1 August 1997
Administration Encryption Policy
July 30, 1997
Encryption policy remains a topic of great interest and importance, and our work on this subject will have a considerable effect on the future of electronic commerce and information technology. We want that effect to be positive. To that end, the President has decided on an encryption policy and we are well on our way to implementing it. It balances all of the competing interests in this issue: privacy, electronic commerce, law enforcement, and national security.
Making strong commercial encryption widely available is in the best interest of the United States. Indeed, it is inevitable, as powerful computers and advanced telecommunications rapidly lead to the creation of broad electronic networks which will form the basis for communication and commerce in the future. The ability to encrypt electronic messages and data will be essential for electronic commerce and for the full development of information technology. Businesses and individuals need encrypted products to protect sensitive commercial information from fraud and industrial espionage and to preserve privacy, and their demand for those products will further facilitate the spread of encryption. We must shape our export control policies to allow American companies to take advantage of their strengths in information technology in their pursuit of global markets.
But the increased use of encryption carries with it serious risks for public safety and our national security. Any policy on encryption must address these risks as well if it is to be in the national interest. Our policy provides that balance, by working in close consultation with the private sector and by working with the market, not against it.
Some argue that sophisticated criminals and terrorists will never use recoverable encryption because they know the government can listen in. This is clearly wrong. Criminals and terrorists know that the government can listen in to phone conversations now, under proper authority, and this has not stopped them from using the telephone. That is why our goal is to help ensure that the infrastructures and networks that form the backbone of electronic commerce will be compatible with recovery and key management.
Beyond this, what we have discovered, seven months into the new policy, is that strong encryption alone is not enough to open the full economic potential of the Internet. To protect intellectual property and to address liability concerns, businesses and consumers are concluding that recoverable encryption within a key management infrastructure is best for securing electronic commerce on shared public networks.
The Administration's Policy
The President's policy of balance is based on trying to promote key recovery in the marketplace. By "key recovery" I refer to a range of technologies, some in existence, some under development, some still being conceived, designed to permit the plaintext recovery of encrypted data or communications. There has been a tendency in this debate to construe this term and others as narrowly focussed on a single technology, and I want to make clear that is not our intent. We expect the market to make those judgments. In order to facilitate the development and dissemination of these products, we have taken the following steps:
On December 30, 1996, we published new regulations that transferred the licensing of commercial encryption products from the Department of State's Munitions List to the Department of Commerce's dual-use list. This change of jurisdiction emphasized the Administration's decision that strong encryption is no longer something used primarily by governments or military forces but is an accepted part of normal commercial activity.
The regulations set forth several procedures which support the development of a key management infrastructure. The most important is the creation of a license exemption which allows recoverable encryption products of any strength and key length to be exported freely after a single review by Commerce, Justice and the Department of Defense.
The new regulations also allow for self-escrow and escrowing of keys overseas, which have made key recovery products more attractive in export markets. Since the establishment of a key management infrastructure may take some time, the regulations make explicit that we will consider requests for self-escrow and escrowing overseas even before there are government agreements on access or an established network of recovery agents in place.
To encourage the development of recoverable encryption products, we have also created a special, two-year liberalization period during which companies may export 56-bit DES or equivalent products, provided they submit plans and show that they are working to develop the key management infrastructure envisioned by the Administration.
To help create standards which will guide the Federal Government in its own key management efforts, the National Institute of Standards and Technology has formed an industry advisory committee to develop requirements and standards for Federal key recovery. We have invited representatives of foreign governments to attend meetings of this advisory committee to help ensure coordination and compatibility on a multilateral basis.
In addition, we have continued discussions with our major trading partners on a common approach to encryption policy and encryption exports. To head this effort, the President appointed David Aaron, Ambassador to the Organization for Economic Cooperation and Development, as his Special Envoy on Encryption. We have found that many countries share our concerns about the effect of encryption on public safety.
Perhaps the best gauge of industry response to our efforts has been the flow of applications since the change in policy. In the first seven months we have received over one thousand license applications for exports valued over five hundred million dollars. Thirty-three companies have submitted commitment plans which lay out how they will build and market key recovery products, and we know that others are preparing them. These companies include some of the largest software and hardware manufacturers in the country. We have approved twenty-nine of these plans, and we expect to approve more very shortly. None have been rejected.
The flow of licenses and the company commitment plans tell us our policy is working. We want to make sure that our efforts to regulate the export of recoverable encryption are compatible with the larger structure for electronic commerce now beginning to take shape. In that regard, the Administration announced in May further liberalizations, consistent with our policy of recovery, which allowed banks and other financial institutions to receive strong encryption products to safeguard electronic commerce. This liberalization has helped ensure that the three trillion dollars a day transferred electronically remains safe from unwarranted intrusions and shows that the new encryption policy can allow U.S. software firms to compete effectively overseas.
We also support the development of ten pilot projects designed to demonstrate key recovery in such diverse applications as processing electronic grants and sharing international patent applications.
One issue that is repeatedly raised in the encryption debate is foreign availability. We often hear that encryption products are widely available overseas, that other countries do not control their export, and that American firms are suffering grievous losses. We have been hearing these dire predictions since at least 1990, but to date they do not seem to have come true. Commerce and NSA studied the foreign availability of encryption in 1995, and at that time we did not find that claims of widespread foreign availability of encryption products were accurate. While the pace of change and the market for information technology is rapid and a growing number of strong encryption products exist, we do not yet see widespread foreign use of encryption.
Precise figures are difficult to come by, and the estimates which one sees in the press tend to reflect more the estimator's desires than actual market share. What we do know is that only a few countries produce encryption products at this time. Some, like Switzerland, produce only specialized products for a small segment of the market. Others, like Japan, produce primarily hardware products. These countries all have export controls on encryption and Ambassador Aaron is engaged in regular discussions with them. We believe assertions of foreign availability are premature, but we all agree that it is something which the Administration must monitor closely as we implement our policy.
The Administration has stated on numerous occasions that we do not support mandatory key escrow or key recovery. Our objective is to enable the development and establishment of a voluntary key management system for public-key based encryption. We believe the Administration's policy is succeeding in bringing key recovery products to the marketplace. Our attention is now turning toward how we can best facilitate the development of the key management infrastructure that will support those products. To that end, we support legislation intended to do the following:
In that regard, I must tell you that legislation such as H.R. 695 would not be helpful, and the Administration cannot support it. The bill proposes export liberalization far beyond what the Administration can entertain and which would be contrary to our international export control obligations. We are sympathetic to some aspects of H.R. 695, such as penalties for unlawful use of encryption and access to encrypted information for law enforcement purposes, but the bill does not provide the balanced approach we are seeking and as a result would unnecessarily sacrifice our law enforcement and national security needs.
The bill appears to decontrol even the strongest encryption as well as other products, such as computers, thus severely limiting government review of highly sensitive transactions. The Administration has a long-standing policy that the risks to national security and law enforcement which could arise from widespread decontrol of encryption justify continued restrictions on exports. In addition, whether intended or not, we believe the bill as drafted would inhibit the development of key recovery even as an option. The Administration has repeatedly stated that it does not support mandatory key recovery, but we most certainly endorse and encourage development of voluntary key recovery systems, and we see a strong and growing demand for them that we do not want to cut off.
In our view, S.909, the "Secure Public Networks Act," is the best vehicle for creating the legal framework the United States needs for electronic commerce. S.909 contains many elements we support, and its explicit recognition of the need to balance competing objectives will let industry, the law enforcement community and other interested parties work together to reach a consensus. We need legislation this year to assure the confidence necessary for electronic commerce to move ahead and to preserve our leadership in information technology. We look forward to working with the Congress to reach a consensus on this important issue.