Feds not seeking crypto law

In spite of a longstanding FBI campaign, a Justice Department official today said that for now, the agencies are not seeking a law requiring U.S. residents to give the government "keys" to unlock their private computer communications.

The remarks were made during a Senate Judiciary subcommittee hearing on the constitutional issues raised by government restrictions on the use of encryption, which secures computer users' digital messages or files by rendering them unreadable if intercepted.

The files can only be unscrambled with the user's private key.

"We are not looking for any mandatory controls domestically at this time," said Robert Litt, the Justice Department's deputy assistant attorney general of the criminal division. "We know we can't get everything we want in our wildest dreams. There are other interests involved...We need to balance those interests."

The conflicting interest to which he was referring is the right to privacy. Others who testified today argued that any domestic controls on encryption use--and the existing federal export limits on crypto products--are in clear violation of multiple constitutional amendments guaranteeing free speech and privacy as well as prohibiting unlawful searches.

In addition, U.S. software makers maintain they can't compete in the global market for encryption because their unrestricted competitors can offer unbreakable products.

Although Litt said he was speaking on behalf of the Clinton administration, FBI director Louis Freeh has been at odds with the White House over encryption.

Freeh has repeatedly testified before Congress that domestic investigators want legislation passed to create a so-called key-recovery system, in which all U.S. encryption users would be required to leave a copy of their key with a government-approved third party.

In the fall, however, Freeh softened his position, suggesting legislation that would require manufacturers to include key recovery features in their products but would not force customers to use them.

Last March, the Clinton administration floated a proposal that tied voluntary domestic storage of encryption keys to other incentives.

Now, a year later, Vice President Al Gore has discouraged such controls in a letter to Senate Democratic leader Tom Daschle (South Dakota).

But the Justice Department maintained today that it is difficult to bust criminals who use strong encryption to code messages about drug trafficking, for example.

The Justice Department and the FBI support the Clinton administration's current export restrictions on strong encryption, which, as of January, require manufacturers to build key-recovery capabilities into all products that are shipped overseas.

"There are cases where we have encountered unbreakable encryption," Litt told the committee. "We would still be required to meet traditional standards of probable cause in order to obtain any of the information that the person has."

Disputing the Justice Department's need for export regulations were technology companies, privacy advocates, and at least one former law enforcement official.

"Files that are not secure are ripe for theft and misuse," testified James Fotis, executive director of the Law Enforcement Alliance of America and a retired police officer. He also spoke on behalf of Americans for Computer Privacy.

"Encryption is the dead bolt that locks those files," he added. "More than 500 strong encryption products are readily available and in use around the world."

Witnesses argued that although the government has approved some licenses for the export of strong encryption to be used by financial services, other sectors need the same protection, such as those dealing with medical records or intellectual property sent over the Net or other computer networks.

Constitutional experts argued that a federally mandated key-recovery system is no different from law enforcement agencies installing a video camera in every U.S. home and then saying they wouldn't turn them on without a court order. Others questioned how much such a key-recovery system would cost and who would be forced to pay for it.

CNET Radio talks to MCI's Tim Casey

Tim Casey of MCI Communications added that if companies want to build in key recovery, doing so should be based on consumer demand and not law. Those customers then can voluntarily store their keys with a third party in case it gets lost, for example.

Also testifying was legal counsel to University of Illinois at Chicago math professor Daniel Bernstein, who has won three court battles stating he has a First Amendment right to post encryption code on the Net. Bernstein was restricted from "exporting" his code in 1992. His landmark case is now awaiting a decision from a three-judge panel for the Ninth Circuit U.S. Court of Appeals.

The Bernstein case could shield the international distribution of encryption under the First Amendment. Still, some foes of the export limits are pushing for passage of legislation know as the SAFE Act (Security and Freedom Through Encryption). The bill is the main vehicle for crypto export relief and prohibits domestic controls. But at least one version of the bill altered by the House Intelligence Committee would grant law enforcement access to encrypted communication in the United States.

Cindy Cohn, Bernstein's attorney, was quick to point out in her testimony that SAFE will not completely lift the export limits.

"Even the SAFE bill, which is well-intentioned, fails to contain an assurance of judicial review of any agency decision to prevent publication due to alleged national security concerns, a key element required by the Constitution," her written testimony states. "SAFE also does not clearly protect scientists such as Professor Bernstein, but only protects those who seek to distribute mass market software already available abroad."