U.S. said to violate global crypto policy

The U.S. government is failing to live up to an international agreement it signed only six months ago, two privacy advocate groups charged today at a global conference on encryption.

Specifically, the two groups said that legislative initiatives proposing mandatory controls on the domestic use of encryption violate terms of the international accord reached by the Organization for Economic Cooperation and Development in March.

The Cryptography Policy Guidelines are part of a nonbinding document, but because the document was signed by 29 of the wealthiest countries in the world it carries a certain amount of moral authority, according to Marc Rotenberg, director of the Electronic Privacy Information Center.

"It is the international agreement on encryption policy and it is taken very seriously," said Rotenberg, who leveled his charges at a conference in Brussels, Belgium, attended by representatives of 20 countries. "When you say that a country has failed to uphold its obligations under international agreement, that is a very serious statement." Washington-based EPIC was joined by Privacy International, headquartered in London.

The vague language in parts of the international agreement leaves it open to numerous interpretations. However, part of it calls on governments considering key recovery systems to "carefully weigh the benefits...as well as the risks of misuse, the additional expense of any supporting infrastructure, the prospects of technical failure, and other costs."

Over the past month, several legislative proposals regarding encryption have either circulated in Congress or been introduced in committees. Several would give law enforcers with valid search warrants immediate access to the keys that decode encrypted messages. Although the government has long restricted the export of strong encryption products, such mandatory "key recovery" requirements would be a first.

"There's been no consideration of the potential for misuse and the cost of key escrow proposals," Rotenberg added. "That's clearly at odds with the OECD guidelines."

Staffers from the Congress and the White House were not immediately available for comment.

Most of the proposals calling for mandatory key recovery systems are still in rough form. Most recently, a House of Representatives committee last week introduced a measure that would require key recovery systems to be built into all encryption products available in the United States. The House Intelligence Committee offered the proposal as a substitute to the Security and Freedom through Encryption Act, a widely supported bill that would loosen government controls on the of encryption exports.

A second house committee, the National Security Committee, also voted last week to gut the SAFE bill with a substitute.

The OECD accord does not take a firm stance on whether mandatory key recovery should be permitted. But it does provide guidelines for governments that require such schemes. It also encourages governments not to adopt policies that unduly threaten individuals' privacy.