Getting the Cat Out of the Bottle
and other encryption-related tales

March 20, 1997

Lobbying on Capitol Hill is hard work. Unsuccessfully mounting an attempt to lobby is even harder. In my case, it required getting up at 4:00 a.m., taking two trains to reach Manhattan because of track work, and catching the 5:30 Metroliner in to D.C. in order to make the House Judiciary Committee hearing scheduled for 9:30 a.m. The topic: HR 695, also known as the Security And Freedom through Encryption Act, or "SAFE", which goes to show that Republicans don't have a lock on cute acronyms.

Signs directing you to Committee rooms are virtually non-existent, so I trolled around the corridors of the Rayburn House Office Building, hoping I'd recognize a visitor, or perhaps a speaker. Instead, I recognized an attitude; the people waiting to get in, wearing everything from suits to ragged jeans, were seated on the floor.

Once inside, we picked up our free handouts, took our places, and waited for the show to begin. The room was full but not completely packed when the opening gavel fell.

I've gotten to the point where I can recite the arguments about the crypto policy issue in my sleep, so listening to the witnesses was much like running through a mental checklist. "Did he mention the child pornographer yet? There he goes. Check. How about the 'criminals are dumb' argument? Hmm, he must be waiting on that one." And so on.

I was able to avoid dozing off though by listening to the rich array of metaphors presented by the witnesses, as each one sought in turn to find the most memorable sound byte. These included the rather standard "cat is out of the bag", "the genie is out of the bottle", the somewhat more farfetched "toothpaste is out of the tube" and the completely outlandish "horse is out of the barn and has gone on a world-wide tour". The best one I heard though was from yesterday's Web simulcast of the hearings of the Senate bill on this issue (SB 377, the so-called "Pro-CODE" bill), in which someone mixed metaphors to get "the genie's out of the bag". At which point one of the senators said, "Now if we can just get the cat out of the bottle, we'd really have something."

To my mind, that's the perfect metaphor for the current mess; if we could just get encryption out of the Administration's regulatory bottleneck, we'd really have something.

Panel 1 was the government's shot at fame and propaganda. I heard the following claims:

Strong encryption without key escrow provisions will greatly hamper law enforcement efforts.

Strong encryption without key escrow is a serious threat to public safety.

Criminals are dumb and will use what is easy and convenient. If key escrow products are widely available, they'll use them.

Criminals are smart and will protect themselves, but sooner or later they'll deal with a bank or other institution that uses key escrow software and then we'll catch 'em.

The regulations are aimed at international terrorism.

The regulations are aimed at aiding general law enforcement efforts.

The regulations are by no means aimed at domestic use of cryptography by American citizens.

The Administration will never mandate the domestic use of key escrow. We do however support and encourage it.

Our goal is a uniform global key management infrastructure with key escrow in all products.

Our goal is that a standard form of encryption be in use in all computers and electronic devices which provides strong crypto with key escrow.

Encryption is widely available but not widely used because customers can't trust it. They can't trust it because there is no uniform key management infrastructure in place. The Administration's policy encourages the development of such an infrastructure.

Most businesses and users will not trust free software downloaded from the Internet for encryption, to which the source is widely available. Code that is widely available this way has little impact on actual use of encryption.

There is a growing demand by customers for key escrow, so that loss of a key does not mean loss of access to their data.

[Said during yesterday's hearing] The US is at the least restrictive end of the spectrum as far as crypto regulations go.

The other governments we've talked to all support the US government position on key escrow.

If we lift export restrictions, most other countries will impose import restrictions or regulate the domestic use of encryption in their countries.

Industry likes our solution, as is evidenced by the over 400 applications we've gotten for export licenses under the December 30th regulations.

US industry is not hampered by the Administration regulations in its ability to compete with foreign corporations which sell encryption products.

Any individual or corporation will be able to hold his or her own keys under our regulations.

The SAFE bill would preclude the development of key recovery software even as an option.

I am not making any of these up! As absurd or self-contradictory as some of these claims may seem, they were all voiced, even reiterated, by the government panel: William Reinsch, Undersecretary of the Bureau of Export Administration, Department of Commerce; William Crowell, Deputy Director of the NSA; and Robert Litt, Deputy Assistant Attorney General, Criminal Advisory Division, Department of Justice. Congresswoman Zoe Lofgren stated her hope at the beginning of the hearings that the government's rationale behind its policy would finally be made understandable to her. Care to place any bets?

Panel 2 was an entry in the "Strange Bedfellows" department. Along with folks from industry, a representative from PGP, Mr. Morehouse from SourceFile, the only company licensed by the government to hold keys for escrow under the current regulations, we also got Phyllis Schlafly. I was afraid she was going to do us more harm than good, but I had to give her credit for a couple of good points: first, that the government regulations are aimed at accomplishing something -- universal use of key escrow products -- that they don't dare do by direct legislation; and second, a comment about the provision in HR 695 that makes knowing use of encryption in the commission of a crime a felony; this provision could be problematic when most electronic devices have encryption built in and a user would have to go to special effort to disable it (or might not be able to, in the case of a digital phone, say). As she put it in her written testimony, we don't want every state misdemeanor to become a federal felony "merely because a computer, telephone, or other electronic device is used."

Seybold from PGP likewise made a very good point: this legislation does not try to gain for us more freedoms than we are entitled to; it does not attempt to drastically shift the balance of interests between law enforcement and privacy rights, to move the fulcrum to a position that it has never had. Rather, as new technology has become more widely used, our privacy rights have been being slowly eroded; this legislation attempts to give us the same rights we used to have.

Panel 3, held after lunch, was the civil liberties panel, with Jerry Berman, the director of CDT, and Marc Rotenberg, the director of EPIC (Electronic Privacy Information Center), among others. I was disappointed by the low turnout of observers for this session; does this indicate a lack of commitment to civil liberties in the industry sector?

In any case, here is a summary of points raised by the opposition:

If real-time wiretaps (which might be made more difficult by strong encryption) are our first line of defense against crime, we are in trouble, because only 1100 (legal) wiretaps are conducted each year.

If you can't intercept the middle of a conversation, go to the sender end (a bug in the room with the telephone) or the receiver end (subpoena the bank records of the financial transactions; no matter how they were encrypted en route they will be decrypted at the end), use informants, or other traditional means.

Don't criminalize encryption when it's used to commit a crime; use existing provisions. For example, refusal to turn over keys when legally demanded is obstruction of justice, and so on. Criminalizing encryption might stigmatize it, leading to the attitude that only people with something to hide use it; i.e. its very use alone might be considered suspicious. Mere assertion of privacy rights should *not* be suspect (like using an envelope to send a letter).

There is a developing key management infrastructure which includes 10 top-level Certification Authorities, among them the U.S. Postal Service. The web of trust model for PGP is also widely used. The main obstacle to widespread use of encryption is not the lack of a KMI, but rather lack of ease of use; this is being addressed in the latest round of products to hit the market.

Customers demand key escrow for stored data but not for real-time communications, which generally use ephemeral session keys. No good workable mechanism has been provided for escrowing these (and there might potentially be billions of them).

As long as products are available that don't provide built-in access to keys or data by the U.S. government, people and especially foreign individuals or corporations will buy such products and not the products provided by U.S. companies; thus, the Administration's vision of a uniform global key management infrastructure is unworkable.

Free source is used for the FBI's web server (apache?); presumably they have some faith in it, then. PGP, also available freely off the Internet, is widely used including by Fortune 500 companies.

Not one of the OECD member countries supported the Administration's key escrow initiative except for the *one* which already has a legal requirement for key escrow with domestic use of encryption.

Industry has already lost contracts to foreign companies either while waiting for the export license application to wind its way through the Commerce Department or because other companies could offer stronger encryption.

Current regulations allow a company to ship 56-bit DES but only if within two years they build in key escrow, and the method has to be approved by the government; there is no guarantee of a license in the future because a company gets one now. This means that the buyer would be buying a product that might not be available in two years, not a workable means of doing business.

I could go on (and on and on) but you get the idea.

Thanks to Phil Karn (see also his written testimony) for mentioning the "floppy as munitions" concept, and for pointing out a recent development in crypto; it seems that in order to meet export regulations, cellular phone companies "dumbed down" their algorithms; today's NYT discusses David Wagner et al's breakthrough that allows this algorithm to be cracked in a matter of seconds. Time to switch to PGPphone, I guess.

Thanks also to Marc Rotenberg for introducing the text of the OECD guidelines into the record, so that no one can claim they say something they don't, and also for bringing to the fore once again documents from FBI and NSA officials that demonstrate their commitment to mandatory key escrow use domestically, whether by legislation or by 'encouraging' industry.

After the hearings, I tried to talk to Marc Rotenberg who was busy, got a contact in Rep. Goodlatte's office so that I can lobby for getting someone from academia to speak on the next panel of witnesses, and went by Carol Mahoney's office (my representative) but no one was in that I could talk to. They were all busy wrapping things up before the spring break. Mahoney, at that instant, was on the House floor, passionately defending a woman's right to choose. (CSPAN is ubiquitous in those offices.)

Got lost trying to find Union Station, missed two trains, bought some really expensive train station food, and gonna get home late. But I'll be glad to be back home in New York; things here are a lot quieter!

We'll go through this all again soon. The Administration promises to produce a draft of its own legislation within the next week to get the cat out of the bottle; stay tuned!

P.S. If you ever decide to do this yourself, bring your own food. The House cafeteria food is just this side of miserable.

Ariel Glenn / AcIS R&D / Columbia University
#include <stddisclaimer.h>


List of witnesses with links to testimony where available:

(If you don't have a link in the list, you can find a version of the testimony from the Subcommittee on Courts & Intellectual Property hearings page.)

William Reinsch, Undersecretary of Commerce, Bureau of Export Administration
William Crowell, Deputy Director of the National Security Agency (NSA)
Bob Litt, Deputy Assistant Attorney General, Department of Justice Criminal Division
Ira Rubinstein, Senior Corporate Attorney, Microsoft
Roberta Katz, General Counsel, Netscape Communications
Jonathan Seybold, Chairman of the Executive Committee and Director of PGP
Tom Morehouse, Source File
Phyllis Schlafly, Eagle Forum
Jerry Berman, Executive Director, Center for Democracy and Technology
Marc Rotenberg, Director, Electronic Privacy Information Center
Phil Karn, Cryptographer, Qualcomm Inc.
Grover Norquist, Executive Director, Americans for Tax Reform