EPIC Testimony on Crypto Legislation




TESTIMONY OF
MARC ROTENBERG, DIRECTOR
ELECTRONIC PRIVACY INFORMATION CENTER
WASHINGTON, DC
HTTP://WWW.EPIC.ORG/
ON
THE PROMOTION OF COMMERCE ON-LINE IN THE DIGITAL ERA
ACT OF 1996, S. 1726
BEFORE THE
SENATE COMMITTEE ON COMMERCE, SCIENCE & TRANSPORTATION,
SUBCOMMITTEE ON SCIENCE, SPACE & TECHNOLOGY


JUNE 26, 1996


My name is Marc Rotenberg. I am director of the Electronic Privacy Information Center in Washington, DC. I very much appreciate the opportunity to appear before the Senate today as you consider legislation to promote the availability of strong encryption. It is also a privilege to sit at this hearing table with some of the leading cryptographers in the world.

I can say without hesitation that EPIC and the many members of the net community that we work with support your efforts to reform encryption policy. It is clear to virtually everyone in the online world that strong encryption is the cornerstone of personal privacy and on-line security in the emerging information economy.

There are three points that I will make this morning in support of the Pro-Code Legislation.

First, users of the Internet require good tools for privacy. Without good privacy and security, users of advanced networked services and consumers in the on-line world will literally take their business elsewhere. They will look to services and suppliers in other countries that will provide the necessary technology for good privacy.

Second, our current policies for encryption are destined for the history books. Current legislation, policies and codes no longer reflect market reality or modern conditions. Even if one supported these policies, which I do not, they cannot be made to work. The recent report of the National Research Council makes clear that there is a crisis in our current policy. These problems will escalate if Congress fails to act.

Third, EPIC's litigation under the Freedom of Information Act has shown that the White House will pursue every opportunity to establish key escrow encryption that will enable the interception of private communications. It will use export regulation, industry coercion, taxpayer dollars, international organizations, and even threatened prosecution to attempt to impose a standard for encryption that is widely opposed by the user community and the public at large. It is not enough to simply oppose legal schemes that could mandate key escrow. The Congress must make clear to the Administration, as the National Research Council has already suggested, that there should be no promotion of key escrow encryption in the private sector unless and until the government can demonstrate that this particular encryption technique can be made to work.

EPIC AND ENCRYPTION

The promotion of good encryption has always been a central mission of the Electronic Privacy Information Center. EPIC began in early 1994 with a campaign on the Internet to oppose the White House's Clipper encryption scheme. That plan was a dangerous and inappropriate attempt to control a technology vital to the development of the Internet. We wrote in a letter to the President that the Clipper proposal should not be adopted.

We believe that if this proposal goes forward, even on a voluntary basis, privacy protection will be diminished, innovation will be slowed, accountability will be lessened, and the openness necessary to ensure the successful development of the nation's communications infrastructure will be threatened.

The letter was signed by a number of famous cryptographers, including several of the people at this hearing table. Soon the letter became a petition. And then researchers, students, and company CEOs put their names to the statement. In all, more than 47,000 people on the Internet said "I oppose Clipper" and supported our effort to send a clear message to the White House that it was not for the government to prevent citizens from using good tools for privacy protection.

The Clipper campaign was probably the most successful petition drive ever organized on the Internet. Shortly after it was delivered to the White House, the Administration indicated that it was rethinking its proposals for the escrowed encryption standard. It gave up its original plan for the government to hold keys. But predictions that Clipper was dead proved to be premature. Within months the White House was promoting a new plan based on so-called voluntary escrow systems.

While I am proud of our work to bring to light the problems with the Clipper plan, I have no illusion that this battle is over. The government has continued to press for various forms of encryption designed to promote interception of private communications. Most recently, Attorney General Janet Reno suggested at a speech to the Commonwealth Club in San Francisco that key escrow encryption would be necessary to protect public safety. And, so once again, the White House is pushing forward with an effort to limit encryption techniques that are necessary to protect privacy and security, and will certainly reduce the level of criminal activity in the on-line world.

I should say a word also about our efforts to obtain information about the development of encryption policies. We have pursued Freedom of Information Act litigation to obtain documents from the federal agencies concerning encryption. Thanks to the efforts of EPIC's Legal Counsel David Sobel, who is today chairing a session on the Internet and Civil Liberties at the Internet Society's conference in Montreal, we have obtained previously classified documents from the White House, the National Security Council, the Department of Commerce, that raise serious questions about the true intent of the Administration's encryption policy.

I will come back to some of the key discoveries in just a moment.

EPIC has also organized important meetings on encryption matters. EPIC's Policy Analyst Dave Banisar, who is today attending the meeting of the OECD Expert Panel in Paris, has organized the leading cryptography policy roundtable in Washington for the last six years. It was at our roundtable this year that Senator Burns described efforts to pass the Pro-Code legislation and Jim Bidzos, CEO of RSA Data Security, first displayed chips manufactured in Japan with Triple DES and 1,024 bit RSA.

I am also pleased to note that both David Sobel in Montreal and Dave Banisar in Paris have made arrangements for this hearing to be received over the Internet by the cybercast transmission at those two locations. That we are able to do this underscores the fact that we are truly operating in a global environment.

Through these various activities, it has been EPIC's goal to promote a more informed, more public debate about encryption policy. We recognize that there are many strongly held views on this issue, and that there is great complexity. We believe that the best policies will result from an open, informed discussion. For this reason we particularly appreciate these hearings on the Pro-Code legislation.

I. THE USER COMMUNITY AND ENCRYPTION

A few years ago, only a small number of people knew about encryption. Today, virtually everyone who is familiar with the Internet recognizes that encryption is critical to the growth of the on-line economy, and the protection of privacy and security. Encryption is not just good for business and the economy. It is necessary for the growth of the Internet and the safety of consumers in the twenty-first century. Encryption is a tool of privacy.

It is critical that users be able to choose from a wide range of good tools that are designed for privacy and security. Efforts to limit the availability of good encryption are naturally viewed with suspicion. The Administration's Clipper Chip initiative was the least popular technical proposal to come out of the federal government in my life-time. One White House aide called Clipper the "Bosnia of communications policy." Perhaps that was an understatement. At every opportunity that the user community had an opportunity to express its opinion on this proposal, it said no. Users did not simply object to the proposal that the government will hold the keys, they objected to a technology that was clearly intended to promote government surveillance of private communication.

Let me be very clear about this point. To the best of my knowledge, there is virtually no support for key escrow in the user community. There is virtually no support for key escrow among our trading partners in North America, Europe or East Asia. There is virtually no support for key escrow among any person using the Internet today who values privacy. And if the Clipper campaign proves anything it is that users of the Internet value privacy.

II. THE WORLD IS CHANGING

Our current export control policies were developed in an era when encryption was largely the province of spies and soldiers. The policies of our government, which emphasized secrecy and control, were appropriate in their day. But the world has changed. Today encryption is stitched into commercial software like rivets hold together cars and planes. It protects not only the confidentiality of communications, but also authentication and verification. Encryption can even provide techniques for anonymous transactions that will promote commerce and protect privacy.

The electronic communications infrastructure is clearly no longer the exclusive domain of governments. Today's network carries not only diplomatic communiques and military plans as in an earlier day -- it is the conduit for global electronic commerce, private correspondence and the most sensitive bits of personal information, including medical and financial records. The average citizen now has a vested interest in the absolute security and privacy of the electronic data that traverses the network. As this committee recognizes, it is encryption technology that provides that security and privacy.

We also know that government proposals are invariably flawed. This is not surprising. The government is prepared to sacrifice the workings of the marketplace and consumer demand for its own best guess about what will work. Even if we agreed with the government's goal, there is little reason to believe that the Administration's encryption strategy would succeed. Security technology is no longer the monopoly of the U.S. government -- if, in fact, it ever was. The technological know-how is now global, and if the U.S. computer industry is not permitted to deliver these crucial products to the marketplace, other providers will quickly fill the void.

In such a world, the best policies are those that seek to adapt to changing circumstance. It would be foolhardy for our government not to anticipate that strong, unbreakable encryption will be widely available on the Internet. And it would be equally wrong to prevent American citizens and American businesses from making use of the best tools available to protect their sensitive information from potential criminal threats.

We are therefore in a period of transition when law must be updated to reflect new realities. Reforming the export control regime so that it reflects the need for good encryption in commercial products and to protect personal privacy is a sensible first step. Further delay is likely only to increase the risks to users and businesses.

III. THE ADMINISTRATION'S COMMITMENT TO CLIPPER

We therefore believe it is essential to oppose any form of key escrow that is promoted by the government rather than demanded by the users. The White House will use every opportunity to force the adoption of breakable encryption -- government spending, intimidation of developers and outdated export controls. It will even threaten prosecution of a former peace activist for arms dealing if it believes it can slow the use of good tools of privacy.

It is critical to understand that the White House continues to believe that encryption should only be available if it can easily be broken. There have been several proposals all based on this same premise. Each has a new name. The White House will promote "Voluntary Key Escrow." They will endorse "Commercial Key Escrow." They will support "Escrow Encryption Standard." And they will back a new plan for "Key Management Infrastructure." Call it what you will, it is still Clipper.

As I have mentioned, EPIC has made extensive use of the Freedom of Information Act to seek the disclosure of previously classified documents concerning encryption policy. FBI documents we obtained last year show that key federal agencies concluded more than three years ago that the Clipper Chip key-escrow initiative will only succeed if alternative security techniques are outlawed and key-escrow is made mandatory.

The conclusions contained in the documents appear to conflict with frequent Administration claims that use of Clipper technology will remain "voluntary." Critics of the government's initiative, including EPIC, have long maintained that the Clipper key-escrow technique would only serve its stated purpose if made mandatory. According to the FBI documents, that view is shared by the Bureau, the National Security Agency (NSA) and the Department of Justice (DOJ).

In a briefing document titled "Encryption: The Threat, Applications and Potential Solutions," and sent to the National Security Council in February 1993, the FBI, NSA and DOJ concluded that:

Technical solutions, such as they are, will only work if they are incorporated into all encryption products. To ensure that this occurs, legislation mandating the use of Government-approved encryption products or adherence to Government encryption criteria is required.

Likewise, an undated FBI report titled "Impact of Emerging Telecommunications Technologies on Law Enforcement" observes that "[a]lthough the export of encryption products by the United States is controlled, domestic use is not regulated." The report concludes that "a national policy embodied in legislation is needed." Such a policy, according to the FBI, must ensure "real-time decryption by law enforcement" and "prohibit[] cryptography that cannot meet the Government standard."

The FBI conclusions stand in stark contrast to public assurances that the government does not intend to prohibit the use of non-escrowed encryption. Testifying before a Senate Judiciary Subcommittee on May 3, 1994, Assistant Attorney General Jo Ann Harris asserted that:

As the Administration has made clear on a number of occasions, the key-escrow encryption initiative is a voluntary one; we have absolutely no intention of mandating private use of a particular kind of cryptography, nor of criminalizing the private use of certain kinds of cryptography.

These documents demonstrate that the architects of the Clipper program -- the NSA and the FBI -- have always recognized that key-escrow must eventually be mandated. As privacy advocates and industry representatives have always said, Clipper does nothing for law enforcement unless the alternatives are outlawed. For that reason, Mr. Chairman, we are particularly pleased with that provision of the PRO-Code legislation that would prohibit any mandatory key-escrow procedure.

There is no question that law enforcement has legitimate concerns. There will be lawful criminal investigations frustrated because some data was encrypted. But, as the distinguished National Research Council panel found, the widespread availability of strong encryption will also prevent crime.

It is also important to understand that in our constitutional form of government, obtaining private information on citizens is supposed to be difficult. Nowhere in our Constitution is it stated that the federal government has the right to tap our phones or decode our private conversations. But it is clear that the framers intended to prevent the type of open-ended search authority that underlies the current push for wiretap-friendly networks and a key-escrow infrastructure.

PRO-CODE LEGISLATION

The Pro-Code legislation moves us all in the right direction. It creates opportunities for business. It promotes good tools for Internet users. It puts in place the techniques necessary for good privacy and security that will protect public safety and reduce the risk of criminal attack. The legislation is a necessary step to ensure the development of a Global Information Infrastructure that promotes on-line commerce and preserves individual privacy.

EPIC welcomes the opportunity to work with the Committee and the sponsors of the legislation to ensure that this bill accomplishes the goal of ensuring good privacy and security in the on-line world. I can also assure you that the Internet community is very grateful for your efforts.

I thank you again for the opportunity to testify today. I would be pleased to answer your questions.


Marc Rotenberg is director of the Electronic Privacy Information Center in Washington, DC (www.epic.org) and a faculty member at the Georgetown University Law Center, where he has taught the Law of Information Privacy since 1991. Mr. Rotenberg is a member of the OECD Expert Panel on Cryptography Policy and the Federal Networking Council Advisory Committee. He is secretary of Privacy International (www.privacy.org/pi) and coordinator of the Internet Privacy Coalition (www.privacy.org/ipc/), which launched the Golden Key Campaign to raise public awareness of the need for strong privacy and security on the Internet.

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, email info@epic.org, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

Privacy International (http://www.privacy.org/pi/) was formed in 1990 as a watchdog on surveillance by governments and corporations. With members in more than 40 countries, it has created an international movement that has helped to counter abuses of privacy by way of information technology. Privacy International has conducted campaigns in Europe, Asia and North America to raise awareness about the dangers of ID card systems, military surveillance, data matching, police information systems, and credit reporting. It is based in London, UK, and is administered by the Electronic Privacy Information Center (EPIC) in Washington, D.C. Privacy International publishes a quarterly newsletter (the International Privacy Bulletin) and organizes conferences each year on privacy and technology.

The mission of the Internet Privacy Coalition (http://www.privacy.org/ipc) is to promote privacy and security on the Internet through widespread public availability of strong encryption and the relaxation of export controls on cryptography. The Coalition includes more than forty organizations, businesses, and associations. The founding members of the Coalition include Ross Anderson, Steven Bellovin, Matt Blaze, George Davida, Whitfield Diffie, Taher Elgamal, Carl Ellison, John Gilmore, Phil Karn, Bruce Koball, William Hugh Murray, Ron Rivest, Allan Schiffman, Jeff Schiller, Bruce Schneier, Michael Wiener, and Philip Zimmermann.

- - - - [FOIA Documents attached] - - - -