From: Bob Palacios <editor@cdt.org>
Date: Mon, 18 Nov 1996 15:53:58 -0800 (PST)
To: cypherpunks@toad.com
Subject: CDT Policy Post 2.38 - President Takes First Steps TowardsClipper 3.1.1
Message-ID: <v03007803aeb6a50ea233@[204.157.127.16]>
MIME-Version: 1.0
Content-Type: text/plain


-----------------------------------------------------------------------------
    _____ _____ _______
   / ____|  __ \__   __|   ____        ___               ____             __
  | |    | |  | | | |     / __ \____  / (_)______  __   / __ \____  _____/ /_
  | |    | |  | | | |    / /_/ / __ \/ / / ___/ / / /  / /_/ / __ \/ ___/ __/
  | |____| |__| | | |   / ____/ /_/ / / / /__/ /_/ /  / ____/ /_/ (__  ) /_
   \_____|_____/  |_|  /_/    \____/_/_/\___/\__, /  /_/    \____/____/\__/
   The Center for Democracy and Technology  /____/     Volume 2, Number 38
----------------------------------------------------------------------------
      A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
 CDT POLICY POST Volume 2, Number 38                     November 18, 1996

 CONTENTS: (1) President Takes First Steps Towards Clipper 3.1.1
           (2) Details of the Executive Order
           (3) How to Subscribe/Unsubscribe
           (4) About CDT, contacting us

  ** This document may be redistributed freely with this banner intact **
        Excerpts may be re-posted with permission of <editor@cdt.org>
         ** This document looks best when viewed in COURIER font **
-----------------------------------------------------------------------------

(1) PRESIDENT TAKES FIRST STEPS TOWARDS CLIPPER 3.1.1

In a move that leaves major unanswered questions about the privacy of global
communications on the Internet,  President Clinton has taken the first
concrete steps towards implementing the government's controversial key
recovery encryption proposal.  On Friday November 15, the President appointed
an ambassador-level "Special Envoy for Cryptography" and signed an Executive
Order that gives the Commerce Department jurisdiction over encryption exports
but includes the Justice Department in all such export decisions.  These
developments do little to change the underlying regulations on encryption
that have prevented the development of a strong worldwide encryption standard
needed to protect privacy and security on the Internet.

The full text of the executive order and other relevant background materials
are available on CDT's Encryption Policy Page:

     http://www.cdt.org/crypto/

Friday's White House announcements demonstrate the Administration's
commitment to its dangerous key recovery approach to worldwide encryption.
This approach fails to meet the fundamental privacy needs of computer users
and industry because:

*  International communications are still vulnerable since products sold
   by the dominant U.S. hardware and software manufacturers must conform
   to U.S. export controls.

*  Key recovery won't protect privacy internationally and institutionalizes
   a global government surveillance mechanism without privacy safeguards.

*  U.S. exports are still controlled and uncompetitive making it harder for
   the market to develop a secure global encryption standard.

The Administration policy, initially announced on October 1st and dubbed
"Clipper 3.1.1," leaves Internet users without the technical means to secure
their communications or the international legal standards needed to protect
their privacy.

In other developments this week, Hewlett-Packard and other companies announced
preliminary approval to export new "dormant encryption" products, which
contain strong encryption that can only be activated with a special license.
While this new architecture is expected to make it easier for industry to
market encryption products, this technology does not change the underlying
privacy problems created by the Administration's export control policy.
Granting of licenses to use strong encryption will still be subject to the
current export controls limiting key length and requiring key recovery for
strong encryption.

CONTINUING A DANGEROUS KEY RECOVERY POLICY

The Administration's announcements mark the first real steps towards
implementing an approach to encryption policy based on the dangerous and
untested idea of global key recovery.  This approach would institutionalize
worldwide governmental access to encrypted communications without providing
any privacy standards for electronic communications or stored data.

The Administration's approach leaves computer users at risk operating on a
global network without the technical security provided by strong encryption
or the legal privacy rights afforded here in the United States by the Fourth
Amendment and federal law.  For example, the Administration policy would not
solve the following privacy problems:

*  International communications are still vulnerable.  For example, an
   American individual doing business with someone in France would still
   be forced to use weaker forms of encryption, or use key recovery systems
   that make their communications accessible to law enforcement officials of
   both countries.

*  Key recovery won't protect privacy internationally.  A Chinese dissident
   communicating with supporters in the U.S. and fearful of weaker encryption
   would be to forced to use key recovery. The Administration indicates that
   such key recovery mechanisms would be based on bilateral key-access
   arrangements between governments. Even if the dissident's keys were
   recoverable only in the U.S., such a global key access policy would
   almost certainly make those keys accessible to the Chinese government. If
   the United States expects China to assist U.S. law enforcement with key
   recovery for issues of national interest, such as anti-piracy efforts in
   China, we can also expect China to require U.S. disclosure of keys to its
   law enforcement community.

*  Exports are still controlled and uncompetitive.  A Japanese company using
   exportable U.S. encryption products would be forced to use lower strength
   encryption -- or use an key recovery agent approved by the U.S. law
   enforcement community. This is unlikely to help the global market develop
   a worldwide standard for secure communications.

As a result of this policy, computer users all over the world will be left
with a lowest common denominator infrastructure that does not provide for
either technical security or legal privacy for sensitive communications and
data. CDT believes that any workable U.S. encryption policy must be designed
to protect the privacy and security of Internet users.

------------------------------------------------------------------------

(2) DETAILS OF THE EXECUTIVE ORDER

The Executive Order signed by the President on Friday does not change the
type of encryption products that will be exportable. Rather, it lays the
groundwork for the eventual transfer of encryption export control
jurisdiction from the State Department to the Commerce Department pending
Final Regulations by both departments.

Encryption exports have traditionally been regulated as "munitions"
controlled by the State Department. While the Commerce Department is widely
viewed as more sensitive to the needs of business and individual encryption
users, Commerce is still constrained by Administration encryption policy.
Additional provisions of the Executive Order indicate that the Commerce
Department's encryption controls will continue to be dominated by law
enforcement and national security interests:

*  New Justice Department role in export review committee -- In an unusual
   step, the Order adds the Justice Department to the interagency group
   reviewing Commerce encryption export decisions.

*  Source code treated as a "product" -- The Order specifically singles out
   encryption source code to be given the stricter review scrutiny of a
   "product" rather than a "technology."

*  Broad definition of export -- The export of encryption source code or
   object code is extended to explicitly include posting to FTP sites or
   electronic bulletin boards unless "adequate" precautions are taken to
   prevent transfer abroad. As reflected by a recent Federal Court finding
   in the CDA indecency case that Internet users rarely have control over
   the parties accessing materials via FTP, Usenet, or the Web, this
   provision could have the chilling effect of preventing most
   dissemination or discussion of new cryptographic tools on the Internet.

The Administration's announcements will have little effect on the existing
encryption privacy problem unless the underlying policies governing the
export and use of encryption are changed. These announcements do little to
address the unanswered questions about how privacy will be protected in the
key recovery system envisioned by the Administration.

APPOINTMENT OF THE "SPECIAL ENVOY FOR CRYPTOGRAPHY"

On Friday the President also designated Ambassador David L. Aaron as the
new "Special Envoy for Cryptography."  According to the White House, this
Special Envoy will have "responsibility to promote the growth of electronic
commerce and robust, secure global communications in a manner that protects
the public safety and national security. . . . Ambassador Aaron will promote
international cooperation, coordinate U.S. contacts with foreign governments
on encryption matters and provide a focal point for identifying and resolving
bilateral and multilateral encryption issues."  Ambassador Aaron is currently
the U.S. Ambassador to the OECD.

CDT hopes that the new Special Envoy, as a representative of the United
States, will work to represent the needs of Americans to communicate
privately in the currently insecure global environment.  Until now, U.S.
encryption representation abroad has been dominated by law enforcement and
national security interests. CDT hopes that the new Special Envoy will also
consult with the computer user community, consumers, privacy advocates, and
industry to promote their need for secure networks worldwide.

NEXT STEPS

In the coming months, both the Department of Commerce and the State
Department must issue rules to implement the Administration's new encryption
policy.

*  The State Department will issue a rule transferring its jurisdiction of
   encryption licensing  to the Commerce Department.

*  The Commerce Department will issue rules spelling out exactly how it will
   approve products for export, and what the requirements for approved key
   recovery centers and key recovery plans will look like.

CDT hopes and expects that the Administration will provide an opportunity
for public comment in the rulemaking process to allow input from those
concerned about privacy and security in the formulation of U.S. encryption
policy.

------------------------------------------------------------------------

(3) SUBSCRIPTION INFORMATION

Be sure you are up to date on the latest public policy issues affecting
civil liberties online and how they will affect you! Subscribe to the CDT
Policy Post news distribution list.  CDT Policy Posts, the regular news
publication of the Center For Democracy and Technology, are received by
nearly 10,000 Internet users, industry leaders, policy makers and
activists, and have become the leading source for information about
critical free speech and privacy issues affecting the Internet and other
interactive communications media.

To subscribe to CDT's Policy Post list, send mail to

     policy-posts-request@cdt.org

with a subject:

     subscribe policy-posts

If you ever wish to remove yourself from the list, send mail to the
above address with a subject of:

     unsubscribe policy-posts

-----------------------------------------------------------------------

(4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US

The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop
and advocate public policies that advance democratic values and
constitutional civil liberties in new computer and communications
technologies.

Contacting us:

General information:  info@cdt.org
World Wide Web:       URL:http://www.cdt.org/
FTP                   URL:ftp://ftp.cdt.org/pub/cdt/

Snail Mail:  The Center for Democracy and Technology
             1634 Eye Street NW * Suite 1100 * Washington, DC 20006
             (v) +1.202.637.9800 * (f) +1.202.637.0968

-----------------------------------------------------------------------
End Policy Post 2.38                                           11/18/96
-----------------------------------------------------------------------