8 June 1998
To: cypherpunks@toad.com
Subject: President's Export Council advisors consider Encryption Policy
Date: Sun, 07 Jun 1998 21:38:57 -0700
From: John Gilmore <gnu@toad.com>

[Largely bureaucratic, but there may be some interesting nuggets. This is an advisory group to watch over exports in general, with a subcommittee that is chartered to watch over encryption issues. --gnu]

EXECUTIVE SUMMARY
PRESIDENT'S EXPORT COUNCIL SUBCOMMITTEE ON ENCRYPTION
APRIL 23, 1998

SUMMARY OF OPEN SESSION

The open session of the President's Export Council Subcommittee on Encryption (PECSENC) was called to order at 8:30 a.m. Mr. Adorjan noted the Committee's mandate and described the framework and agenda of the meeting. He then described the proposed focus of the Subcommittee working groups on U.S. regulation and legislation, international, and technology. He emphasized that the objective would be for each working group to address the many subjects related to encryption export policy from the perspective of the primary topic. He noted that as the working groups made progress on issues, they would bring recommendations for decision to the entire Subcommittee. He added that each working group would issue individual reports or recommendations rather than waiting for an integrated report of all three working groups. He again noted his hope that the work of the three groups be integrated further on in the process.

He commented that there had been discussion of a fourth group focused on law enforcement, but concluded that it would be more valuable to integrate law enforcement issues into the work of the three groups because of its impact on these areas. He then described the proposed list of working group participants and possible chairs, noting that his goal was to get a balanced representation of members within each group.
He said that during the afternoon breakout sessions, he would like each working group to reach a set of decisions on the scope and approach of its work plan, and the timetable for completion.

Mr. Adorjan then discussed how the PECSENC, as a Subcommittee of the President's Export Council, would communicate any formal activity to the Administration, noting that the process used by the PEC Subcommittee on Export Administration (PECSEA) worked well. He described this process, and explained that any proposals to send reports or letters to the Administration were submitted by the Subcommittee Chair to the PEC Chair for distribution to Committee members, with the PEC staff coordinating this effort.

Mr. Adorjan then commented on Mr. Stewart Baker's e-mail recommendation to submit a letter urging the Administration to move forward on the financial institutions regulation which had been pending. He agreed with Mr. Baker's assessment that the Subcommittee should focus not only on long-term issues, but also intervene in short-term issues. Mr. Adorjan added that issuing a letter to the Administration with support of PEC and Subcommittee members was an effective means of bringing a topic to the forefront. He then suggested that the working groups address such time sensitive issues, as appropriate, and formulate recommendations for circulation throughout the entire Subcommittee.

Mr. Adorjan then asked for any comments with regard to the working group activities. As there were none, he turned to the issue of membership, noting that the PECSENC had 23 members with approximately 30 total members planned. He added that at the previous meeting, members had discussed the importance of having a cryptographer and insurance industry representative as members. He assured members that the department was pursuing these recommendations.

At the request of Subcommittee members, Under Secretary Reinsch discussed Secretary Daley's recent remarks to a group of information technology associations regarding the release of the Commerce Department report titled "The Emerging Digital Economy." Mr. Reinsch noted that while the report focused on electronic commerce, the Secretary also took the opportunity to comment on the encryption debate. He emphasized that the Secretary supported the President's policy to balance national security, privacy, and commercial interests, but believed that implementation of the policy had not been as successful as it should be. He added that if it could not be implemented successfully, the victims would be the law enforcement community and U.S. business, as foreign products would become more dominant. With respect to the ability of the United States to impact the activities of foreign countries on encryption, Mr. Reinsch noted that each country that confronted the issue had to work out the debate in its own way.

Responding to Mr. Lynn McNulty's request for views on the Economic Strategy Institute's report entitled "Finding the Key, Reconciling National and Economic Security Interests in Cryptography Policy", Mr. Reinsch noted that while the report did not offer alternatives, it demonstrated that balancing the competing interests in the debate was difficult.

Mr. Adorjan then introduced the first presenter in the Justice Department's threat assessment briefing, Mr. Charles Barry Smith, Supervisory Special Agent, Office of Public and Congressional Affairs at the Federal Bureau of Investigation. Agent Smith began by stating that law enforcement was supportive of strong encryption to protect privacy, but that it would be adversely impacted by commercially available non-recovery encryption products. He discussed the legal issues related to wiretapping, describing it as a technique of last resort done under strict judicial procedures.
He then described the adverse impact of non-recovery encryption on law enforcement's ability to perform search and seizure of criminally related electronically stored data. He provided case examples where electronic surveillance had been used successfully and described high-profile cases where encryption played a role.

In response to Raymond Humphrey's question as to whether or not criminals would use key recovery products, Agent Smith said that past experience showed that criminals tended to use what was generally available, citing the use of cellular phones as an example.

Ambassador Katz raised the issue of whether it was too late to reverse the impact of the general availability of non-key recovery encryption. Agent Smith responded that at this point encryption was just an added feature, but would soon become integrated into products and user-friendly, resulting in increased use.

In response to Ms. Simons' question of the issue of domestic controls, Agent Smith noted that law enforcement was in fact concerned about the proliferation of non-recovery products within the United States, as well as the impact of imports of such products. Agent Smith emphasized that law enforcement did not advocate that the government be the holder of the information or key, but that it have access to information pursuant to lawful authority without having to go to the individual who may be engaged in the illegal activity.

Adorjan then introduced the second Justice Department speaker, Mr. Scott Charney, Chief of the Computer Crime and Intellectual Property Section in the Criminal Division of the Justice Department. Mr. Charney began by commenting that his office was a large proponent of using cryptography to protect systems for both authentication and privacy and commerce purposes based on its experience with hacker cases. He noted that if information was encrypted, it was not as much of a concern if hackers gained access to it.
He said that the question to ask was whether the public wanted the kind of infrastructure that helped criminals protect themselves because products were unbreakable and law enforcement had no access to data, or the kind of infrastructure where the public got the benefits of robust cryptography but where it did more to preserve public safety.

Mr. Douglas McGowan asked about the method of controlling keys for individual users of key recovery encryption outside of the corporate environment. Mr. Charney responded that there were many ingenious ways to implement the technology which allow people to retain control to information and keys while providing for government access with the necessary authority. He added that there were ways to implement key recovery that offered benefits for the consumer and public safety, and used the example of "self-wrapping" encryption.

Mr. Donald Goldstein noted that there was evidence that the public was relatively trusting and accepting of key management and recovery techniques, citing the example of ATM card usage. He cautioned that the network might become unreliable if a vulnerability was introduced which could result in the public not trusting the system anymore. Mr. Charney responded that this vulnerability was far less than what existed in today's plaintext world and that an expectation of zero risk on networks was not realistic. He added that there needed to be a balance of benefits and risks and that it was difficult to quantify risks to privacy versus public safety.

There was also a general discussion with Messrs. Smith and Charney on related issues, including the concept of a "Net Center", the policies of other countries, imports of non-recovery encryption, the difficulty in designing different products in different markets, the possibility of a single law enforcement standard, economic intelligence and espionage, including losses to the economy if robust encryption was not available, the need for real time access to encrypted communications, and the ability of law enforcement to solve crimes in the future if constrained by non key-recovery encryption products.

Mr. Anthony Pentino of the National Security Agency suggested that law enforcement might find a better way to communicate its position beyond the congressional level to the general public at large to counter what appeared to be an exaggeration of privacy concerns fostered by its detractors.

Ms. Simons then asked that in the future, the Subcommittee members have the opportunity to submit questions to speakers. Mr. Adorjan suggested that these questions be conveyed through the working groups.

Mr. Linton Wells from the Department of Defense commented that Deputy Secretary of Defense John Hamre recently spoke to NATO allies in Brussels regarding the importance of each country developing national solutions on encryption. He noted that Hamre's point was that encryption needed to be regarded not just from a commerce and law enforcement standpoint, but as a national security issue as well. As NATO moved from military dedicated command and control to public networks, strong identification, authentication, and interoperability were crucial. He also noted that with respect to the Defense Department engaging in electronic commerce, key recovery encryption would be necessary from an internal control standpoint. Mr. Adorjan agreed that this issue was not unique to the Defense Department, but corporations as well.

Turning to the briefing on foreign activities, Mr. Adorjan introduced Ms. Michelle O'Neill, Executive Director to Ambassador Aaron and Mr. James Lewis, Director of the Office of Strategic Trade and Foreign Policy Controls.

Ms. O'Neill began by explaining that Ambassador Aaron, who was unable to attend the meeting, had been appointed as Special Envoy for Cryptography in November 1996. The goal of his discussions with other countries was international consensus on the development of key management and key recovery architectures that would foster robust, dependable security for global information infrastructure while protecting public safety and national security. She said that two key issues were the need for harmonized export control policies and the development of compatible infrastructures, as it was clear that no widely used encryption system or any successful national policy would be possible without international cooperation. She also noted that while governments must provide appropriate policy framework, the task of building this infrastructure would lie with the private sector. She said that through Ambassador Aaron's discussions, they had learned that while most governments were behind the United States in development of encryption policies, each shared the same concerns as the United States in trying to strike the right balance.

Mr. Lewis' discussion focused on multilateral controls on encryption exports. He began by noting that a number of countries controlled the export of encryption, but that the task was to modernize encryption export controls to reflect today's environment and agree to the implementation of common policies. He added that most governments had common concerns about the role of encryption in society. He noted that the U.S. objectives with respect to encryption policy were law enforcement access, use of recoverable encryption, and promotion of electronic commerce.
He then explained the history and structure of the Wassenaar Arrangement and outlined the issues that the forum was considering with respect to encryption, including moving to a positive control list, consideration of the treatment of commercial encryption products given widespread commercial use, treatment of software and intangible technology (phone conversations, faxes, Internet transmissions), decontrol levels, and transparency in reporting. He said that the United States had raised encryption as an issue for discussion at the last Wassenaar Arrangement plenary in December 1997 and asked countries to adopt similar policies as the United States. He indicated that given the scope of the issues under consideration, he was not sure that resolution would happen anytime soon. He added that Ambassador Aaron's group was finding that other countries were moving slowly in the U.S. direction and had more sympathy for the U.S. position than it would appear.

There was a general discussion of the issue of mass market encryption software, the treatment of intangible technology and the need to develop a common approach on encryption.

Following the lunch break and the meeting of the non-public working group sessions, Chairman Adorjan reconvened the Subcommittee at 3:00 p.m. He asked each group to give a report on its discussions and began with Mr. Gant Redmon and the working group on technology.

Mr. Redmon began by noting that the issue of interoperability was a key part of the group's discussion and said that building key recovery was not an impossible project (with respect to stored data). He said that from a technological standpoint, interoperability could cause a great deal of difficulty in terms of those products that have key recovery and those that do not. He also noted the strong domestic impact of export issues and other pressures to create encryption products a certain way.
With respect to mass market software, he said that the working group generally agreed that 56 bit encryption products were the de facto standard.

Mr. Adorjan then turned to Ambassador Katz for a briefing on the international working group discussion. Katz noted that the first task they agreed to focus on was developing an understanding of the state of current encryption policies, including foreign availability and policies of other governments. He said that the working group would seek briefings from government and the private sector and perhaps survey suppliers and users. He indicated that the group had identified another issue: whether export control policy is the most effective instrument to meet broader objectives of law enforcement, national security, and privacy. He finished by noting that the working group planned on completing its information gathering prior to the September meeting and would then work on policy recommendations.

Mr. Adorjan then turned to the Regulatory and Legislative working group. Mr. Richard Barth began by noting that the working group had considered the letter drafted by Mr. Baker and supported it with minor edits. He added that they felt that the issue of raising the decontrol level to 56 bit encryption products could be included as a second point. He then noted that the group had agreed on a set of operating principles for themselves and perhaps for the use of the entire Subcommittee. These included the objective of balancing the interests of law enforcement, privacy and national security, seeking this balance via market driven forces and, where necessary, taking a legislative approach. He concluded with a request for a panel briefing on the legislative environment and a briefing on the export control requirements on encryption.

Adorjan agreed that briefings on three issues would be useful, specifically briefings on the status of legislative issues, export policies and administration, and international threat briefing by the National Security Agency. With respect to these briefings, he would ask the presenters to provide topical outlines in advance of the briefings.

Mr. Adorjan said he looked forward to the working groups developing a defined scope of work by the next meeting, and suggested that they interact by e-mail. He added that the working groups did not need to get consensus, but that the long term objective was to formulate a set of recommendations. Finally, he noted that he and Under Secretary Reinsch would invite Secretary Daley to participate at the June 22 meeting.

Mr. Adorjan asked if there were other issues to be discussed. As there were none, he adjourned the session at 3:35 p.m.