8 September 1997
Source: Mail list ukcrypto@maillist.ox.ac.uk

See McCain-Kerrey legislation: http://jya.com/s909.htm
See legislative draft on encryption: http://jya.com/gakbill-text.htm


To: ukcrypto@maillist.ox.ac.uk
Date: Mon, 08 Sep 97 18:17:32 EST
From: "Stewart Baker" <sbaker@mail.steptoe.com>
Subject: Re: US now wants to ban all non-escrowed crypto


          Here is a quick analysis of the latest leaked Administration 
     legislative draft on encryption.  Whether this language ever sees the light 
     of day in this form, however, is open to doubt.  With that disclaimer, 
     here's what the bill seems likely to do.
     
     Stewart Baker
     
     
          THE LANGUAGE
          
                    The draft borrows heavily from the structure and content of 
          the Kerrey/McCain legislation--it even retains the title, the "Secure 
          Public Networks Act".   In fact, the provisions in Titles IV through X 
          of McCain/Kerrey regarding the registration of certificate authorities 
          and key recovery agents, liability, criminal penalties, defenses, 
          international negotiations, authority of the Secretary of Commerce to 
          investigate compliance with the Act, and authority for the Attorney 
          General to bring actions to enjoin violations of the Act are largely 
          unchanged in this draft.  The significant changes are:
          
               --   gone is the section (102) that would prohibit mandatory 
          third party escrow of keys.  In its place is a new section (105) that 
          would prohibit, after January 1, 1999, the provision of encryption 
          services in the U.S., or the manufacture for sale or distribution in 
          the U.S. of encryption products/systems, that do not have a plaintext 
          recovery feature that may be turned on at the option of the user.
          
               --   gone is the exclusive emphasis on key recovery as the 
          technology for assuring plaintext recovery.  Instead, this legislation 
          would require products and systems that permit immediate decryption 
          without the knowledge or cooperation of the user.  The Attorney 
          General is to issue regulations describing these functional criteria, 
          but there is no provision requiring public notice and comment on such 
          regulations.
          
               --   gone is the language requiring key recovery agents to 
          disclose recovery information when presented with a subpoena.  In its 
          place is language that indicates a court order or court authorized 
          warrant is required before a key recovery agent may disclose recovery 
          information.  
          
               --   added is export license exception treatment for products 
          that are access or recovery enabled, regardless of algorithm, key 
          length,  or even whether the access feature is activated.  This would 
          be broader than McCain/Kerrey which would extend license exception 
          treatment to products with over 56-bit key lengths only if the product 
          includes an access feature and the access feature is turned on at the 
          time of export.
          
               --   retained is the provision to decontrol 56-bit encryption 
          after one time review.  However, the bill adds an Encryption Export 
          Advisory Board, composed of industry and government representatives, 
          to, among other things, recommend to the President whether the key 
          length of encryption exports to be decontrolled should be raised 
          beyond 56 bits.  The President retains the final decision making 
          authority, however.
          
               --   gone is the McCain/Kerrey provision that would authorize the 
          Secretary of Commerce to prohibit any exports that could be contrary 
          to U.S. security interests.
          
               --   added is a provision to permit license exceptions for voice 
          products with encryption if the Secretary of Commerce determines that 
          requiring an access feature  would be a competitive disadvantage and 
          permitting the export would be compatible with U.S. foreign and 
          national security policies.
          
               --   retained are the provisions that require the use of 
          accessible encryption products and services on any system used or 
          funded by the Government, but this draft sets a January 1, 1999 date 
          of compliance.
          
               --   contrary to earlier indications, there is no requirement for 
          certificate authorities registered under the Act to ensure recovery 
          information is escrowed with a recovery agent registered under the 
          Act.
          
          ANALYSIS
          
                    Even though expected, the big news with this draft is the 
          introduction of domestic control of encryption products and services 
          available in the U.S.  For many, the idea of such controls is simply 
          an unacceptable infringement on privacy.  But even for those who could 
          be persuaded of the need for such controls, the implementation date 
          provided (January 1, 1999) is unworkable.  Industry must have the time 
          to research and develop access technology appropriate to their 
          products, particularly in the telecommunications industry where the 
          demand for security is increasing, but there is little or no market 
          for key recovery and its associated infrastructure.  Likewise, 
          manufacturers cannot afford to write off the investments they have 
          made in existing security products or services by being compelled to 
          implement new designs before technology turnover would normally be 
          expected to occur.
          
                    A related concern would be to ensure new products with 
          access features may interoperate with products or services that are 
          already in use without such features.  It is unreasonable to expect 
          that users could afford to replace their existing systems with new 
          products that include access features.  The language of this draft 
          would seem to permit such interoperability since the access feature is 
          required only to be an option that may be turned on by the user, or 
          not.  But even if the legislation is understood as permitting such 
          interoperability, the cost to manufacturers and consumers of meeting 
          this new requirement could be substantial.  
               


Stewart Baker, Steptoe & Johnson LLP, on the Web: http://www.steptoe.com/baker.htm