[340] in Best-of-Security


BoS: FBI calls for mandatory key escrow; Denning on export ctrls

daemon@ATHENA.MIT.EDU (Nev Dull)
Tue Sep 9 14:48:13 1997

Date: Fri, 5 Sep 1997 12:05:01 -0400 (EDT)
From: Nev Dull <nev@bostic.com>
Old-X-Originally-To: To: nev@bostic.com (/dev/null)
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au


Forwarded-by: Jim Thompson <jim@hosaka.SmallWorks.COM>
Forwarded-by: Declan McCullagh <declan@well.com>

WASHINGTON, DC -- All encryption products sold or distributed in the U.S.
must have a key escrow backdoor "like an airbag in a car," law enforcement
agents advised a Senate panel this afternoon.

FBI Director Louis Freeh also told a Senate Judiciary subcommittee that
"network service providers should be required to have some immediate
decryption ability available" permitting agents to readily descramble
encrypted messages that pass through their system.

This marks the most aggressive push to date for mandatory domestic key
escrow (or "key recovery"), which means someone else other than the
recipient can decipher messages you send out. Now, the easiest way to win
such a political tussle in Washington is to control the terms of the
debate. And nobody understands that rule better than Sen. Jon Kyl
(R-Arizona), chair of the Judiciary subcommittee on technology, terrorism,
and government information.

Kyl opened today's hearing not by saying its purpose was to discuss crypto
in a balanced manner, but that he wanted "to explore how encryption is
affecting the way we deal with criminals, terrorists, and the security
needs of business." Then he talked at length about "criminals and
terrorists" using crypto, and child pornographers "using encryption to
hide pornographic images of children that they transmit across the
Internet."

Kyl also stacked the three panels. Out of seven witnesses, five were
current or former law enforcement agents. No privacy or civil liberties
advocates testified. Some companies including FedEx apparently dropped
out when told they'd have to pay lip service to key escrow if they wanted
to speak.

Dorothy Denning, a Georgetown University professor of computer science,
did testify. Kyl made a point of asking her if she still supported key
escrow systems (two recent articles by Will Rodger and Simson Garfinkel
said she was changing her mind). "I think key recovery offers a very
attractive approach," Denning said. What about export controls? "In the
absence of any controls, the problem for law enforcement would get worse,"
she replied.

But when Sen. Dianne Feinstein (D-Calif) asked if Denning would support
a *mandatory* key escrow system, the computer scientist said she wouldn't.
"No, because we don't have a lot of experience with key recovery systems...
a lot of people are legitimately nervous."

(Keep in mind that although Feinstein supposedly represents Silicon
Valley, she's no friend of high tech firms. She opposes lifting export
controls; in fact, she says that "nothing other than some form of
mandatory key recovery really does the job" of preventing crime. Of
course, Feinstein doesn't have a clue. She talks about whether businesses
would want "a hard key or digital key or a key infrastructure." Yes,
folks, this is in fact meaningless blather.)

Marc Rotenberg, director of the Electronic Privacy Information Center in
Washington, DC, says, "Simply stated, the Senate train is headed in the
wrong direction. But of course this doesn't answer the question of what
will ultimately be resolved by Congress? There's a very popular measure
in the House right now that's heading in a different direction."

Rotenberg is talking about Rep. Bob Goodlatte's SAFE bill, which is much
more pro-business than S.909, the McCain-Kerrey Senate bill that Kyl
supports. Now, S.909 doesn't mandate key recovery; it only strongly
encourages it by wielding the federal government's purchasing power to
jumpstart a key recovery infrastructure.

But Kyl would go further. At a recent Heritage Foundation roundtable on
encryption, I asked him, "Why not make key recovery technology mandatory
-- after all, terrorists, drug kingpins and other criminals won't use it
otherwise." Kyl's response? Not that it would be a violation of the
Constitution's due process and search and seizure protections. Instead,
he told me he simply didn't have enough votes...

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Forwarded-by: chuck yerkes <Chuck@Yerkes.com>
Forwarded-by: David HM Spector <spector@zeitgeist.com>

The Washington Post has a good piece on the whole encryption
thing too:

http://www.washingtonpost.com/wp-srv/tech/analysis/encryption/encrypt.htm

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
	    FBI chief calls for encryption control at home

Published: Sept. 4, 1997

BY RORY J. O'CONNOR
Mercury News Washington Bureau 

WASHINGTON -- In an abrupt departure from stated Clinton administration
policy, the director of the FBI said Wednesday the government should
control how U.S. computer users can scramble their data to keep it secret.

The White House has pledged for years to never ask for domestic controls
on encryption. Encryption technology, once confined to the military and
spy agencies, is now commonly used to keep the contents of electronic
mail, computer files or digital phone calls from prying eyes and ears.

But FBI head Louis Freeh insisted to a Senate subcommittee that
controlling unbreakable encryption inside the United States is "a public
safety issue" and that the government should require any scrambling
technology used in the United States to incorporate a "back door"
authorities can access to decode otherwise secret data and transmissions.
The unchecked spread of unbreakable encryption, he said, threatens the
use of wiretaps to combat serious crime.

"We cannot leave to private industry the task of solving this problem
for law enforcement," Freeh said. "We are looking to the Congress for
some type of assistance, for some kind of protection against unbreakable
domestic encryption."

In an indication of how divisive the issue is within the administration,
however, the White House reaffirmed its 1996 pledge that "any American
will remain free to use any encryption system domestically."

"The administration has not changed its position and does not support
domestic controls on encryption," Heidi Kukis, a spokeswoman for Vice
President Al Gore, said after Freeh's testimony.

But she reiterated the administration's support for a Senate bill, opposed
by industry and civil libertarians, that would encourage development of
an encryption technique known as "key recovery."

Under that system, electronic "keys" to unlock a user's scrambled
messages would be available to outsiders, like law-enforcement officials.
Most privacy and encryption advocates favor so-called public key
encryption, which can be made strong enough that not even the most
sophisticated computers can crack the code without a key held only by the
computer's owner.

Civil libertarians responded angrily to Freeh's proposal, saying it would
be an attack on privacy and prevent both individual and corporate computer
users from protecting confidential information from thieves or rogue
government officials.

"The idea of requiring every manufacturer in the United States to
implement data recovery features is new and outrageous from a privacy
point of view," said Alan Davidson, staff counsel of the Center for
Democracy and Technology. "This is a dramatic shift from where the
administration has been."

Some senior administration officials privately acknowledge the encryption
issue is a seemingly intractable problem within the White House. Even the
administration's current policy of restricting the export of strong
U.S.-made encryption and pressing for key recovery is "untenable," one
official said. But the FBI and the Justice Department have proven
"unshakable" in their insistence that the policy be tightened and
expanded to cover domestic encryption use as well.

Freeh's testimony before the Senate Judiciary Committee's technology
subcommittee found a receptive audience in Chairman Jon Kyl, R-Ariz., and
ranking member Sen. Dianne Feinstein, D-Calif.  Freeh said he believes
computer manufacturers, software makers and Internet service providers
should be required to provide easy access points for police to wiretap
scrambled digital communications.

"What we need as a minimum is a feature implemented by design that allows
law enforcement to have an immediate, lawful decryption" of suspect
material, Freeh said. Like new rules for air bags in cars, users could
choose to turn the encryption feature off.

Feinstein went even further, saying the only solution she could envision
is one that makes "key recovery" technology mandatory.  Opponents say
that, while key recovery could be useful to some people and companies, it
means that the electronic "keys" to unlock scrambled messages would be
available to outsiders.

The apparent public disagreement between the White House and the FBI on
the issue angered Mountain View-based Netscape Communications Corp., whose
Internet browsing software is employed by 70 percent of those online.

"The fact of the matter is the vice president said twice last year the
administration policy is not about domestic control," said Peter Harter,
vice president of public policy for Netscape.  "It is very hard for
industry to work out a balanced policy when the administration can't keep
all its senior (officials) in line.  It's getting increasingly
frustrating," Harter said.

Comparing Freeh's proposal to the digital wiretap law for telephones,
which has pitted the FBI against industry for three years in an unresolved
technical standards battle, Harter said a similar encryption law could
wreak havoc on the Internet.

"The Internet industry in this country can't afford to be put into a
three-year tailspin and get into a technical standards wrestling match
with the FBI," he said.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Forwarded-by: chuck yerkes <Chuck@Yerkes.com>
Forwarded-by: David HM Spector <spector@zeitgeist.com>

		 Senators Embrace Mandatory Data Keys
by Wired News Staff 12:03pm 4.Sep.97.PDT

In a major advance for hard-line proponents of giving the government wide
access to electronic data, several influential senators have declared
their support of mandatory key recovery features for all
encryption-enabled software sold in the United States.

At a Judiciary subcommittee meeting Wednesday, Senator Dianne Feinstein
was among those who came out strongly in support of the position taken by
FBI Director Louis Freeh that mandatory key recovery is essential to
deterring crime.

"Nothing other than some kind of mandatory key recovery really does the
job," the California Democrat said at a hearing of the Senate Judiciary
Committee's technology, terrorism, and government information
subcommittee. "The public-safety issue is a paramount one."

The subcommittee's chairman, Senator Jon Kyl (R-Arizona), added that he
was "in complete agreement."

The Clinton White House, like past administrations, has, along with major
police and spy agencies, been a strong supporter of such measures. But in
Congress, sweeping measures to give government agents an easy-open back
door to scrambled data have been met with strong opposition and
legislation that cuts in the opposite direction.

Bills in both the House and Senate have sought to exclude mandatory key
recovery systems as a requirement not only for US software-makers and
users but also for export products. The Senate version of this liberalized
policy is, practically speaking, dead, supplanted by the Secure Public
Networks Act by Senators Bob Kerrey (D-Nebraska) and John McCain
(R-Arizona).  The bill offers incentives to software manufacturers for
building key recovery features into their products.  In the House, a
liberalization bill by Representative Bob Goodlatte (R-Virginia) is not
only alive but has gained a majority of members as cosponsors.

The software industry, civil liberties advocates, and privacy groups on
both the right and the left have opposed mandatory key recovery. Some
opponents were stunned by Wednesday's hearing.

"It was really shocking to hear how casually senators and the FBI director
talked about imposing domestic controls," said Alan Davidson, staff
counsel at the Center for Democracy and Technology.  "They've crossed a
new line in this debate."

"It appears that Senator Feinstein wants a Constitution-free zone for
the Internet," said David Banisar, staff counsel at the Electronic Privacy
Information Center.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Forwarded-by: chuck yerkes <Chuck@yerkes.com>
Forwarded-by: David HM Spector <spector@zeitgeist.com>

[From today's CyberTimes in the online NYT -- check out Sen. Feinstein's
last word on the subject (incidentally, the last line of the piece).  You'd
think the Sedition Act could be used against Her, and Freeh... but no, it
only applies to the hoi polloi like you and me... not government officials.
_DHMS]

September 4, 1997

Encryption Tops Wide-Ranging Net Agenda in Congress

By JERI CLAUSING

WASHINGTON -- As Congress returns from its summer break this week, it
faces a host of legislative initiatives that could shape the future of
online privacy, commerce and jurisdiction.

Topping the agenda is encryption, an issue that has pitted President
Clinton and his top crime fighters against virtually everybody else.

The word encryption traditionally conjures images of spies and
sophisticated international organized crime rings. But with the dawn of
the Internet, it is also the key to private communication and secure
business transactions.

And while Clinton on July 1 took a very public stand for a tax-free,
self-governed Internet, his administration is pushing to create a
key-recovery system that would keep encrypted codes on file for law
enforcement officials to access.

But the administration is not alone in backing bills that would appear to
be contradictory to the principles of a free, self-governed Internet. Some
groups are fighting to ban or regulate unsolicited commercial e-mail, or
spam. Others want to ban gambling on the Internet and criminalize
copyright infringements.

Of the dozen or so Internet or computer-related bills pending in Congress,
encryption is among the first orders of business.  Subcommittees of both
the House and Senate Judiciary committees have scheduled hearings this
week.

The House bill, known as the Security and Freedom Through Encryption Act,
or SAFE, legislation backed by virtually everyone but the administration,
would lift all current export controls on encryption software and prohibit
a government key-recovery system. Despite intense lobbying by the
administration, which included classified briefings for members of key
House committees, the bill has been endorsed by the House Commerce and
International Relations committees. And with more than 250 of the House's
435 members cosponsoring the act, sponsoring Representatives Bob
Goodlatte, Republican of Virginia, and Zoe Lofgren, a California Democrat,
are optimistic about getting the bill through the full House as early as
this month.

The Senate, however, has been less inclined to buck the administration.
The Senate Commerce Committee passed a bill by Senator Bob Kerrey,
Democrat of Nebraska, and the committee's chairman, John McCain,
Republican of Arizona, that includes the administration-backed
key-recovery plan. But there are two other Senate encryption bills that
are closer to the SAFE act in the House and a Judiciary subcommittee
hearing is scheduled on the issue Thursday.

Still, at a Judiciary subcommittee hearing on Wednesday, Congress's first
day back, Senator Dianne Feinstein, a Democrat who represents California
and its technology-rich Silicon Valley, called for mandatory key recovery
of encrypted software.  And Louis J. Freeh, the director of the FBI,
raised the prospect of also requiring Internet service providers to have
keys to the data flowing over their networks.

"Law enforcement needs to have a system for immediate decryption" when a
judge determines it is likely that crime is being or is about to be
committed, Freeh told the Subcommittee on Technology, Terrorism and
Government Information. "We should also look at whether network service
providers should have a system for immediate decryption."

Encouraged by the Supreme Court's decision striking down the
Communications Decency Act this summer, an unusually broad cross section
of advocacy groups, including the American Civil Liberties Union, the
Electronic Freedom Foundation, the Business Software Alliance and the
National Rifle Association are bent on killing bills that would regulate
encryption technology.

And as was the case with the Communications Decency Act, lawmakers backing
the administration's call for a key-recovery system are warning of dire
consequences if Congress fails to enact such a system in an effort to
thwart terrorists, online pedophiles and drug dealers.

"The looming specter of the widespread use of robust, virtually
uncrackable encryption is one of the most difficult problems confronting
law enforcement as the next century approaches," Freeh told the Senate
Judiciary Committee earlier this summer.  "At stake are some of our most
valuable and reliable investigative techniques and the public safety of
our citizens.  We believe that unless a balanced approach to encryption
is adopted that includes a viable key infrastructure, the ability of law
enforcement to investigate and sometimes prevent the most serious crimes
and terrorism will be severely impaired. Our national security will also
be jeopardized."

Opponents of a key recovery system, on the other hand, insist that
terrorists and drug cartels are smart enough not to use encrypted codes
to which law enforcement agencies have access.  And they argue that the
current export restrictions on strong encryption developed in the United
States could put the nation at a competitive disadvantage in the
fast-growing and fast-changing digital communications industry.

Others say it's a serious threat to civil liberties.

"This is equally as serious as the Communications Decency Act," said Shari
Steele of the Electronic Frontier Foundation. While the Communications
Decency Act "was about freedom of speech, making sure that speech was
protected online," she said, "encryption is about privacy -- making sure
we are able to speak privately, and making sure our transactions are
private."

In contrast to Clinton's support of proposals like the Internet Tax
Freedom Act, which would prohibit states from taxing online commerce,
Steele says the administration's encryption policies will stymie Internet
development.

"The administration, if anything, is moving in the wrong direction,"
Steele said. "We are very dissatisfied. When we first voted for Clinton,
there was an expectation that Vice President Al Gore was this
technologically savvy guy. Instead, he has turned out to be a real enemy
of the people when it comes to Internet issues."

Software companies insist that the freedom to develop strong encryption
would prove to be the best weapon against online crime because encryption
would thwart more thieves and eavesdroppers than it would facilitate
organized crime and terrorism.

The issue is also changing the perception of Washington among high-tech
companies. In the wake of the Communications Decency Act, and facing a
threat on the encryption issue, the computer industry, increasingly wary
of what it sees as the technical naivete of Congress, is moving quickly
to improve its clout through campaign donations and lobbying.

According to a recent report by the Center for Responsive Politics, the
industry donated $7.3 million through political action committees, "soft
money" and individual contributions to federal candidates and parties.
That's 52 percent more than was spent in the 1991-1992 election cycle.
During calendar year 1996, the industry spent another $19.9 million on
lobbying expenses.

Among the Top 10 of Congressional beneficiaries of this new high-tech
largesse is Feinstein, who, given her support of the FBI's position, is
sure to be feeling some pressure as the Judiciary Committee prepares to
take up the issue. During discussion of the Kerrey-McCain bill in July,
Feinstein left before her constituents from the software industry in the
Silicon Valley testified -- and after telling representatives of the FBI
and the National Security Agency that she would defer to their expertise
on what was a confusing issue.

At Wednesday's subcommittee hearing, Feinstein said "The bottom line is,
I think nothing short of mandatory key recovery does the job."

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Forwarded-by: chuck yerkes <Chuck@yerkes.com>
Forwarded-by: David HM Spector <spector@zeitgeist.com>

		 Freeh Seeks Encryption Decoding Key

By Rajiv Chandrasekaran
Washington Post Staff Writer
Thursday, September 4, 1997; Page E01
The Washington Post 

FBI Director Louis Freeh told a Senate subcommittee yesterday that
data-scrambling software sold in the United States should be required to
have a feature that would allow law enforcement agencies to decode many
scrambled messages.

Under Freeh's plan, the decoding technology would have to be built into
the software, but savvy computer users could legally deactivate the
technology, allowing them to transmit data that would be inaccessible to
authorities. Authorities, however, assume that most messages would be sent
in the crackable form.

Freeh's comments reflect a new, more forceful stance on the use of
encryption technology within the United States. His position is contrary
to statements by President Clinton and Vice President Gore earlier this
year that the Clinton administration would stay with a long-standing
policy of imposing no rules on sales of any such products in the United
States. Exports of the products are regulated, however.

A White House official said last night that "the administration has not
formally endorsed" Freeh's position. His comments, however, drew strong
criticism from the software industry, which called the proposal costly
and unworkable.

At a hearing of the Senate Judiciary subcommittee on technology, terrorism
and government information, Freeh also called for regulations that would
require online service providers to set their networks so that law
enforcement authorities could easily intercept communications.

Privacy advocates contend that the United States should have no rules
restricting encryption software. The technology is the only way people
will be able to assure confidentiality of personal information in the
electronic age, they contend.

Freeh said that legislation being considered by the Senate should "require
the manufacturers of encryption products and services -- those which will
be used in the United States or imported into the United States for use
-- include a feature which would allow for the immediate, lawful
decryption of the communications or the electronic information once that
information is found by a judge to be in furtherance of a criminal
activity or a national security matter." Freeh made his comments in
response to a question posed by Sen. Dianne Feinstein (D-Calif.).

Feinstein questioned whether Freeh's approach, which would allow the
code-breaking technology to be turned off, would amount to "a massive
loophole that everyone would take advantage of." But Freeh called his
proposal "a step forward" that would improve the odds of authorities
accessing coded messages.

Freeh told the committee he would favor requiring people who send
encrypted messages to use technology that would allow the communications
to be unscrambled, saying it "would be the best law enforcement solution."
He conceded, however, that such a rule would be impossible to enact
because of opposition from industry groups and many in Congress.

Freeh's stance prompted complaints from the software industry.

"The impact is going to be clear," said Lauren Hall, an official with the
Software Publishers Association, a Washington-based trade group. "It's
going to be very expensive, and it's going to raise the price of software.
Adding these features are not as simple as flipping a switch."

Becca Gould, the vice president for public policy at the Business Software
Alliance, another industry group in Washington, called the director's
statement "horrible."

"It's basically saying the government should have a back-door key to all
private citizens' records," Gould said.

Gould added that adding such a feature to all software that uses
encryption technology would not be feasible. "It would be awfully
complex," she said.

The software industry has long complained about the government's export
restrictions, which require firms exporting high-powered encryption
products to put aside electronic "keys" that intelligence agencies could
use to descramble data. The industry says this puts U.S. firms at a
disadvantage in competition with foreign companies that have no such
controls. Administration officials say the ability to unscramble files is
a necessary tool in the fight against terrorism and other crimes.

The subcommittee is considering a bill introduced by Sens. John F. Kerry
(D-Mass.) and John McCain (R-Ariz.) that would loosen export restrictions
on encryption software but provide incentives to have companies make the
decoding keys available to law enforcement. The administration supports
the legislation but it is opposed by much of the software industry.


