Found at: gopher.meulie.net:70/EFFector/effect10.10

    ________________          _______________        _______________
   /_______________/\        /_______________\      /\______________\
   \\\\\\\\\\\\\\\\\/        |||||||||||||||||     / ////////////////
    \\\\\________/\          |||||________\       / /////______\
     \\\\\\\\\\\\\/____      ||||||||||||||      / /////////////
      \\\\\___________/\     |||||              / ////
       \\\\\\\\\\\\\\\\/     |||||              \////   e  c  t  o  r
EFFector        Vol. 10, No. 10        Oct. 10, 1997       editor@eff.org
A Publication of the Electronic Frontier Foundation        ISSN 1062-9424

Decoding the Encryption Debate
 Background Briefing
 What's Happening Globally
 Encryption Bills Considered By This Congress
 Encryption Cases Decided in the Courts
 What You Can Do
Quote of the Day

 * See http://www.eff.org/hot.html for more information
   on current EFF activities and online activism alerts! *

Subject: Decoding the Encryption Debate

 Background Briefing
 What's Happening Globally 
 Encryption Bills Considered By This Congress
 Encryption Cases Decided in the Courts
 What You Can Do

* Background Briefing

Encryption is the science of secret codes and ciphers.  Through the use of
encryption, we can scramble digital signals so that only intended parties
can read them.  This is important to privacy, network security and free
encrypting their personal messages and files.  System operators can
card information.  And mathematicians and researchers can exercise their
free speech rights by sharing encryption equations and codes with one
another as part of a scientific exchange. 

Encryption is also critical to electronic commerce for two reasons. 
from illegal intruders through encryption.  Identification verification, a

The strength of encryption, and therefore its ability to protect
information, is determined by the size of the mathematical key that is
used to scramble the message.  A large key results in strong, unbreakable
encryption.  A small key leads to weak, easily-compromised encryption. 

The NSA and FBI are scared of public use of encryption.  "Bad guys" might
use encryption to thwart legitimate government attempts to do
investigative wiretaps. The NSA and FBI have relied on the export control
laws, which are designed to protect national security, to restrict the
national security issues usually cannot be challenged in court.

These law enforcement agencies, in conjunction with the Clinton
Administration, want to be able to access the "plaintext" (i.e.,
unencrypted version) of messages at any time.  In order to accomplish
this, the government has limited the key size of encryption to be exported
to that which the NSA could crack.  But the government is not satisfied. 
Over the past several years, the Clinton Administration has floated
of messages, including the Clipper Chip proposal (which would have
that made encrypted messages vulnerable) and the current key escrow
encryption key with some entity who would give it to law enforcement
officers when requested). Other, even more dangerous, propositions have
been floated this year, including what appears to be a requirement that
all encryption products have a "back door" for instantaneous decryption by
law enforcement or intelligence agents. 

The United States has vested the regulation of nonmilitary encryption
all decisions regarding the exportability of particular encryption
Administration political interests. Strong encryption cannot be exported
unless the encryption can be decoded by the National Security Agency. 
There are no limitations on the use, production, or sale of encryption
encryption into the United States. 

There has been much activity in Congress and in the courts over the past
year relating to encryption, as well as crypto-regulation debate at the
international level.

* What's Happening Globally

Since the introduction of the Clipper (a.k.a. Skipjack) key escrow
to adopt similar, compatible systems, and even the US systems themselves. 
Despite some initial "crypto-panic" such as that leading to what are
effectively bans on encryption in France and Russia, and the introduction
by a few policy-makers of plans for so-called "Trusted Third Party" (TTP)
key escrow systems, most of the rest of the world seems to be leaning away
from such criminalization and regulation of encryption. 

Europe-wide laws on encryption. This report, despite years of US attempts
to push the "government access to keys" idea overseas, finds key escrow
encouraging the adoption of leaner, freer laws, and even for the EC to
override member states' rules if they are over-regulatory.  While the
Commission was mostly considering issues of trade and economy, this is
Administration hopes for broad foreign support of repressive US
anti-encryption measures. The EC report is available online
( http://www.ispo.cec.be/eif/policy/97503.html ), 
as is a short summary of it:
( http://europa.eu.int/rapid/cgi/rapcgi.ksh?p_action.gettxt=gt&doc=IP/97/862|0|RAPID&lg=EN ).

However, many other jurisdictions than the US have outdated and harmful
agencies around the world are likely to continue to press for laws and

* Encryption Bills Considered By This Congress

This year, both the United States House of Representatives and Senate
considered encryption legislation.  EFF believes that all of the bills
introduced are flawed.


The most talked-about bill introduced this Congress, the Security and
Freedom through Encryption (SAFE) bill, H.R. 695 
( http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.695: ), was sponsored by
Representatives Goodlatte and Eshoo and gathered over 250 co-sponsors. 
SAFE was unanimously approved by the House Judiciary Committee on May 14,
Committee by a voice vote, rejecting an amendment offered by Committee
Chairman Ben Gilman 
( http://www.cdt.org/crypto/legis_105/SAFE/970722_amd_Gilman.html )  that
very excuses now being used to justify export controls against encryption
in the first place.

On September 9, 1997, the House National Security Committee added an
amendment from Reps. Dave Weldon and Ronald Dellums 
( http://www.cdt.org/crypto/legis_105/SAFE/970909_amd.html ) that
approved the amended bill.  This version would increase export controls by
approvals.  The amendment was so poorly and short-sightedly written it
branches of US companies. 

On September 11, 1997, the House Permanent Select Committee on
bill again, even further away from the bill's purpose, and passed it
( http://www.cdt.org/crypto/fbi_draft_text.html ).  This version imposes
encryption, to ensure that police and spy agencies have "immediate
of encryption or encrypting network service give law enforcement this
access without the knowledge of the party being spied upon.

On September 24, 1997, the House Commerce Committee added an amendment
that yet again changed the bill by calling for the creation of a National
Electronic Technologies Center that would assist law enforcement in
enforcement agencies in coping with encryption encountered in the course
of investigations.  The amendment, by Reps. Markey and White,
( http://www.cdt.org/crypto/legis_105/SAFE/Markey_White.html )
also would direct the National Telecommunications and Information
Administration (NTIA) to conduct a study of the implications of mandatory
key recovery, and the amendment increases the criminal penalties under
SAFE for the use of encryption in the furtherance of a federal felony. 
This amendment was passed over an even more sinister one calling for
"immediate access" by police to any encrypted message or other data, and
encryption. The amendment represented an incredibly bold move by the FBI,
Committee amendment - it essentially attempted to illegalize real
encryption, since the only way to provide "immediate access"  is to either
can be instantly cracked by police - or anyone else.  This, fortunately
( http://www.cdt.org/crypto/legis_105/SAFE/Oxley_Manton.html )

These disparate versions of the bill - none of them good - must now be
version can be voted on the House floor.  Late in Sept., Rules Committee
leadership declared allegiance to the law enforcement and intelligence
agencies' position, and vowed to kill SAFE if it did not grant government
the powers it demanded. 

or all of the police "wish list" intact if they cannot be convinced to
kill the bill entirely. Such an "unSAFE" bill could pass the House.  Even
if it fails, the McCain-Kerrey bill (see below) may pass the Senate and
enter the House for consideration.  Neither eventuality is probable, but
vigilance is necessary.

EFF believes that there are serious civil liberties problems with *all*
versions of SAFE.  First, SAFE creates a new crime (which calls for five
years imprisonment for a first offense and ten years for subsequent
offenses, on top of any other criminal penalties) for using encryption in
furtherance of any criminal offense.

This short-sighted proposal would make anyone convicted of any crime, even
a minor one, subject to life-wrecking prosecution and imprisonment simply
because they did what we will all soon be doing - using an encrypting
like making it an extra crime to speak English or to wear shoes during the
commission of a crime. Legislators hoped this farcical "crypto-in-a-crime" 
Louis Freeh has made it clear that investigative agencies want export and
import controls, access to everyone's messages without a warrant and

The problems with SAFE do not stop with "crypto-in-a-crime".  SAFE gives
law enforcement officers the authority to gain access to encrypted
information without notification to the owners of the information.  And it
mass-marketed or is not in the public domain. 

Amended versions of SAFE are even worse.  They would put new restrictions
on the *domestic* use of encryption (requirements that go beyond the
current limitations on the export of encryption), and/or even more severe

EFF believes that all limitations on encryption are in violation of the
First Amendment, and domestic restrictions are an extreme power grab by
law enforcement at a time when most citizens do not fully understand the
implications of this action.

EFF is working to ensure that the SAFE bill is killed before it reaches
the House floor for a vote. 

YOU CAN HELP. Please see the "What You Can Do" section, below.

- Secure Public Networks Act

The misnamed Secure Public Networks (SPN) bill, S. 909
( http://thomas.loc.gov/cgi-bin/query/z?c105:S.909: ), is the Clinton
Administration's bill.  It was sponsored by Senators McCain and Kerrey. 
This bill is an anti-privacy measure, in that it would require
third-parties holding decryption keys to surrender them in response to a
mere subpoena, issued without judicial approval and without notice to the
encryption user. 

While its sponsors claim that it would not make key recovery mandatory,
SPN would require the use of key recovery systems in order to obtain the
"public key certificates" needed to participate in electronic commerce and
funds -- including the Internet II project and most university networks. 
key recovery (not all of them bad from a privacy standpoint.) 

because of some of the things that it does *not* specify.  SPN directs the
for international government access to keys, but provides no limitations
on the President's power.  Even more disturbing, SPN gives the President
the authority to disregard any or all of the provisions of the bill on the
basis of a Presidential Executive Order - yet another way for "national
also grants the Commerce Department sweeping new enforcement powers.  The
bill was referred to the Senate Commerce Committee, and may also be taken
up by the Constitution Subcommittee of the Senate Committee on the
Judiciary.  Some form of the SPN stands a fair chance of passing the
Senate (to be taken up and passed, possibly with amendments, or rejected
by the House). 

- Pro-CODE

The Promotion of Commerce Online in the Digital Era (Pro-CODE) bill, S.
by Senator Burns on February 27, 1997.  Pro-CODE was considered one of the
"better" encryption bills, in fact, the best bill introduced in the
Senate, but it still contained civil liberties concerns.  Pro-CODE
that nothing in the bill could be construed to affect any law intended to
offered by Burns, when it came for a vote in the Senate Commerce
committee, March 19, 1997.


The Encrypted Communications Privacy Act (ECPA II, ECPA I being the
Electronic Communications Privacy Act of 1986), S. 376 
( http://thomas.loc.gov/cgi-bin/query/z?c105:S.376: ), was introduced by
Senator Leahy on February 27, 1997.  ECPA II would prohibit mandatory use
of key recovery but would permit law enforcement to obtain keys if
obstruct justice, while offering partial deregulation of encryption export
The bill was referred to the Senate Judiciary Committee, which held
influence the SPN legislation in the form of attempts at compromise.

- Computer Security Enhancement Act

The Computer Security Enhancement Act of 1997, H.R. 1903, 
( http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.1903: ) was introduced by
Representative Sensenbrenner on June 17, 1997.  It would amend and update
the National Institute of Standards and Technology Act to: (1) upon
interoperable standards, guidelines, and associated methods and techniques
to facilitate and expedite the establishment of non-Federal public key
management infrastructures that can be used to communicate with and
conduct transactions with the Federal Government; and (2) provide
assistance to Federal agencies in the protection of computer networks, and
coordinate Federal response efforts related to unauthorized access to
Federal computer systems.  The bill also would authorize NIST to perform
evaluation and tests of: (1) information technologies to assess security
vulnerabilities; and (2)  commercially available security products for
their suitability for use by Federal agencies for protecting sensitive
information in computer systems. This bill was passed by the House on
September 16, 1997, and was referred to the Senate Committee on Commerce,

- Communications Privacy and Consumer Empowerment Act

The Communications Privacy and Consumer Empowerment Act, H.R. 1964 
( ftp://ftp.loc.gov/pub/thomas/c105/h1964.ih.txt ), was introduced by
Representative Markey on June 19, 1997.  This bill would codify existing
criteria for encryption licensing.  The bill was referred to the House
Committee on Commerce. Passage is considered unlikely. 

* Encryption Cases Decided in the Courts

There have been three important challenges to the export controls on
encryption in the courts.  While decisions in these cases would only
affect currently existing laws, findings that the current export control
laws are unconstitutional would put Congress on notice that any
limitations it planned to make on domestic controls would be equally
illegal.  Two of the cases, Junger vs. U.S. Department of Commerce and
Karn v. U.S. Department of State, are going through procedural hurdles at
the trial level.  The third case, Bernstein v. U.S. Department of State,
is extremely important in that the trial court has found that the export
control laws on encryption are an unconstitutional prior restraint on

- Bernstein v. U.S. Department of State, et al.

( http://www.eff.org/pub/Privacy/ITAR_export/Bernstein_case/Legal/ ) 

Daniel J. Bernstein was a Ph.D. student in Mathematics at the University
of California at Berkeley.  He wrote an encryption program, along with a
for discussion and scrutiny by other cryptographers.  After asking the
State Department, Mr. Bernstein was informed that he would need a *license
to be an arms dealer* before he could post his encryption algorithm and
cryptography") Usenet newsgroup, and that if he applied for a license his
EFF-sponsored case, Mr. Bernstein sued several government agencies,
including the Commerce Department, which now oversees exportation of
non-military encryption products, claiming that the export control laws
act as a prior restraint on his constitutionally protected speech and are
too overbroad to serve their purpose of protecting national security. 
This case was filed in the federal district court for the Northern
District of California and was heard by Judge Marilyn Hall Patel. 

Court's Rulings:

Judge Patel has made several rulings in this case.  The first ruling
(Bernstein I, 922 F. Supp. 1426 (N.D. Cal. 1996)) was on April 15, 1996,
and was in response to the government's motion to dismiss the case for
lack of jurisdiction.  The court held that source code was speech
in the case.

The second ruling (Bernstein II, 945 F. Supp. 1279 (N.D. Cal. 1996)) was
on December 6, 1996, and was in response to Bernstein's motion for an
injunction so he could post materials to a Web site for the students in
laws on encryption promulgated by the State Department were an
unconstitutional prior restraint on speech and that Bernstein could

The final ruling (Bernstein III) was on August 25, 1997, and held that the
Department regulations.  The court granted an injunction to Professor
Bernstein, forbidding the government from prosecuting him for exporting
Snuffle, the encryption program he wrote, or any other encryption
injunction against the enforcement of any encryption restrictions against
anyone.  However, the court declined to do this, stating that it expected
an appeal and wanted the most narrow holding it could devise. 

The court also held that allowing printed source code to be exported
undermined the government's claim that this export control scheme protects
any national security interest.  The court thought that distinguishing
ACLU (_U.S._ (1997)), which held that Internet speech deserves the same

Current Status:

The government was granted an emergency stay from the 9th Circuit Court of
Appeals, prohibiting Bernstein and others from publishing any secure
encryption until after it has heard the government's appeal.  The court

* What You Can Do

[Consider this alert expired as of Oct. 18, 1997.]

Non-US: Available action will vary considerably on what anti-encryption
urge your law-makers to relax any existing restriction on encryption, and
to oppose new propositions for anti-encryption laws, perhaps basing your
argument on the fact that encryption *reduces* crime and *bolsters* your
country's national security and electronic commerce. 

US: As above, but with some targeted specifics.  Please take a few minutes
to contact key Congresspeople.  Yes, it does cost a little bit to call or
fax them.  By most wages, the time spent reading an average newsgroup for
fun or watching a sitcom on tv is worth more than it costs to make the
important calls.  Eating out at a fast food restaurant costs more than

The most important members to contact are marked "+". Please call and/or
fax AT LEAST these members, plus your own Representative.  If you are
truly concerned and can spare the time and dimes please call/fax the whole

Unfortunately, most members of Congress are not yet truly up to speed on
email.  Capitol Hill staffers say that most email really isn't taken very
not a substitute for a phone call or fax. 

WHEN TO CALL:  Voice phone calls are best attempted during East Coast
business hours, Fri., Oct. 10, and the working week of Oct. 13-17.  No
committee action is scheduled for the SAFE bill during this week - it's a
lull in the action that can be used to our advantage. 

WHAT TO SAY:  Ask for the legislator's staffer who handles encryption and
technology issues.  Use the speaking points provided below to tell this
firm, and brief.  This is not a time to panic or to bring out the
vitriolic invective! 

WHAT TO FAX:  Address the fax to the legislator's name. It will be passed
to the apropos staffer.  You can be somewhat longer in a fax, but it
opinion, not give a dissertation.  The "Background"  section of this
alert/update should give you enough things to say if you want to back up
your opinion with some liberty and/or commerce reasoning.  Again, please
make all of the points in the speaking points below. 


Americans' privacy.
crypto-related crimes and import restrictions - these two are a threat to
everyone's privacy. 
via the Net.  (this may make a good lead-in comment, and it is good to

When communicating with your own Representative:

- Contact House Leadership

 +Newt Gingrich (R-GA), Speaker of the House,  p: 202-225-4501  f: 202-225-4656
 +Dick Armey (R-TX),  Majority Leader,         p: 202-225-7772  f: 202-225-7614
 +Dick Gephardt (D-MO), Minority Leader,       p: 202-225-2671  f: 202-225-7452
  Tom DeLay (R-TX), Majority Whip              p: 202-225-5951  f: 202-225-5241
  David Bonior (D-MI), Minority Whip           p: 202-225-2106  f: 202-226-1169
  John Boehner (R-OH), Rep. Conference Chair,  p: 202-225-6205  f: 202-225-0704
  Vic Fazio (D-CA), Dem. Caucus Chair,         p: 202-225-5716  f: 202-225-5141

+ = the most important to contact - call/fax them first.

The duties of these leaders include coordinating party-wide policy

- Contact the members of the House Rules Committee

 +Gerald Solomon (R-NY), Chair,                p: 202-225-5614  f: 202-225-6234
 +John Moakley  (D-MA), Ranking Minority Mem., p: 202-225-8273  f: 202-225-3984
  David Dreier (R-CA),                         p: 202-225-2305  f: 202-225-7018
  Martin Frost (D-TX),                         p: 202-225-3605  f: 202-225-4951
  Porter Goss (R-FL),                          p: 202-225-2536  f: 202-225-6820
  John Linder (R-GA),                          p: 202-225-4272  f: 202-225-4696
  Louise Slaughter (D-NY),                     p: 202-225-3615  f: 202-225-7822
  Deborah Pryce (R-OH),                        p: 202-225-2015  f: 202-226-0986
  Lincoln Diaz-Balart (R-FL),                  p: 202-225-4211  f: 202-225-8576
  Scott McInnis (R-CO),                        p: 202-225-4761  f: 202-226-0622
  Doc Hastings (R-WA),                         p: 202-225-5816  f: 202-225-3252
  Sue Myrick (R-NC),                           p: 202-225-1976  f: 202-225-3389
  Tony P. Hall (D-OH)                          p: 202-225-6465  f: 202-225-9272

+ = the most important to contact - call/fax them first.

House Rules is the next and last committee to examine SAFE. The Rules
Committee will either kill the bill, or pass a "compromise" version that

- Contact your own Representative

not know who your representative is, there is an easy way to find out: 

can instantly look it up via the USPS's address-to-ZIP+4 database search: 
( http://www.usps.gov/ncsc/lookups/lookup_zip+4.html ).  
Enter "Delivery Address", "City", and "State", then select "Process

( http://www.house.gov/writerep )

( http://www.capweb.net/housealpha.html )

"Adopt-Your-Legislator"  service:  
( http://www.crypto.com/adopt ).  
You can also look up legislators by ZIP code, but not with the accuracy of
the ZIP+4 search, above.


Subject: Quote of the Day

"The conservation movement is a breeding ground of Communists and other
every bird watcher in the country."
  - John Mitchell, US Attorney General, (1969-72)

Find yourself wondering if your privacy and freedom of speech are safe 
the rush to make us secure from ourselves that our government 
Concerned that legislative efforts nominally to "protect children" will 
actually censor all communications down to only content suitable for 
the playground?  Alarmed by commercial and religious organizations abusing
the judicial and legislative processes to stifle satire, dissent and 

Join EFF!   

You *know* privacy, freedom of speech and ability to make your voice heard
in government are important. You have probably participated in our online
campaigns and forums.  Have you become a member of EFF yet?  The best way
to protect your online rights is to be fully informed and to make your
opinions heard.  EFF members are informed and are making a difference.
Join EFF today!



EFFector is published by:

The Electronic Frontier Foundation
San Francisco CA 94103 USA
+1 415 436 9333 (voice)
+1 415 436 9993 (fax)
Membership & donations: membership@eff.org
Legal services: ssteele@eff.org
General EFF, legal, policy or online resources queries: ask@eff.org

Editor: Stanton McCandlish, Program Director/Webmaster (mech@eff.org)

This newsletter is printed on 100% recycled electrons.

Reproduction of this publication in electronic media is encouraged.  Signed
articles do not necessarily represent the views of EFF.  To reproduce
ually at will.

To subscribe to EFFector via email, send message body of "subscribe
effector-online" (without the "quotes") to listserv@eff.org, which will add
you to a subscription list for EFFector. To unsubscribe send a similar
message like so: "unsubscribe effector-online". Please tell ask@eff.org to
manually remove you from the list if this does not work (e.g. if you get
mail at a different address, such as pop.domain.com, than the one you are

Back issues are available at:
ftp.eff.org, /pub/EFF/Newsletters/EFFector/

To get the latest issue, send any message to effector-reflector@eff.org (or
er@eff.org), and it will be mailed to you automagically.  You can also get
the file "current" from the EFFector directory at the above sites at any 
time for a copy of the current issue.  


End of EFFector Online v10 #10 Digest