19 June 1997
Source: Mail list cypherpunks@toad.com

--------------------------------------------------------

To: cypherpunks@toad.com
Date: Thu, 19 Jun 1997 05:29:20 -0700 (PDT)
From: Declan McCullagh
Subject: Crypto-compromises in Washington: Burns offers ProCODE II

Rocke Verser's announcement couldn't have come at a more embarrassing time for the White House. At 3:46 pm yesterday, after five months of painstaking work, the Colorado computer consultant fired off an excited message to the DES challenge mailing list: "WE FOUND IT!"

Verser was talking about his group's successful crack of a message scrambled with the 56-bit DES encryption standard. When subjected to the massive computing power of thousands of machines around the globe, the enciphered message finally yielded the secret phrase, "Strong cryptography makes the world a safer place."

That's exactly what the Clinton administration didn't want to hear. For years top government officials have argued the opposite, that strong cryptography makes the world a less secure place where criminals and terrorists can scheme with impunity. The White House has long wanted to ensure that it can listen in to all electronic communications through schemes like "key escrow" or the Clipper Chip.

Today the Senate Commerce committee is scheduled to vote on two competing crypto-bills, one backed by the White House and one backed by industry and some privacy groups. And now, I've learned, some of cryptography's most loyal supporters on the Hill are talking about cutting a deal...

---

I ran into Jim Bidzos, head of RSA Data Security (which sponsored the DES challenge), at a party in the Watergate last night. "Export regulations are a dinosaur," he said. "But it's a dinosaur that'll take out a lot of the city during its death struggles." Bidzos is testifying before a House Science panel today and plans to stress the problems of 56-bit DES; only 128-bit DES is generally regarded as reasonably secure...

---

Washington is a city of complexity, painful complexity, when it comes to encryption. Three different lawsuits are challenging the constitutionality of last year's Federal crypto-regulations. This year's Commerce Department regulations add up to an eye-straining 16,000 words. Four different bills are moving through Congress, and the legislative jockeying is even more abstruse.

But throughout this muddle, one point remains clear: The Clinton administration wants to hold on to the status quo as long as possible. That means no judicial or legislative tinkering -- and, above all, no general lifting of export controls on encryption products.

Even as officials admit privately that attempts to prop up these Cold War rules are eventually doomed, they argue publicly that removing the rules would be catastrophic. "The proliferation of unbreakable encryption would seriously and fundamentally threaten... critical and central public safety interests," FBI director Louis Freeh said earlier this month.

For Freeh, the best way to stall for time was to take the battle to Congress. Earlier this week Sen. Bob Kerrey (D-Neb.) and Sen. John McCain introduced a bill that included everything Freeh and the White House desired: sections creating new Federal crimes for some uses of crypto and an all-but-mandatory key escrow infrastructure. The goal: to facilitate government access to any private data.

Privacy advocates leaped to savage it. "The bill threatens any prospect of privacy and security in electronic commerce and on the Internet by opening a huge window of vulnerability to the private data and communications of encryption users," the Center for Democracy and Technology cried. EPIC's Dave Banisar told me it was a "poison pill strategy designed to kill" pro-crypto legislation.

The many problems with the bill normally would be bad enough, but it's zooming through Congress at an almost supersonic velocity.
Thanks to the sponsorship of McCain, the powerful Senate commerce committee chair, the committee is scheduled to vote on it today, without even holding hearings.

This could mean the death of a bill introduced last year, then reintroduced this year by Sen. Conrad Burns (R-Mont.). Called "ProCODE," privacy advocates say it's the best of all the crypto bills in Congress (but then again, that's not saying much).

---

In Washington politics, perhaps the worst thing that can be said about you is that you're unwilling to compromise. So it should come as no surprise that the McCain-Kerrey bill prompted Burns himself to offer a substitute ProCODE bill that will be unveiled at the markup session today.

"People would say Burns hasn't moved on this issue and he's not willing to compromise. He needs to put something on the table so he can credibly say he has a compromise too. Otherwise it seems like he's not willing to play the game," one Hill observer told me yesterday.

"ProCODE II" would allow the export of up to 56-bit DES -- yes, the very same bit length that was cracked yesterday -- only in some circumstances and give the FBI and the CIA more of a say on an encryption panel the bill creates, sources say. (For their part, Burns' staff characterizes it as having only "slight differences" from ProCODE I.)

This legislative jockeying takes place against a backdrop of rivalries between Burns and McCain that stretch far beyond encryption. Burns introduced an amendment on a spectrum auction bill that gutted McCain's proposal. A recent National Journal story played up the rift, and only resulted in widening it.

McCain's insistence on endorsing the administration's -- and thus the national security establishment's -- position shouldn't be surprising, even if McCain was one of the original sponsors of ProCODE last year.
He told Wired Magazine's Todd Lappin in March that "we need to find a middle ground" on crypto: "It's pretty clear that the administration's crypto proposals will have a harmful effect upon the industry. But we can't completely ignore the warnings we get from the heads of the FBI and the National Security Agency... If the president of the United States vetoes a crypto bill we pass, I doubt we'll be able to override his veto."

Then there's the Senate Judiciary committee. Its chairman, Sen. Orrin Hatch (R-Utah), said last week that he may introduce an alternative bill to relax export controls on encryption technology. But he's also talking about requiring key escrow in certain circumstances. Judiciary is holding a hearing next Wednesday on key escrow; the FBI's Freeh is scheduled to testify. For his part, Hatch has control of a crypto bill introduced by Sen. Patrick Leahy (D-Ver.) and could block legislation that other committees report.

---

Now the focus is on today's scheduled vote in Senate Commerce. Sources say Sen. Bill Frist (R-Tenn.) is planning to introduce amendments to the McCain bill that would weaken it. They would delay the implementation of some portions by a year. They would also require that NIST, the Department of Justice, and the Department of Defense publish guidelines on key recovery.

Today senators will be faced with a series of unpleasant choices: approve the McCain-Kerrey bill (sponsored by the chair), approve the original ProCODE bill, or approve ProCODE II. Certainly some senators would be wary of endorsing a measure that they haven't had time to read. The buzz, however, on the Hill is that McCain doesn't have the votes for his bill and may postpone the vote after all.

What all this legislative turmoil means is exactly what McCain predicted in March: for a bill to get out of committee, there has to be a compromise. As I wrote in a recent Netly News column, members of Congress are driven by a fierce, desperate urge to compromise.
The drive is primal: legislators are compelled to find a middle ground. But to their chagrin, crypto doesn't offer one. Either you keep a copy of the electronic keys to your files or someone else does -- which is exactly what the White House wants. Either you're free to speak privately over the Net using PGP, or you're not -- which is exactly what the White House also wants.

That's why the only sane answer to the encryption struggle might be to wait for the courts to strike down export controls as unconstitutional. They're moving forward: a Federal court yesterday heard arguments in the Bernstein case. (Sure, it would put would-be crypto lobbyists out of business overnight, but that sounds like a good thing to me.)

Congress can't be trusted not to compromise away fundamental liberties, and any bill that makes it past McCain, Hatch, and Kerrey -- not to mention their counterparts in the House -- is almost certain to include some key escrow provisions.

A veteran lobbyist told me last night that this could indeed happen -- but only if high tech firms and their Washington lobbyists sell out our privacy by accepting relaxed export controls in exchange for domestic controls on the use of encryption. Businesses might make money, but American consumers would be the ultimate losers...

Additional articles:

http://pathfinder.com/netly/editorial/0,1012,931,00.html
http://pathfinder.com/netly/opinion/0,1042,1022,00.html

-Declan