1996-05-31 - CDT Policy Post 2.22 - NRC Report Calls Admin Crypto Policy Into Question

Header Data

From: editor@cdt.org (Bob Palacios)
To: cypherpunks@toad.com
Message Hash: 5527df0e87ae0d17ca70ce9ff1daf8172728160d98c7f09902f5aa2cbd558910
Message ID: <v02140b0badd3d67b09c4@[204.157.127.16]>
Reply To: N/A
UTC Datetime: 1996-05-31 07:15:44 UTC
Raw Date: Fri, 31 May 1996 15:15:44 +0800

Raw message

From: editor@cdt.org (Bob Palacios)
Date: Fri, 31 May 1996 15:15:44 +0800
To: cypherpunks@toad.com
Subject: CDT Policy Post 2.22 - NRC Report Calls Admin Crypto Policy Into Question
Message-ID: <v02140b0badd3d67b09c4@[204.157.127.16]>
MIME-Version: 1.0
Content-Type: text/plain


-----------------------------------------------------------------------------
    _____ _____ _______
   / ____|  __ \__   __|   ____        ___               ____             __
  | |    | |  | | | |     / __ \____  / (_)______  __   / __ \____  _____/ /_
  | |    | |  | | | |    / /_/ / __ \/ / / ___/ / / /  / /_/ / __ \/ ___/ __/
  | |____| |__| | | |   / ____/ /_/ / / / /__/ /_/ /  / ____/ /_/ (__  ) /_
   \_____|_____/  |_|  /_/    \____/_/_/\___/\__, /  /_/    \____/____/\__/
   The Center for Democracy and Technology  /____/     Volume 2, Number 22
----------------------------------------------------------------------------
      A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
 CDT POLICY POST Volume 2, Number 22                         May 30, 1996

 CONTENTS: (1) NRC Report Calls Admin. Crypto Policy Into Question
           (2) Join Rep. White Wed 6/5 At HotWired to Discuss the Internet
               Caucus, the CDA, and other Internet Policy Issues
           (3) Subscription Information
           (4) About CDT, contacting us

  ** This document may be redistributed freely with this banner intact **
        Excerpts may be re-posted with permission of <editor@cdt.org>
-----------------------------------------------------------------------------

(1) NATIONAL RESEARCH COUNCIL REPORT CALLS ADMINISTRATION CRYPTO

A blue ribbon panel of experts today released a comprehensive report on the
state of US encryption policy that calls the Administration's current
cryptography policy into question. The 500 page report, sponsored by the
National Research Council (NRC), highlights the need for strong, reliable
encryption to protect individual privacy, provide security for businesses,
and maintain national security.

Among other things, the report describes how the current US encryption
policy is not working, notes that classified information is not relevant to
the policy debate, and outlines the adverse impact export restrictions have
had on the domestic market.  In addition, the study emphasizes that market
forces and user choices, not law enforcement or national security
interests, should drive the development of encryption technologies and the
debate over US cryptography policy.

The report, entitled "Cryptography's Role in Securing the Information
Society", provides an important starting point for an honest and open
debate on this critical issue. A summary of the report's most important
findings and an overview of its policy recommendations is included below.

OVERVIEW OF SOME OF THE REPORT'S MOST IMPORTANT FINDINGS

For the past 3 years, the US government has attempted to leverage the need
for strong encryption and the desire of US businesses to export strong
privacy and security products as a means to impose key-escrow encryption. The
result of this has been a policy morass which has stifled innovation,
limited the availability of strong, easy to use encryption technologies,
and endangered the ability of US companies to compete in the global
information marketplace.

While acknowledging the complexities and challenges associated with the
encryption policy debate, the study's findings directly undermine the
Administration's current approach to cryptography policy. The report
concludes by noting that the "[w]idespread commercial and private use of
cryptography in the United States and abroad is inevitable in the long run
and that its advantages, on balance, outweigh its disadvantages.  The
committee concluded that the overall interests of the government and the
nation would best be served by a policy that fosters a judicious transition
toward the broad use of cryptography."

The NRC study identified several critical issues:

* CURRENT US ENCRYPTION POLICY IS NOT WORKING:  The study is highly
  critical of the current ad-hoc approach to US encryption policy,
  particularly the reliance on export controls. The study states
  explicitly, "Current national cryptography policy is not adequate to
  support the information security requirements of an information
  society."

  The study goes on to note, "Indeed, current policy discourages the use
  of cryptography, whether intentionally or not, and in so doing impedes
  the ability of the nation to use cryptographic tools that would help
  to remediate certain important vulnerabilities.  For example, through
  the use of export controls, national policy has explicitly sought to
  limit the use of encryption abroad but has also had the effect of
  reducing the domestic availability to businesses and other users of
  products with strong encryption capabilities."

* CLASSIFIED INFORMATION IS NOT RELEVANT TO THE POLICY DEBATE: The NRC
  report explicitly states that classified information is "not
  particularly relevant" to the policy debate. The study states, "The
  debate over national cryptography policy can be carried out in a
  reasonable manner on an unclassified basis."  The study goes on to
  note, "Although many of the details relevant to policy makers are
  necessarily classified, these details are not central to making policy
  arguments one way or another. Classified material, while important to
  operational matters in specific cases, is neither essential to the big
  picture or why policy has the shape and texture that it does today nor
  required for the general outline of how technology will, and why
  policy should, evolve in the future."

  This is a startling revelation which will profoundly alter the
  encryption policy debate.  No longer can the government claim, "If you
  knew what we knew, you would understand this issue." It also suggests
  that, while national security and law enforcement interests are an
  important element in the debate, there is no "secret-silver-bullet"
  which trumps all other considerations.

  From now on, the debate over cryptography policy should occur in the
  open, with all issues aired publicly.  By removing its arguments from
  the veil of secrecy, the government can go a long way towards building
  the trust of the public.

* EXPORT CONTROLS DO INFLUENCE THE DOMESTIC MARKET AND HARM
  COMPETITIVENESS OF US INDUSTRY: The NRC study confirms what civil
  liberties advocates and the computer industry have long argued: that
  the current administration policy of limiting the export of strong
  encryption is impacting the domestic market and harming US business.

  The study states, "Export controls also have had the effect of
  reducing the domestic availability of products with strong encryption
  capabilities... Thus, domestic users face a more limited range of
  options for strong encryption than they would in the absence of
  export controls."

* MARKET FORCES, NOT GOVERNMENT INTERESTS, SHOULD DRIVE THE POLICY
  DEBATE: The study stresses that the domestic availability of
  encryption should not be restricted in any way, and that the market of
  individual users, rather than the government's interests, should drive
  the development of technology and policy.

  The study notes, "As cryptography has assumed a greater importance to
  non government interests, national cryptography policy has become
  increasingly disconnected from market reality and the needs of parties
  in the private sector ... A national cryptography policy that is
  aligned with market forces would emphasize the freedom of domestic
  users to determine cryptographic functionality, protections, and
  implementations according to their security needs as they see fit."

The study is without a doubt the most comprehensive and balanced analysis
of the complex encryption policy debate yet published. While stressing
the need for strong encryption to protect individual privacy and to
maintain the competitiveness of US industry in the global marketplace,
the report also acknowledges the real challenges posed to law
enforcement and national security by the global proliferation of strong
encryption technologies. The authors of the study deserve great credit for
their work in producing what will clearly become the basis for an open and
honest public debate over the need to reform US encryption policy.

Information on how to obtain a copy of the document is available at
<http://www2.nas.edu/cstbweb/>

OVERVIEW OF THE NRC REPORT'S POLICY RECOMMENDATIONS

The report also outlines several recommendations for a national
cryptography policy.  An overview of these recommendations is attached
below. CDT will post an analysis of the NRC's policy recommendations in the
near future.

Recommendations of the Committee for national cryptography policy would:

1. Free domestic manufacture, sale, and use of encryption -- The
   committee argued that any future legal prohibitions on the domestic
   use of any kind of cryptography are "inappropriate." While no such
   prohibitions are currently in effect, many encryption users have been
   concerned over law enforcement's articulated desire to slow the
   domestic use of encryption.

2. Call for open policy-making process -- The report supports the
   development of national cryptography policy based on open public
   discussion. Policy to date has often taken place outside of the
   public eye, and with little guidance from Congress or the general
   public.

3. Align national policy with market and user demand -- The report notes
   that national policy has "become increasingly disconnected from
   market reality and the needs of parties in the private sector."

4. Progressively relax, but not eliminate, export controls -- The
   committee recommends that export controls should be "progressively
   relaxed but not eliminated." This would include:

4.1.  Products that meet "most general commercial requirements" for
      confidentiality should be exportable -- The report suggested that
      56-bit DES products would meet this need and should be exportable
      today, and that this level of security should be increased over
      time. The report noted that DES provides a significantly more
      attractive level of security than 40-bit products currently
      exportable, without imposing too great a burden on national
      security as many sophisticated targets do not use U.S. products
      today.

4.2.  Stronger products should be exportable to a list of approved
      companies if access to decrypted information is provided -- The
      report argues that exports of encryption greater than 56-bit DES
      should be permitted for "trustworthy" users who will guarantee
      access to decrypted information upon a legally authorized request.
      The report does, however, acknowledge the significant privacy and
      security concerns raised by any such "key escrow" plan.

4.3.  The U.S. government should streamline the export licensing process.

5.  Provide assistance for law enforcement -- The report recognizes that
    "cryptography is a two-edged sword" for law enforcement, providing
    both a tool to help prevent crime such as economic espionage, fraud,
    or destruction of the information infrastructure, and a potential
    impediment to law enforcement investigations and signals
    intelligence. Specific suggestions to assist in adjustment to "new
    technical realities of the information age" include:

5.1.  The government should encourage use of encryption for
      authentication and integrity.

5.2.  The government should promote telecommunications security,
      especially for cellular phones and telephone switches.

5.3.  The government should explore escrowed encryption for its own
      uses. The report recommends further use of escrowed encryption for
      government purposes as a testbed for the technical and privacy
      concerns raised by key escrow policies. The report acknowledged
      many of the problems of escrow, and noted that escrow may never be
      adopted freely by the market for real-time communications but that
      such communications will be of less concern to law enforcement
      over time.

5.4.  The government should seriously consider criminalizing "the use of
      encrypted communications in interstate commerce with the intent to
      commit a federal crime." The report acknowledged the risks posed
      by such legislation, including ambiguity about what is an
      encrypted communication, how to deal with automatic or ubiquitous
      encryption, and how to define intent and the need for an
      underlying criminal conviction.

5.5.  Research and development of additional capabilities for law
      enforcement should be given a high priority.

6.  The government should develop a mechanism to promote information
    security in the private sector.

CDT will post an analysis of the report's recommendations soon.  In the
meantime, detailed background information on the encryption policy debate,
including the text of several bills pending before the Congress to
liberalize the export of encryption technology, is available at CDT's
encryption policy web page: http://www.cdt.org/crypto/.

------------------------------------------------------------------------
(2) JOIN CONGRESSMAN RICK WHITE (R-WA) LIVE ONLINE TO TALK ABOUT THE
    INTERNET CAUCUS, THE CDA, AND TAKE YOUR QUESTIONS

Congressman Rick White (R-WA) will be live online at HotWired on Wednesday
June 5 at 9:00 pm ET to discuss his efforts to encourage better
communication between members of Congress and the Internet community, his
plans for the Congressional Internet Caucus, and other topics.
Representative White will also answer questions from Netizens.

DETAILS ON THE EVENT

* Wednesday June 5, 9 - 10 pm ET (6 pm Pacific) on HotWired

   URL: http://www.hotwired.com/wiredside/

To participate, you must be a registered HotWired member (there
is no charge for registration).  You must also have RealAudio(tm) and
a telnet application properly configured to work with your browser.

Please visit http://www.hotwired.com/wiredside/ for information on how
you can easily register for HotWired and obtain RealAudio.

Wednesday's forum is another in a series of planned events, and is part
of a broader project coordinated by CDT and the Voters Telecommunications
Watch (VTW) designed to bring the Internet Community into the debate and
encourage members of Congress to work with the Net.community on vital
Internet policy issues.

Transcripts from last week's discussion with Senator Leahy are available at
http://www.cdt.org/crypto/.  Events with other members of Congress working
on Internet Policy Issues are currently being planned. Please check
http://www.cdt.org/ for announcements of future events.

------------------------------------------------------------------------
(3) SUBSCRIPTION INFORMATION

Be sure you are up to date on the latest public policy issues affecting
civil liberties online and how they will affect you! Subscribe to the CDT
Policy Post news distribution list.  CDT Policy Posts, the regular news
publication of the Center For Democracy and Technology, are received by
more than 9,000 Internet users, industry leaders, policy makers and
activists, and have become the leading source for information about
critical free speech and privacy issues affecting the Internet and other
interactive communications media.

To subscribe to CDT's Policy Post list, send mail to

     policy-posts-request@cdt.org

with a subject:

     subscribe policy-posts

If you ever wish to remove yourself from the list, send mail to the
above address with a subject of:

     unsubscribe policy-posts

-----------------------------------------------------------------------
(4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US

The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop
and advocate public policies that advance democratic values and
constitutional civil liberties in new computer and communications
technologies.

Contacting us:

General information:  info@cdt.org
World Wide Web:       URL:http://www.cdt.org/
FTP                   URL:ftp://ftp.cdt.org/pub/cdt/

Snail Mail:  The Center for Democracy and Technology
             1634 Eye Street NW * Suite 1100 * Washington, DC 20006
             (v) +1.202.637.9800 * (f) +1.202.637.0968

-----------------------------------------------------------------------
End Policy Post 2.22                                           5/30/96
-----------------------------------------------------------------------






