Crypto bill seeks domestic rules

Two senators introduce a bill that would for the first time impose domestic controls on encryption used by government-funded institutions.

Two senators today introduced a bipartisan bill that would for the first time impose domestic controls on encryption used by government-funded institutions.

The Secure Public Network Act is sponsored by Senators Bob Kerrey (D-Nebraska) and John McCain (R-Arizona).

The industry trade group Software Publishers Association has already released a statement that deems the bill "dead on arrival."

The bill mirrors a proposal originally floated by the White House this spring as an alternative to pending legislation in Congress that would lift most limitations on the export of encryption software.

The current measures--Pro-Code in the Senate and the SAFE Act in the House--have won the endorsement of many software companies and privacy advocates. These bills would prohibit the mandatory use of "key recovery," which gives law officials with a court order access to the secret keys to a user's encrypted message. This would reverse current federal export regulations on strong encryption, which require key recovery systems.

The Clinton administration and law enforcement officials have criticized both bills, arguing that agents should retain the right to have quick, confidential access to suspected criminals' electronic data.

Like the White House proposal, the McCain-Kerrey bill seeks to impose mandatory key recovery within the United States for the first time, on top of the current crypto export regulations.

The new bill calls for the implementation of key recovery in any product purchased by the U.S. government or with federal funds, as well as any network paid for by the government. This means public institutions and organizations might have to give the government a key to their private communication on the Internet.

But under the McCain-Kerrey bill, it is unclear if law enforcement would need a court order to obtain a user's decrypted information or if a simple subpoena would suffice.

The new bill also establishes a program for the government to hand out digital certificates. These certificates, which establish and verify the identity of the sender of an encrypted communication, are considered a key element of electronic commerce. However, users can't get a government certificate without storing their keys with a third party.

Despite implementing tight domestic controls on encryption, the bill leaves open a window for looser export controls. It gives the Commerce Department secretary leeway to approve the export of strong encryption software without key recovery if similar products already are or soon will be available in other countries.

The bill slams the door, however, on the possibility of challenging a crypto export denial: "The secretary's decision on the grounds for the grant or denial of licenses shall not be subject to judicial review."

Civil liberties groups have taken issue with similar language in the House SAFE bill and Senate Pro-Code bill as well, according to Jonah Seiger of the online rights advocacy group Center for Democracy and Technology.

There are two high-profile cases of cryptographers suing the government for denying them the right to publish their work. In one case, a federal judge has already ruled that the source code of a computer program is protected free speech and not subject to limitation.

Reporter Courtney Macavinta contributed to this report.