From: shabbir@vtw.org (Shabbir J. Safdar)
Date: Thu, 28 Mar 1996 09:38:02 +0800
To: tcmay@got.net (Timothy C. May)
Subject: Re: So, what crypto legislation (if any) is necessary?
Message-ID: <199603260708.CAA21623@panix4.panix.com>
MIME-Version: 1.0
Content-Type: text/plain


I think this is a very important area to consider, and I thank Tim for
putting his thoughts into this very organized form.  My replies:

Timothy C. May writes:
>>If the Leahy bill is unacceptable, what legistlation is necessary? I
>>can't see how the use of cryptography in the commission of a crime needs
>>to be a separate offence, but I could see how it could be treated as a
>>special circumstance - that doesn't really needed a new law though.
>
>I don't see any compelling need for U.S. legislation. And given the
>pressures to attach all sorts of language to bills, I think it best that no
>legislation happen.

Unfortunately, this is not an option.  Legislation will happen, with our
endorsement or without it.  One good example is the Grassley computer
crime bill earlier in 1995.  Nobody advised him on this, as far as I can
tell, he just went out and drafted it.  Lo and behold, he drafted a
provision that basically criminalized all crypto, including rot13.

We have to wake up and learn from the fight against the net censorship
legislation.  This is realpolitik.  Congress will legislate crypto,
whether we want them to or not.  This is not news anyone wants to hear,
but we have to face up to it.

>* DOMESTIC USE OF ENCRYPTION: Currently, no restrictions whatsoever. No
>laws saying messages can't be encrypted, no laws saying keys must be
>escrowed, no laws about permissable strength of ciphers, no special laws
>covering disclosure of keys. Just silence, blessed silence. The
>Constitution says there shall be no laws about permissable speech (what
>language one speaks in, or writes in), and other provisions about compelled
>testimony seem adequate.

Congress has discovered the net, and partly though the widespread fame
of this list, they have also discovered crypto.  Simply saying, "we don't
want any laws that address crypto" may be the ideal solution, but that won't
stop them from passing laws that govern the domestic use of crypto.

>* EXPORT OF CRYPTO BEYOND U.S.: This is indeed a thorn in the sides of U.S.
>companies, but is not _per se_ an issue I worry about. So long as I have
>strong crypto, I don't really care too much about export. It would be nice
>to get the ITARs modified, but not at the risk of adding language (such as
>Leahy did) making use of encryption a possible crime (we've debated this,
>so I won't elaborate here). Besides, I think the best way to overturn the
>ITARs is through a court challenge; as I have noted, even the NSA's lawyers
>felt that the ITARs would not withstand court scrutiny.

Unfortunately, many U.S. software companies don't agree with you.
While I agree with you (I've got PGP, what's the problem?), several of
these companies are working through their trade organizations to introduce
and push crypto legislation to allow them to raise the key length in their
products.

Put ourselves in their shoes for a minute.  They're sitting there, with
their 40 bit products, knowing that it blows chunks.  They want to
produce stronger crypto, but know they won't be able to export it.
They talk to the company's attorneys, who speak to speak to the
lobbyists, and poof, a crypto bill.

>* KEY ESCROW: A matter of contract law, nothing more. If I want to give a
>copy of my key to my lawyer, fine. If I want to give a copy to Vince's
>Offshore Key Repository, no current U.S. laws stops me from doing so, and I
>can even get it to him securely without violating any ITARs by using the
>cipher that _he_ uses and then importing it here!
>
>IMPORTANT NOTE: It is often said, in a correct interpretation I think, that
>a third party holding a key (Joe's Key Warehouse) is _not_ covered by the
>5th Amendment's protections against self-incrimination, and so must honor a
>subpoena. Sounds accurate to me. However, what if Joe is _also_ one's
>lawyer? Does attorney-client privilege apply here? Perhaps. A better
>solution is also fully legal at this time: use only offshore key storage. A
>U.S. subpoena to Vince's Offshore Key Repository will carry no weight in
>Anguilla. (Can I be compelled to ask Vince to send my key? Sure. But Vince
>and I could have a stipulation that such "duress requests" will not be
>honored, no matter how loudly I squawk.)

This is actually very important.  The Leahy bill forces Joe's Key
Warehouse to only divulge your key when they've been presented with a
warrant that's on par with whatever they used to get your original
communication.  That means that Louis Freeh can't issue an
administrative subpoena to get your key, after he's got a judge to
allow the FBI to search your house.  They have to get a judge involved
for both parts.

It's better than where we are today, where Joe's Key Warehouse is vulnerable
to every law enforcement joker that can write an administrative subpoena.  We
haven't yet had an incident that demonstrates this, but we will.

Of course, if you're the sort of person who thinks that the FBI and the
Department of Justice are involved in a big criminal conspiracy to begin
with, we shouldn't even be talking about due process, as you don't believe
it exists...

>In conclusion, things are fine as they are. I see no compelling need to
>write a special law confirming the rights we already are enjoying. If the
>Congress wants to relax the ITARs (fat chance), they can direct that the
>language of specific sections be redrafted. (I'm not even sure when and how
>the original language was crafted, though it is part, I believe, of the
>ancient Munitions Act and/or Trading with the Enemy Act. The enabling
>legislation for the ITARs, and especially for the specific items actually
>ON the "Munitions List" could be trivially changed. Were this Leahy's
>intent, an easy thing to write a bill for. I doubt this was his intent,
>however.

I think this indeed is what Leahy was aiming for.  A quick glance at the
bill will prove this out.  The approach that "things are fine as they are"
is like saying "I'm on a freight train, heading for a cliff, but they're
still serving me caviar so it's OK".

Sure, it feels ok, but the train's still moving, no matter how far you are
into your denial. 

I can't say this enough: the net has moved into realpolitik.  Congress
has found us, and their first step is to regulate us.  Then, they'll outlaw
us.  Let's hope we convert enough legislators to netizens before they outlaw
us.

-Shabbir J. Safdar
co-founder, Voters Telecommunications Watch