[ISN] New Crypto Rules Leave Out Individual Privacy

From: mea culpa (jerichoat_private)
Date: Fri Sep 18 1998 - 02:43:54 PDT


    [Moderator: There have been several articles on this. I am only 
     forwarding this as it provides the most details.]
    
    
    Forwarded From: "Jay D. Dyson" <jdysonat_private>
    Originally From: Alan Davidson <abdat_private>
    
    Attached is CDT's initial analysis of the new Administration encryption
    rules (available on our Web site at http://www.cdt.org/crypto). As always
    with crypto regs, the devil is in the details; we won't know the real
    impact until we get to read the fine print. We're told the final
    regulations won't be released until later this Fall.
    
    	-- Alan
    
    Alan Davidson, Staff Counsel                 202.637.9800 (v)
    Center for Democracy and Technology          202.637.0968 (f)
    1634 Eye St. NW, Suite 1100                  <abdat_private>
    Washington, DC 20006                         PGP key via finger
    
    - ----------
    
    New Administration Encryption Controls Leave Individual Privacy Concerns
    Unanswered
    
    The White House today announced revised controls on the export of
    encryption products used to protect security online. While a step in the
    right direction, the new policy leaves major individual privacy concerns
    unanswered. 
    
    The revisions released today would allow export of moderately stronger
    encryption and allow certain industry segments to use even more secure
    products. However, the Administration policy does not address the security
    needs of individuals online, human rights groups, or other non-commercial
    users. Moreover, it continues to use export controls as a club to force
    the adoption of risky "key recovery" systems without addressing the
    privacy concerns raised by backdoor government access to our most
    sensitive data. 
    
    According to CDT Executive Director Jerry Berman, "The Administration has
    given us half a loaf in the encryption debate. Unfortunately, the other
    half a loaf is the part that deals with individual privacy." 
    
    The Administration statement is available on CDT's Web site at
    http://www.cdt.org/crypto. Major features of today's announcement include: 
    
    * Decontrol of 56-bit (DES-level) encryption -- would permit export of
    56-bit products and their equivalent (including 1024-bit asymmetric
    systems) to most countries, after a one-time governmental review. 
    
    * Export relief for specific industry segments -- would permit export of
    stronger products to subsidiaries of U.S. companies, health and insurance
    industries, and unspecified "electronic commerce" users. 
    
    * Exemptions for "recoverable" products -- would permit export of
    encryption products of unlimited strength if those products include
    backdoor access to plaintext, use key recovery, or allow access to
    plaintext through a system administrator or other person independent of
    the user. 
    
    CDT welcomes these efforts to address the concerns raised about current
    U.S. policy. However, the new regulations leave significant privacy
    concerns unanswered: 
    
    * 56-bit (DES-level) encryption will not adequately protect online privacy
    and security.  Expert cryptographers have argued for years that 56-bit
    encryption is not sufficient to protect privacy online. Just this summer,
    a group of California researchers created a "DES Cracker" that broke a
    56-bit encrypted message in just 56 hours, using minimal resources. 
    
    * Granting export relief for industry groups leaves the little guy out. 
    Individuals, human rights workers, or other non-commercial groups who have
    a compelling interest in using strong encryption, without backdoor access
    built-in, will not get relief under the new proposal. 
    
    * Administration policy continues to use export controls to force the
    adoption of vulnerable key recovery systems. The new regulations would
    continue the Administration's efforts to require "key recovery" or other
    plaintext access features in the encryption products that most individuals
    use. An experts' report on "The Risks of Key Recovery" 
    (http://www.crypto.com/key_study) recently argued that such recovery
    technologies introduce new security risks. 
    
    * Standards for government access are not specified. Privacy cannot be
    protected under a "recovery" system without a clear understanding of the
    legal protection governing access to plaintext -- a discussion that is
    absent from this proposal. 
    
    The extent to which the proposed new regulations will actually provide
    export relief will depend a great deal on the fine print. The new
    regulations are expected to be published in the late fall, and CDT will be
    monitoring these rules as they are published to ensure that they protect
    privacy. 
    
    CDT believes that the only way to protect individual security online as
    well as the nation's critical infrastructure is through the widespread
    availability of strong encryption, without backdoors.  We will continue to
    work with members of Congress to push for reforms that preserve the rights
    of individuals and businesses to protect sensitive personal information. 
    
    For more information on how to get involved in the crypto debate, sign up
    for CDT's "Adopt Your Legislator" campaign to be informed when your
    representative is voting on encryption issues. Visit CDT's crypto policy
    web site at http://www.crypto.com/adopt
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:04:41 PDT