11 May 1998

Date: Mon, 11 May 1998 17:27:47 -0700 (PDT)
From: Declan McCullagh <declan@well.com>
To: cypherpunks@cyberpass.net
Subject: Summary of E-PRIVACY encryption bill

---------- Forwarded message ----------
Date: Mon, 11 May 1998 17:27:16 -0700 (PDT)
From: Declan McCullagh <declan@well.com>
To: politech@vorlon.mit.edu
Subject: Summary of E-PRIVACY encryption bill

Tomorrow morning Sens. John Ashcroft and Patrick Leahy will hold a press
conference to announce the E-PRIVACY act, largely drafted by the Americans
for Computer Privacy industry group. 

The Netly News obtained a draft of the bill last month:


Here's my summary of the legislation. Keep in mind that portions are
likely to have changed: for instance, an ACP core group met today for a
closed-door confab.



Summary of E-PRIVACY Act

* Encryption purchased by the federal government must interoperate with
commercial crypto that doesn't have key recovery. The government can't
require key recovery crypto for interactions with the government. 

* Neither federal nor state governments can set standards for
non-confidentiality encryption such as digital signatures.

* Creates a NET center inside Justice Department that can ask any federal
agency for decryption help -- think NSA (this is from the House Commerce
committee version). 

* Amends 18 USC 2518 to let courts compel a wire or electronic communication
service provider to help with decryption for 30 days; FISA also extended

* Offers the same protection for stored data that you'd have "if the
electronic records had remained in that person's possession." Also, the
government may require the key holder to help in decryption with warrant
or subpoena (Who is the "key holder?" Probably not the "person who created
the electronic data or communication," though this is unclear.)  Also
defines "networked electronic storage" 

* Allows the U.S. government to sign crypto-assistance treaties; other
countries can ask the U.S. attorney general to ask for a court order that
"directs the key holder involved" to hand their keys over to the other
country. The judge will consider whether the foreign country's law "provides
for adequate protection against arbitrary interference with respect to
privacy rights," whatever that means.

* Encryption that's "generally available" -- mass market -- can be
exported after a one-time 15 day Commerce Department review. (Some
observers say this would give the government the source code to programs
where it would be otherwise unavailable, thus making cryptanalysis

* Products that provide an "interface mechanism for interaction with other
encryption products covered" may be exportable after one-time 15 day
Commerce Department review. Like operating systems, maybe?

* No license needed for technical data export (think consulting services)

* If the crypto product is *not* generally available, an export advisory
board will make a recommendation to the secretary of commerce. The makeup of
the board: 3 spooks, 4 private sector members, commerce department
undersecretary for export administration chairs (currently William
Reinsch). FACA does not apply, but judicial review does. 

* Non-confidentiality crypto such as digital signatures is freely

* The "use crypto in a crime go to jail" looks like the narrowed -- that
is, not as pernicious -- version with 5-10 year penalties, not the 10-20
year penalties that were in one version of SAFE last year. 

* The president can still nix crypto exports to terrorist countries,
whatever those are.

* The Commerce Department should identify trade barriers to exports other
countries have set up (presumably via import ctrls) and report to Congress