31 March 1998
Thanks to Alan Davidson, Center for Democracy and Technology


To: Interested Parties
From: CDT
Re: Preliminary Analysis of Revised McCain-Kerrey Bill (S.909)




Senators McCain and Kerrey are circulating a revised version of their encryption bill, S.909. The new draft includes several changes in response to industry and privacy concerns: It heightens the legal standards for access to escrowed keys; it removes the linkage between key recovery and the regulation of certificate authorities; and it refines export control requirements.

Despite these changes, CDT remains opposed to S.909 for one fundamental reason: The revised draft still seeks, through a series of incentives (export controls, government procurement, and liability safe harbors), to require encryption users to surrender control over their keys on the government's terms. We also oppose the revised bill because its privacy standards fall short; it criminalizes a wide range of uses of encryption; and it effectively retains current export controls on encryption. CDT believes S.909 is at best a codification of a bad status-quo. Overall, the new bill still threatens electronic privacy and security through the coercion of the marketplace towards adoption of a government key recovery standard, with all the risks that entails.

Senators McCain and Kerrey have said they are seeking a compromise on the encryption issue. However, any legislation that includes government-dictated standards for key recovery is not a compromise. It entails too many risks and is fundamentally inconsistent with the user-controlled nature of the new electronic technologies. It requires people to do something they would never do otherwise do: place their keys in the hands of someone they don't control.

Overview of S.909 -- S.909 is a comprehensive bill regulating the use and export of encryption. The original bill included export controls, procurement requirements, new criminal penalties, and a complex federal licensing system for certificate authorities (CA's) and key recovery agents. It was widely criticized for: linking key recovery to CA's; using export, procurement, and liability relief to force the use of key recovery; allowing access to keys with a subpoena; codifying a weak 56-bit limit on exports; and creating sweeping new federal criminal penalties. For a detailed review of the provisions of S.909, see CDT's analysis available at http://www.cdt.org/crypto.

Problems with the revised S.909 -- CDT continues to oppose S.909 as a bill intended to make government-designed key recovery all but mandatory through coercion of the marketplace. Government-mandated key recovery is fundamentally different from the type of key recovery that the marketplace is now developing in response to user needs. Under the revised bill, "qualified key recovery systems" will still be defined by the Commerce Secretary. They will likely require that key recovery occur "without the knowledge or cooperation of the key owner" and they will likely extend to communications, key points that are in current regulations. These features directly threaten privacy and security online and are not acceptable to the marketplace.

Changes to S.909 -- The revised S.909 contains a number of significant changes, most of which are direct responses to criticisms raised by privacy advocates and industry groups. Major changes include --

Other changes include narrower access to key information at the request of foreign governments (only plaintext, not keys, can be released), and narrowed Presidential waiver authority (does not apply to Title I privacy protections.)

Specific reasons why we oppose the revised bill --

Conclusion: CDT appreciates the efforts made by Senators McCain and Kerrey to address privacy and industry concerns with S.909. However, the bill still attempts to impose the government's vision of key recovery -- an international, ubiquitous system that allows access to keys without the knowledge or consent of the key owner -- on an unwilling marketplace. Insufficient access standards, limited export relief, and sweeping new criminal penalties would chill the use of encryption and threaten information privacy. For these reasons CDT believes that the revised bill, if passed, would be a serious blow to electronic privacy and security.