Science & Technology in Congress
Just before the end of the year, the Clinton Administration announced that it would change the focus of its encryption proposals from requiring the use of a commercial "key escrow" system, often referred to as the Clipper Chip, to a new "key recovery" approach. In addition, it transferred regulatory oversight from the State Department to the Department of Commerce. However, the Administration continues to encounter strong resistance among Internet users, privacy advocates, members of Congress, and computer companies.
Introduced in 1993, the Clipper Chip proposal was intended to address the concerns of U.S. law enforcement and national security officials regarding access to encrypted communications and stored data that threatened national security or that are related to investigations of criminal activities. The Administration argued that widespread use of the Clipper Chip would ensure the government had the keys to access most of these communications or data. Due largely to concerns raised over the past several years by industry executives and privacy advocates, the Clipper Chip proposal was revised twice - first in 1995 to ease restrictions on the export of encryption products, and then again in 1996 to introduce this latest idea of developing a key management infrastructure.
Central to this new proposal is the recovery of the keys to encrypted material. According to the key recovery plan, a trusted third party "could recover a secret key for the user or for law enforcement officials acting under the proper court authority," whereas the Clipper Chip plans required that encryption products include a special chip that would function as a backdoor and make it unnecessary to break a user's secret key to access the information in question.
On November 15, President Clinton issued an executive order, "Administration of Export Control on Encryption Products," that would:
· shift oversight of encryption product exportation from the State Department's U.S. Munitions List to the Commerce Department's Commerce Control List; · relax current export controls on 56-bit encryption products for the next two years as long as "industry [commits] to build and market future products that support key recovery;" · transfer jurisdiction over encryption export licensing from the State Department to the Department of Commerce, with the Department of Justice having a formal vote in the process; and · require that after these two years, all exportable products greater than 40-bits have key escrow capabilities.
In addition, the executive order named Ambassador David L. Aaron Special Envoy for Cryptography and made him responsible for promoting "the growth of international electronic commerce and robust, secure global communications in a manner that protects the public safety and national security." Ambassador Aaron is currently the U.S. Permanent Representative to the Organization for Economic Cooperation and Development (OECD) in Paris.
As of December 30, 1996, these changes had gone into effect with the Department of Commerce Bureau of Export Administration's issuance of a call for public comment on a set of new combined national security and foreign policy regulations (Federal Register, December 30, 1996, Vol. 61, Num. 251, pp. 68572-68587).
The Administration believes these new regulations will "support the growth of electronic commerce; increase the security of the global information infrastructure; protect privacy, intellectual property and other valuable information; and sustain the economic competitiveness of U.S. encryption product manufacturers during the transition to a key management infrastructure" (Federal Register, p. 68573).
Others outside the government remain skeptical of this latest plan and the Clinton Administration is facing an uphill battle to convince its critics that a compromise is still feasible between making it easier for Americans to use strong encryption products and providing the technological means for law enforcement officials to access encrypted data with proper court authorization.
Users of the Internet are beginning to realize just how vulnerable their electronic communications and data are to various kinds of attacks and the need for strong encryption products. The Center for Democracy and Technology reported that surveys conducted by Georgia Tech and Louis Harris poll "point to a growing public concern with the loss of personal privacy in the online world" (CDT Policy Post, November 5, 1996). Privacy advocates continue to reject any government proposal that guarantees access to personal electronic communications for law enforcement purposes and they have attacked this recent initiative on the grounds that it fails to protect the privacy and security of Internet users here and abroad. Numerous leaders of America's high-technology companies continue to argue that the government's role in regulating the exportation of encryption products is still too restrictive and hinders their ability to market sophisticated data-security products overseas.
The most crucial people whose backing the Clinton Administration needs, however, are members of the 105thCongress. Following the announcement of the latest Clinton proposal, 21 members of the 104th Congress sent a letter to Secretary of Commerce Michael Kantor expressing their "serious" concerns that top-down, government-imposed restrictions are "doomed to defeat." Senator Conrad Burns (R-MT) has promised to reintroduce his "Pro-CODE" bill from the last session which would have allowed for the unrestricted export of "mass market" or "public domain" encryption programs and would have prohibited the government from imposing mandatory key-escrow encryption policies (see Science & Technology in Congress, July 1996, p. 1). Also, it will be interesting to see whether the fledgling Internet Caucus, founded by Representative Rick White (R-WA) and Senator Patrick Leahy (D-VT), which now includes over 100 members, will become more active in opposing the Administration's crypto policies.
- Alexander Fowler, AAAS