From: Declan McCullagh <declan@eff.org>
Date: Fri, 31 May 1996 17:01:19 +0800
To: cypherpunks@toad.com
Subject: Fight-Censorship Dispatch #11: Landmark Crypto Study Released
Message-ID: <Pine.SUN.3.91.960530172021.4678C-100000@eff.org>
MIME-Version: 1.0
Content-Type: text/plain







-----------------------------------------------------------------------------
                        Fight-Censorship Dispatch #11
-----------------------------------------------------------------------------
                 Landmark NRC crypto policy report released
-----------------------------------------------------------------------------
         By Declan McCullagh / declan@well.com / Redistribute freely
-----------------------------------------------------------------------------

In this dispatch: National Research Council releases crypto policy study
                  Summary of NRC report recommendations
                  Update on online copyright legislation and the CDA

May 30, 1996


WASHINGTON, DC -- The National Research Council released their hefty,
long-awaited report on crypto policy today at a two-hour briefing this
afternoon at the National Press Club in Washington, DC.

The NRC's Computer Science and Telecommunications Board's
congressionally-mandated study, named "Cryptography's Role in Securing
the Information Society," calls for no restrictions on domestic use of
crypto but falls short of recommending that export controls should be
eliminated.

Instead, the report says that controls "should be progressively
relaxed."

The inch-thick study is certain to pack a sizeable wallop in the DC
crypto policy debate, coming on the heels of the Clinton
administration's "Clipper III" white paper and the crypto legislation
pending in Congress.

Kenneth Dam, a law professor at the University of Chicago and the
chair of the NRC committee, summed it up: "We're going to have a
national public debate and Congress has to be involved. We hope this
report contributed to it."

After Dam's overview, Marc Rotenberg from EPIC asked: "There are many
issues left unresolved or open by your report. What happens next with
key escrow?" Rotenberg also asked about the right to speak anonymously
online, which the report didn't address.

Dam hedged, as he did throughout the Q&A session: "We did not set out
to evaluate key escrow. With regard to the right to speak anonymously,
we saw nothing in our report that requires us to take a position.
Accountability is a competing interest. It was not vital to our
report."

The RAND Corporation's Willis Ware clarified: "We by no means advocate
authentication in a universal sense."

Strangely, the executive summary doesn't even mention Pretty Good
Privacy -- the NRC only recommended that 56-bit DES "should be easily
exportable," ignoring PGP completely. The text of Recommendation 4.1
says "products providing confidentiality at a level that meets most
general commercial requirements should be easily exportable."

But does that cover the export of PGP?

The report also says, in Recommendation 5.4, that Congress should
consider legislation that would criminalize the use of crypto to
commit a Federal crime. This portion also attracted flames. Some
audience members wondered if this means crypto would continue to be
treated as a munition, like guns, that can be regulated.

Bottom line: the report is much more favorable than we hoped for,
though it doesn't have everything we want. It *is* surprisingly
pro-crypto considering that all but three of the 16 committee members
had security clearances and were subjected to the NSA's classified
briefing -- widely rumored to be designed to scare the recipient into
agreeing to restrictions on encryption.

As David Sobel from EPIC told me: "These people *did* know what the NSA
knew -- but they still rejected the administration's policy."

CDT's Danny Weitzner wrote: "The study is without a doubt the most
comprehensive and balanced analysis of the complex encryption policy
debate yet published."

Fortunately, the voluminous report comes with an 35-page executive
summary that's available at <http://www2.nas.edu/cstbweb/>. The 
full text of the report will be available online next week.
(Pre-publication hardcopies were distributed at the briefing and
will be available from the National Academy Press for $45. Call
202-334-2605 in two months.)


+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+
                    SUMMARY OF NRC REPORT RECOMMENDATIONS
+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+

Recommendation 1:  No law should bar the manufacture, sale, or use of
any form of encryption within the United States.

Recommendation 2:  National cryptography policy should be developed by
the executive and legislative branches on the basis of open public
discussion and governed by the rule of law.

Recommendation 3:  National cryptography policy affecting the
development and use of commercial cryptography should be more closely
aligned with market forces.

Recommendation 4:  Export controls on cryptography should be
progressively relaxed but not eliminated.

        4.1 -- Products providing confidentiality at a level that
        meets most general commercial requirements should be easily
        exportable.  Today, products with encryption capabilities that
        incorporate 56-bit DES provide this level of confidentiality
        and should be easily exportable.

        4.2 -- Products providing stronger confidentiality should be
        exportable on an expedited basis to a list of approved
        companies if the proposed product user is willing to provide
        access to decrypted information upon legally authorized request.

        4.3 -- The U.S. government should streamline and increase the
        transparency of the export licensing process for cryptography.

Recommendation 5:  The U.S. government should take steps to assist law
enforcement and national security to adjust to new technical realities
of the information age.

        5.1 -- The U.S. government should actively encourage the use of
        cryptography in nonconfidentiality applications such as user
        authentication and integrity checks.

        5.2 -- The U.S. government should promote the security of the
        telecommunications networks more actively.  At a minimum, the
        U.S. government should promote the link encryption of cellular
        communications and the improvement of security at telephone
        switches.

        5.3 -- To better understand how escrowed encryption might
        operate, the U.S. government should explore escrowed
        encryption for its own uses.  To address the critical
        international dimensions of escrowed communications, the U.S.
        government should work with other nations on this topic.

        5.4 -- Congress should seriously consider legislation that
        would impose criminal penalties on the use of encrypted
        communications in interstate commerce with the intent to
        commit a federal crime.


+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+
            UPDATE ON ONLINE COPYRIGHT LEGISLATION AND THE CDA
+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+

ON THE CDA:

Folks involved in the case expect a decision within the next week from
the Philadelphia three-judge panel hearing our challenge to the
CDA. The Department of Justice has a few weeks to appeal to the
Supreme Court if they lose.

ON COPYRIGHT:

There's plenty of action on the Hill -- and contrary to what I thought a
week ago, there's even a fighting chance that this braindead copyright
bill will pass this year. 

So far, full Senate judiciary and the House judiciary intellectual
property subcommittee have held hearings. The House has taken the lead
now, and the tentative date for the subcommittee markup of HR2441 is
June 5. (It was to have been last week, but was cancelled at the last
minute when no agreement was reached.)

As Brock Meeks wrote in his Muckraker column on HotWired:

  Both bills contain intellectual property land mines. If they aren't
  defused, all online service providers - from the single-line BBS to
  commercial online services to internet service providers - could end
  up as de facto "copyright cops," made to rig their systems so that
  they can monitor every single bit of information trafficked by their
  users. Reason: both bills hold online service providers liable for any
  infringing information passing through or stored on their system.

  There are other reasons not to like this bill, including language
  that makes surfing the Net a copyright violation unless you happen to
  have a "license" for hitting a particular site with your browser. You
  see, the courts have ruled that simply sucking bits into your
  computer's memory, i.e. surfing, is the same as making a copy of
  something. No, I'm not making this up.

Stay tuned for more reports.


-----------------------------------------------------------------------------

Mentioned in this Fight-Censorship Dispatch:

  NRC report overview text:
    <http://www2.nas.edu/cstbweb/28e2.html>
  Info on online copyright legislation:
    <http://www.ari.net/dfc/>
  Brock Meeks' column on online copyright:
    <http://www.hotwired.com/muckraker/96/20/index3a.html>

This and previous Fight-Censorship Dispatches are available at:
  <http://fight-censorship.dementia.org/top/>

Want to subscribe to the low-traffic, moderated fight-censorship
announcement mailing list for future Fight-Censorship Dispatches and
related messages?

Send "subscribe fight-censorship-announce" in the body of a message
addressed to: 
  majordomo@vorlon.mit.edu

Other relevant web sites:
  <http://www.eff.org/>
  <http://www.cdt.org/>
  <http://www.aclu.org/>
  <http://www.ala.org/>

-----------------------------------------------------------------------------