Letter To Commerce Committee On Oxley/Manton

By Stewart Baker (sbaker@steptoe.com)

Attached below is a copy of the letter I recently wrote to Chairman Tom Bliley (R-VA) of the House Commerce Committee. The letter raises several concerns with the Oxley/Manton amendment to the SAFE Act (H.R. 695) that was then being considered by the Committee. Rep. Karen McCarthy (D-MO) used the letter during the debate that led to the Committee rejecting Oxley/Manton.

September 23, 1997

The Honorable Tom Bliley
Chairman
Committee on Commerce
House of Representatives
Washington, D.C. 20515-6115

Dear Chairman Bliley:

I am writing to express concern about the Oxley/Manton amendment to the Committee's substitute for H.R. 695, the SAFE Act.

Because I come to my concerns by a different route than many of the others who have contacted you, my background may be relevant. I was the General Counsel of the National Security Agency until 1994. Since leaving the Agency, I have advised numerous private clients on encryption export controls, compliance with the Communications Assistance to Law Enforcement Act (CALEA), and other areas of the law where law enforcement and national security concerns interact with emerging technologies. (I should note at this point that my private clients don't share my views on encryption policy; in fact, some of them are no doubt appalled by my views.)

I was at the Agency when the Clipper chip was first introduced, and I publicly defended the then-novel concept of key escrow encryption. I thought then, and I think now, that key recovery is the most promising technical solution to what otherwise is a bitter and difficult policy choice. Key recovery at least offers the possibility that we can have our cake and eat it too - get good security for our data without doing grave harm to law enforcement.

The problem with key recovery and similar technologies is that they are still more promise than reality, at least at this time. So despite my sympathies for the goals that the Oxley/Manton amendment seeks to achieve, I have grave doubts about its wisdom as legislation. The Oxley/Manton amendment would require that by January 1, 1999 any encryption available for use in the United States include a feature that permits authorized officials to obtain immediate access to the plaintext of encrypted information without the knowledge or cooperation of the person whose information is encrypted. This means that industry and users would be allowed barely more than a year to put in place an entirely new encryption technology. There are a lot of problems with this rush to implement a new technology.

First, because key recovery remains novel - as do other technologies designed to provide the "immediate decryption" required by the Oxley/Manton amendment - there are a limited number of suppliers for such technology. And market forces have not led companies to develop key recovery or similar approaches in every case. Everyone agrees that there is a significant corporate market for key recovery whenever encrypted data is stored on a business user's hard drive. Perceiving this market, many suppliers of stored-data encryption are developing (or have developed) key recovery systems.

But encryption is probably most useful not for data storage but for communications, particularly communications over the air (wireless telecommunications) or over open networks such as the Internet. For access to real-time encrypted communications, businesses do not use key recovery. Typically, the communication is decrypted on the spot by the system and is provided to the user in the clear, whether the data is voice or a World Wide Web file. Since the user has the data in the clear, the user is likely to store it -- if he stores it at all -- in the clear. There's no need to save the keys that were used to encrypt the transmission. In this field, therefore, there is no private-market incentive to develop key recovery or other access technologies. The only reason to do so is government fiat. It is unrealistic to expect encryption producers to develop key recovery or similar solutions to real-time communications encryption, and then to deploy those solutions, all in a year or two.

Second, forcing them to do so is highly risky. The Oxley/Manton amendment regulates technology, and it contains a strong bias for what might be described as "complete" technical solutions. Encryption products must either contain a "built-in" access feature or a feature that prevents the product from being used in a system or network that does not include an access point. Unfortunately, it is probably wrong to assume that built-in technology is the only -- or even the best -- way to address the conflict between encryption and law enforcement access.

The banking industry, for example, can meet law enforcement access requirements without key recovery. Banks typically encrypt their information during transmission, when it is vulnerable to interception and possible corruption. Once the information reaches its destination it is typically decrypted, acted upon, and stored in unencrypted form. Government regulations assure the information is available for law enforcement to access upon demand. Requiring the banks to use accessible encryption would not only compel them to make a terribly costly transition, but it also would create a security hole that does not now exist.

The idea of building a vulnerability into our banking systems is troubling. No doubt any security holes that result can be closed eventually. But eliminating the risks will not be free. So far as has been determined, NSA was able to close those holes in the Clipper chip, but only by adopting a very costly infrastructure. To force banks and other institutions to scrap tested encryption technology and procedures and adopt new products that have been rushed to market to meet an early deadline is asking for trouble -- and trouble in our payment system would be serious trouble indeed.

(Banks, of course, are only at the start of the list of companies who cannot afford to discover security problems with their encryption after the fact. U.S. companies concerned about foreign commercial espionage need encryption without holes. So do nonbanks with heavy financial responsibilities - from credit card companies to mutual funds to companies engaged in electronic commerce.)

My third and final concern about Oxley/Manton is that it assigns the Attorney General and Federal Bureau of Investigation to administer an extraordinarily complex program of commercial regulation.

The suggestion by Bureau officials that this is just like CALEA is not reassuring. CALEA, which ordered telecommunications carriers to make their switches wiretap-capable by 1998, was far easier to implement than Oxley/Manton will be. First, CALEA gave industry four years to meet the deadline, not one. Second, unlike the largely unregulated computer industry, the industry covered by CALEA had been subject to extensive state and federal regulation since its birth. Third, unlike computer firms, telecommunications carriers had been carrying out wiretaps for 70 years as part of a long-standing relationship with law enforcement. Fourth, the technical challenge of CALEA was relatively limited - carriers were told to preserve law enforcement access to call contents; they were not told to design new forms of access not previously attempted. Fifth, and finally, the number of carriers and companies affected by CALEA is limited compared to the companies in the computer world that would be affected by Oxley/Manton. (When a criminal makes a call that should be tapped, he probably uses a local and perhaps a long-distance carrier; but if he sends a file over the Internet, he could be using encryption supplied by his Internet Service Provider or by his local network software or by his operating system or by his browser or by some additional application or hardware.)

Despite all of these advantages, three years after its passage CALEA is in a state of near paralysis. As things stand now, the wireless industry will be unable to meet the statutory deadline for compliance because industry and government could not agree on standards. The entire matter is the subject of contentious filings at the FCC, which is being called upon to umpire a host of technical and legal issues on which industry and the FBI are at loggerheads.

The Bureau is a magnificent crime-solving agency; it may be the best and most technically sophisticated law enforcement agency in the world. But it should not be asked to play a neutral, judicial role for which it is not suited, nor to assign its most technically adept agents to spend years understanding the relative merits of CDMA and TDMA wireless standards. The Bureau's unwillingness to do these things accounts in large part for the fact that CALEA is now pending before the FCC for resolution.

Unfortunately, the Oxley/Manton amendment would put the FBI in charge of regulating computer hardware and software without providing a technically sophisticated umpire like the FCC. Of course, there is no obvious neutral regulatory agency with experience in the computer industry. But to leave regulatory responsibility with one of the interested parties is asking for conflict and litigation.

I hope these views are useful to you. No doubt they will leave people on both sides of the debate unhappy with me. But I am concerned that continued polarization on the issue means that there has been too little consideration of the very real difficulties that the government would encounter in trying to administer the Oxley/Manton proposal. We cannot afford to make too many mistakes in this area. This is a sector in which we are the envy of the world, and we should step carefully in subjecting it to sweeping new regulation.

Very truly yours,

Stewart A. Baker

For further information please contact L. Benjamin Ederington on Tel: +202-429-6411, fax: 202-429-3902 or E-mail: bedering@steptoe.com.