Cyber-Rights & Cyber-Liberties (UK)
PhD Research student at the Criminal Justice Studies of the Law Faculty of the University of Leeds, Leeds LS2 9JT.
E-mail: lawya@leeds.ac.uk. Copyright © 1996 Yaman Akdeniz.
Please cite as Yaman Akdeniz, "Recent Developments in the US" August 1996, Cyber-Rights & Cyber-Liberties (UK) at http://www.leeds.ac.uk/law/pgs/yaman/usrecent.htm.
The Promotion of Commerce On-Line in the Digital Era (Pro-CODE) Act of 1996 (Section 1726) was introduced by Senator Conrad Burns (R-MT) to encourage the use of strong, easy-to-use privacy technologies in Internet communications.
Senator Burns stated on the introduction of the bill that:
"Unfortunately, American businesses and computer users face a threat, and it's a threat from their own government, because the current administration won't let American companies export encryption at a level higher than 40 bits. That's a fancy word, but what I'm told it means is that it's a level of security that can be cracked by your basic supercomputer in about one-thousandth of a second at a cost of a tenth of a cent." (1)
Senator Dole stated that:
"The administration apparently thinks very little of the right to privacy - it presumes the government is entitled to all the so-called 'keys' or secret passwords which protect computer generated information from prying eyes - like hackers." (2)
Senator Leahy stated that:
"I have read horror stories sent to me over the Internet about how human rights groups in the Balkans have had their computers confiscated during raids by security police seeking to find out the identities of people who have complained about abuses. The human rights groups have been able to get for free from the Internet, Pretty Good Privacy (PGP) to protect their computer communications and files. These encrypted files are undecipherable by the police and the names of the people who entrust their lives to the human rights groups are safe." (3)
"But U.S. export controls will not keep encryption out of the hands of criminals; these controls only hurt legitimate users and American business. ... Strong encryption has an important use as a crime prevention shield, to stop hackers, industrial spies and thieves from snooping into private computer files and stealing valuable proprietary information. We should be encouraging the use of strong encryption to prevent certain types of computer and online crime." (4)
The Pro-CODE Act of 1996 would prohibit the Federal government, or any State, from restricting or regulating the sale of encryption products in interstate commerce. If enacted, the Bill will also restrict the Commerce Department's standard-setting activities on encryption. It explicitly prohibits mandatory key escrow by the government.
The bill is similar to other bills recently introduced in the US. S.1726, the Pro-CODE Act, provides the electronic commerce equivalent to S.1587, the pro-privacy encryption bill introduced by Senators Leahy and Burns in March 1996, and to S.1587's House counterpart, H.R. 3011, introduced by Rep. Goodlatte. Pro-CODE would relax export controls in a roughly similar way, but contains none of the key holder provisions and creates no new crime for using encryption to obstruct justice. Major areas for comparison include:
Encryption of stored information:
The definition of encryption in S.1587 applies only to "wire and electronic communications," while S.1726 includes "wire and electronic communications and information." S.1726 would thus appear to protect encryption hardware and software for non-communicated information, such as encryption of locally stored files or disk media.
Export provisions:
S.1587 and H.R.3011 have very similar export provisions to S.1726. In all three, encryption software and hardware that is generally available would be exportable, regardless of key lengths.
Key holder provisions:
S.1726 and H.R. 3011 contain none of the extensive provisions in S.1587 regarding the responsibilities of third-party encryption key holders, or standards for release of keys to law enforcement.
Use of encryption to obstruct justice:
S.1726 does not contain the provision found in S.1587 and H.R.3011 that would criminalise the use of encryption to obstruct communications from law enforcement officials in furtherance of an offence.
Commerce Department Standards activities:
S.1726 prohibits any actions by the Commerce Department that have the effect of imposing government designed encryption standards. S.1587 has no similar provisions.
New Findings:
S.1726 contains a broad new set of findings emphasizing the importance of encryption to the development of electronic commerce.
The report, which came out in May 1996, highlights the need for strong, reliable encryption to protect individual privacy, to provide security for businesses, and to maintain national security (5).
The study explicitly states that:
"Current national cryptography policy is not adequate to support the information security requirements of an information society.... Current policy discourages the use of cryptography, whether intentionally or not, and in so doing impedes the ability of the nation to use cryptographic tools that would help to remediate certain important vulnerabilities." (6)
The report states that:
"widespread commercial and private use of cryptography in the United States and abroad is inevitable in the long run and that its advantages, on balance, outweigh its disadvantages. The committee concluded that the overall interests of the government and the nation would best be served by a policy that fosters a judicious transition toward the broad use of cryptography." (7)
The report finds that the current administration policy of limiting the export of strong encryption is impacting the domestic market and harming US business. The Committee recommends that export controls be "progressively relaxed but not eliminated" (8).
The report also recognises that "cryptography is a two-edged sword" for law enforcement, providing both a tool to help prevent crime such as economic espionage, fraud, or destruction of the information infrastructure, and a potential impediment to law enforcement investigations and signals intelligence (9).
The study is without doubt the most comprehensive and balanced analysis of the complex encryption policy debate yet published. Although it does not directly support the recent proposals for reform, it will be very important for future US policy on encryption.
In the wake of the recent bombing at the 1996 Atlanta Olympics and the suspected terrorist involvement in the TWA crash, the Clinton Administration and members of the US Congress are proposing a set of sweeping counter-terrorism initiatives. If enacted into law, these proposals will dramatically increase law enforcement surveillance authority over the Internet and other advanced communications technologies (10).