16 September 1998


Attached is CDT's initial analysis of the new Administration encryption
rules (available on our Web site at http://www.cdt.org/crypto). As always
with crypto regs, the devil is in the details; we won't know the real
impact until we get to read the fine print. We're told the final
regulations won't be released until later this Fall.

-- Alan

Alan Davidson, Staff Counsel                 202.637.9800 (v)
Center for Democracy and Technology          202.637.0968 (f)
1634 Eye St. NW, Suite 1100                  <abd@cdt.org>
Washington, DC 20006                         PGP key via finger

----------

New Administration Encryption Controls Leave Individual Privacy Concerns
Unanswered

The White House today announced revised controls on the export of
encryption products used to protect privacy and security online. While a
step in the right direction, the new policy leaves major individual privacy
concerns unanswered.

The revisions released today would allow export of moderately stronger
encryption and allow certain industry segments to use even more secure
products. However, the Administration policy does not address the security
needs of individuals online, human rights groups, or other non-commercial
users. Moreover, it continues to use export controls as a club to force the
adoption of risky "key recovery" systems without addressing the privacy
concerns raised by backdoor government access to our most sensitive data.

According to CDT Executive Director Jerry Berman, "The Administration has
given us half a loaf in the encryption debate. Unfortunately, the other
half a loaf is the part that deals with individual privacy."

The Administration statement is available on CDT's Web site at
http://www.cdt.org/crypto. Major features of today's announcement include:

* Decontrol of 56-bit (DES-level) encryption -- would permit export of
56-bit products and their equivalent (including 1024-bit asymmetric
systems) to most countries, after a one-time governmental review.

* Export relief for specific industry segments -- would permit export of
stronger products to subsidiaries of U.S. companies, the health and
insurance industries, and unspecified "electronic commerce" users.

* Exemptions for "recoverable" products -- would permit export of
encryption products of unlimited strength if those products include
backdoor access to plaintext, use key recovery, or allow access to
plaintext through a system administrator or other person independent of the
user.

CDT welcomes these efforts to address the concerns raised about current U.S.
policy. However, the new regulations leave significant privacy concerns
unanswered:

* 56-bit (DES-level) encryption will not adequately protect online privacy
and security. Expert cryptographers have argued for years that a 56-bit key
is too short to protect privacy online, because the entire key space can be
searched by brute force. Just this summer, a group of California researchers
built a "DES Cracker" that recovered the 56-bit key of an encrypted message
in just 56 hours, using modest resources.

* Granting export relief for industry groups leaves the little guy out.
Individuals, human rights workers, or other non-commercial groups who have
a compelling interest in using strong encryption, without backdoor access
built-in, will not get relief under the new proposal.

* Administration policy continues to use export controls to force the
adoption of vulnerable key recovery systems. The new regulations would
continue the Administration's efforts to require "key recovery" or other
plaintext access features in the encryption products that most individuals
use. An experts' report on "The Risks of Key Recovery"
(http://www.crypto.com/key_study) recently argued that such recovery
technologies introduce new security risks of their own.

* Standards for government access are not specified. Privacy cannot be
protected under a "recovery" system without a clear understanding of the
legal protection governing access to plaintext -- a discussion that is
absent from this proposal.

The extent to which the proposed new regulations will actually provide
export relief will depend a great deal on the fine print. The new
regulations are expected to be published in the late fall, and CDT will be
monitoring these rules as they are published to ensure that they protect
privacy.

CDT believes that the only way to protect individual security online, as
well as the nation's critical infrastructure, is through the widespread
availability of strong encryption without backdoors. We will continue to
work with members of Congress to push for reforms that preserve the rights
of individuals and businesses to protect sensitive personal information.

For more information on how to get involved in the crypto debate, sign up
for CDT's "Adopt Your Legislator" campaign to be informed when your
representative is voting on encryption issues. Visit CDT's crypto policy
web site at http://www.crypto.com/adopt.