cr> EFF on Leahy/Burns/Murray Crypto Bill


Craig A. Johnson

New "Encrypted Communications Privacy Act" - Enabling Electronic Envelopes 

March 5, 1996                                   

The Electronic Frontier Foundation (EFF) is encouraged to see
Congressional support for lifting restrictions on encryption and
affirming privacy rights for U.S. citizens.  The bill introduced today
by Senators Pat Leahy (D-VT), Patricia Murray (D-WA) and Conrad Burns
(R-MT) is an important step in reclaiming privacy and encryption
rights for society and business.  The bill would legalize wide use of
"electronic envelopes" to protect private information.  Today this
information travels on "electronic postcards" which can easily be
altered or intercepted.  However, the bill also includes key escrow
and obstruction of justice provisions which would cause problems if

"The bill provides a new opportunity to bring reason into the crypto 
policy debate," said EFF co-founder John Gilmore.  "We support the 
Senators for bringing their energy into the process.  The bill is a
good start, and with healthy debate and modification, it could become
acceptable legislation."

Electronic privacy and encryption policy is extremely complex because
it intertwines our constitutional rights of free speech, publication,
association, and protection from self-incrimination and unreasonable
search, with issues of wiretapping, spying, military security,
personal privacy, and computer security.  This bill would pick a new
balance among these competing interests, with long-term impacts on our
society and economy.  EFF is committed to working with government,
industry and public interest organizations to raise the level of
understanding and debate in resolving these complex issues.

Export Control Liberalization

The Encrypted Communications Privacy bill would make long-overdue changes 
to the export restrictions currently hampering the deployment of privacy 
and security "envelopes" for Windows, Unix, the Mac, and the Internet.  

The bill:

  *  Moves export control of all non-military information security products,
     including encryption, to the Commerce Dept., whose rules protect 
     constitutional rights and reflect market realities.

  *  Requires that no license be required to export generally available
     mass-market software, public domain software, and computers that
     include such software.

  *  Requires that export be authorized for non-military encryption 
     software to any country where similar software is exportable from 
     the U.S. to foreign financial institutions.

  *  Requires that export be authorized for encryption hardware if a 
     comparable product is available overseas.

The above changes would significantly improve the nation's crypto
policy.  But they make detailed changes in a very complex section of
the law and regulations.  There is a significant risk that they will
be implemented by the Administration in a different fashion than
Congress intended.  This happened in 1987, for example, when
Congress tried to eliminate NSA meddling with civilian computers by
passing the Computer Security Act.  It was subverted by a series of
Presidential directives and agreements among Executive Branch
departments.  The result today is that NSA is still in control of
domestic security and privacy policy.

We would encourage further deregulation as a simpler, more effective, 
and far more reliable solution.  The bill should simply eliminate all export 
controls on non-military encryption.

Criminalization of Encryption and Encouragement of Key Escrow

The following provisions raise serious concerns about the imbalance 
between the rights of the people and the desires of the government. EFF 
feels that the impact of these provisions must be closely considered, 
and will work to modify or remove them to better serve the public 
interest. The bill:

  *  Makes it a new crime to "use encryption to obstruct justice", with
     5-10 year sentences, plus fines.  In plain language, this is an
     extra criminal charge that can be applied when police are frustrated
     in an investigation but happen to catch someone breaking the law in 
     some other way. It's like adding an extra ten-year jail term if you 
     close your curtains while committing a crime.  Americans have the 
     right to protect their own privacy by any nonviolent means, and we 
     expect that encryption will soon be built into all computers, 
     phones, and networks.  

  *  Provides a legal infrastructure for key escrow, a system in which
     all users' keys are copied to permit government access.  The
     Clinton Administration has been pushing key escrow to replace its
     failed "Clipper chip", out of fear that if Americans have real
     privacy they will abuse it.  These provisions in the bill would
     encourage people to use the flawed key-copying system.

Clarification and Refinement

There are a number of areas of the bill that would benefit from additional
debate and clarification.  Specifically, where the bill:

  *  Explicitly does not mandate key escrow, but fails to prohibit
     the Administration from attempting to impose it with regulations.

  *  Outlaws disclosure of others' keys except to the government, with
     1-2 year sentences, plus fines, but includes a broad "good 
     faith" exemption for when the government does something illegal or 

  *  Requires disclosure of other peoples' keys to the government, under
     the same procedures currently used for wiretaps, searches of online
     records and backup tapes, and fishing expeditions in billing records.
     The provision does not always require adversary legal process, in
     which citizens can argue for their privacy before a judge, but instead
     relies solely on the integrity of prosecutors.

  *  Legalizes the use of any encryption "except as provided in this 
     Act...or in any other law". 

EFF's Proposed Crypto-Privacy Principles

EFF's Cryptography and Privacy Policy Principles, which were
originally written during the Clipper Chip debate, are the touchstone
by which we measure privacy legislation and policy issues:

  * Private-sector access to encryption technology must not be hindered, 
    either by regulation of what crypto may be used domestically, or by 
    restriction on what may be exported.

  * Government policy on encryption usage and standards must be set in open 
    forums with proper attention paid to public input. Secret hearings and
    classified algorithms have no part to play in a democratic process.

  * Encryption must become part of the "information infrastructure" to 
    protect personal, commercial and governmental privacy and security.  
    Cryptographic tools must not be crippled or weakened for the convenience
    of government agents, and users must be free to choose what encryption
    they prefer and whether and to whom they will reveal encryption keys.
    Law enforcement must obtain court orders, not simply administrative 
    subpoenas to seize keys or decrypt and search encrypted information.

  * Government policy regarding emerging technologies like encryption
    must not erode Constitutional protections. In particular, any such
    policies must be compatible with the rights to freedom of speech,
    press and association, freedom from coerced self-incrimination,
    and freedom from unreasonable search and seizure.

  * Encryption will be built into all next-generation Internet, 
    communications and computer technology. There must be no government 
    policy equating use of encryption with evidence of criminal 
    behavior, nor the creation of any new crime category that holds 
    encryption users liable for making criminal investigation more

  * Government at all levels should explore cryptography's potential to
    replace identity-based or dossier-based systems - such as driver's
    licenses, credit cards, social security numbers, and passports - with 
    less invasive technology.

The Encrypted Communications Privacy bill at this time passes some of these
tests, and we are committed to working with industry, government, and public
interest organizations to address the remaining issues.

Background: EFF and Crypto-Privacy Policy

The Electronic Frontier Foundation (EFF) is a nonprofit public interest
organization devoted to the protection of online privacy and free 
expression.  EFF was founded in 1990, and is based in San Francisco, 

The International Traffic in Arms Regulations (ITARs), administered by 
the State Department, and in the background by the National Security 
Agency, unreasonably treat encryption software and hardware as if they 
were weapons of war, like rockets and bombs.  It has proven very difficult
to deploy U.S.-made encryption products in an increasingly important global
market due to these regulations, at a time when the need for online 
security systems for personal and commercial use has never been more 
keenly felt.

EFF has for several years led efforts to fend off governmental attempts 
to restrict the development and public availability of secure 
privacy technology.  In 1993-4, EFF and other civil liberties organizations 
successfully opposed implementation of the U.S. Administration's "Clipper" 
or "Skipjack" system - hardware encryption for voice and data 
communications in which all encryption keys are held by government for 
the convenience of law enforcement and intelligence agencies. In 1994, we 
helped ensure that crypto export became a major legislative topic, 
laying the groundwork for eventual liberalization of the ITARs. In 
1994 and 1995 EFF opposed implementation of and helped defeat funding for 
the FBI's "Digital Telephony" scheme, in which up to one person on every 
city block could be simultaneously wiretapped.  In 1995, we filed an ongoing
federal lawsuit with mathematician Daniel Bernstein, challenging the 
constitutionality of the export control laws.

Online Resources for More Information

Please see EFF's Internet archives for more details on this and other issues.

EFF Privacy & Encryption Archive:
EFF Legal Issues & Policy Archive:

Action Alerts:

Topical Index of the EFF Archive:

Contact Information

The Electronic Frontier Foundation
1550 Bryant St., Suite 725
San Francisco CA 94103 USA
+1 415 436 9333 (voice)
+1 415 436 9993 (fax)
Internet: •••@••.•••

John Gilmore, Co-founder and Member of the Board
•••@••.•••  +1 415 221 6524


Visit The Cyber-Rights Library,  accessible via FTP or WWW at:

You are encouraged to forward and cross-post list traffic,
pursuant to any contained copyright & redistribution restrictions.