A coalition of privacy and commercial interests endorsed legislation today that would undo restrictions on encryption, but said it might pull its support if a section in the bill, which would penalize the use of encryption in committing a crime, is not scrapped.
In a letter to Rep. Bob Goodlatte (R-Virginia), who authored the Security and Freedom through Encryption Act (SAFE), about 30 organizations encouraged Goodlatte to delete a portion of the bill that would make the use of encryption "in furtherance of a crime" punishable by up to five years in prison.
The Electronic Privacy Information Center drafted the letter, which was signed by the American Civil Liberties Union, Computer Professionals for Social Responsibility, Center for Democracy and Technology, Electronic Frontier Foundation, and others.
The coalition, which includes both civil rights groups and commercial interests, wants the bill revised before it is sent to the House Judiciary Committee on Wednesday.
Privacy advocates are worried that the SAFE bill might be passed with the criminal provision to appease government officials. Groups could yank their endorsement of SAFE as soon as Wednesday if the bill progresses with the provision, David Sobel, legal counsel to EPIC, said today.
But Marc Rotenberg, the director of EPIC, said he didn't know if his organization would pull its support of the bill. "We think it is a good bill, but that provision should be reconsidered...We'll continue to look for ways to have it pulled out."
The SAFE bill makes it legal for people in the United States to use or sell encryption with no limits on the key length. (The level of protection of data from encryption increases with longer keys.) SAFE also prohibits mandatory "key escrow," which requires exporters to build a system that would let law enforcement agents have access to encryption keys to decode data.
Although the coalition applauds the bill's goal to promote encryption by relaxing regulations, it said that the criminal provision is dangerous and should be reconsidered. "While well-intended, the provision could have a series of unintended consequences that would easily undermine the other desirable features of the bill," the coalition states.
"In the digital age, where techniques to protect privacy and security will be widely deployed, we cannot afford to view encryption as the instrumentality of a crime just as we would not view the use of a typewriter in the current era [as aiding and abetting criminal activity]."
The provision could also hinder the widespread use of strong encryption to protect communication such as email, the group added. "The retention of this provision in the legislation will send a mixed message to users and businesses that we want people to be free to use encryption but will be suspicious when it is used."
The SAFE bill, along with the Promotion of Commerce On-Line in the Digital Era Act (Pro-Code) and the Encrypted Communications Privacy Act, were introduced in Congress this session in reaction to the Clinton administration's new crypto export rules that went into effect in January. The regulations allow for the export of 56-bit encryption as long as the exporter agrees to build a "key recovery" system that would let the government decode encrypted data within two years.
Law enforcement agencies, such as the FBI, testified during Senate hearings on Pro-Code in March that national security made it necessary to be able to unlock exported encryption.