
Encryption Exports: Small Step Forward, Big Step Back

Posted by michael on Fri Sep 17, 1999 11:45 AM
from the splitting-our-forces dept.

Kathleen Ellis, editor of the Privacy News Portal, attended yesterday's press briefing about a proposed loosening of export restrictions, and wrote the following feature article about the current situation. Click below for more.

Actually, let me hit you with a few links before you get started:

Encryption Exports: Small Step Forward, Big Step Back


by Kathleen Ellis
September 17, 1999

Prominent U.S. Government representatives yesterday announced at a White House press briefing that the President was proposing legislation on encryption policy, and that the Department of Commerce was revising its export restrictions on some encryption products. Last year, Vice President Al Gore vowed to further loosen restrictions and propose a solution to the encryption issue, which has been the subject of contentious debate for the past decade.

The legislation, known as the Cyberspace Electronic Security Act of 1999 (CESA), has been transmitted to Congress by President Clinton. The bill purports to strike a "compromise" between the needs of law enforcement for access to data and the needs of Internet users to secure their e-mail, web transactions, and stored data from hackers or thieves. According to the text of the bill, "society's increasing reliance on information systems in this new environment exposes U.S. citizens, institutions, and their information to unprecedented risks." Despite this acknowledgement, the bill clearly gives consideration to the needs of law enforcement and intelligence agencies first; "The failure to provide law enforcement with the necessary ability to obtain the plaintext version of the evidence makes existing authorities useless."

One of the major provisions of CESA is to allocate $80 million for an FBI "Technical Support Center", which would provide assistance to federal, state, and local law enforcement officials. The bill also reinforces the confidentiality of law enforcement intelligence techniques used to gather information about suspected criminals. "The Department of Justice has developed this legislation with the assistance of agencies in government," said Attorney General Janet Reno. "Law enforcement has tools at its disposal to fight crime, but those tools are rendered useless when encryption gets involved". Reno said that CESA "balances the needs of privacy and public safety".

Perhaps the most noteworthy provision of the bill is the resurrection of key escrow, a solution long considered insufficient, insecure and obsolete by experts. Key escrow is a technology that entails entrusting one's private keys with a trusted third party, so that theoretically, a law enforcement official would be able to present that third party with a warrant in order to gain access to the plaintext of the encrypted data. Although the bill does not require domestic users to utilize an escrowed cryptosystem, the bill provides a legal framework to protect users from disclosure of their decryption keys by their trusted third party without a court order. The bill also proposes to implement strict guidelines outlining the circumstances under which a law enforcement agent may be granted access to a decryption key held by the third party.

This mention of key escrow worries privacy activists, who have heard the use of such language by the administration before. "This raises the specter of collusion between law enforcement and industry to build back door access into encryption products," says David Sobel, General Counsel for the Electronic Privacy Information Center. According to EPIC's statement, the bill will eventually "provide a legal framework for access to decryption keys," a prospect which worries many activists and internet users alike.

Sobel would rather see the Security and Freedom through Encryption Act determine the U.S. Government's encryption policy. Authored by congressman Bob Goodlatte, SAFE would essentially force the government to reverse its stance on the encryption issue. Unfortunately, passage of the SAFE Act now seems unlikely, in light of Deputy Secretary of Defense John Hamre's remark during the briefing that if the SAFE Act passes the House and Senate, "the Department of Defense will ask the President to veto it".

Also announced at the press conference were revisions to the Department of Commerce's encryption export policy. According to a report released at the briefing, the export requirements will be revised to allow software exports of products of any key length, after the product is first submitted for review by the Commerce Department, and as long as the manufacturer of the product meets strict guidelines for post-export reporting of any user or distributor who obtains the software directly from the licensee. Secretary of Commerce William Daley announced that the Bureau of Export Administration would streamline the revision and reporting process, but was unclear about specific changes to the current procedure.

Two prominent industry groups are very enthusiastic about this proposal. "Today's decision articulates a policy that is good for America, good for our nation's high-tech industry, and good for the tens of millions of Americans who use computers and want them to be secure" says a press release from Americans for Computer Privacy, a group that has lobbied for legislative reform and is funded primarily by technology companies. In a statement published by the Computer Systems Policy Project, Sun Microsystems President and CEO Scott McNealy (who made headlines on Slashdot for his remarks telling reporters that the privacy issue was a "red herring" and that "you have zero privacy anyway...get over it") said "we applaud the Administration's recognition that the universal use of strong encryption will promote the benefits of a networked world while protecting Americans' privacy, safety and security". CSPP is comprised of eleven CEOs from major Information Technology companies, such as IBM, Dell, and Intel.

James Steinberg, Deputy Assistant for National Security Affairs, opened the briefing by praising both groups for their assistance in authoring the proposal, so it's no surprise that they're eager to ingratiate themselves to the Clinton Administration, while at the same time self-importantly emphasizing their effectiveness by declaring a victory. EPIC's David Sobel says "it appears that the FBI and large computer companies have reached an agreement on encryption, but that is not necessarily in the interest of the average computer user." Any compromise reached by these two groups could result in "less security than advertised, with hidden vulnerabilities the government can exploit".

Secretary Daley was repeatedly asked during the briefing what purpose the one-time review served, and under what circumstances an export license exception would be granted or denied; no clear answer was given. The U.S. Government may wish to allow exports only of flawed or escrowed encryption products using encryption above a certain key length, but has given up on explicitly pursuing that as a goal. Large software companies, the kind represented by ACP and CSPP, have lost a lot of business because of the export restrictions, and with each year that passes they may become less likely to object to making a few changes to their crypto modules in order to finally gain access to the foreign market.

In some ways, this proposal is good for the companies who have existed for so long without the ability to export their stronger security products at all until now, but for the rest of us, the proposal is neutral at best and abysmal at worst. As larger, wealthier proponents of crypto liberalization get what they want and contentedly back out of the debate on this issue (as American banks did when they were granted license exception to export security software to their overseas offices), further positive alterations to export policy start to seem less and less likely to happen. This is bad for American cryptographers who wish to discuss their work with their colleagues on the Internet. It's even worse for users, who may end up using insecure products without knowing it.

It's unclear what will happen at this point. The current congressional climate suggests that CESA will not pass without a significant push from the Clinton Administration. Even if the bill is defeated, however, Internet users around the world should continue to be cautious about purchasing commercial encryption products that originate inside the U.S.; you never know what may be lurking within.

  • Back doors (Score:3)

    by Anonymous Coward on Friday September 17 1999, @02:57AM (#1676475)
    Key point: by removing the requirement to show in court how they found an encryption key, and by still requiring software companies to get encryption software approved, they allow the government to strong-arm companies into building backdoors into encryption products--backdoors which will not be revealed in court when the government uses them to break encryption.
  • by Anonymous Coward on Friday September 17 1999, @03:44AM (#1676476)
    What this legislation seems to demand is a total war by the community against commercial crypto packages. This means, for instance, that if MS gets a license to export a crypto package for IE and NT, then there must be an effort to 1. crack it, and 2. look very hard for any backdoor. The same goes for crypto from IBM, SUN, Apple, and the rest of the commercial world.

    If anybody finds a backdoor in any commercial product, then commercial crypto from the US is d-e-a-d. Nobody anywhere in the world will ever trust any crypto software emerging from the US ever ever again. Then, there will only be open source software from the community and there will be untrustworthy crap.
  • by Anonymous Coward on Friday September 17 1999, @03:50AM (#1676477)
    This is one of those cases where special interests converge to work against the interests of the American public. Bob Goodlatte (and also Sen. Slade Gorton) are really pushing to remove some of the silly restrictions that we have right now. This would be good for both businesses AND the average citizen.

    However, we keep running into the situation where powerful people in Washington D.C. decide that widespread strong cryptography is not in their best interest. Often these people are not even ELECTED officials (e.g. Louis Freeh). Yet their voice manages to drown out the little guy.

    Worse yet, they wrap it in a nice little story about protecting YOU from terrorists. We are your officials, and we know (better than you) what is in your best interest.

    What's scary is that these people know damn well that a key escrow system would be swiftly denounced by foreign nations. They aren't concerned about protecting Americans from terrorists. They are concerned about protecting their ability to eavesdrop on Americans.

    The kicker here is that the White House says one thing and does another. Gore vows to reduce crypto restrictions, and yet every time something remotely similar to SAFE is discussed, Clinton vows to veto it. I'm pretty sure he would too. Clinton isn't running for office...

    What can I say. Yeah I'm a bit cynical. But all the newsgroup heckling and grumbling isn't going to do a bit of good. I hope everyone who reads this will consider focusing their energy by:

    - writing or calling your senator or representative. Explain how important this is to you.

    - joining/helping an organization that works to support your view, such as the EFF.

    Just don't be silent.

    Thanks,
    SEAL
  • Re:Solution (Score:3)

    by substrate (2628) on Friday September 17 1999, @03:20AM (#1676478)
    Sadly there's a good chance that that isn't the status quo for commercial products. With any sort of review process imposed by the government you can bet that the goal of the review is to have some way of recovering encrypted data. It may be as simple as a back door or it may be as subtle as reducing entropy during the encryption process. The measuring stick for passing the review process won't be: Is this software package protecting the interests of the consumer? It'll be: Can we recover encrypted data in an amount of time less than 'X', where 'X' is some duration which the various law enforcement agencies agree is acceptable.

    The review process boils down to the ability of the government to hold a company's software for ransom until they deliver a product insecure enough to please the government but secure enough not to raise too many eyebrows among users.

    Consumers will feel secure because they'll see "128 bit encryption" on the box and think "128 bits, that's pretty strong stuff" not realizing that it has somehow been compromised. It's a bit like allowing PGP for export without key length restrictions so long as any digits in the key beyond 128 are 0.

    The other problem is that it will probably result in the weakening of security we already have. Right now for online banking you can use 128 bit encryption because browsers with that level of encryption are not allowed to be exported. Under the new legislation browsers will be allowed to be exported after the review process. If part of the review process is sufficiently weakening the encryption so that it isn't 'too difficult' to break then there will be a browser with the strength of 56 bits of encryption masquerading as 128 bits. Having two identical products both supporting 128 bit encryption wouldn't work (one with the real deal, one with the watered down version) since interoperability is required and something that crude could be easily discerned. Either the companies won't release '128 bit' encryption to foreign countries and lose potential revenue or they'll weaken the encryption and release the weakened version in both the US and overseas. Loyalty to stock holders implies that the ultimate decision won't be favorable for privacy.
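An auditor's check for the kind of weakening described in the comment above, added here as an example (not code from the post, the bill, or any vendor): it samples keys from a generator and bounds how many of the advertised 128 bits can actually vary. The three generators, the sample size, and the use of 56 bits as the hidden seed size are constructed for the demonstration.

```python
import secrets

KEY_BITS = 128                    # what the box advertises
SEED_BITS = 56                    # constructed: the real entropy of the weak generators
MASK = (1 << KEY_BITS) - 1


def keygen_full():
    """Constructed reference generator: every one of the 128 bits is random."""
    return secrets.randbits(KEY_BITS)


def keygen_zero_padded():
    """Constructed crude weakening: all bits above SEED_BITS are always 0."""
    return secrets.randbits(SEED_BITS)


def keygen_linear_stretch():
    """Constructed subtle weakening: a 56-bit seed is smeared across all
    128 bit positions with shifts and XORs, so no single bit looks fixed."""
    seed = secrets.randbits(SEED_BITS)
    return (seed ^ (seed << 36) ^ (seed << 72)) & MASK


def varying_bits(keys):
    """Naive check: count bit positions seen as both 0 and 1 in the sample."""
    seen_one = 0
    seen_zero = 0
    for k in keys:
        seen_one |= k
        seen_zero |= ~k & MASK
    return bin(seen_one & seen_zero).count("1")


def gf2_rank(vectors):
    """Rank over GF(2) of integers treated as bit vectors (Gaussian elimination)."""
    pivots = {}                   # leading bit position -> reduced vector
    for v in vectors:
        while v:
            top = v.bit_length() - 1
            if top not in pivots:
                pivots[top] = v
                break
            v ^= pivots[top]      # cancel the leading bit and keep reducing
    return len(pivots)


def effective_bits_upper_bound(keys):
    """Dimension of the affine space spanned by the sampled keys.

    Fixed bits and bits that are XOR combinations of other bits add nothing
    to the rank, so this is an upper bound on the key space in bits. It is
    only an upper bound: a seed stretched through a hash would still show
    full rank and needs review of the generator's source instead.
    """
    base = keys[0]
    return gf2_rank(k ^ base for k in keys[1:])


def audit(keygen, samples=2000):
    """Return (bits that visibly vary, upper bound on effective key bits)."""
    keys = [keygen() for _ in range(samples)]
    return varying_bits(keys), effective_bits_upper_bound(keys)


if __name__ == "__main__":
    for name, gen in [("full", keygen_full),
                      ("zero-padded", keygen_zero_padded),
                      ("linear stretch", keygen_linear_stretch)]:
        vary, bound = audit(gen)
        print(f"{name:15s} varying bits: {vary:3d}   effective bits <= {bound}")
```

The zero-padded generator fails even the naive per-bit check, while the linear stretch passes it and is caught only by the rank test.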
  • by hobbit (5915) on Friday September 17 1999, @03:01AM (#1676479)
    ...if the US government doesn't move quickly, it will seriously lose market- and mind-share in encryption products, without gaining any advantage in doing so (GPG and PGPi being freely importable).

    To paraphrase a well-known comment:

    "You have no access to our private communications anyway... get over it"

    Hamish

  • Stupid Laws (Score:3)

    by musique (35188) on Friday September 17 1999, @03:59AM (#1676480)
    What always bothers me about these export laws is that if a Terrorist group really wanted to get a copy of some encryption software, they could have someone buy it in the US and mail a copy overseas, perhaps on a copied CD (or 10 different copies). I could think of a million other ways to do this. Mail it from Canada! Mexico! You can drive over without a thought. FTP it. XModem transfer it. How the hell is anyone going to know what is on it and that someone is breaking the law. Laws like this do not stop criminal elements from using the products, they just make it a tiny bit harder for them to get their hands on them.

    This is the same with modern gun control legislation. Making guns illegal doesn't stop criminals from getting guns, only law-abiding citizens. There are now more guns in the US than there are people, and there is no stopping anyone from getting one. The same with weed, same with computers, powerful microprocessors, and strong encryption. They can't be stopped!


  • by jflynn (61543) on Friday September 17 1999, @04:13AM (#1676481)
    If corporations are individuals, why do they get preferential treatment under the law, and effectively cast way more political influence than one vote? This "solution", a crypto review process not likely to be practicable for individuals or small businesses, or open source projects, is just the latest example.

    This country seems to be falling into a dangerous mindset, optimizing law for corporations rather than individuals. Corporations need privacy. Individuals can't be allowed privacy (for their own good.)

    Unfortunately, corporations are focused on making money in the short term no matter how expensive it proves to be for everyone else in the long term. Very little fundamental research is occurring in corporations as it once did at Bell Labs. Corporation mergers, acquisitions, and outsourcing have degraded our quality of life. A society organized for the sole benefit of the balance sheets of its corporations is not an optimal solution for individuals.

    We should fight for equal rights for all under the law, individuals and corporations alike. One entity, one vote.
  • by /dev/joe (88696) on Friday September 17 1999, @03:14AM (#1676482)
    Even if the bill is defeated, however, Internet users around the world should continue to be cautious about purchasing commercial encryption products that originate inside the U.S.; you never know what may be lurking within.

    That the US government's muddled encryption policy has made US encryption products something to be wary of is the true failure of that policy.

  • by Anonymous Coward on Friday September 17 1999, @05:35AM (#1676483)
    That is a good point. I can assure you that the NSA doesn't care about J. Random Hacker. They only appeared on their radar screens in the early 80s. I know. I was one of them and had an ongoing relationship with them for several years because, frankly, I feel a lot more at home with them than with three-bong-hit revolutionaries who never bathe. I was struck then by a fact that made me grow up a lot, quickly. That is the fact that most people are, by definition, normal (yeah, really profound, I know), and that the curve that defines the vast majority of behavior is quite often steep and has very thin tails. This never varies. Never. Not across nations, cultures, or any other normal distribution. Never. The NSA, the FBI, the DPS -- whomever -- just don't care about 96-99% of all people because they don't and won't (ever) do anything really weird. Hackers fit into that same area, albeit with fatter tails on the curves. The NSA doesn't care because they know damned well that they don't have to. The CIA doesn't care because ... well, the CIA has its own problems, many of which they are having a hard time getting themselves out of. Suffice it to say that they aren't bugging your house either. That mathematical immutability of human behavior, apart from making the isolation of adolescence easier to cope with (I realized that I wasn't special, and that perverse fact made me feel much less isolated), is very well known to the spook community at large. They depend on it. They know it well. They also fear it because they know damned well that when they have a whole lot of people moving in one direction they are close to impossible to stop unless you use napalm. And that isn't very spooky.

    The average cop on the beat (J. Random Officer), on the other hand, is not a math PhD. He probably has some college courses, possibly an undergraduate degree, limited classical education, and quite a bit of continuing education as a cop. The smart ones tend to move up -- the average cop has an IQ of 100-115, the average detective 130+, so most cops, generally, aren't too dumb, at least these days, in larger departments, in larger cities. That does not, however, include cops who have been cops for twenty years, cops in many large cities who were hired for reasons other than competence (the old boy network, racial quotas, sex quotas, or the fact that the department needed people when they were out of work as a fry cook), cops in small towns who never passed any formal screening, county/sheriff/constable personnel, and that is still a lot of cops who will be in the system for years. That load of people for whom concepts like encryption are foreign will be much more of an issue because that, coupled with the fact that cops tend not to spend a lot of time learning (they are trying not to get killed or sued) and that they deeply mistrust anything new and complex due to years of experience with a liberal legal system screwing cops every chance it gets means that you are highly likely to run into someone who considers an encrypted partition to be prima facie evidence of wrongdoing should you ever run afoul of the law. I see this as a far greater issue than Ft. Meade listening to you talking to your love-muffin on your cell phone. The local PD and prosecutor are still easily able to out-spend most people, and defending your rights into bankruptcy is a real problem -- you should be able to, but suing people who have ruined you is hard if they work for the government. And most hackers aren't rich.

    It will be interesting to see how this plays out. I would encourage all of you civic-minded hackers to offer to help your local police department. I have offered to help mine and give regular lectures on handling computers that are evidence, how not to handle hackers, and so on. It definitely has changed the attitude of a lot of the more senior and mossybacked cops who now see computers as less of a menace, and that is a good thing. Spread the information widely and offer to take the time to help and you will do a lot more good than if you complain bitterly and use 500000 bit keys, because the more people using encryption then the more chaff to sift, the more messages to log and batch, the more stuff to worry about -- and I can assure you that every cop I have lectured to is using PGP right now. Spread a little sunshine, like Linus did a few years back. It can only help.
  • by coats (1068) on Friday September 17 1999, @03:28AM (#1676484) Homepage
    Reading through the bill, I see no meaningful penalties for misconduct on the government's part. I'd like to suggest a slashdot write-in suggestion to amend the bill to add a new section 2713(d) which states that for each improper disclosure of recovery information, of information obtained thereby, or for fraudulent testimony pursuant to the obtaining of an order under section 1712, all parties involved shall be individually liable for civil damages of $50,000 or treble damages, whichever is greater, plus court costs.

    See how the Administration likes the bill then. As it stands, do you really expect the DOJ to slap its own hand when it breaks the law on this point?

  • by Tackhead (54550) on Friday September 17 1999, @03:29AM (#1676485)
    I smell a rat here too. I mean, if I, as the prosecution, don't have to reveal to the court how I decrypted the "evidence", doesn't that give me just a wee bit too much power?

    Testimony: "Your honor, as you can plainly see, the {kiddie porn, bombmaking instructions, drugmaking instructions, nuclear secrets} is on the client's hard drive. We just can't tell you how we decrypted it."

    Reality: "Hey, Officer Crypto-Dude, can you XOR the suspect's scramdisk file of random noise with some {kiddie porn, bombmaking instructions, drugmaking instructions, nuclear secrets}? I really need a conviction, man!"

    Hell, why bother creating a bogus one-time pad if you don't have to reveal the method? How about "Hey, Officer Crypto-Dude, gimme the files off the hard drive from the other guy we convicted last month."

    If the prosecution doesn't have to disclose how it decrypted your files, the only defence you have against fabricated evidence is to give up your keys and divulge what was really on your hard drive. Damned if you do, damned if you don't.

    As I wrote yesterday [slashdot.org], I'm far more worried about corrupt cops than corrupt spooks. NSA knows it has better things to do with its time than invade your privacy. I'm not so convinced the same is true of Ms. Reno and Mr. Freeh.

  • by Cuthalion (65550) on Friday September 17 1999, @03:36AM (#1676486) Homepage
    Does anyone know how crypto's classification as a munition interacts with our constitutionally granted right to bear arms?
  • How's that again? (Score:5)

    by Analog (564) on Friday September 17 1999, @03:27AM (#1676487)
    "The failure to provide law enforcement with the necessary ability to obtain the plaintext version of the evidence makes existing authorities useless."
    "Law enforcement has tools at its disposal to fight crime, but those tools are rendered useless when encryption gets involved"

    What bothers me most about comments like these is that they are based on the assumption that 'law enforcement' has an implicit right to have access to your information, as long as they feel the need. This is not so. A relevant passage:

    "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated"

    Since when does building a back door into all communications qualify as secure? And a promise from law enforcement not to use it improperly is not security, even if they could make such a promise honestly; what happens when someone else figures out how to use the back door (and someone will)?

    Another thing that I don't see being brought up much when statements like the above are being thrown about is history. People have been using various types of codes to encrypt sensitive communications for hundreds of years. Has law enforcement been 'useless' for all this time?

    I find it (almost) amusing that one of the agencies screaming loudest about their need for this (the FBI) touts as their greatest victory the incarceration of a man who was convicted based on evidence they couldn't decipher. So what did they do? They offered the guy who knew what it meant a deal, and he did it for them. Is there some reason this doesn't work anymore?

  • by konstant (63560) on Friday September 17 1999, @03:59AM (#1676488)
    I work in crypto QA for a major, evil software company. Guess which one. We've been crossing our fingers for legislation like this due to the extreme cost and instability of shipping both a 128 and a 40/56 bit version of every crypto product. Apart from the effort of testing everything four times (once for hi, once for low, once for interactions, once for upgrades) there is the simple fact that as test matrices grow, bugs proliferate. And some are not found.

    We used to say, "If only some bolt of light would strike Clinton upside the head and get him to liberate export policies!" Our premise was that the cost and difficulty of testing would drop, and we would be better situated to promote our client overseas.

    NOPE. Even if this law passes, the labor of testing may just go up. Implementing a "backdoor" or a key escrow mechanism necessitates cracking the CSP's (oops - gave away which company) and re-writing practically the entire code structure that selects and manages algorithms. Easy? No. In addition, what foreign company would be interested in purchasing a product they know the US Government can abuse like a bitch at its will? I certainly wouldn't tolerate it.

    The upshot? My (uninformed) prediction is this: There will still be 40-bit non-escrowed versions of the product going out the door. These will be shipped primarily to other countries and to paranoid individuals like slashdotters. Everyone else will run 128, but it will be a compromised breed of 128.

    In other words, this will accomplish nothing other than weakening crypto for US citizens.

    This bill is bullshit! Call or email your congressional office today. I'm about to do that very thing.
    -konstant
  • by Zigg (64962) <matt@zigg.com> on Friday September 17 1999, @03:05AM (#1676489)

    Yet another lovely step back in time by the Clinton administration. I wonder if any of the candidates for the next presidential election have gone on record for crypto policy.

    The primary reason that the concept of key escrow absolutely petrifies me is that, to be useful, the keys need to travel in one form or another from their central repository (which I would hope would be as tightly locked up as the NSA) to the law enforcement agency responsible for unlocking the message. With the repeated demonstrations by the U.S. Government that they don't understand crypto, what's even going to guarantee the safety of my key (and therefore my data) in transit?

    Don't make me hand over my keys. I have them because they protect me. And you can bet that if key escrow becomes a requirement, I will not surrender my stock of open-source crypto software, but only begin to use it more.
