Crypto Law Crosses Industries
The White House's emerging encryption law could regulate more than encryption companies
Department of Justice officials are drafting legislation to impose criminal and civil penalties on companies that mishandle encryption keys.
"If you are in computers, banking or financial services, you will want to watch this closely to ensure it doesn't affect your current operations," said Stewart Baker, an attorney with the Washington-based law firm Steptoe & Johnson.
If Congress approves a broad version of the law sometime in 1997, it could regulate the activities of numerous companies engaging in electronic commerce, because transactions conducted via the Internet and the World Wide Web are frequently encrypted to defeat eavesdroppers and computer hackers. "It's a deep concern.... anyone who is interested in electronic commerce should be interested in this," said a lawyer for several Silicon Valley companies.
But "we're going to make sure that whatever happens is not vague," said Kawika Daguio, a lobbyist for the Washington-based American Bankers Association. "The regulations should be rational and sufficient [for law enforcement]. That's it," he said.
Several banks are using their expertise to win a share of the growing business of online commerce and don't want to be hamstrung by vague laws governing the use of encryption technology, he said.
The draft law is part of a White House effort to jump-start a nationwide market for key-recovery encryption technology. The technology is intended to shield data and conversations from eavesdroppers and hackers, yet also allow police to conduct court-ordered wiretaps of suspected criminal or terrorist activities.
Government officials say the key-recovery technology will be purchased by consumers and companies because it allows them to recover spare copies of electronic encryption keys that are lost, stolen or damaged. The spare copies of the keys would be stored by the companies, or by outside organizations, dubbed "trusted third parties."
The draft law will define the rights and responsibilities of the key holders, said Jamie Gorelick, the U.S. deputy attorney general. "Should that entity [wrongly] divulge the key... you would have a civil remedy against them, and there would be a criminal penalty," she said Sept. 25 at a hearing held by the House Committee on the Judiciary.
The law should be sent to Congress "sometime next year," said Gorelick's deputy, Michael Vatis.
The proposed law is needed to protect key-holding organizations from lawsuits when they hand over a customers' key to law enforcement officials who are conducting a court-ordered wiretap, said one government official.
Also, the law would include criminal penalties to deter key-holding organizations from covertly giving copies of a customer's key to criminals or business rivals.
Companies that hold their own encryption keys are already legally required to give encryption keys to law enforcement officials that are armed with a court order, said Greg Simon, domestic affairs adviser to Vice President Al Gore.
For the government's key-recovery plans to work, the new law must also provide protection from lawsuits for key-holding companies that accidentally release a company's private key, said Alan Davidson, counsel to the Center for Democracy and Technology, a Washington-based, industry-backed lobbying group. "Nobody wants to touch these things without some guarantee about key-holder liability.... There's got to be some sort of cap" on court-ordered damage awards, he said.
For industry executives, one crucial decision is the definition of a key holder, said Baker. "Whatever they write will have to be read very carefully to see what other industries are concerned, and the definition of key holder is critical," said Baker.
"To do what they want to do, they don't need a ton of stuff... [but] imposing this kind of system has the potential of making [banks and credit card companies] into key holders," said Davidson.
For example, the law must consider whether an executive's secretary is considered a trusted third party if the secretary has a copy of the executive's encryption key, Baker said.
Any proposed law should also exempt technologies that create a unique encryption key for each message, or encryption technologies that allow wiretaps without someone having to store a spare key, said Daguio. "We don't want anyone to be obligated to keep track of useless keys," he said.
"These are issues that are under review, and no decision has been made," said Justice Department spokesman Gregory King.
One possible definition of key holder was developed by staff working for Sen. Patrick Leahy, D-Vt. In March, Leahy allied with Sen. Conrad Burns, R-Mont., and Sen. Larry Pressler, R-S.D., and introduced a bill that relaxed government controls on encryption, but also set some ground rules for trusted third parties.
According to the definition, a key holder "means a person located within the United States... who is voluntarily entrusted by another independent person with the means to decrypt that person's wire or electronic communications for the purpose of subsequent decryption of such communications."
The Senate did not act on Leahy's bill, S 1587, in 1996.
However, this dispute over definitions won't affect mass-market transactions via the Internet, said Kenneth Bass, a lawyer with the Washington-based firm Venable. An alternative encryption technology, dubbed public key encryption, allows merchants, banks and customers to buy and sell via the Internet without having to share their secret keys with trusted third parties, he said.
One of Bass' clients is Netscape Communications Corp., Mountain View, Calif., which sells Web-browsing software equipped with public key technology, and which has lobbied hard against the White House's encryption policies.
But some companies, such as banks, will be holding some of the secret keys used in public key technology, perhaps extending the liability law to public key technology, said Daguio.
Also, some version of the liability law is needed to cover companies that set themselves up as "certification authorities," said Daguio. These authorities are intended to help people and companies electronically verify each others' encrypted identities when engaged in electronic commerce, said Daguio.
For the government, "the best way to handle this is to let the market work it out," by giving legal primacy to the contracts signed by trusted third-party organizations and their clients, Baker said.
The government could usefully create "rules of the road" for key holders, he said. By following these security rules, key-holding companies could be shielded from unreasonable lawsuits, he said.
However, Congress may not pass the proposed law, or even debate it, said government and industry officials.
In Congress, "there is a lot of opposition to the administration's approach" to encryption policy, said Davidson.
Several senators, including Leahy and Burns, have pushed proposals that would sharply limit government control over encryption technology.
"I don't have a lot of confidence that Congress can pass anything in the area [of encryption], unfortunately," said Alan Reinsch, the Commerce Department's undersecretary for export administration.
"At the end of the day, this might not work. But it is where we are going," said Reinsch.