13 May 1998
Date: Tue, 12 May 1998 19:13:08 -0400 To: John Young <jya@pipeline.com> From: Alan Davidson <abd@cdt.org> Subject: Links, etc. for Ashcroft-Leahy Fyi, as I know how you follow these things: * CDT's analysis of the new Ashcroft-Leahy crypto bill is enclosed below and on our site at: http://www.cdt.org/press/051298press.html * A section-by-section analysis of the bill as introduced is available on our site at: http://www.cdt.org/crypto/eprivsec.html * We are hoping to get real legislative language soon. -- Alan ------------------------------------------------------------------------------ _____ _____ _______ / ____| __ \__ __| ____ ___ ____ __ | | | | | | | | / __ \____ / (_)______ __ / __ \____ _____/ /_ | | | | | | | | / /_/ / __ \/ / / ___/ / / / / /_/ / __ \/ ___/__/ | |____| |__| | | | / ____/ /_/ / / / /__/ /_/ / / ____/ /_/ (__ )/_ \_____|_____/ |_| /_/ \____/_/_/\___/\__, / /_/ \____/____/\__/ The Center for Democracy and Technology /____/ Volume 4, Number11 ---------------------------------------------------------------------------- A briefing on public policy issues affecting civil liberties online ---------------------------------------------------------------------------- CDT POLICY POST Volume 4, Number 11 May 12, 1998 CONTENTS: (1) Senators Introduce Pro-Privacy Encryption Bill, In Stark Contrast to Administration Position (2) How to Subscribe/Unsubscribe (3) About CDT, Contacting us ** This document may be redistributed freely with this banner intact ** Excerpts may be re-posted with permission of gbrowning@cdt.org |PLEASE SEE END OF THIS DOCUMENT FOR INFORMATION ABOUT HOW TO SUBSCRIBE, AND HOW TO UN-SUBSCRIBE| _____________________________________________________________________________ (1) SENATORS INTRODUCE PRO-PRIVACY ENCRYPTION BILL, IN STARK CONTRAST TO ADMINISTRATION POSITION A new weapon in the arsenal against misguided U.S. encryption policy arrives today as Sens. John Ashcroft (R-Mo.) and Patrick J. Leahy (D-Vt.) introduce their new encryption bill , which lays out a pro-privacy approach to computer security that contrasts starkly with the Clinton Administration's approach. The new bill, the E-PRIVACY Act, protects the privacy of all Americans by: ** protecting the domestic use of strong encryption without "key recovery" back doors for government eavesdropping; ** easing export controls to allow U.S. companies to sell their encryption products overseas; ** strengthening protections from government access to decryption keys; and ** creating unprecedented new protections for data stored in networks and cell phone location information. A section-by-section analysis of the bill is available online at http://www.cdt.org/crypto CDT is concerned about several features in the E-PRIVACY Act that create new threats to privacy online. The bill establishes a new research center to assist federal, state and local police in dealing with encrypted data. The bill also makes it a crime to use encryption to obstruct justice. Implementing these provisions will require intensive oversight and public comment. Overall, the E-PRIVACY Act presents a strong pro-privacy approach to the encryption issue, in marked contrast to the export controls and mandatory backdoors embraced by the Clinton Administration. The bill makes more encryption, more accessible, to many more people. It also creates new privacy protections for data stored on networks - protections that will become increasingly important as more people go online. Major provisions of the new bill would: *** Prevent the federal government from requiring back door access to encrypted communications and files: The bill reaffirms the right to use strong encryption domestically without the 'key recovery' back doors supported by the Administration. It also prohibits the federal government from creating regulations or standards designed to coerce public use of key recovery. To further limit the government's ability to force people to use key recovery, the bill requires that government key recovery systems be interoperable with non-key-recovery systems. *** Ease export restrictions: The E-PRIVACY Act would remove most export controls on generally available and mass market encryption software and hardware. PGP, or 128-bit Netscape and Internet Explorer, would be readily exportable to all but a handful of countries. Custom encryption products would be exportable to countries where comparable products are commercially available. *** Establish privacy protections for encryption keys entrusted to third parties: Today, a decryption key entrusted to a third party receives little protection. Such keys can be demanded by the federal government with a mere subpoena, without the supervision of a judge or any notice to the key's owner. The bill would give decryption keys in the hands of third parties the same protections they would have if they were retained by the key owners. Such keys could only be retrieved by the government with a "probable cause" court order, or with a subpoena served on the key owner with a meaningful opportunity for the key owner to challenge it. This provision could prove extremely important if encryption users voluntarily choose to use key recovery, as many are expected to do. *** Strengthen privacy protections for data stored in networks: In the future world of networked computing people will increasingly store sensitive data outside of their homes. Under current law, data stored on computer networks outside of a person's possession may receive limited privacy protections. This data may be accessible to government officials without the owner's knowledge and without supervision by the courts. The E-PRIVACY Act would create new standards protecting networked data as if it were stored in an individual's possession. The act would require a court order based upon probable cause, or a subpoena that the information's owner has a meaningful opportunity to challenge. *** Strengthen privacy protections for cellular phone location information and other data: The bill would also strengthen protections for cellular phone location information,requiring a court order based upon probable cause before sensitive physical location data could be turned over to the government. The bill also gives judges more authority in reviewing government requests to install "trap and trace devices" and "pen registers," commonly used surveillance devices that record revealing data about a person's telephone usage. The new bill also contains provisions designed to address law enforcement concerns with encryption. An "obstruction of justice" encryption crime is included, similar to the narrow provision found in the House SAFE bill. The bill also establishes a new "Net Center" designed to improve federal, state, and local resources for dealing with encryption. CDT believes that both of these provisions are cause for concern and their implementation will need to be closely monitored to ensure that they do not create new burdens on the privacy of individuals using encryption. CDT applauds Senators Ashcroft, Leahy, Burns, Boxer, and the bill's other cosponsors for their forward-looking view of privacy and security online. The E-PRIVACY Act represents a milestone in the hard-fought congressional debate on encryption. While the Administration and some in the Senate have continued to push for key recovery, the bill presents a diametrically opposed approach, giving individuals and companies the technical tools and legal protections needed to protect their security. On balance, the E-PRIVACY Act would be a major step forward for individual privacy in the Information Age. More information about the encryption issue is available at CDT's Web site, at http://www.cdt.org/crypto If you're interested in becoming more involved in the encryption debate, please visit CDT's "Adopt Your Legislator" campaign at: http://www.crypto.com _____________________________________________________________________________ (2) SUBSCRIPTION INFORMATION Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post news distribution list. CDT Policy Posts, the regular news publication of the Center For Democracy and Technology, are received by more than 13,000 Internet users, industry leaders, policy makers and activists, and have become the leading source for information about critical free speech and privacy issues affecting the Internet and other interactive communications media. To subscribe to CDT's Policy Post list, send mail to majordomo@cdt.org in the BODY of the message (leave the SUBJECT LINE BLANK), type subscribe policy-posts If you ever wish to remove yourself from the list, send mail to the above address with NOTHING IN THE SUBJECT LINE AND a BODY TEXT of: unsubscribe policy-posts _____________________________________________________________________________ (3) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies. Contacting us: General information: info@cdt.org World Wide Web: http://www.cdt.org/ Snail Mail: The Center for Democracy and Technology 1634 Eye Street NW * Suite 1100 * Washington, DC 20006 (v) +1.202.637.9800 * (f) +1.202.637.0968 ---------------------------------------------------------------------------- End Policy Post 4.11 5/12 /98 ----------------------------------------------------------------------------