[Moderator: There have been several articles on this. I am only forwarding this as it provides the most details.]

Forwarded From: "Jay D. Dyson" <jdysonat_private>
Originally From: Alan Davidson <abdat_private>

Attached is CDT's initial analysis of the new Administration encryption rules (available on our Web site at http://www.cdt.org/crypto). As always with crypto regs, the devil is in the details; we won't know the real impact until we get to read the fine print. We're told the final regulations won't be released until later this Fall.

-- Alan

Alan Davidson, Staff Counsel                202.637.9800 (v)
Center for Democracy and Technology         202.637.0968 (f)
1634 Eye St. NW, Suite 1100                 <abdat_private>
Washington, DC 20006                        PGP key via finger

----------

New Administration Encryption Controls Leave Individual Privacy Concerns Unanswered

The White House today announced revised controls on the export of encryption products used to protect security online. While a step in the right direction, the new policy leaves major individual privacy concerns unanswered.

The revisions released today would allow export of moderately stronger encryption and allow certain industry segments to use even more secure products. However, the Administration policy does not address the security needs of individuals online, human rights groups, or other non-commercial users. Moreover, it continues to use export controls as a club to force the adoption of risky "key recovery" systems without addressing the privacy concerns raised by backdoor government access to our most sensitive data.

According to CDT Executive Director Jerry Berman, "The Administration has given us half a loaf in the encryption debate. Unfortunately, the other half a loaf is the part that deals with individual privacy."

The Administration statement is available on CDT's Web site at http://www.cdt.org/crypto.

Major features of today's announcement include:

* Decontrol of 56-bit (DES-level) encryption -- would permit export of 56-bit products and their equivalent (including 1024-bit asymmetric systems) to most countries, after a one-time governmental review.

* Export relief for specific industry segments -- would permit export of stronger products to subsidiaries of U.S. companies, health and insurance industries, and unspecified "electronic commerce" users.

* Exemptions for "recoverable" products -- would permit export of encryption products of unlimited strength if those products include backdoor access to plaintext, use key recovery, or allow access to plaintext through a system administrator or other person independent of the user.

CDT welcomes these efforts to address the concerns raised about current U.S. policy. However, the new regulations leave significant privacy concerns unanswered:

* 56-bit (DES-level) encryption will not adequately protect online privacy and security. Expert cryptographers have argued for years that 56-bit encryption is not sufficient to protect privacy online. Just this summer, a group of California researchers created a "DES Cracker" that broke a 56-bit-length encrypted message in just 56 hours, using minimal resources.

* Granting export relief for industry groups leaves the little guy out. Individuals, human rights workers, or other non-commercial groups who have a compelling interest in using strong encryption, without backdoor access built in, will not get relief under the new proposal.

* Administration policy continues to use export controls to force the adoption of vulnerable key recovery systems. The new regulations would continue the Administration's efforts to require "key recovery" or other plaintext access features in the encryption products that most individuals use. An experts' report on "The Risks of Key Recovery" (http://www.crypto.com/key_study) recently argued that such recovery technologies introduce new security risks.

* Standards for government access are not specified. Privacy cannot be protected under a "recovery" system without a clear understanding of the legal protection governing access to plaintext -- a discussion that is absent from this proposal.

The extent to which the proposed new regulations will actually provide export relief will depend a great deal on the fine print. The new regulations are expected to be published in the late fall, and CDT will be monitoring these rules as they are published to ensure that they protect privacy.

CDT believes that the only way to protect individual security online as well as the nation's critical infrastructure is through the widespread availability of strong encryption, without backdoors. We will continue to work with members of Congress to push for reforms that preserve the rights of individuals and businesses to protect sensitive personal information.

For more information on how to get involved in the crypto debate, sign up for CDT's "Adopt Your Legislator" campaign to be informed when your representative is voting on encryption issues. Visit CDT's crypto policy web site at http://www.crypto.com/adopt

-o-

Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:04:41 PDT