To subscribe to CDT's Policy Post list, send mail to
majordomo@cdt.org
In the BODY of the message (leave the SUBJECT LINE BLANK), type
subscribe policy-posts
If you ever wish to remove yourself from the list, send mail to the above address with NOTHING IN THE SUBJECT LINE and a BODY TEXT of:
unsubscribe policy-posts _____________________________________________________________________________
(5) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US
The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies.
Contacting us:
General information: info@cdt.org World Wide Web: cdt.org
Snail Mail: The Center for Democracy and Technology 1634 Eye Street NW * Suite 1100 * Washington, DC 20006 (v) +1.202.637.9800 * (f) +1.202.637.0968
---------------------------------------------------------------------------- End Policy Post 5.7 4/13/99 ----------------------------------------------------------------------------
------------------------------------ Ari Schwartz Policy Analyst Center for Democracy and Technology 1634 Eye Street NW, Suite 1100 Washington, DC 20006 202 637 9800 fax 202 637 0968 ari@cdt.org cdt.org ---------------------------------