THE WHITE HOUSE: Briefing on encryption ( X-files ?? )

[Robert Hettinga <rah@shipwright.com>]

--- begin forwarded text


From: "Blair Anderson" <blair@technologist.com>
To: "Robert Hettinga" <rah@shipwright.com>
Date: Fri, 18 Sep 98 11:07:29 +1300
Reply-To: "Blair Anderson" <blair@technologist.com>
Priority: Normal
MIME-Version: 1.0
Subject: THE WHITE HOUSE: Briefing on encryption ( X-files ?? )

THE WHITE HOUSE: Briefing on encryption

M2 PRESSWIRE-17 September 1998-THE WHITE HOUSE: Office of the Press
Secretary -- Briefing on encryption
(C)1994-98 M2 COMMUNICATIONS LTD

* Briefing by the Vice President, Deputy Chief of Staff John Podesta,
Principal Associate Deputy Attorney General
Robert Litt, Assistant Director of the FBI Carolyn Morris, Under Secretary
of Commerce William Reinsch, Deputy
Secretary of Defense John Hamre, and Deputy National Security Advisor Jim
Steinberg

* The Briefing Room

THE VICE PRESIDENT: Good morning. While my colleagues are coming in here,
let me acknowledge them. John
Podesta is going to take over the podium after I complete my statement, and
he is joined by Bob Litt of the Justice
Department, Bill Reinsch of the Commerce Department -- Under Secretary for
the Export Administration -- and John
Hamre, Deputy Secretary of Defense.

I also want to acknowledge Carolyn Morris of the FBI; Barbara McNamara of
the National Security Agency; John
Gordon, Deputy Director of the CIA. And you all should know that this
process, the results of -- the interim results of
which I'm announcing here, is a process that has been run principally by
John Podesta and Jim Steinberg, Deputy at the
National Security Council. And I also want to thank Sally Katzen at the NEC
and David Beier on my staff for the work
that they and many others have done on this.

Some of you who have followed this issue know that it is probably one of
the single, most difficult and complex issues
that you can possibly imagine. But we've made progress, and we're here this
morning to announce an important new
action that will protect our national security and our safety, and advance
our economic interests and safeguard our basic
rights and values in this new Information Age.

The Information Age has brought us the Internet, an inter-connected global
economy and the promise of connecting us
all to the same vast world of knowledge. But with that exciting promise
comes new challenges. We must make sure that
in the Information Age you get information about the rest of the world and
not the other way around. We must ensure
that new technology does not mean new and sophisticated criminal and
terrorist activity which leaves law enforcement
outmatched -- we can't allow that to happen. And we must ensure that the
sensitive financial and business transactions
that now cruise along the information superhighway are 100 percent safe in
cyberspace.

Balancing these needs is no simple task, to say the least. That is why, in
taking the next step toward meeting these
complex goals, we worked very closely with members of Congress from both
parties, House and Senate; with industry;
with our law enforcement community and with our national security
community. And as we move forward we want to
keep working closely with all who share a stake in this issue -- especially
law enforcement -- to constantly assess and
reassess the effectiveness of our actions in this fast changing medium.

Today I'm pleased to announce a new federal policy for the encryption and
protection of electronic communication, a
policy that dramatically increases privacy and security for families and
businesses without endangering out national
security.

Beginning today, American companies will be able to use encryption programs
of unlimited strength when
communicating between most countries. Health, medical, and insurance
companies will be able to use far stronger
electronic protection for personal records and information. Law enforcement
will still have access to criminally-related
information under strict and appropriate legal procedures. And we will
maintain our full ability to fight terrorism and
monitor terrorist activity that poses a grave danger to American citizens.

With this new announcement, we will protect the privacy of average
Americans, because privacy is a basic value in the
Information Age, indeed in any age. We will give industry the full
protection that it needs to enable electronic
commerce to grow and to thrive. And we will give law enforcement the
ability to fight 21st century crimes with 21st
century technology, so our families and businesses are safe, but on-line
outlaws are not safe.

In just a moment you will hear more of the details of this new policy, but
I want to conclude by saying that this policy
does reflect one of the greatest challenges of these new times. And to
state it broadly, it's a challenge of how we can
harness powerful new technology while protecting our oldest and most
cherished values, such as privacy and safety.

I'm grateful to those who have worked so hard to reach this balance. And
with today's announcement I believe that all
families and businesses have reason to feel safer, more secure and more
confident as we approach the 21st century.

And now I'd like to turn things over to White House Deputy Chief of Staff
John Podesta.

Q Mr. Vice President, before you go, can you tell us what you say to
Democratic lawmakers who say the President
ought to resign?

THE VICE PRESIDENT: I disagree.

Q How about the release of that tape? What do you think --

THE VICE PRESIDENT: The President is going to have a press conference
shortly and I'm sure that you will not miss
the opportunity at this national security press conference with the leader
of a foreign country to raise all these questions.

Q What about the videotape, should it be released?

Q It was staged by the White House -- you know that, don't you?

MR. PODESTA: Guess what? I'm here to talk about encryption. Okay. I can see
the front row leaving here. (Laughter.)
As the Vice President noted, Jim Steinberg and I have co-chaired our
process in this matter. I volunteered for that duty
because of my well-known fascination with The X Files, which most of you
know about.

As you know, this is an important and challenging issue that affects many
of our interests in our society. And over the
past year we've promoted a balanced approach to the issue, working with all
segments of our government and working
with industry to find a policy that promotes electronic commerce, preserves
privacy, protects national security and law
enforcement interests, and permits U.S. industry to secure global markets.

Recognizing the importance of moving this issue forward, last March the
Vice President asked us to intensify our
dialogue with U.S. industry, to bring industry's technical expertise to
bear on this issue with the hope of finding more
innovative ways that we might assist law enforcement. We appreciate the
efforts of Congress, the law enforcement
community and particularly the industry groups.

I would note the Computer Systems Policy Project and the Americans for
Computer Privacy, who have been in an
intensive dialogue with us over the past many months to foster an
environment that has allowed us to come up with a
policy which we believe has balanced the elements that are necessary in
this regard.

I think all the stakeholders in this process, on our side, as well as on
private industry's side, now have a greater
appreciation of the issues and intend to continue the dialogue, which I
think we're most pleased by. Again, I think some
of the people here from industry will be available at the stakeout later to
take some comment.

Based on the ideas discussed among the various stakeholders, today we're
proposing an update to our policies that
we've announced in the past. I'm going to serve kind of as M.C. We're going
to start off with Bob Litt from the Justice
Department and Carol Morris, who I asked to join us, from the FBI, to talk
about the law enforcement-FBI concerns.
Then we're going to turn to Bill Reinsch from the Commerce Department to
talk about export control and electronic
commerce. And finally you'll hear from Dr. Hamre from the Defense
Department. I might ask Jim also to join us up
here.

Before I give up the floor to Bob and Carol, though, I want to stress that
encryption policy is an ongoing process. It's
one of adaptation; it's an evolutionary process. We intend to continue the
dialogue, and over the course of the next
year, determine what further updates are necessary as we work with industry
to try to, again, come up with a policy that
balances national security, law enforcement, and the real needs for privacy
and security in electronic commerce.

Thank you. Let me turn it over to Bob.

MR. LITT: Thank you, John. Good afternoon. The Justice Department and the
FBI and law enforcement in general is
supportive, very supportive of today's announcement on the updating of our
export controls on encryption products,
particularly with respect to those products that allow law enforcement to
obtain lawful access to the plain text of
encrypted information.

We have been very encouraged over the last few months by industry's efforts
to work with us to develop and market
strong encryption products that provide law-abiding citizens with the
ability to protect the privacy of their
communications and their electronically-stored data, while at the same time
maintaining law enforcement's ability to
ensure public safety when these products, when they become commercially
available, are used in furtherance of
serious criminal activity.

Our goal is through whatever means to ensure that when we have the lawful
authority to take steps to protect public
safety, we have the ability to do so. And we have been working
cooperatively with industry for many months to
develop approaches that will deal with that.

Carolyn Morris will now talk a little bit about the technical support
center that is being proposed.

MS. MORRIS: Thank you very much, Bob.

Good afternoon, ladies and gentlemen. We in federal, state, and local law
enforcement, are pleased with the
administration's support to establish a technical support center. This
center will provide federal, state, and local law
enforcement with the resources and the technical capabilities we need to
fulfill our investigative responsibilities.

In light of strong, commercially available encryption products that are
being proliferated within the United States, and
when such products are used in the furtherance of serious criminal
activity, this center becomes very, very critical to
solving the encryption issues that we need to make cases. As a matter of
fact, the FBI has already begun planning
activities of this critical technical support center in anticipation of the
availability of funds.

The United States federal, local and state law enforcement community looks
forward to a cooperative partnership with
American industry, the Congress and the administration to ensure that this
technical support center becomes a reality in
the near future. With this center the American people can be assured that
federal, state, and local law enforcement has
the necessary resources and tools we need to fulfill our public safety
mission.

Thank you very much.

UNDER SECRETARY REINSCH: With respect to export controls, the
administration is updating its policy in three
areas: Our existing policy and some revisions there, an expansion with
respect to certain sectors, and an expansion with
respect to so-called recoverable products. And let me address each of these
separately. In keeping with the
administration's reinvention initiatives, I'm going to try to do it in
plain language -- or plain English, So that those of you
that speak the vocabulary of encryption may find it to elementary, but we
can go back and do it again in another
language, if you want, later on in questions.

With respect to our existing policy, we have for two years ending this
December, permitted the export of 56-bit
products after an initial one-time review without further review by the
government. What we're announcing today is the
maintenance of that window permanently. And so 56-bit products will be
freed from export controls after a one-time
review, in perpetuity, not ending at the end of this year. We are, however,
removing the requirement for key recovery
plans or key recovery commitments to be provided in return for that change,
which was the initial condition that we
extracted.

In addition, we are continuing to permit the export of key recovery
products -- products that contain those features --
without restraint worldwide. We are, however, going to simplify
significantly our regulations that relate to those
exports. In particular, we're going to eliminate the need for six-month
progress reports for the plans that have been
submitted, and we're going to eliminate the requirement for any prior
reporting of key recovery agent information. For
those of you that follow the regulations in detail, that means we're going
to eliminate Supplement Five of our
regulations on these matters.

Now, with respect to sectors, we're making some new innovations in four
areas. Some of you may be familiar with the
fact that some time ago we announced expanded treatment of encryption
products for export to banks and financial
institutions. And what we did at that time, briefly, was to permit the
export of encryption products of any length, any bit
length, with or without key recovery features to banks and financial
institutions in a list of 45 countries.

What we are announcing today is, first, that we are adding insurance
companies to the definition of financial institutions,
so insurance companies will be treated the same way under this policy as
banks and other financial institutions are now.
In addition, we are providing the same kind of treatment for exports of
these encryption products to the health and
medical sector operating in the same set of countries. We are excluding
from that biochemical and pharmaceutical
producers. But the rest of the health and medical sector will be the
beneficiary of the same kind of treatment.

In addition, we are providing also this expanded treatment for that country
group to on-line merchants that are operating
in those countries. That means that for products that are like
client-server applications, like SSL, will be able to be
exported to those destinations.

All these things will take place under what we call license exception,
which means after initial one-time review to
determine whether or not your product is, in fact, what you say it is, they
can then go without any further review or
intervention by the government to those locations. In addition, there is
always the option in the export control system of
coming in with an application to export these kinds of products to other
destinations beyond the ones that I'm talking
about right now, and those will be reviewed one by one on their merits.

Finally, with respect to what we have come to refer to as a class of
so-called recovery capable or recoverable products,
and these are the products that, among others, include what has become
known as the doorbell products, which are
products that, among other things, will deal with the development of local
area or wide area networks and the
transmission of e-mail and other data over networks -- we are going to
permit the export of those products under a
presumption of approval and an export licensing arrangement to a list of 42
countries. And within those countries we are
going to permit that export to commercial firms only within those
countries. And both in that case and in the case of the
on-line merchants that I referred to a few minutes ago, we are going to
exclude manufacturers or distributors of
munitions items, I think for obvious reasons.

We can go into further details later, if you would like. I think for those
of you that are interested in the nitty-gritty of all
this stuff, BXA intends to post all the details, including the country
lists, on its website and we should have that up later
today.

Thank you.

DEPUTY SECRETARY HAMRE: Good morning. I'm here to speak on behalf of the
national security community. I'm
joined today by my enormously capable counterparts and colleagues, Deputy
Director Barbara McNamara for the
National Security Agency; and Deputy Director John Gordon from the Central
Intelligence Agency.

The national security establishment strongly supports this step forward. We
think this is a very important advance in a
crucial area for our security in the future.

We in DOD had four goals when we entered these discussions. First was to
strengthen our ability to do electronic
commerce. We're the largest company in the world. Every month we write
about 10 million paychecks. We write about
800,000 travel vouchers. One of our finance centers disburses $45 million
an hour. We are a major, major force in
business. And for that reason, we can't be efficient unless we can become
fully electronic, and electronic commerce is
essential for us. And this is an enormous step forward.

Second, we must have strong encryption and a security structure for that in
order to protect ourselves in cyberspace.
Many of you know that we have experienced a number of cyber attacks during
the last year. This will undoubtedly
increase in the future. We need to have strong encryption because we're
operating over public networks; 95 percent of
all of our communications now go over public infrastructure -- public
telephone lines, telephone switches, computer
systems, et cetera. To protect ourselves in that public environment, we
must have encryption and we must have a key
recovery system for ourselves.

The third goal that we had was to help protect America's infrastructure.
One of the emerging national security
challenges of the next decade is to protect this country, the homeland
defense of this country, against attack. We must
have strong encryption in order to do that, because most of this
infrastructure now is being managed through distributed
computer-based management systems, and this is an important step forward.

Finally, it is very important that the Department of Defense and our
colleagues in the national security establishment
have the ability to prosecute our national security interests overseas.
Terrorists and rogue nations are increasingly using
these tools to communicate with each other and to lay their plans. We must
have the ability to deal with that. And so this
policy, it's a balanced and structured approach to be able to deal with all
four of those problems.

UNDER SECRETARY REINSCH: I apologize -- in listing my changes, I neglected
one very important item that I want
to go back to, and that is, in the sector area we are also announcing today
the ability to export strong encryption of any
bit length, with or without key recovery features, to subsidiaries of U.S.
companies to all destinations in the world with
the exception of the seven terrorist nations.

MR. PODESTA: Okay, I think we're happy to take your questions now. If you
could identify whom you're addressing,
because there is a variety of expertise. And I would like to introduce one
other person, Charlotte Knepper from the
NSC staff, who has been instrumental in pulling this all together.

Q John, this is a question for you. In October '96 and other White House
statements on encryption, there has usually
been a line also addressing the domestic side, saying that all Americans
remain free to use any strength encryption. I
didn't notice anything like that in today's announcement. Are there any
conditions under which the White House would
back domestic restrictions on encryption?

MR. PODESTA: We haven't changed our policy, and the previous statements are
certainly intact. We have made a
number of policy statements in the past, since this administration came
into office, and I think that you should view this
as a step forward, building on the policies that we have put before the
American public in the past.

Q John, could I ask you one question about an un-encrypted matter?

MR. PODESTA: Maybe. (Laughter.)

Q Democrats on the Hill are now saying, and John Kerry is saying that the
President's actions absolutely call for some
sort of punishment. What are Democrats telling you about what they feel
must be done at this point?

MR. PODESTA: Well, I think I'm not going to stand here and take a lot of
questions, but I'm going to give special
dispensation, as a Catholic, today -- which is I'm going to return your
phone calls later. But in deference to the people
up here I think we'll handle it that way.

But in specific response, I'll take one, which is that I think that we had
a number of productive meetings with
Democrats on both sides of the Hill yesterday. They view the President as a
person who has led on the issues that are
important to them, and I think what they want to do is get back to having
him speak out and be a leader on the issues of
education and the health care bill of rights, on saving Social Security.
And I think they pointed at that and wanted to
work with us on that.

I think with regard to the question that you posed with regard to Senator
Kerry, I think that's a matter that they are
debating amongst themselves more than they are debating with the White
House. I think it's probably presumptuous for
us at this point to offer them assistance or guidance. I mean, the
President has said that what he has done was wrong;
he's apologized for it; he's asked for forgiveness. He is moving forward.
And I think that this debate is going on, on
Capitol Hill, but it's largely going on amongst members themselves.

Q We haven't heard many of them say they want to get back to the work at hand.

MR. STEINBERG: You heard John, and I'm going to leave it there.

Let me just add a word in response, in connection with the domestic
controls issue. I think one of the lessons that we've
learned from this exercise is that -- actually, two lessons -- one, that
trying to balance the various interests and equities
in this is much less of a zero sum gain than I think some began to look at
the question. That is, you heard from Dr.
Hamre and others that many of the interests involved have common interests
in making sure that we have secure and
effective means of dealing with communications and stored data.

And so we found, by looking in a very pragmatic way, that there were ways
to solve these problems without very, kind
of, broad-based solutions. In particular, I think the idea that there's no
one-size-fits-all answer to the problems of
meeting the various needs informs the decisions that we reached -- that
there are a variety of different techniques that
respond to the different aspects of the industry, the different aspects of
the technology. I think that's what made the
progress possible today, is that industry, agencies and Congress sat down
together, pulled the problem apart, began to
look at its different components and began to fashion very pragmatic
solutions.

And so I think we came to this discussion with a spirit of not looking for
a kind of single or simple solution to the
problem but, rather, how do you tackle and meet the various needs. And I
think that's what led to this resolve.

Q Could you talk a little more about the on-line merchants part of it? I
mean, what do you have to do to qualify as an
on-line merchant? Do you have to register or can anybody sort of set
themselves up in business?

UNDER SECRETARY REINSCH: I think the simplest way to respond to that right
now is we'll have a definition in the
reg that will be very clear as to what the criteria are for qualification.
And those definitions have already been dealt with
and agreed to, so we should have them up on the web site this afternoon.

Q A question for Bill Reinsch. How do you handle, then, 128-bit, to which
the Department has given export -- or has
allowed to be exported after going through this review? Will 128 or things
above 56-bit, will they require a license or
will they still have to go through plans --

UNDER SECRETARY REINSCH: Well, with respect to the subsidiaries, the health
sector, the banks, the financial
institutions, the insurance companies, the on-line merchants, and the
recoverable products as in the universe defined --
no. In the case of all but the recoverable products, they will all go on
license exception, which means one-time review
and then out the door. With respect to recoverable products, they will come
in and go out pursuant to an export
licensing arrangement, where we'll have to do a little tailoring depending
upon the nature of the product. But there is a
presumption of approval for the 42 countries that I indicated.

And that's without reference to bit length -- 128 or more is all covered by
that. Now, if you want to export an 128-bit
product that is beyond any of those universes, then you would have to come
in for an individual license application.

Q A question for Mr. Litt. With regard to the technical support center,
when do you expect that to be in operation?

MR. LITT: I don't think we have a specific timetable yet. Obviously, it
would be helpful for us to have it up and
operational as soon as possible, but there are planning and budgetary
issues that have to be dealt with.

Q This is probably a question for Under Secretary Reinsch. The export
exceptions now are essentially going to U.S.
subsidiaries -- foreign subsidiaries of U.S. companies. I was wondering,
could you be a little more specific -- what size
company, what kind of company will be allowed to export powerful crypto to
its foreign subsidiaries?

UNDER SECRETARY REINSCH: That doesn't make any difference. The universe is
determined by the end user, not
by the nature of the American company. But it is not -- while part of this
relates to subsidiaries of U.S. companies, that is
correct, we also intend, on a case-by-case basis, to provide for favorable
treatment for export of the same kind of thing
to strategic partners of U.S. companies -- those foreign companies that are
engaged in a closer, say, joint venture, that
kind of relationship.

Well, I think that's it.

Q What about foreign companies that have U.S. subsidiaries, like Seaman's
or -- or Chrysler -- can they get this
encryption?

UNDER SECRETARY REINSCH: Well, keep in mind, there are multiple universes
here. If you're talking about the
financial institutions, the banks and the insurance companies, those aren't
necessarily American financial institutions.
That's for export to any financial institution, and for their use in any of
their branches, aside from the terrorist countries.
This is true for the health sector; this is true for on-line merchants as
well. Those are not restricted to U.S. companies.

Obviously, if we're going to have a requirement for U.S. subs, it relates
to U.S. subs, and wouldn't affect the examples
you've described. Now, with respect to recoverable products, which actually
is one of the areas where the companies
you mentioned would probably be looking because they'd be looking to build
a network among their various offices,
affiliates of subsidiaries, dealers if necessary, worldwide, the
recoverable provisions that I described could be exported
to those companies within the territorial universe I described -- the 42
countries.

Thank you very much.
Blair Anderson  (Blair@technologist.com)

International Consultant in Electronic Commerce,
Encryption and Electronic Rights Management

   "Techno Junk and Grey Matter"  (HTTP://WWW.NOW.CO.NZ [moving servers,
currently inactive])
   50 Wainoni Road, Christchurch, New Zealand

          phone 64 3 3894065
          fax     64 3 3894065

Member 	Digital Commerce Society of Boston

---------------------------- Caught in the Net for 25 years
----------------------------

--- end forwarded text


-----------------
Robert A. Hettinga <mailto: rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'