6 September 1997
Congressional Record: September 4, 1997: SECURITY AND FREEDOM THROUGH ENCRYPTION ACT Committee on Commerce: Subcommittee on Telecommunications, Trade, and Consumer Protection held a hearing on H.R. 695, Security and Freedom Through Encryption (SAFE) Act. Testimony was heard from Representatives Goodlatte and Lofgren; William P. Cowell, Deputy Director, NSA, Department of Defense; William A. Reinsch, Under Secretary, Export Administration, Department of Commerce; Robert S. Litt, Deputy Assistant Attorney General, Criminal Division, Department of Justice; and public witnesses.
Before the House Subcommittee on
Trade and Consumer Protection
Committee on Commerce
Presented on September 4, 1997 on
Administration Encryption Policy
Encryption policy remains a topic of great interest and importance, and our work on this subject will have a considerable effect on the future of electronic commerce and information technology. We want that effect to be positive. To that end, the President has decided on an encryption policy and we are well on our way to implementing it. It balances all of the competing interests in this issue: privacy, electronic commerce, law enforcement, and national security.
Making strong commercial encryption widely available is in the best interest of the United States. Indeed, it is inevitable, as powerful computers and advanced telecommunications rapidly lead to the creation of broad electronic networks which will form the basis for communication and commerce in the future. The ability to encrypt electronic messages and data will be essential for electronic commerce and for the full development of information technology. Businesses and individuals need encrypted products to protect sensitive commercial information from fraud and industrial espionage and to preserve privacy, and their demand for those products will further facilitate the spread of encryption. We must shape our export control policies to allow American companies to take advantage of their strengths in information technology in their pursuit of global markets.
But the increased use of encryption carries with it serious risks for public safety and our national security. Any policy on encryption must address these risks as well if it is to be in the national interest. Our policy provides that balance, by working in close consultation with the private sector and by working with the market, not against it.
Some argue that sophisticated criminals and terrorists will never use recoverable encryption because they know the government can listen in. This is clearly wrong. Criminals and terrorists know that the government can listen in to phone conversations now, under proper authority, and this has not stopped them from using the telephone. That is why our goal is to help ensure that the infrastructures and networks that form the backbone of electronic commerce will be compatible with recovery and key management.
Beyond this, what we have discovered, seven months into the new policy, is that strong encryption alone is not enough to open the full economic potential of the Internet. To protect intellectual property and to address liability concerns, businesses and consumers are concluding that recoverable encryption within a key management infrastructure is the best way to secure electronic commerce on shared public networks.
The Administration's Policy
The President's policy of balance is based on trying to promote key recovery in the marketplace. By "key recovery" I refer to a range of technologies, some in existence, some under development, some still being conceived, designed to permit the plaintext recovery of encrypted data or communications. There has been a tendency in this debate to construe this term and others as narrowly focussed on a single technology, and I want to make clear that is not our intent. We expect the market to make those judgments. In order to facilitate the development and dissemination of these products, we have taken the following steps:
In addition, we have continued discussions with our major trading partners on a common approach to encryption policy and encryption exports. To head this effort, the President appointed David Aaron, Ambassador to the Organization for Economic Cooperation and Development as his Special Envoy on Encryption. We have found that many countries share our concerns about the effect of encryption on public safety.
Perhaps the best gauge of industry response to our efforts has been the flow of applications since the change in policy. In the first eight months, we have received over one thousand license applications for exports valued over five hundred million dollars. Thirty-seven companies have submitted commitment plans which lay out how they will build and market key recovery products, and we know that others are preparing them. These companies include some of the largest software and hardware manufacturers in the country. We have approved thirty-two of these plans, and we expect to approve more very shortly. None have been rejected. Furthermore, eight companies have submitted requests for a one-time review of key recovery encryption items which will facilitate the establishment of a key management infrastructure (KMI). Three of these products have been approved for eligibility under License Exception KMI.
The flow of licenses and the company commitment plans tell us our policy is working. We want to make sure that our efforts to regulate the export of recoverable encryption are compatible with the larger structure for electronic commerce now beginning to take shape. In that regard, the Administration announced in May further liberalizations, consistent with our policy of recovery, which allowed banks and other financial institutions to receive strong encryption products to safeguard electronic commerce. This liberalization has helped ensure that the three trillion dollars a day transferred electronically remains safe from unwarranted intrusions and shows that the new encryption policy can allow U.S. software firms to compete effectively overseas.
We also support the development of ten pilot projects designed to demonstrate key recovery in such diverse applications as processing electronic grants and sharing international patent applications.
One issue that is repeatedly raised in the encryption debate is foreign availability. We often hear that encryption products are widely available overseas, that other countries do not control their export, and that American firms are suffering grievous losses. We have been hearing these dire predictions since at least 1990, but to date they do not seem to have come true. Commerce and NSA studied the foreign availability of encryption in 1995, and at that time we did not find that claims of widespread foreign availability of encryption products were accurate. While the pace of change and the market for information technology is rapid and a growing number of strong encryption products exist, we do not yet see widespread foreign use of encryption.
Precise figures are difficult to come by, and the estimates which one sees in the press tend to reflect more the estimator's desires than actual market share. What we do know is that only a few countries produce encryption products at this time. Some, like Switzerland, produce only specialized products for a small segment of the market. Others, like Japan, produce primarily hardware products. These countries all have export controls on encryption and Ambassador Aaron is engaged in regular discussions with them. We believe assertions of foreign availability are premature, but we all agree that it is something which the Administration must monitor closely as we implement our policy.
The Administration has stated on numerous occasions that we do not support mandatory key escrow or key recovery. Our objective is to enable the development and establishment of a voluntary key management system for public-key based encryption. We believe the Administration's policy is succeeding in bringing key recovery products to the marketplace. Our attention is now turning toward how we can best facilitate the development of the key management infrastructure that will support those products. To that end, we support legislation intended to do the following:
In that regard, I must tell you that legislation such as H.R. 695 would not be helpful, and the Administration cannot support it. The bill proposes export liberalization far beyond what the Administration can entertain and which would be contrary to our international export control obligations. We are sympathetic to some aspects of H.R. 695, such as penalties for unlawful use of encryption and access to encrypted information for law enforcement purposes, but the bill does not provide the balanced approach we are seeking and as a result would unnecessarily sacrifice our law enforcement and national security needs.
The bill appears to decontrol even the strongest encryption products, thus severely limiting government review of highly sensitive transactions. The Administration has a long-standing policy that the risks to national security and law enforcement which could arise from widespread decontrol of encryption justify continued restrictions on exports. In addition, whether intended or not, we believe the bill as drafted would inhibit the development of key recovery even as an option. The Administration has repeatedly stated that it does not support mandatory key recovery, but we most certainly endorse and encourage development of voluntary key recovery systems, and we see a strong and growing demand for them that we do not want to cut off.
In our view, S.909, the "Secure Public Networks Act," is the best vehicle for creating the legal framework the United States needs for electronic commerce. S.909 contains many elements we support, and its explicit recognition of the need to balance competing objectives will let industry, the law enforcement community and other interested parties work together to reach a satisfactory consensus. We need legislation this year to assure the confidence necessary for electronic commerce to move ahead and to preserve our leadership in information technology. We look forward to working with the Congress to reach a satisfactory consensus on this important issue.