26 February 1997
Source: http://www.bxa.doc.gov/25-.pdf (340K)


Public Comments on Encryption Items Transferred from
the U.S. Munitions List to the Commerce Control List


25. Commercial Internet Exchange Association

Before the
Bureau of Export Administration
Department of Commerce
Washington, D.C. 20230

In the Matter of
Encryption Items Transferred From the
U.S. Munitions List to the Commerce
Control List
Docket No. 960918265-6366-03
RIN 0694-AB09

COMMENTS OF THE COMMERCIAL
INTERNET EXCHANGE ASSOCIATION

The Commercial Internet eXchange Association ("CIX"), by its attorneys, respectfully submits these comments in response to the Bureau of Export Administration's Notice of Interim Rule, Docket No. 960918265-6366-03, 61 Fed. Reg. 68572 (released December 30, 1996).

I. INTRODUCTION

The Commercial Internet eXchange Association ("CIX") is the largest trade association of Internet access and Internet service providers in the United States and throughout the world. CIX presently consists of approximately 170 domestic and international members, ranging from large providers of Internet backbone service, to small "dial-up" local providers. (A copy of a recent CIX membership list is attached hereto.)1 The organization's members carry over 75% of Internet traffic in the United States. As a non-profit organization representing the industry, CIX works to facilitate global connectivity among commercial ISPs, and to foster fair and open environments for Internet interconnection and commercialization.

__________________

1 These comments represent the views of CIX as a trade organization and are not necessarily those of individual members.

CIX members offer access to the Internet, and other information services, such as web site hosting and selection and provision of content. Internet access permits users to send and receive e-mail, and to obtain and make available information from the World Wide Web and other Internet sites. Internet service providers frequently bundle communications software with encryption capabilities as part of their service to end users. They also bundle encryption and other information security functions as part of corporate intranets and other private wide area networks. CIX members carry the Internet traffic known as "electronic commerce," and have a major interest in the development of government policies that promote, rather than impede, electronic commerce.

Regrettably, the latest iteration of the Administration's encryption policy fails to meet its stated goal of promoting electronic commerce, see 61 Fed. Reg. 68573, because it does not address the critical need for Internet communications software with robust encryption. BXA's new rules fail to take account of Internet communications software standards, or the level and type of encryption demanded by Internet users. While CIX recognizes the importance of national security concerns relating to exports of strong encryption, it is convinced that a more market-oriented approach focusing on self-escrow would better achieve the multiple goals that underlie the Administration's new regulations.

II. THE ADMINISTRATION'S KEY MANAGEMENT INITIATIVE IS ILL-SUITED TO THE NEED FOR STRONG INTERNET ENCRYPTION CAPABILITIES

Electronic commerce over the Internet holds enormous promise. As the White House recently recognized in its "Framework For Global Electronic Commerce," electronic commerce holds particular promise for the U.S. economy, in light of United States industry's leadership in the information economy. Id. at 1. In addition, as CIX's international members attest, electronic commerce offers great potential for the other parts of the world that enjoy significant Internet connectivity, bringing increased trade, lower prices, greater consumer choice, and other efficiencies.

Broad availability of Internet communications software with strong encryption is essential for global electronic commerce to achieve its potential. Internet communications, which travel over public networks, are perceived as particularly vulnerable to interception. Availability of robust encryption software at home and abroad is critical to overcoming fears of corporate espionage, interception of credit card numbers and other methods of payment, and the destructive activities of hackers that presently hold back electronic commerce. Widespread publicity regarding the cracking of 40 bit key length encryption has chilled Internet users' willingness to rely upon the network for sensitive transactions.

The interim relief set forth in the proposed regulations -- temporary, case-by-case review of requests to export 56 bit key length encryption conditioned upon progress developing key recovery products -- does little to address this concern. MIS administrators and Internet users, many of whom are aware of advances in parallel processing that exponentially increase computing power to crack encryption codes, demand Internet encryption far stronger than the 56 bit key length encryption offered as interim relief under the proposed regulations.

What is more, there is considerable doubt whether users abroad will accept key recovery products developed with the U.S. government's stamp of approval. As Administration witnesses have admitted in testimony to Congress, it is doubtful that terrorists and other hardened criminals who use encryption will opt for KMI products.2 Moreover, law abiding users abroad may also be reluctant to use these products, due to a perception -- right or wrong -- that the U.S. government will use "a backdoor" in such products to engage in economic espionage.

__________________

2 See Stenographic Transcript of Hearings of Senate Committee on Commerce, Science & Transportation on S. 1726, at 58-59 (July 25, 1996) (Testimony of Hon. Louis Freeh) (conceding that criminals may not use escrowed encryption); Hearings Before the House Committee on the Judiciary on H.R. 3011, 104th Cong., 2d Sess. Serial No. 100, at 50 (Sept. 25, 1996) (Testimony of Hon. William Crowell) (conceding that criminals "who agree in advance to exchange keys and carry on [an encrypted] communication" could do so outside of a key recovery regime.)

The 56-bit key length interim relief and relief for key escrow and key recovery products are unlikely to meet the needs of the Internet or of electronic commerce. Thus, the proposed regulations would continue to retard growth of global electronic commerce and other sensitive global Internet communications, such as transfer of medical records, until foreign manufacturers move to fill market demand for strong Internet encryption.

III. THE ADMINISTRATION'S KEY MANAGEMENT INITIATIVE POSES SIGNIFICANT TECHNICAL OBSTACLES TO THE DEVELOPMENT OF THE INTERNET

The KMI initiative represents the first government foray into Internet standard-setting since the commercialization of the Internet in the late 1980s. This new government intrusion into Internet standards causes CIX very real concerns. The Internet has flourished since NSF relaxed control over the network, and has gone through a remarkable period of technological progress until the Internet protocol is now viewed as the primary vehicle for the deployment of high bandwidth to the home.3 A cornerstone of this success is the extraordinary interoperability of the network, and its reliance upon open, voluntarily-adopted standards.4

__________________

3 See, e.g., Transcript of FCC Bandwidth Forum, at 8 (Jan. 23, 1997) (Statement of Stagg Newman, Bellcore) (despite debate in the early 1990s as to what technology should be the basis for the NII, the Internet has emerged to become the NII, and the only viable means for delivery of broadband to the home), available at http://www.fcc.gov/Reports/970123.txt.

4 Id. at 10.

The proposed regulations adopt a different approach, imposing a restriction on interoperability of exportable products that threatens to balkanize the network. Supplement No. 4 to Part 742 (6)(ii) of the proposed interim rule provides that key recovery products:

may interoperate with .... [n]on-key recovery products only when the key recovery product permits access to the key(s) or other material/information needed to decrypt ciphertext generated or received ... by the key recovery product.

61 Fed. Reg. 68582. This restriction on interoperability may be acceptable to computer hardware manufacturers, who sell stationary systems. However, in the context of the Internet, the requirement has serious detrimental implications. OECD encryption negotiations to date indicate that it is likely that a variety of other nations will refuse to follow the United States' key recovery plans. Section (6)(ii) would effectively prohibit interoperability with those nations' software products unless they permitted recovery of communications sent to them. Moreover, by prohibiting interoperability, the regulations would set a very harmful precedent for dealings with other countries who may wish to use restrictions on interoperability as a tool to advance other national objectives. There can be no surer barrier to global electronic commerce than a restriction on interoperability.

Secondly, the Administration has never explained how its proposal would work in the Internet context, and, CIX fears, may have devoted insufficient attention to the proposal's effect on the Internet.5 Significant technical obstacles remain unaddressed. The enormous number of Internet communications (hundreds of millions every day) makes retaining records of these communications particularly onerous and complicated. Yet the Administration has not explained how escrow/key recovery agents would function in this environment and who will serve in this role.

____________________

5 Indeed, the proposal was developed after extended negotiations with hardware manufacturers, but without addressing the concerns of ISPs or most Internet software producers.

Moreover, Secure Sockets Layer ("SSL"), the most common Internet encryption standard, appears incompatible with key recovery because the SSL private encryption key and authentication key are the same. A key recovery agent with access to the user's privacy and authentication key could do enormous harm masquerading as the user. In fact, this technical problem would likely make prosecutions using evidence obtained through key recovery more, rather than less, difficult. The small minority of Internet users who are actually culpable of crimes could routinely claim as a defense to prosecution that they were framed by key recovery agents or government officials who initiated communications in the user's name. Changing this standard through the Internet Engineering Task Force is a lengthy process that may engender greater opposition precisely because the change is in effect coerced by the U.S. government.

CIX urges the Administration to consider a less intrusive approach that keeps government out of standard-setting and avoids the risk of balkanizing the Internet with conflicting national rules, standards and restrictions on interoperability.

IV. THE ADMINISTRATION SHOULD ADOPT A MORE DEREGULATORY APPROACH TO EXPORTS OF STRONG ENCRYPTION THAT FOCUSES UPON SELF-ESCROW

CIX appreciates the importance of the national security concerns that underlie the Administration's reluctance to relax export controls on strong encryption. As the President stated in Memorandum and Executive Order 13026, encryption products "when used by international criminal organizations, can threaten the safety of U.S. citizens here and abroad, as well as the safety of the citizens of other countries." 61 Fed. Reg. 58767 (released Nov. 15, 1996). However, CIX suspects that the Administration's regulatory solution to this problem may ultimately prove less fruitful than a more market-based solution.

Policies to slow the deployment of strong encryption demanded by the global marketplace will not prevent the spread of strong encryption that does not include key recovery accessible to the U.S. government. Indeed, encryption technology may well have outstripped the government's ability to control it. The United States is far from having a monopoly on encryption capabilities. Unless prohibited by national laws, foreign manufacturers will move to meet demand abroad for such strong encryption, offering self-escrow and other capabilities that have not been approved by U.S. officials. These products will likely be more difficult for U.S. intelligence agencies to decode than products manufactured by U.S. companies. Moreover, if key recovery is not widely accepted by the market, it is quite possible that U.S. companies will no longer be driving global encryption standards in coming years, thereby undermining the United States' current strategic advantage in encryption software. The result would be a net setback for the very U.S. intelligence interests that the proposed regulations are designed to protect. At the same time, the development of global electronic commerce would be delayed, and the interoperability of the Internet jeopardized.

CIX urges the Administration to rethink its encryption policy. Instead of mandating technical features in encryption products and unilaterally requiring that exported encryption contain government-approved key recovery, the Administration should seriously consider moving to a more market-oriented approach. Encryption technology is so easily transportable that it has outpaced the ability of governments to control it. It is highly unlikely that terrorists and other criminals will buy the key recovery products contemplated by the proposed regulations, and doubtful that such products will achieve significant international market penetration. It is also far from clear that real-time recovery of e-mail communications is technically possible.

However, there will be significant market demand for truly voluntary key recovery chosen by and self-escrowed with the user. By subpoenaing such keys from banks, businesses and consumers, law enforcement entities throughout the world should be able to pursue most of their investigative functions without stunting development of Internet security and commerce. This market-based approach may in the long run yield better results for all stakeholders than the regulatory approach set forth in the proposed rules.

Respectfully submitted,

COMMERCIAL INTERNET EXCHANGE ASSOCIATION

Robert D. Collet
Chairman of the Board

Barbara A. Dooley
Executive Director

By: Ronald L. Plesser
James J. Halpert
Piper & Marbury L.L.P.
1200 19th Street, N.W.
Seventh Floor
Washington, D.C. 20036
(202) 861-3900

Its Attorneys

Date: February 12, 1997


Hypertext by DN and JYA/Urban Deadline