Subject: EFF concerned with E-PRIVACY Act (S. 6027)
Analysis of S. 6027, the "Encryption Promotes the Rights of Individuals in the Virtual Arena Using Computers" (E-PRIVACY) Act
Prepared by the Electronic Frontier Foundation, May 1998
Introduction
The protection of privacy is one
of the greatest challenges facing our country today. As one of the leading
civil liberties organizations that has worked to safeguard this important
right, the Electronic Frontier Foundation (EFF) has long recognized the
importance of technologies such as encryption for the protection of personal
privacy. Whether they seek security for communications about intimate personal
matters, medical information, credit card transactions, human rights
activities,
or controversial political opinions, American citizens expect and deserve
the right to communicate privately both within the United States and across
national borders.
To protect citizens' basic civil
liberties, EFF supports two principal goals that must be incorporated into
our national encryption policy. First, existing U.S. controls on the export
of encryption products and technology must be repealed for everyone, not
simply mass-market producers of encryption software. Second, encryption
policy must preserve the right of all Americans to use any encryption product
or technique they wish, both domestically and abroad.
Furthermore, EFF opposes:
- Any government attempts to regulate the domestic use of encryption;
- Legal provisions that would criminalize the use of encryption;
- Requirements for "key-escrow" or "key-recovery" techniques that would enable government access to private communications or data; and
- Linkages between the issuance of a digital signature or other electronic authentication certificate and the escrowing or registration of an encryption key.
Legislation reflecting the above
goals would ensure the widespread availability of robust and secure encryption
products, a result that is critical for our nation's continued leadership
of the information industry and the protection of personal
privacy.
The E-PRIVACY Act: The Good News
EFF is pleased to say that the E-PRIVACY
Act is the most thoughtful piece of encryption legislation to date. Introduced
by Senators John Ashcroft (R-Mo.), Patrick J. Leahy (D-Vt.), and Conrad
Burns (R-Mont.), the new
bill differs sharply from proposals favored by the Clinton Administration
and law enforcement/national security agencies by easing export controls
on mass market encryption products, limiting government access to decryption
keys, and prohibiting the government from requiring key recovery
mechanisms.
Specifically, EFF commends the bill's
sponsors for introducing a bill that would:
- Bolster the rights of Americans to use and sell the "generally available" encryption products they want at whatever strength they desire;
- Prohibit government-compelled key escrow or key recovery encryption;
- Prohibit indirect controls or ties to encryption used for authentication or integrity purposes;
- Require a court order to obtain decryption keys/assistance held by a third party that will be used to decrypt communications subject to a wiretap;
- Extend to remotely stored electronic information the same protections as exist under existing law (e.g., ECPA) for information stored in your home, thereby requiring a court order or subpoena to obtain either the plaintext or a decryption key/assistance from a third party; and
- Require a probable cause court order from a judge for law enforcement to get real-time access to location information generated by mobile electronic services.
[Source: Patrick Leahy, "Summary of the Ashcroft-Leahy E-PRIVACY Act," May 12, 1998]
The E-PRIVACY Act: The Rub for Academic Cryptographers
Consistent with other legislative
proposals currently circulating in the Senate and House of Representatives,
the E-PRIVACY Act focuses on businesses and products and fails to mention
the science of cryptography. Yet, if the science is not free, there will
be no products. Remember, RSA stands for Rivest, Shamir, and Adleman, none
of whom worked for a company when they came up with the algorithm.
EFF represents academic cryptographer
Daniel Bernstein in his thus-far-successful challenge to the constitutionality
of the Clinton Administration's restrictions on strong encryption. EFF
believes that existing U.S. controls on the export of encryption products
and technology need to be repealed for everyone, not simply mass-market
producers of encryption software. Legislators need to acknowledge that
cryptography is a science in which the United States has always been a
leader, and the science of cryptography needs to grow and develop through
the free and open exchange of ideas among scientists, academics, and others
around the world.
Under section 302(a) of the E-PRIVACY
Act, cryptographers would continue to be required to submit their programming
code to the government for technical review prior to export. This requirement
of technical review, coupled with a lack of clear guidance for a reviewing
agency, results in an unconstitutional prior restraint on speech under
the First Amendment. The trial court in the Bernstein v. U.S. Department
of Justice case held that these constitutional concerns are real and
that the current regime of export controls on encryption is a prior restraint
on speech.
The government's stated purpose
in requiring this submission, to verify "that an encryption product works
as represented," does not overcome these constitutional problems. The
government does not provide a technical review like this for any other technology,
and it is not appropriate for the government to impose this condition here,
especially where cryptographers are required by statute to participate
in this review.
To make clear that the science is
protected as well as the commercial uses and sales of cryptography, the
bill should be amended to state that "American individuals and companies
should be free…." This will directly include scientists and others who
need to "exchange encryption technology." In addition, the bill should
acknowledge that cryptography is a science in which the United States has
always been a leader, and the science of cryptography needs to grow and
develop through the free and open exchange of ideas, including computer
software and related items, among scientists, academics and others around
the world. It should also note that such exchanges are protected by the
Constitution.
Similarly, the statute should specify
that no license is required for software or related technology that is
published or shared as part of the development of the science of cryptography.
This should include any publication, discussion (such as conferences or
face-to-face meetings), e-mail, fax, or other form of correspondence among
cryptographers, whether electronic or paper-based.
EFF's Other Concerns with the E-PRIVACY Act
There are a few other problems with
the E-PRIVACY Act that EFF hopes the bill's sponsors will consider as it
wends its way through Congress. These include:
- The bill specifically exempts from licensure only that encryption that is "generally available." But no new products are ever generally available as they are introduced, and the government should not be requiring licensure of speech if it is "new" speech. The exception for products where competitors will be releasing their products within 18 months puts government in the despicable role of interfering with free trade.
- The use of encryption in the commission of a crime should not trigger additional criminal penalties. The criminal activity itself is what needs to be punished; the use of a particular tool during its commission is not relevant, and penalizing it creates additional punishments for individuals engaging in protected speech. Encryption is speech protected by the First Amendment. This added punishment will create a chilling effect on this speech.
- EFF has concerns about the National Electronic Technologies (NET) Center that would be established under Section 202. With the past as our guide, we are concerned that the creation of the NET Center may result in businesses being strong-armed by government agencies into weakening encryption. In one highly publicized example, the National Security Agency (NSA) pressured the wireless telephone industry to weaken the encryption protecting the privacy of digital cellular telephones. Furthermore, documents obtained through Freedom of Information Act (FOIA) requests by the Electronic Privacy Information Center revealed NSA involvement in developing the Administration's current encryption policy, despite Congress's clear rejection of the NSA's playing such a determinative role in domestic computer policy in the Computer Security Act of 1987 and elsewhere. Although the National Institute of Standards and Technology (NIST) posed as the "front-man" for the United States' encryption control policy, it was the NSA that developed and dictated it.
- The bill extends the technical review requirement to all software, by requiring any software that includes programming interfaces to be submitted for a one-time review before export. This would include operating systems, servers, browsers, e-mail programs, word processors and spreadsheets. There has never been any regulatory or statutory basis for requiring agency approval of software that does not actually contain encryption. This requirement is overly broad and is not warranted.
- The bill does not provide for sufficient judicial review of agency actions under the scheme. While it does provide for judicial review of agency decisions of foreign availability, an improvement that EFF strongly applauds, there is still no judicial review provided for other agency decisions under the statute. This leaves broad discretion to the administering agencies, with no legal recourse when these agencies abuse this discretion. For example, in Section 307(b), the bill provides that, to restrict export, the Secretary must demonstrate by "substantial evidence" that the software will be used for an improper purpose. Without judicial review of agency decisions, there is no review of that "substantial evidence," and the agency can simply continue to ignore Congressional requirements, as it has in the past, leaving those affected with no recourse.
- The bill does not meet the requirements of a speech regulation in other substantial ways. Not only should this bill explicitly provide for judicial review of agency decisions, but it should require that all agency decisions be made quickly (i.e., within three to five days) and that the government bear the burden of going to court and proving that there is a reason for denying an export, and it should include any other requirements of a regulation that places limitations on speech.
- Finally, electronic publication cannot be treated differently than paper publication. The Supreme Court, in Reno v. ACLU, No. 96-511 (June 26, 1997), held that electronic media should not be treated as a second-class citizen by the government. Yet, this bill sanctions the Administration's policy of restricting the export of computer code in electronic format while permitting the export of hardcopy books. Instead, the term "export" in the bill should be defined to expressly not include Internet publication of encryption software and related technical data or information.
For more information, the Electronic
Frontier Foundation provides an extensive archive of resources on encryption,
privacy, and free speech at its Web site http://www.eff.org.
Revised May 21, 1998.
Also available:
- 19980512_e-privacy_eff.pressrel: EFF press release regarding S. 6027, the "Encryption Promotes the Rights of Individuals in the Virtual Arena Using Computers" (E-PRIVACY) bill introduced in May 1998 by Senators Ashcroft and Leahy.
- 19980512_e-privacy_bill.summary: sponsors' introduction to and summary of S. 6027.
- 1998_s6027_e-privacy_bill.draft: Full text of the bill (in draft form - may differ slightly from official version which is not yet available online for some reason.)