Too Close for Comfort

Don't count on Congress for crypto reform.

In September 1997, Net users came within a hairbreadth of losing the encryption wars. Although cyberactivists managed to turn back the FBI's latest effort to impose strict controls on the use of strong crypto within the US, the victory has brought little cause for celebration. This battle may have been won, but a larger struggle was lost, as Congress has become hostile turf for campaigns to relax the US government's encryption export controls.

Throughout the summer, the FBI lobbied Capitol Hill relentlessly to convince Congress that drug kingpins, terrorists, and pedophiles are using strong encryption to thwart law enforcement. These scare tactics proved effective, as several members of the House emerged as new foes of HR 695, the SAFE bill, a measure introduced by Representative Bob Goodlatte (R-Virginia) to liberalize crypto export restrictions and prohibit the government from mandating the use of encryption key recovery systems within the US. Even worse, when SAFE arrived in the House National Security and Intelligence Committees in mid-September, it was effectively gutted after the committees passed amendments that reversed the bill's original intent.

Under the amended version of the SAFE bill (dubbed "unSAFE" by online wags), all encryption products sold or distributed in the US after January 31, 2000, would include a "back door" that enables police to obtain immediate access to the unscrambled text of an encrypted message. To do this, Internet users would be required to turn over a copy of their encryption keys to a government-certified "key recovery agent." Courts would then be authorized to issue sealed orders granting law enforcement access to encryption keys with only a demonstration of "a factual basis establishing the relevance of the plaintext" to an investigation.

In the wake of this legislative fiasco, the action shifted to the House Commerce Committee, where Representatives Michael Oxley (R-Ohio) and Thomas Manton (D-New York) introduced yet another unSAFE amendment, this one designed to grant law enforcement immediate access to any encrypted material within the US. The move prompted civil liberties groups and industry lobbyists to launch an all-out campaign to draw attention to the proposal's Big Brother implications. As thousands of Internet users took to the phones to call members of Congress, high tech organizations, law professors, and scientific groups released letters that blasted the Oxley-Manton amendment's potentially devastating impact on Internet privacy and security, the balance of constitutional rights, and academic research.

Miraculously, these efforts paid off on September 24, when the Commerce Committee voted 35-16 to reject Oxley-Manton. But the short-term victory over the FBI has come at a long-term cost, as the House is now considering "compromise" amendments that would retain the export-liberalization provisions of the original SAFE bill in exchange for new laws governing the use of encryption within the United States.

Given that no laws currently apply to the use of encryption within the US, that hardly seems like a worthwhile trade. But as the inexorable drive for compromise gathers steam in the House, future versions of SAFE are likely to propose still more domestic controls on the use of encryption. Meanwhile, over in the Senate, another time bomb is ticking in the form of S 909, the McCain/Kerrey bill, which contains both encryption export restrictions and domestic key recovery provisions.

Taken together, these developments have set the stage for Congress to enter a protracted phase of encryption gridlock. The only hope for export relief now lies in the judiciary, where a district court in San Francisco has found the crypto export rules to be unconstitutional on First Amendment grounds. American encryption policy is a shaky house of cards, but Congress clearly doesn't have the gusto to knock it down.