National Institute of Standards and Technology
December 5, 1995
Last September, NIST convened a series of public meetings to solicit comments on a new Administration proposal for encryption policy. The initiative was the latest iteration of the Commerce Department's effort to prevent the development and use of robust security technologies necessary for the continued growth of the Internet. At the September meetings, participants expressed widespread dissatisfaction with the direction of government encryption policy. The clear message that came from those meetings was that any form of mandatory key-escrow technology would be unacceptable. As was also clear from the September meeting, law enforcement and the intelligence community failed to make an adequate case that such a policy was necessary or even desirable.
On November 6, NIST released a revised version of its "Draft Software Key Escrow Encryption Export Criteria." Only minor changes were made to the earlier draft that was widely criticized at the earlier public meetings. NIST asserted that "the criteria have been revised with the intent of achieving commercial acceptance within the flexibility permitted by law enforcement and national security constraints." Unfortunately, the revised criteria again demonstrate that "commercial acceptance" and "flexibility" are impossible when encryption policy is driven by law enforcement and national security considerations.
It is time to reject clearly and finally the essence of the Clipper encryption scheme which is under consideration today. Stated simply, EPIC is opposed to any policy that requires the development of encryption products that mandate key escrow. Such initiatives are fundamentally at odds with the needs of the Internet community and the businesses that are developing Internet services. As long as NIST continues to promote this policy, it is acting against the better interests of the American people.
In addition to our underlying opposition to mandatory key-escrow technology, EPIC raises the following points in response to the current Administration proposal:
Nearly all of the comments received from industry and individuals opposed the adoption of the standard, raising concerns about a variety of issues including privacy; the use of a secret algorithm; the security of the technology; restrictions on software implementation; impact on competitiveness; and lack of procedures for escrowing keys. 59 Fed. Reg. 5997 (February 9, 1994). The current process is yielding similar results; despite overwhelming opposition to the draft criteria, NIST continues to insist upon a key-escrow approach to encryption policy.
The hearing today represents a critical test for the future of NIST decision-making: whether the agency will continue to ignore public comment or whether it is now prepared to acknowledge and act upon widespread opposition to the proposed encryption export standard.
[t]he results of this study, which will be finalized July 1, 1995, will be used by the Interagency Working Group on Encryption and Telecommunications Policy in evaluating the overall U.S. encryption policy, including export control regulations. In Congressional testimony on October 12, Commerce Secretary Ron Brown indicated that the study was completed "in a timely fashion" and is now at the White House Office of Science and Technology Policy and at NSA. However, it has not been made a part of the public record, despite assurances that it would play a significant role in the development of the very policy that is now under consideration by the Administration.
Because EPIC believes that such information is vital to informed public participation in the policy process and because the Department has failed to meet the deadline mandated by statute for completion of the study, we have initiated litigation under the Freedom of Information Act to seek the release of the Commerce Department's study. Electronic Privacy Information Center v. Department of Commerce, C.A. 95-2228 (D.D.C.). Once again, we are forced to pursue through the courts information that should be made readily available to the public.
No mistake should be made concerning the purpose and intent of the key-escrow initiative; it is part and parcel of a broader law enforcement initiative to monitor and intercept a greater number of personal communications. The public understands this and its distaste for wiretapping motivates its opposition to Clipper and key-escrow.
The Export Administration Act unnecessarily inhibits the exchange of techniques for privacy and slows development of important tools for network users.
Private industry, the technical community, and the public oppose the adoption of Clipper. The deployment of Clipper-based schemes in the federal government should be halted.
The classification of cryptology has frustrated open government, permitted the development of sub-optimal technical standards, and slowed technological innovation.
The ill-considered proposal to mandate the development and use of technologies for the surveillance of the nation's telecommunications systems calls for the expenditure of $500 million over the next four years. Given the likelihood that this program will increase Internet vulnerabilities, all funding should be terminated. We are pleased to note that the Congress has recently rejected funding for the Digital Telephony proposal. We urge NIST to recommend against further support by the Administration for this effort.
Increasingly, commercial firms and individual developers are making the algorithms for their programs publicly reviewable. This practice promotes the development of better software and more robust security systems. By refusing to disclose the SKIPJACK algorithm, the federal government not only undermines public confidence in encryption policy, it also results in less secure networks.
Since the NRC meeting it has become clear that "Commercial Key Escrow" means, in fact, "Mandatory Key Escrow." It is, therefore, even more urgent that NIST undertake a careful study of the three factors identified earlier by EPIC.
The National Security Agency continues to exert disproportionate influence in the development of federal technology policy, in violation of the Computer Security Act of 1987 and against the better interests of American citizens and American business. It is time for this to end.