From: Danny Weitzner Newsgroups: comp.org.eff.talk,sci.crypt.alt.politics.datahighway.alt.privacy.clipper Subject: New Clipper Legislative Proposal From House Science Committee Date: 14 Jul 1994 21:07:38 GMT Organization: Electronic Frontier Foundation Distribution: world NNTP-Posting-Host: danny.eff.org X-UserAgent: Version 1.1.3 X-XXMessage-ID: X-XXDate: Thu, 14 Jul 94 23:07:36 GMT The staff of the House Science, Space, and Technology Committee has just released a draft bill which would create a somewhat more public process for establishment of Clipper-like escrowed encryption systems. Entry of the congress into this policy debate is a welcome change after 18 months of one-sided Executive Branch edicts. However, considerable changes would be required before the legislation would meet EFF's goals for a truly open federal encryption policy which preserves the right of private individuals to use any form of encryption, without restriction or penalty. Despite its promise of an open process, this bill is by no means a repudiation of the Clipper program, In fact, it enshrines in legislation several key aspects of the Clipper policy. However, inasmuch as the bill seeks to establish NIST authority to develop escrow encryption systems, it raises real questions about whether NIST or other agencies have any authority now to spend federal funds on escrow encryption systems. Overview of the bill The bill directs the Department of Commerce, through the National Institute of Standards, to escrowed encryption standards. The standards issued would be subject to public comment and afford the opportunity for judicial review under the terms of the Administrative Procedures Act. Similar procedures created for the designation of government key escrow agents. Several aspects of the Clinton Administration's approach to cryptography policy are accepted by this bill: 1. Absolute preservation of law enforcement and national security access By this bill, any encryption standards adopted must "preserve the functional ability of the government to interpret, in a timely manner, electronic information that has been obtained pursuant to an electronic surveillance permitted by law." Sec 31(b)(2)(E). 2. Weak privacy protection The bill specifies that standards adopted should advance the development of the NII, but offers only qualified support for privacy. Standards should are only required to go so far as to not "diminish existing privacy rights...." Sec 31(b)(2)(D). 3. Increased role for National Security Agency in civilian privacy and security matters The bill establishes a permanent role for the National Security Agency in the creation of privacy and security standards for use by the private sector. Currently, under the Computer Security Act, NIST is encouraged to consult with the NSA on matters of federal systems security and to draw "computer system technical security guidelines developed by the National Security Agency to the extent that the National Bureau of Standards determines that such guidelines are consistent with the requirements for protecting sensitive information in Federal computer systems." This would explicitly extend the NSA role from federal systems to systems intended for public, civilian use. As such, this is a major change in the Computer Security Act. Issues to be addressed in draft To create a truly open policy process, to protect privacy, and to ensure the development of the best privacy-protecting technology possible, the bill should be augmented with the following provisions: 1. Voluntary standards Any legislation on encryption standards must guaranty that no one will be required to use such standards, nor will use of other encryption standards be curtailed by law. Furthermore, federal encryption policy should guaranty that access to government programs, opportunities, or even the ability to communicate with the government, should never be conditioned on the use of any escrowed encryption standard. From the first announcement of the Clipper program, the Clinton Administration has assured the public that escrowed encryption would remain voluntary. This promise must be included in legislation. 2. Open design process The draft bill does call for an open process for formation of encryption standards. Legislation should make explicit that an open process means that no classified algorithms or technologies may be included. Though there was public comment on the Escrowed Encryption FIPS, public process in that case was meaningless because the core technology remained behind a veil of secrecy. 3. Remedies for negligence or abuse by escrow agents As drafted, the proposal drastically limits the liability of federal escrow agents for any all but "willful" abuse by federal employees. The escrow agents must also be responsible for unauthorized release of keys because of the actions of private individuals or because of negligent practices by government agents. 4. Exploration of voluntary, private sector escrow agents Finally, if the government is going to adopt a government-based escrow system, it should also be required to explore the possibility of private party escrow systems based on open standards. ===TEXT OF BILL=============================================== (Cover letter & Summary) COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY U.S. House of Representatives Washington, DC 20515 July 13, 1994 MEMORANDUM To: ALL INTERESTED PARTIES From: Tony Clark Professional Staff Member Subject: Encryption Standards and Procedures Act Attached for your review and comment is a staff discussion draft of legislation to authorize the Administration to develop and issue, by regulation, federal encryption standards for ensuring the privacy, security, and authenticity of domestic and international electronic communications in a way that preserves privacy rights and maintains the government's authority and ability to conduct electronic surveillance. The bill has been drafted as a means to facilitate debate and resolve differences on the controversial "Clipper Chip" encryption standard that the Administration formally adopted in February. The proposed legislation would allow the Administration to issue voluntary encryption standards for public and private use, but only under a rulemaking process where all stakeholders would have an opportunity to influence the final program. With respect to policy, it would permit wider use of encryption technology while reasserting Fourth Amendment privacy rights and the government's authority to conduct electronic surveillance. To ensure those rights are preserved, the bill would impose new legal requirements on escrow agents that may be part of an encryption standard established under the legislation. It would also establish an R&D program at NIST to develop next generation encryption technology, and would authorize funding to implement the legislation. I would welcome your views and comments on the draft bill. You can reach me by phone at 202-225-9662 or by fax at 202-225-8057. Attachment: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- _STAFF DISCUSSION DRAFT__ July 12, 1994 103D CONGRES H.R. ___________ 2D SESSION IN THE HOUSE OF REPRESENTATIVES Mr. __________________ introduced the following bill; which was referred to the Committee on ______________________ A BILL To amend the National Institute of Standards and Technology Act to provide for the establishment and management of voluntary encryption standards to protect the privacy and security of electronic information, and for other purposes. Be it enacted by the Senate and House of Representa - tives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the "Encryption Standards and Procedures Act of 1994". SEC. 2. FINDINGS AND PURPOSES. (a) FINDINGS.-The Congress finds the following: (1) Advancements in communications and information technology and the widespread use of that technology have enhanced the volume and value of domestic and international communication of electronic information as well as the ability to secure the privacy and authenticate the origin of that information. (2) The proliferation of communications and information technology has made it increasingly difficult for the government to obtain and interpret, in a timely manner, electronic information that is necessary to provide for public safety and national security- (3) The development of the Nation's information infrastructure and the realization of the full benefits of that infrastructure require that electronic information resident in, or communicated over, that infrastructure is sufficiently secure, private, and authentic. (4) Security, privacy, and authentication of electronic information resident in, or communicated over, the Nation's information infrastructure are enhanced with the use of encryption technology. (5) The rights of individuals and other persons to security, privacy, and protection in their communications and in the dissemination and receipt of electronic information should be preserved and protected. (6) The authority and ability of the government to obtain and interpret, in a timely manner, electronic information necessary to provide for public safety and national security should also be preserved. (7) There is a national need to develop, adopt, and use encryption methods and procedures that advance the development of the Nation's information infrastructure and that preserve the personal rights referred to in paragraph (5) and the governmental authority and ability referred to in paragraph (6). (b) PURPOSES.-It is the purpose of this Act- (1) to promote the development of the Nation's information infrastructure consistent with public welfare and safety, national security, and the privacy and protection of personal property; (2) to encourage and facilitate the development, adoption, and use of encryption standards and procedures that provide sufficient privacy, protection, and authentication of electronic information and that reasonably satisfy the needs of government to provide for public safety and national security; and (3) to establish federal policy governing the development, adoption, and use of encryption standards and procedures and a federal program to carry out that policy. SEC. 3. ENCRYPTION STANDARDS AND PROCEDURES. The National Institute of Standards and Technology Act is amended- (1) by redesigning section 31 as section 32; and (2) by inserting after section 30 the following new section 31: "SEC. 31. ENCRYPTION STANDARDS AND PROCEDURES. "(a) ESTABLISHMENT AND AUTHORITY.-The Secretary, acting through the Director, shall establish an Encryption Standards and Procedures Program to carry out this section. In carrying out this section, the Secretary, acting through the Director, may (in addition to the authority provided under section 2) conduct research and development on encryption standards and procedures, make grants, and enter into contracts, cooperative agreements, joint ventures, royalty arrangements, and licensing agreements on such terms and conditions the Secretary considers appropriate. (b) FEDERAL ENCRYPTION STANDARDS.- "(1) IN GENERAL.-The Secretary, acting through the Director and after providing notice to the public and an opportunity for comment, may by regulation develop encryption standards as part of the program established under subsection (a) "(2) REQUIREMENTS.-Any encryption standard developed under paragraph(1)- "(A) shall seek to ensure and verify, to the maximum extent practicable, the confidentiality, integrity, or authenticity of electronic information; "(B) shall advance the development of the Nation's information infrastructure; "(C) shall contribute to public safety and national security; " (D) shall not diminish existing privacy rights of individuals and other persons; "(E) shall preserve the functional ability of the government to interpret, in a timely manner, electronic information that has been obtained pursuant to an electronic surveillance permitted by law; " (F) may be implemented in software, firmware, hardware, or any combination thereof; and " (G) shall include a validation program to determine the extent to which such standards have been implemented in conformance with the requirements set forth in this paragraph. " (3 ) PROCEDURES.-Standards developed under paragraph (1) shall be developed in colsulta- tion with the Attorney General, the Director of the Federal Bureau of Investigation, the Director of the National Security Agency, and the heads of other appropriate federal agencies. The Computer Systems and Privacy Advisory Board established in section shall review any such standards before such standards are issued and submit recommendations and advice regarding such standards to the See- retary. "(e) PERMITTED USE OF STANDARDS.-The federal Government shall make available for public use any standard established under subsection (b), except that nothing in this Act may be construed to require such use by any individual or other person. "(d) ESCROW AGENTS.- "(1) DESIGNATION.-If a key escrow encryption standard is established under subsection (b), the President shall designate at least 2, but not more than 3, Federal agencies that satisfy the qualifications referred to in paragraph (2) to act as key escrow agents for that standard. " (2) QUALIFICATIONS-A key escrow agent designated under paragraph (1) shall be a Federal agency that- "(A) possesses the capability, competency, and resources to administer the key escrow encryption standard, to safeguard sensitive information related to it, and to carry out the responsibilities set forth in paragraph (3) in a timely manner; and "(B) is not a Federal agency that is authorized by law to conduct electronic surveillance. "(3) RESPONSIBILITIES.-A key escrow agent designated under paragraph (1) shall, by regulation and in consultation with the Secretary and any other key escrow agent designated under such paragraph, establish procedures and take other appropriate steps- " (A) to safeguard the confidentiality of keys or components thereof held by the agent pursuant to this subsection; "(B) to preserve the integrity of the key escrow encryption standard established under subsection (b) for which the agent holds the keys or components thereof; "(C) to hold and manage the keys or components thereof consistent with the requirements of this section and the encryption standard established under subsection (b); and "(D) to carry out the responsibilities set forth in this paragraph in the most effective and efficient manner practicable. " (4) AUTHORITY.-A key escrow agent designated under paragraph (1) may enter into contracts, cooperative agreements, and joint ventures and take other appropriate steps to carry out its responsibilities. (e) LIMITATIONS ON ACCESS AND USE.- " (1) RELEASE O* KEY TO CERTAIN AGENCIES.-A key escrow agent designated under subsection (d) may release a key or component thereof held by the agent pursuant to that subsection only to a government agency, instrumentality, or political subdivision thereof that is authorized by law to conduct electronic surveillance and that is authorized to obtain and use the key or component by court order or other provision of law. An entity to whom a key or component thereof has been released under this paragraph may use the key or component thereof only in the manner and for the purpose and duration that is expressly provided for in the court order or other provision of law authorizing such release and use. "(2) LIMITATION ON USE BY PRIVATE PERSONS AND FOREIGN CITIZENS.- "(A) IN GENERAL.-Except as provided in subparagraph (B), a person (including a person not a citizen or permanent resident of the United States) that is not an agency of the federal Government or a State or local government shall not have access to or use keys associated with an encryption standard established under subsection (b). "(B) EXCEPTION.-A representative of a foreign government may have access to and use a key associated with an encryption standard established under subsection (b) only if the President determines that such access and use is in the national security and foreign policy interests of the United States. The President shall prescribe the manner and conditions of any such access and use. "(3) LIMIT ON USE BY GOVERNMENT AGENCIES.-A government agency, instrumentality, or political subdivision thereof shall not have access to or use a key or component thereof associated with an encryption standard established under subsection (b) that is held by a key escrow agent under subsection (d) unless such access or use is authorized by this title, by court order, or by other law. " (f) REVIEW AND REPORT.- "(1) IN GENERAL.-Within 3 years after the date of the enactment of this Act and at least once every 3 years thereafter, the Secretary shall conduct a hearing on the record in which all interested parties shall have an opportunity to comment on the extent to which encryption standards, procedures, and requirements established under this section have succeeded in fulfilling the purposes of this section and the manner and extent to which such standards, procedures, and requirements can be improved. "(2) REPORT.-Upon completion of a hearing conducted under paragraph (1), the Secretary shall submit to the Congress a report containing a statement of the Secretary's findings pursuant to the hearing along with recommendations and a plan for correcting any deficiencies in achieving the purposes of this section that are identified as a result of the hearing. " [ (g) VIOLATIONS, ENFORCEMENT, AND PEN PENALTIES.- "[(1) CIVIL PENALTIES.- "[(A) IN GENERAL.-The Attorney General may impose a civil penalty against any individual or other person (including an officer or employee of government) who commits any of the violations described in paragraph (2). The amount of a civil penalty imposed under this paragraph may not exceed $1,000 per day for each such violation. "[(B) PROCEDURES FOR IMPOSITION O* CIVIL PENALTIES.-The Attorney General shall establish standards and procedures governing the imposition of civil penalties under subparagraph (A). The standards and procedures shall provide for the imposition of a penalty only after the individual or other person has been given an opportunity for a hearing on the record in accordance with section 554 of title 5, United States Code. "[(2) VIOLATIONS.-It shall be a violation of this section for- "[(A) any individual or other person (except an officer or employee of government authorized by this section to hold or use a key or component thereof) to hold or use a key or component thereof other than a key or component thereof that corresponds to a device which is the property of that individual or person; or "[(B) any officer or employee of government, including a key escrow agent- "[(i) to intentionally make available a key or component thereof to any person not authorized to have access to or use such key or component thereof under this section; or "[(ii) to use a key or component thereof in a manner or for a purpose not authorized under this section. "[(3) INJUNCTION.-The Attorney General may enjoin any individual or other person (including an officer or employee of government) from committing a violation of this section. The district courts of the United States shall have jurisdiction of any action brought by the Attorney General under this paragraph. ] "(h) REGULATIONS.-Within one year after the date of the enactment of this Act, the Secretary and each key escrow agent designated by the President under subsection (d) shall, after notice to the public and opportunity for comment, issue any regulations necessary to carry out this section. "(i) LIABILITY-The United States shall not be liable for any loss incurred by any individual or other person resulting from any compromise or security breach of any encryption standard established under subsection (b) or 14 any violation of this section or any regulation or procedure established by or under this section by- "(1) any person who is not an official or employee of the United States; or "(2) any person who is an official of the United States, unless such compromise, breach, or violation is willful. "(j) SEVERABILITY.-If any provision of this section, or the application thereof, to any person or circumstance, is held invalid, the remainder of this section, and the application thereof, to other persons or circumstances shall not be affected thereby. "(k) DEFINITIONS.-For purposes of this section: "(1) The term 'content', when used with respect to electronic information, includes the substance, purport, or meaning of that information. "(2) The term 'electronic communications system' has the meaning given such term in section 2510(14) of title 18, United States Code. "(3) The term 'encryption' means a method- "(A) to encipher and decipher the content of electronic information to protect the privacy and security of such information; or " (B) to authenticate the origin of electronic information. "(4) The term 'encryption standard' means a technical, management, physical, or administrative standard or associated guideline or procedure for conducting encryption, including key escrow encryption, to ensure or verify the integrity, authenticity, or confidentiality of electronic information that, regardless of application or purpose, is stored, processed, transmitted, or otherwise communicated domestically or internationally in any public or private electronic communications system. "(5) The term 'key escrow encryption' means an encryption method that allows the government, pursuant to court order or other provision of law, to decipher electronic information that has been encrypted with that method by using a unique secret code or key that is, in whole or in part, held by and obtained from a key escrow agent. "(6) The term 'key escrow agent' means an entity designated by the President under subsection (d) to hold and manage keys associated with an encryption standard established under subsection (b) "(7) The term 'key' means a unique secret code that enables a party other than the sender, holder, or intended recipient of electronic information to decipher such information that has be enciphered with a corresponding encryption standard established under subsection (b). " (8) The term 'electronic information' means the content, source, or destination of any information in any electronic form and in any medium which has not been specifically authorized by a Federal statute or an Executive Order to be kept secret in the interest of national defense or foreign policy and which is stored, processed, transmitted or otherwise communicated, domestically or internationally, in an electronic communications system, and "(A) electronic communication within the meaning of section 2510(12) of title 18, United States Code; or "(B) wire communication within the mean- ing of section 2510(1) of such title. "(9) The term 'government' means the Federal Government, a State or political subdivision of a State, the District of Columbia, or a commonwealth, territory, or possession of the United States. " (l) AUTHORIZATION OF APPROPRIATIONS.- "(1) IN GENERAL.-There is hereby authorized to be appropriated to the Secretary, to carry out this section, $50,000,000 for fiscal years 1995 through 1997, to remain available until e*pended. Of the amount authorized by this paragraph, $1,000,000 shall be available for the National Research Council study on national cryptography policy authorized under section 267 of the National Defense Authorization Act for Fiscal Year 1994 (10 U.S.C 421 note). "(2) TRANSFER AUTHORITY.-The Secretary may transfer funds appropriated pursuant to paragraph (1) to a key escrow agent other than the Secretary in amounts sufficient to cover the cost of carrying out the responsibilities of the agent under this section. Funds so transferred shall remain available until expended.". Danny Weitzner Deputy Policy Director, EFF +1 202 347-5400