Lisa S. Dean
Patrick S. Poole
Director
Deputy Director

June 15, 1998

Senator John Ashcroft
United States Senate
316 Hart Senate Office Building
Washington, D.C. 20510

Dear Senator Ashcroft,

We are writing to you to express our concern over the current debate relating to legislation on the encryption issue, which has excluded many voices concerned with the protection of our privacy and fundamental freedoms. We believe that the best defense that citizens have in the dawning age of electronic commerce is computer software and hardware that has strong encryption features. In light of the recent incidents of “hackers” penetrating sensitive government computer systems, the use of strong encryption by government agencies is the best national security defense we have against terrorists and other rogue elements that would try to disable and compromise the computer systems that are vital for our national defense.

And yet, with these very compelling arguments for broad use of strong encryption products, the Federal Bureau of Investigation (FBI) and National Security Agency (NSA) are determined to derail any legislative proposal that would allow citizens to use encryption products that do not have “key recovery” features or that would prohibit a “key escrow” regime.

But these two approaches have proven to be failures. In May 1996, the National Research Council (NRC) released a comprehensive report entitled Cryptography’s Role in Securing the Information Society (the “CRISIS” report) that stressed that national policy should make cryptography broadly available to all segments of society - government, industry and the American public. The panel that published the CRISIS report included a former FBI Director and former head of the NSA. This panel concluded that the “key escrow” regime is an unproven technology and the government should not actively promote it.

A report re-issued just a few days ago by the top eleven cryptographers in the US also questioned the Clinton Administration’s key recovery proposal. This report, The Risks of Key Recovery, Key Escrow and Trusted Third Party Encryption, concluded: “The deployment of key recovery systems designed to facilitate surreptitious government access to encrypted data and communications introduces substantial risks and costs.”

Your previous leadership in opposing key recovery and key escrow proposals has been critical. However, we are concerned about your recently introduced “Encryption Protects the Rights of Individuals from Violation and Abuse in Cyberspace” bill (S. 2067; “E-Privacy”). While the stated intent of the bill is to give citizens access to strong encryption products and to allow the software industry to export products featuring strong encryption, E-Privacy grants enormous new powers of surveillance and export control to the federal government. We find that these two goals are mutually exclusive: you cannot empower citizens with the capability to protect their online privacy while simultaneously providing law enforcement and intelligence agencies with the tools to render those protections moot. Of particular concern are these provisions of E-Privacy:

1. E-Privacy would allow the US to engage in crypto-recovery treaties that would allow the Attorney General to assist foreign governments in obtaining the plain text of our encrypted communications. This could subject both local and federal law enforcement agencies to act against its own citizens without the violation of any US law. This is a great breach of national sovereignty.

2. E-Privacy expands the authority of the Foreign Intelligence Surveillance Court, who conducts all proceedings in absolute secrecy and permanently seals all court records, to force phone companies and Internet Service Providers (ISP) to assist in conducting covert surveillance and physical searches without any probable cause. The meager oversight that Congress has given in the past to the FISC has allowed it to permit the FBI and NSA to use this covert power to conduct domestic surveillance for gathering evidence to be used in criminal trials, in blatant violation of the Fourth Amendment protections against general warrants and searches without probable cause.

3. E-Privacy subjects new software products using encryption to an eight-member export review panel that includes intelligence agency officials and the administration’s export chief. This provision would allow the NSA to subject the software to tests to determine the weaknesses of those programs, for the express intent of exploiting those vulnerabilities - making the use of those software products irrelevant. In addition, the bill extends the technical review requirement to all software!  It would require any software that includes programming interfaces to be submitted for a one-time review before export.  This would include operating systems, servers, browsers, e-mail programs, word processors and spreadsheets.  There has never been any regulatory or statutory basis for requiring agency approval of software that does not actually contain encryption.  This requirement would be overbroad and is not warranted.

4. E-Privacy could authorize the creation of a FBI ‘NET Center’, where US intelligence organizations - specifically the National Security Agency - will provide the resources and training to federal, state and local law enforcement agencies to help crack encrypted programs. The NET Center would have a broad mandate and very well could spawn a new domestic surveillance bureaucracy within the Department of Justice. We would caution you about the involvement of the NSA in domestic law enforcement. The 1987 House Report on the Computer Security Act noted that enabling the NSA to engage in law enforcement was “particularly troubling” since the NSA “has, on occasion, improperly targeted American citizens for surveillance.”

5. E-Privacy would create a new criminal offense for the use of encryption in the commission of a crime.  We believe it is a mistake to create criminal penalties for the use of a particular technique or device. Such a provision tends to draw attention away from the underlying criminal act and casts a shadow over a valuable technology that should not be criminalized. Given that the availability of strong encryption is one of the best ways to reduce the risk of crime and to promote public safety, the retention of this provision in the legislation will send a mixed message to users and businesses -- that we want people to be free to use encryption, but they are under suspicion when it is used.

The encryption issue is not about software exports: it is about a federal government that has developed a taste not just for vast amounts of detailed and personal information about every citizen, but also a hunger for increased surveillance powers.

While the E-Privacy bill may represent a "compromise" between the computer industry and law enforcement and intelligence agencies, it could potentially endanger our constitutional freedoms.  We would strongly urge you to reconsider your position on E-Privacy in light of the enormous power that it grants to the federal government to conduct surveillance on US citizens. We need legislation on encryption that will not only protect the privacy and electronic commerce of the American public, but will also protect them against the growing power of our government. E-Privacy fails to accomplish either of these goals.

We have few champions in the Senate. You have proven yourself to be not only courageous, but also considerate of the rights and freedoms of the American people that you swore to protect. We need a line drawn in the sand on encryption. Unfortunately, despite your best efforts, E-Privacy is not that line.

We will devote not only our time, but our efforts as well to fully support you to ensure that citizens have the tools to protect their privacy AND their freedoms. By giving us a piece of strong legislation, you will have our unqualified support in rallying grassroots America on this issue and your legislative efforts. While we cannot support E-Privacy as presently drafted, we look forward to working with you address the concerns we have raised and create an encryption bill that fully preserves our precious liberties.

Sincerely,