Senate panel passes new bill requiring key-recovery technology

A Senate committee last week quickly passed a bill that would require any encryption product purchased by the federal government or with federal funds for use in securing government networks be based on the controversial key-recovery technology.

Without holding any hearings the Senate Commerce Science and Transportation Committee passed by voice vote June 12 the Secure Public Networks Act which was introduced just two days before. As of late last week the bill had yet to be scheduled for a floor vote.

The bill is designed to foster the Clinton administration's disputed key-recovery technology which allows users who use a secret software key to receive and send encrypted data to recover the key in the event that it is lost or stolen. The bill also would allow law enforcement officials who have received a court-ordered subpoena to obtain the key to access information they could use in criminal investigations.

The bill which is co-sponsored by Sen. Bob Kerrey (D-Neb.) and Sen. John McCain (R-Ariz.) also would relax U.S. export controls on encryption products.Most federal agencies have not begun to install public-key cryptography but a few agencies are testing key-recovery mechanisms. An Energy Department official said that although an official policy has not yet been issued employees who are encrypting files are instructed to store passwords or keys in an agency depository to prevent the loss of information should the person who knows the passwords or keys becomes incapacitated.

Some privacy critics and industry representatives have opposed giving law enforcement agencies access to encrypted data and say the bill is yet another Clinton administration attempt to push mandatory key recovery instead of relying on free-market encryption development.

One particularly controversial aspect of the bill involves the licensing of a certificate authority who would verify the owner of the key needed to decode an encrypted message. Users keep their second key secret so that no one can impersonate them. But some users want a way to recover this secret key if it is lost or stolen so they give a copy to a trusted third party or "key-recovery agent " such as a bank.

Under the bill users could obtain validation of their public keys only if they register their secret keys with a government-certified key-recovery agent. These government-certified agents will be provided vital liability and legal protection that effectively will discourage any agents to participate in the market without being government certified said Jonah Seiger communications director for the Center for Democracy and Technology a nonprofit Internet policy organization.

Problematic Idea

"As a national policy there are very serious problems with this idea " Seiger said. "The bill is voluntary to the extent that no one is holding a gun to your head but the market isn't going to produce anything else. [Congress is] now taking a radical right turn that no one understands with only 48 hours' notice."A Senate staff member who worked on writing the bill said that it was designed to be a compromise between the administration and industry.

"You can't argue with the fact that the government needs to stop terrorists child pornographers drug dealers and other types of criminals " he said. "With non-key recovery encryption law enforcement agencies are basically shut out."

Two other encryption export bills are stalled in committee. This bill was designed as a compromise to prevent it from a similar fate the staff member said.

Still the Senate Judiciary Committee has asked the Secure Public Networks Act to be referred to it which could slow the bill's progress through the Senate.

The staff member said the federal government's mammoth purchasing power will be a significant factor in promoting key-recovery technology and industry has responded positively to the portion of the legislation that requires federal government purchasing of the technology he said.

"They love it they see dollar signs. The federal government buys a lot of software " he said.

But a spokeswoman for the Business Software Alliance a consortium that represents 65 software companies including Apple Computer Inc. Microsoft Corp. Compaq Computer Corp. and Lotus Development Corp. said the Senate Committee's passage of the legislation was a significant step backward for the software industry and its customers.

"It's really not technologically feasible " she said. "There's a concern that there's a real need for the education of Congress particularly members of the committee. What we are asking for and what we will not back off from is a voluntary market-driven solution that ensures the privacy and security of consumers."