From: Alan Davidson <abd@cdt.org>
Date: Fri, 2 May 1997 08:07:05 +0800
To: cypherpunks@cyberpass.net
Subject: SAFE Bill is a Good Thing--"Crypto For The Masses"
Message-ID: <v03020900af8e47bb1440@[207.226.3.11]>
MIME-Version: 1.0
Content-Type: text/plain



The SAFE encryption bill would put more non-escrow, strong encryption in
the hands of many more people -- and mark the death knell for government
regulation of encryption. That's why CDT supports it. That's why we hope
that people who care about privacy and security online will support it too.


1. The SAFE Bill Will Bring More Strong Crypto To More People

There is a right we don't have now: The right to export strong
cryptography. The result is that strong, easy-to-use encryption is not
seamlessly integrated into most popular products, and is not accessible to
most people (who are not as technically sophisticated as the members of
this list.)

SAFE would legalize the export (to all but a few countries such as Iran, N.
Korea, and Cuba) of non-escrow encryption *of unlimited strength* that is
designed for the mass market or is in the public domain, i.e.:

		   "(i) that is generally available, as is, and is
                    designed for installation by the purchaser; or

                    "(ii) that is in the public domain for which
                    copyright or other protection is not available
                    under title 17, United States Code, or that is
                    available to the public because it is generally
                    accessible to the interested public in any form;"
		    (See also Footnote below)

Translation:

	If it's sold in Egghead Software, it's exportable.
	If it's available on the Web: exportable.
	PGP: exportable.
	3DES, IDEA, or Blowfish in mass-market products or
		public domain toolkits: Exportable. Exportable. Exportable.

So the export control provisions in SAFE would put a lot more strong crypto
-- and the freedom to use it -- in the hands of a lot more people.

SAFE's export control relief is not unlimited. The bill does not allow
export to Iran, Iraq,  Cuba, or N. Korea (that's what the "Trading With The
Enemy" provision is about); Congress is not likely to pass a law saying you
can export strong crypto to Saddam Hussein.  Relief is also limited for
non-mass-market hardware and software (e.g., custom systems not available
to the public).  Non-mass-market  hardware is exportable if "commercially
available" in the destination country; such software is exportable
according to a hard-to-parse "financial institutions" standard that roughly
translates into DES.  Less than ideal -- but these provisions do not apply
to most of the hardware and software that most people use.

What SAFE does legalize is strong, non-escrow encryption in the products
that are most widely used, in almost all countries worldwide.  Once
*ordinary people* have strong crypto built in to the products they use
every day, it will be much harder for governments to take it away or
restrict it.

SAFE is "strong crypto for the masses." SAFE is a huge step forward.


2. CDT Does Not Support The Criminal Provision in SAFE

CDT is actively working to get the criminal provision taken out of the SAFE
bill. We are not alone: CDT signed a letter with other groups including
EPIC, EFF, ACLU, VTW, PGP, IEEE, and ACM, urging Congress to remove the
provisions -- "while expressing our support for the measure."

Contrary to reports, the SAFE bill does not say: "Use a cipher, go to
prison."  It does say: "Use cryptography TO COMMIT A CRIME, go to prison":

   2805. Unlawful use of encryption in furtherance of a criminal act

   	"Any person who willfully uses encryption in furtherance
	of the commission of a criminal offense for which the
	person may be prosecuted in a court of competent jurisdiction...
	[may be imprisoned or fined]"

The Leahy bill version is narrower. It says: "Use cryptography to willfully
obstruct justice in furtherance of a felony, go to prison."

       "Whoever willfully endeavors by means of encryption to
	obstruct, impede, or prevent the communication to an
	investigative or law enforcement officer of information
	in furtherance of a felony that may be prosecuted in
	a court of the United States shall...[may be imprisoned or fined]"

CDT opposes both these provisions because they are unnecessary and could
chill the use of encryption (especially by self-confessed felons like Tim
May!).  But they are not as sweeping as some on this list have said.

On balance, CDT believes that SAFE's giant step forward of export relief
and prohibitions on Executive Branch key escrow controls outweigh the
problems created by these criminal provision. That is why we will fight to
get criminal provisions removed, while we still support the bill.


Passage of the SAFE Bill would put strong security tools in the hands of
many more people.  That's why CDT supports SAFE, and why we think people
who care about privacy and security online should support it too.


	-- Alan Davidson, CDT



FOOTNOTE: The Export Provisions in SAFE

The export control provisions in SAFE differentiate between so-called
mass-market and non-mass-market hardware and software.

Mass-market software and hardware with non-escrow encryption of *unlimited
strength* may be exported under the Act to all but a few countries (such as
Iran, N. Korea, and Cuba):

	(2) ITEMS NOT REQUIRING LICENSES. -- No validated license
	 may be required, except pursuant to the Trading With the
	 Enemy Act or the International Emergency Economic Powers
	 Act (but only to the extent that the authority of such Act
	 is not exercised to extend controls imposed under this
	 Act), for the export or reexport of--

              "(A) any software, including software with encryption
              capabilities --

                    "(i) that is generally available, as is, and is
                    designed for installation by the purchaser; or

                    "(ii) that is in the public domain for which
                    copyright or other protection is not available
                    under title 17, United States Code, or that is
                    available to the public because it is generally
                    accessible to the interested public in any form;
                    or

		"(B) any computing device solely because it incorporates or
              employs in any form software (including software with
              encryption capabilities) exempted from any - requirement for a
              validated license under subparagraph (A).

[See http://www.cdt.org/crypto/legis_105/SAFE/hr695_text.html for the
Bill's definitions of "generally available," "as is", etc.]

Non-mass-market hardware and software -- suach as code not generally
available to the public via the Internet, or custom implementations not
generally available or sold "as is" -- receive less favorable treatment:

       "(3) SOFTWARE WITH ENCRYPTION CAPABILITIES. -- The Secretary
       shall authorize the export or reexport of software with encryption
	capabilities for nonmilitary end-uses in any country to which
	 exports of software of similar capability are permitted for
	 use by financial institutions not controlled in fact by
	 United States persons, unless there is substantial evidence
	 that such software will be --

              "(A) diverted to a military end-use or an end-use supporting
              international terrorism;
              "(B) modified for military or terrorist end-use; or
              "(C) reexported without any authorization by the United States
              that may be required under this Act.

This "financial institutions" standard is supposed to roughly translate
into DES.

       "(4) HARDWARE WITH ENCRYPTION CAPABILITIES. -- The Secretary
       shall authorize the export or reexport of computer hardware
	with encryption capabilities if the Secretary determines
	that a product offering comparable security is commercially
	 available outside the United States from a foreign supplier,
	without effective restrictions.

So non-mass-market hardware can be exported *with any encryption algorithm*
if a "comparable" product is available outside the U.S. from a foreign
supplier without restriction.