[comp.org.eff.talk] Senate Bill 266 would require trapdoors in encryption gear

gnu@hoptoad.uucp (John Gilmore) (04/13/91)

I just heard this from two sources today.  The Senator's staffers
couldn't identify the bill from the rumor I'd heard, but the person who
posted to Risks 11.43 gave the actual bill number (thanks!!!) and part
of the text.  Here it is, with the poster's comments.  I note that this
bill would outlaw the Privacy Enhanced Mail system that DARPA itself is
developing and deploying, since there is no trapdoor designed into it
(unless there is one in the underlying cryptosystems).

I encourage everyone to contact Senator Joseph R. Biden Jr.'s staff
directly and make your opinion known.  Their phone number is +1 202 224 5042.
They can also mail you a copy of the bill.  Calling your own home-state
senators, if you are from the U.S., would help, too.

==> If you called Lotus to have your name taken off of Marketplace, call
this Senator! <==  This bill is much more of a threat to your privacy than
Lotus Marketplace, since it means that even when technical means for
protecting your privacy exist, (such as secure cellular phones, or
email that can't be tapped), it will be illegal to provide you this
privacy.

"If privacy is outlawed, only outlaws will have privacy"...

	John

Date:  Wed, 10 Apr 91 17:23 EDT
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: U.S. Senate S. 266

Senate 266 introduced by Mr. Biden (for himself and Mr. DeConcini)
contains the following section:

SEC. 2201. COOPERATION OF TELECOMMUNICATIONS PROVIDERS WITH LAW ENFORCEMENT

It is the sense of Congress that providers of electronic communications
services and manufacturers of electronic communications service equipment shall
ensure that communications systems permit the government to obtain the plain
text contents of voice, data, and other communications when appropriately
authorized by law.

------------------------------

Date:  Wed, 10 Apr 91 18:20 EDT
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject:  U.S. Senate 266, Section 2201 (cryptographics)

The referenced language requires that manufacturers build trap-doors
into all cryptographic equipment and that providers of confidential
channels reserve to themselves, their agents, and assigns the ability to
read all traffic.

Are there readers of this list that believe that it is possible for
manufacturers of crypto gear to include such a mechanism and also to reserve
its use to those "appropriately authorized by law" to employ it?

Are there readers of this list who believe that providers of electronic
communications services can reserve to themselves the ability to read all the
traffic and still keep the traffic "confidential" in any meaningful sense?

Is there anybody out there who would buy crypto gear or confidential services
from vendors who were subject to such a law?

David Kahn asserts that the sovereign always attempts to reserve the use of
cryptography to himself.  Nonetheless, if this language were to be enacted into
law, it would represent a major departure.  An earlier Senate went to great
pains to assure itself that there were no trapdoors in the DES. Mr. Biden and
Mr. DeConcini want to mandate them.  The historical justification of such
reservation has been "national security;" just when that justification begins
to wane, Mr. Biden wants to use "law enforcement."  Both justifications rest
upon appeals to fear.

In the United States the people, not the Congress, are sovereign; it should not
be illegal for the people to have access to communications that the government
cannot read.  We should be free from unreasonable search and seizure; we should
be free from self-incrimination.  The government already has powerful tools of
investigation at its disposal; it has demonstrated precious little restraint in
their use.

Any assertion that all use of any such trap-doors would be only
"when appropriately authorized by law" is absurd on its face.  It is not
humanly possible to construct a mechanism that could meet that
requirement;  any such mechanism would be subject to abuse.

I suggest that you begin to stock up on crypto gear while you can still get it.
Watch the progress of this law carefully.  Begin to identify vendors across the
pond.

William Hugh Murray, Executive Consultant, Information System Security
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
203 966 4769

-- 
John Gilmore   {sun,uunet,pyramid}!hoptoad!gnu   gnu@toad.com   gnu@cygnus.com
*  Truth :  the most deadly weapon ever discovered by humanity. Capable of   *
*  destroying entire perceptual sets, cultures, and realities. Outlawed by   *
*  all governments everywhere. Possession is normally punishable by death.   *
*      ..{amdahl|decwrl|octopus|pyramid|ucbvax}!avsd!childers@tycho          *

gordon@sneaky.lonestar.org (Gordon Burditt) (04/15/91)

>It is the sense of Congress that providers of electronic communications
>services and manufacturers of electronic communications service equipment shall
>ensure that communications systems permit the government to obtain the plain
>text contents of voice, data, and other communications when appropriately
>authorized by law.

I interpret this to mean, in the case of Privacy-Enhanced Mail and 
crypto hardware that has to have keys supplied by the manufacturer:

"Key distribution centers shall keep logs of who is issued what keys,
and make such logs and duplicate key hardware available to law enforcement 
personnel and any Drug Dealers(tm) with enough cash to bribe officers 
of the key distribution center".

It doesn't seem to require a backdoor.

						Gordon L. Burditt
						sneaky.lonestar.org!gordon