Pro-Code bill adds security board

The new version of the Pro-Code encryption bill would add a secretive board that would make secret policies, which worries watchdog groups.

CNET News staff
The Pro-Code encryption bill was reintroduced to the Senate today, but new provisions aimed at finding a middle ground with opponents have met resistance from some privacy advocates.

Sen. Conrad Burns (R-Montana) reintroduced the bill, formally named the Promotion of Commerce On-Line in the Digital Era Act, which aims to remove most of the Clinton administration's restrictions on the export of software encryption, which are administered by the Commerce Department.

The regulations require software companies exporting strong encryption, which secures digital data like email, to give up copies of the codes to a third party. This system, known as key recovery or key escrow, gives law enforcement officers access to the crypto keys with a court order.

Last month, Burns's office said the new bill would be unchanged from the version that died in the Senate last year. However, the new bill calls for the creation of an "Information Security Board," made up of representatives from federal agencies that are involved in developing information security policy and export controls on encryption.

Board members would keep their national security agencies informed about the latest information security and encryption technologies being exported. The board would learn about technologies in part from quarterly meetings with industry leaders, privacy experts, cryptographers, and engineers. It could also meet at any time with any person involved in the development of crypto technology.

The provision to create a board has alarmed privacy groups like the Electronic Privacy Information Center because the bill states that the Federal Advisory Committee Act (FACA) would not apply to the board. The FACA requires that "each advisory committee meeting shall be open to the public."

"This provision would create a secret policy-making process. We want crypto policy made in the bright light of day," Marc Rotenberg, director of EPIC, said last week of the drafted bill. "We think it should be a public process. The board was a bit of a concession to pick up some more sponsors, but I think they'll be giving away quite a bit."

EPIC would be in support of a board that included, for example, user groups and would like the meetings to be subject to the FACA.

However, other public-interest groups behind Pro-Code say that compromises such as the board have to be made or the bill could be killed again.

"This bill is necessary. The administration's crypto policy is not working," Jonah Seiger, a policy analyst at the Center for Democracy and Technology, which supports the bill, said today. "Strong encryption is available abroad, the U.S. software industry has its hands tied, and we're not getting the types of privacy tools we need in this country as a result of these encryption policies."

However, he said EPIC's concerns were legitimate. "The bill would be strengthened by being modified to address those issues. The CDT would support that, but the Pro-Code bill is the best shot we have of enacting real, meaningful encryption policy."

Matt Raymond, press secretary for Burns, also noted that the bill would have to go through committees and hearings and that changes could be made.

Even with the draft's efforts to find a middle ground with opponents, law enforcement officials may still fight the bill, contending that access to encrypted data is necessary to stop criminals who may use email and other electronic means to communicate and store information about their crimes.