September 23, 1999

As part of its package of encryption policy reforms announced on September 16, the Clinton Administration is transmitting to Congress draft legislation entitled the Cyberspace Electronic Security Act ("CESA"). The proposal raises important issues concerning the application of Fourth Amendment search and seizure standards to the digital age. However, critical details of the draft are ambiguous or objectionable:

• The standard proposed by the Administration for government access to decryption keys falls far short of Fourth Amendment privacy protections.
• A provision for foreign governments to access passwords and keys of US citizens or foreigners using US recovery agents raises a host of questions.
• Another provision allowing courts to cast a cloak of secrecy over government decryption methods and product vulnerabilities raises due process concerns, implicating the Sixth Amendment right of defendants to cross-examine government witnesses.
• Finally, by narrowly focusing only on access to keys and passwords, the legislation fails to address the much larger question of privacy for documents and information stored in the emerging networked environment.

The proposal does not include the highly objectionable secret search provision previously circulated within the Administration.

This is our initial analysis of the proposed access provisions. We conclude that CESA does not set adequate privacy standards. The difficult issues it raises require hearings and deliberate consideration. The basic laws governing privacy in cyberspace have not been updated since 1986 -- well before the full emergence of the Internet. Last year, CDT convened a consultation with civil liberties groups, industry, and government officials to begin exploring privacy standards for decryption keys and networked information. CDT will be working to learn more about CESA and to promote through the Digital Privacy and Security Working Group a dialogue among policymakers and all interested parties aimed at developing a consensus on better privacy protections.

CESA has four primary components, which would --

• prohibit "recovery agents" (those who hold keys, passwords or other decryption information for others under a confidentiality arrangement) from disclosing recovery information without a court order;

• establish standards for courts to issue orders for government access to escrowed keys or passwords;

• authorize courts to issue protective orders to block disclosure of trade secrets and government information about decryption techniques;

• authorize funds for the FBI Tech Center, to assist the FBI in building up a decryption capability.

CESA would establish a statutory standard for law enforcement access to decryption information held by third parties: courts would issue orders compelling disclosure of decryption information --

The draft also would prohibit immediate notice to the person whose decryption information is being given to the government.

This standard falls far short of the standard in the Constitution for government access to keys held by encryption users -- probable cause to believe that a crime is being committed and notice at the time of the seizure. The CESA standard is not found in any other statute. It was apparently created solely for CESA. The section by section analysis of the Justice Department does not cite any judicial precedent for it. It requires a magistrate or trial court judge, based on the unchallenged presentation of the government, to determine whether there is a "constitutionally" protected privacy interest in certain plaintext. This means that any statutory privacy interest in the plaintext is irrelevant.

Technological starting points: (1) A major technological trend today is the movement of information out of people's homes and onto networks. While most computerized information used to be stored locally on disks and hard-drives, the Internet offers considerable incentives to store information on networks, so that it can be accessed remotely from any location. (2) Communications that travel over networks and information stored on networks are technologically vulnerable unless protected by encryption. (3) For some applications, particularly those involving stored data, encryption users will place their keys or other decryption information in the hands of third parties so they can recover their encrypted data if they lose or forget their key (or password).

Legal starting point: These technological trends give rise to difficult questions under the Fourth Amendment. Information stored on a computer in your home or office is entitled to full Fourth Amendment protection: in order to seize it, the government needs a warrant issued by a judge on a finding of probable cause served on you at the time of the search. But if you store information with a third party, do you retain a Fourth Amendment protection in it? The courts have held in a number of situations that if you give information to a third party, you lose constitutional privacy rights in it. Therefore, people have absolutely no constitutionally protected privacy interest in their bank records in the hands of banks; their medical records in the hands of HMOs, pharmacies and insurance companies; their book store purchases; their credit card records, etc.

With the rise of networking, this problem is exacerbated. Do people have a constitutionally protected privacy interest in their calendars stored on Yahoo? In their data on remote servers they do not own or control? In passwords or decryption keys stored with third party recovery agents? At best, the answer is unclear.

In the past, when the privacy status of communications and information created by emerging technologies was unclear, Congress acted to create statutory privacy rights. Most notable is the Electronic Communications Privacy Act of 1986 (ECPA), which established probable cause requirements for access to e-mail and cellular phone conversations.

As people begin to use key recovery and engage the services of key recovery agents, do escrowed keys lose the probable cause and notice protections of the Fourth amendment? CDT has argued that keys even in the hands of third parties are so sensitive and will play such a vital role in the still emerging world of cyberspace that they should be protected by the Fourth Amendment. No court has considered the issue. The Justice Department's analysis of CESA clearly states, "there is no constitutionally protected expectation of privacy in recovery information held by a third party but not under a confidentiality arrangement." Thus, in the Justice Department's view, key recovery agents, in the absence of a contractual confidentiality agreement, could voluntarily disclose keys to the government, and even with such an agreement, the government might be able to compel disclosure of a key with a mere grand jury or administrative subpoena issued without judicial approval and without notice to the person who created the key.

CESA seeks to moot the constitutional question by creating a narrow statutory privacy right in escrowed keys, while simultaneously providing a mechanism for the government to get those keys.

But the protections in CESA fall short of the privacy standard established by the Fourth Amendment. CESA requires disclosure of keys to government agents with a court order, when needed to decrypt information where there is no "constitutionally protected expectation of privacy" in the underlying plaintext. This is a new formulation, with no track record. Many privacy protections stem from laws passed by Congress and not from the Constitution directly. Under this provision, keys could be readily accessible for sensitive encrypted information stored with third parties such as financial records, medical records, or in fact any encrypted data stored on a network server or with an ISP. It is not even clear that there is a constitutionally protected expectation of privacy in email. (There is a certain circularity to privacy law. The Constitution honors "reasonable expectations of privacy." Does the statutory right of privacy in email established by ECPA before the courts could rule on its constitutional status give rise to a reasonable expectation of privacy such that it is now "constitutionally protected?")

Probable cause lacking: CESA does not require the more stringent showing of "probable cause" that the Fourth Amendment would demand of keys taken from a person's own computer or data seized from one's own house. Instead, CESA relies on a bootstrapping exercise: the authority to seize the key depends on a finding of no constitutional privacy interest in the plaintext. Normally, when the government executes a warrant and learns there is something else it wants in another location, it must go back to the judge and obtain a second warrant for that second location. Under CESA, obtaining of a warrant for seizure of information in the hands of one party would serve as the basis for the seizure of different information in the hands of a different party. This is not what the Fourth Amendment would require. Why not adhere to the standards of the Fourth Amendment and get a second warrant to seize the keys?

Notice: Under the Fourth Amendment, when the government wants to seize something from you, it must not only obtain a warrant from a judge based on a finding of probable cause, it also must serve the warrant on you at the time of the seizure, giving you the opportunity to protect your interests. CESA prohibits the contemporaneous notice required in a normal search, and allows even after-the-fact notice to be delayed indefinitely.

In the case of stored records, there is no justification for delayed notice. If the government seizes stored records and finds they have been encrypted, it can serve notice on the encryption user at the same time that keys are seized from a recovery agent, with no ill effect on its investigation.

In the case of communications, the government would want to delay notice in order to be able to continue to intercept and decrypt communications surreptitiously. But it is not clear that there will be very many situations where individuals escrow keys for their communications.

Foreign access: CESA also provides that a federal government entity may require a recovery agent to disclose stored recovery information "for the benefit of a foreign government, pursuant to a request of a foreign government under applicable legislation, treaties, or other international agreements." This one sentence masks a host of issues. How will the US government respond when a government like China's seeks the keys of human rights activists? Or when France seeks the keys of US corporations doing business in France, claiming that the keys are necessary for a tax evasion investigation?

Emergency access: CESA also has an emergency access provision, under which the Attorney General or other senior Justice Department officials can designate any federal law enforcement officer (park police, poultry inspector, building guard) to make the determination that there is an emergency and to demand a key from a recovery agent. The emergency language is similar to language in the wiretap law, but the justification for it here is hard to understand. The emergency procedures in the wiretap law are themselves outdated, having been enacted in 1968, before there were fax machines, pagers, cell phones and email, which make it always possible to find a federal judge on duty and able to review and approve a search warrant application. It should be noted that in 1997 the Federal Rules of Criminal Procedure were amended to allow for telephonic submission of search warrant applications and affidavits in emergency situations, with procedures for the contemporaneous recording of the oral testimony supporting probable cause. Fed. R. Crim. P. 41(c)(2). This keeps judges in the process and seems to be a far more appropriate model for emergency authority under a CESA.

CESA vs Chairman Goss' language: In matters of detail, there are significant differences between CESA and the access language drafted by the House Intelligence Committee chairman Porter J. Goss.

• The Goss amendment covers access to both plaintext and decryption information, while CESA covers only the latter. (As the Justice Department's analysis of CESA explains, "CESA is not intended to affect the standards for government access to plaintext.")
• The Goss bill does not specify the burden of proof that the government must meet: it simply requires a "factual basis" for the government's assertion of relevance. CESA uses the phrase "specific and articulable facts," which is a very low threshold.
• The standard in the Goss amendment is "relevance" to an ongoing investigation, relevance being the lowest standard for compelling disclosure of information, while CESA does not even require relevance. CESA merely says that there must be "no constitutionally protected expectation of privacy" or the expectation must be overcome by some means.
• The Goss amendment did not specify to whom a plaintext access order would be directed; CESA makes it clear that orders for decryption information are directed only to recovery agents.

What about the underlying data? CESA recognizes that keys stored with third parties are entitled to statutory privacy protection. But if keys in the hands of third parties are not constitutionally protected, what about the substance of one's files? The technological trends toward hand-held computers with Internet access and other mobile devices that access the data stored on networks mean that information may come more and more to be stored in configurations not protected by the Fourth Amendment. (The Supreme Court's statement that the Fourth Amendment "protects people, not places" clashes with its rulings that judge whether privacy expectation are "reasonable" based on where, with whom and how information is stored and accessed.) CESA does not address the privacy standards applicable to information stored on networks. A true Cyberspace Electronic Security Act would establish strong privacy protections for information stored on networks. (So far, the only statutory protection accorded networked information is under the obscure "remote computing provision of 18 USC 2703(b), adopted in 1986, before the World Wide Web existed, which provides less than the full Fourth Amendment protections.)

The challenge raised by CESA is to draft government access standards that map the privacy protections of the Fourth Amendment onto the emerging networked environment. Technology is exploding the home - personal data is moving out of the desk drawer and off of the desktop computer and out onto the Internet. It is not the end of the privacy debate to say that this technological change takes information outside the protection of the Fourth Amendment. To stop there would leave the Fourth Amendment protections available in the home when increasingly information is not stored there anymore. Rather, it is necessary to adopt legislative protections that give to information on networks the same level of Fourth Amendment privacy protections that it would have in the home. CESA falls well short of that goal.

For more information, contact: Jim Dempsey

Senior staff counsel

(202) 637-9800

Free Speech | Data Privacy | Government Surveillance | Cryptography | Domain Names | International | Bandwidth | Security | Internet Standards, Technology and Policy Project | Terrorism | Authentication | Right to Know | Spam

Our Mission / Get Involved / Staff / Publications / Links / Search CDT / Jobs / Action! Previous Headlines | Legislative Tracking | CDT's Privacy Policy