The following mail is a mail I received from COAST which I think is
VERY relevant to firewall vendors particularly those whose firewalls
support VPN (Firewall-firewall & User-firewall encrypted session)
----------------------- 8< cut here 8< ----------------------------------
>Resent-Date: Fri, 12 Sep 1997 17:19:18 -0500 (EST)
>X-Authentication-Warning: arthur.cs.purdue.edu: smrtlist set sender to
edu using -f
>To: coastwatch @
edu (COAST Mailing list)
>Subject: Special Notice: News on Pending US Legislation
>Reply-To: spaf @
>Organization: COAST, Department of Computer Sciences, Purdue Univ.
>Approved: spaf @
>Date: Fri, 12 Sep 1997 11:58:47 -0500
>From: spaf @
edu (Gene Spafford)
>Resent-From: coastwatch @
>X-Mailing-List: <coastwatch @
>X-Loop: coastwatch @
>Resent-Sender: coastwatch-request @
>[If you get the multiple times, our apologies. Our mailer got
>the hiccups, and we had to resend this.]
>The last week has produced some incredible events in the U.S. House of
>Representatives as regards cryptography.
>Enclosed is a story about one such event that may soon result in U.S.
>law. If you do business in the U.S. or live in the U.S. and expect to
>use computer systems and networks, this issue should be of major
>concern to you. Most mainstream media seems to be avoiding this issue,
>perhaps because it is difficult to present to the lay reader. Thus,
>you may not have heard about this. We think you should. The
>implications are huge for our security and privacy, and for the ability
>to conduct unhindered research and education on information security
>issues in the U.S.
>I will not editorialize on this issue here. However, I urge you to seek out
>information on what is happening and convey your opinions, whatever they may
>be, to your elected representatives (if you are in the US). You should act
>soon, as there may be little time before a final bill is crafted to go to
>floor of the House.
>>---------- Forwarded message ----------
>>Date: Thu, 11 Sep 1997 23:37:39 -0700 (PDT)
>>From: Declan McCullagh <declan @
>>To: fight-censorship-announce @
>>Subject: House panel votes behind closed doors to build in Big Brother
>>Software that protects your privacy is a controlled substance that may no
>>longer be sold, a Congressional committee decided today.
>>Meeting behind closed doors this morning, the House Intelligence committee
>>voted to replace a generally pro-encryption bill with an entirely
>>rewritten draft that builds in Big Brother into all future encryption
>>products. (The Senate appears to be moving in a similar direction.)
>>The new SAFE bill -- titled in a wonderfully Orwellian manner the
>>"Security and Freedom through Encryption" act even though it provides
>>neither -- includes these provisions:
>>SELLING CRYPTO: Selling unapproved encryption products (that do not
>>include "immediate access to plaintext") becomes a federal crime,
>>immediately after this bill becomes law. Five years in jail plus
>>fines. Distributing, importing, or manufacturing such products
>>after January 31, 2000 is another crime.
>>NETWORK PROVIDERS: Anyone offering scrambled "network service"
>>including encrypted web servers or even "ssh" would be required to
>>build in a backdoor for the government by January 31, 2000. This
>>backdoor must provide for "immediate decryption or access to
>>plaintext of the data."
>>TECHNICAL STANDARDS: The Attorney General will publish technical
>>requirements for such backdoors in network service and encryption
>>products, within five months after the president signs this bill.
>>LEGAL TO USE CRYPTO: "After January 31, 2000, it shall not be
>>unlawful to use any encryption product purchased or in use prior to
>>GOVERNMENT POWERS: If prosecutors think you may be selling,
>>importing, or distributing non-backdoor'd crypto or are "about" to
>>do so, they can sue. "Upon the filing of the complaint seeking
>>injunctive relief by the Attorney General, the court shall
>>automatically issue a temporary restraining order against the party
>>being sued." Also, there are provisions for holding secret
>>hearings, and "public disclosure of the proceedings shall be
>>treated as contempt of court." You can request an advisory opinion
>>from the government to see if the program you're about to publish
>>violates the law.
>>ACCESS TO PLAINTEXT: Courts can issue orders, ex parte, granting
>>police access to your encrypted data. But all the government has to
>>do to get one is to provide "a factual basis establishing the
>>relevance of the plaintext" to an investigation. They don't have to
>>demonstrate probable cause, which is currently required for a
>>search warrant. More interestingly, this explicitly gives the FISA
>>court jurisdiction (yes, the secret court that has never denied a
>>request for a wiretap). If they decode your messages, they'll tell
>>you within 90 days.
>>GOVERNMENT PURCHASING: Federal government computer purchases must
>>use a key escrow "immediate decryption" backdoor after 1998. Same
>>with networks "purchased directly with Federal funds to provide the
>>security service of data confidentially." Such products can be
>>labeled "authorized for sale to U.S. government"
>>ENCRYPTION EXPORTS: The Defense & Commerce departments will control
>>exports of crypto. Software "without regard to strength" can be
>>exported if it includes a key escrow backdoor and is first
>>submitted to the government. Export decisions aren't subject to
>>judicial review, and the "president may by executive order waive
>>any provision of this act" if he thinks it's a threat to national
>>security. Within 15 days, he must send a classified briefing to
>>ADVISORY PANEL: Creates the Encryption Industry and Information
>>Security Board, with seven members from Justice, State, FBI, CIA,
>>White House, and six from the industry.
>>INTERNATIONAL: The president can negotiate international agreements
>>and perhaps punish noncompliant governments. Can you say "trade
>>(Other provisions barring the use of crypto in a crime and
>>some forms of cryptanalysis are also in the bill.)
>>Next the Commerce Committee will vote on SAFE, and a former FBI
>>agent-turned-Congressman is vowing to ensure that similar language to this
>>is included. (The committees are voting on the bill in parallel, and a
>>four-person team of Congressmen is working to forge a compromise before
>>Commerce votes.) Then the heads of the five committees that have rewritten
>>the legislation will sit down and work out another compromise. If it's
>>acceptable to the House Rules committee -- and if the FBI/NSA get what
>>they want it will be -- the bill can move to the floor for a vote.
>>That's why the encryption outlook in Congress is abysmal. Crypto-advocates
>>have lost, and lost miserably. A month ago, the debate was about export
>>controls. Now the battle is over how strict the //domestic// controls will
>>be. It's sad, really, that so many millions of lobbyist-dollars were not
>>only wasted, but used to advance legislation that has been morphed into a
>>truly awful proposal.
>>I wrote more about this at:
>------- End of Forwarded Message