EFF concerned with E-PRIVACY Act (S. 6027)

Analysis of S. 6027, the "Encryption Promotes the Rights of Individuals in the Virtual Arena Using Computers" (E-PRIVACY) Act

Prepared by the Electronic Frontier Foundation, May 1998

 

Introduction

The protection of privacy is one of the greatest challenges facing our country today. As one of the leading civil liberties organizations that has worked to safeguard this important right, the Electronic Frontier Foundation (EFF) has long recognized the importance of technologies such as encryption for the protection of personal privacy. Whether they seek security for communications about intimate personal matters, medical information, credit card transactions, human rights activities, or controversial political opinions, American citizens expect and deserve the right to communicate privately both within the United States and across national borders.

To protect citizens' basic civil liberties, EFF supports two principal goals that must be incorporated into our national encryption policy. First, existing U.S. controls on the export of encryption products and technology must be repealed for everyone, not simply mass-market producers of encryption software. Second, encryption policy must preserve the right of all Americans to use any encryption product or technique they wish, both domestically and abroad.

Furthermore, EFF opposes:

  • Any government attempts to regulate the domestic use of encryption;
  • Legal provisions that would criminalize the use of encryption;
  • Requirements for "key-escrow" or "key-recovery" techniques that would enable government access to private communications or data; and
  • Linkages between the issuance of a digital signature or other electronic authentication certificate and the escrowing or registration of an encryption key.

Legislation reflecting the above goals would ensure the widespread availability of robust and secure encryption products, a result that is critical for our nation's continued leadership of the information industry and the protection of personal privacy.

The E-PRIVACY Act: The Good News

EFF is pleased to say that the E-PRIVACY Act is the most thoughtful piece of encryption legislation to date. Introduced by Senators John Ashcroft (R-Mo.), Patrick J. Leahy (D-Vt.), and Conrad Burns (R-MT), the new bill sharply varies from proposals favored by the Clinton Administration and law enforcement/national security agencies by easing export controls on mass market encryption products, limiting government access to decryption keys, and prohibiting the government from requiring key recovery mechanisms.

Specifically, EFF commends the bill's sponsors for introducing a bill that would:

  • Bolster the rights of Americans to use and sell "generally available" encryption products they want at whatever strength they desire;
  • Prohibit government-compelled key escrow or key recovery encryption;
  • Prohibit indirect controls or ties to encryption used for authentication or integrity purposes;
  • Require a court order to obtain decryption keys/assistance held by a third party that will be used to decrypt communications subject to a wiretap;
  • Extend to remotely stored electronic information the same protections as exist under existing law (e.g., ECPA) for information stored in your home, thereby requiring a court order or subpoena to obtain either the plaintext or a decryption key/assistance from a third party; and
  • Require a probable cause court order from a judge for law enforcement to get real time access to location information generated by mobile electronic services. [Source: Patrick Leahy, "Summary of the Ashcroft-Leahy E-PRIVACY Act," May 12, 1998]

The E-PRIVACY Act: The Rub for Academic Cryptographers

Consistent with other legislative proposals currently circulating in the Senate and House of Representatives, the E-PRIVACY Act focuses on businesses and products and fails to mention the science of cryptography. Yet, if the science is not free, there will be no products. Remember, RSA stands for Rivest, Shamir, Adleman, none of whom worked for a company when they came up with the algorithm.

EFF represents academic cryptographer Daniel Bernstein in his thus-far-successful challenge to the constitutionality of the Clinton Administration's restrictions on strong encryption. EFF believes that existing U.S. controls on the export of encryption products and technology need to be repealed for everyone, not simply mass-market producers of encryption software. Legislators need to acknowledge that cryptography is a science in which the United States has always been a leader, and the science of cryptography needs to grow and develop through the free and open exchange of ideas among scientists, academics, and others around the world.

Under section 302(a) of the E-PRIVACY Act, cryptographers would continue to be required to submit their programming code to the government for technical review prior to export. This requirement of technical review, coupled with a lack of clear guidance for a reviewing agency, results in an unconstitutional prior restraint on speech under the First Amendment. The trial court in the Bernstein v. U.S. Department of Justice case held that these constitutional concerns are real and that the current regime of export controls on encryption is a prior restraint on speech.

The government's stated purpose in requiring this submission, to verify "that an encryption product works as represented," does not overcome these constitutional problems. The government does not provide a technical review like this for any other technologies, and it is not appropriate for the government to make this condition here, especially where cryptographers are required by statute to participate in this review.

To be clear that the science is protected as well as the commercial uses and sales of cryptography, the bill should be amended to state that "American individuals and companies should be free…." This will directly include scientists and others who need to "exchange encryption technology." In addition, the bill should acknowledge that cryptography is a science in which the United States has always been a leader, and the science of cryptography needs to grow and develop through the free and open exchange of ideas, including computer software and related items, among scientists, academics and others around the world. It should also note that such exchanges are protected by the Constitution.

Similarly, the statute should specify that no license is required for software or related technology that is published or shared as part of the development of the science of cryptography. This should include any publication, discussion (such as conferences or face-to-face meetings), e-mail, fax or other form of correspondence among cryptographers, whether electronic or paper-based.

EFF's Other Concerns with the E-PRIVACY Act

There are a few other problems with the E-PRIVACY Act that EFF hopes the bill's sponsors will consider as it wends its way through Congress. These include:

  • The bill specifically exempts from licensure only that encryption that is "generally available." But no new products are ever generally available as they are introduced, and the government should not be requiring licensure of speech if it is "new" speech. The exception for products where competitors will be releasing their products within 18 months puts government in the despicable role of interfering with free trade.
  • The use of encryption in the commission of a crime should not trigger additional criminal penalties. The criminal activity itself is what needs to be punished; the use of a particular tool during its commission is not relevant and is creating additional punishments for individuals engaging in protected speech. Encryption is speech protected by the First Amendment. This added punishment will create a chilling effect on this speech.
  • EFF has concerns about the National Electronic Technologies (NET) Center that would be established under Section 202. With the past as our guide, we are concerned that the creation of the NET Center may result in businesses being strong-armed by government agencies into weakening encryption. In one highly publicized example, the National Security Agency (NSA) pressured the wireless telephone industry to weaken the encryption protecting the privacy of digital cellular telephones. Furthermore, Freedom of Information Act (FOIA) requests obtained by the Electronic Privacy Information Center revealed NSA involvement in developing the Administration's current encryption policy, despite Congress's clear rejection of the NSA's playing such a determinative role in domestic computer policy in the Computer Security Act of 1987 and elsewhere. Although the National Institute of Standards and Technology (NIST) posed as the "front-man" for the United States' encryption control policy, it was the NSA that developed and dictated it.
  • The bill extends the technical review requirement to all software, by requiring any software that includes programming interfaces to be submitted for a one-time review before export. This would include operating systems, servers, browsers, e-mail programs, word processors and spreadsheets. There has never been any regulatory or statutory basis for requiring agency approval of software that does not actually contain encryption. This requirement is overly broad and is not warranted.
  • The bill does not provide for sufficient judicial review of agency actions under the scheme. While it does provide for judicial review of agency decisions of foreign availability, an improvement that EFF strongly applauds, there is still no judicial review provided for other agency decisions under the statute. This leaves broad discretion to the administering agencies, with no legal recourse when these agencies abuse this discretion. For example, in Section 307(b), the bill provides that the Secretary must demonstrate by "substantial evidence" that the software will be used for an improper purpose to restrict export. Without judicial review of agency decisions, there is no review of that "substantial evidence," and the agency can simply continue to ignore Congressional requirements, as it has in the past, leaving those affected with no recourse.
  • The bill does not meet the requirements of a speech regulation in other substantial ways. Not only should this bill explicitly provide for judicial review of agency decisions, but it should require that all agency decisions be made quickly (i.e., within three to five days) and that the government bear the burden of going to court and proving that there is a reason for denying an export, and it should include any other requirements of regulation that places limitations on speech.
  • Finally, electronic publication cannot be treated differently than paper publication. The Supreme Court, in Reno v. ACLU, No. 96-511 (June 26, 1997), held that electronic media should not be treated as a second-class citizen by the government. Yet, this bill sanctions the Administration's policy of restricting the export of computer code in electronic format while permitting the export of hardcopy books. Instead, the term "export" in the bill should be defined to expressly not include Internet publication of encryption software and related technical data or information.

For more information, the Electronic Frontier Foundation provides an extensive archive of resources on encryption, privacy, and free speech at its Web site http://www.eff.org.

Revised May 21, 1998.



Also available:

  • 19980512_e-privacy_eff.pressrel: EFF press release regarding S. 6027, the "Encryption Promotes the Rights of Individuals in the Virtual Arena Using Computers" (E-PRIVACY) bill introduced in May 1998 by Senators Ashcroft and Leahy.
  • 19980512_e-privacy_bill.summary: Sponsors' introduction to and summary of S. 6027.
  • 1998_s6027_e-privacy_bill.draft: Full text of the bill (in draft form - may differ slightly from official version which is not yet available online for some reason.)
