23 September 1998
Source: http://www.fbi.gov/publish/encrypt/en7898.pdf (136K)


Encryption:

Impact on Law Enforcement

[FBI seal omitted]

July 8, 1998



Information Resources Division
Engineering Research Facility
Quantico, Virginia

For Policy Information:
Digital Telephony & Encryption Policy Unit
Office of Public & Congressional Affairs
935 Pennsylvania Avenue, N.W.
Washington, D.C. 20535
(202) 324-5355
For Technical Information:
Signal Analysis & Processing Unit
Electronic Surveillance Technology Section
Engineering Research Facility
Quantico, VA 22135
(703) 630-6378


EXECUTIVE SUMMARY

     Encryption is extremely beneficial when used legitimately to
protect commercially sensitive information and communications.
The law enforcement community, both domestically and abroad, is
extremely concerned about the serious threat posed by the
proliferation and use of robust encryption products that do not
allow for lawful and immediate access to “plaintext” of encrypted
communications and electronically stored data.

     The potential use of such encryption products by a vast
array of criminals and terrorists to conceal their criminal
communications and information poses an extremely serious threat
to public safety and national security. Law enforcement fully
supports a balanced encryption policy that satisfies both the
commercial needs of industry for robust encryption while at the
same time satisfying law enforcement's public safety and national
security needs. Robust encryption, combined with a recoverable
feature which allows lawful and immediate access to “plaintext”
is clearly the best method to achieve the goals of both industry
and law enforcement.

     Several bills on encryption have been introduced in the
105th Congress. The bills are: H.R. 695, the “Security and
Freedom Through Encryption (SAFE) Act” introduced by Congressman
Goodlatte; S.376, the “Encryption Communications Privacy Act of
1997" introduced by Senator Leahy; S.377, the “Promotion of
Commerce On-Line in the Digital Era (Pro-CODE) Act of 1997,”
introduced by Senator Burns; S.909, the “Secure Public Networks
Act,” introduced by Senators McCain, Kerrey and Hollings; and
S.2067, the “Encryption Protects the Rights of Individuals from
Violation and Abuse in Cyberspace (E-Privacy) Act,” introduced by
Senators Ashcroft and Leahy.

     Of these bills, only the House Permanent Select Committee on
Intelligence’s substitute bill to H.R. 695 adopted by the
Committee during their 9/11/97 mark-up effectively addresses all
of the law enforcement and national security concerns regarding
encryption products and services manufactured for use in the U.S.
as well as for those encryption products and services
manufactured for export.

     The “Secure Public Networks Act” (S.909) seeks to use
“market forces” as a means of attempting to address law
enforcement’s public safety needs in the area of encryption.
S.909 does not contain sufficient legislative assurances to
adequately address law enforcement’s public safety needs
regarding encryption products and services manufactured for use
in the United States and law enforcement is opposed to its
enactment in its current form.


                                1


THE PROLIFERATION OF SECURE OR ENCRYPTED COMMUNICATIONS AND ELECTRONICALLY STORED INFORMATION WILL MAKE IT INCREASINGLY DIFFICULT FOR LAW ENFORCEMENT TO OBTAIN AND DECIPHER THE ENCRYPTED CONTENT OF LAWFULLY INTERCEPTED COMMUNICATIONS AND LAWFULLY OBTAINED ELECTRONICALLY STORED INFORMATION THAT IS NECESSARY TO PROVIDE FOR EFFECTIVE LAW ENFORCEMENT, PUBLIC SAFETY, AND NATIONAL SECURITY. WHAT IS ENCRYPTION? Encryption is the method of hiding the content of a message. In broad terms, any system or technique that renders a message unintelligible by anyone other than the intended recipient of the message is utilizing encryption. A message which has not been encrypted is often referred to as “plaintext”. After a message has been encrypted, it is referred to as “ciphertext”. Whereas encryption is used to secure a message, decryption is the method for converting ciphertext back to its original plaintext. Many encryption systems use a mathematical function, known as a cryptographic algorithm, to encrypt and decrypt messages. Just as a lock box requires a key to lock or unlock it, a cryptographic algorithm requires a key to encrypt and decrypt a message. [Image] 2
USES AND BENEFITS OF ENCRYPTION Governments have always been very concerned with the secrecy of information related to military, economic and foreign policy issues. For many years, military and government missions drove the development and use of applications for encryption. Protecting one's intentions from an opposing party is critical and for that reason information security is very important. Although encryption software and hardware devices have been commercially available for years, their cost, degradation of voice quality, and user “friendliness” have, in the past made these devices unattractive to the general public. The introduction of digitally-based technologies as well as the widespread use of computers and computer networks which may incorporate privacy features/capabilities through the use of encryption are facilitating the development, production, and use of affordable and robust security products and services for use by the private sector. These encryption systems provide robust security to conventional and cellular telephone conversations, facsimile transmissions, local and wide area networks, communications transmitted over the Internet, personal computers, wireless communications systems, electronically stored information, remote keyless entry systems, advanced messaging systems, and radio frequency communications systems. [Image] 3
Various applications will use encryption to provide privacy, information integrity, authentication and non-repudiation. Privacy, or confidentiality, is probably the best known application of encryption. Unauthorized individuals are prevented from listening in or viewing electronic information. Information integrity protects against unauthorized changes to information after it is sent. This is important for the validation of legal electronic documents. Authentication techniques verify the identity of a sender of a message. This provides assurance that the claimed sender (e.g., return address on a letter envelope) of information is the actual sender and vice versa for destination authentication. Non-repudiation ensures that a sender is not able to deny that he or she sent a particular message. This verification is important when auditing or when litigation is being considered. [Image] ADVERSE IMPACTS OF ENCRYPTION The ability of encryption to ensure the confidentiality and the content of important messages, files or communications of corporations and private citizens can also prevent those same entities from accessing that critical information should the keys needed for decryption become lost or corrupted. Unless there is an alternative access method, such as a recovery feature contained within the encryption product to allow access, this important information could be lost forever. 4
The use of encryption can effectively prevent access not only to law enforcement acting under proper legal authority, but also to corporations in situations where an employee could potentially use encryption to commit illegal acts against the corporation. A report from Congress’s Office of Technology Assessment entitled, “Information Security and Privacy in Network Environments,” cited the following: "There is also growing recognition of the potential misuses of encryption, such as by disgruntled employees as a means to sabotage an employer's database." Encryption can also be used to conceal criminal activity and thwart law enforcement efforts to collect critical evidence needed to solve serious and often violent criminal activities, including illegal drug trafficking, organized crime, child pornography and terrorism. In these instances, the use of encryption to secure the content or confidentiality of information poses substantial threats to law enforcement's abilities to: interpret and analyze stored electronic records and files which have been obtained through court-order or other lawful procedures; and perform court-ordered electronic surveillance. Encrypted information obtained through the use of lawfully intercepted communications and/or lawfully accessed electronic records or files will be useless in solving crimes and preventing criminal activity unless law enforcement, pursuant to a court order, has immediate access to the “plaintext” of encrypted communications and electronically stored data. As previously discussed, encryption technology was historically used by governments and the military, but legitimate commercial interests and needs are now making this technology increasingly available to industry and individuals alike. As with cellular telephones and other emerging technologies, criminals quickly incorporate readily available technology in furtherance of their illegal activities. A 1993 survey conducted as part of a National Institute of Justice report entitled, “A Summary of a Counternarcotics Technology Needs Assessment of State and Local Law Enforcement Agencies,” revealed that "encryption, scrambling, or other audio countermeasures have been encountered by 28.4% of the respondents, with an additional 23.9% anticipating the use of these countermeasures." Law enforcement is already beginning to encounter the harmful effects of conventional encryption in some of its most important cases. These include: The Aldrich Ames spy case where Ames was told by his Soviet handlers to encrypt computer file information to be passed to them. 5
The Ramzi Yousef (mastermind of the World Trade Center)/Manilla Air terrorist case where Yousef and other international terrorists were plotting to blow up 11 U.S. owned airliners in the Far East. Data regarding this terrorist plan was found in encrypted computer files discovered in Manilla after Yousef’s arrest. A child pornography case where the subject’s used commercially-available encryption to encrypt pornographic images of children that were transmitted to other subject’s of the investigation. [Image] The FBI Laboratory Division’s Computer Analysis and Response Team (CART) has been tasked with the responsibility of providing assistance in law enforcement investigations where computer generated or stored magnetic media has been obtained pursuant to search and seizure. The CART has seen the number of cases utilizing encryption and/or password protection increase from two percent to seven percent, to include the use of 56-bit Data Encryption Standard and 128-bit Pretty Good Privacy encryption over the past two years. 6
THE CONCEPT OF RECOVERABLE ENCRYPTION Technical solutions that provide robust encryption, combined with a recoverable feature which allows lawful and immediate access to "plaintext" of encrypted communications and electronically stored data, is clearly the best way to achieve the goals of both industry and law enforcement. Law enforcement’s needs in dealing with its responsibility for protecting public safety and national security are best met by ensuring that encryption products manufactured or imported into the U.S. include features that allow for the immediate access to the plaintext of encrypted criminal-related data (both transmitted and stored), pursuant to a lawful court order. The concept of recoverable encryption: Ensures the integrity of the investigation through the escrowing of the recovery information with a trusted third party (this would provide the assurance to commercial and individual users of encryption that their protected communications and information are secure against unauthorized disclosure and illegal "hacker-type" attacks); Allows for an overt process for legally obtaining recovery information that is subject to public scrutiny and accountability; Provides confidentiality of law enforcement's request for escrowed recovery information; Provides an immediate decryption capability which is available to law enforcement upon presentation of proper legal authority (to include the state and local levels) of encrypted communications or electronically stored information. LEGISLATION UNDER CONSIDERATION BY CONGRESS ENCRYPTION-RELATED BILLS INTRODUCED IN THE 105TH CONGRESS: H.R. 695, the "Security and Freedom Through Encryption (SAFE) Act," introduced by Congressman Goodlatte (R-6th-VA) on February 12, 1997; S. 376, the "Encryption Communications Privacy Act of 1997," introduced by Senator Leahy (D-VT) on February 27, 1997; 7
S. 377, the "Promotion of Commerce On-Line in the Digital Era (Pro-CODE) Act of 1997," introduced by Senator Burns (R-MT) on February 27, 1997; S. 909, the "Secure Public Networks Act," introduced by Senators McCain (R-AZ), Kerrey (D-NE), Hollings (D-SC) on June 16, 1997. S. 2067, the “Encryption Protects the Rights of Individuals from Violation and Abuse in Cyberspace (E-Privacy) Act,” introduced by Senators Ashcroft (R-MO) and Leahy (D-VT) on May 12, 1998. * Four of the aforementioned encryption-related bills [Goodlatte (H.R. 695), Leahy (S. 376), Burns (S. 377), and Ashcroft/Leahy (S. 2067)] would largely remove export controls on hardware and software encryption products of comparable strength to those that are commercially available from a foreign supplier, regardless of the adverse impact to national security. All five bills place a prohibition on mandatory key recovery encryption by the government and include provisions making it a crime to use encryption in furtherance of a criminal act. The McCain/Kerrey, Leahy, and Ashcroft/Leahy bills would allow for the voluntary use of key recovery encryption and would establish in law, requirements for the release of decryption keys to law enforcement (Leahy and Ashcroft/Leahy bills by court order, McCain/Kerrey bill by subpoena). * The McCain/Kerrey bill (S. 909) is more of a comprehensive encryption bill draft some what along the same lines as the Administration's "incentive/market-based" voluntary approach and attempts to address law enforcement’s public safety needs through such a “market-based” approach; however, the bill fails to contain sufficient legislative assurance to adequately address law enforcement’s public safety needs regarding encryption for use in the United States. The bill does liberalize export controls to a limited degree but still requires an export license and a one time review by NSA prior the allow the export of any encryption product to address any national security issues. It also attempts to address law enforcement’s concerns with regard to the use of encryption domestically, however, it falls short of meeting law enforcement's needs with regard to ensuring that key recovery information is placed in escrow. (Section 402 of the bill indicates that Certificate Authorities (CA) may be licensed by the federal government, but if they choose to be licensed by the federal government, prior to the issuance of a public key certificate to an encryption user by the CA, the user must show proof that their key recovery information has been stored with an approved key recovery agent. 8
During a March 4, 1998 news conference, it was reported that Senators McCain and Kerrey plan to amend their bill and decouple the linkage between government licensed’s CAs and the requirement that such key recovery information be first stored with a key recovery agent prior to the issuance of a public key certificate by a government licensed CA. Such an amend would not be in the best interest of law enforcement. STATUS OF ENCRYPTION BILLS INTRODUCED IN THE 105TH CONGRESS: * H.R. 695 - Reported favorably out of the House Judiciary Committee on May 14, 1997 with three amendments. (Congressman McCollum's amendment--members of the Intelligence Community could obtain key recovery information if escrowed, Congressman Asa Hutchinson's amendment--AG is to maintain records regarding the number of cases where encryption prevented law enforcement from enforcing the law, and Congressman Delahunt's amendment--would make it a felony to encrypt information of a criminal nature). The bill was then referred to the House International Relations Committee for consideration and appropriate action. On May 24, 1997, the Committee's Subcommittee on International Economic Policy and Trade held a mark-up concerning the bill and favorably reported the bill out of subcommittee by a fourteen (14) to one (1) vote. On 7/22/97, the House International Relations Committee held a mark-up concerning H.R. 695. The Committee voted to report H.R. 695 out of Committee with no amendments. H.R. 695 was then referred to the House National Security Committee, the House Permanent Select Committee on Intelligence and the House Commerce Committee for appropriate action. Hearings were also held concerning H.R.695 before the House National Security Committee on July 30, 1997, before the House Commerce Committee’s Subcommittee on Telecommunications, Trade and Consumer Protection on September 4, 1997 and before the House Permanent Select committee on Intelligence on September 9, 1997. The House National Security Committee held a mark-up of H.R.695 on September 9, 1997 and adopted an amendment which continues to require a “one time review” and export license for export of encryption products. This action effectively addressed the national security concerns associated with the bill. The House Permanent Select Committee on Intelligence held a mark-up of H.R.695 on September 11, 1997 and adopted an amendment by way of a substitute bill that effectively addresses all of the +law enforcement and national security concerns associated with encryption products and services manufactured for use in the U.S. as well as for export. Highlights include: requirements 9
for immediate access to plaintext features to be included in all encryption products and services manufactured for use in the United States or imported for use in the United States by 1/31/2000; “one time review” by NSA of all encryption products for export and voluntary enabling of any decryption feature included in encryption products for export by the destination country; provide for criminal and civil penalties for unauthorized access to plaintext or decryption information; and, require the U.S. government to only purchase encryption products which include such immediate access to plaintext features. On September 24, 1997, the House Commerce Committee held a mark-up of H.R.695. Two competing amendments were offered: Congressmen Oxley and Manton offered an amendment to require all encryption products manufactured for use in the U.S. or imported into the U.S. to contain an immediate access to plaintext feature which would have effectively address law enforcement’s domestic encryption needs and would be supported by law enforcement; Congressmen Markey and White offered an amendment to establish a “National Electronic Technologies Center” to foster the “exchange of information and expertise” between government and industry. However, the Markey/White amendment provided no funding for this center. It did not mandate industry participation, nor is it the goal of the “Center” to provide law enforcement with immediate decryption technical capabilities. Markey/White was supported by industry but was opposed by law enforcement. The Commerce Committee defeated the Oxley/Manton proposal and adopted the Markey/White Amendment, agreeing to favorably report H.R.695 out of committee as amended. H.R.695 (as amended by all five committees) has been sent to the House Rules Committee, which now must consider the different versions of the bill adopted by the five House Committees (Judiciary, International Relations, National Security, Intelligence and Commerce). The Rules Committee must determine if a workable compromise bill can be obtained and forwarded to the House floor for action. No date for Rules Committee action on the bill has been set. * S. 909 - Reported favorably out of the Senate Commerce Committee on June 19, 1997 with five amendments: one amendment to section 106 regarding the strength of the subpoena used to obtain recovery information; one amendment to section 201 requiring NIST to release a public reference plan regarding key recovery systems prior to the policy provisions of this section being enforced; one amendment to section 205 to clarify that this section only covers networks for the transaction of government business; and one amendment to section 1005 to define what key recovery means. Another amendment was introduced that would create an export advisory board consisting of a chairman appointed by the President, four (4) industry representatives and four (4) 10
government representatives-one each from the CIA, NSA, FBI and Commerce. The bill is scheduled to be referred to the Senate Judiciary and Intelligence Committees for appropriate action but has not been officially reported out of the Senate Commerce Committee. It should be noted that during a March 4, 1998, news conference, it was reported that Senators McCain and Kerrey plan to amend their bill in such a way that would not be in the interest of law enforcement and/or national security and are planning to have the full Senate vote on encryption legislation in May. It was also reported that both Senate Majority Leader Lott and Senate Minority Leader Daschle were “on-board” with a May schedule for Senate consideration of S.909, which did not occur. * S. 377 - Introduced. Failed to be favorably reported out of the Commerce Committee by a 12 to 8 vote on June 19, 1997 as a substitute to S. 909. Senators Burns, Gorton, Lott, Ashcroft**, Abraham**, Brownback, Dorgan and Wyden voted in favor of S.377; Senators McCain, Stevens, Hutchison, Snowe, Frist, Hollings, Inouye, Ford, Rockefeller, Kerry, Breaux and Bryan voted against S.377. (** denotes member of Senate Judiciary Committee) * S. 376 - Only introduced. * S. 2067 - Only introduced. 11 [End]


Conversion to HTML by JYA/Urban Deadline.