Just three days after it was introduced, a bill that seeks to impose restrictions on the domestic use of encryption sailed without hearings through the Senate Commerce Committee.
The bill, sponsored by Commerce Committee chairman John McCain (R-Arizona) and Bob Kerrey (D-Nebraska), originally was a proposal floated by the White House as an alternative to other bills that aim to lift most restrictions on the use and export of encryption software.
The Commerce Committee passed the bill on a voice vote. Unless it is diverted to another committee, the bill will be scheduled for a full Senate vote.
Privacy advocates viewed the progress of the McCain-Kerrey bill, known formally as the Secure Public Networks Act of 1997, with great concern. "This is majorly bad news," David Sobel, legal counsel for the Electronic Privacy Information Center, said today.
"It basically mandates use of key recovery encryption in any federally supported network, including universities. It also muddies the waters for the prospects of liberalizing encryption policy, and it's directly at odds with the SAFE bill that is moving through the House," he added.
Both the SAFE bill in the House and the Pro-Code bill in the Senate seek to ban federally mandated key recovery. Pro-Code had early success after its reintroduction this year but has stalled in the same committee that just passed the McCain-Kerrey bill.
The struggle over encryption policy has centered on law enforcement access to private information transmitted electronically or stored on computers. The government argues that criminals will use unregulated strong encryption to keep their plans secret. The use of key recovery requires users of encryption software, such as secure email programs, to store their keys in a place where the government can quickly access them without the users' knowledge.
Like the White House proposal, the McCain-Kerrey bill seeks to impose mandatory key recovery within the United States for the first time on top of the current crypto export regulations. It would make key recovery mandatory for all products purchased by the government and for any product used on a network that is even partially funded by the federal government. The bill also states that law enforcement would require only a subpoena to access private keys, whereas current federal regulations require a court order.
Despite implementing tight domestic controls on encryption, the bill leaves open a window for looser export controls. It gives the Commerce Department secretary leeway to approve the export of strong encryption software without key recovery if similar products already are or soon will be available in other countries.
Privacy advocates maintain that the legislation would codify the current 56-bit limit for cryptography without key recovery. Moreover, the bill also slams the door on the possibility of challenging a crypto export denial: "The secretary's decision on the grounds for the grant or denial of licenses shall not be subject to judicial review," it states.
In addition, the new bill would link digital certificates to key recovery and grant government the authority to license digital certificates. These certificates, which establish and verify the identity of the sender of an encrypted communication, are considered a critical element of electronic commerce. But if McCain-Kerrey becomes law, users won't be able to obtain a government-approved certificate without storing their keys with a third party.
Current regulations administered by the Commerce Department allow software makers to export encryption up to 56 bits in strength without a license or key recovery mechanisms. That limit seems less secure, however, after yesterday's announcement that thousands of people linked their computers over the Internet to crack a 56-bit DES code from RSA Data Security.
In a report released last year, a group of leading cryptographers recommended a minimum key length of 90 bits to ensure secure communications.
Senior writer Janet Kornblum and reporter Courtney Macavinta contributed to this report.