Renewing efforts to allow law enforcement agencies to access and read suspected criminals' encrypted electronic files, the Clinton administration has drafted a bill that would give those agencies access to the electronic "keys" held by third parties.
The Cyberspace Electronic Security Act, the drafting of which is being led by the Office of Management and Budget and the U.S. Department of Justice, "updates law enforcement and privacy rules for our emerging world of widespread cryptography," according to an analysis accompanying the bill obtained by Federal Computer Week.
Encryption technology, according to the draft, is "an important tool for protecting the privacy of legitimate communications and stored data" but also has been used "to facilitate and hide unlawful activity by terrorists, drug traffickers, child pornographers and other criminals." The new bill seeks to uncover that activity by letting law enforcement officials obtain the keys needed to decrypt messages by applying for search warrants or court orders, much as they might do to uncover other evidence.
The administration is concerned about the use of encryption technology because advances in recent years have made it extremely difficult for law enforcement officials to crack a code once they have intercepted a message.
The draft bill is the Clinton administration's latest effort to push for legislation that would make it easier for law enforcement agencies to intercept messages or data that they think would be helpful in criminal investigations.
In 1993, the administration introduced the Clipper Chip, a hardware-based encryption device designed to protect private communications but that would provide a "backdoor" for law enforcement officials to decrypt necessary data. The Clipper effort died after privacy groups and industry leaders warned that law enforcement agencies could abuse the power.
"All this is the Clipper Chip revisited in a different flavor but not as effective," says Michael Anderson, president of computer forensics firm New Technologies, Inc.
The administration also has blocked the export of certain advanced encryption technology that would defeat efforts to conduct digital wiretaps as part of its fight against international drug cartels and terrorists. But the software industry continues to fight for the lifting of export restrictions.
In the latest bill, the administration proposes that law enforcement agents have access - under limited circumstances - to decryption keys held by recovery agents, which are third-party warehouses of decryption keys that "unlock" complex codes that mask the readable form of the data. The proposed law also lets the government obtain search warrants to find decryption keys if they are not held by recovery agents.
The proposed bill would provide new protections for lawful users of encryption. Currently, according to a summary of the bill, that is part of a proposed letter to House Speaker Dennis Hastert (R-Ill.), there are few laws guiding how recovery agents treat the decryption keys they store. The bill would prohibit recovery agents from disclosing the keys or from using the keys to decrypt data except under certain circumstances, such as when a lawful heir of a deceased person wants decryption keys to the deceased's locked information.
The draft bill also prohibits recovery agents from selling or revealing in any way their customer lists to other parties.
The new protections, however, are not strong enough to avoid the erosion of privacy rights, says David Sobel, general counsel for the Electronic Privacy Information Center, an advocacy group based in Washington, D.C. "It is not a pro-encryption proposal," he says. "The bottom line is: This is legislation that would increase law enforcement's ability to access encrypted data."
It also would serve to lay the legal groundwork for eventually outlawing encryption that does not have decryption keys available to law enforcement, Sobel says. "They could say, 'We have established legal procedures in place, they have been used in several cases. Now our problem is not everybody is using encryption that provides us with . . . access,' " he said.
Barbara Simons, president of the California-based Association for Computing Machinery, says the proposed bill bodes poorly for citizens' privacy. "Our lives are moving more and more online," she says. "There's always the risk that some future government or administration might compromise the rights and freedoms we enjoy today and take advantage of this technology."
The proposed bill was not a surprise, she says, because FBI Director Louis Freeh "has been pushing to have access keys for a long time."
Fred Smith, an attorney in Santa Fe, N.M., who works as a special prosecutor in computer cases, says he does not believe the administration's motives are nefarious.
"I really believe that there's a serious and good faith concern about what we're going to do if encryption takes off the way it appears to be taking off at the moment," he says.
A spokesman for Justice Department described the proposal as "pending" and declined to comment on it.
One Capitol Hill staffer had some concerns. "I think they are really trying to hobble how people use encryption," says Ellen Stroud, spokeswoman for Rep. Bob Goodlatte (R-Va.), sponsor of the Security and Freedom through Encryption Act, which would relax controls on the export of encryption and prohibit the government from requiring a backdoor into people's e-mail and computer files.
Stroud says law enforcement officials examining electronic files as they pursue criminals in cyberspace could accidentally modify or destroy a company's legitimate files. "The proposal doesn't provide the needed protection for companies using encryption," she says. "You're putting yourself at greater liability [if you use a third-party firm to keep encryption keys.] It's easier for somebody to search you."
Stroud also says owners of information searched during a criminal investigation will not necessarily know what information law enforcement officials have been examining because the draft bill would allow law enforcement officials in some cases to delay issuing notice of the search warrant.
"If you want information from me, come to me and get it," Stroud says. "Why go to somewhere else? Why go to my neighbor? If you have a problem, hit it straight on."
For more information about technology in government, go to www.fcw.com.
Story copyright 1999 FCW Government Technology Group. All rights reserved.
RELATED LINKS
