25 August 1998
From: Greg Garcia <greg.garcia@computerprivacy.org> To: jy@jya.com Subject: ACP Letter to John Hamre Date: Tue, 25 Aug 1998 11:55:55 -0400 The Executive Director of Americans for Computer Privacy, Ed Gillespie, signed the following August 5 letter responding to remarks about encryption made on July 21 by Deputy Secretary of Defense John Hamre to CIO's in Aspen. I understand that, subsequently, DOD on August 17 re-posted Hamre's speech without the Q&A. They have not yet responded to our points, but we do not necessarily expect them to. August 5, 1998 Honorable John J. Hamre Deputy Secretary of Defense The Pentagon Washington, DC 20301 Dear Secretary Hamre: We at Americans for Computer Privacy were interested to review your July 21 speech on the Administration's encryption policy. As you know, we are actively involved in discussions with the Administration in an effort to find a policy that fairly balances the various interests at stake. In that regard, we are grateful for your leadership and believe that we are making progress. However, we remain concerned that the Administration's policy, by relying so heavily on key recovery, does not give adequate weight to the fact that critical infrastructures depend on robust encryption. They cannot function securely if they are subject to third-party key management, which is itself vulnerable to corruption and error. You made a crucial observation that many of the critical infrastructures of this country -- from defense to energy, water and emergency response networks -- increasingly operate electronically across an internet-based control system. This system, in turn, is largely built with commercial, off- the- shelf software and hardware products. We agree that the openness, complexity and geographic dispersion of these systems leave them inherently vulnerable to security attacks unless they are equipped with state-of-the-art encryption technology. But any infrastructure security system that is deliberately designed with another vulnerability -- such as key recovery advocated by the Administration -- could expose those systems, and the people and organizations who depend on them, to serious and potentially catastrophic breaches of security and public safety. On a related point, we caution that many of our members do not share the government's interest in key recovery as the best means for "employees to leave an electronic fingerprint" on their activities within a company. Clearly, many companies have internal security systems to protect against employee loss or abuse of the company's intellectual property and sensitive business and personnel data. But it does not follow that these systems justify a government policy that creates a national, public infrastructure designed to give the government advance tools for the surveillance of private information. Honorable John J. Hamre August 5, 1998 Page Two Finally, we applaud your recognition that Americans are not "prepared for a mandatory key recovery system in this country" and that the government will "not ask that it be mandated through law on anybody." Unfortunately, that statement is inconsistent with the Administration's continued policy of conditioning export approval of strong encryption on industry's development of key recovery. If the Administration does "not want to block American businesses from being able to export strong encryption" but does "want them to manage this over time," then the Administration must let industry lead with market-driven innovations that respond to customer demands and law enforcement and national security needs. We already are beginning to see this dynamic play out in recent industry developments - as a result of market requirements, not government requirements. We continue to believe that the long term interests of the American public, its government and its industry, is best served by working together to find a solution that is driven by the marketplace, doesn't threaten innovation or privacy, and satisfies the government's legitimate needs. We look forward to working with you to achieve that goal this year. Sincerely, Ed Gillespie ACP Executive Director ----- Greg Garcia Coalition Manager Americans for Computer Privacy 1275 Pennsylvania Avenue, NW, 10th Floor Washington, DC 20004 (ph) 202.393.5222 (fx) 202.467.0810 (email) greg.garcia@computerprivacy.org (website) www.computerprivacy.org