Encryption Bills Considered By Congress in 1997

This summary was provided by the Electronic Frontier Foundation on October 10. Note that this is far from an unbiased summary, since the EFF is adamantly opposed to any regulations on encryption.


This year, both the United States House of Representatives and Senate considered encryption legislation. EFF believes that all of the bills introduced are flawed.

SAFE

The most talked-about bill introduced this Congress, the Security and Freedom through Encryption (SAFE) bill, H.R. 695 (http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.695: ), was sponsored by Representatives Goodlatte and Eshoo and gathered over 250 co-sponsors. SAFE was unanimously approved by the House Judiciary Committee on May 14, 1997. On July 22, it was approved by the House International Relations Committee by a voice vote, rejecting an amendment offered by Committee Chairman Ben Gilman (http://www.cdt.org/crypto/legis_105/SAFE/970722_amd_Gilman.html ) that would have gutted the bill by allowing the Administration to override its provisions under ill-defined "national security" concerns, such as the very excuses now being used to justify export controls against encryption in the first place.

On September 9, 1997, the House National Security Committee added an amendment from Reps. Dave Weldon and Ronald Dellums (http://www.cdt.org/crypto/legis_105/SAFE/970909_amd.html ) that drastically changed the bill, essentially reversing its intent, and then approved the amended bill. This version would increase export controls by giving the Dept. of Defense veto power over Commerce Dept. crypto export approvals. The amendment was so poorly and short-sightedly written it would undermine US competitiveness and even financial network security by providing no exceptions for limited crypto export by banks and foreign branches of US companies.

On September 11, 1997, the House Permanent Select Committee on Intelligence added an FBI-inspired amendment that drastically changed the bill again, even further away from the bill's purpose, and passed it (http://www.cdt.org/crypto/fbi_draft_text.html ). This version imposes severe and Orwellian *domestic* restrictions on use and availability of encryption, to ensure that police and spy agencies have "immediate decryption" capability over any encrypted message file, and that providers of encryption or encrypting network service give law enforcement this access without the knowledge of the party being spied upon.

On September 24, 1997, the House Commerce Committee added an amendment that yet again changed the bill by calling for the creation of a National Electronic Technologies Center that would assist law enforcement in research and would provide assistance to federal, state, and local law enforcement agencies in coping with encryption encountered in the course of investigations. The amendment, by Reps. Markey and White, (http://www.cdt.org/crypto/legis_105/SAFE/Markey_White.html ) also would direct the National Telecommunications and Information Administration (NTIA) to conduct a study of the implications of mandatory key recovery, and the amendment increases the criminal penalties under SAFE for the use of encryption in the furtherance of a federal felony. This amendment was passed over an even more sinister one calling for "immediate access" by police to any encrypted message or other data, and strong criminal penalties for users or distributors of actually-secure encryption. The amendment represented an incredibly bold move by the FBI, grasping as it did for even more power than that in the Intelligence Committee amendment - it essentially attempted to illegalize real encryption, since the only way to provide "immediate access" is to either give police "skeleton keys" to all encrypting products before they are released, or to reduce all security software's strength so much that it can be instantly cracked by police - or anyone else. This, fortunately defeated, amendment (http://www.cdt.org/crypto/legis_105/SAFE/Oxley_Manton.html ) was introduced by Reps. Oxley and Manton.

These disparate versions of the bill - none of them good - must now be reconciled in the House Rules Committee before a final "compromise" version can be voted on the House floor. Late in Sept., Rules Committee leadership declared allegiance to the law enforcement and intelligence agencies' position, and vowed to kill SAFE if it did not grant government the powers it demanded.

It is likely that Rules will simply report out a version of SAFE with most or all of the police "wish list" intact if they cannot be convinced to kill the bill entirely. Such an "unSAFE" bill could pass the House. Even if it fails, the McCain-Kerrey bill (see below) may pass the Senate and enter the House for consideration. Neither eventuality is probable, but vigilance is necessary.

EFF believes that there are serious civil liberties problems with *all* versions of SAFE. First, SAFE creates a new crime (which calls for five years imprisonment for a first offense and ten years for subsequent offenses, on top of any other criminal penalties) for using encryption in furtherance of any criminal offense.

This short-sighted proposal would make anyone convicted of any crime, even a minor one, subject to life-wrecking prosecution and imprisonment simply because they did what we will all soon be doing - using an encrypting phone, email program or web browser - when they broke the law. This is like making it an extra crime to speak English or to wear shoes during the commission of a crime. Legislators hoped this farcical "crypto-in-a-crime" provision would mollify law enforcement, but it has not done so. FBI Dir. Louis Freeh has made it clear that investigative agencies want export and import controls, access to everyone's messages without a warrant and without our even knowing about it, and severe criminal penalties for all who try to keep Big Brother out of their computers.

The problems with SAFE do not stop with "crypto-in-a-crime". SAFE gives law enforcement officers the authority to gain access to encrypted information without notification to the owners of the information. And it does not legalize the export of encryption software that is not being mass-marketed or is not in the public domain.

Amended versions of SAFE are even worse. They would put new restrictions on the *domestic* use of encryption (requirements that go beyond the current limitations on the export of encryption), and/or even more severe penalties for use of encryption in a crime.

EFF believes that all limitations on encryption are in violation of the First Amendment, and domestic restrictions are an extreme power grab by law enforcement at a time when most citizens do not fully understand the implications of this action.

EFF is working to ensure that the SAFE bill is killed before it reaches the House floor for a vote.

YOU CAN HELP. Please see the "What You Can Do" section, below.

Secure Public Networks Act

The misnamed Secure Public Networks (SPN) bill, S. 909 (http://thomas.loc.gov/cgi-bin/query/z?c105:S.909: ), is the Clinton Administration's bill. It was sponsored by Senators McCain and Kerrey. This bill is an anti-privacy measure, in that it would require third-parties holding decryption keys to surrender them in response to a mere subpoena, issued without judicial approval and without notice to the encryption user.

While its sponsors claim that it would not make key recovery mandatory, SPN would require the use of key recovery systems in order to obtain the "public key certificates" needed to participate in electronic commerce and would require key recovery for all secure networks built with any federal funds -- including the Internet II project and most university networks. It creates 15 new federal crimes dealing with the use of encryption and key recovery (not all of them bad from a privacy standpoint.)

In addition to the stated objectives of the bill, SPN is disturbing because of some of the things that it does *not* specify. SPN directs the President to negotiate with foreign countries to create a worldwide system for international government access to keys, but provides no limitations on the President's power. Even more disturbing, SPN gives the President the authority to disregard any or all of the provisions of the bill on the basis of a Presidential Executive Order - yet another way for "national security" concerns to be used as an excuse to undermine limits on the government's ability to restrict encryption use and distribution. The bill also grants the Commerce Department sweeping new enforcement powers. The bill was referred to the Senate Commerce Committee, and may also be taken up by the Constitution Subcommittee of the Senate Committee on the Judiciary. Some form of the SPN stands a fair chance of passing the Senate (to be taken up and passed, possibly with amendments, or rejected by the House).

Pro-CODE

The Promotion of Commerce Online in the Digital Era (Pro-CODE) bill, S. 377 (http://thomas.loc.gov/cgi-bin/query/z?c105:S.377: ), was introduced by Senator Burns on February 27, 1997. Pro-CODE was considered one of the "better" encryption bills, in fact, the best bill introduced in the Senate, but it still contained civil liberties concerns. Pro-CODE would have expanded the times encryption could be restricted and stated that nothing in the bill could be construed to affect any law intended to prevent the enforcement of federal or state law. The bill would have relaxed export restrictions on encryption more than either SAFE or ECPA II (discussed below). The Secure Public Networks Act was substituted for Pro-CODE, and passed over a short-lived "Pro-CODE II" compromise amendment offered by Burns, when it came for a vote in the Senate Commerce committee, March 19, 1997.

ECPA II

The Encrypted Communications Privacy Act (ECPA II, ECPA I being the Electronic Communications Privacy Act of 1986), S. 376 (http://thomas.loc.gov/cgi-bin/query/z?c105:S.376: ), was introduced by Senator Leahy on February 27, 1997. ECPA II would prohibit mandatory use of key recovery but would permit law enforcement to obtain keys if recovery were used. It would also make it a crime to use cryptography to obstruct justice, while offering partial deregulation of encryption export. The bill was referred to the Senate Judiciary Committee, which held hearings on it on July 9, 1997. This bill is not expected to pass but may influence the SPN legislation in the form of attempts at compromise.

Computer Security Enhancement Act

The Computer Security Enhancement Act of 1997, H.R. 1903, (http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.1903: ) was introduced by Representative Sensenbrenner on June 17, 1997. It would amend and update the National Institute of Standards and Technology Act to: (1) upon request from the private sector, assist in establishing voluntary interoperable standards, guidelines, and associated methods and techniques to facilitate and expedite the establishment of non-Federal public key management infrastructures that can be used to communicate with and conduct transactions with the Federal Government; and (2) provide assistance to Federal agencies in the protection of computer networks, and coordinate Federal response efforts related to unauthorized access to Federal computer systems. The bill also would authorize NIST to perform evaluation and tests of: (1) information technologies to assess security vulnerabilities; and (2) commercially available security products for their suitability for use by Federal agencies for protecting sensitive information in computer systems. This bill was passed by the House on September 16, 1997, and was referred to the Senate Committee on Commerce, where it awaits consideration.

Communications Privacy and Consumer Empowerment Act

The Communications Privacy and Consumer Empowerment Act, H.R. 1964 (ftp://ftp.loc.gov/pub/thomas/c105/h1964.ih.txt ), was introduced by Representative Markey on June 19, 1997. This bill would codify existing domestic use policy, permitting unrestricted use of any encryption. It would also prohibit the government from requiring key recovery as a criterion for encryption licensing. The bill was referred to the House Committee on Commerce. Passage is considered unlikely.