The Clinton White House wants access to encrypted messages everywhere.
The administration has quietly drafted a bill that pushes domestic storage of encryption keys, despite frequent assertions in the past that it wouldn't try to control domestic use of encryption.
According to a March 12 draft of the "Electronic Data Security Act of 1997" obtained by online rights watchdog Center for Democracy and Technology and posted on its Web site, the administration wants to find a sponsor for a bill that would give law enforcement agencies the ability to intercept encrypted communications and stored data.
The proposed bill is now circulating around Capitol Hill.
The government has already implemented such regulations for all encryption technology that is exported. But the White House had said it wouldn't fool with domestic software--such as browsers sold only in the United States that use very high levels of encryption. Apparently it changed its mind.
The bill would create a "key management infrastructure" that would register third-party authorities to store encryption keys. The government wants to encourage--but not force--all software companies to cooperate with the plan by voluntarily registering their keys with these authorities. That way, any law enforcement agency could get access to encrypted messages.
The bill in fact gives law enforcement what appears to be a shortcut around obtaining a court order. Instead of a court order, a government agent can procure "written authorization in a form to be specified by the Attorney General," the text reads. There is no mention of what such written authorization entails, a detail that critics find disturbing.
"I think this raises questions about standards of access to encrypted communications," said Jonah Seiger, a policy analyst at the CDT. "Email communications are a much richer view of what you do and who you are, more analogous to your living room than to your phone. We don't allow secret searches of people's living rooms."
Officials in the Commerce Department and in the Vice President's office stressed today that the draft posted by the CDT is two weeks old and is still under constant revision. However, a comparison of the draft and the remarks of Commerce Undersecretary Bill Reinsch in front of a Congressional committee last week shows no major deviations.
"Participation in the key management infrastructure enabled by this act is voluntary," the text of the bill reads.
Officials contacted today said that the proposed bill would create a reliable cryptography system that would promote the use of electronic commerce by increasing consumer and corporate confidence in encryption technology. Critics say the government is strong-arming companies into cooperation.
"It's the carrot-and-stick approach. They're trying to compel everyone into this infrastructure," said the CDT's Seiger.
The bill does have some teeth. The government is also authorizing what are called "certification authorities" that can hand out digital certificates, or the equivalent of electronic drivers' licenses, to technology vendors. These certificates verify the identity of those who send encrypted communications.
Without the added security of a certificate, it is less likely that individuals and businesses will participate in electronic commerce and other transactions on the Internet, according to at least one software industry contact.
"Between the security benefits and the direction the industry is going, it's not practical to perform public key transactions without a certificate," said Win Treese, director of security at electronic commerce software maker Open Market.
But in the proposed bill, makers of encryption software who choose not to register their keys would not obtain these certificates from government-approved certification authorities.
"There's nothing that says you have to have a public key certificate," said Sue Hofer of the Commerce Department's Bureau of Export Administration, which administers the current rules on encryption export.
Seiger disagreed: "Certification is necessary to participate and to say which keys belong to whom. There is a need for a key management infrastructure, but there's no need for private keys or key recovery info to be stored there. It's just another way to ensure electronic surveillance."
Unlike the regulations that govern exported encryption technology, the draft of the new bill does not set a limit on the strength or type of encryption a user may employ.
The bill also offers an alternative that could allow companies to store their own keys, said the Commerce Department's Hofer. The text, however, only mentions "other arrangements, approved by the [Commerce] Secretary pursuant to regulations acceptable to the Attorney General" that allow government access to real-time communications and stored data.
The bill also details civil and criminal punishment for anyone using encryption to commit a crime and spells out the penalty for certification authorities who abuse the information they store. Government-approved third parties would not be held liable for honoring government requests for information.