16 September 1999
Source: Fax from John Gilmore
Office of the Secretary + Washington, D.C. 20230 +
www.doc.gov/opa
REMARKS BY
COMMERCE SECRETARY WILLIAM M. DALEY
WHITE HOUSE PRESS ROOM
WASHINGTON, D.C.
SEPTEMBER 16, 1999
(Text as prepared for delivery)
We can all welcome today's update of our encryption policy. It is a good example of a government process that worked.
The agencies involved, from national security, law enforcement and Commerce, had a common objective -- to provide the tools to keep our nation safe while taking technological advances and market changes into account.
This may have taken longer than some would have liked, but the outcome is a sound one. This new update continues to provide the balanced encryption policy the President wants. It is a policy that will continue to protect national security while letting us take advantage of substantial promise of electronic commerce.
In saying that, I want to be clear that the Commerce Department supports all three parts of this program. The export control liberalization is balanced by the additional tools for law enforcement and the additional resources being devoted to improving the privacy and security of government information systems.
The result will be a government with more secure systems, a law enforcement community better equipped to deal with the increased use of encryption by criminals and terrorists, and an industry able to compete effectively in the global marketplace.
We have said from the beginning our policy is intended to reflect market realities -- and there are few sectors where that reality is changing faster than computer hardware and software.
As electronic commerce grows in importance, the ability to conduct it securely and privately becomes more critical. For example, analysts estimate fraudulent Internet and e-commerce transactions now account for as much as half of all credit-card fraud. One study suggests privacy concerns among online shoppers could cut $18 billion off a projected $40 billion in total e-commerce revenues by 2002.
This is clearly not only an American problem. E-commerce totals in the U.S. will account for only 54 percent of the world's e-commerce spending by 2003, according to a report from International Data. The report also found that by the end of this year, 60 percent of all Web users will live outside the U.S.
Obviously, exports will be a key factor in our industry's ability to maintain its lead. Exporters should welcome today's announcement for precisely that reason.
At the same time, however, I want to make clear, the fundamental reason for this change is our national security. We are taking steps needed to allow us to protect vital national security functions and meet the defense requirements of the next century.
Today's update continues the three fundamental principles of our encryption export control policy:
First, the new regulations will permit any encryption product or software with a key length over 64 bits to be exported under a license exception to commercial firms and other nongovernment end users in any country except for the seven state supporters of terrorism. This means that exporters will be able to ship freely once Commerce has reviewed their products and classified them.
The seven state supporters of terrorism are Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria. We've decided that encryption exports which we previously allowed only for a company's internal use can now be used for external purposes such as communication with other firms, supply chains and customers. This step will be very helpful in building electronic commerce.
Additionally, telecommunication and Internet service providers will now be able to use any encryption commodity or software to provide services to commercial firms and nongovernment end users.
Second, retail products with key lengths over 64 bits -- those that do not require substantial support, are sold in tangible form or have been specifically designed for individual consumer use -- may be exported under a license exception to all end users, including governments, except in the seven state supporters of terrorism.
These regulatory changes basically open the entire commercial sector as a market for strong U.S. encryption products. Exports to governments can be approved under a license.
Third, the new regulations will also implement our international commitments for encryption controls. Last year, the Wassenaar Arrangement -- thirty three countries which have common controls on exports, including encryption -- made a number of changes to modernize multilateral encryption controls.
Among these changes, the U.S. will decontrol exports of 56 bits DES and equivalent products, including toolkits and chips, to all users and destinations excepts the seven state supporters of terrorism after a technical review.
In addition, exports with key lengths of 64 bits or less, including chips, that fall under the Wassenaar Arrangement's definition of mass market will also be decontrolled.
As I have mentioned, post-export reporting is a fundamental part of our new export policy. Reporting will now be required for any export to a non-U.S. entity of any product above 64 bits.
Reporting helps ensure compliance with our regulations and allows us to reduce licensing requirements. When we draft our regulations, we intend to consult with industry to ensure that the reporting requirements will be streamlined to reflect business models and practices, and will be based on what companies normally collect.
We hope to have the implementing regulations published in the Federal Register before December 15. This approach will provide the framework for U.S. industry to help construct a new global network for electronic commerce while maintaining reasonable national security safeguards.
-30-
Date: Thu, 16 Sep 1999 16:49 -0400
From: The White House
<Publications-Admin@Pub.Pub.WhiteHouse.Gov>
To: Public-Distribution@pub.pub.whitehouse.gov
Subject: 1999-09-16 Letter to Congress on Cyberspace Electronic Security
Act
THE WHITE HOUSE
Office of the Press Secretary
________________________________________________________________________
For Immediate Release September 16, 1999
TO THE CONGRESS OF THE UNITED STATES:
I am pleased to transmit for your early consideration and speedy enactment a legislative proposal entitled the "Cyberspace Electronic Security Act of 1999" (CESA). Also transmitted herewith is a section-by-section analysis.
There is little question that continuing advances in technology are changing forever the way in which people live, the way they communicate with each other, and the manner in which they work and conduct commerce. In just a few years, the Internet has shown the world a glimpse of what is attainable in the information age. As a result, the demand for more and better access to information and electronic commerce continues to grow -- among not just individuals and consumers, but also among financial, medical, and educational institutions, manufacturers and merchants, and State and local governments. This increased reliance on information and communications raises important privacy issues because Americans want assurance that their sensitive personal and business information is protected from unauthorized access as it resides on and traverses national and international communications networks. For Americans to trust this new electronic environment, and for the promise of electronic commerce and the global information infrastructure to be fully realized, information systems must provide methods to protect the data and communications of legitimate users. Encryption can address this need because encryption can be used to protect the confidentiality of both stored data and communications. Therefore, my Administration continues to support the development, adoption, and use of robust encryption by legitimate users.
At the same time, however, the same encryption products that help facilitate confidential communications between law-abiding citizens also pose a significant and undeniable public safety risk when used to facilitate and mask illegal and criminal activity. Although cryptography has many legitimate and important uses, it is also increasingly used as a means to promote criminal activity, such as drug trafficking, terrorism, white collar crime, and the distribution of child pornography.
The advent and eventual widespread use of encryption poses significant and heretofore unseen challenges to law enforcement and public safety. Under existing statutory and constitutional law, law enforcement is provided with different means to collect evidence of illegal activity in such forms as communications or stored data on computers. These means are rendered wholly insufficient when encryption is utilized to scramble the information in such a manner that law enforcement, acting pursuant to lawful authority, cannot decipher the evidence in a timely manner, if at all. In the context of law enforcement operations, time is of the essence and may mean the difference between success and catastrophic failure.
A sound and effective public policy must support the development and use of encryption for legitimate purposes but allow access to plaintext by law enforcement when encryption is utilized by criminals. This requires an approach that properly balances critical privacy interests with the need to preserve public safety. As is explained more fully in the sectional analysis that accompanies this proposed legislation, the CESA provides such a balance by simultaneously creating significant new privacy protections for lawful users of encryption, while assisting law enforcement's efforts to preserve existing and constitutionally supported means of responding to criminal activity.
The CESA establishes limitations on government use and disclosure of decryption keys obtained by court process and provides special protections for decryption keys stored with third party "recovery agents." CESA authorizes a recovery agent to disclose stored recovery information to the government, or to use stored recovery information on behalf of the government, in a narrow range of circumstances (e.g., pursuant to a search warrant or in accordance with a court order under the Act). In addition, CESA would authorize appropriations for the Technical Support Center in the Federal Bureau of Investigation, which will serve as a centralized technical resource for Federal, State, and local law enforcement in responding to the increasing use of encryption by criminals.
I look forward to working with the Congress on this important national issue.
WILLIAM J. CLINTON
THE WHITE HOUSE,
September 16, 1999.
# # #
Date: Thu, 16 Sep 1999 17:04:40 -0700
From: John Gilmore <gnu@toad.com>
------- Forwarded Message
Date: Thu, 16 Sep 1999 19:45:58 -0400
To: gnu@toad.com, ellis@epic.org, afowler@eff.org, mech@eff.org
From: Declan McCullagh <declan@well.com>
Subject: Transcript of White House crypto-briefing this afternoon
ATTORNEY GENERAL JANET RENO
SECRETARY OF COMMERCE WILLIAM DALEY
DEPUTY SECRETARY OF DEFENSE JOHN HAMRE
OMB CHIEF COUNSELOR FOR PRIVACY PETER SWIRE
PRESIDENT'S DEPUTY ASSISTANT FOR NATL SECURITY AFFAIRS JAMES STEINBERG
WHITE HOUSE
WASHINGTON, D.C.
MR. STEINBERG: Good afternoon. As you all know, we're here today to talk about encryption. I want to begin by acknowledging and thanking some of my colleagues who are with us today: the attorney general, Janet Reno; Secretary Daley; Deputy Secretary of Defense John Hamre; and Peter Swire, who is the chief counselor for privacy at OMB.
I also want to thank John Podesta, who has been my coair in working this interagency process over the last several years; Barbara McNamara, the deputy director of NSA, who has made an important contribution to the work that we're going to be discussing today; Bill Reinsch, undersecretary of Commerce; Sally Katzen, from OMB. And I want to pay a particular thanks to Charlotte Nepper (sp) and Bruce McConnell (sp), who are the two staff people who really made this all possible and have done an extraordinary amount of work on an extraordinarily difficult and technically complex subject.
We're here today to announce a series of actions that will bring new balance to the four pillars on which our encryption policy rests -- national security, public safety, privacy and commerce. For two years, John Podesta and I have chaired a high-level interagency process to fashion policies to achieve these goals. A year ago today, the vice president announced significant new steps we were taking to balance these competing tasks and called for a review of our policy in a year. Since then, we have worked closely with members of Congress from both parties, with industry groups, like the Computer Assistance Policy Project and Americans for Computer Privacy, with members of our law enforcement community and with our national security community.
We found that there is no "one size fits all" solution to the issue of encryption, that there are a variety of different solutions that respond to the different aspects of this challenge. By taking a pragmatic approach, we have crafted a new strategy that allows industry to compete effectively with foreign competitors while protecting our national defense, security and law enforcement interests.
This strategy is outlined in a report to the president authored by Secretary Cohen, Attorney General Reno, Secretary Daley and OMB Director Jack Lew. And a copy of that report we're releasing to you today. There are three parts to the strategy that we are launching.
First, the federal government is taking new steps to protect our vital national security systems from unauthorized access. We will be securing our own systems with encryption and other security tools, and we will be partnering with the private sector to develop more tools to protect our nation's communication infrastructure.
In doing so, we hope to serve as a model for the private sector. In a moment, Deputy Secretary Hamre will describe this effort in more detail. Second, we are launching a new framework for export controls that will allow American companies to export encryption hardware and software more broadly, while still protecting our vital national security needs. We will implement this new framework by December 15th, after we have had an opportunity to consult with U.S. industry, the public and Congress. Secretary Daley will discuss these changes in detail in a moment.
Finally, we are taking new steps to ensure the public safety by helping our law enforcement community stay one step ahead of the growing sophistication of encryption technology. Given the growing use of encryption among criminal elements, we must update law enforcement's legal tools to ensure that it can lawfully access information during investigations. Today we will be submitting new legislation to the Congress, called the Cyberspace Electronic Security Act, that will provide a legal framework for both privacy protections and legal access to encryption keys. The attorney general will describe our effort in this area in more detail.
Finally, we will hear from Peter Swire, who will speak more specifically about how all the steps we are taking today will address America's concerns for privacy.
Before I turn to my colleagues, let me say a word about the pending encryption decontrol legislation in Congress. We believe that the new strategy we are presenting today provides a more balanced approach to the issue than the proposals that are now before Congress. We look forward to working with Congress to implement a solution that meets the needs of all those involved. However, the president will not sign any encryption legislation that does not protect national security and law enforcement interests.
With that, let me turn to Deputy Secretary Hamre.
MR. HAMRE: Good afternoon. I had a little prepared speech to give, but I got thrown off here. I was just handed a wire clipping that basically says that the White House threw national security and law enforcement overboard in order to give a concession to the high- tech industry. And I've got to tell you, that's just completely wrong. The national security establishment -- the Department of Defense, the intelligence community -- strongly supports this strategy.
Indeed, we created the first draft of the strategy and presented it to our colleagues in the interagency process. We in the Defense Department did it because I think we feel the problem more intensively than does anyone else in the United States. We are the largest-single entity that operates in cyberspace. No one is as large as we are. We are just as vulnerable in cyberspace as is anybody, and we strongly need the sorts of protections that come with strong encryption and a key infrastructure that we're calling for in this strategy.
We also have a responsibility to provide to the president and to senior decision-makers timely information, so that they can protect this country. And for that reason, we needed a very integrated approach. And these three pillars, which you have heard about -- we'll -- can answer any further questions -- are absolutely essential if we're going to be able to protect this country in the future. We strongly agree with this and think it's exactly the right thing to do.
This is a balanced program. But I've got to tell you, it's going to require significant investment on the part of the Department of Defense and the intelligence community to put all the pieces in place. We will have to develop new tools to be able to do our job. We will resource that appropriately in the budget that we've prepared, that will be submitted next January. All three elements of this strategy are essential. And I may highlight -- it's very crucial -- that the law enforcement element of this is essential for national security. You cannot distinguish in cyberspace whether an attack comes inside the United States or from outside of the United States, and only the law enforcement community is allowed to act inside the United States. We must have that part of this strategy enacted, and we ask for help in doing that from the Congress.
I too would like to say that there are -- there continues to be pressure for legislation in the Congress that would strip away any controls over encryption products. One of the bills is called the SAFE (sp) Act. The only person who would be safe, if that were passed, would be spies, who would be free to export anything of national security interest, without any surveillance at all. We cannot support that, and the department would ask the president to veto it, if it were passed.
We strongly support this strategy. The entire establishment within the national security establishment was instrumental in crafting it. We would ask for -- the Congress for its help. And I'd also like to thank my colleagues who were so instrumental in helping us work through these problems, and for our colleagues that worked out the fine details when we went to finalize the strategy.
Q What's the push behind the loosening up, then? I mean, what is --
MR. : Helen, let's get everyone -- get everybody's opening statements, and then we'll take questions.
SEC. DALEY: We can all welcome today's update of our encryption policy. It is a good example of government process that has worked.
The agencies involved, from national security, law enforcement, and commerce, all had a common objective: to provide the tools to keep our nation safe, while taking technological advances and market changes into account. This may have taken a little longer than some would have liked, but in our opinion this outcome is a sound one.
This new update continues to provide the balanced encryption policy that the president wants and is a policy that will continue to protect our national security while letting us take advantage of the substantial promise of electronic commerce.
In saying that, I want to be clear that the Commerce Department supports all three parts of this program -- the export control liberalization is balanced by the additional tools for law enforcement and additional resources being devoted to improving the privacy and security of government information systems.
Today's update continues the three fundamental principles of our policy -- one-time tactical review, post-export reporting, and the ability to deny exports to governments and military end-users.
First, the new regulations will permit any encryption product or software with a key length of 64 bits to be exported under a license exception to commercial firms and other non-government end-users in any country, except for the seven state supporters of terrorism. This means that exporters will be able to ship freely once Commerce has reviewed their products and classified them. We've decided that encryption exports which we previously allowed only for a company's internal use can now be used for external purposes such as communication with other firms, supply chains and customers. This step will be very helpful in building electronic commerce.
Additionally, telecommunication and Internet service providers will now be able to use any encryption commodity or software to provide services to commercial firms and nongovernment end-users.
Second, retail products with key lengths over 64 bits, those that do not require substantial support, are sold in tangible form, or have been specifically designed for individual customer use, may be exported under a license exception to all end-users, including governments, except in the seven state supporters of terrorism.
These regulatory changes basically open the entire commercial sector as a market for strong U.S. encryption products. Exports to governments can be approved under a license.
Third, the new regulations will also implement our international commitments for encryption controls. Last year, the Wassenaar arrangement -- 33 countries which have common controls on exports, including encryption -- made a number of changes to modernize the multilateral encryption controls.
Among these changes, the U.S. will decontrol exports of 56 bits DES and equivalent products, including tool kits and chips, to all users and destinations, except the seven state supporters of terrorism, after a technical review. In addition, exports with key lengths of 64 bits or less, including chips that fall under the Wassenaar arrangement's definition of mass market loss, will be decontrolled.
As I mentioned, post-export reporting is a fundamental part of our new export policy. Reporting will now be required for any export to a non-U.S. entity of any product above 64 bits. Reporting helps ensure compliance with our regulations and also allows us to reduce licensing requirements.
When we draft our regulations, we intend to consult with industry to ensure that the reporting requirements will be streamlined to reflect business models and practices, and will be based on what companies normally collect. We hope to have the implementing regulations published in the Federal Register before December 15th. This approach will provide the framework for U.S. industry to construct a new global network for electronic commerce, while maintaining reasonable national security safeguards.
ATTY GEN. RENO: The president today is transmitting to the Congress a legislative proposal entitled, "The Cyberspace Electronic Security Act of 1999," better known as CESA. The Department of Justice Developed this legislation with the assistance of numerous agencies within government.
The legislation would support the use of encryption by legitimate citizens to protect their privacy, and address the growing use of encryption by criminals using it to hide evidence. In brief, the advent and eventual widespread use of encryption poses significant challenges to law enforcement and to public safety.
Under existing law, investigators have a variety of legal tools to collect evidence of crime in such forms as communications or stored data on computers. These tools are rendered useless when encryption is used to scramble the evidence so that law enforcement cannot decode it in a timely manner, if at all.
When stopping a terrorist attack or seeking to recover a kidnapped child, encountering encryption may mean the difference between success and catastrophic failures.
At the same time, encryption is critically important for protecting our privacy and our security. And the administration, the Department of Justice, and the FBI strongly support the use of encryption by our law-abiding citizens for these purposes.
CESA, therefore, balances the needs of privacy and public safety. It establishes significant new protections for the privacy of persons who use encryption legally, but it also assists law enforcement's efforts to maintain its current ability to obtain useable evidence as encryption becomes more common. CESA contains a number of key provisions. First, it provides special protections for decryption keys stored with third-party recovery agents, and it establishes limitations on government use and disclosure of decryption keys obtained by court processes. These new provisions significantly protect privacy. However, CESA does not limit in any way an individual's choice about whether to use a recovery agent.
A person may use a recovery agent or not, as he or she chooses. CESA also authorizes appropriations for the Technical Support Center and the FBI, a center which will serve as a centralized technical force for federal, state and local law enforcement in responding to increasing use of encryption by criminals. Law enforcement throughout our nation will depend upon this center to find ways to obtain usable evidence under existing law, despite the use of encryption by criminals and terrorists.
Finally, CESA protects the confidentiality of government techniques used to obtain usable evidence, such as techniques developed by the Technical Support Center, and ensures that industry proprietary information can be protected in criminal trials. Open disclosure of law enforcement techniques, for example, can jeopardize future investigations and severely hamper law enforcement.
I believe that in adopting this policy, the administration has fundamentally altered the encryption debate. The administration is working towards a number of important goals, ensuring that American industry remains competitive, that our citizens have the strongest protection available for their data and their communications, and that law enforcement maintains its ability to protect public safety from criminals and terrorists.
Of course, we continue to be concerned that criminals and terrorists will benefit from the widespread use of strong encryption, which will allow them to cloak their communications and other evidence of illicit activities from authorized law enforcement investigations.
We must recognize that the policy the administration is announcing today will result in greater availability of encryption, which will mean that more terrorists and criminals will use encryption. We must deal responsibly with that result by attempting to assist law enforcement in its efforts to protect the public safety through the passage of CESA.
That said, this legislation does not provide any new authority for law enforcement to be able to obtain usable evidence from criminals. Instead, we will continue to operate under our existing authorities and attempt to meet the threat of the criminal use of encryption. We are hopeful that these existing authorities will prove sufficient.
In conclusion, we must have a balanced policy that reflects the needs of privacy, electronic commerce, national security and public safety. Today's announcement substantially relaxes export controls, allowing American industry to compete fairly in the international marketplace, while maintaining those minimal controls that are essential for national security. At the same time, by transmitting CESA to Congress and urging its enactment, the president is addressing the needs of public safety; thus, the administration is taking a substantial step, a very substantial step, to address the needs of all stakeholders.
MR. SWIRE: My name's Peter Swire. I'm the chief counselor for privacy at OMB. I'm here to underscore that today's announcement reflects the Clinton administration's full support for the use of encryption and other new technologies to provide privacy and security to law-abiding citizens in the digital age. The encryption measures announced today properly balance all of the competing interests, including privacy, electronic commerce, and public safety.
Encryption itself is a privacy- and security-enhancing technology. Especially for open networks, such as the Internet, encryption is needed to make sure that the intendant recipients can read a message, but that hackers and other third parties cannot. Today's announcement will broaden the use of strong mass-market encryption for individuals and businesses.
In the part of today's announcement that updates the rules for law enforcement, the Cyberspace Electronic Security Act retains all of the existing legal protections for information in a home or business. It goes beyond current law and provides new privacy protections for individuals and businesses who choose to store key information with an outside company. Think of your bank ATM card.
What would it be like if you forgot your password and could not obtain access to the money in your account? That is precisely what can happen with strong encryption. If you lose the password, then all that encrypted material is scrambled forever and lost.
Because encryption has become so unbreakable, prudent people need backups. Under CESA, if you decide to give your key or password to an outside company, then law enforcement has to meet strict new judicially supervised standards to get that information. With this proposed legislation, it would be a civil and criminal violation for the company to release the information improperly, and also a violation for law enforcement officers to try to get that information without a court order.
Similarly, for added security, and to prevent misuse of your private key information, if this proposal becomes law, there would be restrictions on selling information regarding encryption customers to other private parties. With that said, I want to be clear about what CESA does not do. CESA is technology-neutral and does not regulate the hardware or software used for encryption. CESA does not require anyone to use key escrow, nor does it regulate how key escrow might develop in the private sector. The only effect of CESA on key escrow is to provide privacy assurances for those who freely choose to give their backups or their key information to others. Some information stored outside of your home deserves to be carefully protected.
In sum, the announcement today shows the commitment of the administration to real protection for privacy in the information age while balancing with the important other public interests we have all been discussing.
Q Ms. Reno, you said just a moment ago that you hoped that this legislation would give existing authorities -- that the existing authorities will be sufficient in getting access to the decryption keys. Seems to me there's a big space between "hope" and "will".
ATTY GEN. RENO: Based on our experience, our conversations with industry, with all concerned, we think the existing authorities will be sufficient, and we look forward to working with industry in that effort.
Q Mr. Hamre, you've testified on the Hill and others in the administration many times opposing the SAFE Act. At those times you laid out the exact scenario that the attorney general says will now come to pass. You said they were unspeakable dangers that should be avoided. Now this policy is called a balanced policy. What shifted in the last few months?
MR. HAMRE: Well, maybe you should go back and look at the testimony, because what was objectionable to us in the SAFE Act and in the PROTECT Act, these two bills, was that it stripped away the things that are essential for national security: a meaningful technical review of encryption products before they're exported and reporting about where they have gone and how they've been installed after the fact. That was essential if we're going to be able to protect the country, and that was stripped away by the PROTECT Act and the SAFE Act. So they're very different.
Q Will the policy include end user reporting for where a mass market product is sold?
MR. HAMRE: We're still in the final stages of working through the details. I can defer to Secretary Daley or to Undersecretary Reinsch to talk about the specifics. We will promulgate those regulations later here within weeks. And then you'll see it at that time. We are going to try very much to follow the industry norm for software, for example, between mass market and non-mass market products.
Q And what is the big push behind this? Is it the market? I mean is it these corporations have pressured -- put pressure on the administration?
MR. HAMRE: No, I -- when you raised the question earlier you talked about the big push for relaxation. We don't -- first of all, that's only taking --
Q It isn't relaxation?
MR. HAMRE: Actually, I don't think so. I think it's a very different approach to the export problem. The path that we were on before was a very complex path. There were certain countries that were allowed; certain countries weren't. Certain sectors were allowed; certain sectors weren't. Certain strength levels, and above one strength level it had a different set of rules than others. Certain trading partners were allowed, and certain trading partners weren't. It was enormously complex, and in that kind of environment lots of mistakes are made. And frankly, security risks abound in that sort of an environment. We decided we needed to promote a very different approach with very, very simple rules that everyone could understand, that would give us a chance -- we're still going to have to do a lot of work, we in the national security establishment, to live in this kind of an environment. It's going to take a good deal of research. We'll have to develop new tools and techniques. This is part of the job. But we were going to have to do that anyway, and we think this is going to be a much better process for us. It's not a relaxation. It's really a very different approach.
Q Have you talked to Chairman Spence or Chairman Goss about this yet? And if so, what kind of reaction did you get from them?
MR. HAMRE: I have spoken with both Chairman Goss and Chairman Spence. Both of them were very strong in agreeing with us in our request to protect us from legislation that would have really stripped away any national security protection against strong encryption. Both of them support what we're doing. Both of them have very specific questions that we're going to need to answer. They, too, want to know a lot of the details that the rest of you are interested in. We believe that we will be able to demonstrate to them we can protect the country with this new framework. But let me again emphasize, all three parts of this framework are essential. We must have a strong commitment to security products, security infrastructure. We need to buy that. We have to have a new regime for export control. And we also need to have stronger tools for law enforcement.
Q Where are the stronger tools? I mean, Ms. Reno was saying in her comments this legislation does not provide any new authority for law enforcement. We've got some extra funding. Where are the stronger tools?
ATTY GEN. RENO: The stronger tools lie in the technical support center, because what we're trying to do is not create a new authority; we're trying to match technology to the existing authority. And we think, after conversation with industry and the working relationship that we've developed with them, that through this technical support center, we will be able to do so.
Q Beyond the extra funding, is there anything specific you can point to in here that's --
ATTY GEN. RENO: One, for example, is the protection of methods used so that as we -- we will not have to reveal them in one matter and be prevented, therefore, from using them in the next matter that comes along.
Q Ms. Reno, would you describe this as a relaxing of restrictions? And if so, how can you possibly support it after having opposed it for all this time?
ATTY GEN. RENO: What we did approximately a year ago is to meet with industry. We talked to them in a very full and frank way. We said, together let's look at it. They sympathized with our law enforcement responsibilities. And they said, if we can work together, they suggested the concept of a technical support center; we can, I think, according to the people that were there, address the problem. In the interim, we have had the opportunity to have those discussions, to expand on that dialogue, and I think we will be able to.
Q How closely was the vice president involved in this effort? Did he meet with you regularly, you know, receive drts, that sort of thing?
ATTY GEN. RENO: I would have to let his office speak for it. But I can remember approximately two meetings with the vice president.
Q Why wouldn't you consider this a relaxing of restrictions on encryption?
ATTY GEN. RENO: No.
Q Mr. Daley, why the decision to maintain export licenses for government sales? Assuming that a lot of governments still own telecommunication companies and high-tech agencies.
SEC. DALEY: Well, we want to make sure that the foreign policy considerations are taken into impact as we move forward.
MR. HAMRE: Because we insisted on it.
SEC. DALEY: That was a simpler answer! (Laughter.)
Q How does this comply with Wassenaar?
SEC. DALEY: Bill? Bill, why don't you just come up here.
WILLIAM REINSCH (Undersecretary of Commerce for Export Administration): What the Wassenaar partners decided to do last December was set up certain rules that said in some cases encryption was decontrolled, and in other cases it had to be controlled via the national laws and systems of each of the individual partners. This action is consistent with that because we are decontrolling, that is removing from our system lower-level encryption, consistent with the Wassenaar levels, which are 56 or 54 bits, depending upon what you're talking about. Above that level, we are permitting the encryption to be exported following a technical review and subject to a license exception, which is a process that we use that's consistent with international licensing regimes and the Wassenaar standards.
Q So below (64 ?), you don't need a technical review?
MR. REINSCH: No, I didn't say that. Technical reviews are required, but it's a one-time technical review. When we reviewed the product once, we don't need to review it every time. And for the low- level products, which are primarily the older products, many of those reviews have already been conducted, and I don't think that we're necessarily going to have to do that all over again.
Q So what's the difference in a technical review between the higher encryption products and the lower? I guess I'm thinking --
MR. REINSCH: I don't think there's a difference in the review. I'm saying there's some cases where we've already done it. And this is a very fast-moving sector; there's, you know, new products every week. And we're going to have to review each of the products as they come up and as people want to export them.
###
------- End of Forwarded Message from Declan McCullagh
[18 September 1999: Add missing part of the transcript.]
Q: What do you look for in a technical review?
UNDER SECRETARY REINSCH: There's a number of things that we look for. I think the main one that I mentioned in this forum is that Secretary Daley said we are putting products essentially into two categories: retail products, and he provided a definition of what that was, and essentially custom products, if you will, the other kind of product. One of the most important elements of the technical review is simply deciding which it is, because there are differences in the way it's going to be treated, and it's not immediately obvious simply from looking at the external product which, in the case of software, is just a diskette, what it is.
So one of the purposes of the review is to study it, to examine it, and to find out into which category it falls.
Q: In other words, if it's in a box that you get at CompUSA, you can pretty much assume that it's like a retail thing?
UNDER SECRETARY REINSCH: You can make that assumption, but it's going to be more complicated than that. One of the things we're going to do in our consultation process with industry is to discuss that definition and try to get a better handle on exactly what constitutes a retail product and what does not.
We're trying to get out your sort of shrink-wrapped products, but one of the things we've learned in the process of learning more about the market over the last year is that these products take many different forms. They're marketed in many different ways, and we want to make sure we have a clear understanding from industry as to what those different models are before we finish drafting the regulation.
Q: Does law enforcement and the intelligence community believe that it can, if it needs to, say, decode a terrorist message that's encrypted in something higher than 64-bit? And if not, then how could you support this?
ATTORNEY GENERAL RENO: I'm obviously not going to tell you how I think I can obtain evidence under existing authorities, but I -- we have carefully looked at this, and think that it is going to be possible.
DEPUTY SECRETARY HAMRE: But we are going to have a fairly significant research and development program that lies ahead of us. This is a very complex environment; it's going to change every day. It's going to take us a fair amount of effort to stay ahead of the problem.
Q: Mr. Hamre or perhaps Mr. Reinsch, can you tell us, what's the main point of a post-export review? If the company's sent something out, why do you care where it's gone if it's already out of the country? What do you hope to learn from that?
DEPUTY SECRETARY HAMRE: Again, we need to have some understanding of the environment, both technically and operationally, so that we're able then to undertake the research and development it takes to develop the tools for us to be able to stay ahead of the problem.
Q: -- cost to do this encryption at the Defense Department?
DEPUTY SECRETARY HAMRE: We're just in the process of building our budget. Some parts of the budget, of which you may be interested, I can't discuss.
Q: Were the President's Export Council Subcommittee on Encryption, which came up with a list of recommendations, I guess it was at the beginning of this month -- were taken into consideration?
SECRETARY DALEY: We have a meeting next week.
Q: Mr. Daley, will there be a time deadline for the technical review?
SECRETARY DALEY: We hope to complete them, probably, within a month of when they're submitted.
DEPUTY SECRETARY HAMRE: But did you ask about when this regulation comes out, or the normal technical review?
SECRETARY DALEY: Technical review.
Q: The technical review of each of --
DEPUTY SECRETARY HAMRE: Can I just say, we obviously don't -- we're not interested in a lengthy process. But it does require good insights. And this does mean that companies have to come in with more than just a brochure. I mean, too much of what we get is simply marketing proposals, not real technical information.
Q: What else are you looking for in the technical review, aside from the distinction between commercial product and non-mass-market product?
SECRETARY DALEY: That will be developed over the next number of weeks.
Q: What sort of reaction have you gotten to the CESA legislation? And when information about that legislation was first revealed, there was a provision allowing for a delayed notice of a court order, along for a search. And why was that taken out?
ATTORNEY GENERAL RENO: That was an original draft. We have had further discussion, and feel like, that under existing authorities, with the technical support center funded by the existing authorities, that we can address the issue, and ensure our abilities to continue our law enforcement responsibilities.
MR. LEAVY: Okay, thank you. Appreciate it.
END 4:00 P.M. EDT
(end transcript)
16 September 1999
(Products of up to 64-bit length allowed to most countries) (640)
New guidelines, issued by the White House September 16, will allow exports of encryption commodities and software with up to 64-bits.
The new guidelines apply to individuals, companies or other non-governmental entities in any country except the seven state sponsors of terrorism. Exports to a government can be approved under a license, the fact sheet says.
The guidelines also do away with the need for foreign nationals working in the United States for U.S. encryption firms to obtain an export license, the fact sheet says.
Following is the fact sheet:
(begin fact sheet)
THE WHITE HOUSE
Office of the Press Secretary
September 16, 1999
Administration Updates Encryption Export Policy
Today, the Clinton Administration announced a new approach to encryption policy that includes updates and simplifies export controls. The major components of this update are as follows:
Global exports to individuals, commercial firms or other non-governmental entities
Any encryption commodity or software of any key length can now be exported under a license exception (i.e., without a license) after a technical review, to commercial firms and other non-government end users in any country except for the seven state supporters of terrorism. Exports previously allowed only for a company's internal use can now be used for communication with other firms, supply chains and customers. Additionally, telecommunication and Internet service providers may use any encryption commodity or software to provide services to commercial firms and non-government end users. Previous liberalizations for banks, financial institutions and other approved sectors are subsumed under this Update. Exports to governments can be approved under a license.
Global exports of retail products
Retail encryption commodities and software of any key length may be exported under a license exception (i.e., without a license) after a technical review, to any recipient in any country except to the seven state supporters of terrorism. Retail encryption commodities and software are those products which do not require substantial support for installation and use and which are sold in tangible form through independent retail outlets, or products in tangible or intangible form, which have been specifically designed for individual consumer use. There is no restriction on the use of these products. Additionally, telecommunication and Internet service providers may use retail encryption commodities and software to provide services to any recipient.
Implementation of the December 1998 Wassenaar Arrangement Revisions
Last year, the Wassenaar Arrangement (33 countries which have common controls on exports, including encryption) made a number of changes to modernize multilateral encryption controls. As part of this update, the U.S. will allow exports without a license of 56 bits DES and equivalent products, including toolkits and chips, to all users and destinations (except the seven state supporters of terrorism) after a technical review. Encryption commodities and software with key lengths of 64-bits or less which meet the mass market requirements of Wassenaar's new cryptographic note will also be eligible for export without a license after a technical review.
U.S. Subsidiaries
Foreign nationals working in the United States no longer need an export license to work for U.S. firms on encryption. This extends the policy adopted in last year's update, which allowed foreign nationals to work for foreign subsidiaries of U.S. firms under a license exception (i.e., without a license).
Export Reporting
Post-export reporting will now be required for any export to a non-U.S. entity of any product above 64 bits. Reporting helps ensure compliance with our regulations and allows us to reduce licensing requirements. The reporting requirements will be streamlined to reflect business models and practices, and will be based on what companies normally collect. We intend to consult with industry on how best to implement this part of the update.
(end fact sheet)
16 September 1999
(Democrat praises administration proposal) (360)
Representative Richard Gephardt, the Democrats'leader in the U.S. House of Representatives, has praised the Clinton administration's proposal for further relaxing controls on U.S. exports of encryption software.
In a September 16 statement, Gephardt said the proposal appears to balance the interests of business on one side and law enforcement and national security on the other.
He said Congress should quickly examine the administration proposal, especially in regard to privacy rights.
Following is the text of the statement:
(begin text)
September 16, 1999 H-204, U.S. Capitol
I applaud President Clinton and Vice-President Gore for the Administration's proposal to relax export controls on encryption technology. This proposal goes a long way to address the concerns that I and other members of the Democratic Caucus have shared with the President -- as recently as earlier this week -- about the need to enact major changes in U.S. policy regarding the export of strong encryption products.
Sales of computer hardware and software containing strong encryption is a major growth area for the U.S. high-tech businesses, but it has been restricted by outdated, cold-war era regulations. The proposed changes will allow American businesses to compete with their overseas competitors for this valuable market, enhancing our leadership in the global marketplace.
This proposal appears to fairly balance the requirements of the high-tech industry with the strong national interest in ensuring criminals and terrorists can't use the tools of strong encryption to avoid prosecution for their unlawful acts. I hope that Congress will move quickly to hold hearings on the Administration's proposal on third-party key retrieval. This is an important privacy issue that must be thoroughly debated and reviewed to ensure the tools we give law enforcement are consistent with our constitutional protections.
I look forward to seeing the full details of this proposal and will continue to work with key members of my High-Tech Advisory Group to ensure the needs of the technology industry are addressed as the elements of today's announcement are fully implemented.
(end text)
HTML by JYA/Urban Deadline.