Battle lines drawn over fed role in key-recovery debate
- By Heather Harreld
- Jul 13, 1997
A bill designed to broker a compromise between law enforcement entities and private industry over the heated encryption technology policy debate is drawing familiar battle lines over the role of the government in the key-recovery policy arena.
The bill, which would ease encryption export regulations, requires that any encryption product purchased by the federal government or with federal funds be based upon the controversial key-recovery technology. The legislation drew praise from the FBI director but fire from private-sector opponents during a hearing last week before the Senate Judiciary Committee.
Called the Secure Public Networks Act (SPNA), the bill is designed to leverage the federal government's massive information technology buying power to foster key-recovery technology. Supported by the Clinton administration, that technology would allow law enforcement officials who have received a court-ordered subpoena to obtain a key to decode encrypted data they could use in criminal investigations and prosecutions. The technology also allows users who have a secret software key to receive and send encrypted data to recover the key in the event that it is lost or stolen.
Sen. J. Robert Kerrey (D-Neb.), who introduced the bill along with Sen. John McCain (R-Ariz.), said the bill relies on market forces and incentives rather than government mandates to enhance security on public networks. It also creates harsh penalties for those who violate privacy or misuse encryption technology.
"Rather than using regulatory mandates, the SPNA uses the buying power of the federal government and market-based incentives to encourage the deployment of a network infrastructure which provides users [with] total confidence in the security of their communications without compromising the limited lawful and legitimate needs of law enforcement and national security," Kerrey said.
Despite law enforcement's strong support for a 1994 Clinton administration proposal that would require all users to register keys with the federal government, FBI director Louis Freeh expressed his support for the pending legislation, which only mandates use of the technology for federal agencies. Freeh described the legislation as a balanced approach that would provide law enforcement with pockets of access, or "windows," that would grow as private-sector use increases.
"It goes very far in meeting law enforcement needs," Freeh said. "I do not believe that we can leave this issue solely to market forces...with all the public safety concerns that are brought to the table. Nobody ever contended that a key-recovery system is going to prevent all criminals at all times from committing crimes. There is not anything in the proposed bill...which does any damage to the Constitution or the Bill of Rights. It simply allows law enforcement to keep pace [with technology]. We're just looking for some windows in the network available to us."
Peter Neumann, principal scientist at Menlo Park, Calif.-based SRI International, is an author of a May report compiled by several of the nation's leading cryptographers that criticized the administration's key-recovery plan, saying its design was extremely risky and would be cost-prohibitive.
At the hearing, Neumann pointed to several failed large-scale information technology initiatives undertaken by the federal government, such as the Internal Revenue Service's botched attempts to allow for electronic tax filing and the Federal Aviation Administration's problems with air traffic control systems.
"Their problems could be child's play compared to the problems that could result from the key-recovery infrastructure," Neumann said. "The risk issues are enormous, the cost issues are hidden, and no one knows what they will amount to. Let the government be its own guinea pig...[and] design experiments that not only look at whether you can build something like this...but [address whether] you can build it safely, securely and reliably."
The risks of large-scale key-recovery systems also were presented at the hearing by Raymond Ozzie, chairman of Iris Associates, a wholly owned subsidiary of Lotus Development Corp. and IBM Corp. Ozzie, who created Lotus Notes, was speaking on behalf of the Business Software Alliance, a group that represents many of the country's largest software developers.
"Large-scale key-management and recovery systems are inherently imperfect, and if they're mandated, [it] will likely result in an increase in crime," Ozzie said. "We will have created significant new opportunities for abuses and crimes that don't exist today."
In addition to the SPNA legislation, another encryption bill is pending before the Judiciary Committee. Introduced by Sen. Patrick Leahy (D-Vt.), the Encrypted Communications Privacy Act would ease encryption export controls but does not seek to prescribe a particular type of encryption technology. Leahy is a member of the Judiciary Committee.