Testimony of William A. Reinsch

Under Secretary for Export Administration

Department of Commerce

 

Security and Freedom Through Encryption Act -- H.R. 850

Thank you, Mr. Chairman, for the opportunity to testify on the direction of the Administration's

encryption policy. We have made a great deal of progress since my last testimony before this

Committee on this subject.

Even so, encryption remains a hotly debated issue. The Administration continues to support a

balanced approach which considers privacy and commerce as well as protecting important law

enforcement and national security equities. We have been consulting closely with industry and its

customers to develop a policy that provides that balance in a way that also reflects the evolving

realities of the market place.

The Internet and other digital media are becoming increasingly important to the conduct of

international business. There were 43.2 million Internet hosts worldwide last January compared to

only 5.8 million in January 1995. One of the many uses of the Internet which will have a

significant effect on our everyday lives is electronic commerce. According to a recent study, the

value of e-commerce transactions in 1996 was $12 million. The projected value of e-commerce in

2000 is $2.16 billion. To cite one example, travel booked on Microsoft's Website has doubled

every year since 1997, going from 500,000 to an estimated 2.2 million this year. Many service

industries which traditionally required face-to-face interaction such as banks, financial institutions

and retail merchants are now providing cyber service. Customers can now sit at their home

computers and access their banking and investment accounts or buy a winter jacket with a few

strokes of their keyboard.

Furthermore, most businesses maintain their records and other proprietary information

electronically. They now conduct many of their day-to-day communications and business

transactions via the Internet and E-mail. An inevitable byproduct of this growth of electronic

commerce is the need for strong encryption to provide the necessary secure infrastructure for

digital communications, transactions and networks. The disturbing increase in computer crime and

electronic espionage has made people and businesses wary of posting their private and company

proprietary information on electronic networks if they believe the infrastructure may not be

secure. A robust secure infrastructure can help allay these fears, and allow electronic commerce

to continue its explosive growth.

Developing a new encryption policy has been complicated because we do not want to hinder its

legitimate use -- particularly for electronic commerce; yet at the same time we want to protect

our vital national security, foreign policy and law enforcement interests. We have concluded that

the best way to accomplish this is to continue a balanced approach: to promote the development

of strong encryption products that would allow lawful government access to plaintext under

carefully defined circumstances; to promote the legitimate uses of strong encryption to protect

confidentiality; and continue looking for additional ways to protect important law enforcement

and national security interests.

During the past three years, we have learned that there are many ways to assist in lawful access.

There is no one-size-fits-all solution. The plans for recovery encryption products we received

from more than sixty companies showed that a number of different technical approaches to

recovery exist. In licensing exports of encryption products under individual licenses, we also

learned that, while some products may not meet the strict technical criteria of our regulations,

they are nevertheless consistent with our policy goals.

Additionally, we learned that the use of strong non-recovery encryption within certain trusted

industry sectors is an important component of our policy in order to protect private consumer

information and allow our US high tech industry to maintain its lead in the information security

market while minimizing risk to national security and law enforcement equities. Taking into

account all that we have learned and reviewing international market trends and realities, in 1998

we made several changes to our encryption policy that I will summarize for you.

On September 22, 1998, we published a regulation implementing our decision to allow the export,

under a license exception, of unlimited strength encryption to banks and financial institutions

located in countries that are members of the Financial Action Task Force or which have effective

anti-money laundering laws. This regulation also allows exports, under a license exception, of

encryption products that are specially designed for financial transactions. This policy recognizes

the need to secure and safeguard our financial networks, and that the banking and financial

communities have a history of cooperation with government authorities when information is

required to combat financial and other crimes.

As I mentioned earlier, we have been looking for ways to make our policy consistent with both

market realities and national security and law enforcement concerns. For more than a year, the

Administration has been engaged in a dialogue with U.S. industry, law enforcement, and privacy

groups on how our policy might be improved to find technical solutions, in addition to key

recovery, that can assist law enforcement in its efforts to combat crime. At the same time, we

wanted to find ways to assure continued U.S. technology leadership, promote secure electronic

commerce, and protect important privacy concerns. The purpose of this dialogue was to find

cooperative solutions that could assist law enforcement while protecting national security, plus

assuring continued U.S. technology leadership and promoting the privacy and security of U.S.

firms and citizens in electronic commerce. We believed then and now that the best way to make

progress on this issue is through a constructive, cooperative dialogue, rather than seeking

legislative solutions. Through our dialogue, there has been increased understanding among the

parties, and we have made progress.

The result of this dialogue was an update to our encryption policy which Vice President Gore

unveiled last September 16. The regulations implementing the update were published on

December 31. This will not end the debate over encryption controls, but we believe the regulation

addresses some private sector concerns by opening large markets and further streamlining

exports.

The update reduced controls on exports of 56-bit products and, for certain industry sectors, on

exports of products of unlimited bit length, whether or not they contain recovery features. In

developing our policy we identified key sectors that can form the basis of a secure infrastructure

for communicating and storing information: banks, a broad range of financial institutions,

insurance companies, on-line merchants, and health facilities. Many of the updates permit the

export of encryption to these end-users under a license exception. That is, after the product

receives a technical review, it can be exported by manufacturers, resellers and distributors without

the need for a license or other additional review. Specifically, the new policy allows for:

- exports of 56-bit software and most hardware to any end user under a license exception;

- exports of strong encryption, including technology, to U.S. companies and their subsidiaries under a license exception to protect important business proprietary information;

- exports of strong encryption to the insurance and medical/health sectors in 46 countries under a license exception for use in securing proprietary medical and health information;

- exports of strong encryption to secure on-line transactions between on-line merchants and their customers in 46 countries under a license exception.

- "recovery capable" or "recoverable" encryption products of any key length, such as the "Doorbell" products developed by a number of companies, can now be approved under a kind of bulk license called an "encryption licensing arrangement" to recipients located in 46 countries. Such products include systems that are managed by a network or corporate security administrator.

I would note that these provisions apply to exports of products with or without key recovery

features. One of the aspects of our policy update is to permit exports of strong encryption with or

without key recovery to protect electronic commerce while also minimizing the risk to national

security and law enforcement. For example, in some cases we have limited our approval policy to

a list of countries or a set of end users, rather than permit exports on a global basis, to help

protect national security interests.

We have also expanded our policy to encourage the marketing of a wider variety of "recoverable"

products that may not be key recovery in a narrow sense but which may be helpful to law

enforcement acting pursuant to strict legal authorities. Again, these are typically systems

managed by a network or corporate administrator. We also further streamlined exports of key

recovery products by no longer requiring a review of foreign key recovery agents and no longer

requiring companies to submit business plans.

This past year, we also made progress on developing a common international approach to

encryption controls through the Wassenaar Arrangement. Established in 1996 as the successor to

COCOM, it is a multilateral export control arrangement among 33 countries whose purpose is to

prevent destabilizing accumulations of arms and civilian items with military uses in countries or

regions of concern. Wassenaar provides the basis for many of our export controls.

In December, through the hard work of Ambassador David Aaron, the President's special envoy

on encryption, the Wassenaar Arrangement members agreed on several changes relating to

encryption controls. These changes go a long way toward increasing international security and

public safety by providing countries with a stronger regulatory framework for managing the

spread of robust encryption.

Specific changes to multilateral encryption controls include removing multilateral controls on all

encryption products at or below 56 bit and certain consumer items regardless of key length, such

as entertainment TV systems, DVD products, and cordless telephone systems designed for

home or office use.

 

Most importantly, the Wassenaar members agreed to remove encryption software from

Wassenaar's General Software Note and replace it with a new cryptography note. Drafted in

1991, when banks, government and militaries were the primary users of encryption, the General

Software Note allowed countries to permit the export of mass market encryption software

without restriction. The GSN was created to release general purpose software used on personal

computers, but it inadvertently encouraged some signatory countries to permit the unrestricted

export of encryption software. It was essential to modernize the GSN and close the loophole that

permitted the uncontrolled export of encryption with unlimited key length. Under the new

cryptography note, mass market hardware has been added and a 64-bit key length or below has

been set as an appropriate threshold. This will result in government review of the dissemination of

mass market software of up to 64 bits.

I want to be clear that this does not mean encryption products of more than 64 bits cannot be

exported. Our own policy permits that, as does the policy of most other Wassenaar members. It

does mean, however, that such exports must be reviewed by governments consistent with their

national export control procedures.

Export control policies without a multilateral approach have little chance of success. Agreement,

by the Wassenaar members, to close the loophole for mass market encryption products is a strong

indication that other countries are beginning to share our public safety and national security

concerns. Contrary to what many people thought two years ago, we have found that most major

encryption producing countries are interested in developing a harmonized international approach

to encryption controls.

At the same time, we recognize that this is an evolutionary process, and we intend to continue our

dialogue with industry. Our policy should continue to adapt to technology and market changes.

We will review our policy again this year with a view toward making further changes. An

important component of our review is input from industry, which we are receiving through our

continuing dialogue.

With respect to H.R.850, the Administration opposes this legislation as we did its predecessor in

the last Congress. The bill proposes export liberalization far beyond what the Administration can

entertain and which would be contrary to our international export control obligations. Despite

some cosmetic changes the authors have made, the bill in letter and spirit would destroy the

balance we have worked so hard to achieve and would jeopardize our law enforcement and

national security interests. I defer to other witnesses to describe the impact of the bill on their

equities, but let me describe two of its other problems.

First, I want to reiterate that this Administration does not seek controls or restraints on domestic

manufacture or use of encryption. We continue to believe the best way to make progress on ways

to assist law enforcement is through a constructive dialogue. As a result, we see no need for the

statutory prohibitions contained in the bill. Second, once again we must take exception to the

bill's export control provisions. In particular, the references to IEEPA as I understand them

might have the effect of precluding controls under current circumstances and in any future

situation where the EAA had expired, and the definition of general availability, as in the past,

would preclude export controls over most software.

In addition, whether intended or not, we believe the bill as drafted could inhibit the development

of key recovery even as a viable commercial option for those corporations and end users that

want it in order to guarantee access to their data. The Administration has repeatedly stated that it

does not support mandatory key recovery, but we endorse and encourage development of

voluntary key recovery systems, and, based on industry input, we see growing demand for them,

especially corporate key recovery, that we do not want to cut off.

The Administration does not seek encryption export control legislation, nor do we believe such

legislation is needed. The current regulatory structure provides for balanced oversight of export

controls and the flexibility needed so that it can continue to promote our economic, foreign policy

and national security interests while adjusting to advances in technology. This is the best

approach to an encryption policy that promotes secure electronic commerce, maintains U.S. lead

in information technology, protects privacy, and protects public safety and national security

interests.

As this Committee knows better than most, public debate over encryption policy has been

spirited. Many in the debate have had difficulty grasping different views or realizing that there is a

middle ground. Our dialogue with industry has gone a long way toward bridging that gap and

finding common ground. We will continue this policy of cooperative exchange, which is clearly

the best way to pursue our policy objectives of balancing public safety, national security, and the

competitive interests of US companies.