17 May 1999: See also Ariel Glenn's much superior notes on the meeting: http://www.columbia.edu/~ariel/pecsenc.html
15 May 1999
Source: Hardcopy from President's Export Council Subcommittee on Encryption
(PECSENC) meeting May 14, 1999, at Department of Commerce, Washington, DC.
Items 1, 2 and 4 public handouts (thanks also to SG); item 3 provided by
attendee.
We welcome contributions/corrections/disagreements from attendees. Lob to <jy@jya.com>
1. Agenda
3. Memorandum on PECSENC Action Plan
4. Executive Summary, PECSENC Meeting Open Session, March 12, 1999
President's Export Council
10:00 | Opening Comments (OPEN) | William Crowell, PECSENC Chairman
10:15 | Public Comments |
10:20 | BXA Update | William A. Reinsch, Under Secretary for Export Administration
11:00 | Discussion of PECSENC Action Plan, Meeting Schedule, and List Serv |
12:30 | Lunch for Subcommittee Members |
12:45 | Briefings: Discussion of the "PROTECT" Act (S. 798) |
2:00 | Discussion of the Bernstein Decision | Robert Corn-Revere, Hogan & Hartson; Shari Steele, Staff Counsel, Electronic Frontier Foundation
3:00 | Adjourn |
05/11/99
U.S. DEPARTMENT OF COMMERCE
BUREAU OF EXPORT ADMINISTRATION
PRESIDENT'S EXPORT COUNCIL
SUBCOMMITTEE ON ENCRYPTION
Chairman:
Mr. William P. Crowell | Cylink Corporation
Mr. Stewart A. Baker | Steptoe & Johnson, LLP
Richard C. Barth, Ph.D. | Motorola, Inc.
Mr. Lawrence E. Coutorie | University of Texas SW Medical Center Police Department
Dorothy E. Denning, Ph.D. | Georgetown University
Ms. Esther Dyson | EDventure Holdings, Inc.
Mr. Frederick W. Gerbracht, Jr. | Merrill Lynch & Company, Inc.
Donald J. Goldstein, Ph.D. | The Nomos Corporation
Ms. Rhonda K. Grant | Jackson National Life Insurance Co.
Mr. Charles B. Griffis | V-One Corporation
Mr. Peter F. Harter | Netscape Communications Corporation
Richard K. Hite, Ph.D. | Visa International
Mr. Russell Housley | SPYRUS
Mr. Raymond F. Humphrey | American Society for Industrial Security; International Security Management Association
Ambassador Julius L. Katz | Hills & Company
Mr. Stephen R. Katz | Citibank
Mr. Kenneth L. Keefe | Lucent Technologies, Inc.
Mr. John R. Liebman | McKenna & Cuneo, LLP
Mr. William P. Loughrey | Scientific-Atlanta, Inc.
Kevin S. McCurley, Ph.D. | IBM Almaden Research Center
Mr. Douglas J. McGowan | Hewlett-Packard Company
Mr. Lynn McNulty | RSA Data Security, Inc.
Mr. Thomas R. Morehouse | SourceFile, LLP
Mr. Gant Redmon | AXENT Technologies, Inc.
Col. Michael D. Robinson | Michigan State Police
Mr. Ira S. Rubinstein | Microsoft Corporation
Sheriff Fred W. Scoralick | Dutchess County Police, NY
Barbara Simons, Ph.D. | Association for Computing Machinery
Mr. Stephen T. Walker | Steve Walker & Associates, Inc.
Mr. Michael E. Zeoli | IBM Corporation
[See also government representatives]
May 14, 1999
TO: PECSENC Members
FROM: Stewart Baker
RE: Update
As I contemplate with enthusiasm surrendering the chairman's gavel to Bill Crowell, my conscience requires that I send out this memorandum to wrap up (as much as possible) some of the outstanding issues from my tenure.
A. Topics For PECSENC Consideration
In our last meeting, we identified several encryption and export related topics that we wanted to explore in more detail in the next 12 months, either at PECSENC meetings or at special working group sessions called for that purpose. Ultimately, the group hoped to produce a paper analyzing each topic and recommending policy changes or actions based on the analysis.
A total of 9 topics were suggested for detailed PECSENC review. To date, we have four completed proposals for work. The completed proposals are:
(1) Liberalization 2000;
(2) smart card technology;
(3) authentication processes and technology;
(4) information infrastructure security.
The remaining proposals are incomplete at this time. (The other five, and those of you who agreed to do the work on them, are listed in an attachment.) Unless we hear from the proponents of these proposals in the very near future, I propose that we suspend our consideration of any incomplete proposal.
B. Experts' Working Group
As we have discussed previously, the PECSENC will seek to offer a set of recommendations on further liberalizations that could be reasonably expected from the Administration over the next year. Several members have been asked to designate an expert to serve in the PECSENC "experts group." The experts would assist PECSENC in developing a set of recommendations in this area. Thus far, we have received the following nominations to the group of experts:
(1) Elizabeth Banker (nominated by Stewart Baker)
(2) Mike Nugent (nominated by Steve Katz)
(3) Jim Wyatt (nominated by Rich Barth)
(4) Patricia Steiner (nominated by Ken Keefe)
(5) Fred Mailman (nominated by Doug McGowan)
If you have any other nominations, please forward them as soon as possible, certainly no later than the next PECSENC meeting, so that we can plan the group's first meeting in the very near future. Contact details for the experts are attached.
C. Proposed Federal Register Notice
I also attach a draft Federal Register notice covering the four topics for your review. I based this draft on your submissions thus far. Comments and suggestions would be most helpful in getting the notice ready for publication.
Proposed Federal Register Notice
The President's Export Council Subcommittee on Encryption ("PECSENC") is investigating a variety of topics on encryption policy within the United States. The PECSENC is a separately-chartered subcommittee of the President's Export Council. It is composed of senior industry and law enforcement representatives who advise the Executive Branch on how to formulate encryption policy that best reconciles the interests of business, privacy, national security, and public safety. At its recent meeting, the PECSENC identified several encryption export topics that it will consider in detail over the next several months. These topics will be examined by arranging briefings by interested parties, by taking public comment, and by conducting independent research and analysis. The results will be published for public review.
The PECSENC would welcome comments and testimony on the topics outlined below. The issues will be discussed during at least two public sessions of the PECSENC. The first will take place on ___________________ and the second meeting is yet to be scheduled. Individuals who seek an opportunity to be heard, either through oral testimony or by written submission, should contact Jason Gomberg at the Bureau of Export Administration, United States Department of Commerce, 14th Street and Constitution Avenue, N.W., Washington, D.C. 20230.
(1) Liberalization 2000
As commercial and individual use of cryptography has grown throughout the 1990s, previously unquestioned export control policies have been challenged and revised to reduce their impact on deployment of new technologies. The most recent liberalization of encryption controls occurred at the end of 1998. But the deployment of encryption in commercial computer platforms has not slowed. New uses continue to be developed, and tensions remain between industry and government over the proper scope of export controls. It seems appropriate at this stage to examine the new and continuing points where those tensions remain greatest - and to recommend ways of further easing controls consistent with national security concerns. The PECSENC has designated an encryption export control experts' group to evaluate and propose an agenda of plausible, incremental reforms as early as next year. The experts' group will consider proposals from the PECSENC, from industry, and from the public. It will recommend proposals it finds worthy of the PECSENC's consideration. The proposals will be considered independently by the PECSENC and modified, adopted, or rejected as the PECSENC chooses.
Suggestions for reforms and requests to be heard at a public meeting on this topic are welcome.
(2) Smartcard Technology
Smart card use is expanding to new technology platforms as companies find ways to integrate smart card solutions into their current and new product offerings. Today, the majority of smart card applications are found in the telecommunications and financial services industry segments. New applications for smart card technologies are being developed for the personal digital assistant (PDA) markets. Other applications are being developed and tested in such areas as access controls, management and distribution of government benefits, storage of medical data, etc.
These new applications raise many questions concerning export controls on smartcards containing encryption, especially where the security of the application depends on the confidentiality of the underlying data. For example, control policies based on the intended usage of the card and the applications it contains may not be easily applied to cards that may add new applications after the card has been issued.
To address these issues, and the questions they create, the PECSENC will examine the evolving nature and use of smart card based products and the best way to accommodate that evolution in the context of encryption export controls.
(3) Authentication
Authentication products (hardware and software) are freely exportable under specific exceptions noted in ECCNs 5A002 and 5D002. A debate has developed in this area centered on authentication software products. Several "open source" developers have self-classified their authentication products and released them on the Internet in order to provide as wide a testing platform for these products as possible. Other developers, however, have opted to seek verification from BXA that their authentication products qualify for free exportability under these ECCN entries. Anecdotal evidence suggests that BXA is conservative in classifying cryptographic products as authentication products. BXA has tended to draw a line on the basis of whether authentication software is "easy" or "hard" to modify for confidentiality. It has urged that all authentication products be submitted to BXA for review and not self-classified by the product. Industry has expressed some dissatisfaction with this approach, and argues (inter alia) that BXA's approach violates administrative due process and is contrary to BXA's own rule. The PECSENC will examine this controversy.
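The "easy to modify for confidentiality" line drawn by BXA is a technical claim as well as a regulatory one. The following is an added example, not part of the PECSENC handouts: it uses a single pure authentication primitive, HMAC-SHA256 from Python's standard library, first as a message authentication code and then, with no change to the primitive, as the keystream generator of a stream cipher. The function names and the sample key and nonce are constructed for this example.

```python
"""Added example (not from the PECSENC documents): one authentication
primitive, HMAC-SHA256, used both for authentication and, unmodified,
for confidentiality. Illustrates why a classification line between
"authentication" and "confidentiality" software rests on how the
primitive is exposed rather than on the primitive itself."""
import hmac
import hashlib

# Constructed sample values for the example (not from any real product).
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
SAMPLE_NONCE = b"pecsenc-1999"


def authenticate(key: bytes, message: bytes) -> bytes:
    """Authentication use: a 32-byte HMAC-SHA256 tag over the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check of a tag produced by authenticate()."""
    return hmac.compare_digest(authenticate(key, message), tag)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Confidentiality use of the identical primitive: HMAC as a
    pseudorandom function in counter mode. Block i is
    HMAC(key, nonce || i); blocks are concatenated and truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += authenticate(key, nonce + counter.to_bytes(8, "big"))
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream. XOR is its own inverse, so
    the same function decrypts. As with any stream cipher, a nonce must
    not be reused under the same key."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt


def demo(message: bytes = b"export control classification request") -> dict:
    """Exercise both uses of the primitive and return the observable results."""
    tag = authenticate(SAMPLE_KEY, message)
    ciphertext = encrypt(SAMPLE_KEY, SAMPLE_NONCE, message)
    return {
        "tag_ok": verify(SAMPLE_KEY, message, tag),
        "tampered_tag_ok": verify(SAMPLE_KEY, message + b"!", tag),
        "ciphertext_differs": ciphertext != message,
        "round_trip": decrypt(SAMPLE_KEY, SAMPLE_NONCE, ciphertext) == message,
        "ciphertext_len": len(ciphertext),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Nothing beyond the MAC call is needed to obtain the stream cipher, which is the technical substance of the controversy the notice describes.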
(4) Information Infrastructure Security
PECSENC intends to examine the extent to which export controls are responsible for information infrastructure vulnerabilities and for actual or potential exploitation of those vulnerabilities in acts of information warfare, cyberterrorism, and computer crime. To the extent that network vulnerabilities and attacks can be attributed to export controls, the next task is to identify what changes are needed to achieve the level of security desired. Particular attention would be placed on critical infrastructures (as defined by the President's Commission on Critical Infrastructure Protection) that are vital to the U.S. economy. The PECSENC recognizes that there are many factors that may contribute to the availability of cryptographic solutions besides export controls (e.g., user demand, costs, education, and patents) and many factors besides cryptography that can contribute to the overall state of security (e.g., authentication, user training and awareness, malicious code detection). The PECSENC is seeking first to identify these factors and then to consider the relative impact of export controls. The subcommittee recognizes that this could be an extremely difficult task, as there may be little hard data to draw upon. But the prevalence of references to critical infrastructure protection in the encryption debate requires that some effort be made to measure the relationship between the issues.
[Attachment 1]
President's Export Council Subcommittee on Encryption
Project | Assigned To | Complete?
IP Protection and Encryption | Peter Harter ? | No
Source Code/Open Source Products | Kevin McCurley | No
Source Code/Java and byte-code | Kevin McCurley | No
Source Code/Publication on the Web | Unassigned | No
Smartcards | Richard Hite | Yes (attached)
Liberalization 2000 | Doug McGowan | Yes
Authentication | John Liebman | Yes (attached)
Digital Millennium Copyright Act | Barbara Simons | No
Criminal Penalties for "Misuse" of Encryption | Unassigned | No
Data Protection and Encryption | Bill Loughrey ? | No
Information Infrastructure Security | Dorothy Denning | Yes
[Attachment 2]
McKenna & Cuneo LLP
To: Stewart Baker
From: John R. Liebman
Date: March 20, 1999
Re: PECSENC Authentication Project
________________________________________________________
I'm on my way to Mexico City tomorrow, and wanted to get this memo to you in a timely fashion. It responds to your St. Patrick's Day e-mail.
1. Issue. Authentication products (hardware and software) are freely exportable under specific exceptions noted in ECCNs 5A002 and 5D002. I believe that the debate centers exclusively on authentication software products. Several "open source" developers have self-classified their authentication products and released them on the internet in order to provide the widest testing platform for these products as possible. Other developers, however, have opted to seek verification from BXA that their authentication products qualify for free exportability under these ECCN entries. Anecdotal evidence suggests that BXA views authentication products in this context conservatively, and classification requests generally have not succeeded in attracting favorable responses from BXA. BXA believes that many authentication products can be modified to provide confidentiality and are therefore ineligible for this exception. BXA has drawn a line on the basis of which authentication software is "easy" or "hard" to modify for confidentiality. It argues that all authentication products should be submitted to BXA for review. The public has expressed dissatisfaction with this approach, and argues (inter alia) that BXA's approach violates administrative due process and is contrary to BXA's own rule.
2. Stakeholders. Powerful authentication tools are essential to e-commerce and defense communications security. Domain names on the internet already have been spoofed or hacked, with potentially serious consequences.
The interests in this debate include:
3. Action Proposal. This issue is far too complex to be dealt with as part of a PECSENC Meeting. Advance preparation and extended hearings may be needed. I suggest that we ask interested parties to submit proposed revised rules, together with supporting arguments. These could then be circulated for comment among PECSENC members, and followed by an open hearing. PECSENC could then produce a proposal (or a non-proposal, as appropriate) to BXA. (NB: would a proposal have to be cleared through the PEC?)
I'm prepared to follow up with a more detailed treatment of this issue. Please let me know.
[Attachment 3]
INTRODUCTION
The nature of computing changes day by day. One of the more obvious changes has come in the size of what can be called a computer. Nowhere is this more evident than in the smart card technologies.
The term, "Smart Card" has been used to describe both memory cards and Integrated Circuit (IC) cards. An IC card contains a central processing unit; i.e., a CPU, that has the ability to securely store information and make decisions. These cards also offer a "read/write" capability that allows for the addition of new information. However, the functionality of the smart card is limited because the card itself has no ability to interact with the outside world unless used in conjunction with some peripheral device. Another characteristic of smart cards is that the owner of the data inside the card is typically not the cardholder.
Memory cards are primarily used for the storage of information. Consequently, they are read-only devices used for pay phones, vending, and transit applications.
The use of smart cards is wide ranging and includes credit and debit applications, electronic purse products, secure cryptographic cards, etc. Financial service applications are the largest potential market for IC cards.
I. Issues
Smart card use is scaling up with the advent of new technology platforms and as more companies find ways to integrate smart card solutions into their products. Currently under development are smart card solutions for personal digital assistants (PDAs). 3Com has announced plans to build a smart card reader into its Palm IV devices. It has also been announced that when Windows CE 3.0 ships in June, it too will have the capability to read smart cards. It has also been said that both Compaq and NEC will have Windows CE devices with smart card slots.
Currently, the majority of smart card applications are used for credit, debit and electronic purse applications. At the terminal level, smart cards, i.e., M-Cards, are used to validate the payment scheme and the transactional data between the card and the terminal. Other applications for smart cards include government payments, benefit transfers, and medical data. New smart card applications are supporting digital certificates and can execute other cryptographic applications including those for confidentiality and integrity. A growing role for smart cards has also been in the arena of securing access to controlled areas by verifying a set of biometrics associated with the cardholder.
In this environment the issues include:
1. What would cause the DOC/BXA to want to regulate smart cards?
2. What would be the objectives of such regulation?
3. What would be the market impacts of those objectives?
4. What would be the risks to current encryption export policies of not regulating smart cards?
5. What would be the risks to current encryption export policies of regulating smart cards?
6. Would export controls be imposed based on the architecture of the IC; i.e., cryptographic co-processor?
7. Are smart cards covered by the personal use exceptions?
8. Would smart cards used to transport encryption keys be exempted?
9. Is it necessary to regulate smart cards, because the cryptographic keys are likely recoverable using timing attacks, differential power analysis, static power analysis, or other physical attacks?
10. Would the IC or the software on the card be regulated? Both?
11. If smart cards are to be controlled are current policies sufficient to regulate smart cards?
12. How would such regulations be implemented?
13. Most smart card applications use cryptography for authentication. What would be required to document that those applications could not be converted to alternative use applications such as confidentiality?
14. Who would be responsible for compliance, the application owner or the cardholder?
II. The Stakeholders
A broad array of U.S. companies has vested interests in the future of the smart card. First, and foremost, are financial service providers. More and more transactional services will be migrated to open communication networks. This will create new market opportunities supporting global customer bases. To maintain the trust of the participants, strong cryptography will be required for confirming identities and ensuring the confidentiality (and privacy) of individual transactions. No transactional-based service can exist without such trust by all participants.
A second group of stakeholders will be those companies developing and marketing peripheral equipment including terminal manufacturers and other support peripherals such as Personal Digital Assistants and mobile phones. As noted above, the smart card has no way of communication other than via some external device. Many of these companies are currently planning smart card support with the new prototypes and production models.
A third group of stakeholders would be the manufacturers of the integrated circuit chips. Domestic producers, like Motorola, could be significantly impacted if the IC platform supporting strong cryptography for confidentiality in exempted and controlled market segments required licensing reviews before applications have been loaded.
A fourth group of stakeholders is the software developers that create code for the smart card applications. Software developers may be impacted by the controlled access to the cryptographic toolboxes needed to provide the necessary applications to be supported on these IC platforms.
Finally, the end users of the smart card products could be impacted because the time to market would be elongated, increasing the risks of compromise of transactional data resulting in tangible losses attributable to increased regulation and control.
III. Action Plan
A formal presentation on the changed status of the smart card and its usage in new commercial applications is proposed. The following topics would be discussed:
- Financial Services
- Telephony
- Access Control
- PDAs
- PCs
- Confidentiality
- Authentication
- Integrity
- Non-repudiation
The information for the presentation would be gathered from each of the affected markets identified above.
[Attachment 4]
President's Export Council Subcommittee on Encryption
PECSENC Member | Designated Staff Person
Stewart Baker, Steptoe & Johnson | Elizabeth Banker, xxxxxx@steptoe.com, 202-429-6275
Rich Barth, Motorola | Jim Wyatt, xxxxxx@email.mot.com, 847-538-9439
Steve Katz, Citibank | Mike Nugent, xxxxxx@citicorp.com, 212-559-0142
Ken Keefe, Lucent | Patricia Steiner, xxxxxx@lucent.com, 908-582-5482
Doug McGowan, Hewlett-Packard | Fred Mailman, xxxxxx@hp.com, 202-884-7065
Ira Rubinstein, Microsoft | Mike Hintze, xxxxxx@microsoft.com, 425-936-1392
[JYA note: xxxxxx for anti-spam; full addresses here. Thanks to L for bitching.]
EXECUTIVE SUMMARY
PRESIDENT'S EXPORT COUNCIL
SUBCOMMITTEE ON ENCRYPTION
March 12, 1999
SUMMARY OF OPEN SESSION
Acting Chairman Stewart Baker convened the open session of the President's Export Council Subcommittee on Encryption (PECSENC) at 12:40 p.m. Mr. Baker had no opening comments of his own. Before asking if there were any public comments, he requested that public attendees introduce themselves. No public comments were offered.
Acting Chairman Baker introduced Under Secretary of Commerce William Reinsch and requested that he update the PECSENC on current Bureau of Export Administration (BXA) initiatives. Mr. Reinsch informed the PECSENC that BXA was continuing to refine and update its encryption policy. He noted that the comment period for BXA's December 31 regulation had expired and that the public's comments currently were under review.
Mr. Reinsch explained to Subcommittee members that BXA would consider incorporating public recommendations in conjunction with export control revisions stemming from the Wassenaar Arrangement's December 1998 agreement. He stated that he expected senior-level government officials to set forth soon a work plan - to identify the issues to be addressed and on what time frame - for an interagency discussion of encryption regulatory changes. He added that he welcomed public input on the forthcoming encryption update.
Mr. Reinsch also stated to PECSENC members that BXA was "on track" to "take a fresh look" at the Administration's encryption export policy (included by Vice President Gore in his September 16 policy announcement) by the spring or summer.
Acting Chairman Baker then asked Under Secretary Reinsch to address the topic of whether the "Security and Freedom Through Encryption (SAFE)" legislation (H.R. 850) pending in the House of Representatives violated United States export control obligations under the Wassenaar Arrangement. Mr. Reinsch identified provisions of the SAFE bill which he asserted would eliminate the Government's ability to license certain types of encryption items, which would violate the Wassenaar Arrangement. He contended further that provisions of the bill which would permit the President to restrict exports to certain entities did not meet Wassenaar standards for restricting export licenses. Responding to a PECSENC member's question, he stated that he was unsure whether inserting a provision in the SAFE Bill providing for a license exception for those products would satisfy Wassenaar obligations. Several PECSENC members, however, downplayed this issue, as they raised doubts that SAFE would be passed by the Congress.
Following Under Secretary Reinsch's comments, Acting Chairman Baker introduced Patricia Moll, Special Trade Assistant in the European Commission's U.S. Delegation, and invited her to discuss European Union encryption policy. Ms. Moll informed PECSENC members that the Commission had no intentions of proposing new regulations on encryption exports beyond implementing the decisions agreed to in December by the Wassenaar countries. She stated that the EU would have a new dual-use directive ready in April. This directive, she explained, would provide limited liberalization for encryption transfers among EU countries based on notification, and provide general license exceptions for exports to "friendly countries". She added that there is "no support" for key recovery or key-recoverable infrastructure within the EU.
Responding to a PECSENC member's question, Ms. Moll stated that she was unaware of any provisions within the forthcoming EU directive that would restrict Britain or France's abilities to maintain more stringent encryption policies, although she stressed that the directive would emphasize measures for intra-EU trade.
Subcommittee members then engaged Ms. Moll in a dialogue on how the EU's data privacy directive may affect the use of encryption. Ms. Moll acknowledged the interpretations of the data privacy directive that would require the use of encryption to protect transmissions of personal information and encryption's central role in data confidentiality, yet she stressed that the privacy directive did not require its use. She explained further that the Commission's objective is to ensure that its encryption policy remains compatible with the data protection directive.
Acting Chairman Baker then initiated a discussion of the PECSENC's future agenda, and outlined several topics for PECSENC members to select for further Subcommittee consideration. These topics included: intellectual property technologies; source code issues; smartcards; a future regulatory update package; authentication technologies; encryption and the Digital Millennium Copyright Act; criminal penalties for use of encryption in furtherance of a crime; data protection laws; and critical infrastructure protection. Several Subcommittee members volunteered to "champion" the various topics; Mr. Baker requested that each member submit a one-page action plan identifying the equities at stake and how the PECSENC should proceed.
Marc Chittum, the President's Export Council (PEC) Executive Secretary, reminded PECSENC members of the PEC's upcoming April 14 meeting. He informed Subcommittee members that Under Secretary Reinsch would report to the PEC on the PECSENC's activities. Acting Chairman Baker then asked members if there were any objections to the January meeting minutes. None were offered, and the meeting minutes were adopted.
Subcommittee member Dorothy Denning initiated a discussion of the impact of BXA's toolkit/module policy on authentication technologies. Specifically, she requested clarification of BXA's rationale for restricting exports of cryptographic items for authentication purposes. James Lewis, Director of BXA's Office of Strategic Trade and Foreign Policy Controls, explained that a product's capabilities - and not its stated end use - determine whether that item is subject to U.S. export controls. He stated that exporters may self-classify their products if they feel comfortable doing so, but must be willing to accept liability if they classify an item incorrectly.
Bruce Kutz, Deputy Director of BXA's Encryption Policy Controls Division, informed PECSENC members that if a toolkit submitted on a license application could be used to create a confidentiality product, then a condition is placed on the license stipulating that the finished products are subject to the Export Administration Regulations and may require written authorization by BXA prior to reexport, resale or transfer depending on the finished product.
Following completion of this discussion, Acting Chairman Baker adjourned the meeting at 3:00 p.m.
[Attachment]
PRESIDENT'S EXPORT COUNCIL SUBCOMMITTEE ON ENCRYPTION
March 12, 1999
Attendance
Members:
Stewart Baker Steptoe & Johnson, L.L.P.
Richard Barth Motorola, Inc.
Lawrence Coutorie High Technology Crime Investigation Association
Dorothy Denning Georgetown University
Ted Gerbracht Merrill Lynch & Co., Inc.
Donald Goldstein Nomos Corporation
Peter Harter Netscape Communications Corporation
Richard Hite Visa International
Ambassador Julius Katz Hills & Company
Stephen Katz Citibank
John Liebman McKenna & Cuneo, LLP
Kevin McCurley IBM Almaden Research Center
Douglas McGowan Hewlett-Packard Company
Lynn McNulty RSA Data Security, Inc.
Barbara Simons Association for Computing Machinery
Government Representatives
Mark Bohannon Department of Commerce
Ludwin Borrero National Security Agency
Marc Chittum Department of Commerce
Jason Gomberg Department of Commerce
Kathryn Hitchcock Central Intelligence Agency
Charlotte Knepper National Security Council
Bruce Kutz Department of Commerce
James Lewis Department of Commerce
John Lynch Department of Justice
Dennis O'Connell Department of the Treasury
Bruce McConnell Office of Management and Budget
Patricia Moll European Commission
Michelle O'Neill Department of Commerce
William Reinsch Department of Commerce
Roman Slowniewsky Department of Commerce
Katura Weatherspoon Department of Defense
Digitizing and HTML by JYA/Urban Deadline.
JYA Report on the May 14 1999 PECSENC meeting
See note on full proceedings

1. Liberalization 2000: I arrived during the discussion so didn't hear the sponsor's report. See Baker's memo for intent. It was described as "options for change." As noted there, a Federal Register notice will be issued soon about it. A working group meeting is set for June 24-25 for "experts" to prepare policy papers for public response. One or two public meetings will be held, perhaps with work groups and plenary.

2. PECSENC Web site: A Web site is in the works to be run by Commerce, though no target date was available from Jason Gomberg, PECSENC administrator, who will oversee the site and who claims to be an advocate of public access (I reminded him he had never answered my e-mail months ago asking for info; that material promised this week never came from Lisa Carpenter's office; and that BXA's public responsiveness rep sucked (except for lapdogs -- as evidenced by Reinsch's comment during the meeting that if BXA couldn't meet a deadline for completing an application an automatic denial issued, "so it is unrealistic for McCain's bill to set a time limit on application processing.")). Jason <jgomberg@bxa.doc.gov> is to field all PECSENC public inquiries, Crowell and he said.

3. WIPO Treaty: Barbara Simons, ACM, reported on the adverse effect of the WIPO copyright act on encryption research and made an appeal for support of Gene Spafford's letter campaign <http://www.cs.purdue.edu/homes/spaf/WIPO/>. After brief discussion of whether researchers will be prosecuted for violating WIPO, the panel decided the topic was not its purview. For more, see Simons' column in the CACM, October 1998, pp. 17-18.

4. Smartcards: After the sponsor's report and extended discussion it was declared that "smartcards are not a hot issue" but because of rapidly advancing technology and usage they deserve the panel's deliberations and policy recommendations. Something about this will be put in the Federal Register announcement.

5. Scannable text: Extended discussion of the BXA's statement in 1998 that it reserved the option to control scannable text of encryption. IBM's Kevin McCurley said he had just come out with a CD-book that had many years of Eurocrypt papers on it but only in PDF form and had excluded papers from FES due to the scannable text threat. Reinsch had no words of comfort, invoked the need to reserve options to protect national security.

6. Bernstein: Steele and Corn-Revere highlighted four aspects of the decision: its 1A affirmation for source code, its high level awareness of Snuffle technology to bare the absurdity of crypto export controls; its binding "dicta" (will a lawyer explain this), and its comments on the need for cryptography to protect privacy and political speech. Some panelists commented that they applauded the decision but anxiously awaited next steps by DoJ and were carefully complying with the stay. There was no one from Justice to respond. Reinsch said he was appreciative of the panel's views but that BXA would recommend to Justice to fight the decision, otherwise crypto controls are doomed. Crowell (and others) raised the question of what would happen if export of source code was allowed under Bernstein but executables were not. Consensus was that the US crypto industry would move offshore and die domestically. (Expect this scare-tactic to get political play in days ahead, for it seemed to have been orchestrated beforehand -- could Cylink's head and everyone there do otherwise and keep their jobs?) Corn-Revere grimaced during this exchange, Steele had the look of a bulletless hunter facing hyenas. Uber Dicta: Steven Levy in Newsweek on the Bernstein heroes.

7. McCain's bill S.768: Reinsch noted these deficiencies: (This is long, get a cupa.)

Section 3. Findings (11) "... American companies should be free to sell, license, or otherwise distribute such encryption products and programs worldwide so long as *national security is not put at risk*." The final phrase is the heart of the issue, and the bill fails to resolve it.

Section 4. Definitions (5) "Generally Available or General Availability." Determining this is going to be in continuous dispute.

Section 101. Development and Deployment of Encryption a Voluntary Private Sector Activity (b) "Limitation on Regulation." Forbidding government to link crypto used for confidentiality and that for authenticity fails to understand the complexity of encryption technology.

Section 103. Mandatory Government Access to Plaintext Prohibited (All section deals with key recovery). Government prefers to "use carrots" to gain compliance not prohibition.

Section 202. Federal Purchases of Encryption Products (b) "Interoperability Required." and (c) "Citizens Not Required to Purchase Specified Product." Impossible for the government to be able to interop with all possible commercially-available encryption products. Several panelists agreed.

Section 301. Deadline for Final Selection of Algorithm or Algorithms by NIST (a) "AES Process." Deadline of January 1, 2002 is in conflict with NIST schedule.

Section 401. Information Technology Laboratory. Intent of section not clear.

Section 502. Presidential Authority (a)(2) "IEEPA and EEA." This section does not reflect the reality that IEEPA is all there is for presidential authority, for Congress will not pass a new EEA. Here, Reinsch commented that "the Senate does not get it, the House does."

Sections 503, 504, 505 and 506. Exportability of Encryption Products, the Encryption Export Advisory Board, and AES as Standard of Exportability. The guts of the bill, the parts hardest to accept as written for they interfere with BXA's "national security" mandate.

Reinsch and others stated that the bill appeared to be a complete flip-flop of McCain's prior position on crypto and showed the characteristic marks of going from one extreme to another without understanding the related technology and law. Hear, hear, the panel agreed, "we've got to help them, give them acceptable language." Baker said the bill is "stupid," written by the ignorant to be "idiot proof" against key recovery, which is dead.

8. The cafeteria at Commerce, Taser in the gut.

Thank you for staying awake.
Candid Meeting Comments (backdoor algorithms):
Stewart Baker (ex-NSA Counsel, ex-PECSENC Acting Chairman): "McCain's bill [S.768] is stupid, written as idiot proof by ignorant people who don't understand that key recovery is dead. (Smile.)" (Emphasis in original)
William Reinsch, Undersecretary of the Bureau of Export Administration: "The Senate doesn't get it, what we want them to do, the House does. (Smile.)"
Several Attendees: "We've got to help them, give them [legislators] language that is acceptable. (Knowing nods.)"
William Reinsch: "BXA will recommend to the Justice Department that the Bernstein decision be fought, we've got to, otherwise encryption export controls are finished. (Frown, '... national security ... '.)"
William Crowell, PECSENC Chairman (ex-Deputy DIRNSA): "While PECSENC recommendations should formally go through the President's Export Council (PEC), we've got access to the White House. (Smile)."
Several Attendees: "What will happen if Bernstein prevails, source code is exportable but executable code is not? Right, all the strong encryption will be developed outside the United States. The encryption industry will abandon America. (Gasps, groans, grins, eyerolls, poots.)"
An audio system was in use for the meeting, probably with automatic recording, so the full proceedings should be available under PECSENC's announced openness initiative. Minutes are customarily presented for approval at the following meeting. Contact Jason Gomberg <jgomberg@bxa.doc.gov>.
Mr. Gomberg said that PECSENC's archives will be offered on its new Web site in accord with Federal Advisory Committee Act (FACA) regulations (http://www.doc.gov/oebam/FACABXA.htm)(http://policyworks.gov/org/main/mc/).
Additional information may be obtained under the FOIA (http://www.doc.gov/oebam/foia25.htm)(http://www.usdoj.gov/oip/foia_rights.htm).
Barbara Simons said PECSENC members do not receive classified information, that any information available to the members should be available to the public.
Chairman Crowell provided his business card:
William Crowell, President and CEO
Cylink
Corporate Headquarters