by Stewart Baker
sbaker@steptoe.com

During the week of August 25, 1997, the Administration circulated a new encryption legislation proposal on the Hill. The proposal, which would amend S. 909 (the McCain/Kerrey bill), would regulate the domestic use of encryption by requiring a plaintext recovery feature in any encryption manufactured in, distributed in, or imported into the United States. The following summarizes the Administration's proposal.

THE LANGUAGE

The draft borrows heavily from the structure and content of the Kerrey/McCain legislation--it even retains the title, the "Secure Public Networks Act". In fact, the provisions in Titles IV through X of McCain/Kerrey regarding the registration of certificate authorities and key recovery agents, liability, criminal penalties, defenses, international negotiations, authority of the Secretary of Commerce to investigate compliance with the Act, and authority for the Attorney General to bring actions to enjoin violations of the Act are largely unchanged in this draft. The significant changes are:

  • gone is the section (102) that would prohibit mandatory third party escrow of keys. In its place is a new section (105) that would prohibit, after January 1, 1999, the provision of encryption services in the U.S., or the manufacture for sale or distribution in the U.S. of encryption products/systems, that do not have a plaintext recovery feature that may be turned on at the option of the user.
  • gone is the exclusive emphasis on key recovery as the technology for assuring plaintext recovery. Instead, this legislation would require products and systems that permit immediate decryption without the knowledge or cooperation of the user. The Attorney General is to issue regulations describing these functional criteria, but there is no provision requiring public notice and comment on such regulations.
  • gone is the language requiring key recovery agents to disclose recovery information when presented with a subpoena. In its place is language that indicates a court order or court authorized warrant is required before a key recovery agent may disclose recovery information.
  • added is export license exception treatment for products that are access or recovery enabled, regardless of algorithm, key length, or even whether the access feature is activated. This would be broader than McCain/Kerrey which would extend license exception treatment to products with over 56-bit key lengths only if the product includes an access feature and the access feature is turned on at the time of export.
  • retained is the provision to decontrol 56-bit encryption after one time review. However, the bill adds an Encryption Export Advisory Board, composed of industry and government representatives, to, among other things, recommend to the President whether the key length of encryption exports to be decontrolled should be raised beyond 56 bits. The President retains the final decision making authority, however.
  • gone is the McCain/Kerrey provision that would authorize the Secretary of Commerce to prohibit any exports that could be contrary to U.S. security interests.
  • added is a provision to permit license exceptions for voice products with encryption if the Secretary of Commerce determines that requiring an access feature would be a competitive disadvantage and permitting the export would be compatible with U.S. foreign and national security policies.
  • retained are the provisions that require the use of accessible encryption products and services on any system used or funded by the Government, but this draft sets a January 1, 1999 date of compliance.
  • Contrary to earlier indications, there is no requirement for certificate authorities registered under the Act to ensure recovery information is escrowed with a recovery agent registered under the Act.

ANALYSIS

Even though expected, the big news with this draft is the introduction of domestic control of encryption products and services available in the U.S. For many, the idea of such controls is simply an unacceptable infringement on privacy. But even for those who could be persuaded of the need for such controls, the implementation date provided (January 1, 1999) is unworkable. Industry must have the time to research and develop access technology appropriate to their products, particularly in the telecommunications industry where the demand for security is increasing, but there is little or no market for key recovery and its associated infrastructure. Likewise, manufacturers cannot afford to write off the investments they have made in existing security products or services by being compelled to implement new designs before technology turnover would normally be expected to occur.

A related concern would be to ensure new products with access features may interoperate with products or services that are already in use without such features. It is unreasonable to expect that users could afford to replace their existing systems with new products that include access features. The language of this draft would seem to permit such interoperability since the access feature is required only to be an option that may be turned on by the user, or not. But even if the legislation is understood as permitting such interoperability, the cost to manufacturers and consumers of meeting this new requirement could be substantial. We would expect that for some technologies, the only way to include an access feature and preserve interoperability with legacy systems is to include two encryption systems in the product--one with and one without an access feature. Inevitably, this will drive up the cost of the product and it is not at all clear that the market will be willing to bear that cost.

The other big news with this draft, which also was expected, is the proposal to further liberalize export controls by extending license exception treatment after one time review to products that include an access feature enabling law enforcement recovery of plaintext without the user's knowledge or cooperation. This liberalization is good news for companies that already have or are working to develop key recovery technology in their products. We suspect that this liberalization is also intended to relax controls for those products that encrypt information only while transiting vulnerable links and return the information to plaintext form that is available at the switch in a telecommunications system or from a server in computer networks. We are wary of assuming this to be true, however. The Administration has not always distinguished the technology which permits access from the user which may not. For example, the Administration has labored over export decisions regarding products implementing the Secure Socket Layer protocol if the user does not have a practice of storing the plaintext on their server. Thus, the intended scope of this provision should be clarified to make clear that the only review is to verify that the product or system is accessible technologically, not that the user or system operator will cooperate.

The provision establishing criteria to permit exports of inaccessible voice encryption products appears to recognize that there is little or no market for communications products with recovery features. But the provision sets up hurdles which the Government could use to make it extraordinarily difficult for companies to get licenses. Indeed, the hurdles actually may be intended to give the government some hooks on which to hang their hats when saying "no".

We understand an alternative approach may be recommended to the Hill staffers working this issue. Under this alternative, language would be written to require favorable consideration of requests to export inaccessible encryption to end users with no access requirement if there are products available from sources outside the U.S. that are advertised as having comparable encryption. The word "advertised" would be the key to assuring the Government approves such exports regardless of whether it suspects the actual performance of the overseas product is less than advertised. U.S. companies argue this standard of review is necessary since they must compete against the market's perceptions of products, not the U.S. government's. Historically, the Government has rejected such proposals, but they may be more flexible than in the past, particularly if they get most of what they want out of this draft.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

For further information please contact L. Benjamin Ederington on Tel: +202-429-6411, fax: 202-429-3902 or E-mail: bedering@steptoe.com.