Armey Letter to Reno Sept 27, 1999

Congress of the United States
Washington, D.C. 20015

September 27, 1999

Janet Reno, Attorney General
US Department of Justice
950 Pennsylvania Avenue, NW
Washington, DC 20530-0001

Dear Attorney General Reno,

There have been several developments since I last wrote to you on July 30 to raise serious questions about Justice Department and Administration policy regarding its stance on encryption policy and new proposals for federal programs that some have seen as threats to personal privacy.

I am cautiously optimistic about the Administration's recently announced encryption export policy change. As one of the 258 bipartisan cosponsors of H.R. 850, the SAFE Act, I was pleased by early reports that the Administration was planning to implement many of the changes proposed in that bill.

As you may know, H.R. 850 was tentatively scheduled for floor consideration in the House of Representatives this week. To determine how best to proceed, I believe it is important to get a more detailed response from you about the Administration's new position on encryption export controls. While I understand that the new rules are not expected until December, Congress needs more specific guidance from the Administration about how the new encryption policy will be executed.

Questions remain about the Administration's commitment to personal privacy. I still have very serious concerns about the Justice Department's proposed "Cyberspace Electronic Security Act of 1999 (CESA)." National Journal's TechDaily had earlier reported that a previous draft of this legislation would, "grant new authority to federal agents armed with search warrants to break into homes and offices and secretly implant devices that could unlock the passwords to encrypted information on suspects' computers." While I understand that this provision has been dropped from the most recent draft, the fact that it was ever proposed at all raises concerns in Congress.

Similarly, while I was pleased to read in your response letter of September 24 that the FIDNet program is currently "being designed to monitor federal executive branch computers… not private networks or the Internet in general," I would like to know why FIDNet was ever envisioned to cover private networks. Page 58 of the draft copy of the FIDNet proposal clearly states, "the Plan also calls for the creation of a three pillar system of these netted and adaptive intrusion detection networks, covering critical government and (ultimately) private sector information systems." Are you willing now to state that neither FIDNet nor any similar Administration program will ever be expanded to monitor private networks or the Internet in general?

Answers to these questions would be very helpful in reassuring Americans that their government will not engage in cybersnooping. The lack of public discussion of these sweeping proposals has served only to foster these suspicions. The Justice Department and Administration should act now to clarify their intentions and restore the American people's confidence in the security of their personal communications.

In addition, it would be quite helpful if you would clarify some issues raised by the encryption press conference of September 16 and the proposed "Cyberspace Electronic Security Act of 1999":

  • After years of insisting on mandatory key escrow as necessary for law enforcement, why has that view suddenly changed?
  • The latest White House proposal includes both administrative changes to the current export controls and legislative proposals to enhance the ability of law enforcement to read encrypted materials when necessary. In fact, Secretary Daley said "the export control liberalization is balanced by the additional tools for law enforcement and additional resources devoted to improving the privacy and security of government information services." As you know, it will be difficult to pass new legislation as complex as CESA in the time remaining this session before December 15. Are the administrative changes to current encryption export controls contingent on Congress passing CESA or are they separate proposals?
  • What specifically do you expect the one-time technical review of encryption products to entail? What distinction is there, in your view, between a technical review process and the current licensing process?
  • How long do you envision these reviews taking and how extensive do you expect them to be? What exactly is meant by the term "meaningful review"?
  • Despite early reports that the Administration proposal largely reflected the reforms in the SAFE Act, it was clear from the press conference that the Administration still intends to veto the SAFE Act if passed as currently written. In light of the announced changes in encryption policy, how do you envision the December 15 regulations being different from the SAFE Act? What specifically are the remaining objections to HR 850?
  • In your prepared remarks, you stated that "Today's announcement substantially relaxes export controls." Later, a reporter asked: "Would you consider this a relaxing of restrictions on encryption?" and you answered "No." Defense Deputy Secretary Hamre seemed to echo that answer, stating: "It's not relaxation, it's really a very different approach." Could you please explain the apparent contradiction between your prepared remarks and your answer to questions about whether the new Administration policy actually involves a relaxation of export controls?
  • With regard to the proposed "Cyberspace Electronic Security Act of 1999," what exactly do you envision the role of the FBI's Technical Support Center being? Research and development on ways to defeat encryption controls for law enforcement purposes? How will the Technical Support Center be coordinated with the enforcement arm of the agency?
  • You indicated that CESA will provide "special protections for decryption keys stored with third-party recovery agents." Protection from whom?
  • When asked why the Administration dropped an earlier proposal to provide new authority for search warrants for encryption keys without contemporaneous notice to the subject, you answered "We have had further discussion, and feel like, that under existing authorities, with the technical support center funded by the existing authorities, that we can address the issue, and ensure our abilities to continue our law enforcement responsibilities." Does this mean that the Administration feels that it already has the authority to search for encryption keys without notifying the subject?
  • Does that answer mean that funding the Technical Support Center will give you the ability to search for encryption keys without notifying the subject, or that it will enable you to read encrypted material without needing to search for the encryption key first?
  • You further indicated that CESA will "protect the confidentiality of government techniques used to obtain usable evidence such as techniques developed by the Technical Support Center." Does that extend only to the exact technological means of breaking the encryption product, or do you envision confidentiality to include government efforts to search for encryption keys without notifying the subject?
  • While not mentioning FIDNet specifically, there were several references to the need to "improve the privacy and security of government information services." In fact, Secretary Daley referred to that need as an important balance to export control liberalization. Does the Administration consider FIDNet a component of its new encryption policy?
  • If so, explain how FIDNet, supposedly a warning system against outside hackers into government computers, is related to an export control policy on encryption products? Does this mean that the Administration is expecting support from Congress and industry for FIDNet as a component of the new encryption export control policy?
  • The Washington Post on September 22 reported that the Administration had altered its original FIDNet proposal in response to criticism from civil libertarians and Congress. Is this a fair characterization of your motivations?
  • What changes, specifically, have you made to the proposal?
  • I was under the impression that FIDNet was not yet an official Administration proposal - that it was only a draft and had not been cleared by the White House. Have I been misinformed?
  • What role, if any, will the FBI's Technical Support Center have in FIDNet and vice versa? If so, would that role also be covered by the confidentiality language you have included in CESA?
  • In the press conference, you indicated that the Technical Support Center was first proposed by the industry. Could you please elaborate on that conversation? Did industry offer to support the creation of a Technical Support Center at the FBI in exchange for a change in the Administration's position on encryption export controls? If so, which industry representatives?

While recently announced changes to encryption export controls, CESA, and FIDNet are welcome, the fact that it took intense pressure from Congress and the public to force those changes remains a concern. Protecting personal privacy, especially from government cybersnooping, is too important to be done in the dark. I hope you take this opportunity to enlighten us all about the Administration's plans in these areas.

Given the short amount of time remaining in the legislative session, I would appreciate a response to this letter by October 15, 1999. If we are to help implement the Administration's new encryption export control policy, Congress will need much more specificity on what that policy is before we adjourn. Thank you for your cooperation.

Sincerely,

Dick Armey
House Majority Leader

Cc: Secretary of Commerce, William M. Daley
Secretary of Defense, William S. Cohen
National Security Adviser, Samuel R. Berger
Chief Counselor for Privacy at OMB, Peter Swire