Network Security
July 1997
Key Escrow Encryption Bill Hits Congress
Wayne Madsen
After years of threats from FBI Director Louis Freeh, White House operatives, and various National Security Agency (NSA) and Justice Department officials that failure by industry to voluntarily embrace government encryption key recovery schemes would result in mandatory programmes and legislation, such a forecast may have been realized. On 16 June 1997, Senators John McCain (Republican-Arizona) and Bob Kerrey (Democrat-Nebraska) introduced S. 909, the Secure Public Networks Act. Far from promoting voluntary key escrow/recovery, the Bill relies on several coercive tactics that would force a large number of domestic and international users into an encryption scheme in which NSA would act as a de facto master key holder and certificate authority. McCain, the Chairman of the Senate Commerce Committee, ordered the Bill to be rapidly heard. S. 909 was also supported by Sens. Jay Rockefeller (Democrat-West Virginia), Ernest Hollings (Democrat-South Carolina) and John Kerry (Democrat-Massachusetts). Three days later, the Bill was approved by the Senate Commerce Committee on a voice vote and was launched on a fast track to a vote on the Senate floor. The Clinton administration viewed the affirmative vote as “a great victory” for its much-criticized encryption policies.

The chief coercive tactic is the requirement that all direct and indirect Federal purchases of encryption systems will include key recovery systems. Specifically, the Bill requires key recovery for:

- Encryption products procured by the United States Government for use in secure government networks;
- Encryption products purchased with Federal funds for use in secure public networks (including telephone companies that are required under the Communications Assistance for Law Enforcement Act (CALEA) to ensure that their networks are secure and will receive $500 million of Federal funds to retrofit their systems);
- Communications networks established by the United States Government which use encryption products as part of the network;
- Encrypted communications networks established with the use of Federal funds (including schools with Internet connectivity, state networks that receive Federal funding, and the new Internet II project due to be installed in over 100 universities around the country).

The Bill also requires that registered Certificate Authorities must hold an individual’s private encryption key, or enough material to recover the plaintext it protects, before they can issue that user a certificate. Certificate Authorities who fail to obtain this material before issuing certificates would be subject to criminal and civil penalties. The Bill specifically states:

“a Certificate Authority for public keys registered under this Act may issue to a person a public key certificate that certifies a public key that can be used for encryption only if the person... stores with a Key Recovery Agent registered under this Act sufficient information, as specified by the Secretary (of Commerce) in regulations, to allow timely recovery of the plaintext of that person’s encrypted data and communications.”

Government access to keys would be broadly permitted and warrants would not be required in all cases. ‘Authorized’ Government officials could obtain access to keys using only a subpoena or a certification from the Attorney General that foreign intelligence is involved. The foreign intelligence angle of the Bill is disturbing to the international human rights community. The “International Agreements” title of the Act (Title VI) states:

“The President shall conduct negotiations with other countries for the purpose of mutual recognition of key recovery agents and certificate authorities. The President shall consider a country’s refusal to negotiate such mutual recognition agreements when considering the participation of the United States in any cooperation or assistance programme with that country.”

Title VI enables the President to withhold foreign assistance and financial loans from countries that intend to act as cryptographic havens (similar to the tax havens established in some small nations). The mutual recognition agreements, if based on foreign intelligence links, could provide the means for the Chinese intelligence service to gain access to the encryption keys of Chinese pro-democracy, Taiwanese or Tibetan organizations operating in the United States and encrypting their mail on electronic networks covered by the Act. Given the past propensity of the NSA and CIA to cooperate with the intelligence services of China, Russia, Turkey, Saudi Arabia, Indonesia, Pakistan, Peru and Mexico, such key sharing as a result of mutual recognition agreements would have a chilling effect on international human rights campaigns that rely on encrypted Internet communications. The Chinese Ministry of Public Security conceivably could approach the US Attorney General and request keys to the encrypted communications of Chinese pro-democracy student groups in the United States by merely citing law enforcement concerns. The Attorney General would not have to obtain a court order for such access. Given the cozy relationship and money links between Beijing and the Clinton administration, such a mutual key sharing agreement, outside the normal judicial process, could have frightening consequences.

In fact, the Clinton administration seems to be engaged in a secretive programme to entice foreign governments into mutual key sharing agreements. The United States, in cooperation with Australia’s Attorney-General’s Department, arranged for a group of law enforcement officials to meet in Canberra from 9-11 July 1997. The main subject of the meeting: law enforcement access to encryption keys. In addition to countries like the United Kingdom, France and Japan, countries with less than stellar records on government surveillance were also invited to Canberra. These included Singapore, Brazil and South Africa.

Another disturbing feature of S. 909 is its criminalization provision. The Bill makes it a criminal offence to use cryptography in the furtherance of any crime and includes a minimum one-year jail sentence. However, Government officials found guilty of misusing escrowed keys without a legal mandate would merely face civil penalties such as fines.

Authors of the Bill attempted to gain the backing of industry by relaxing encryption export controls for products of up to 56-bit strength (DES). However, the Bill provides broad discretionary authority to the Secretary of Commerce to prohibit any export, with no provision for independent judicial review of the decision. There were also rumours in the Senate that the Clinton administration would seek at least one senator to offer a mandatory key escrow amendment to the proposed legislation.
While the Clinton White House was claiming a tactical victory in the Senate, its fortunes were not faring as well in the House of Representatives. Representative Bob Goodlatte (Republican-Virginia) celebrated a victory of his own on 24 June 1997, when the House International Relations Subcommittee on Economic Policy and Trade, in a 14-to-1 vote, approved the congressman’s Security and Freedom through Encryption (SAFE) Act. The Bill, endorsed by 133 co-sponsors, was then sent on to the full International Relations Committee and a certain full vote on the floor of the House. The SAFE Act, unlike its draconian counterpart in the Senate, would relax US export limits on cryptography. The Software Publishers Association reacted to the vote by stating, “Today’s vote sends a strong signal to the administration that the House will not allow out-dated encryption restrictions to harm US interests in the digital age.” Subcommittee member Sam Gejdenson (Democrat-Connecticut), a strong supporter of SAFE, expressed his frustration with the encryption policies of the Clinton administration and its predecessor: “I have made more trips and attended more secret meetings and never got satisfactory answers to my questions about the administration’s policy.” One amendment to SAFE was adopted by the subcommittee. It would relax export controls on consumer items that include “encryption-ready software”. The sponsor of the amendment cited such products as customized software and Web TV as the reason for his amendment.
© Elsevier Science Ltd