[452] in cryptography@c2.net mail archive


Clintons new crypto regs

daemon@ATHENA.MIT.EDU (jay holovacs)
Tue Apr 1 21:06:57 1997

Date: Thu, 27 Mar 1997 19:37:06 -0500
From: jay holovacs <holovacs@idt.net>
To: cryptography@c2.net

By now many of you may have seen the draft of Clinton's proposed 
key escrow program (http://www.cdt.org/crypto/admin_397_draft.html). 
While the bill *claims* to be voluntary, it has a number of very 
frightening features, and is probably just a first step toward domestic
government crypto control.

Below are a few sections and my initial quick and dirty comments. 
*Highlighted text* is emphasis mine. [My comments] are in brackets.

Jay Holovacs
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzCmKpkAAAEEANq8z8b2fiVI8rB3n3iJVyqDSGu7KdYy0hE95DDAbkh017ew
oTEASfiZmP7mPXy9y7HWi9oYYIY1eGSH9Xe/oGLOfjoETKGES6YqObRJ5B5LmK+y
Xxsv89NCw/K7s/OSm+CscewZqXt0cHnHFx7/9heGEqDNii3xgdXsLniA5KoFAAUR
tB9KYXkgSG9sb3ZhY3MgPGhvbG92YWNzQGlvcy5jb20+
=c5gz
-----END PGP PUBLIC KEY BLOCK-----


From section 302:
[After ballyhooing official government approved key recovery (escrow)
agents, the following duties are described]


(A)  A Key Recovery Agent, *whether or not registered* by the
Secretary under this Act, shall disclose recovery information stored by a
person:

     (1)  to a government agency acting pursuant to a duly authorized
     warrant or court order, a subpoena authorized by Federal or State
     statute or rule, a certification issued by the Attorney General
     under the Foreign Intelligence Surveillance Act, or other lawful
     authority that allows access to recovery information by such agency; 


[This appears to apply to all private parties including internal
MIS organizations. Would this apply to PGP keyservers? Since
PGP keyservers do not hold private keys and hence cannot provide access
when requested, are they essentially banned under this bill?]

From 401(b):

  (1)  The amount of the civil penalty may not exceed $10,000 per
   violation, *unless* the violation was willful, ...

[$10,000 penalty limit applies only to *accidental* violation!!??]

". . . or was committed by a Key Recovery Agent or a Certificate
Authority not registered under this Act. In determining the amount
of the penalty the court shall consider the risk of harm to law
enforcement, public safety, and national security, the risk of
harm to affected persons, the gross receipts of the charged
party, the judgment of the Attorney General concerning the
appropriate penalty, and the willfulness of the violation."



[This implies that someone acting as a de facto certificate
authority (theoretically legal) but not registered is subject to
enhanced legal vulnerability, without limits.]

From 302(A):

(2)  to a law enforcement or national security government agency
     upon receipt of written authorization in a *form to be specified by
     the Attorney General*..

[No reference to the court system, only DOJ. This agrees with
earlier leaked memos obtained under FOIA by EPIC which suggested
that the administration considered the courts too recalcitrant
for effective access.]

From 302:

(B)  The *Attorney General* shall issue regulations governing
the use of written authorizations to require release of recovery
information to law enforcement and national security government
agencies.  . . . or to comply with a request from a duly
authorized agency or a *foreign government*.

[So here Uncle Sam is not going to defend his citizens against his
foreign allies.]

From section 404:

(A)  Whoever knowingly  encrypts data or communications in
furtherance of the commission of a criminal offense for which
the person may be prosecuted in a court of competent jurisdiction 
shall, in *addition to any penalties* for the underlying criminal 
offense, be fined under title 18, United States Code, or imprisoned 
not more than five years, or both.

(B)  It is an affirmative defense to a prosecution under this
section that the defendant stored sufficient information to decrypt the
data or communications with a Key Recovery Agent registered under Act if
that information is reasonably available to the government.  The
defendant bears the burden of persuasion on this issue.

[Yeah, it's voluntary, but if you get in trouble for something
and you didn't escrow, 5 more years in the slammer. We're not
just talking evil drug lords here, consider, for instance, you
are involved in a bit of more or less legitimate civil
disobedience, and you use PGP...OK $500 fine for obstructing a
federal building, and 5 years for protecting your name list]

From 605: (Definitions)

   (6)  The term "encryption" means the transformation of data
*(including communications)* in order to hide its information
content.  To "encrypt" is to perform encryption.

[If this *includes communications* then it apparently also applies to
*non-communication* data, i.e. data resident on machines. As such it
goes far beyond current wiretapping authority, which does not
extend to violating a target's physical site.]


