ENCRYPTION (Senate - June 17, 1998)

[Page: S6437]

Mr. LOTT. Mr. President, I rise today out of concern for our nation's computer and electronic industries. As you are well aware, the Administration's export policies prohibit American companies from selling state-of-the-art encryption technology abroad without recovery keys and back door access. Encryption is a series of mathematical formulas that scramble and unscramble data and communications. It is used to thwart computer hackers, industrial and foreign espionage agents, and criminals from gaining access to and reading sensitive personal, business, and military communications. The higher the bit-key length, the more difficult it is for unauthorized persons to break the code. Technically advanced encryption ensures that an individual's medical, financial, business, personal records and electronic-mail cannot be accessed without their consent. The Administration is now promoting the deployment of recovery keys so designated third parties would be able to access and share with law enforcement the computer data and communications of American citizens without their knowledge. Currently, government mandated key escrow is not required and is opposed by the computer industry, privacy advocates, legal scholars, and by many members of Congress.

[Page: S6438]

Mr. LEAHY. While current law does not mandate any key recovery, the current Administration, just as past Administrations, uses the export control regime to `dumb down' the encryption available for widespread integration into high-tech products intended for both domestic use and for export to foreign customers. Export regulations in place now are being used expressly to coerce the development and use of encryption products capable of giving law enforcement surreptitious access to plaintext by conditioning the export of 56-bit DES encryption on development of key recovery features.

These regulations are scheduled to sunset in December 1998, at which time export of even 56-bit strength encryption will no longer be permitted. I understand that the Administration is already undertaking discussions with industry on what will happen upon sunset of these regulations. I have long contended that taking unilateral steps will not resolve this issue, but instead could delay building the consensus we so urgently need. This issue simply cannot by resolved by Executive fiat.

Mr. ASHCROFT. Mr. President, I have been involved in the debate regarding encryption technology and privacy for more than three years now. In the course of that time I have not seen any real attempt by the White House to resolve this problem. In fact, over the course of that time the Administration has moved further from negotiation by taking increasingly extreme positions on this critical national issue.

Mr. CRAIG. Mr. President, as you have heard, current U.S. policy allows only encryption below the 56-bit key length to be sold abroad. For a long time now, software companies have argued that this level of encryption is so low it provides little security for the information being transmitted over the `super highway.' This policy also states that, in the production of encryption stronger than 56-bit, software companies must provide some type of `backdoor' access to ensure law enforcement can decode encrypted material.

Addressing this from an economic perspective, customers--especially foreign customers--are unwilling to purchase American encryption products with backdoors and third-party access. This is particularly true since they can buy stronger encryption overseas from either foreign-owned companies or American owned companies on foreign soil without these invasive features.

Mr. WYDEN. Since coming to the Senate, I have worked side-by-side with Senators Burns, Ashcroft, Leahy and others on the critical issue of encryption. Our common goal has been to craft a policy that puts the United States squarely out front of the crypto-curve, rather than locks us permanently behind it. A one-size-fits-all government policy simply won't work in this digital era. We all recognize and acknowledge the legitimate needs of law enforcement and the national security communities, but tying the hands of America's high technology industry in the process will serve neither those needs, nor the national interest in maintaining our competitive edge in the fiercely competitive global marketplace. It's time to move forward with comprehensive encryption reform legislation.

Mr. BURNS. I would like to point out that the government's plan for encryption--whether they call it `key escrow' or `key recovery' or `plaintext access'--simply won't work. Eleven of the world's most prominent computer security experts have told us government mandated key recovery won't work because it won't be secure, as explained in a study published this week by the Center for Democracy and Technology. Key escrow also won't work because it will cost billions, as revealed in a recent study published by the Business Software Alliance. We have also been told that the kind of system the Administration wants is not technically feasible. Additionally, constitutional scholars testified that government mandated key escrow, third party recovery probably violates the Bill of Rights.

Mr. LOTT. Even though a national recovery system would be technically unfeasible, costly, and violates an individual's privacy rights, the Administration continues to require key escrow as a precondition for relaxing America's encryption policy. Again, Mr. President, I would point out that state-of-the-art encryption is available in the international marketplace without key recovery and without backdoor access. This backdoor door requirement is simply backward thinking policy. It does not make sense to hold the computer industry hostage to force the creation of such an unworkable system.

Mr. BURNS. The Majority Leader is absolutely right. We do not need experts to tell us key recovery will not work. All that is needed is a little common sense to understand that no one will buy systems with backdoor access. Criminals will not escrow their keys and terrorists will find keyless systems from America's foreign competitors. There is nothing we can do to stop undesirables from using strong, unescrowed encryption.

Mr. LOTT. Even though advanced encryption products are widely available across the globe, the White House continues to stall Congressional and industry attempts to reach a sensible market oriented solution to the nation's outdated encryption export regime. This stonewalling tactic will only cede even more of our nation's technology market to foreign competitors and America will lose forever its ability to sell encryption technology at home and abroad.

It is time to change America's export policy before it is too late. If the Administration will not do what is right, reform its export regime, then Congress must enact encryption reform during this session.

Mr. LEAHY. The Majority Leader is correct that reform of our encryption policy is needed. The Attorney General came to the Hill in March and asked for a legislative moratorium on encryption matters. This request was made because the Administration wanted to talk with the information technology industry about developing means for law enforcement to gain surreptitious access to plaintext scrambled by strong encryption. According to eleven of the world's leading cryptographers in a report reissued on June 8, the technical risks and costs of such backdoors `will exacerbate, not alleviate, the potential for crime and information terrorism' for America's computer users and our critical infrastructures.

In the Senate we have a name for debate that delays action on legislative matters. We call it a filibuster. On encryption policy, the Administration has been willing to talk, but not to forge a real solution. That amounts to a filibuster. The longer we go without a sensible policy, the more jobs will be lost, the more we risk eroding our privacy rights on the Internet, and the more we leave our critical infrastructures vulnerable.

Mr. BURNS. We can readily see that the current U.S. policy on encryption jeopardizes the privacy of individuals, the security of the Internet, and the competitiveness of U.S. industry. We have been debating this issue since the Administration's introduction of the ill-fated Clipper chip proposal over five years ago. Yet no substantial change in Administration policy has taken place. It is time for us to take action.

I first introduced comprehensive encryption reform legislation in the form of the Pro-CODE bill over two years ago, then reintroduced it in this Congress with the cosponsorship of the Majority Leader, Senators Ashcroft, Leahy, Wyden, and others. Along with Senators Ashcroft, Leahy, and others, I am also an original cosponsor of the E-PRIVACY bill, which would foster the use of strong encryption and global competitiveness. We have held numerous hearings on the issue. Yet despite the increasingly desperate drumbeat of criticism from industry, individuals, and privacy groups, from across the political spectrum, the Administration's policy has remained fundamentally unchanged.

[Page: S6439]

Mr. LEAHY. Since the hearing I chaired in May 1994 on the Administration's `Clipper Chip' proposal, the Administration has taken some steps in the right direction. Clipper Chip is now dead, and the Administration has transferred authority over the export of encryption products from the State Department to the Commerce Department, as called for in legislation I introduced in the last Congress with Senators Burns, Wyden and others. Furthermore, the Administration has permitted the export of up to 56-bit DES encryption, at least until the end of this year. But these actions are simply not enough for our high-tech industries to maintain their leading edge in the global marketplace.

Mr. ASHCROFT. Our technology companies need to be able to compete effectively. Without reasonable export laws our technology sector will be seriously harmed. More encryption companies will leave

the country so they are free to sell their products around the globe as well as within the United States. Make no mistake, the market will not be denied. Today, robust encryption products from Canada, Japan, Germany and elsewhere are being sold on the world market. You have heard of the companies that are manufacturing and selling encryption. They are Nortel, Nippon and Seimens. These are not upstart companies. They are substantial players on the international scene, and they offer encryption products that are technically and financially competitive with those produced in the U.S.

Mr. LOTT. That's right. In fact, a recent survey conducted by Trusted Information Systems found that hundreds of foreign companies sell over 600 encryption products from 29 countries. It is even possible to download some of the strongest technology available, 128-bit key length encryption, off of the Internet. Clearly, America's policy of restricting the sale of American encryption software and hardware has not impacted the availability and use of this technology throughout the globe.

No one disputes the fact that the development and use of robust encryption worldwide will continue with or without U.S. business participation. What is particularly disturbing to me is that export controls, instead of achieving their intended purpose, have only served to deny America's premier computer industry the opportunity to compete on a level playing field with foreign competitors. Costing our economy and our nation billions of dollars and the loss of countless American jobs in the process. Given the wide availability of encryption technology, continuing to restrict U.S. access to foreign markets makes no sense.

Mr. ASHCROFT. That is absolutely correct. The Administration's encryption policy is, in effect, a tax on American consumers. We owe it to these customers and the innovators in the software industry to reform this encryption policy now. From the birth of the United States, this country has been a world leader in innovation, creativity, entrepreneurship, vision and opportunity. Today all of these American attributes are on display in our technology sector. Whether in telecommunications, or computer hardware or software, the United States has maintained a leadership position because of the opportunities afforded to people with the vision, determination and responsibility to reach for their highest and best. We must work diligently to ensure that ample opportunities are maintained in this country for our technology sector to continue to thrive and innovate. If companies are stifled and cannot compete, then the people, the ideas, the jobs, and the economic growth will simply go elsewhere.

Mr. BURNS. In the computer business these days, they talk about `Internet time.' In the Internet industry, where product life cycles can be as low as 6 months, the world changes rapidly. Yet we have been debating this issue for over five years now, while America's sensitive communications go unsecured, our critical information infrastructures go unprotected, and our electronic commerce jobs get shipped overseas. It is time for the Congress to act.

Mr. ASHCROFT. If this issue is not resolved, and resolved soon, we will lose this industry, we will lose our leadership position in technology, and our national security will suffer. We have a choice to make as policy makers--do we allow our companies to compete internationally or do we force them, by our antiquated and ill-conceived government policy, to move overseas. We cannot simply ignore the reality that robust encryption exists in the international marketplace now. Instead, we must allow our companies to compete, and do so now. We cannot allow extraneous issues to stand in the way of remedying the deficiencies with our current approach to encryption. We must recognize that keeping the encryption industry on American shores is the best way to ensure national security. We would not think of allowing all our defense industries to move abroad. By the same token, we should not force the encryption industry abroad through outdated policies. Simply put, strong encryption means a strong economy and a strong country. This concern is just one of the many reasons we need to pass effective encryption legislation this year and just one of the reasons that Senator Leahy and I recently drafted the E-PRIVACY bill, S. 2067.

Mr. LEAHY. I join with my colleagues from both sides of the aisle in calling for passage of good encryption legislation that promotes computer privacy, fosters the global competitiveness of our high-tech industries, and encourages the widespread use of strong encryption as an online crime prevention and anti-terrorism tool. The E-PRIVACY bill that I have sponsored with Senator Ashcroft, Senator Burns and others, satisfies these goals. Prompt Senate consideration of encryption legislation is sorely needed to protect America's economy and security.

Mr. CRAIG. Mr. President, the E-PRIVACY bill seeks to protect individual privacy, while at the same time addressing national security and law enforcement interests. It would also modernize export controls on commercial encryption products.

The E-Privacy Act specifically addresses the concerns of law enforcement. First and foremost, it makes it a crime to intentionally use encryption to conceal incriminating communications or information. It also provides that with an official subpoena, existing wiretap authority can be used to obtain communications decryption keys/assistance from third parties.

Mrs. MURRAY. Mr. President, I want to thank Senator Leahy, Senator Burns and Senator Ashcroft as well as Senator Lott and Senator Daschle for their work and leadership on the issue of encryption. I am proud to be an original cosponsor of S. 2067, the E-PRIVACY Act.

This is my sixth year as a member of the Senate and the sixth year I have advocated for reasonable legislation on encryption. Sadly, the Administration has not been a constructive player in this debate. It is time for the United States to acknowledge that we no longer exclusively control the pace of technology. Purchasers around the world can download software off of the Internet from any country by simply accessing a website. Foreign purchasers have turned to Russian, German, Swiss and other foreign vendors for their encryption needs.

Washington state and American companies deserve the opportunity to compete free from unreasonable government restrictions. Their role in the international marketplace should be determined by their ingenuity and creativity rather than an outdated, ineffectual system of export controls. The time to act is now. I urge the Senate to consider the E-PRIVACY Act at the earliest opportunity.

Mr. BURNS. The basic facts remain the same. People need strong, unescrowed encryption to protect themselves online in the information age. Law enforcement has legitimate concerns about the spread of this technology, and we must work to provide them the tools and expertise they need to keep up with advances in encryption technology. We cannot stop time, however. The genie is out of the bottle. As Bill Gates, the CEO of Microsoft, recently said, `Encryption technology is widely available outside the United States and inside the United States, and that's just a fact of life.'

[Page: S6440]

Mr. CRAIG. With the rapid expansion of the `super highway' and Internet commerce it is crucial we bring encryption legislation to the forefront. A secure, private and trusted national and global information infrastructure is essential to promote citizens' privacy and economic growth.

Mr. BURNS. As my colleagues recognize, technically advanced and unobtrusive encryption is fundamental to ensuring the kind of privacy Americans will need and desire in the years to come. Congress must choose a future where individuals and companies will have the tools they need to protect their privacy, not a future where people fear the use electronic commerce because they have no security.

I commend the Majority Leader, Senators Ashcroft, Leahy, Craig, Wyden, and Murray for their vision and bipartisan leadership on this issue. I hope that Congress will be able to move forward with real encryption reform legislation that protects the privacy and security of Americans in the Information Age, before it is too late.

Mr. LOTT. I think it is worth repeating to my colleagues that the Administration's approach to encryption makes no sense. It is not good policy. Continuing to restrict the foreign sale of American encryption technology that is already available abroad, or will soon be available, is anti-business, anti-consumer, anti-jobs, and anti-innovation.

The time for a change in America's export regime is long overdue. Unfortunately, the Administration continues to support its outmoded and competition-adverse encryption control policy. That is why this Congress needs to find a legislative solution to this issue.

If America's export controls are not relaxed now, then Congress places in peril our entire technology industry. Not just those companies that create and market encryption products and services, but virtually every company involved in the development and sale of computer hardware and software. Congress cannot and will not put America's entire technological base at risk for an ineffective and outmoded export policy on encryption.