Shaken by a US Congressional committee's approval of a proposal to tighten US encryption policy, civil liberties and computer industry groups are bracing for additional proposals from two more Congressional committees.
The House National Security Committee adopted an amendment to the Security and Freedom through Encryption Act (SAFE) which would place greater restrictions on the encryption strength levels permitted for export and have those levels be determined by the president.
"What National Security [committee] did yesterday was a real setback from a civil liberties point of view," said Alan Davidson, staff counsel at the Center for Democracy and Technology (CDT), an online civil liberties group based in Washington, D.C.
A representative of the Business Software Alliance, a computer-industry group, also in Washington, agreed.
"The amendment itself is a disaster," said Diane Smiroldo, a BSA spokeswoman.
The amendment, called Weldon-Dellums, seeks to modify the SAFE bill, which was proposed last year and which civil liberties and computer industry groups support.
"From our point of view [SAFE] lets people get the privacy tools they need to use the Internet," Davidson said.
SAFE proposes that Congress set the encryption strength export level. But SAFE would also significantly loosen encryption export controls by allowing mass-market software or software available free over the Internet to be exported without controls, according to the CDT's Davidson.
"The [Weldon-Dellums] amendment removed the heart of the SAFE bill," Davidson said. "It's just silly not to be able to export [freely available software], because the stuff is already out there."
For example, one popular encryption option known as Pretty Good Privacy (PGP), which is available on the Internet, uses a 128-bit encryption algorithm, much stronger than any US vendor could legally ship overseas, Davidson said.
Currently, U.S. vendors are allowed to ship software containing encryption of up to 40 bits overseas without restriction. Software containing 56-bit encryption may be shipped overseas as long as vendors agree to "backdoor key recovery," whereby the U.S. government is provided with the keys to unlock the software for national security reasons. The policy is currently overseen by the US Commerce Department, which sometimes grants permission for the export of 128-bit encryption, most recently for the banking industry.
But the encryption battle is by no means over. SAFE must be reviewed by several House committees, which have until Friday to "mark up" the bill by inserting their own amendments.
The House Judiciary and House International Relations Committees have essentially passed SAFE without alterations.
However, two other committees are slated to deliver their opinions on SAFE this week, including the House Intelligence Committee, which both Davidson and Smiroldo said is expected to call for controlling encryption export even more tightly than the National Security Committee's Weldon-Dellums amendment. The Federal Bureau of Investigation (FBI) will have input into that bill.
"The FBI bill would make it illegal for anyone to distribute in the US any encryption without a backdoor key recovery program," Davidson said. The restrictions on what US citizens can send to other citizens is a "shift in this debate, and it's very frightening," he said.
The FBI was not immediately available for comment, but its formal position should be known tomorrow, when the House Intelligence Committee is expected to make its mark up public. Once the remaining committees have expressed their opinions, which are due by the end of the week, a Congressional rules committee and House leaders will decide which version will be put to a vote by the House. Similar discussions are underway in the US Senate. A single bill must be passed by both the House and the Senate and be signed by the president before becoming law.