Encryption. Echoing Daley's conclusions, witnesses at a recent hearing before the Senate Judiciary Committee's Subcommittee on the Constitution, Federalism, and Property Rights voiced concerns over encryption regulations. At issue was whether the government or other law enforcement agencies should have access to encrypted information through key recovery systems that allow agents to decrypt messages. (Key recovery requires that senders turn over their decryption keys or codes to trusted third parties, who under court order would have to release them to law enforcement.)
At the hearing, lawmakers considered legislation circulating through both houses as a backdrop for discussion. One such bill (H.R. 695) seeks to increase the privacy of communications among businesses and individuals while relaxing current export controls on encryption products to bolster U.S. business competitiveness in the global marketplace. A separate bill, S. 909, calls for mandatory key recovery for any encryption product stronger than 56 bits.
Eight of the nine experts on the panel sent a resounding message that key recovery violates privacy rights and engenders security weaknesses. Many of the witnesses represented privacy and special interest groups such as the Americans for Computer Privacy, a coalition of companies and organizations that are joining efforts to reduce government regulation of encryption.
Some panelists, such as Kathleen Sullivan of Stanford Law School, argued that the administration's suggested regulation of domestic and exported encryption products violates constitutional rights. Others noted that the Clinton policy hurts the economy and weakens the security of electronic communications. Export controls, for example, limit businesses to selling encryption products of 40-bit strength or lower both in the United States and abroad.
American companies are losing market share to foreign companies, panelists argued. Some companies are finding it difficult to manage two different versions of their product - one for domestic sale and one for abroad. The restrictions also make it difficult for U.S.-based companies that want to secure business overseas.
Finally, panelists argued that a key recovery system introduces unnecessary weaknesses and defeats the purpose of encryption.
Challengers to the arrangement say that concentrating too much power in the key recovery centers would make the country vulnerable to terrorist attack and abuse by those entrusted with the power of safeguarding keys. A new bureaucracy would be needed to manage the system. And at present, the technology does not exist to create and smoothly operate a reliable system. Perhaps most crucial is the belief that foreign companies and criminals won't agree to abide by the proposed system's rules.
Selected excerpts from the testimony are available through SM Online.
Privacy. When asked by members of the House Judiciary Committee's Subcommittee on Courts and Intellectual Property to evaluate the need for additional privacy legislation to protect electronically transmitted information, witnesses expressed a number of different opinions. Some proclaimed an urgent need for new legislation while others insisted that existing laws are sufficient. Yet another contingent proposed that self-regulation rather than government intervention is the key to information privacy.
Two witnesses, Deirdre Mulligan, staff counsel for the Center for Democracy and Technology, and Marc Rotenberg, director of the Electronic Privacy Information Center and communications privacy professor at Georgetown University Law Center, urged the subcommittee to consider additional legislation to ensure the security of electronically transmitted data.
Rotenberg proposed specifically that Congress amend the Electronic Communications Privacy Act. Currently the act prohibits disclosure of information to the government. The act should be amended, said Rotenberg, to exclude disclosure to any third party. …