[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Senators Challenge Crypto Policy



[Congressional Record: June 17, 1998 (Senate)]

                               ENCRYPTION

  Mr. LOTT. Mr. President, I rise today out of concern for our nation's
computer and electronic industries. As you are well aware, the
Administration's

[[Page S6438]]

export policies prohibit American companies from selling state-of-the-
art encryption technology abroad without recovery keys and back door
access. Encryption is a series of mathematical formulas that scramble
and unscramble data and communications. It is used to thwart computer
hackers, industrial and foreign espionage agents, and criminals from
gaining access to and reading sensitive personal, business, and
military communications. The higher the bit-key length, the more
difficult it is for unauthorized persons to break the code. Technically
advanced encryption ensures that an individual's medical, financial,
business, personal records and electronic-mail cannot be accessed
without their consent. The Administration is now promoting the
deployment of recovery keys so designated third parties would be able
to access and share with law enforcement the computer data and
communications of American citizens without their knowledge. Currently,
government mandated key escrow is not required and is opposed by the
computer industry, privacy advocates, legal scholars, and by many
members of Congress.

  Mr. LEAHY. While current law does not mandate any key recovery, the
current Administration, just as past Administrations, uses the export
control regime to ``dumb down'' the encryption available for widespread
integration into high-tech products intended for both domestic use and
for export to foreign customers. Export regulations in place now are
being used expressly to coerce the development and use of encryption
products capable of giving law enforcement surreptitious access to
plaintext by conditioning the export of 56-bit DES encryption on
development of key recovery features.

  These regulations are scheduled to sunset in December 1998, at which
time export of even 56-bit strength encryption will no longer be
permitted. I understand that the Administration is already undertaking
discussions with industry on what will happen upon sunset of these
regulations. I have long contended that taking unilateral steps will
not resolve this issue, but instead could delay building the consensus
we so urgently need. This issue simply cannot by resolved by Executive
fiat.

  Mr. ASHCROFT. Mr. President, I have been involved in the debate
regarding encryption technology and privacy for more than three years
now. In the course of that time I have not seen any real attempt by the
White House to resolve this problem. In fact, over the course of that
time the Administration has moved further from negotiation by taking
increasingly extreme positions on this critical national issue.

  Mr. CRAIG. Mr. President, as you have heard, current U.S. policy
allows only encryption below the 56-bit key length to be sold abroad.
For a long time now, software companies have argued that this level of
encryption is so low it provides little security for the information
being transmitted over the ``super highway.'' This policy also states
that, in the production of encryption stronger than 56-bit, software
companies must provide some type of ``backdoor'' access to ensure law
enforcement can decode encrypted material.

  Addressing this from an economic perspective, customers--especially
foreign customers--are unwilling to purchase American encryption
products with backdoors and third-party access. This is particularly
true since they can buy stronger encryption overseas from either
foreign-owned companies or American owned companies on foreign soil
without these invasive features.

  Mr. WYDEN. Since coming to the Senate, I have worked side-by-side
with Senators Burns, Ashcroft, Leahy and others on the critical issue
of encryption. Our common goal has been to craft a policy that puts the

United States squarely out front of the crypto-curve, rather than locks
us permanently behind it. A one-size-fits-all government policy simply
won't work in this digital era. We all recognize and acknowledge the
legitimate needs of law enforcement and the national security
communities, but tying the hands of America's high technology industry
in the process will serve neither those needs, nor the national
interest in maintaining our competitive edge in the fiercely
competitive global marketplace. It's time to move forward with
comprehensive encryption reform legislation.

  Mr. BURNS. I would like to point out that the government's plan for
encryption--whether they call it ``key escrow'' or ``key recovery'' or
``plaintext access''--simply won't work. Eleven of the world's most
prominent computer security experts have told us government mandated
key recovery won't work because it won't be secure, as explained in a
study published this week by the Center for Democracy and Technology.
Key escrow also won't work because it will cost billions, as revealed
in a recent study published by the Business Software Alliance. We have
also been told that the kind of system the Administration wants is not
technically feasible. Additionally, constitutional scholars testified
that government mandated key escrow, third party recovery probably
violates the Bill of Rights.

  Mr. LOTT. Even though a national recovery system would be technically
unfeasible, costly, and violates an individual's privacy rights, the
Administration continues to require key escrow as a precondition for
relaxing America's encryption policy. Again, Mr. President, I would
point out that state-of-the-art encryption is available in the
international marketplace without key recovery and without backdoor
access. This backdoor door requirement is simply backward thinking
policy. It does not make sense to hold the computer industry hostage to
force the creation of such an unworkable system.

  Mr. BURNS. The Majority Leader is absolutely right. We do not need
experts to tell us key recovery will not work. All that is needed is a
little common sense to understand that no one will buy systems with
backdoor access. Criminals will not escrow their keys and terrorists
will find keyless systems from America's foreign competitors. There is
nothing we can do to stop undesirables from using strong, unescrowed
encryption.

  Mr. LOTT. Even though advanced encryption products are widely
available across the globe, the White House continues to stall
Congressional and industry attempts to reach a sensible market oriented
solution to the nation's outdated encryption export regime. This
stonewalling tactic will only cede even more of our nation's technology
market to foreign competitors and America will lose forever its ability
to sell encryption technology at home and abroad.

  It is time to change America's export policy before it is too late.
If the Administration will not do what is right, reform its export
regime, then Congress must enact encryption reform during this session.

  Mr. LEAHY. The Majority Leader is correct that reform of our
encryption policy is needed. The Attorney General came to the Hill in
March and asked for a legislative moratorium on encryption matters.
This request was made because the Administration wanted to talk with
the information technology industry about developing means for law
enforcement to gain surreptitious access to plaintext scrambled by
strong encryption. According to eleven of the world's leading
cryptographers in a report reissued on June 8, the technical risks and
costs of such backdoors ``will exacerbate, not alleviate, the potential
for crime and information terrorism'' for America's computer users and
our critical infrastructures.

  In the Senate we have a name for debate that delays action on
legislative matters. We call it a filibuster. On encryption policy, the
Administration has been willing to talk, but not to forge a real

solution. That amounts to a filibuster. The longer we go without a
sensible policy, the more jobs will be lost, the more we risk eroding
our privacy rights on the Internet, and the more we leave our critical
infrastructures vulnerable.

  Mr. BURNS. We can readily see that the current U.S. policy on
encryption jeopardizes the privacy of individuals, the security of the
Internet, and the competitiveness of U.S. industry. We have been
debating this issue since the Administration's introduction of the ill-
fated Clipper chip proposal over five years ago. Yet no substantial
change in Administration policy has taken place. It is time for us to
take action.

  I first introduced comprehensive encryption reform legislation in the

[[Page S6439]]

form of the Pro-CODE bill over two years ago, then reintroduced it in
this Congress with the cosponsorship of the Majority Leader, Senators
Ashcroft, Leahy, Wyden, and others. Along with Senators Ashcroft,
Leahy, and others, I am also an original cosponsor of the E-PRIVACY
bill, which would foster the use of strong encryption and global
competitiveness. We have held numerous hearings on the issue. Yet
despite the increasingly desperate drumbeat of criticism from industry,
individuals, and privacy groups, from across the political spectrum,
the Administration's policy has remained fundamentally unchanged.

  Mr. LEAHY. Since the hearing I chaired in May 1994 on the
Administration's ``Clipper Chip'' proposal, the Administration has
taken some steps in the right direction. Clipper Chip is now dead, and
the Administration has transferred authority over the export of
encryption products from the State Department to the Commerce
Department, as called for in legislation I introduced in the last
Congress with Senators Burns, Wyden and others. Furthermore, the
Administration has permitted the export of up to 56-bit DES encryption,
at least until the end of this year. But these actions are simply not
enough for our high-tech industries to maintain their leading edge in
the global marketplace.

  Mr. ASHCROFT. Our technology companies need to be able to compete
effectively. Without reasonable export laws our technology sector will
be seriously harmed. More encryption companies will leave the country
so they are free to sell their products around the globe as well as
within the United States. Make no mistake, the market will not be
denied. Today, robust encryption products from Canada, Japan, Germany
and elsewhere are being sold on the world market. You have heard of the
companies that are manufacturing and selling encryption. They are
Nortel, Nippon and Seimens. These are not upstart companies. They are
substantial players on the international scene, and they offer
encryption products that are technically and financially competitive
with those produced in the U.S.

  Mr. LOTT. That's right. In fact, a recent survey conducted by Trusted
Information Systems found that hundreds of foreign companies sell over
600 encryption products from 29 countries. It is even possible to
download some of the strongest technology available, 128-bit key length
encryption, off of the Internet. Clearly, America's policy of
restricting the sale of American encryption software and hardware has
not impacted the availability and use of this technology throughout the
globe.

  No one disputes the fact that the development and use of robust
encryption worldwide will continue with or without U.S. business
participation. What is particularly disturbing to me is that export
controls, instead of achieving their intended purpose, have only served
to deny America's premier computer industry the opportunity to compete
on a level playing field with foreign competitors. Costing our economy
and our nation billions of dollars and the loss of countless American
jobs in the process. Given the wide availability of encryption
technology, continuing to restrict U.S. access to foreign markets makes
no sense.

  Mr. ASHCROFT. That is absolutely correct. The Administration's
encryption policy is, in effect, a tax on American consumers. We owe it

to these customers and the innovators in the software industry to
reform this encryption policy now. From the birth of the United States,
this country has been a world leader in innovation, creativity,
entrepreneurship, vision and opportunity. Today all of these American
attributes are on display in our technology sector. Whether in
telecommunications, or computer hardware or software, the United States
has maintained a leadership position because of the opportunities
afforded to people with the vision, determination and responsibility to
reach for their highest and best. We must work diligently to ensure
that ample opportunities are maintained in this country for our
technology sector to continue to thrive and innovate. If companies are
stifled and cannot compete, then the people, the ideas, the jobs, and
the economic growth will simply go elsewhere.

  Mr. BURNS. In the computer business these days, they talk about
``Internet time.'' In the Internet industry, where product life cycles
can be as low as 6 months, the world changes rapidly. Yet we have been
debating this issue for over five years now, while America's sensitive
communications go unsecured, our critical information infrastructures
go unprotected, and our electronic commerce jobs get shipped overseas.
It is time for the Congress to act.

  Mr. ASHCROFT. If this issue is not resolved, and resolved soon, we
will lose this industry, we will lose our leadership position in
technology, and our national security will suffer. We have a choice to
make as policy makers--do we allow our companies to compete
internationally or do we force them, by our antiquated and ill-
conceived government policy, to move overseas. We cannot simply ignore
the reality that robust encryption exists in the international
marketplace now. Instead, we must allow our companies to compete, and
do so now. We cannot allow extraneous issues to stand in the way of
remedying the deficiencies with our current approach to encryption. We
must recognize that keeping the encryption industry on American shores
is the best way to ensure national security. We would not think of
allowing all our defense industries to move abroad. By the same token,
we should not force the encryption industry abroad through outdated
policies. Simply put, strong encryption means a strong economy and a
strong country. This concern is just one of the many reasons we need to
pass effective encryption legislation this year and just one of the
reasons that Senator Leahy and I recently drafted the E-PRIVACY bill,
S. 2067.

  Mr. LEAHY. I join with my colleagues from both sides of the aisle in
calling for passage of good encryption legislation that promotes
computer privacy, fosters the global competitiveness of our high-tech
industries, and encourages the widespread use of strong encryption as
an online crime prevention and anti-terrorism tool. The E-PRIVACY bill
that I have sponsored with Senator Ashcroft, Senator Burns and others,
satisfies these goals. Prompt Senate consideration of encryption
legislation is sorely needed to protect America's economy and security.

  Mr. CRAIG. Mr. President, the E-PRIVACY bill seeks to protect
individual privacy, while at the same time addressing national security
and law enforcement interests. It would also modernize export controls
on commercial encryption products.

  The E-Privacy Act specifically addresses the concerns of law
enforcement. First and foremost, it makes it a crime to intentionally
use encryption to conceal incriminating communications or information.
It also provides that with an official subpoena, existing wiretap
authority can be used to obtain communications decryption keys/
assistance from third parties.

  Mrs. MURRAY. Mr. President, I want to thank Senator Leahy, Senator
Burns and Senator Ashcroft as well as Senator Lott and Senator Daschle
for their work and leadership on the issue of encryption. I am proud to
be an original cosponsor of S. 2067, the E-PRIVACY Act.


  This is my sixth year as a member of the Senate and the sixth year I
have advocated for reasonable legislation on encryption. Sadly, the
Administration has not been a constructive player in this debate. It is
time for the United States to acknowledge that we no longer exclusively
control the pace of technology. Purchasers around the world can
download software off of the Internet from any country by simply
accessing a website. Foreign purchasers have turned to Russian, German,
Swiss and other foreign vendors for their encryption needs.

  Washington state and American companies deserve the opportunity to
compete free from unreasonable government restrictions. Their role in
the international marketplace should be determined by their ingenuity
and creativity rather than an outdated, ineffectual system of export
controls. The time to act is now. I urge the Senate to consider the E-
PRIVACY Act at the earliest opportunity.

  Mr. BURNS. The basic facts remain the same. People need strong,
unescrowed encryption to protect themselves online in the information

[[Page S6440]]

age. Law enforcement has legitimate concerns about the spread of this
technology, and we must work to provide them the tools and expertise
they need to keep up with advances in encryption technology. We cannot
stop time, however. The genie is out of the bottle. As Bill Gates, the
CEO of Microsoft, recently said, ``Encryption technology is widely
available outside the United States and inside the United States, and
that's just a fact of life.''

  Mr. CRAIG. With the rapid expansion of the ``super highway'' and
Internet commerce it is crucial we bring encryption legislation to the
forefront. A secure, private and trusted national and global
information infrastructure is essential to promote citizens' privacy
and economic growth.

  Mr. BURNS. As my colleagues recognize, technically advanced and
unobtrusive encryption is fundamental to ensuring the kind of privacy
Americans will need and desire in the years to come. Congress must
choose a future where individuals and companies will have the tools
they need to protect their privacy, not a future where people fear the
use electronic commerce because they have no security.

  I commend the Majority Leader, Senators Ashcroft, Leahy, Craig,
Wyden, and Murray for their vision and bipartisan leadership on this
issue. I hope that Congress will be able to move forward with real
encryption reform legislation that protects the privacy and security of
Americans in the Information Age, before it is too late.

  Mr. LOTT. I think it is worth repeating to my colleagues that the
Administration's approach to encryption makes no sense. It is not good
policy. Continuing to restrict the foreign sale of American encryption
technology that is already available abroad, or will soon be available,
is anti-business, anti-consumer, anti-jobs, and anti-innovation.

  The time for a change in America's export regime is long overdue.
Unfortunately, the Administration continues to support its outmoded and
competition-adverse encryption control policy. That is why this
Congress needs to find a legislative solution to this issue.

  If America's export controls are not relaxed now, then Congress
places in peril our entire technology industry. Not just those
companies that create and market encryption products and services, but
virtually every company involved in the development and sale of
computer hardware and software. Congress cannot and will not put
America's entire technological base at risk for an ineffective and
outmoded export policy on encryption.

                          ____________________