Internet privacy advocates are balking at a draft of encryption legislation that the Clinton administration plans to send to Congress, saying that it could give law enforcement officials unbridled access to keys to encrypted data and all but requires participation in domestic key recovery.
A draft of the legislation, obtained by the Center for Democracy and Technology and posted to its Web site Wednesday, states that domestic participation in the key management infrastructure is "voluntary." But opponents argue that the legislation is written in such a way that nonparticipation equals an inability to conduct electronic commerce.
"It gives users a choice of 100 doors, but 99 of them are locked and the one that's not says 'key management' on it," said Marc Rotenberg of the Electronic Privacy Information Center. "[The proposal] does everything but mandate key recovery."
Under the administration's draft proposal, the Electronic Data Security Act of 1997, trusted third parties would hold the keys to encrypted data, and law enforcement officials could obtain the keys. The administration maintains that law-enforcement officials need to have the ability to get encrypted data to prosecute criminal activity.
Though all parties agree that it may be too early to debate the legislation - it has not been introduced and has yet to find a sponsor - it raises serious concerns over who has access to private data within the United States.
Controversy is likely to focus on one provision in the bill that sets out the circumstances under which keys must be surrendered to police. The draft specifies a standard set of conditions that would require release of keys - a court order or warrant, a subpoena, or the US attorney general's certification under the Foreign Intelligence Surveillance Act.
However, the proposal provides another way to get at keys that the Center for Democracy and Technology attacked as giving "carte blanche" access to encrypted information. Keys must be turned over, the draft says, "upon receipt of written authorization in a form to be specified by the Attorney General."
"This is incorrect," said an aide to Vice President Al Gore who worked on the draft. "The authorities would only have access to information if it had proper court authority, like in wiretapping."
Jonah Seiger, communications director for the CDT, commented that terms like "written authority" are overly broad.
The administration's proposal was first announced last week by the Commerce Department's undersecretary of export administration, William Reinsch, who could not be reached for comment. Several other bills regarding encryption technologies, which do not put controls on domestic encryption or the export of such security technologies, have been introduced this year into Congress.
