RSA Data Security: Privacy advocates still fighting U.S. govt.
What's at stake?
San Francisco (January 13, 1998) -- Not only are computer users, software firms, and privacy advocates in the United States still fighting the U.S. government on its strict encryption export policy, but there continues to be strong opposition to the policy in Europe as well, speakers at the RSA Data Security Conference said here today.
Encryption policy "is nothing that one country or one region should decide. Communications are global and we need worldwide agreements," said Detlef Eckert of the European Commission (EC) in a panel discussion. "We're not envisioning any new [government] regulation," he said, adding that there should be more industry regulation and market pressure in the computer security market.
Most of the 15 member states in the European Union don't restrict technology and only one, France, places controls on domestic use of encryption, Eckert said. The United Kingdom even has backed off its plans to tighten restrictions. In addition, other EC countries are expected to follow Germany's lead in enacting legislation governing the use of digital signatures, he said.
Meanwhile, U.S. key recovery products, which the U.S. government is pushing, may conflict with national laws, said Ulrich Sandl, a representative of Germany's Ministry of Economic Affairs. "We don't plan to restrict use of U.S. [key recovery] products in Germany, but they may not be in accordance with German laws," he explained.
"Should foreign law enforcement and other foreign agencies have access to German users? The answer is no," Sandl said.
Deborah Hurley of the Kennedy School of Government at Harvard University said the U.S. government's "angry public" problem hasn't been ignored by other countries. "Other governments have learned from the U.S. experience" and realized that using the argument that strong encryption deters law enforcement doesn't work, she said. However, electronic commerce is a strong argument in favor of loosening encryption regulations, Hurley added.
More than a year after the U.S. government announced changes in its encryption policy, there are no products conforming to the new rules, pointed out Ira Rubinstein, senior corporate attorney for Microsoft Corp., in an interview.
Where does the U.S. government stand?
The U.S. government modified its encryption export policy to temporarily allow U.S. software firms to export products with encryption greater than 40-bit strength if they agreed to develop products that allow for key escrow or key recovery, enabling the government to access keys to unlock encrypted data under specific circumstances. "There's no market for it," Rubinstein said of key recovery.
Rubinstein also criticized U.S. government efforts to link digital certification and authentication technology with key recovery issues, as well as to link key recovery of communicated data, such as e-mails, with stored data. If there is a market for key recovery, it is in corporations that may want to safeguard their vast stores of data, but still have access to that data, he said. "It's a policy with no tether to the world," Rubinstein added.
A panel of U.S. lawyers advocating privacy said the U.S. government has gone back on promises that its key recovery policy would be voluntary, market-driven, and not applied to domestic encrypted data. But they placed the blame mostly on the U.S. Federal Bureau of Investigation (FBI), which they accused of lying to the public and to lawmakers in order to maintain its surveillance authority under the guise of protecting national security.
The U.S. administration has "lost control over its national security establishment," said Jerry Berman, president of the Center for Democracy and Technology in Washington, D.C.
The FBI is "trying to hardwire wiretap capabilities" into digital technology, said Marc Rotenberg, director of the Electronic Privacy Information Center (EPIC), also based in Washington, D.C.
Earlier in the day during the keynote address, three U.S. lawmakers urged attendees to do what they could to get their local representatives in the U.S. Congress to support legislation that would allow for export of strong encryption and bar mandatory key recovery, which has failed in past years.
Speaking via satellite, Congressman Robert Goodlatte, a Virginia Republican, explained that his bill is an anti-crime measure. Congresswoman Zoe Lofgren, a California Democrat, attended the event in person and Senator John Ashcroft, a Missouri Republican, spoke via satellite.
Meanwhile, encryption proponents have had better success in the courts, said Cindy Cohn, a San Mateo, California-based attorney who represents math professor Daniel Bernstein, who was prohibited from sending crypto source code over the Internet. The government has appealed a ruling in Bernstein's favor.
Two other cases -- one involving online distribution of encryption code and the other related to the export of computer disks with the contents of part of a book on cryptography -- are stalled in anticipation of the outcome in the Bernstein case, Cohn said in the panel discussion.
However, the gains earned in the courts could be erased with "compromise" legislation, she cautioned.
The sole representative from the U.S. government on the panel, Bruce McConnell, chief of the Information Policy and Technology Branch in the U.S. Office of Management and Budget, said little in defense of the U.S. administration's policy. He acknowledged that the Clinton administration does not support any of the pending legislation, even measures that would force domestic key recovery, which the FBI supports.
When asked if U.S. government pilot projects on key recovery assessed the risks from potential misuse with key escrow systems, McConnell responded: "It's clear that in any encryption system...there may be risks, there may be mistakes."