Comments on Draft Export Criteria for Key Escrow Encryption

David L. Sobel, Legal Counsel
Electronic Privacy Information Center

National Institute of Standards of Technology
December 5, 1995

Last September, NIST convened a series of public meetings to solicit comments on a new Administration proposal for encryption policy. The initiative was the latest iteration of the Commerce Department's effort to prevent the development and use of robust security technologies necessary for the continued growth of the Internet. At the September meetings, participants expressed widespread dissatisfaction with the direction of government encryption policy. The clear message that came from those meetings was that any form of mandatory key-escrow technology would not be unacceptable. As was also clear from the September meeting, law enforcement and the intelligence community failed to make an adequate case that such a policy was necessary or even desirable.

On November 6, NIST released a revised version of its "Draft Software Key Escrow Encryption Export Criteria." Only minor changes were made to the earlier draft that was widely criticized at the earlier public meetings. NIST asserted that "the criteria have been revised with the intent of achieving commercial acceptance within the flexibility permitted by law enforcement and national security constraints." Unfortunately, the revised criteria again demonstrate that "commercial acceptance" and "flexibility" are impossible when encryption policy is driven by law enforcement and national security considerations.

It is time to reject clearly and finally the essence of the Clipper encryption scheme which is under consideration today. Stated simply, EPIC is opposed to any policy that requires the development of encryption products that mandate key escrow. Such initiatives are fundamentally at odds with the needs of the Internet community and the businesses that are developing Internet services. As long as the NIST continues to promote this policy it is acting against the better interests of the American people.

In addition to our underlying opposition to mandatory key-escrow technology, EPIC raises the following points in response to the current Administration proposal:

1. Public comment is frequently solicited but never heeded.

When NIST proposed the "Escrowed Encryption Standard," or Clipper, in 1993, the comments received were almost universally negative. As NIST acknowledged in its Federal Register notice adopting the standard,

Nearly all of the comments received from industry and individuals opposed the adoption of the standard, raising concerns about a variety of issues including privacy; the use of a secret algorithm; the security of the technology; restrictions on software implementation; impact on competitiveness; and lack of procedures for escrowing keys.
59 Fed. Reg. 5997 (February 9, 1994). The current process is yielding similar results; despite overwhelming opposition to the draft criteria, NIST continues to insist upon a key-escrow approach to encryption policy.

The hearing today represents a critical test for the future of NIST decision-making: whether the agency will continue to ignore public comment or whether it is now prepared to acknowledged and act upon widespread opposition to the proposed encryption export standard.

2. Relevant information has not been released.

Last year, the Administration agreed to conduct a study of foreign availability of encryption products. In its solicitation for public input into the study, the Commerce Department's Bureau of Export Administration stated that

[t]he results of this study, which will be finalized July 1, 1995, will be used by the Interagency Working Group on Encryption and Telecommunications Policy in evaluating the overall U.S. encryption policy, including export control regulations.
In Congressional testimony on October 12, Commerce Secretary Ron Brown indicated that the study was completed "in a timely fashion" and is now at the White House Office of Science and Technology Policy and at NSA. However, it has not been made a part of the public record, despite assurances that it would play a significant role in the development of the very policy that is now under consideration by the Administration.

Because EPIC believes that such information is vital to informed public participation in the policy process and because the Department has failed to meet the deadline mandated by statute for completion of the study, we have initiated litigation under the Freedom of Information Act to seek the release of the Commerce Department's study. Electronic Privacy Information Center v. Department of Commerce, C.A. 95-2228 (D.D.C.). Once again, we are forced to pursue through the courts information that should be made readily available to the public.

3. The proposal conceals the attempt to expand wiretapping capability

The current debate over mandatory key-escrow encryption cannot be considered in isolation. Key-escrow is about electronic surveillance. On October 16, the FBI published its proposed "capacity requirements" for wiretapping in the Federal Register. The Bureau is proposing that the nation's telecommunications network be designed to permit the simultaneous monitoring of up to one percent of all telephone calls at any given time. As the New York Times said in a strongly-worded editorial, the FBI's "request is an indefensible bid for vast new wiretapping capability."

No mistake should be made concerning the purpose and intent of the key-escrow initiative; it is part and parcel of a broader law enforcement initiative to monitor and intercept a greater number of personal communications. The public understands this and its distaste for wiretapping motivates its opposition to Clipper and key-escrow.

Policy Recommendations

At a presentation to the National Research Council earlier this year, EPIC made clear the steps that must be taken to develop a sensible, forward-looking proposal for encryption. The following seven principles should guide government consideration of this issue.

  1. Relax export controls on encryption and permit the free flow of encryption products across national borders

    The Export Administration Act unnecessarily inhibits the exchange of techniques for privacy and slows development of important tools for network users.
  2. Withdraw FIPS 185 (the Clipper standard for voice, fax, and low speed data networks in the federal government)

    Private industry, the technical community, and the public oppose the adoption of Clipper. The deployment of Clipper-based schemes in the federal government should be halted.
  3. Remove "cryptology" from items that may be classified under executive order

    The classification of cryptology has frustrated open government, permitted the development of sub-optimal technical standards, and slowed technological innovation.
  4. Do not fund the Telephone Carrier Compliance Program (the "Digital Telephony" proposal)

    The ill-considered proposal to mandate the development and use of technologies for the surveillance of the nation's telecommunications systems calls for the expenditure of $500 million over the next four years. Given the likelihood that this program will increase Internet vulnerabilities, all funding should be terminated. We are pleased to note that the Congress has recently rejected funding for the Digital Telephony proposal. We urge NIST to recommend against further support by the Administration for this effort.
  5. Do not permit the use of classified algorithms for public networks
    Increasingly, commercial firms and individual developers are making the algorithms for their program publicly reviewable. This practice promotes the development of better software and more robust security systems. By refusing to disclose the SKIPJACK algorithm the federal government not only undermines public confidence in encryption policy, it also results in less secure networks.
  6. Assess carefully the impact of Commercial Key Escrow on:
    Since the NRC meeting it has become clear that "Commercial Key Escrow" means, in fact "Mandatory Key Escrow." It is, therefore, even more urgent that NIST undertake a careful study of the three factors identified earlier by EPIC.
  7. Examine the activities of the National Security Agency since passage of the Computer Security Act of 1987.

    The National Security Agency continues to exert disproportionate influence in the development of federal technology policy, in violation of the Computer Security Act of 1987 and against the better interests of American citizens and American business. It is time for this to end.