1997-10-14 - PGP Key Escrow and Congress

Header Data

From: Bruce Schneier <schneier@counterpane.com>
To: cypherpunks@cyberpass.net
Message Hash: 3833b44dce1a8d0262bdfe4003756d7f35d31ea593917d3bdf0dbb4d03bb1d5f
Message ID: <v03007801b0693c7b984c@[209.98.13.35]>
Reply To: N/A
UTC Datetime: 1997-10-14 15:54:47 UTC
Raw Date: Tue, 14 Oct 1997 23:54:47 +0800

Raw message

From: Bruce Schneier <schneier@counterpane.com>
Date: Tue, 14 Oct 1997 23:54:47 +0800
To: cypherpunks@cyberpass.net
Subject: PGP Key Escrow and Congress
Message-ID: <v03007801b0693c7b984c@[209.98.13.35]>
MIME-Version: 1.0
Content-Type: text/plain



The attached is from Barbara Simons of the U.S. ACM.  Note item 4, where
Congressional staffers point to PGP as an example of key escrow software
being possible.  To those of us fighting the government control of
cryptography, this is not helpful.

Bruce

--------------------------------------------------------------------------

Date:         Mon, 13 Oct 1997 13:27:03 PDT
Reply-To: "Barbara Simons" <simons@VNET.IBM.COM>
Sender: ACM US Public Policy Committee <USACM@ACM.ORG>
From: "Barbara Simons" <simons@VNET.IBM.COM>
Subject:      Hill ... Blues
To: USACM@ACM.ORG

On Thursday and Friday of last week I met with Hill staffers of the
following Congresspeople: Sen. Feinstein, Sen. Boxer, Rep. Eshoo,
Rep. Campbell, and Sen. Kerrey.  As you may have noticed, there was a Ca.
theme to the group, with the exception of Nebraska's Kerrey, of S909 fame.

Both Feinstein's and Boxer's staffers suggested that I speak with Kerrey's
staff, which is how I ended up meeting with Christopher McLean, Kerrey's
Legislative Counsel, and Lorenzo Goco, who is Special Assistant to the
Vice Chairman of the Senate Select Committee on Intelligence.

My discussion with them was very interesting and somewhat lively.  I don't
know whether or not they had noticed our letter in opposition to S909,
but they at least appeared to be surprised when I said that we had written
such a letter, a copy of which was given to each at the meeting.
I had the strong impression that McLean and Goco had had a hand in the
writing of S909.  They certainly were well versed in the arguments.

Here is some of what they said:

1.  S909 impacts only the government, NOT universities that receive
    government funding for networks.  This is not our interpretation of
    the bill, and I'd be interested in hearing from some of the lawyers
    who are on USACM as to whether or not they agree with McLean and Goco.

2.  If we are concerned about the well being of the computer industry in
    the U.S., we should be supporting S909, since the alternatives are
    either a more draconian bill or no bill at all, with the maintenance
    of the status quo export restrictions.  They claim that Clinton will
    veto any bill that does not contain provisions that address some of
    law enforcement's concerns.

3.  If we are concerned about inappropriate behavior vis-a-vis key escrow
    or recovery, we should be supporting S909, since it includes strong
    penalties for unlawfully revealing or obtaining others' keys.

4.  The NSA states that key recovery is doable and will not jeopardize
    national security.  And there is an existence proof for key recovery
    software in the new PGP release.

5.  Yes, they would like to see widespread use of key recovery, but their
    idea is to encourage the development of encryption with key recovery
    by using the buying power of the government to cause widespread and
    inexpensive key recovery encryption to come into being.

6.  They are simply doing what the NRC report recommended, namely "testing"
    key recovery on the government without imposing it on the citizenry.

7.  Key recovery or key escrow are simply attempts at maintaining the
    status quo for law enforcement, who are now able to wiretap at will.


Some of these are old arguments that we've been hearing for a while,
but some are newer.  In particular, points 4 and 6 are difficult to
refute without getting into some technical details.  Both points also
undercut the argument that a key recovery infrastructure potentially
weakens security.  After all, the NSA thinks it's secure enough that it
can be used by the government.

Barbara






