19 September 1997

Date: Fri, 19 Sep 1997 19:30:58 -0500
To: John Young <jya@pipeline.com>
From: Vin McLellan <vin@shore.net>
Subject: <fyi> Bidzos of RSA on "Rush to Legislation"

Hi John,

I don't know if you might have a use for this, but I've decided we desperately need to get more brief and relatively straightforward educational pieces in circulation. Jim Bidzos of RSA bounced a draft of this column off me. Given the pace of events in Congress, I asked him if I could pass it on to interested folk online rather than wait until it gets ink on paper somewhere. I particularly commend the second to last graph to your attention. Use it as you see fit and useful.

Suerte, _Vin

Vin McLellan
The Privacy Guild

The Encryption Debate: Too Much at Stake to Rush to Legislation

By Jim Bidzos

Recently, the debate over encryption has intensified. FBI Director Louis Freeh, in his September 3rd testimony before a subcommittee of the Senate Judiciary Committee, sought legislation that would require "key recovery" techniques in all encryption products made and used in the US. The proposed legislation discussed at the hearing, S909, the McCain-Kerry bill, would require that all encryption products manufactured, sold, or used in the US provide on-demand government access with a properly authorized court order.

No one wants to see the FBI stymied in its efforts to do its public safety job. But unfortunately, the debate in the Senate seems to suggest that those opposed to S909 are ignorant of national security concerns, or, worse, willing to put national security at risk for commercial interests. This situation may cause lawmakers to overlook the important issues currently missing from the debate: a clear picture of the potential implications of the legislation the FBI seeks, and identification of safeguards against abuse of a key recovery system.

This debate centers around the use and export of strong encryption (currently, US companies may not freely export products with strong encryption) for use by businesses and individuals to ensure privacy and confidentiality of information in a digital world. Strong encryption is essential in order to conduct business securely and to guard against many forms of espionage, attacks, computer break-ins and theft of information. Strong encryption prevents crime.

However, the same encryption is also seen as a threat to law enforcement and national security concerns. They see it as hindering, and possibly preventing, them from successfully safeguarding the public from criminals who will use encryption to conceal their activities.

Inside the US, advanced, strong, unescrowed encryption is in use in tens of millions of products, including every browser sold by Netscape and Microsoft, and numerous other products. The international community quickly moved to adopt and deploy encryption, with companies springing up in Germany, South Africa, Ireland, Belgium, Switzerland, and Singapore to exploit opportunities created by US export policy.

Criticism of S909 comes from three groups. First, from privacy advocates and technologists who fear an unmanageable key recovery system that would invite abuse from within and outside the government, and significantly weaken the infrastructure on which we all will depend. The second group is the computer industry, which fears that a law requiring products to include US government access will make them unable to compete in a world where roughly 60% of their revenues come from outside the US, where their foreign competitors are not so bound. Third, US companies operating internationally are concerned that foreign governments with key recovery - we assume no foreign government will let the US government hold the keys - will use it to steal intellectual property or other valuable business secrets and pass it on to their own industry. (Using government intelligence to help state-owned industries win business from US companies is a well-established practice in France and elsewhere.) Let's take a closer look at the first two arguments.

In the cyber society we are rapidly moving towards, everything about us will be stored digitally. Contrary to assertions by the FBI (which says it only wants to maintain wiretap capabilities as they have existed since 1968), the proposal for key recovery is not the digital equivalent of putting alligator clips on phone wires. It is more like giving the government the keys to our entire personal and professional lives. Keys that are difficult to control and track. And while the FBI says that access will only be by authorized court order, they have not addressed how controls and audit will prevent abuse in the form of non-intrusive, surreptitious use of these valuable keys. The far-reaching implications of such an unprecedented government capability must be analyzed and debated further for the protection of all. Would you allow local and federal law enforcement to have and store a copy of the key to your home and your filing cabinets? It is interesting to note that the encryption issue is a rare case where both the National Rifle Association and the Civil Liberties Union are on the same side, opposed to any law that restricts an individual's use of encryption.

Industry has legitimate and serious concerns about the effect S909 will have on their ability to compete in a global marketplace. The FBI's plan is to require key recovery in products built, sold, or used in the US. Clearly, their hope is that the US market, thus regulated, will sway the international market. But if other countries - as Germany already has - choose not to control the export of encryption or require key recovery, how will US industry compete? Even Director Freeh admits that given a choice of government key recovery and non-government key recovery products, corporations and individuals will choose the latter. Having failed in its attempts to gain international consensus on key recovery, the administration, like the Congress, must accept this threat to our dominance of the high-tech industry as reality. The threat is simply that US competitiveness will become a casualty of the crypto-wars, as we struggle to comply with a law no one fully understands, and foreign suppliers step in to meet the demand. With hundreds of thousands of important, well-paying jobs in an industry we currently lead at stake, economic well-being must be considered more carefully as part of the national security formula.

The chorus of voices supporting an end to government control of encryption has grown in recent years. It includes millions of individuals; most of industry; numerous industry groups, including the Software Publishers Association and the Business Software Alliance; a majority of the US House of Representatives (1); a Federal Judge (2); and the California Legislature (3). These are organizations and people who have studied this problem closely. Their position is supported by numerous studies, including one done by the National Research Council, which urges relaxation of export controls and a "go slow" policy on key recovery, which it called unproved.

There is a fourth group that should be interested, but seems not to be. That is the Congress itself. Will Congress (and the Judicial Branch as well) be exempt, and be able to purchase non-key-recovery products? Or will the Attorney General and FBI Director have access to all their most sensitive communications?

With so much at stake, we can only hope that the Senate will be willing to look more closely at and hear more voices on this critical issue before turning S909 into law. If you have an opinion on this issue, your representatives in Congress should hear from you. It's the only vote you'll get.


Jim Bidzos is president of RSA Data Security, Inc. of Redwood City, California, a pioneer in the field of encryption whose technology is the most widely used in the world. More information on the subject, including a "Frequently Asked Questions about Cryptography" primer, as well as free personal encryption software with no government access (still legal today), can be found at www.rsa.com

(1) More than half of the members of the House are co-sponsors of the SAFE bill - Security and Freedom Through Encryption - HR695, authored by Rep. Bob Goodlatte, D-Va., which would prohibit domestic US government controls on encryption. However, during the week of September 8, the House Intelligence Committee modified the SAFE Bill to look more like McCain-Kerry.

(2) On August 26, 1997, the Hon. Marilyn Hall Patel ruled against export control of encryption, saying in part "the encryption regulations are an unconstitutional prior restraint in violation of the First Amendment."

(3) California Senate Joint Resolution 29 gained final passage September 5, 1997, when the state Assembly passed, by a vote of 79-0, a resolution calling for the enactment of the SAFE bill.

[End Bidzos statement]

"Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege."

_ A thinking man's Creed for Crypto/ vbm.

* Vin McLellan + The Privacy Guild + <vin@shore.net> *
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548