On September 9, 1997, the House National Security Committee added an amendment from Reps. Dave Weldon and Ronald Dellums (http://www.cdt.org/crypto/legis_105/SAFE/970909_amd.html ) that drastically changed the bill, essentially reversing its intent, and then approved the amended bill. This version would increase export controls by giving the Dept. of Defense veto power over Commerce Dept. crypto export approvals. The amendment was so poorly and short-sightedly written it would undermine US competitiveness and even financial network security by providing no exceptions for limited crypto export by banks and foreign branches of US companies.
On September 11, 1997, the House Permanent Select Committee on Intelligence added an FBI-inspired amendment that drastically changed the bill again, even further away from the bill's purpose, and passed it (http://www.cdt.org/crypto/fbi_draft_text.html ). This version imposes severe and Orwellian *domestic* restrictions on use and availability of encryption, to ensure that police and spy agencies have "immediate decryption" capability over any encrypted message file, and that providers of encyrption or encrypting network service give law enforcement this access without the knowledge of the party being spied upon.
On September 24, 1997, the House Commerce Committee added an amendment that yet again changed the bill by calling for the creation of a National Electronic Technologies Center that would assist law enforcement in research and would provide assistance to federal, state, and local law enforcement agencies in coping with encryption encountered in the course of investigations. The amendment, by Reps. Markey and White, (http://www.cdt.org/crypto/legis_105/SAFE/Markey_White.html ) also would direct the National Telecommunications and Information Administration (NTIA) to conduct a study of the implications of mandatory key recovery, and the amendment increases the criminal penalties under SAFE for the use of encryption in the furtherance of a federal felony. This amendment was passed over an even more sinister one calling for "immediate access" by police to any encrypted message or other data, and strong criminal penalities for users or distributors of actually-secure encryption. The amendment represented an incredibly bold move by the FBI, grasping as it did for even more power than that the Intelligence Committee amendment - it essentially attempted to illegalize real encryption, since the only way to provide "immediate access" is to either give police "skeleton keys" to all encrypting products before they are released, or to reduced all security software's strenght so much that it can be instantly cracked by police - or anyone else. This, fortunately defeated, amendment (http://www.cdt.org/crypto/legis_105/SAFE/Oxley_Manton.html ) was introduced by Reps. Oxley and Manton.
These disparate versions of the bill - none of them good - must now be reconciled in the House Rules Committee before a final "compromise" version can be voted on the House floor. Late in Sept., Rules Committee leadership declared allegiance to the law enforcment and intelligence agencies' position, and vowed to kill SAFE if it did not grant government the powers it demanded.
It is likely that Rules will simply report out a version of SAFE with most or all of the police "wish list" intact if they cannot be convinced to kill the bill entirely. Such an "unSAFE" bill could pass the House. Even if it fails, the McCain-Kerrey bill (see below) may pass the Senate and enter the House for consideration. Neither eventuality is probable, but vigilance is necessary.
EFF believes that there are serious civil liberties problems with *all* versions of SAFE. First, SAFE creates a new crime (which calls for five years imprisonment for a first offense and ten years for subsequent offenses, on top of any other criminal penalities) for using encryption in furtherance of any criminal offense.
This short-sighted proposal would make anyone convicted of any crime, even a minor one, subject to life-wrecking prosecution and imprisonment simply because they did what we will all soon be doing - using an encrypting phone, email program or web browser - when they broke the law. This is like making it an extra crime to speak English or to wear shoes during the commission of a crime. Legislators hoped this farcical "crypto-in-a-crime" provision would mollify law enforcement, but it has not done so. FBI Dir. Louis Freeh has made it clear that investigative agencies want export and import controls, access to everyone's messages without a warrant and without our even knowing about it, and severe criminal penalties for all who try to keep Big Brother out of their computers.
The problems with SAFE do not stop with "crypto-in-a-crime". SAFE gives law enforcement officers the authority to gain access to encrypted information without notification to the owners of the information. And it does not legalize the export of encryption software that is not being mass-marketed or is not in the public domain.
Amended versions of SAFE are even worse. They would put new restrictions on the *domestic* use of encryption (requirements that go beyond the current limitations on the export of encryption), and/or even more severe penalties for use of encryption in a crime.
EFF believes that all limitations on encryption are in violation of the First Amendment, and domestic restrictions are an extreme power grab by law enforcement at a time when most citizens do not fully understand the implications of this action.
EFF is working to ensure that the SAFE bill is killed before it reaches the House floor for a vote.
YOU CAN HELP. Please see the "What You Can Do" section, below.
While its sponsors claim that it would not make key recovery mandatory, SPN would require the use of key recovery systems in order to obtain the "public key certificates" needed to participate in electronic commerce and would require key recovery for all secure networks built with any federal funds -- including the Internet II project and most university networks. It creates 15 new federal crimes dealing with the use of encryption and key recovery (not all of them bad from a privacy standpoint.)
In addition to the stated objectives of the bill, SPN is disturbing because of some of the things that it does *not* specify. SPN directs the President to negotiate with foreign countries to create a worldwide system for international government access to keys, but provides no limitations on the President's power. Even more disturbing, SPN gives the President the authority to disregard any or all of the provisions of the bill on the basis of a Presidential Executive Order - yet another way for "national security" concerns to be used as an excuse to undermine limits on the government's abilty to restrict encryption use and distribution. The bill also grants the Commerce Department sweeping new enforcement powers. The bill was referred to the Senate Commerce Committee, and may also be taken up by the Constitution Subcommittee of the Senate Committee on the Judiciary. Some form of the SPN stands a fair chance of passing the Senate (to be taken up and passed, possibly with amendments, or rejected by the House).