CDT POLICY POST Volume 5, Number 22 September 17, 1999

A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE
from THE CENTER FOR DEMOCRACY AND TECHNOLOGY

CONTENTS:
(1) Administration Announces Export Revisions, Privacy Advocates 
    Remain Skeptical
(2) The Devil is in the Details: Export Control Proposal
(3) The Proposed CESA Bill and Government Access to Keys
(4) Policy Post Administration
_______________________________________________________________________

(1) ADMINISTRATION ANNOUNCES EXPORT REVISIONS, PRIVACY
ADVOCATES REMAIN SKEPTICAL

Just as the SAFE Act was about to come to the House floor, the Clinton 
Administration has announced plans to ease long-standing export controls 
on encryption products. The changes, if actually delivered as proposed, 
could make it much easier for people all over the world to gain access to 
the strongest encryption. At the same time, however, the White House 
announced its support for new legislation giving government officials access 
to sensitive decryption keys, when held by third parties, without full Fourth 
Amendment privacy protections. 

Documents detailing the new policy are available on CDT's web site at 
http://www.cdt.org/crypto/. Major features of the 
new policy include:

* Export Relief -- The Administration plans to release revised regulations in 
December allowing export of "retail" encryption products of unlimited strength, 
subject to a one-time technical review, reporting requirements, and restrictions 
on sales to the seven terrorist nations. 

* Administration Support for New Law Enforcement Access Standards -- The 
White House is to support the Cyberspace Security Enhancement Act (CESA). 
While abandoning "secret search" provisions floated last month, the bill would 
establish standards for law enforcement access to decryption keys held by 
third parties. 

The devil is in the details when it comes to encryption regulations, and CDT will 
be watching carefully to see that the promised export relief is actually reflected in 
the new regulations without hedges or discretionary exceptions.  Congressional 
backers of the SAFE Act, which would lift most encryption export controls, 
have vowed to keep the pressure up. Meanwhile, though, they are expected to 
postpone a vote on SAFE pending satisfactory regulations from the Administration.

CDT remains concerned that the access provisions in the new CESA bill fall short 
of the kind of protections needed in the evolving networked environment.

For up-to-date information and further background about the encryption debate 
please visit CDT's web site at http://www.cdt.org/crypto/.

________________________________________________________________________

(2) THE DEVIL IS IN THE DETAILS: EXPORT CONTROLS

The Administration policy, if implemented as promised, would represent a major 
change in U.S. export policy. As described by White House officials, widely-available
encryption products like 128-bit web browsers or PGP software would be exportable 
to all but a few countries after a technical review and subject to reporting 
requirements about who the product was shipped to.

Officials say that under regulations due to be released before the end of the year:

* "Retail" encryption hardware and software of unlimited strength could be 
exported without a license after a "one-time technical review" and subject to 
post-export reporting of transfers. Reporting is to be limited to the information 
that "companies normally collect" (i.e., who the product was transferred to, not 
who the end user was.)

* Non-retail "custom" products would face further restrictions on sales to foreign
governments and identified terrorist or criminal organizations.

* Export of encryption products with bit lengths up to 64 bits would be entirely
decontrolled.

As described, the regulations would represent an abandonment of the U.S. policy 
that had been based on bit-length limits and the promotion of key recovery. 
 
A remaining concern is whether the regulations will in fact give the broad relief 
promised. On more than one occasion in the years since the failed 1993 Clipper 
Chip proposal, hopes for substantial progress on encryption policy have failed to 
provide comprehensive reform. (For some examples, see CDT's "History of 
Administration Encryption Policy" on the Web at 
http://www.cdt.org/crypto/admin/initiatives.shtml)

In addition, the announcement leaves many export control problems unresolved. 
For example, cryptographic researchers and small encryption distributors would
apparently remain unable to easily distribute encryption without satisfying the 
federal regulatory process. Challenges to these restrictions - such as the Bernstein, 
Karn, and Junger cases - will remain important in asserting the First Amendment 
rights of encryption publishers.
________________________________________________________________________

(3) THE PROPOSED CESA BILL AND GOVERNMENT ACCESS TO KEYS

CDT remains concerned that the provisions of the new CESA legislation will not
adequately protect the privacy of sensitive decryption keys in the new online 
environment.

Major provisions of CESA include:

* Prohibits the disclosure of decryption information, when held by third parties, 
without appropriate legal authority as spelled out in the bill.

* Requires disclosure of keys to government agents with a court order, when
needed to decrypt information where there is no "constitutional expectation of 
privacy" in the underlying plaintext. Many privacy protections stem from laws 
passed by Congress and not from the Constitution directly. Under this provision, 
keys could be readily accessible for sensitive encrypted information stored with 
third parties such as financial records, medical records, or in fact any encrypted 
data stored on a network server or with an ISP.

* Authorizes $80 million for the FBI's Tech Center, designed to promote law
enforcement tools and techniques for defeating encryption.

* Prohibits disclosure in open court of the techniques used to obtain the plaintext 
of encrypted information. A delicate legal balance has been struck over time 
between the rights of defendants and the need to protect law enforcement agents 
and methods. This new provision could undermine that balance and the ability of 
citizens to receive a fair trial.

CESA no longer includes "secret search" authority allowing government agents to 
secretly break into people's homes and install "recovery devices" on their computer 
if they did not use key recovery. The bill also no longer contains other provisions 
to promote the use of key recovery.

CDT remains concerned that CESA's provisions do not require the more 
stringent showing of "probable cause" and notice of a seizure that the Fourth 
Amendment would demand of keys taken from a person's own computer or 
data seized from one's own house. In the Information Age, more and more of 
our most personal data is moving out of the desk drawer and off of the desktop 
computer and out onto the Internet. CESA has opened a new and complex debate
about the standards that are needed to protect sensitive data in networked 
electronic storage.

_______________________________________________________________________

(4) POLICY POST ADMINISTRATION

To subscribe to CDT's Policy Post list, send mail to majordomo@cdt.org
In the BODY of the message type "subscribe policy-posts" without the quotes.

To unsubscribe from CDT's Policy Post list, send mail to majordomo@cdt.org
In the BODY of the message type "unsubscribe policy-posts" without the quotes.

E-mail questions or comments to info@cdt.org.

Detailed information about online civil liberties issues may be found at http://www.cdt.org/

This document may be redistributed freely in full or linked to 
http://www.cdt.org/publications/pp_5.22.shtml.
Excerpts may be re-posted with prior permission of info@cdt.org

Policy Post 5.22 Copyright 1999 Center for Democracy and Technology