Date: Wed, 17 Jul 1991 14:47:33 EDT From: Dave Banisar Subject: File 6--Crypto-conference statement CRYPTO-CONFERANCE STATEMENT On July 10, 1991, the Computer Professionals for Social Responsibility, the Electronic Frontier Foundation, and RSA Data Security Inc. sponsored a conference on cryptography and privacy. The conference was organized in response to S-266, a Senate bill which mostly dealt with terrorism but had a provision which required telecommunications equipment manufacturers and service providers to provide a way for legally authorized law enforcement agencies to get "plaintext" transcriptions of messages sent by indviduals. The conference was attended by industry, congressional and agency staff, privacy advocates and experts in cryptography and computer security. The purpose of the conference was to inform the Congress and administration about the privacy concerns regarding of government control of cryptographic research, export controls of encryption systems and S-266. Conference materials are available for a nominal fee from CPSR. Contact Marc Rotenberg at mrotenberg@washofc.cpsr.org or (202) 544-9240 for more information. STATEMENT IN SUPPORT OF COMMUNICATIONS PRIVACY Washington, DC June 10, 1991 As representatives of leading computer and telecommunications companies, as members of national privacy and civil liberties organizations, as academics and researchers across the country, as computer users, as corporate users of computer networks, and as individuals interested in the protection of privacy and the promotion of liberty, we have joined together for the purpose of recommending that the United States government undertake a new approach to support communications privacy and to promote the availability of privacy-enhancing technologies. We believe that our effort will strengthen economic competitiveness, encourage technological innovation, and ensure that communications privacy will be carried forward into the next decade. In the past several months we have become aware that the federal government has failed to take advantage of opportunities to promote communications privacy. In some areas, it has considered proposals that would actually be a step backward. The area of cryptography is a prime example. Cryptography is the process of translating a communication into a code so that it can be understood only by the person who prepares the message and the person who is intended to receive the message. In the communications world, it is the technological equivalent of the seal on an envelope. In the security world, it is like a lock on a door. Cryptography also helps to ensure the authenticity of messages and promotes new forms of business in electronic environments. Cryptography makes possible the secure exchange of information through complex computer networks, and helps to prevent fraud and industrial espionage. For many years, the United States has sought to restrict the use of encryption technology, expressing concern that such restrictions were necessary for national security purposes. For the most part, computer systems were used by large organizations and military contractors. Computer policy was largely determined by the Department of Defense. Companies that tried to develop new encryption products confronted export control licensing, funding restrictions, and classification review. Little attention was paid to the importance of communications privacy for the general public. It is clear that our national needs are changing. Computers are ubiquitous. We also rely on communication networks to exchange messages daily. The national telephone system is in fact a large computer network. We have opportunities to reconsider and redirect our current policy on cryptography. Regrettably, our government has failed to move thus far in a direction that would make the benefits of cryptography available to a wider public. In late May, representatives of the State Department met in Europe with the leaders of the Committee for Multilateral Export Controls ("COCOM"). At the urging of the National Security Agency, our delegates blocked efforts to relax restrictions on cryptography and telecommunications technology, despite dramatic changes in Eastern Europe. Instead of focusing on specific national security needs, our delegates continued a blanket opposition to secure network communication technologies. While the State Department opposed efforts to promote technology overseas, the Department of Justice sought to restrict its use in the United States. A proposal was put forward by the Justice Department that would require telecommunications providers and manufacturers to redesign their services and products with weakened security. In effect, the proposal would have made communications networks less well protected so that the government could obtain access to all telephone communications. A Senate Committee Task Force Report on Privacy and Technology established by Senator Patrick Leahy noted that this proposal could undermine communications privacy. The public opposition to S. 266 was far-reaching. Many individuals wrote to Senator Biden and expressed their concern that cryptographic equipment and standards should not be designed to include a "trapdoor" to facilitate government eavesdropping. Designing in such trapdoors, they noted, is no more appropriate than giving the government the combination to every safe and a master key to every lock. We are pleased that the provision in S. 266 regarding government surveillance was withdrawn. We look forward to Senator Leahy's hearing on cryptography and communications privacy later this year. At the same time, we are aware that proposals like S. 266 may reemerge and that we will need to continue to oppose such efforts. We also hope that the export control issue will be revisited and the State Department will take advantage of the recent changes in East-West relations and relax the restrictions on cryptography and network communications technology. We believe that the government should promote communications privacy. We therefore recommend that the following steps be taken. First, proposals regarding cryptography should be moved beyond the domain of the intelligence and national security community. Today, we are increasingly dependent on computer communications. Policies regarding the appropriate use of cryptography should be subject to public review and public debate. Second, any policy proposal regarding government eavesdropping should be critically reviewed. Asking manufacturers and service providers to make their services less secure will ultimately undermine efforts to strengthen communications privacy. While these proposals may be based on sound concerns, there are less invasive ways to pursue legitimate government goals. Third, government agencies with appropriate expertise should work free of NSA influence to promote the availability of cryptography so as to ensure communications privacy for the general public. The National Academy of Science has recently completed two important studies on export controls and computer security. The Academy should now undertake a study specifically on the use of cryptography and communications privacy, and should also evaluate current obstacles to the widespread adoption of cryptographic protection. Fourth, the export control restrictions for computer network technology and cryptography should be relaxed. The cost of export control restrictions are enormous. Moreover, foreign companies are often able to obtain these products from other sources. And one result of export restrictions is that US manufacturers are less likely to develop privacy-protecting products for the domestic market. As our country becomes increasingly dependent on computer communications for all forms of business and personal communication, the need to ensure the privacy and security of these messages that travel along the networks grows. Cryptography is the most important technological safeguard for ensuring privacy and security. We believe that the general public should be able to use this technology free of government restrictions. There is a great opportunity today for the United States to play a leadership role in promoting communications privacy. We hope to begin this process by this call for a reevaluation of our national interest in cryptography and privacy. Mitchell Kapor, Electronic Frontier Foundation Marc Rotenberg, CPSR John Gilmore, EFF D. James Bidzos, RSA Phil Karn, BellCore Ron Rivest, MIT Jerry Berman, ACLU Whitfield Diffie, Northern Telecom David Peyton, ADAPSO Ronald Plesser, Information Industry Association Dorothy Denning, Georgetown University David Kahn, author *The Codebreakers* Ray Ozzie, IRIS Associates Evan D. Hendricks, US Privacy Council Priscella M. Regan, George Mason University Lance J. Hoffman, George Washington University David Bellin, Pratt University Eugene Spafford, Purdue University Steve Booth, Hewlett-Packard Steve Kent Dave Farber, University of Pennsylvania ------------------------------