Just one day after a joint university-corporate team cracked the government's standard 56-bit encryption code, the Senate Commerce Committee on Thursday approved a bill that would write into law the current Clinton administration limits on crypto exports involving software stronger than 56 bits.
"This is the height of irony," said Robert Holleyman, president of the Business Software Alliance, an industry lobbying group that has expressed a strong preference for rival legislation that scraps the export limits. Holleyman said the committee "went ahead and voted without having a clear understanding of the issue."
In addition to the restrictive export provisions, the Secure Public Networks Act would also set up a system of domestic key recovery. The bill is co-sponsored by Senators Bob Kerrey (D-Nebraska), John McCain (R-Arizona), Ernest Hollings (D-South Carolina), and John Kerry (D-Massachusetts) and was introduced earlier this week.
"Privacy and security will not be achieved with this head-in-the-sand approach," Jerry Berman, executive director for the Center for Democracy and Technology, said after the committee vote. Berman cited a recent study by 11 encryption experts concluding that a federal - or global - key recovery system is unreliable and unfeasible. "The key recovery concept is vaporware," he said.
In response to that study, one of five amendments to the bill accepted by the Commerce Committee called for the National Institute of Standards and Technology to study the feasibility of creating such a vast system of storing data on virtually every person involved in electronic transactions.
An amendment introduced by Kerry would create an advisory board on encryption export, made up of four government officials - from the FBI, CIA, National Security Council, and the Office of the President - and four industry representatives. The board would advise the president on changing technologies and decide whether and when to change crypto-export policy.
"It would guarantee rapidly that we will not be disadvantaged in the market," Kerry said.
But at least one senator on the committee was not so sure.
"Let's deal with the reality of the business world," said Senator Conrad Burns (R-Montana), whose own data legislation, Pro-CODE, though widely supported by the high-tech industry and privacy groups, has been swept aside by the new bill. "You're going to be a day late and a dollar short."
And Senate Majority Leader Trent Lott of Mississippi expressed concerns over the new bill, saying that he doesn't think "we let this percolate quite enough."
Industry leaders said after the committee meeting that the idea of such an advisory panel showed how out of touch the government can be with the business world.
"Who are we kidding?" asked John Scheibel, vice president and general counsel for the Computer and Communications Industry Association. Last month, Scheibel noted, Sun Microsystems announced a deal for overseas marketing of encryption software made by a Russian firm because of administration export controls.
The confusion among legislators over high-tech issues such as encryption became clear when, bizarrely, some senators started referring to the issue of online pornography in conjunction with encryption policy.
"I think Senator Burns' bill is the freest approach for us to compete on the open marketplace, but I do want to protect our children from pornography," Senator Kay Bailey Hutchison (R-Texas) told the committee. McCain, who is chairman of the Commerce Committee, agreed. "I must do what I can to protect people from child pornography and illegal gambling" on the Internet, he said.
But it was perhaps Senator John Ashcroft (R-Missouri) who made the connection between safeguarding electronic commercial transactions from prying eyes and shielding children from porn on the Net most plausible: "We're not going to outlaw photography because someone takes dirty pictures. People use it for good things and bad things - and it's the same with encryption."