[252] in Best-of-Security
BoS: U.S. Senate committee approves encryption bill (fwd)
daemon@ATHENA.MIT.EDU (Darren Reed)
Fri Jun 20 03:13:54 1997
From: Darren Reed <darrenr@cyber.com.au>
Date: Fri, 20 Jun 1997 10:25:09 +1000 (EST)
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net
U.S. Senate committee approves encryption bill
By Sari Kalin
InfoWorld Electric
Posted at 2:25 PM PT, Jun 19, 1997
The U.S. Senate commerce committee Thursday approved the Secure Public Networks Act, a move that software
industry and privacy rights groups called a setback for electronic privacy and electronic commerce.
The act was introduced this week by U.S. Senators John McCain (R-Arizona), Bob Kerrey (D-Nebraska), and
Ernest Hollings (D-South Carolina). It is pitched as a compromise on the controversial encryption export issue, one
that balances individuals' needs to use -- and vendors' desires to export -- strong encryption with law enforcement
concerns about encryption falling into the wrong hands. But opponents say the act all but compels Internet users to
participate in key recovery -- a system that would give government officials access to keys needed to decipher
encrypted data, and which opponents see as an invasion of privacy and a threat to security.
"[The bill] would for the first time impose domestic controls on the ability of American citizens to protect their privacy
and security on the 'net," said Jonah Seiger, communications director at the Center for Democracy and Technology,
in Washington.
The Secure Public Networks Act is expected to move on to the Senate judiciary committee next week, Seiger said.
But it is only one of several encryption-related bills pending in the U.S. Congress, and privacy rights and software
industry representatives say the battle is not over yet.
"We've got a couple of options still open," said Kim Willard, a spokeswoman with the Business Software Alliance
(BSA), a computer industry group based in Washington. "[Today's vote] is a pretty big disappointment and a step
backwards ... but it's not a step off the cliff either."
One Senate bill, called the Pro-CODE (Promotion of Commerce On-Line in the Digital Era) bill, would liberalize
encryption exports and prohibit mandatory key escrow. The bill's backer, U.S. Senator Conrad Burns (R-Montana),
tried unsuccessfully Thursday to add a Pro-CODE-like amendment to the Secure Private Networks Act. In the U.S.
House of Representatives, however, the Security and Freedom Through Encryption Act (SAFE) has already passed
the House's judiciary committee and has the backing of 125 representatives, Willard said. SAFE would also prohibit
mandatory key escrow and liberalize exports.
The Secure Public Networks Act, similar to draft encryption legislation proposed by the Clinton administration earlier
this year, links key recovery systems with the establishment of government-licensed certificate authorities, Seiger said.
Certificate authorities, which certify the identities of participants in an electronic transaction, are essential for the
development of e-commerce, Seiger said. The bill would create incentives for becoming a government-licensed
certificate authority, such as limiting liability. But government-licensed authorities would only be able to issue
certificates to people who agree to participate in key recovery.
"It makes using key recovery a prerequisite for participating in the information society," Seiger said.
The bill would also codify the current administration's encryption export policy, which requires vendors to set up a
key recovery system if they want to export 56-bit or stronger encryption.
One amendment to the bill Thursday, by Kerrey, calls for creating an Encryption Export Advisory Board to study
whether there is an export market for non-key-recovery products that offer stronger than 56-bit encryption. That did
not sit well with the BSA, however, even though the board would be made up of representatives from government
law enforcement and the computer industry.
"It doesn't really give us much of a chance to keep up with the competition," Willard said. "There's a very short
window of opportunity in terms of research and development and production."
A team of graduate students has also already shown that they can break 56-bit DES encryption, even though they
had to spend several months and string together several computers to do it, Seiger said. (See "Hackers crack 56-bit
encryption to prove its weakness.")
"The point is, 56-bit DES is not a long-term solution," Seiger said.
The Center for Democracy and Technology can be reached at (202) 637-9800 or http://www.cdt.org/. The Business
Software Alliance can be reached at (202) 872-5500 or http://www.bsa.org/.