25 August 1998

From: Greg Garcia <greg.garcia@computerprivacy.org>
To: jy@jya.com
Subject: ACP Letter to John Hamre
Date: Tue, 25 Aug 1998 11:55:55 -0400

The Executive Director of Americans for Computer Privacy, Ed Gillespie,
signed the following August 5 letter responding to remarks about
encryption made on July 21 by Deputy Secretary of Defense John Hamre to
CIO's in Aspen.  I understand that, subsequently, DOD on August 17
re-posted Hamre's speech without the Q&A.   They have not yet responded
to our points, but we do not necessarily expect them to.

August 5, 1998

Honorable John J. Hamre
Deputy Secretary of Defense
The Pentagon
Washington, DC  20301

Dear Secretary Hamre:

We at Americans for Computer Privacy were interested to review your July
21 speech on the Administration's encryption policy.  As you know, we
are actively involved in discussions with the Administration in an
effort to find a policy that fairly balances the various interests at
stake.  In that regard, we are grateful for your leadership and believe
that we are making progress.  

However, we remain concerned that the Administration's policy, by
relying so heavily on key recovery, does not give adequate weight to the
fact that critical infrastructures depend on robust encryption. They
cannot function securely if they are subject to third-party key
management, which is itself vulnerable to corruption and error.

You made a crucial observation that many of the critical infrastructures
of this country -- from defense to energy, water and emergency response
networks -- increasingly operate electronically across an internet-based
control system.  This system, in turn, is largely built with commercial,
off- the- shelf software and hardware products.  We agree that the
openness, complexity and geographic dispersion of these systems leave
them inherently vulnerable to security attacks unless they are equipped
with state-of-the-art encryption technology.  But any infrastructure
security system that is deliberately designed with another vulnerability
-- such as key recovery advocated by the Administration -- could expose
those systems, and the people and organizations who depend on them, to
serious and potentially catastrophic breaches of security and public

On a related point, we caution that many of our members do not share the
government's interest in key recovery as the best means for "employees
to leave an electronic fingerprint" on their activities within a
company.  Clearly, many companies have internal security systems to
protect against employee loss or abuse of the company's intellectual
property and sensitive business and personnel data.  But it does not
follow that these systems justify a government policy that creates a
national, public infrastructure designed to give the government advance
tools for the surveillance of private information.

Honorable John J. Hamre
August 5, 1998
Page Two

Finally, we applaud your recognition that Americans are not "prepared
for a mandatory key recovery system in this country" and that the
government will "not ask that it be mandated through law on anybody."
Unfortunately, that statement is inconsistent with the Administration's
continued policy of conditioning export approval of strong encryption on
industry's development of key recovery.  If the Administration does "not

want to block American businesses from being able to export strong
encryption" but does "want them to manage this over time," then the
Administration must let industry lead with market-driven innovations
that respond to customer demands and law enforcement and national
security needs.  We already are beginning to see this dynamic play out
in recent industry developments - as a result of market requirements,
not government requirements.

We continue to believe that the long term interests of the American
public, its government and its industry, is best served by working
together to find a solution that is driven by the marketplace, doesn't
threaten innovation or privacy, and satisfies the government's
legitimate needs.  We look forward to working with you to achieve that
goal this year.


Ed Gillespie
ACP Executive Director


Greg Garcia
Coalition Manager
Americans for Computer Privacy
1275 Pennsylvania Avenue, NW, 10th Floor
Washington, DC  20004
(ph) 202.393.5222
(fx)  202.467.0810
(email) greg.garcia@computerprivacy.org
(website)  www.computerprivacy.org