From: r...@gnu.ai.mit.edu (Richard Stallman)
Subject: Clinton Administration trying to prohibit real encryption
Date: 1997/03/29
Message-ID: <199703292325.SAA07521@psilocin.gnu.ai.mit.edu>
X-Deja-AN: 229331350
Sender: gnu-misc-dis...@prep.ai.mit.edu
x-gateway: relay2.UU.NET from gnu-misc-discuss to gnu.misc.discuss; Sat, 29 Mar 1997 18:24:03 EST
Newsgroups: gnu.misc.discuss

Ever since the Clinton administration proposed the "Clipper chip", they have been saying "This is just voluntary", and privacy activists have been saying "They are lying". Now the administration has proved the privacy activists right, by proposing laws to *prohibit* using encryption to keep secrets from the government.

The Free Software Foundation is reposting the announcement below to express its support for the campaign led by Voters Telecommunications Watch. We are not the leaders of this campaign, just spreading the word; for more details or questions, please contact VTW directly.

If you are a US citizen, we hope you will look at the "Adopt Your Legislator Campaign" web site (see below), and contact your representatives in Congress, as the VTW suggests.

If you are not a US citizen, you can help in another way--by volunteering to work on *free* public key encryption software for jobs such as file transfer, login sessions and web commerce. There is no free software for these jobs today--all is either proprietary or semi-free, and neither kind can be used in a free operating system. Americans are forbidden to contribute, so the job is up to you. Please contact g...@prep.ai.mit.edu if you would like to volunteer.

Date: 29 Mar 1997 10:41:48 -0500
From: sha...@panix.com (Shabbir J. Safdar)
Organization: Voters Telecommunications Watch (v...@vtw.org)
Subject: ALERT: White House denigrates your right to privacy! (3/28/1997)
Message-ID: <5hjd7s$6...@panix3.panix.com>
Xref: ix.netcom.com alt.privacy:47050 talk.politics.crypto:23513 comp.org.eff.talk:94911 comp.org.cpsr.talk:12429 alt.wired:63562 alt.politics.datahighway:26778 alt.privacy.clipper:7537 alt.bbs.allsysop:28246

==============================================================================
                    ALERT!  THE CRYPTO BATTLE HAS BEGUN!
       CLINTON ADMINISTRATION PROPOSES CONTROL OF ENCRYPTION FOR
                         AMERICANS ON U.S. SOIL
                             March 28, 1997

              Do not forward this alert after May 1, 1997.

This alert brought to you by:
    Center for Democracy and Technology
    Eagle Forum
    Electronic Frontier Foundation
    Voters Telecommunications Watch
    Wired Magazine
_____________________________________________________________________________

Table of Contents
    What's Happening Right Now
    What You Can Do Now
    Background
    What's At Stake
    Supporting Organizations
_____________________________________________________________________________

WHAT'S HAPPENING RIGHT NOW

On March 26, 1997, the Clinton Administration proposed draft legislation which would, for the first time, impose DOMESTIC RESTRICTIONS on the ability of Americans to protect their privacy and security online. In its current form, the draft bill seeks to impose a risky "key-recovery" regime which would compel American citizens to ensure government access to their private communications. Law enforcement and national security agents would not even need a court order to access private decryption keys.

Congress is currently considering three separate bills which would prohibit the government from imposing "key-recovery" domestically, and encourage the development of easy-to-use privacy and security tools for the Net.
As more and more Americans come online, the Administration's plan is a giant step backwards and would open a huge window of vulnerability to the private communications of Internet users. Americans expect more when conducting private conversations with their doctors, families, business partners, or lawyers.

Please read the Alert below to find out what you can do to protect your privacy online.
________________________________________________________________________________

WHAT YOU CAN DO

1. Adopt Your Legislator

Now is the time to increase our ranks and prepare for the fight that lies ahead of us in Congress. The time to blast Congress or the White House with phone calls and emails will come, but now is not the appropriate moment. Instead, please take a few minutes to learn more about this important issue, and join the Adopt Your Legislator Campaign at

    http://www.crypto.com/adopt/

This will produce a customized page, just for you, with your own legislator's telephone number and address. In addition, you will receive the latest news and information on the issue, as well as targeted alerts informing you when your Representatives in Congress do something that could help or hinder the future of the Internet. Best of all, it's free.

Do your part, Work the Network! Visit http://www.crypto.com/adopt/ for details.

2. Beginning Monday March 31, call the White House

Internet public interest advocates continue to work the Hill in support of the three true encryption reform bills in Congress, Pro-CODE, SAFE, & ECPA II. If you still feel a need to voice your opinion, however, you can call the White House to express your opinion.

Step 1 - Beginning Monday March 31, call the White House

    Call 202-456-1111 9am-5pm EST. Ignore the voice mail survey and press '0' to get a comment line operator.

Step 2 - Tell them what you think about intrusions into your privacy!

    Operator: Hello, White House comment line!

    SAY THIS -> YOU: I'm calling to oppose the president's Internet encryption bill. It infringes on the privacy of Americans. We need a solution to the encryption issue that protects privacy, and this is not it.

    Operator: Thank you, I'll pass that along to the President.

3. Spread the Word!

Forward this Alert to your friends. Help educate the public about the importance of this issue. Please do not forward after May 1, 1997.
_____________________________________________________________________________

BACKGROUND

Complete background information, including:

    * A down-to-earth explanation of why this debate is important to Internet users
    * Analysis and background on the issue
    * Text of the Administration draft legislation
    * Text of Congressional proposals to reform US encryption policy
    * Audio transcripts and written testimony from recent Congressional Hearings on encryption policy reform
    * And more!

are all available at http://www.crypto.com/
________________________________________________________________________

WHAT'S AT STAKE

Encryption technologies are the locks and keys of the Information age -- enabling individuals and businesses to protect sensitive information as it is transmitted over the Internet. As more and more individuals and businesses come online, the need for strong, reliable, easy-to-use encryption technologies has become a critical issue to the health and viability of the Net.

Current US encryption policy, which limits the strength of encryption products US companies can sell abroad, also limits the availability of strong, easy-to-use encryption technologies in the United States. US hardware and software manufacturers who wish to sell their products on the global market must either conform to US encryption export limits or produce two separate versions of the same product, a costly and complicated alternative.

The export controls, which the NSA and FBI argue help to keep strong encryption out of the hands of foreign adversaries, are having the opposite effect.
Strong encryption is available abroad, but because of the export limits and the confusion created by nearly four years of debate over US encryption policy, strong, easy-to-use privacy and security technologies are not widely available off the shelf or "on the net" here in the US.

A recently discovered flaw in the security of the new digital telephone network exposed the worst aspects of the Administration's encryption policy. Because the designers needed to be able to export their products, the system's security was "dumbed down". Researchers subsequently discovered that it is quite easy to break the security of the system and intrude on what should be private conversations. This incident underscores the larger policy problem: US companies are at a competitive disadvantage in the global marketplace when competing against companies that do not have such hindrances.

And now, for the first time in history, the Clinton Administration has proposed DOMESTIC RESTRICTIONS on the ability of Americans to protect their privacy and security online.

All of us care about our national security, and no one wants to make it any easier for criminals and terrorists to commit criminal acts. But we must also recognize that encryption technologies can aid law enforcement and protect national security by limiting the threat of industrial espionage and foreign spying, promoting electronic commerce and protecting privacy.

What's at stake in this debate is nothing less than the future of privacy and the fate of the Internet as a secure and trusted medium for commerce, education, and political discourse.
______________________________________________________________________________

SUPPORTING ORGANIZATIONS

For more information, contact the following organizations who have signed onto this effort at their web sites.

Center for Democracy and Technology          http://www.cdt.org
    Press contact: Jonah Seiger, +1.202.637.9800
Eagle Forum                                  http://www.eagleforum.org
    Press contact: Phyllis Schlafly, +1.314.721.1213
Electronic Frontier Foundation               http://www.eff.org
    Press contact: Stanton McCandlish, +1.415.436.9333
Voters Telecommunications Watch              http://www.vtw.org
    Press contact: Shabbir J. Safdar, +1.718.596.7234
Wired Magazine                               http://www.wired.com
    Press contact: Todd Lappin, +1.415.276.5224
______________________________________________________________________________
end alert
==============================================================================
------- end of forwarded message -------
------- End of forwarded message -------
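The alert above objects to a "key-recovery" regime in which a certificate is issued only after recovery information is lodged with a Key Recovery Agent, and in which that agent hands the information over on a written authorization rather than a court order (the draft bill quoted in the reply below sets this out in sections 203 and 301-302). What follows is an added example, not code from either post or from any real product, modelling that architecture in standard-library Python. The HMAC-SHA256 keystream cipher, the choice of a per-user key-encryption key as the "recovery information", and the authorization dictionary are all assumptions made for illustration. It shows the two properties a practitioner cares about: the CA gate works exactly as written, and a single released key opens every message its owner ever sent, not only the one an order might name.

```python
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 run in counter mode as a keystream,
    XORed so the same call encrypts and decrypts.  It stands in for the
    unspecified algorithm sec. 103 leaves to the user (assumption)."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


class KeyRecoveryAgent:
    """Holds each user's 'recovery information' (secs. 202-203); here that is
    a key-encryption key (KEK), an assumed design.  Releases it only on a
    showing of authority (secs. 301-302)."""

    def __init__(self) -> None:
        self._deposits = {}

    def deposit(self, user: str) -> bytes:
        kek = secrets.token_bytes(32)
        self._deposits[user] = kek
        return kek

    def has_deposit(self, user: str) -> bool:
        return user in self._deposits

    def release(self, user: str, authorization: dict) -> bytes:
        # Sec. 302(A)(2): a written authorization suffices; no court order.
        if "written_authorization" not in authorization:
            raise PermissionError("sec. 301: disclosure without authority is prohibited")
        return self._deposits[user]


class CertificateAuthority:
    """Sec. 203: certify an encryption key only for a user whose recovery
    information is already on deposit with a registered KRA."""

    def __init__(self, kra: KeyRecoveryAgent) -> None:
        self.kra = kra

    def issue_certificate(self, user: str) -> str:
        if not self.kra.has_deposit(user):
            raise PermissionError(f"sec. 203: no recovery information on deposit for {user}")
        return f"cert:{user}"


def encrypt(sender_kek: bytes, recipient_key: bytes, plaintext: bytes) -> dict:
    """Fresh session key per message, wrapped once for the recipient and once
    under the sender's escrowed KEK: the 'recovery field' that gives whoever
    holds the KEK a second door into the message."""
    session = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    return {
        "nonce": nonce,
        "to_recipient": keystream_xor(recipient_key, b"wrap" + nonce, session),
        "recovery_field": keystream_xor(sender_kek, b"escrow" + nonce, session),
        "body": keystream_xor(session, b"data" + nonce, plaintext),
    }


def decrypt_as_recipient(recipient_key: bytes, msg: dict) -> bytes:
    session = keystream_xor(recipient_key, b"wrap" + msg["nonce"], msg["to_recipient"])
    return keystream_xor(session, b"data" + msg["nonce"], msg["body"])


def decrypt_via_recovery(kek: bytes, msg: dict) -> bytes:
    """What the government, or anyone else holding the KEK, does: ignore the
    recipient's copy and unwrap the session key from the recovery field."""
    session = keystream_xor(kek, b"escrow" + msg["nonce"], msg["recovery_field"])
    return keystream_xor(session, b"data" + msg["nonce"], msg["body"])


def demo() -> dict:
    kra = KeyRecoveryAgent()
    ca = CertificateAuthority(kra)
    results = {}
    try:                                   # no deposit yet: the CA must refuse
        ca.issue_certificate("alice")
        results["cert_without_deposit"] = True
    except PermissionError:
        results["cert_without_deposit"] = False
    alice_kek = kra.deposit("alice")
    results["cert_after_deposit"] = ca.issue_certificate("alice")
    bob_key = secrets.token_bytes(32)      # assumed shared with Bob out of band
    msgs = [encrypt(alice_kek, bob_key, m)  # constructed sample messages
            for m in (b"hello bob", b"quarterly numbers attached")]
    results["recipient_reads"] = [decrypt_as_recipient(bob_key, m) for m in msgs]
    try:                                   # no authority: the KRA must refuse
        kra.release("alice", {})
        results["release_without_authority"] = True
    except PermissionError:
        results["release_without_authority"] = False
    # One written authorization releases one KEK, and that KEK opens every
    # message Alice ever sent, not only the one an order might name.
    released = kra.release("alice", {"written_authorization": "sec. 302(A)(2)"})
    results["recovered"] = [decrypt_via_recovery(released, m) for m in msgs]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point the model makes concrete is that the recovery field is a wholesale key: the KRA never learns which message an authorization concerns, so a leak or insider at the agent, or an authorization issued outside the regulations, exposes the sender's entire history rather than one conversation.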
From: Al Petrofsky
Subject: Re: Clinton Administration trying to prohibit real encryption
Date: 1997/03/29
Message-ID: <87u3luot4d.fsf@albatros.wco.com>
X-Deja-AN: 229396710
Sender: a...@albatros.wco.com
References: <199703292325.SAA07521@psilocin.gnu.ai.mit.edu>
X-Server-Date: 30 Mar 1997 05:18:12 GMT
Organization: The Vegetable Liberation Front
Newsgroups: gnu.misc.discuss

r...@gnu.ai.mit.edu (Richard Stallman) writes:

> Ever since the Clinton administration proposed the "Clipper chip",
> they have been saying "This is just voluntary", and privacy activists
> have been saying "They are lying". Now the administration has proved
> the privacy activists right, by proposing laws to *prohibit* using
> encryption to keep secrets from the government.

After reading the draft legislation, I agree it's terrible, but I don't see how you can say it prohibits using encryption to keep secrets from the government. It sets up a government-endorsed key management infrastructure with the feature that the government can see all the keys, but it explicitly states that "Participation in the key management infrastructure enabled by this Act is voluntary". What section do you read as prohibiting real encryption?

Section 103 is definitely scary:

    SEC. 103. LAWFUL USE OF ENCRYPTION.

    It shall be lawful for any person within any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, and any territory or possession of the United States, to use any encryption, regardless of the encryption algorithm selected, encryption key length chosen, or implementation technique or medium used, except as provided in this Act or in any other law. Participation in the key management infrastructure enabled by this Act is voluntary.

It starts sounding like a proclamation of a universal right to use encryption, but at the end of the sentence we realize the intent is to establish that there is no such right and that the government will feel free to restrict encryption as much as it likes.

As bad as this is, I can't find anything in the rest of the act that restricts using encryption without giving keys to the government. All of the criminal acts in section 403 involve misbehavior by people participating in the infrastructure or trying to compromise it. Missing is anything prohibiting the use of non-government-sanctioned certificate authorities.

-al

To make sure we're all reading from the same text, here is the source material I grabbed from www.crypto.com/clinton/970312_admin.html:

Text of Administration March 12 Key Recovery Draft Legislation:

105th CONGRESS                                              DRAFT 3/12/97
1st Session

H.R. _________________
________________________________________

Mr. _________________ of _________________ introduced the following bill; which was referred to the Committee on _____________________

A BILL

To enable the development of a key management infrastructure for public-key-based encryption and attendant encryption products that will assure that individuals and businesses can transmit and receive information electronically with confidence in the information's confidentiality, integrity, availability, and authenticity, and that will promote timely lawful government access.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

TITLE I -- GENERAL PROVISIONS

SEC. 101. SHORT TITLE

This Act may be cited as the "Electronic Data Security Act of 1997".

SEC. 102. FINDINGS

The Congress finds the following:

(A) The development of the information superhighway is fundamentally changing the way we interact. The nation's commerce is moving to networking. Individuals, government entities, and other institutions are communicating across common links.
(B) The Internet has provided our society with a glimpse of what is possible in the information age, and the demand for information access and electronic commerce is rapidly increasing. The demands are arising from all elements of society, including banks, manufacturers, service providers, state and local governments, and educational institutions.

(C) Today, business and social interactions occur through face-to-face discussions, telephone communications, and written correspondence. Each of these methods for interacting enables us to recognize the face, or voice, or written signature of the person with whom we are dealing. It is this recognition that permits us to trust the communication.

(D) In the information age, however, those personal attributes will be replaced with digital equivalents upon which we will rely. Electronic digital transmissions, through which many businesses and social interactions will occur, inherently separate the communication from the person, forsaking confidence once derived from a handshake or a signed document.

(E) At the same time, society's increasing reliance on information systems in this new environment exposes U.S. citizens, institutions, and their information to unprecedented risks.

(F) In order for the global information infrastructure and electronic commerce to achieve their potential, information systems must be imbued with the attributes that overcome these risks and must provide trusted methods to identify users.

(G) Cryptography can meet these needs. Cryptography can be used to digitally sign communications or electronic documents such that a recipient can be confident that any message he or she received could only have come from the apparent sender. Moreover, cryptography is an important tool in protecting the confidentiality of wire and electronic communications and stored data. Thus, there is a national need to encourage the development, adoption, and use of cryptographic products that are consistent with the foregoing considerations and are appropriate for use both in domestic and export markets by the United States Government.

(H) The lack of a key management infrastructure impedes the use of cryptography and, therefore, the potential of electronic commerce. Users cannot encrypt messages without keys, therefore, they need a secure and standardized mechanism for the generation of keys, storage of keys, and transfer of keys between users. There is currently no standardized mechanism for the generation of keys, storage of keys, and transfer of keys between users. There is currently no standardized method in the private sector to accomplish all of these tasks, thus users must individually assume these burdens or forego the use of cryptography.

(I) Industry must work with government to develop a public-key-based key management infrastructure and attendant products that will ensure participants can transmit, receive, and use information electronically with confidence in the information's integrity, confidentiality, authenticity, and origin, while also allowing timely lawful government access.

(J) To this end, the government should issue appropriate public key encryption standards for federal systems and encourage the development of interoperable private sector standards for use across borders. However, the architecture(s) the government endorses in its standards must permit the use of any encryption algorithm.

(K) To effectively serve the public, such a key management infrastructure must be founded upon a system of trusted service providers to ensure acceptable standards of security, reliability, and interoperability.
(L) While cryptographic products and services are useful for protecting information and its authenticity, such products also can be used by terrorists, organized crime syndicates, drug trafficking organizations, and other dangerous and violent criminals to avoid detection and to hide evidence of criminal activity, thereby jeopardizing effective law enforcement, public safety, and national security.

(M) Any effective key management infrastructure must not hinder the ability of government agencies, pursuant to lawful authority, to decipher in a timely manner and obtain the plaintext of communications and stored data.

SEC. 103. LAWFUL USE OF ENCRYPTION.

It shall be lawful for any person within any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, and any territory or possession of the United States, to use any encryption, regardless of the encryption algorithm selected, encryption key length chosen, or implementation technique or medium used, except as provided in this Act or in any other law. Participation in the key management infrastructure enabled by this Act is voluntary.

TITLE II -- REGISTRATION OF CERTIFICATE AUTHORITIES AND KEY RECOVERY AGENTS

SEC. 201. REGISTRATION OF CERTIFICATE AUTHORITIES

The Secretary may register any suitable private sector entity, government agency, or foreign government agency to act as a Certificate Authority if the Secretary determines that the entity or agency meets minimum standards, as specified in regulations promulgated by the Secretary, for security, performance, and practices in order to accomplish the duties of a Certificate Authority registered under this Act. The Secretary may condition, modify or revoke such a registration if the registered entity or agency has violated any provision of this Act or any rule, regulation, or requirement prescribed by the Secretary under this Act, or for any other reasons specified by the Secretary in rule or regulation.

SEC. 202. REGISTRATION OF KEY RECOVERY AGENTS.

(A) Registration by the Secretary. The Secretary may register a suitable private sector entity or government agency to act as a Key Recovery Agent if the Secretary determines that the entity or agency possesses the capability, competency, trustworthiness and resources to safeguard sensitive information entrusted to it, to carry out the responsibilities set forth in subsection (B) of this section, and to comply with the Secretary's regulations.

(B) Responsibilities of Key Recovery Agents. A Key Recovery Agent registered under subsection (A) of this section shall, consistent with regulations issued by the Secretary, establish procedures and take other appropriate steps --

    (1) to ensure the confidentiality, integrity, availability and timely release of recovery information held by the Key Recovery Agent;
    (2) to protect the confidentiality of the identity of the person or persons for whom such Key Recovery Agent holds recovery information;
    (3) to protect the confidentiality of lawful requests for recovery information and the identity of the individual or government agency requesting recovery information and all information concerning such individual's or agency's access to and use of recovery information;
    (4) to carry out the responsibilities set forth in this Act and implementing regulations.

(C) Revocation of Key Recovery Agent Registration. The Secretary may condition, modify, or revoke a Key Recovery Agent's registration if the registered entity or agency has violated any provision of this Act or any rule, regulation, or requirement prescribed by the Secretary under this Act, or for any other reasons specified by the Secretary in rule or regulation.

SEC. 203. PUBLIC KEY CERTIFICATES FOR ENCRYPTION KEYS.
The Secretary or a Certificate Authority registered under this Act may issue to a person a public key certificate that certifies a public key that can be used for encryption only if the person:

(A) stores with a Key Recovery Agent registered by the Secretary under this Act sufficient information, as specified by the Secretary in regulations, to allow lawful recovery of the plaintext of that person's encrypted data and communications; or

(B) makes other arrangements, approved by the Secretary pursuant to regulations acceptable to the Attorney General, that assure that lawful recovery of the plaintext of encrypted data and communications can be accomplished confidentially when necessary.

TITLE III -- RELEASE OF RECOVERY INFORMATION BY KEY RECOVERY AGENTS

SEC. 301. CIRCUMSTANCES IN WHICH INFORMATION MAY BE RELEASED

A Key Recovery Agent, whether or not registered by the Secretary under this Act, is prohibited from disclosing recovery information stored by a person unless the disclosure is --

(A) to that person, or an authorized agent thereof;

(B) with the consent of that person, including pursuant to a contract entered into with that person;

(C) pursuant to a court order upon a showing of compelling need for the information that cannot be accommodated by any other means, if --
    (1) the person who stored the information is given reasonable notice, by the person seeking the disclosure, of the court proceeding relevant to the issuance of the court order; and
    (2) the person who stored the information is afforded the opportunity to appear in the court proceeding and contest the claim of the person seeking the disclosure;

(D) pursuant to a determination by a court of competent jurisdiction that another person is lawfully entitled to hold such recovery information, particularly including determinations arising from legal proceedings associated with the death or dissolution of any person; or

(E) as otherwise permitted by this Act or other law, particularly including release of recovery information pursuant to section 302 of this Act.

SEC. 302. RELEASE OF RECOVERY INFORMATION TO GOVERNMENT AGENCIES.

(A) A Key Recovery Agent, whether or not registered by the Secretary under this Act, shall disclose recovery information stored by a person:
    (1) to a government agency acting pursuant to a duly authorized warrant or court order, a subpoena authorized by Federal or State statute or rule, a certification issued by the Attorney General under the Foreign Intelligence Surveillance Act, or other lawful authority that allows access to recovery information by such agency; or
    (2) to a law enforcement or national security government agency upon receipt of written authorization in a form to be specified by the Attorney General.

(B) The Attorney General shall issue regulations governing the use of written authorizations to require release of recovery information to law enforcement and national security government agencies. Those regulations shall permit the use of written authorizations only when the government agency is lawfully entitled to determine the plaintext of wire or electronic communications or of electronic information and will use the recovery information for that purpose, to test products in the agency's possession, to prove facts in legal proceedings, or to comply with a request from a duly authorized agency of a foreign government.

SEC. 303. USE AND DESTRUCTION OF RECOVERY INFORMATION RELEASED TO A GOVERNMENT AGENCY.
A government agency to which recovery information has been released in response to a written authorization issued under section 302(A)(2) of the Act, by a Key Recovery Agent registered under this Act, may use the recovery information only to determine the plaintext of any wire or electronic communication or of any stored electronic information that the agency lawfully acquires or intercepts, to test cryptographic products in the agency's possession, to prove facts in legal proceedings, or to comply with the request of a duly authorized agency of a foreign government. Once such lawful use is completed, the government agency shall destroy the recovery information in its possession and shall make a record documenting such destruction. The government agency shall not use the recovery information to determine the plaintext of any wire or electronic communication or of any stored electronic information unless it has lawful authority to do so apart from the Act.

SEC. 304. CONFIDENTIALITY OF RELEASE OF RECOVERY INFORMATION.

A Key Recovery Agent or other person shall not disclose to any person, except as authorized by this Act or regulations promulgated thereunder or except as ordered by a federal court of competent jurisdiction, the facts or circumstances of any release of recovery information pursuant to section 302(A)(2) of the Act or requests therefor.

TITLE IV -- LIABILITY

SEC. 401. CIVIL ENFORCEMENT

(A) Enforcement by the Secretary. The Secretary may, when appropriate in fulfilling his or her duties under this Act or the regulations promulgated thereunder, make investigations, obtain information, take sworn testimony, and require reports or the keeping of records by, and make inspection of the books, records, and other writings, premises or property of registered entities.

(B) Civil Penalties. Any person who violates section 403 of this Act shall be subject to a civil penalty in an amount assessed by a court in a civil action.
    (1) The amount of the civil penalty may not exceed $10,000 per violation, unless the violation was willful, or was committed by a Key Recovery Agent or a Certificate Authority not registered under this Act. In determining the amount of the penalty the court shall consider the risk of harm to law enforcement, public safety, and national security, the risk of harm to affected persons, the gross receipts of the charged party, the judgment of the Attorney General concerning the appropriate penalty, and the willfulness of the violation.
    (2) A civil action to recover such a civil penalty may be commenced by the Attorney General.
    (3) A civil action under this subsection may not be commenced later than 5 years after the cause of the action accrues.

(C) Injunctions. The Attorney General may bring an action to enjoin any person from committing any violation of any provision of the Act or regulations promulgated thereunder.

(D) Jurisdiction. The district courts of the United States shall have original jurisdiction over any actions brought by the Attorney General under this section.

SEC. 402. CIVIL CAUSE OF ACTION AGAINST THE UNITED STATES GOVERNMENT.

(A) Cause of Action. Except as otherwise provided in this Act, any person whose recovery information is knowingly obtained without lawful authority by an agent of the United States Government from a registered Key Recovery Agent, or, if obtained by an agent of the United States Government with lawful authority from a registered Key Recovery Agent, is knowingly used or disclosed without lawful authority, may, in a civil action, recover from the United States Government the actual damages suffered by the plaintiff, and reasonable attorney's fees and other litigation costs reasonably incurred.

(B) Limitations. A civil action under this section may not be commenced later than two years after the date upon which the claimant first discovered or had a reasonable opportunity to discover the violation.

SEC. 403. CRIMINAL ACTS.
It shall be unlawful for any person --

(A) if a Certificate Authority registered under this Act, intentionally to issue a public key certificate in violation of section 203 of this Act;

(B) intentionally to disclose recovery information in violation of this Act;

(C) intentionally to obtain or use recovery information without lawful authority, or, having received such information with lawful authority, intentionally to exceed such authority for the purpose of decrypting data or communications;

(D) if a Key Recovery Agent, or officer, employee, or agent thereof, intentionally to disclose the facts or circumstances of any release of recovery information or requests therefor in violation of this Act;

(E) intentionally to issue a public key certificate under this Act, or to fail to revoke such a certificate, knowing that the person from whom the certificate is issued does not meet the requirements of this Act or the regulations promulgated thereunder;

(F) intentionally to apply for or obtain a public key certificate under this Act, knowing that the person to be identified in the public key certificate does not meet the requirements of this Act or the Regulations promulgated thereunder; or

(G) knowingly to issue a public key certificate in furtherance of the commission of a criminal offense which may be prosecuted in a court of competent jurisdiction.

Any person who violates this section shall be fined under title 18, United States Code, or imprisoned not more than five years, or both.

SEC. 404. USE OF ENCRYPTION IN FURTHERANCE OF CRIME.

(A) Whoever knowingly encrypts data or communications in furtherance of the commission of a criminal offense for which the person may be prosecuted in a court of competent jurisdiction shall, in addition to any penalties for the underlying criminal offense, be fined under title 18, United States Code, or imprisoned not more than five years, or both.

(B) It is an affirmative defense to a prosecution under this section that the defendant stored sufficient information to decrypt the data or communications with a Key Recovery Agent registered under this Act if that information is reasonably available to the government. The defendant bears the burden of persuasion on this issue.

(C) The United States Sentencing Commission shall, pursuant to its authority under section 9944(p) of title 28, United States Code, amend the sentencing guidelines to ensure that any person convicted of a violation of subsection (A) of this section is imprisoned for not less than 6 months, and if convicted of other offenses at the same time, has the offense level increased by at least three levels.

SEC. 405. NO CAUSE OF ACTION FOR COMPLYING WITH GOVERNMENT REQUESTS.

No civil or criminal liability under this Act or any other law shall attach to any Key Recovery Agent, its officers, employees, agents, or any other persons specified by the Secretary in regulations, for disclosing recovery information or providing other assistance to a government agency in accordance with the terms of a court order, warrant, subpoena, certification, written authorization or other legal authority.

SEC. 406. COMPLIANCE DEFENSE.

Compliance with this Act and the regulations promulgated thereunder is a complete defense, for Certificate Authorities registered under this Act and Key Recovery Agents registered under this Act, to any noncontractual civil action for damages based upon activities regulated by this Act.

SEC. 407. GOOD FAITH DEFENSE.

A good faith reliance on a court warrant or order, subpoena, legislative authorization, statutory authorization, a certification, a written authorization, or other legal authority for access to recovery information under this Act or its implementing regulations is a complete defense to any civil or criminal action brought under this Act.

SEC. 408. FEDERAL GOVERNMENT LIABILITY.
Except as provided otherwise in this Act, the United States shall not be liable for any loss incurred by any individual or entity resulting from any violation of this Act or the failure to exercise reasonable care in the performance of any duties under any regulation or procedure established by or under this Act, nor resulting from any action by any person who is not an official or employee of the United States.

TITLE V -- OTHER KEY RECOVERY PROVISIONS

SEC. 501. LABELING OF ENCRYPTION PRODUCTS.
(A) Any person engaged in manufacturing, importing, packaging, distributing or labeling of encryption products for purposes of sale or distribution in the United States shall package and label them so as to inform the user whether the products use Key Recovery Agents registered under this Act for storage of recovery information, and whether such products are authorized for use in transactions with the United States Government, as specified in regulations promulgated by the Secretary.
(B) The provisions contained in subsection (A) shall not apply to persons engaged in business as wholesale or retail distributors of encryption products to users except to the extent such persons are (1) engaged in packaging or labeling of such products for sale to users, or (2) prescribe or specify by any means the manner in which such products are packaged or labeled.

SEC. 502. CONTRACTS, COOPERATIVE AGREEMENTS, JOINT VENTURES AND OTHER TRANSACTIONS.
A Federal agency approved as a Key Recovery Agent under this Act may enter into contracts, cooperative agreements, joint ventures and other transactions and take other appropriate steps to carry out its responsibilities.

SEC. 503. NEGOTIATION WITH OTHER COUNTRIES.
The President shall conduct negotiations with other countries, on a bilateral or multilateral basis, for the purpose of seeking and concluding mutual recognition arrangements for Key Recovery Agents and Certificate Authorities registered by the United States and other countries.
TITLE VI -- MISCELLANEOUS PROVISIONS

SEC. 601. REGULATION AND FEES.
(A) Within one hundred and eighty days after the date of the enactment of this Act, the Secretary shall, in coordination with the Secretary of State, Secretary of Defense, and Attorney General, after notice to the public and opportunity for comment, issue any regulations necessary to carry out this Act.
(B) The Secretary may delay the date for compliance with the regulations issued for up to one year if the Secretary determines that the delay is necessary to allow for compliance with the regulations.
(C) The Secretary may charge such fees as are appropriate in order to accomplish his or her duties under this Act.

SEC. 602. INTERPRETATION.
Nothing contained in this Title shall be deemed to preempt or otherwise affect the applications of the Arms Export Control Act (22 U.S.C. 2751 et seq.) or any regulations promulgated thereunder. (Language concerning the Export Administration Act and/or IEEPA is under development.)

SEC. 603. SEVERABILITY.
If any provision of this Act, or the application thereof, to any person or circumstance, is held invalid, the remainder of this Act, and the application thereof, to other persons or circumstances shall not be affected thereby.

SEC. 604. AUTHORIZATION OF APPROPRIATIONS.
[This section is reserved pending discussions to develop language that is consistent with the President's budget.]

SEC. 605. DEFINITIONS.
For purposes of this Act:
(1) The term "person" means any individual, corporation, company, association, firm, partnership, society, or joint stock company.
(2) The term "Secretary" means the Secretary of Commerce of the United States or his or her designee.
(3) The term "Secretary of State" means the Secretary of State of the United States or his or her designee.
(4) The term "Secretary of Defense" means the Secretary of Defense of the United States or his or her designee.
(5) The term "Attorney General" means the Attorney General of the United States or his or her designee.
(6) The term "encryption" means the transformation of data (including communications) in order to hide its information content. To "encrypt" is to perform encryption.
(7) The term "decryption" means the retransformation of data (including communications) that has been encrypted into the data's original form.
(8) The term "plaintext" refers to data (including communications) that has not been encrypted, or if encrypted, has been decrypted.
(9) The term "ciphertext" refers to data (including communications) that has been encrypted.
(10) The term "key" means a parameter, or a component thereof, used with an algorithm to validate, authenticate, encrypt or decrypt a message.
(11) The term "public key" means, for cryptographic systems that use different keys for encryption and decryption, the key that is intended to be publicly known.
(12) The term "public key certificate" means information about a public key and its user, particularly including information that identifies that public key with its user, which has been digitally signed by the person issuing the public key certificate, using a private key of the issuer.
(13) The term "Certificate Authority" means a person trusted by one or more persons to create and assign public key certificates.
(14) The term "Key Recovery Agent" means a person trusted by one or more persons to hold and maintain sufficient information to allow access to the data or communications of the person or persons for whom that information is held, and who holds and maintains that information as a business or governmental practice, whether or not for profit.
(15) The term "recovery information" means keys or other information provided to a Key Recovery Agent by a person, that can be used to decrypt that person's data and communications.
(16) The term "electronic information" includes but is not limited to voice communications, texts, messages, recordings, images or documents, in any electronic, electromagnetic, photoelectronic, photooptical, or digitally encoded computer-readable form.
(17) The term "electronic communication" has the meaning given such term in section 2510(12) of title 18, United States Code.
(18) The term "wire communications" has the meaning given such term in section 2510(1) of title 18, United States Code.
(19) The term "government" means the government of the United States and any agency or instrumentality thereof, a State or political subdivision of a State, the District of Columbia, or commonwealth, territory, or possession of the United States.
(20) The term "cryptographic product" means any product (including, but not limited to, hardware, firmware, or software, or some combination thereof), that is designed, adapted, or configured to use a cryptographic algorithm to protect or assure the integrity, confidentiality and/or authenticity of information.
(21) The term "encryption product" means a cryptographic product that can be used to encrypt or decrypt data.
From: user@yellow.submarine.pla ()
Subject: Re: Clinton Administration trying to prohibit real encryption
Date: 1997/03/30
Message-ID: <5hm1lu$pn@camel1.mindspring.com>
X-Deja-AN: 229455628
References: <199703292325.SAA07521@psilocin.gnu.ai.mit.edu> <87u3luot4d.fsf@albatros.wco.com>
Organization: Yellow Brick Road
Newsgroups: gnu.misc.discuss

In article <87u3luo...@albatros.wco.com>, Al Petrofsky wrote:
>r...@gnu.ai.mit.edu (Richard Stallman) writes:
>
>> Ever since the Clinton administration proposed the "Clipper chip",
>> they have been saying "This is just voluntary", and privacy activists
>> have been saying "They are lying". Now the administration has proved
>> the privacy activists right, by proposing laws to *prohibit* using
>> encryption to keep secrets from the government.
>
>After reading the draft legislation, I agree it's terrible, but I
>don't see how you can say it prohibits using encryption to keep
>secrets from the government. It sets up a government-endorsed key

The legislation enumerates a number of vague authorized accesses for the government to lawfully gain access to your encrypted stuff. It also contains criminal penalties if the government encounters cryptography and requires you to prove you used the voluntary key escrow system as essentially your only defense. Of course this defense has the result that you give the government access to your stuff. I am not aware that the government can force you to give up your keys upon demand currently, so this would be a radical change in the status quo. Note that this includes storage on your hard drive, not just your communications.

Assuming that key escrow is a good idea from a business standpoint, who would volunteer to set up a system without the indemnity guaranteed by the bill?
You'd still have to provide the keys

    (2) to a law enforcement or national security government agency
    upon receipt of written authorization in a form to be specified by
    the Attorney General

You just wouldn't have the protections against liability given to the certified agencies.

Isaac
From: Al Petrofsky <alba...@wco.com>
Subject: Re: Clinton Administration trying to prohibit real encryption
Date: 1997/03/31
Message-ID: <87pvwgpihv.fsf@albatros.wco.com>
X-Deja-AN: 229600267
Sender: a...@albatros.wco.com
References: <199703292325.SAA07521@psilocin.gnu.ai.mit.edu>
X-Server-Date: 31 Mar 1997 08:34:37 GMT
Organization: The Vegetable Liberation Front
Newsgroups: gnu.misc.discuss

user@yellow.submarine.pla () writes:
>
> In article <87u3luo...@albatros.wco.com>, Al Petrofsky wrote:
> >r...@gnu.ai.mit.edu (Richard Stallman) writes:
> >
> >> Ever since the Clinton administration proposed the "Clipper chip",
> >> they have been saying "This is just voluntary", and privacy activists
> >> have been saying "They are lying". Now the administration has proved
> >> the privacy activists right, by proposing laws to *prohibit* using
> >> encryption to keep secrets from the government.
> >
> >After reading the draft legislation, I agree it's terrible, but I
> >don't see how you can say it prohibits using encryption to keep
> >secrets from the government. It sets up a government-endorsed key
>
> The legislation enumerates a number of vague authorized accesses for the
> government to lawfully gain access to your encrypted stuff.

It allows the government to gain access to your private keys ***IF YOU WERE STUPID ENOUGH TO GIVE YOUR PRIVATE KEYS TO AN ESCROW AGENT***. This has no effect on intelligent encryption users. There is no good reason for anyone to ever give his private key to anyone. A legitimate Certificate Authority deals only in public keys, never asking anyone for his private key, and therefore never even being in a position to give away a private key to the government. The draft legislation does not prohibit the operation of such Certificate Authorities.

> Assuming that key escrow is a good idea from a business standpoint, who
> would volunteer to set up a system without the indemnity guaranteed by
> the bill?
> You'd still have to provide the keys
>
> > (2) to a law enforcement or national security government agency
> > upon receipt of written authorization in a form to be specified by
> > the Attorney General
>
> You just wouldn't have the protections against liability given to the
> certified agencies.

Key escrow is a bad idea from every standpoint except that of J. Edgar Hoover wannabes. The section you're quoting (302(A)) applies to "Key Recovery Agents", not to Certificate Authorities. Again, a reputable Certificate Authority does not even have anyone's private keys anyway. From a business standpoint, I think such a CA would attract a lot more customers than one which asked for private keys and gave them to the government on demand.

> > Isaac

-al
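Petrofsky's point, and the bill's own definitions (12) through (15), come down to what each party holds: a Certificate Authority signs a binding between a name and a public key, while a Key Recovery Agent holds the keys that decrypt. The following is an added example, not code from this thread or the draft bill: a minimal CA in Go whose issuing function accepts only the subject's public key, plus the relying party's check that the certified key is the one claimed. The function names (NewCA, IssueCertificate, VerifyBinding, must) and the "Example CA" and "alice" identities are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // hypothetical helper: abort on setup errors
	if err != nil {
		panic(err)
	}
	return v
}
// NewCA makes a self-signed CA certificate plus the CA's own private key.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der := must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// IssueCertificate is the Certificate Authority role of definitions (12) and (13): it signs a binding
// between a name and a PUBLIC key; the subject's private key is never a parameter (definition 15).
func IssueCertificate(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject string, pub *ecdsa.PublicKey) ([]byte, error) {
	t := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	return x509.CreateCertificate(rand.Reader, t, ca, pub, caKey)
}

// VerifyBinding is the relying party's check: valid CA signature and the certified key is exactly pub.
func VerifyBinding(ca *x509.Certificate, certDER []byte, pub *ecdsa.PublicKey) bool {
	if cert, err := x509.ParseCertificate(certDER); err == nil && cert.CheckSignatureFrom(ca) == nil {
		certPub, ok := cert.PublicKey.(*ecdsa.PublicKey)
		return ok && certPub.Equal(pub)
	}
	return false
}
func main() {
	ca, caKey := NewCA()
	subj := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // subject keeps this; only PublicKey leaves
	fmt.Println("binds alice's key:", VerifyBinding(ca, must(IssueCertificate(ca, caKey, "alice", &subj.PublicKey)), &subj.PublicKey))
}
```

Nothing in IssueCertificate's signature can carry the subject's private key, which is the concrete sense in which a CA of this kind has no "recovery information" to disclose.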
From: r...@gnu.ai.mit.edu (Richard Stallman)
Subject: Clinton encryption proposal, take two
Date: 1997/04/03
Message-ID: <199704030529.AAA03474@psilocin.gnu.ai.mit.edu>
X-Deja-AN: 230315697
Sender: gnu-misc-dis...@prep.ai.mit.edu
x-gateway: relay5.UU.NET from gnu-misc-discuss to gnu.misc.discuss; Thu, 3 Apr 1997 00:27:45 EST
Newsgroups: gnu.misc.discuss

It looks like I was mistaken about the nature of the administration's latest key escrow proposal. I saw the words "seeks to impose..." in the VTW announcement, and took that as a clear statement that this was a mandatory scheme, not another voluntary one. Then Alabaster Petrofsky looked at the text of the law, and says that it does not make key escrow mandatory. So it looks like I misunderstood the situation. I am sorry for any confusion that I caused, and I'm grateful for the correct information.

The law seems to be obnoxious for other reasons, so I hope people will go ahead and follow the VTW's recommendations.

And we still need free software for public key encryption, to replace non-free programs such as PGP and ssh.