13 May 1998
From: Greg Garcia <greg.garcia@computerprivacy.org> To: "'jya@pipeline.com'" <jya@pipeline.com> Subject: FW: Encryption Bill Introduced Today Date: Wed, 13 May 1998 11:00:19 -0500 Attached is the Ashcroft-Leahy press release and bill summary for you to post on Cryptome if you wish. Subject: Encryption Bill Introduced Today Senators cosponsoring the following legislation include: Ashcroft, Leahy, Burns, Craig, Boxer, Faircloth, Wyden, Kempthorne, Murray. Ashcroft-Leahy Bill Protects Privacy of Computer Messages WASHINGTON -- U.S. Senators John Ashcroft (R-MO) and Patrick Leahy (D-VT) today introduced legislation, the E-PRIVACY Act, which protects Americans' private computer communications and allows U.S. companies to export stronger encryption programs. "Fundamentally, the debate over computer privacy is about the relationship of U.S. citizens to our government. There's been a push for legislation which would require individuals to hand over the 'keys' to their private computer files. Innocent citizens are expected to trust the bureaucracy not to abuse their personal information, in spite of actions to the contrary by agencies such as the IRS and the FBI," Ashcroft said. "The E-PRIVACY Act addresses these concerns by balancing privacy rights with legitimate concerns of law enforcement." The E-PRIVACY (Encryption Protects the Rights of Individuals from Violation and Abuse in CYberspace) Act prohibits the government from establishing a mandatory key escrow system where decryption codes are required to be deposited with a federal agency or third party. Under this bill, authorities must have a court order or subpoena to obtain decryption keys. The Ashcroft-Leahy measure also clears the way for Americans to use and sell encryption products of any strength. However, general export laws will continue to apply, including embargoes to terrorist countries. "Privacy is critical not just for personal information, but for financial and business information as well. Our bill seeks to create an environment where electronic commerce is secure and where America's technology sector continues to flourish in the global marketplace. Simply put, strong encryption means a strong economy," Ashcroft said. Americans for Computer Privacy (ACP), a broad-based coalition of businesses and organizations dedicated to protecting the privacy of all Americans' electronic communications, today announced its support for the Ashcroft-Leahy bill. As Chairman of the Senate Constitution Subcommittee, Ashcroft held a hearing in March to examine the constitutionality of placing restrictions on encryption, as the McCain-Kerrey bill (S. 909) would do. The hearing focused on the government's desire for access to computer codes that protect e-mail and other electronic communications, and Washington's effort to impose limits on the strength of computer software that secures data transmissions. SUMMARY OF THE ASHCROFT-LEAHY E-PRIVACY ACT ("Encryption Protects the Rights of Individuals from Violation and Abuse in Cyberspace") Protects Privacy of Communications and Electronic Information Affirms the rights of Americans to use and sell whatever encryption products they want at whatever strength they desire; Prohibits government-compelled key escrow or key recovery encryption; Prohibits indirect controls or ties to encryption used for authentication or integrity purposes; Requires a Title III court order to obtain decryption keys held by a third party that will be used to decrypt communications (i.e., same as is required to wiretap communications today); Extends to remotely-stored electronic information the same protections as exist under existing law (e.g., ECPA) for information stored in your home, thereby requiring a court order or subpoena to obtain either the plaintext or a decryption key/assistance from third party. Requires a judge to affirmatively decide to give the government access to location information generated by mobile electronic services. Assists Law Enforcement to Obtain Information Consistent with Constitutional Protections Makes the intentional use of encryption to conceal incriminating communications or information a crime; Clarifies that existing wiretap authority can be used to obtain communications decryption keys/assistance from third parties; Provides that decryption keys/assistance for remotely-stored electronic information can be obtained from third parties with a court order or subpoena with notice; Requires the release upon judicial order of a decryption key/assistance to the Attorney General so that plaintext of encrypted communications or stored electronic information (but not the key) may be furnished to a foreign government under certain conditions; and Creates a National Electronic Technology Center ("NET Center") to serve as a focal point for information and assistance to federal, state, and local law enforcement authorities to address the technical difficulties of obtaining plaintext of communications and electronic information because of encryption, steganography, compression, multiplexing, and other techniques. Modernizes Export Controls on Commercial Encryption Products The E-Privacy Act does not allow for unrestricted export of any encryption product; exports to certain unfriendly nations (such as North Korea, Iraq, or Libya) are absolutely prohibited; Permits exportability under a license exception for mass market products which, by their nature, are uncontrollable given the volume sold and ease of distribution; Permits exportability under a license exception for products which do not themselves provide encryption, but are capable of working with encryption products; Permits exportability under a license exception for product support and consulting services; Permits exportability under a license exception for custom hardware and software (i.e., not mass market) when comparable foreign products are available-establishes a joint government-industry board to determine whether encryption products utilizing the same or greater key length or otherwise providing comparable security are, or will be, within the next 18 months commercially available outside the U.S. from a foreign supplier; Affirms that there will be no export controls on encryption products used for non-confidentiality purposes, such as authentication, integrity, digital signatures, non-repudiation, and copy protection; Assures that before export, all products undergo a one-time technical review to check that the encryption product works as represented; and Affirms the continued applicability of general export controls-the government will continue to be able to limit exports to terrorist countries, as part of a general embargo, and with respect to particular encryption products that would be exported to an individual or organization in a specific foreign country. -end- Contact: Steve Hilton (417) 881-7068 or Greg Harris (202) 224-4589