Crypto bill lightens up

Two senators who drafted legislation that would give law enforcement quick access to secured electronic messages are now trying to water down their own proposal.

Yesterday, Sen. John McCain (R-Arizona) and Sen. Robert Kerrey (D-Nebraska) said they are revising their controversial Secure Public Networks Act. The revision would forbid U.S. investigators from accessing the keys that unlock encrypted messages without a court order--a guarantee that is mandated by current law.

Other changes were laid out with the goal of moving the legislation to a floor vote in May, and to meet a challenge set forth by Vice President Al Gore in a letter to Senate Democratic leader Tom Daschle (South Dakota) yesterday.

Encryption renders digital messages unreadable if intercepted. On one side of the encryption debate are federal criminal investigators, who argue that they need access to the "keys" that unlock encrypted data to bust sophisticated criminals around the world.

On the other side are consumer groups and high-tech industry executives, who say that such provisions inhibit U.S. software makers' ability to compete with foreign manufacturers and constitute an invasion of privacy.

Gore encouraged the Senate to find a balanced solution to the ongoing battle over encryption that would promote electronic commerce and privacy while assisting law enforcement. The vice president discouraged domestic controls, moving away from last year's administration push for such laws.

"In particular, the administration remains committed to finding ways to preserve the ability of the nation's law enforcement community to access, under strictly defined legal procedures, the plain text of criminally related communications and stored information," Gore wrote. "The administration believes the best approach is to pursue a good-faith dialogue over the coming months between industry and law enforcement, which can produce cooperative solutions, rather than seeking to legislate domestic controls."

The Secure Public Networks Act establishes a program for the government to hand out digital certificates, which establish and verify the identity of the sender of an encrypted communication and are considered a key element of electronic commerce.

Under the first bill, however, users couldn't get a government certificate without storing their encryption keys with a third party that would allow authorities to unlock their identity. The revised legislation lifts that stipulation.

"The compromises announced today are yet another example of the efforts to bring all of the interested parties together to solve the five-year debate that has been raging over encryption exports, and moves us one step closer to enacting legislation," Kerrey said in a statement.

The senators also said they will increase industry representation on a so-called U.S. Encryption Advisory Board to eight members. The proposed board would have four federal agency representatives as well, with the task of approving levels of encryption for export.

The president, however, has the power to veto any board decision based on "national security" concerns.

Civil liberties groups were not applauding the changes, saying the modified McCain-Kerrey legislation reinforces the status quo and is not helping their mission to overturn the Clinton administration's export limits on strong encryption.

Forces such as the newly anointed Americans for Computer Privacy (ACP) are working to change the nation's crypto policy on grounds that only "weak" products that have been cracked can be exported, making U.S. products less effective for protecting online communication than those of foreign competitors.

The McCain-Kerrey concessions don't eliminate the possible creation of a domestic "key-recovery" system, in which copies of the keys that unlock protected communication are stored so they can be accessed during criminal investigation or if lost by the owner, Jim Dempsey, senior staff counsel for the Center for Democracy and Technology, said today.

"It doesn't constitute the type of meaningful export relief that we have long supported," he said. "[The senators] always said that they were not mandating key recovery domestically. Instead they were relying on incentives, as they called them, to encourage key recovery.

"What remains in this bill is largely the status quo: control on encryption exports, an attempt to use the export regulations to promote key recovery, and the use of the government procurement authority to create a domestic market for key recovery," he added.

The Secure Public Networks Act still offers incentives to data security software makers who agree to build key recovery into their products.

When it was introduced last summer, the McCain-Kerrey bill called for the implementation of key recovery in any product purchased by the U.S. government or with federal funds, as well as any network paid for by the government. It is unclear if this condition will be scrapped as well.

As of January 1997, the export regulations stated that any encryption product shipped overseas must have key recovery. The revised McCain-Kerrey bill will allow for the export of products with optional key recovery, but only to end users that have been approved by the Commerce Department. There were no details available about how this system would work.

"The main news from yesterday is that leaders [Trent] Lott [(R-Mississippi)] and [Tom] Daschle had given them the thumbs up to pursue a legislative solution to the export debate. They will go over the bill line by line with industry to get the most acceptable piece of legislation for all sides," Mike Marinello, Kerrey's spokesman, said today.

Opponents of the Secure Public Networks Act are pulling for the passage of different legislation. Legislation known as the SAFE Act is the main vehicle for crypto export relief and prohibits domestic controls. But at least one version of the bill altered by the House Intelligence Committee would grant law enforcement access to encrypted communication in the United States.