Kerrey crypto bill to require keys

Universities and other online networks would have to give up keys to their encrypted data under a new bill by Sen. Bob Kerrey.

Universities and other online networks funded by the federal government would have to give up keys to their encrypted data, according to an outline of a new bill by Sen. Bob Kerrey (D-Nebraska) that is circulating on the Net.

A copy of the outline was posted on the popular "fight-censorship" mailing list's site today, but the final legislation, known as the Secure Public Network Act, has not been introduced.

Kerrey's bill could give law enforcement officials an edge when it comes to domestic encryption, an advantage that the White House also wants, by requiring a key system that would allow authorities access to software. The Clinton administration floated a similar bill in March that has yet to be sponsored in Congress.

The Secure Public Network Act flies in the face of other crypto legislation, such as the SAFE and Pro-Code bills now working their way through Congress to relax export regulations. The draft has privacy advocates concerned because it could allow the government to peek at private data by university students, faculty, and federal workers.

"Kerrey hasn't talked to the civil liberties community at all while creating this bill," said Shari Steele, staff attorney for the Electronic Frontier Foundation. "If he wants this to be a compromise bill, then he has to talk to us, not just the administration. The administration has a history of creating unconstitutional encryption controls."

The draft doesn't set limits on the length of export encryption yet. It also allows for a "fast track review" for encryption used in financial transaction software, but this provision was already granted by the government this week.

The White House's latest export rules for encryption require that "key-recovery" systems be built into software in the next two years, allowing federal agencies access to the keys to encrypted data under a court order.

But the bill released by the White House in March would create a voluntary "key management infrastructure" for domestic encryption. It would also register third-party authorities to store encryption keys, giving law enforcement a back door to the keys by only requiring written permission from the attorney general, not a court order.

Still, Kerrey's outline is beginning to mirror Clinton's bill to regulate domestic encryption.

"It's just an outline. But the framework tracks pretty close to what the administration is looking for key provisions," said Jonah Seiger, a policy analyst for the Center for Democracy and Technology.

Kerrey's effort has one thing in common with the Pro-Code Act: It calls for the creation of an Information Security Board. The board proposal caused some privacy watchdogs to pull their endorsements of SAFE because the board wouldn't have to comply with the federal open-meeting act.

The board would consist of members of federal agencies that make recommendations to the president and Congress on "measures to establish secure networks, protect intellectual property on computer networks, promote exports of software, protect national security and public safety."

Meanwhile, SAFE has already unanimously passed its first hurdle in a House Judiciary subcommittee and is expected to be marked up in the full committee tomorrow. SAFE could be passed or killed as soon as Wednesday.

In the Senate, the Pro-Code bill was scheduled for a Commerce Committee vote May 1 but has been pushed back a month.