8 September 1997
Source: Mail list firstname.lastname@example.org
See McCain-Kerrey legislation:
See legislative draft on encryption: http://jya.com/gakbill-text.htm
To: email@example.com Date: Mon, 08 Sep 97 18:17:32 EST From: "Stewart Baker" <firstname.lastname@example.org> Subject: Re: US now wants to ban all non-escrowed crypto Here is a quick analysis of the latest leaked Administration legislative draft on encryption. Whether this language ever sees the light of day in this form, however, is open to doubt. With that disclaimer, here's what the bill seems likely to do. Stewart Baker THE LANGUAGE The draft borrows heavily from the structure and content of the Kerrey/McCain legislation--it even retains the title, the "Secure Public Networks Act". In fact, the provisions in Titles IV through X of McCain/Kerrey regarding the registration of certificate authorities and key recovery agents, liability, criminal penalties, defenses, international negotiations, authority of the Secretary of Commerce to investigate compliance with the Act, and authority for the Attorney General to bring actions to enjoin violations of the Act are largely unchanged in this draft. The significant changes are: -- gone is the section (102) that would prohibit mandatory third party escrow of keys. In its place is a new section (105) that would prohibit, after January 1, 1999, the provision of encryption services in the U.S., or the manufacture for sale or distribution in the U.S. of encryption products/systems, that do not have a plaintext recovery feature that may be turned on at the option of the user. -- gone is the exclusive emphasis on key recovery as the technology for assuring plaintext recovery. Instead, this legislation would require products and systems that permit immediate decryption without the knowledge or cooperation of the user. The Attorney General is to issue regulations describing these functional criteria, but there is no provision requiring public notice and comment on such regulations. -- gone is the language requiring key recovery agents to disclose recovery information when presented with a subpoena. In its place is language that indicates a court order or court authorized warrant is required before a key recovery agent may disclose recovery information. -- added is export license exception treatment for products that are access or recovery enabled, regardless of algorithm, key length, or even whether the access feature is activated. This would be broader than McCain/Kerrey which would extend license exception treatment to products with over 56-bit key lengths only if the product includes an access feature and the access feature is turned on at the time of export. -- retained is the provision to decontrol 56-bit encryption after one time review. However, the bill adds an Encryption Export Advisory Board, composed of industry and government representatives, to, among other things, recommend to the President whether the key length of encryption exports to be decontrolled should be raised beyond 56 bits. The President retains the final decision making authority, however. -- gone is the McCain/Kerrey provision that would authorize the Secretary of Commerce to prohibit any exports that could be contrary to U.S. security interests. -- added is a provision to permit license exceptions for voice products with encryption if the Secretary of Commerce determines that requiring an access feature would be a competitive disadvantage and permitting the export would be compatible with U.S. foreign and national security policies. -- retained are the provisions that require the use of accessible encryption products and services on any system used or funded by the Government, but this draft sets a January 1, 1999 date of compliance. -- contrary to earlier indications, there is no requirement for certificate authorities registered under the Act to ensure recovery information is escrowed with a recovery agent registered under the Act. ANALYSIS Even though expected, the big news with this draft is the introduction of domestic control of encryption products and services available in the U.S. For many, the idea of such controls is simply an unacceptable infringement on privacy. But even for those who could be persuaded of the need for such controls, the implementation date provided (January 1, 1999) is unworkable. Industry must have the time to research and develop access technology appropriate to their products, particularly in the telecommunications industry where the demand for security is increasing, but there is little or no market for key recovery and its associated infrastructure. Likewise, manufacturers cannot afford to write off the investments they have made in existing security products or services by being compelled to implement new designs before technology turnover would normally be expected to occur. A related concern would be to ensure new products with access features may interoperate with products or services that are already in use without such features. It is unreasonable to expect that users could afford to replace their existing systems with new products that include access features. The language of this draft would seem to permit such interoperability since the access feature is required only to be an option that may be turned on by the user, or not. But even if the legislation is understood as permitting such interoperability, the cost to manufacturers and consumers of meeting this new requirement could be substantial.
Stewart Baker, Steptoe & Johnson LLP, on the Web: http://www.steptoe.com/baker.htm