The text of the proposed legislation is available at: http://www.epic.org/crypto/legislation/s1587.html

Analysis

The proposed Encrypted Communications Privacy Act addresses a number of unresolved issues concerning the use of encryption technology. The proposed legislation would:

Relax export controls by transferring authority for export decisions to the Secretary of Commerce, and mandate the removal of controls on "generally available" encryption software;

Create a legal framework for key escrow agents, including an obligation to disclose keys and assist law enforcement, and establish penalties for improper disclosure;

Affirm the freedom to use and sell encryption within the United States; and

Criminalize the use of encryption which may have the effect of obstructing a felony investigation.

Export Controls

The bill moves encryption policy in the right direction by placing export control authority in the Commerce Department, rather than the State Department and the National Security Agency (NSA) -- the agencies currently charged with that responsibility. However, the legislation would only remove export controls on encryption software to the extent that software with similar capabilities is "generally available," or in the "public domain or publicly available." Likewise, controls would be lifted on hardware with encryption capabilities only if "a product offering comparable security is commercially available from a foreign supplier." These limitations raise two concerns:

The Commerce Department historically has been dependent upon NSA for assessments of the worldwide availability of encryption technology. The Commerce Department recently released the results of a survey it conducted of foreign encryption products. Portions of the Department's report were classified by NSA and withheld from public disclosure (EPIC is currently seeking the release of the complete report in a lawsuit filed under the Freedom of Information Act; Electronic Privacy Information Center v. Department of Commerce, C.A. No. 95-2228 (D.D.C.)). By conditioning the relaxation of export controls on a finding that similar products are "generally available," the legislation will likely perpetuate NSA's ability to influence export determinations and to thwart public oversight of Commerce Department actions.

The "generally available" requirement will continue to hamper the development of innovative security technology by U.S. firms. Restricting exports to products comparable to those already "available from a foreign supplier" will ensure that foreign, and not domestic, firms will be on the leading edge of privacy-enhancing technology. This is necessarily a non-competitive trade policy that will continue to obstruct the development of strong encryption.

EPIC supports the efforts of the bill's sponsors to liberalize export control, but EPIC believes the bill should go further. EPIC supports the complete repeal of these out-dated barriers to the development and dissemination of software and hardware with encryption capabilities. This is a necessary step to ensure the development of a secure Global Information Infrastructure that promotes on-line commerce and preserves individual privacy.

Key Escrow Procedures

As currently drafted, the bill does little to roll back the deployment of Clipper-inspired key-escrow encryption within the federal government. Indeed, a significant portion of the legislation is devoted to establishing a legal framework for the management of key-escrow systems in the private sector.
The bill would restrict certain activities by key holders and impose criminal and civil penalties for the unauthorized disclosure of keys. Key holders could only release keys (1) with the consent of the person whose key is held; (2) as may be "necessarily incident to the holding of the key;" and (3) to law enforcement or investigative officers pursuant to federal wiretap law or the Foreign Intelligence Surveillance Act. Under the current bill, keys could be disclosed to law enforcement officials without satisfying a warrant requirement.

The legislation also establishes reporting requirements on the number of orders and extensions served on key holders to obtain access to decryption keys or decryption assistance consistent with current reporting requirements in the federal wiretap statute.

Statutory protection for the privacy of encryption keys appears to be a worthy goal. The bill's key-escrow procedures, however, must be considered in the context of the larger policy debate concerning encryption. Beginning with Clipper and continuing with the more recent "commercial key-escrow" proposal, law enforcement agencies and the national security community have lobbied aggressively for the implementation of key-escrow systems that would provide government the ability to decrypt secure data. Such proposals have also been supported by companies that have received substantial government contracts or promises of special deals on export licenses.

Users and most businesses have remained firmly opposed to the key-escrow concept. Indeed, there is virtually no installed base for key-escrow encryption, while the number of users of non-escrowed encryption is in the millions. By placing a Congressional imprimatur on the key-escrow concept, the legislation will have the effect of supporting an escrow scheme that has already been rejected by users and businesses. A statutory scheme that creates a legal framework for key-escrow is contrary to the privacy interests of network users and the security needs required for network development.

EPIC recommends that the key escrow provisions of the bill be dropped.

Freedom to Use and Sell Encryption

The proposed legislation appears to affirm an absolute right to use and sell encryption, but a close reading of the bill shows otherwise. The proposed legislation provides that it "shall be lawful for any person within ... the United States ... to use any encryption ..." and "to sell in interstate commerce any encryption ..." It then modifies that language with the words "except as provided in this Act and the amendments made in this Act or in any other law."
As described below, the bill then sets out the first criminal penalties yet proposed for the domestic use of encryption. Other similar provisions could easily be added. Since there is currently no regulation of encryption in the United States, supporters of the bill must explain what will be accomplished by this effort to establish a government regulatory scheme for the use of encryption.

EPIC believes that there is a fundamental constitutional right to use encryption and would support only an unconditional articulation of that right. The current statutory framework clearly opens the door to further regulation of privacy-enhancing technologies.

"Unlawful Use of Encryption"

The proposed legislation contains the first explicit criminal penalties for the use of encryption within the United States. It would criminalize the use of encryption to "obstruct, impede, or prevent the communication of information in furtherance of a felony ... to an investigative or law enforcement officer." This provision is unlikely to add much to the existing legal arsenal available to law enforcement agencies or prosecutors. Use of encryption in furtherance of a crime could currently be prosecuted under existing conspiracy and obstruction of justice statutes. The effect of the proposed provision could be to discourage the deployment of encryption where it is appropriate and to raise unnecessary suspicion about the use of routine security procedures. The net result could be an increased risk to public safety and network security.

EPIC recommends that this provision be struck from the bill. As currently drafted, it is far too broad to serve any useful purpose.

Conclusion

The proposed Encrypted Communications Privacy Act provides an opportunity to revise outdated encryption policies that have undermined network security, jeopardized personal privacy and frustrated public accountability. Although the current draft of the bill does not go far enough in removing antiquated controls on the export of encryption technology, the proposal recognizes the need for sweeping changes to the export regime. Removal of export restrictions on encryption technology is a pressing need and Congress should address the issue expeditiously.

Less desirable is the bill's promotion of key-escrow encryption. This is the Clipper-like scheme that should finally be laid to rest. Congressional action on key-escrow management is unnecessary and the issue certainly need not be addressed in conjunction with a relaxation of export controls. Legislation concerning key-escrow will have a detrimental effect on the development of secure network technologies and necessary privacy safeguards. EPIC will remain opposed to this provision.

EPIC commends the sponsors of the proposed legislation for moving the public debate on the relaxation of export controls forward and recognizing the need for an overhaul of an out-dated policy. We are confident that further consideration of the unnecessary and potentially dangerous provisions contained in the current version will result in a legislative approach that best serves the needs of all concerned -- users, industry and government.