1997-09-13 - Letter to Senator Bryan, was Re: Key Recovery is Bad for USSecurity

Header Data

From: Steve Schear <azur@netcom.com>
To: Bill Frantz <cypherpunks@cyberpass.net
Message Hash: d10a4dfceae4ddb4baadc1f9cf749e4817cbd584388068e0647fc99612e7869f
Message ID: <v03102800b0408bd4b2e1@[10.0.2.15]>
Reply To: <3.0.32.19970905103052.00700338@homer.communities.com>
UTC Datetime: 1997-09-13 18:45:34 UTC
Raw Date: Sun, 14 Sep 1997 02:45:34 +0800

Raw message

From: Steve Schear <azur@netcom.com>
Date: Sun, 14 Sep 1997 02:45:34 +0800
To: Bill Frantz <cypherpunks@cyberpass.net
Subject: Letter to Senator Bryan, was Re: Key Recovery is Bad for USSecurity
In-Reply-To: <3.0.32.19970905103052.00700338@homer.communities.com>
Message-ID: <v03102800b0408bd4b2e1@[10.0.2.15]>
MIME-Version: 1.0
Content-Type: text/plain



Bill, I hope you don't mind me basing my letter on yours.

-----------

September 11, 1997


Richard S. Bryan
364 Russell Senate Office Building
Washington, DC 20510-2804


	RE: Secure Public Networks Act


Dear Senator Bryan,

Thank you for your July 23 letter; however, I am still extremely disturbed
by Congressional and Administration comments in favor of mandatory "key
recovery".  Besides being a disaster for American software companies, and a
clear violation of the Constitution's protections of freedom of speech,
these systems are harmful to the security of the United States.

All cryptographic systems are extremely difficult to get right.  Netscape's
SSL protocol, used for secure credit card transactions, which doesn't
provide for "key recovery", went through three versions before the major
problems were removed.  "Key recovery" systems are, as Professor Dorothy
Denning testified, much more complex than similar systems which do not
include that feature.  In fact, the key recovery system built into Clipper,
with the advice of NSA, had major flaws.  If the best cryptographic group
in the world can't get it right, after years of effort, how can we expect
"key recovery" systems to be secure?

What do we risk with insecure systems?  We risk compromising the
information of non-classified government agencies, including IRS records;
United States companies, including delicate international negotiations; and
individual Americans, including their medical records.  Even worse, if some
group should decide to launch an information war attack on the United
States, these flaws may allow them to access sensitive systems in the
finance, transportation, and energy sectors.  One simple way this attack
could occur is if the access codes are distributed using a flawed
encryption system.

The calls from law enforcement for these cryptographic backdoors to thwart
drug-kingpins, terrorists and the like, were recently refuted by the
government's own studies.  "Encryption and Evolving Technologies in
Organized Crime and Terrorism" found that there is no real "encryption
problem" which justifies placing limitations on the use of encryption.

Even if "key recovery" were implemented there are many ways for it to be
thwarted.  It is a simple matter to insert messages using unbreakable
crypto "inside" the lawful formats for communication.  This cannot be
detected by law enforcement without decrypting all communication traffic
and having all such keys immediately available, something no one is
suggesting, and without which no improvement in lawful access is achieved.
Only the most incompetent of the evil-doers will not know this; therefore,
the most likely law enforcement use of "key recovery" is surveillance of
those who do not pose a threat to the security of our nation, that is, the
common citizen.  The only reason I can see for such expansion of government
authority in this area is tyranny.

I hope you will consider these thoughts when deciding your stand on this issue.

Sincerely,

Steve Schear
CEO
First ECache Corporation

--------------------------- Senator Bryan's letter ---------------

July 23, 1997

Mr. Steve Schear
7075 West Gowan Road, #2148
Las Vegas, Nevada 89129

Dear Mr. Schear:

Thank you for contacting me regarding encryption technology export
controls. I appreciate having the benefit of your views.

As a member of the Senate Commerce Committee, I am very aware of the
explosive growth and popularity of electronic commerce, as well as the
importance of ensuring the privacy of electronic transactions. In addition,
I am concerned with reports that American software and hardware producers
are hampered by export controls on encryption technology.

As you know, there are no restrictions on the production or use of any
strength encryption product within the United States. There are legitimate
concerns regarding export controls, but I am also concerned with the spread
of this technology. Unfortunately, encryption technology provides criminal
organizations, terrorists, drug traffickers, and child pornographers with
an effective method of shielding illegal activities from law enforcement
agencies.

Certain members of Congress have advocated eliminating most export
restrictions on encryption technology. Legislation such as Senator Conrad
Burns's Promotion of Commerce On-Line in the Digital Era Act (S.377), would
prohibit the Commerce Department from regulating or enforcing any standards
on the private sector for encryption products.

While I understand Senator Conrad's support for safeguarding electronic
commerce and promoting American software exports, I do not think these
concerns should completely outweigh the concerns of public safety and
national security. At a Commerce Committee hearing regarding Senator Burns's
legislation, Federal Bureau of Investigation Director Louis Freeh expressed
his concerns on this issue. Mr. Freeh advocated developing trusted third
parties to hold encryption access keys to aid in swift criminal
investigations. Mr. Freeh further testified that several American allies
have expressed concerns that releasing all export controls will flood the
market with unbreakable encryption products that can be utilized by
criminals, which might ultimately lead other nations to enact import
controls.

Clearly this would not be favorable for American encryption exports.

In June, the Senate passed an encryption bill which should provide a
compromise. The Secure Public Networks Act will expand the bit length of
exportable encryption software to 56 bits, and longer bit software could be
exported if they include a key recovery mechanism. As you know, key
recovery allows law enforcement agencies to decipher encrypted information
with the proper court orders. This legislation will also contain the
following provisions:

*criminalize the use of encryption in a crime;

*criminalize the decryption of data or communications without the proper
authority; and,

*criminalize the decoding of encryption for the purpose of violating
another person's privacy, security or property rights.

I am hopeful that this legislation will provide a compromise that will
facilitate the production, exportation, and use of strong American
encryption products, without undermining public safety and national
security. Again, thank you for contacting me.

Sincerely,



Richard H. Bryan
United States Senator








