13 May 1998


Date: Tue, 12 May 1998 17:58:56 -0400
To: cypherpunks@toad.com
From: David Banisar <banisar@epic.org>
Subject: EPIC Analysis of E-Privacy Act


====================================================================

            EPIC Preliminary Analysis of E-PRIVACY Act
                           May 12, 1998
                          Washington, DC


Senators John Ashcroft (R-MO) and Patrick Leahy (D-VT) today
introduced the "Encryption Protects the Rights of Individuals from
Violation and Abuse in Cyberspace (E-PRIVACY) Act."  The proposed
legislation is the latest in a series of congressional measures
designed to resolve the debate surrounding current U.S. encryption
policy.  Like the SAFE Act (H.R. 695) now pending in the House,
the E-PRIVACY Act seeks to relax existing controls on the export
of encryption products.  Controls would be lifted for encryption
products that are deemed to be "generally available" within the
international market.  Exporters would be given new procedural
rights to obtain expedited determinations on the exportability of
their products.

The bill also contains several provisions that would preserve the
right of Americans to use encryption techniques and that would
enhance the privacy protections currently accorded to personal
communications and stored data.  Among its positive features, the
bill:

* Reiterates the right of Americans to use, develop, manufacture,
sell, distribute, or import any encryption product, regardless of
the algorithm selected, key length, or the existence of key
recovery capabilities;

* Prohibits government-compelled key escrow or key recovery;

* Prohibits government agencies from creating any linkage between
cryptographic methods used for authentication and those used for
confidentiality;

* Prohibits the federal government from purchasing key recovery
encryption systems that are not interoperable with other
commercial encryption products; and

* Provides enhanced privacy protections for stored electronic data
held by third parties, location information generated by wireless
communications services, and transactional information obtained
from pen registers and trap and trace devices.

The bill contains two provisions that raise significant civil
liberties and privacy concerns.

The Criminalization Provision

The bill would make the use of encryption to conceal
"incriminating" communications or information during the
commission of a crime a new and independent criminal offense.

While well-intended, the provision could have several unintended
consequences that would easily undermine the other desirable
features of the bill.

We believe it is a mistake to create criminal penalties for the
use of a particular technique or device. Such a provision tends to
draw attention away from the underlying criminal act and casts a
shadow over a valuable technology that should not be criminalized.
It may, for instance, be the case that a typewritten ransom note
poses a more difficult challenge for forensic investigators than a
handwritten note. But it would be a mistake to criminalize the use
of a typewriter simply because it could make it more difficult to
investigate crime in some circumstances.

Additionally, a provision which criminalizes the use of
encryption, even in furtherance of a crime, would give prosecutors
wide latitude to investigate activity where the only indicia of
criminal conduct may be the mere presence of encrypted data. In
the digital age, where techniques to protect privacy and security
will be widely deployed, we cannot afford to view encryption as
the potential instrumentality of a crime, just as we would not
today view the use of a typewriter with suspicion.

Finally, the provision could also operate as a substantial
disincentive to the widespread adoption of strong encryption
techniques in the communications infrastructure. Given that the
availability of strong encryption is one of the best ways to
reduce the risk of crime and to promote public safety, the
retention of this provision in the legislation will send a mixed
message to users and businesses -- that we want people to be free
to use encryption but will be suspicious when it is used.

If the concern is that encryption techniques may be used to
obstruct access to evidence relevant to criminal investigations,
we submit that the better approach may be to rely on other
provisions in the federal and state criminal codes (including
sections relating to obstruction of justice or concealment) to
address this problem if it arises.

The "NET Center"

The bill creates within the Department of Justice a National
Electronic Technology Center (NET Center) to "serve as a center
for . . . law enforcement authorities for information and
assistance regarding decryption and other access requirements."

The NET Center would have a broad mandate and could spawn a new
domestic surveillance bureaucracy within the Department of
Justice.  Among other powers, the bill authorizes the NET Center
to:

* Examine encryption techniques and methods to facilitate the
ability of law enforcement to gain efficient access to plaintext
of communications and electronic information;

* Conduct research to develop efficient methods, and improve the
efficiency of existing methods, of accessing plaintext of
communications and electronic information;

* Investigate and research new and emerging techniques and
technologies to facilitate access to communications and electronic
information; and

* Obtain information regarding the most current hardware,
software, telecommunications, and other capabilities to understand
how to access digitized information transmitted across networks.

The mission of the NET Center is made more troubling by the bill's
authorization of "assistance" from other federal agencies,
including the detailing of personnel to the new entity.  In light
of the fact that existing federal expertise in the areas of
electronic surveillance and decryption resides at the National
Security Agency (NSA), the bill in effect authorizes unprecedented
NSA involvement in domestic law enforcement activities.  Such a
result would be contrary to a half-century-old consensus that
intelligence agencies must be strictly constrained from engaging
in domestic "police functions."

That consensus arose from the recognition that intelligence
agencies created to operate abroad are ill-suited for domestic
activities, where U.S. citizens enjoy constitutional protections
against governmental intrusions.  In 1975, Sen. Frank Church led a
congressional investigation into the activities of NSA.  He noted
that Congress had a "particular obligation to examine the NSA, in
light of its tremendous potential for abuse. ... The danger lies
in the ability of NSA to turn its awesome technology against
domestic communications."

In 1987, Congress enacted the Computer Security Act, which sought
to vest civilian computer security authority in the Commerce
Department and to limit the domestic role of NSA.  The House
Report on the Computer Security Act cited congressional concern
over a Reagan Administration directive that "gave NSA the
authority to use its considerable foreign intelligence expertise
within this country."  The report noted that such authority was
"particularly troubling" since NSA "has, on occasion, improperly
targeted American citizens for surveillance."

The NET Center proposal, if approved, would constitute a
fundamental re-definition of the relationship between intelligence
agencies and domestic law enforcement.  Such an approach would
ignore 50 years of experience and would pose a serious threat to
the privacy and constitutional rights of Americans.

EPIC looks forward to working with the legislation's sponsors and
other interested parties to address these issues and develop a
national encryption policy that will ensure the widespread
availability of robust encryption products and the preservation of
constitutional rights.  Such a result will be critical for both
our nation's continued leadership of the information industry and
the protection of personal privacy in the next century.