The history here is non-intuitive; I'll try to explain it. I was living in DC during the Crypto Wars of the late 1990s and covering them as a reporter (I've since shifted to working on http://recent.io/, of course).
The SAFE Act as originally introduced in the House of Representatives was designed to be generally pro-crypto by relaxing export controls. But as it made its way through the various committees, the anti-crypto forces got their hands on it and turned it on its head. It became a ban-non-backdoored-crypto bill instead.
More precisely, in 1997, a House committee approved a ban on domestic encryption without backdoors for .gov access. Here's an excerpt from the amended anti-crypto version of the SAFE Act:
"After January 31, 2000, it shall be unlawful for any person to manufacture for distribution, distribute, or import encryption products intended for sale or use in the United States, unless that product [...] permits immediate decryption of the encrypted data..."
Here's how one of the anti-crypto politicos, Rep. Bill McCollum, who went on to be Florida's attorney general, justified it while debating the House Judiciary version of that bill:
"Because this bill will promote greater use of stronger encryption, law enforcement may not be able to gather evidence that it can use to investigate and prosecute cases. Imagine a situation where the police with a search warrant seize the computer of a terrorist but cannot decrypt the list of people and places that he intends to strike next. Or the situation where the police seize the computer of a purveyor of child pornography but cannot decrypt the files to download the images to prosecute him." http://www.techlawjournal.com/cong106/encrypt/19990324mcc.ht...
So yes, you're right that sec. 2804 in one version of SAFE eliminates mandated key escrow. But other versions, including the one approved by that House committee in 1997, went exactly in the opposite direction.
> Imagine a situation where the police with a search warrant seize the computer of a terrorist but cannot decrypt the list of people and places that he intends to strike next.
Imagine a situation where a corrupt totalitarian government decrypts and monitors all traffic in the name of terrorism and then uses that information against anybody that gets out of line.
We can play the imagination game all day. I like how it's always terrorists and child pornographers.
I love it how every time something like this comes up for discussion the reasons why we need this are trotted out and invariably those are 'terrorists and child pornographers'.
And then those ignore the law and everybody else has to live with the consequences.
I agree that this is non-intuitive, and we've arrived at another time in DC when time has looped back on itself, and wars have to be re-fought.
Your site, http://politechbot.com/, was one go-to source for information during the last crypto war. These days I could consult the EFF, EPIC or the ACLU, but I wonder if there's a place again for a cypherpunk-ish focus on DC policy, or if you've found sources covering the current policy with a politech-like mindset.
In either case, thanks for all those years of good reading.
<ipsin>: Thanks for your kind words! I've felt the urge to restart/resume the Politech mailing list a few times in the last few years but haven't been able to dedicate the time such an effort deserves. Also it works better if moderated by a practicing journalist, I think.
The short answer is I don't think there is such a source. EFF has good action alerts and blog posts (even if I may occasionally disagree with some of their legislative endorsements). EPIC and the ACLU are often more DC-centric, and Marc (who runs EPIC) is essentially an anti-cypherpunk in his views about the private sector.
Among advocacy groups, TechFreedom.org is a relatively new entrant with free-market, liberalize-crypto views. But Berin, who runs it, is a lawyer, not a technologist, and is spending a lot of time on topics like Net neutrality and telecom regulation nowadays.
If anyone is thinking of starting such a source of information with a cypherpunk-ish/politech-like focus on DC policy, I'd be happy to offer some advice, tips, and introductions.
If I could make a suggestion, I think this kind of history belongs with the bill text on a blog post; providing the 1997 version without commentary caused a bit of confusion.
It felt a wee bit misleading/alarmist because that text - again as far as I can tell, given the text of the later version that was approved - never actually made it into the final version. As presented it makes it seem like that's the law as it stands today.
Section 2804 refers to products manufactured and used in the US. But section 2803 is pretty clear:
"New section 2803 will make it unlawful after January 31, 2000, to sell in interstate or foreign commerce any encryption product that does not provide duly authorized persons an immediate access to plaintext capability, or immediate decryption capability."
and
"Sec. 2803. Unlawful sale of encryption
Whoever, after January 31, 2000, sells in interstate or foreign commerce any encryption product that does not include features or functions permitting duly authorized persons immediate access to plaintext or immediate decryption capabilities shall be imprisoned for not more than 5 years, fined under this title, or both."
I don't know what this document is, or what its relevance is, but that was my reading.
The document seemed to be a report (suggestion) to alter the SAFE Act to include those provisions.
The GPO link I shared doesn't list those recommendations so it looked like they didn't make it into the final draft. So I'm not sure what the purpose of the original linked document is either. I've edited my original comment to make it clear since it was ambiguous as to what I may have been "reading wrong".
Ah I see. Thanks! I guess one takeaway from this document is that there have been attempts to limit the availability of encryption for at least 20 years. But I think that's relatively well known.
This might be a bit of a stretch, but if you were to send in plain text just something meta-ish like datetime and the actual message would be sent as an image for example, could we get around this?
E.g. when your-favorite-three-letter-agency comes asking for decryption you just decrypt the plaintext portion for them?
http://www.gpo.gov/fdsys/pkg/BILLS-106hr850rh/pdf/BILLS-106h...