Washington, D.C. - The Clinton administration's encryption policies came under fire today as members of the Senate unveiled legislation aimed at making it easier to export products with encryption while also prohibiting government-mandated key-recovery systems.
If the legislation, dubbed the E-Privacy Act, wins congressional approval and survives a death-dealing presidential veto, software vendors and users could be spared from having to get special licenses from the U.S. Department of Commerce for exporting U.S.-made products with strong encryption to most overseas countries.
"This country has labored under antiquated export restrictions that have threatened the U.S. technology industry, and it's time for that to end," said Sen. John Ashcroft (R-Mo.), who, along with Sen. Patrick Leahy (D-Vt.), unveiled the bill today on Capitol Hill.
The bill's full name is "Encryption Protects the Rights of Individuals from Violation and Abuse in Cyberspace," but it's unlikely you'll ever hear it referred to as anything but the "E-Privacy Act."
Holding up a box of Lotus Notes software during the press conference, Ashcroft pointed out that the back of the box tells us "that it is not meant for use outside the U.S." because it contains strong encryption.
"We stand to lose significant market share if we don't pass E-Privacy," he added. The bill makes it easy for mass-market software to get blanket export approvals.
"I hate to say it, but the administration's encryption policy is a confused mess," Leahy said. He pointed out that the administration has relied on the National Security Agency and the FBI to recommend encryption policy.
"With all due respect to the FBI, they can't set our commercial policy or our export policy or the policy that determines innovation in this country," Leahy said.
The E-Privacy Act calls for the establishment of an Encryption Export Advisory Board, to be chaired by the Undersecretary of Commerce for Export Administration, that would be composed of seven presidential appointees - three from government and four from private-sector industry.
To decide whether customized hardware or software should also get export approval, the board would determine if comparable encryption products are commercially available outside the U.S., or will be in 18 months.
After the board votes, the secretary of the Commerce Department must publish the department's approval or disapproval within 30 days with an explanation for the decision. Judicial review of the decision would be permitted.
In addition to liberalizing export rules, the E-Privacy Act also seeks to establish new laws in other, related areas where encryption use is at issue.
Specifically, E-Privacy also prohibits the U.S. government from making key-escrow or key-recovery encryption mandatory in encryption products or as a requirement to do business with the government.
From its start, the Clinton administration has struggled to get the high-tech industry to build products that would let law enforcement decrypt the user's encrypted data without the user's permission.
The E-Privacy bill also tries to assist law enforcement, though, in several ways. First, it would establish a "National Technology Center" (NET Center) where local, state and federal law enforcement could go to get help when confronted with encrypted data during a criminal investigation.
At the NET Center, officials could find help in tackling difficult technical problems related to getting the "plaintext" version of data when dealing with scrambled data; steganography, a technique for hiding information within images or text; or compression.
Also, the bill makes it a crime to willfully use encryption to conceal incriminating information. It clarifies that existing wiretap authority can be used to obtain decryption keys for communications that are a source of a wiretap.
For the sake of privacy, though, the bill sets new boundaries on how easy it might be for law enforcement to decrypt data. The bill makes it necessary for a government entity to present a state or federal warrant with probable cause to both the holders and the owners of encrypted documents in order to obtain decryption keys or decryption assistance.
In addition, the U.S. government would not be allowed to provide decryption assistance to foreign governments except under order of the attorney general or a designated appointee. Even then, this assistance would only be allowed if the foreign government in question is authorized to intercept data under foreign law, and the foreign country's laws "provide adequate protection against arbitrary interference with respect to privacy rights."
The assistance must be sought for a criminal investigation of conduct that would violate U.S. criminal law if committed in the U.S.
While the fate of the bill remains uncertain, several senators last week stepped up to voice support for it. "We can't allow law enforcement to dictate to the U.S. electronics industry," said Sen. Conrad Burns (R-Mt.) as he endorsed the bill.
The E-Privacy Act also won endorsement from the Business Software Alliance as well as a broad-based coalition called the Americans for Computer Privacy.
