FNCAC Encryption Policy Proposal

"Common Ground" FNCAC Encrytpion Policy Proposal

• Recognize several legitimate social objectives wrt encryption policy

• Endorse need for at least some forms of strong encryption to be available both domestically and internationally

• Endorse need for overhaul of legal regime to stricly define and enforce auditable system for government access to private encrytped data

• Endorse requirement that US system be part of common international system negotiated with at least minimal subset of other nations

• Export control regime consistent with above requirements acceptable if technically feasible, practical, and demonstrably useful.

Legitimate Social Objectives

• Privacy/civil liberties

• Secure commerce

• Law enforcement

• National security/foreign intelligence

• Regulation/oversight/audit international economic infrastructure
  - banking system/financial markets
  - trade data

• FNCAC should explicitly recognize that all of these are legitimate societal interests.

Strong Encryption

• No constraints on domestic use

• At least some forms of strong encryption available for international use

• May mean "key recovery" systems if practical, may mean something else, but must be acceptably strong.

New Legal Framework; Safeguards on Govt. Access

• Government access to encrypted data is to further interest of its citizens in legitimate social objectives

• Legal framework should be updated to reflect current and forseeable technological realities

• System must be auditable to safeguard against abuse

• Careful attention to checks and balances on government

• Tougher standards for private abuse of personal data; tougher penalties on illegal private access also worth considering.

Need for International System

• Law enforcement, intelligence, regulation of economic infrastructure are inherently international today

• Access across national boundaries required to achieve many social objectives

• Interoperability across national boundaries required for computer and communications systems, databases

• Level playing field, common rules of game needed to avoid giving economic rivals advantages over one another through differences in requirements imposed by policy.

Export Control Regime Acceptable if

• passes bar of technical feasibility, practicality

• applies to encryption technology that is not widely and reliably available internationally outside of core membership of new system, and has real potential downside for some societal interests

• distributed private "key recovery" system an interesting concept, still being refined and debated

• inherently international system in scope

• details of new system and phase-in should support, not block, rapid technical change

• is it useful to consider a distinction between offensive and defensive products?

The draft resolution language as assembled by Gage is as follows:

1. Stong encryption technology is a basic tool to enable information security, and must be available to all. Therefore, we recommend no restrictions on the use of cryptography. No law should bar the design, manufacture, sale, use, or research into any form of encryption.

2. Federal networks must implement a full range of information security technologies. Furthermore, Federal networks connect and interoperate with networks in the rest of the world. Federal networks should be able to use any form of encryption and information security used elsewhere in the world.

3. The Federal government has rights, under the law, to access and acquire various forms of data. Technology exists to allow complete audit trails of data access to be maintained, cryptographically signed, and authenticated. Technology exists, enabled by encryption technology, to maintain and guarantee the integrity of data acquired. Therefore, we recommend that such access and acquisition be accompanied by strict accountability: the integrity, authenticity, and no-repudiation of data acquired by the Federal government must be guaranteed, as far as possible, by the use of encryption technology.

4. Federal agencies with experience in the use of encryption technology for information security have an obligation to participate in the re-examination of national policy, and, in particular, support research into all aspects of encryption technology.

The full FNCAC endorses the privacy & security working group’s draft resultion, to be further developed by the working group. This draft resolution will be discussed and worked on on-line by members of the FNCAC privacy and security working group, and will be shared with the full FNCAC when a final draft is realized.