Analysis of S. 1587

EPIC Analysis of the Encrypted Communications Privacy Act

Sen. Patrick Leahy (D-VT) and several other co-sponsors have introduced the Encrypted Communications Privacy Act of 1996 (S.1587). The proposed legislation comes in the midst of an ongoing debate concerning U.S. encryption policy and at a time when the need for secure electronic communications is becoming widely recognized. The explosive growth of the Internet underscores the need for policies that encourage the development and use of robust security technologies to protect sensitive personal and commercial information in the digital environment. The Electronic Privacy Information Center (EPIC) has long advocated adoption of a national encryption policy that emphasizes the protection of personal data and encourages the widespread dissemination of privacy- enhancing technologies.

The text of the proposed legislation is available at:

http://www.epic.org/crypto/legislation/s1587.html

Analysis

The proposed Encrypted Communications Privacy Act addresses a number of unresolved issues concerning the use of encryption technology. The proposed legislation would:

Relax export controls by transferring authority for export decisions to the Secretary of Commerce, and mandate the removal of controls on "generally available" encryption software;
Create a legal framework for key escrow agents, including an obligation to disclose keys and assist law enforcement, and establish penalties for improper disclosure;
Affirm the freedom to use and sell encryption within the United States; and
Criminalize the use of encryption which may have the effect of obstructing a felony investigation.

Export Controls

The bill moves encryption policy in the right direction by placing export control authority in the Commerce Department, rather than the State Department and the National Security Agency (NSA) -- the agencies currently charged with that responsibility. However, the legislation would only remove export controls on encryption software to the extent that software with similar capabilities is "generally available," or in the "public domain or publicly available." Likewise, controls would be lifted on hardware with encryption capabilities only if "a product offering comparable security is commercially available from a foreign supplier." These limitations raise two concerns:

The Commerce Department historically has been dependent upon NSA for assessments of the worldwide availability of encryption technology. The Commerce Department recently released the results of a survey it conducted of foreign encryption products. Portions of the Department's report were classified by NSA and withheld from public disclosure (EPIC is currently seeking the release of the complete report in a lawsuit filed under the Freedom of Information Act; Electronic Privacy Information Center v. Department of Commerce, C.A. No. 95-2228 (D.D.C.)). By conditioning the relaxation of export controls on a finding that similar products are "generally available," the legislation will likely perpetuate NSA's ability to influence export determinations and to thwart public oversight of Commerce Department actions.
The "generally available" requirement will continue to hamper the development of innovative security technology by U.S. firms. Restricting exports to products comparable to those already "available from a foreign supplier" will ensure that foreign, and not domestic, firms will be on the leading edge of privacy-enhancing technology. This is necessarily a non-competitive trade policy that will continue to obstruct the development of strong encryption.

EPIC supports the efforts of the bill's sponsors to liberalize export control, but EPIC believes the bill should go further. EPIC supports the complete repeal of these out-dated barriers to the development and dissemination of software and hardware with encryption capabilities. This is a necessary step to ensure the development of a secure Global Information Infrastructure that promotes on-line commerce and preserves individual privacy.

Key Escrow Procedures

As currently drafted, the bill does little to roll back the deployment of Clipper-inspired key-escrow encryption within the federal government. Indeed, a significant portion of the legislation is devoted to establishing a legal framework for the management of key-escrow systems in the private sector.

The bill would restrict certain activities by key holders and impose criminal and civil penalties for the unauthorized disclosure of keys. Key holders could only release keys (1) with the consent of the person whose key is held; (2) as may be "necessarily incident to the holding of the key;" and (3) to law enforcement or investigative officers pursuant to federal wiretap law or the Foreign Intelligence Surveillance Act. Under the current bill, keys could be disclosed to law enforcement officials without satisfying a warrant requirement.

The legislation also establishes reporting requirements on the number of orders and extensions served on key holders to obtain access to decryption keys or decryption assistance consistent with current reporting requirements in the federal wiretap statute.

Statutory protection for the privacy of encryption keys appears to be a worthy goal. The bill's key-escrow procedures, however, must be considered in the context of the larger policy debate concerning encryption. Beginning with Clipper and continuing with the more recent "commercial key-escrow" proposal, law enforcement agencies and the national security community have lobbied aggressively for the implementation of key-escrow systems that would provide government the ability to decrypt secure data. Such proposals have also been supported by companies that have received substantial government contracts or promises of special deals on export licenses.

Users and most businesses have remained firmly opposed to the key-escrow concept. Indeed, there is virtually no installed base for key-escrow encryption, while the number of users of non-escrowed encryption is in the millions. By placing a Congressional imprimatur on the key-escrow concept, the legislation will have the effect of supporting an escrow scheme that has already been rejected by users and businesses. A statutory scheme that creates a legal framework for key-escrow is contrary to the privacy interests of network users and the security needs required for network development.

EPIC recommends that the key escrow provisions of the bill be dropped.

Freedom to Use and Sell Encryption

The proposed legislation appears to affirm an absolute right to use and sell encryption, but a close reading of the bill shows otherwise. The proposed legislation provides that it "shall be lawful for any person within ... the United States ... to use any encryption ..." and "to sell in interstate commerce any encryption ..." It then modifies that language with the words "except as provided in this Act and the amendments made in this Act or in any other law."

As described below, the bill then sets out the first criminal penalties yet proposed for the domestic use of encryption. Other similar provisions could easily be added. Since there is currently no regulation of encryption in the United States, supporters of the bill must explain what will be accomplished by this effort to establish a government regulatory scheme for the use of encryption.

EPIC believes that there is a fundamental constitutional right to use encryption and would support only an unconditional articulation of that right. The current statutory framework clearly opens the door to further regulation of privacy-enhancing technologies.

"Unlawful Use of Encryption"

The proposed legislation contains the first explicit criminal penalties for the use of encryption within the United States. It would criminalize the use of encryption to "obstruct, impede, or prevent the communication of information in furtherance of a felony ... to an investigative or law enforcement officer." This provision is unlikely to add much to the existing legal arsenal available to law enforcement agencies or prosecutors. Use of encryption in furtherance of a crime could currently be prosecuted under existing conspiracy and obstruction of justice statutes. The effect of the proposed provision could be to discourage the deployment of encryption where it is appropriate and to raise unnecessary suspicion about the use of routine security procedures. The net result could be an increased risk to public safety and network security.

EPIC recommends that this provision be struck from the bill. As currently drafted, it is far too broad to serve any useful purpose.

Conclusion

The proposed Encrypted Communications Privacy Act provides an opportunity to revise outdated encryption policies that have undermined network security, jeopardized personal privacy and frustrated public accountability. Although the current draft of the bill does not go far enough in removing antiquated controls on the export of encryption technology, the proposal recognizes the need for sweeping changes to the export regime. Removal of export restrictions on encryption technology is a pressing need and Congress should address the issue expeditiously.

Less desirable is the bill's promotion of key-escrow encryption. This is the Clipper-like scheme that should finally be laid to rest. Congressional action on key-escrow management is unnecessary and the issue certainly need not be addressed in conjunction with a relaxation of export controls. Legislation concerning key-escrow will have a detrimental effect on the development of secure network technologies and necessary privacy safeguards. EPIC will remain opposed to this provision.

EPIC commends the sponsors of the proposed legislation for moving the public debate on the relaxation of export controls forward and recognizing the need for an overhaul of an out-dated policy. We are confident that further consideration of the unnecessary and potentially dangerous provisions contained in the current version will result in a legislative approach that best serves the needs of all concerned -- users, industry and government.

EPIC Cryptography Litigation

EPIC makes frequent and effective use of the Freedom of Information Act (FOIA) to obtain the public release of government information concerning cryptography and privacy policy. The following cases are among those we are currently litigating:

EPIC v. Department of Commerce, C.A. No. 95-2228 (D.D.C.). This case seeks the full release of a survey conducted by the Department on the foreign availability of encryption software. The report was created after Congress decided not to pass legislation in 1994 that would have relaxed export controls on encryption. An "unclassified" version of the survey was released in January, but substantial portions were withheld at the behest of the National Security Agency (NSA).

EPIC v. National Security Council, C.A. 95-0461 (D.D.C.). In this lawsuit, EPIC is seeking disclosure of information concerning the Security Policy Board, which was established by classified Presidential directive in September 1994 and is charged with developing government-wide policy on information security. Based on information we have already obtained, it appears that this new structure is a formalization of the process that gave rise to the Digital Signature Standard and Clipper initiatives.

CPSR v. National Security Agency, C.A. No. 93-1074 (D.D.C.). This lawsuit seeks the disclosure of key NSA and National Security Council documents concerning the controversial Clipper Chip encryption initiative. Issues to be decided include the propriety of NSA's classification of the Clipper algorithm on national security grounds.

EPIC Cryptography Resources

The EPIC website contains key materials on cryptography policy issues, including:

These and other relevant materials are available at:

http://www.epic.org/crypto/

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, email info@epic.org, HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to epic-news@epic.org with the subject: "subscribe" (no quotes).