1996 Congressional Hearings
Intelligence and Security


PREPARED TESTIMONY OF
ROBERTA R. KATZ
SENIOR VICE PRESIDENT, GENERAL COUNSEL & SECRETARY
NETSCAPE COMMUNICATIONS CORPORATION
BEFORE THE
HOUSE JUDICIARY COMMITTEE
ON
H.R. 3011 SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT
25 SEPTEMBER 1996

SUMMARY OF TESTIMONY

U.S. export controls on encryption are outdated and do not accomplish their stated objectives. Netscape believes H.R. 3011 will bring much needed reform and strongly supports this legislation.

Encryption is essential for electronic commerce and for continued U.S. leadership in the information economy. Interconnected computers and networks fire an important new reality. The security of data flowing over those networks is essential, and citizens and businesses must be able to use available technologies to protect valuable information.

Netscape will lose tens of millions of dollars in sales this year because of U.S. export controls. Industry-wide, the impact is already enormous, and growing exponentially. Foreign competitors and governments have recognized the opportunity to displace U.S. industry as the world leaders in this field. Congress must address this issue now so that the U.S. does not lose its leadership position in Internet markets, a result which would be disastrous not just for U.S. software manufacturers, but for numerous other companies and businesses in the information economy.

U.S. leadership in encryption technologies is good for national security and law enforcement because it prevents economic crimes, prevents cyber terrorist attacks on critical civilian infrastructure and prevents foreign encryption standards from dominating the world marketplace.

H.R. 3011 appropriately recognizes that mandatory key escrow will not work. Key escrow will not work with SSL, the Internet communication security standard, and risks making prosecutions more rather than less difficult because an individual's privacy key is the same as his or her authentication key. Criminals will certainly not use key escrow, and a mandatory U.S. scheme will cause law abiding foreign customers to buy products from non-U.S. suppliers.

We anticipate commercial demand for self-escrow or third-party escrow products and schemes, and we will endeavor to meet that need. These systems, if developed and used voluntarily, could provide benefits to law enforcement officials.

The Internet has flourished because of unfettered user choice and open, interoperable standards. Giving the government partial control over the standard-setting process is likely to threaten the interoperability and usefulness of the network, and to balkanize the Internet as individual governments impose conflicting law enforcement access requirements on it. Recent experience with CALEA suggests government involvement in standard setting will increase.

H.R. 3011 would provide much needed streamlining of export licensing procedures, which are burdensome, slow, deter innovation and are particularly onerous for smaller competitors.

*****

I. INTRODUCTION

Good morning and thank you, Mr. Chairman. My name is Roberta Katz and I am the Senior Vice President, General Counsel, and Secretary of Netscape Communications Corporation of Mountain View, California. I am also here on behalf of two trade organizations, the Information Technology Association of America ("ITAA") and the Software Publishers Association ("SPA"), whose collective memberships represent thousands of companies worldwide. Mr. Chairman, I want to thank you for the privilege of testifying on this important issue. It is a pleasure to be here. Netscape enthusiastically supports H.R. 3011. We want to work with all members of the Committee so that together we can reform outdated export controls on encryption.

Mr. Chairman, I'd like to start by talking about the history of export controls on encryption and bring some context to today's urgent need for change to a Cold War era policy. Export controls are being used inappropriately to drive domestic consumer behavior, industrial planning and investment, and the information economy.

II. THE INTERNET CHANGES EVERYTHING: NEW PRODUCTS & NEW USES FOR ENCRYPTION

For many years, encryption policy was set as quietly as possible by the National Security Agency ("NSA"). Elected and politically appointed officials in Washington scarcely knew there was an encryption policy, let alone what it was. Occasionally, issues relating to encryption would surface briefly. These hearings and this year's heightened discussion mark a sea change in encryption policymaking -- that it is occurring out in the open, in public, and is being widely discussed and debated.

This democratization of the issue reflects important social changes in the use of encryption. In a short time, encryption has come a very long way from being chiefly a tool for preserving secrecy of diplomatic and military communications to being an integral part of contemporary computer communications. These social changes are largely the result of theadvent of the Internet transforming computers and other devices into global communications tools for all individuals. As more and more people access the Internet and appreciate its possibilities and riches, this debate becomes a proper subject for public discussion and should be shaped significantly by the needs of individual Americans and American jobs, rather than simply by traditional national security and law enforcement interests.

Soon, 100 million people will be connected to each other over the Internet. Because interconnected computers and networks are an important new reality, it is imperative that we assess -- now -- the security of the data flowing over those networks. That's what this debate is all about. Some members have suggested, and perhaps even still hope, that encryption should remain an esoteric issue well below the Congressional radar screen. We respectfully suggest that those days are over. This issue has profound consequences, and must be addressed by Congress.

The last twenty years of encryption policy seems like centuries when compared to the hyper-speed at which the Internet industry has emerged and grown. Marc Andreessen created Mosaic, the first Internet browser, just three years ago, while a college student in Illinois. It gave the average computer user the ability to access with point and click simplicity a sprawling collection of computer networks around the world that is now famous and known as the Internet. Jim Clark, founder of Silicon Graphics, teamed up with Andreessen in 1994 to form what became Netscape Communications Corporation. Since I joined Netscape in May of 1995, the company has grown from 150 employees to nearly 1500. We have offices in over 15 countries. We are the fastest growing software company in history.

I know from my friend Rep. Rick White (R-WA) that many of you have office e-mail systems and web sites. So it may not surprise you that many businesses are eager to do commerce on the World Wide Web, reaching consumers around the world.

But what you may not know is that without strong encryption, electronic commerce on the web cannot flourish. For example, Omaha Steaks sells its products on the web, but will not sell to customers without a 128 bit SSL Internet communications link. (For more on SSL, see p.14 below). Because of therisk of computer hackers and other criminals intercepting their electronic communications, companies face real risks in taking advantage of electronic commerce without the security afforded by strong encryption. Internet users are likewise reluctant to use their credit cards or engage in other commercial transactions over the Internet unless 128 bit encryption is in place. Without strong encryption, electronic commerce cannot advance beyond where it is today -- a nascent industry with less than approximately $500 million in total sales.

I'd like to give you some other examples of networked computing that our customers want, and that require strong encryption. Corporate "Intranets" are private networks built on Internet-based technology. They permit rapid, company-wide access to information. Through an Intranet, enterprises can run all of their information and communication needs seamlessly across borders, through departments, from the bottom up. Instead of wondering who the appropriate person to contact is and having to call a dozen people, custom directories, catalogs, search engines, libraries, newsgroups, personal pages, all internally hyperlinked and indexed, collectively exploit the intellectual resources of the company and make them easily available to all. The Intranet is the ultimate team building tool. But information on the Intranet must not be accessible to outsiders seeking to steal trade secrets.

Another example is groupware that allows team collaboration on projects. In the world of networked computing, groupware allows engineers all over the world to work together. A team of engineers in Chicago can complete their shift, then a crew of engineers in Kuala Lumpur can work the next shift without any time lag. They might be working on the next supersonic airplane design, the next car, or the next suspension bridge. But the information transmitted between multiple sites must be secure. Companies are especially sensitive to the ability of dedicated computer hackers and foreign intelligence agencies to gain access to this information. They need to protect that information, and they will find encryption products -- whether produced by U.S. companies or our foreign competitors -- that offer them security. Have international espionage agents penetrated those networks and stolen the fruits of billions ofdollars of research, development, and design work? The answer is undeniably yes. It is our job to provide solutions to this problem, and strong encryption is the best solution to this growing problem.

Secure, networked computing offers enormous potential benefits to America's information economy. Small companies have the chance to market themselves and sell products as a global company to customers that come to their home page. Large companies can better manage their far-flung operations and offices that are scattered around the world.

Similarly, the Internet lowers barriers to entry for individuals. For example, high school students in depressed urban areas or isolated rural areas can obtain access to the best libraries in the world easily and without having to make an expensive, long or difficult trip.

It is important to understand that the growth of the Internet is a global phenomenon. Societies around the world recognize the value of the Internet, are seizing its potential, and are driving its growth in their own countries and in this country. Although the Internet may have started in this country, we are wise to take note that the majority of its growth is occurring outside the U.S.

III. ENCRYPTION HELPS LAW ENFORCEMENT AND NATIONAL SECURITY

On balance, encryption advances, rather than detracts from law enforcement and national security interests because: (1) encryption prevents economic crimes, including corporate espionage; (2) encryption helps to prevent "cyber terrorist" attacks on our critical civilian infrastructure, and (3) U.S. leadership in encryption applications ensures that U.S. technology, rather than foreign technology, is the world standard.

In the Defense Authorization Bill of 1994, Congress directed the National Academy of Sciences to study and report on the advisability of reforming export controls on encryption. That study was released May 31, 1996 by the National Research Council and has become known as the "NRC report." This study reflects some of the new realities of the Internet and the world ofnetworked computing. Critically, the NRC study reported that the use of cryptography can help law enforcement and national security.

In many policy discussions widespread use of strong cryptography is presented as a threat to law enforcement and national security interests. Perhaps the most important insight that comes from the NRC's report is its conclusion that wide availability of encryption in fact promotes national security. The report explains that "export controls have a number of potentially negative effects on national security that policy makers must weigh against the positive effects of reducing the use of cryptography by hostile parties." (NRC Report, Cryptography's Role in Securing the Information Society, May 30, 1996, at 4-25.)

Computer fraud and computer-related crime rank high among law enforcement concerns. Wide deployment of strong cryptography would provide substantial and effective defenses against those hostile intelligence and criminal forces. Indeed, if all commercial text and voice communications were encrypted, at least when they passed over publicly-accessible communications links, we would significantly reduce the risk of compromise of commercial and other information. We have often been told by the F.B.I. that foreign governments have shifted much of their intelligence focus to the business sector. Hostile intelligence efforts to pry secrets from corporate America is a genuine national security threat. Indeed, the F.B.I. strongly supported the Economic Espionage Act which passed both Houses this Congress. Yet the key escrow proposal advanced by the Bureau, the N.S.A., and others appears to offer the very same foreign governments we fear are spying upon us ex parte access to the corporate communications and trade secrets of U.S. companies.

If the present impasse between the policies proposed by law enforcement and by industry continue, the GII will not be secure and will be ripe for exploitation by malicious forces. Hearings organized this summer by Senator Sam Nunn (D-GA) before the Senate Governmental Affairs Committee's Subcommittee on Investigations revealed that government computer systems, including the Pentagon's, have been repeatedly penetrated. Our power grid, gas and oilpipelines, and stock exchanges are among potential civilian targets. In these hearings, computer security expert Peter Neumann testified that "[g]ood cryptography that is properly embedded within the infrastructure is absolutely essential" for both national security and economic competitiveness.

Finally, relaxing controls of encryption to law-abiding foreign purchasers would permit U.S. firms to continue to lead the world marketplace, rather than losing control to foreign competitors. Because of the significance of encryption applications in the information economy, this is an important element of national economic security. But it is also of benefit to agencies like the N.S.A., which agree that U.S. leadership in encryption standards advances other elements of national security as well.

Paradoxically, however, current U.S. encryption policy undermines all three goals, and produces unintended consequences diametrically opposed to the intent of current policy. So in our view, the core assumptions of export controls on encryption are flawed. Marketplace solutions are more attractive to consumers and better serve long term law enforcement and national security interests than having government-set standards whose purpose is to afford governments ex parte access to communications.

Many in Congress, including members of the Committee, to whom I express my particular appreciation, recognize these flaws and support major reform of existing encryption policy. They agree that strong encryption is out there and growing in prominence as U.S. export controls grant non-US firms a critical, artificial advantage in the global marketplace. Nonetheless, there are some who are hesitant to act because they have heard encryption linked with terrorism by opponents of reform.

I believe it is both illogical and unfair to make that connection. Terrorists will obtain strong, non-escrowed encryption regardless of our export control policy, and plans for a key escrow infrastructure will not change this. The Administration have acknowledged freely -- for example, at briefings held at the National Institute of Standards and Technology within the lastyear -- that drug cartels, enemy states and terrorist cells will not use escrowed encryption, and instead will obtain unescrowed encryption from other sources. They are right: these entities will not use key escrow. Even if the Administration's plan prevailed, they could "super-encrypt" their material over an escrowed system, making it indecipherable. (See p. 19 below) A third-party escrow encryption infrastructure would do little to aid in investigating such activity.

To this, many in the Administration respond that terrorists and other criminals will communicate with commercial enterprises such as banks and that obtaining these communications will be helpful for investigations. This access is likely to be of far more limited value in the context of computer communications than the access that a telephone wiretap affords the government to a suspect's telephone communications. But what is more, providing law enforcement access to such communications may not require the intervention of U.S. export controls. Consumers from other countries are highly unlikely to buy a product that they know is exportable solely because its keys are readily accessible by a U.S. Government agent. Yet, for reasons discussed more fully in the conclusion of my testimony, banks and other large users of computer communications technologies will likely choose voluntarily to keep an extra encryption key for purposes of data recovery. But they will want to decide on their own where to escrow the keys to enormously valuable information (in-house or somewhere else), rather than giving the key to a government-approved agent.

We all need to work with law enforcement and the intelligence agencies to better respond to these threats. But while Netscape supports development of an infrastructure of voluntary key recovery, we simply do not see relaxing controls on exports of encryption to friendly countries as in any way increasing the threat of terrorism, drug trafficking or other illegal activity. There will be demand for self- escrow services and supporting products and tools, and law enforcement officials will be able to subpoena these keys. However, with the marketplace being chilled and damaged by U.S. export controls, this natural demand for devices that allow emergency access or recovery at the choice of the individual user is quashed.

IV. SECURITY STRENGTH IS THE BASIS FOR PURCHASING DECISIONS

Netscape can sell 128 bit key length encrypted products in the U.S. and Canada. So can any other company or individual, foreign or domestic. But while our foreign competitors can compete with us freely in the U.S., they can sell their 128 bit encryption in most any market, whereas we cannot. They know this and they use it to their advantage. At present, U.S. export laws only permit ready export of products of no more than 40 bit keys for all but a narrow category of products for financial transactions.

U.S. export restrictions on encryption impede American competitiveness in the highwage information economy. When I use the term "information economy," I don't mean only the software and hardware industries, where current policy costs job growth and revenue. I also mean the businesses of manufacturers of U.S. export products, who cannot take advantage of electronic commerce, home banking, health care networking and Intranets to do business in foreign markets because they cannot establish secure communications links overseas. And I mean our prospective customers, whose valuable and private information is at risk from corporate espionage, hacking and other crimes. These losses, which a survey by the Senate Permanent Investigations Subcommittee estimated at $800 million last year, represent not just more lost business and employment opportunities, but damage to key sectors of our civilian infrastructure.

Customers abroad recognize the importance of encryption in the information economy. As Netscape has learned first-hand, foreign customers want the same level of encryption strength that U.S.-based firms use: 128 bit, or more. In addition, U.S. firms with officers, vendors and customers overseas want to have the same level of security across their entire network. They can't have their U.S. executives communicating in a secure manner using 128 bit encryption between two U.S. locations, then have to build a separate network to communicate between theirhome office in the U.S. and their overseas offices in which only vulnerable 40 bit encryption is used.

This means lost sales and lost job growth for U.S. companies. For example, because Netscape cannot sell 128 bit encryption products abroad we are losing customers and multimillion dollar deals in Germany, the U.K., France, Switzerland, and Japan. Companies are understandably reluctant to talk about lost sales, but I'll give you a specific example from our own experience. Deutsche Telekom, a large, corporate customer in Germany wanted to use Netscape's 128 bit key software to run a national health care information network. Each user would have a smart card carrying a chip containing their complete medical records and health care information in encrypted format. The patient could go from doctor, to employer, to government agency for treatment, benefits, and other assistance without having to keep track of paper, forms, and files. Because this network would have used encryption, the patient's information would have remained private. Privacy laws are extremely important in countries like Germany, and are much more stringent than here in the U.S. German customers and users not only want a secure system, they are required to implement and use one under the law.

This lost deal not only hurts one software company. I am sure our competitors also bid on this deal or at least considered doing so. In addition and less readily apparent, there are secondary losses to U.S. citizens and the U.S. economy. It is worth noting that telemedicine networks like this one are critical for U.S. citizens in rural areas if they are to get the same level of health care that citizens in urban areas enjoy. Transferring private medical records via overnight

delivery or by fax can be too slow, and faxed records can be illegible. The forms are often different and information has to be retyped, a wasteful and error-prone process that adds risk, time and expense. Digital transmission via the Internet would be direct, fast, private and secure. Encryption could save time, cut through logistical difficulties, and on occasion help save a life.Unfortunately for Netscape, because of U.S. export controls, Germany will build its telemedicine network by having a German company build the software from scratch. This not only means a loss of a sale for Netscape. It also means that a new competitor has been created where one did not exist before, setting standards and establishing itself as a technology leader. Some firms are making millions of dollars providing re-encryption mechanisms based on SSL or Java applets. One such firm is Brokat in Germany. They got their start in large part due to our inability to provide Deutsche Bank with the desired level of security. Brokat is now reencrypting Netscape's 40 bit SSL product with Java applets with stronger levels of encryption. Some customers used to have the patience to see if a U.S. firm could move a one-off license through the export control requirements. Today, they do not have to put up with the wait, expense, conditions, and uncertainty. They can go to companies like Brokat and get the products and solutions they want straight away.

Security is a feature that drives the market. Just as U.S. consumers bought fuel-efficient cars from Japan during the energy crisis of the 1970s, consumers are turning to securityproficient software products from non-U.S. firms during the Internet explosion of the 1990s. Perception matters -- like it or not. A customer will buy a 128 bit product assuming that it is stronger than 40 bits. Bit length is one of many important factors in determining the integrity of a product and its security methodology. However, the average user of computers today does not want to bother with the subtler details of how one cryptography scheme is tighter than another.

What is the bottom dollar? Recent sales forecasts indicate that for Europe alone, we are on track to lose at least $40 million in sales this year for non-mass market products (security deals for banks, payment mechanisms for consumer electronic commerce, and Intranet systems for corporations), due to U.S. export controls. It's clear to us that unless something changes, we may risk losing over a billion dollars in sales by the year 2000. And that's just for our company alone. Please bear in mind that such market loss data will include losses on deals with customersbased in the U.S. who wish to use strong encryption outside the U.S. Since they would face similar licensing difficulties or barriers, they will begin to import the solutions they need.

The most fundamental point to understand about foreign availability is that the U.S. does not have a monopoly on the world's cryptographers. Hundreds of people all over the world have the ability to create the mathematical algorithms that underlie encryption. Many are in Europe, Israel, Russia, China, South Africa, The Netherlands, Germany, the U.K., and Japan. Cryptographers working in those nations can create the code to meet the demand that U.S. firms are denied from meeting.

Thawte Consulting, Inc., of South Africa, for example, produces Internet software called Sioux (based on SSL open standards), and offers the same encryption strength as our domestic product -- 128 bits. Thawte Consulting targets corporate customers, the high end of the communications software market, selling server software, which yields the highest profits. Thawte Consulting distributes its Sioux software to the world via the Internet at extremely low cost. Also, because they distribute their product on the Internet, bugs in their product are fixed after being identified by beta testers -- the same type of interested users that help American companies improve their products.

Thawte even uses U.S. export control laws as an explicit part of its marketing strategy, playing off concerns about the inadequacy of U.S. export quality encryption, advertising on the Web that:

Sioux offers full 128 bit encryption around the world, unencumbered by US ITAR regulations .... The US ITAR regulations prohibit the export of strong encryption technology from North America. This means that companies such as Netscape, Microsoft and Open Market have to ship "Export Versions" of their software which have limited encryption capability -- using 40 bit keys which can be trivially deciphered. Since Sioux was developed outside of the ITAR framework it ships with full encryption enabled all over the world. Why limit your security?http://www.thawte.com/products/sioux/about.html. The threat from Sioux is in no way hypothetical. It functions as an add-on to Apache server software (an American-based flee-ware product), which in the first quarter of this year achieved greater market share than Netscape, Microsoft, Oracle and Open Market combined. Just as Netscape burst quickly onto the scene, so can companies like Sioux. Other competitors will not be far behind.

We have all seen what can happen when the Japanese government, in partnership with industry, decides to pursue strategic markets. They are now targeting the Internet and cryptography. If Japanese government and industry may have been a bit slow to recognize the phenomenon of network-centric computing, they are devoting plenty of attention to it today. The Japanese government is spending more than $200 million directly on research and development in cryptography through the Ministry of International Trade and Industry (MITI) and the Ministry of Posts and Telecommunications (MPT). Japanese companies will doubtless be tough competitors in the world marketplace, and unless export control laws are reformed, they will receive a critical advantage over their U.S. competitors.

As an exporter, I stress that the very existence of U.S. export control bit key limits creates a serious customer perception problem abroad. Customers are aware that U.S. export controls block export of strong encryption. As you can see from the Sioux web site, our foreign competitors are even beginning to advertise on this basis. Until U.S. export control laws are relaxed, our potential foreign customers will be suspicious of an important feature of our product.

Finally, I want to stress that export controls pose a very real short- term danger to American competitiveness and leadership in computer hardware and software. Without immediate relief overseas, competitors will gain substantial footholds in valuable and strategically important markets in industrialized countries. Once these footholds are established, foreign technical standards will drive the rules of the marketplace.V. WHY MANDATORY KEY ESCROW WILL NOT WORK

A. What Is "Mandatory" Key Escrow?

H.R. 3011 has it right. Our export control laws should not restrict exports of generally available strong encryption products to friendly countries because the products do not implement third-party key escrow. This form of key escrow is mandatory -- mandatory on U.S. producers, who are forced to produce third-party key escrow products in order to be able to export robust encryption, and mandatory on foreign customers, who must place a copy of the encryption key with a government-approved third party agent in order to buy products with robust encryption. Tying export relief to adoption of a government escrow regime is not a voluntary policy, no matter how it is packaged and repackaged. A true "voluntary" approach would be to unbundle export controls from mandatory escrow, thus allowing companies to invest in new products and compete freely.

Netscape supports voluntary self-escrow and the freedom of user choice, and welcomes the Administration's increasing interest in self- escrow as a feature of key management. However, we continue to have a major, overriding concern about the Administration's insistence on third-party key escrow as a condition for exporting stronger encryption. We fear that key escrow will not work in the Internet market.

The National Research Council panel which did an exhaustive analysis of this issue concluded that "aggressive promotion of [key escrow] is not appropriate at this time." The panel cautioned about: (1) the significant operational complexities of a key escrow infrastructure, (2) its "significant negative impact on the natural market development of information services and technologies," (3) the need to "learn more about how the market will respond before adopting a specific solution driven by the needs of government," and (4) the risk that key escrow will yield meager benefits because criminals and other targets of surveillance will circumvent escrowed technologies and because government will be able to obtain access to much encrypted ' information through search warrants and subpoenas against self- escrowing entities.The government's third party key escrow proposal is totally untested and leaves major questions about effectiveness, security breaches by escrow agents and government employees, and even technical feasibility unanswered.

B. Why Mandatory Key Escrow Will Not Work

(1) Key Escrow Is Technologically Incompatible With Internet Standards:

Key escrow will not work with the existing Secure Sockets Layer ("SSL") Internet communications standard that is open to the public and interoperable with other standards. SSL is the industry standard for securing Internet communication -- we use it, Microsoft uses it, and many other competitors at home and abroad use it. It provides a reliable level of confidentiality and integrity to high-speed transactions for general information fields. For those of you who use our browser, SSL can be recognized by the locked key icon in the lower left hand comer of the browser screen.

SSL creates a unique "session key" for each communication session. The government's key escrow proposal simply will not work with this technology. There are too many session keys being created and discarded each time tens of millions of people communicate with each other for escrow agents to have the keys in advance and keep track of them. By generating a neutral session key, SSL permits unacquainted parties to communicate and conduct business securely without having to establish a prior relationship of trust. The key for the session is negotiated only when the secure session is initiated and ends when the transaction or communication is completed or terminated by one or both of the parties. Without the ability to utilize dynamic security systems such as SSL, many of the speed, efficiency, and convenience gains of the Internet will be overwhelmed by pre-transaction requirements and support.

The only key escrow alternative -- to escrow the user's "private communication key" that is used each time the user communicates -- does not work either for SSL. With SSL, the user's private key is the same as the key that authenticates the user's identity. Giving this identity keyto a third-party agent would make prosecutions more difficult and open the door to enormous mischief because it would allow others to masquerade as a user, potentially stealing the user's assets, changing critical passwords necessary to access files, etc. One's identity could be permanently altered. Individuals could be accused of committing acts or making commitments of which they had no knowledge.

Netscape has explained to the Administration these serious technical and legal difficulties with implementing third-party key escrow for SSL. We have yet to receive an answer.

Recent experience with CALEA suggests that government involvement in the Internet standards setting process is likely to be much more burdensome and more intrusive than is suggested in the government's descriptions of its escrow plans. The F.B.I. has engaged in significant overreaching in its involvement in CALEA standards for wireless telephone providers, prompting C.T.I.A. last week to announce its opposition to some of the F.B.I.'s demands. The F.B.I. asked Congress to pass CALEA on the ground that the legislation was necessary to continue meaningfully to execute warrants in the digital age -- a message quite similar to the government's defense of mandatory key escrow. However, with CALEA now law, the F.B.I. is claiming, in contravention of the statute itself, that CALEA requires the wireless telephone industry to provide location information for every mobile phone within very close proximity.

There is a further technical and legal problem with key escrow of significance to our users. 18 U.S.C.  2518(5) sets forth an important requirement for minimization of intrusion: The interception of communication not otherwise subject to interception is not permissible and must be actively minimized. There is a serious question whether it is possible to minimize the interception of Internet communications data when it resembles a few hundred party lines all in the same room (virtually).

Reasons for this include: (i) the access cannot be limited to the time period for which the lawful access has been granted; (ii) all encrypted information for that user can be accessed; and (iii) at the end of the lawful access the distribution key has to be changed.(2) Unproven Technology: Key escrow with third party agents approved by the government and offering rapid ex parte government access is a totally untested technology. A few countries are moving in the direction of encouraging or requiring use of such escrow agents, but there are no products on the market that do what our government wants done. While our government has indicated interest in running pilot projects testing key escrow for government uses and narrow segments of industry may respond to this invitation, no product has demonstrated private sector market demand at home or abroad for such escrow products. For this reason alone, policymakers should heed the NRC study's warnings about requiring key escrow. Moreover, key escrow regimes are subject to heightened vulnerability to computer attacks, as Peter Neumann warned in his testimony this summer before the Senate Investigations Subcommittee, because they require an extensive infrastructure that itself presents an additional target for attackers.

(3) Market Acceptance: There is serious doubt that users will purchase products with keys escrowed with government-chosen agents unless they have no other palatable choice. Remember that under the government's proposal, our customers will be asked to entrust some of their most valuable and most private information to a third party they do not choose. For example, individual firms in the securities industry, which is represented here today, must protect access to securities portfolios of enormous value. Escrow with any third party not freely selected by the user will be viewed as undesirable because of concern that third parties may breach user security or mishandle keys.

Furthermore, the government goal of ready ex parte access to encrypted information runs counter to making U.S. product a success in international markets. Imagine the reaction of a foreign customer if offered a product to which the U.S. government has immediate, ex parte access. Just think about it. If a Japanese company came to you with a terrific communications product, but the Japanese government had ready access to the key and could listen in at will,would you buy it? Our U.S. customers wouldn't buy from a Japanese company either if the Japanese government had ready access to the key.

You may have heard about an "emerging consensus" on key escrow at the OECD that might yield a market for third-party escrow products. While discussions toward a global cryptography policy move forward at the Organization for Economic Cooperation and Development ("OECD"), they are likely to yield only a set of loose and somewhat contradictory policy guidelines that are far from an endorsement of the Administration's third-party escrow approach. Moreover, these guidelines will not have the force of law, but must instead be interpreted by each OECD country that decides to pass legislation on this issue. To date, many of our important allies and trading partners have declined to come out in favor of a Trusted Third Party ("TTP") system for escrowing keys. These include: Germany, Japan, Canada, Australia, Sweden, Finland, and Denmark. In addition, most countries, including several with major cryptographic resources and market size, are not represented at the OECD.

Even if the Administration's predictions of an OECD agreement endorsing mandatory key escrow were realized, that would not mean that there would be significant demand abroad for key escrow products of the variety favored by our government. Instead, countries would likely adopt conflicting law enforcement access and escrow standards reflecting their policy and privacy preferences. This would likely spell the balkanization of the Internet, undermining the interoperability of the entire network and complicating, rather than simplifying, F.B.I. and N.S.A. access.

To understand this problem, it is important to remember that the Internet has flourished based upon two core principles -- open, interoperable standards and user choice -- both of which are jeopardized by government-mandated key escrow standards. The standards upon which the Internet runs are freely available to designers of new products, and are established through a democratic, international standard setting process. The interoperability of the system is essential for users to be able to communicate with others across the globe. Interoperability and open,

democratically developed standards have in turn given users a free choice of products and services. User choice has been essential to competition and innovation in our industry, which has brought a dizzying array of new products and communications capabilities to the marketplace in a few short years. Making escrow standards the subject of national governmentdeterminations would mark a serious change, and would jeopardize the interoperability and choice that are critical to the usefulness of the Internet and the innovations it affords the tens of million of people who increasingly depend upon it.

(4) Cost: Key escrow carries with it large infrastructure management costs. In a few short years, there will be nearly 200 million people connected to each other over the Internet. Withdrawing and managing their keys securely would be a major and expensive management problem. Responding rapidly to law enforcement requests for keys -- some of them from different countries -- would be particularly burdensome. At the very least, these costs risk significantly increasing the price of

Internet communications, and reducing connectivity among "information have nots" to this enormously promising network.

(5) Liability for MiShandling Of Keys: Thus far, the government's trusted third party key escrow proposal does not address the important question of liability for mishandling of keys. Under the government's proposal, users would be required to entrust some of their most sensitive and valuable information -- such as trade secrets, credit card and bank information, and personal medical information -- to agents chosen by the government. However, we have yet to hear whether the government will accept liability if it mishandles keys or what relief it proposes to give users against escrow agents who mishandle information. Unless they are assumed by the government, these liability costs would in turn be passed along to users, further increasing costs and further reducing connectivity.

Indications that the Administration intends to offer reciprocal access for foreign governments to escrowed keys raise even broader repercussions. By virtue of purchasing a U.S. product for an interoffice communications link that includes an overseas subsidiary, U.S. firms would expose themselves to ex pane surveillance by foreign governments. F.B.I. Director Louis Freeh has made clear in public testimony that there are dozens of countries and state-sponsored economic espionage cells actively trying to get their hands on corporate proprietary information. Given that threat, it would seem deeply unwise not to offer foreign governments access to that information.

(6) Circumvention of Key Escrow: Key escrow is likely to disrupt the market significantly without having a major impact on crime, terrorism or U.S. intelligence gathering. As the NRC report observes, targets of our law enforcement surveillance and intelligence gathering are likely to be able to circumvent the key escrow encryption regime. As an Internet Society working group that recently examined this issue reported:

Even if escrowed encryption schemes are used, there is nothing to prevent someone from using another encryption scheme first. Certainly, any serious malefactor would do this; the outer encryption layer, which would use an escrowed scheme, would be used to divert suspicion. /1

Take the example of SSL: even if the session key did not change and were somehow escrowed and available to government agents, users could still encrypt data using PGP or commercial encryption available from foreign suppliers before sending it through an SSL communications channel ("super-encryption") or by re-encrypting the message after key escrow has been used already.

Unescrowed strong encryption is available overseas, and the world is simply too big a place for the U.S. to prevent intelligence and law enforcement targets sophisticated enough to use computers from obtaining it. While law abiding companies like Netscape will follow

U.S. law in this area to the detriment of their world market share and their ability to compete effectively, other countries have a strong incentive not to require key escrow, since such products will have an edge on the world marketplace. Furthermore, notwithstanding prohibitions of U.S. law, unescrowed encryption can travel easily across international borders over the Internet or on a single computer diskette.

For all these reasons, H.R. 3011 is correct to prohibit mandatory third-party key escrow.

VI. REGULATORY BURDEN OF EXISTING EXPORT CONTROL LAWS

H.R. 3011 would provide much needed streamlining of the burdensome export licensing process.

The existing regime is burdensome, slow, chills innovation and disproportionately hurts smaller players. Export licensing law is obscure and convoluted, understood by only a few experts and implemented by officials who wield extraordinarily broad discretion. The agencies that pass on export licensing requests have little compulsion to act quickly or cooperatively in close cases. Judicial review of individual licensing decisions is expressly foreclosed, preventing any path to appeal an adverse final agency decision.

The effect of the law is to chill investment in innovative products with robust encryption capabilities. Companies in many instances simply cannot know whether a product that they are considering producing will be exportable. In an industry where product cycles are as short as four months, the risk and uncertainty associated with obtaining special, one-off licenses to gain even a very limited approval for export of strong security products is often too great and kills deals.

The adverse effect of export control laws is particularly onerous on smaller exporters. The risk for such firms of investing in a product or products that may not be licensed is greater. Furthermore, the internal costs and outside legal fees of negotiating through the export licensing process are more burdensome, adding a significant expense to just doing business. Worse yet, the Administration's plans for a key management infrastructure will likely benefit only a few ofthe largest companies that can afford to risk investing capital in a key escrow regime that is unlikely to work or be widely used.

VII. CONCLUSION

What will work in solving this issue is unleashing the competitive and innovative energies of this country. Competition and innovation only work in an open network environment and throughout the global marketplace. H.R. 3011 enables this to happen.

Netscape's commercial customers and other companies will typically want some form of escrow, but will want to decide themselves where to store the key. They have a need to access and recover keys -- for example, to be able to recover information on the computer of an employee who has died, left the company, or become disgruntled. Individuals know that they lose keys to their cars and homes once in a while, and that the same thing could happen on their computer hard disks. Private sector recovery services will likely have a market to supply. As more people and companies come to perform more of their communications and transactions on the Internet or via Intranets, demand will grow for products that not only provide the protection of robust encryption, but also enable a user to recover from their own mistakes. Self-escrow is the first step in building toward regular use of services that can supply access and recovery. If consumers can have a free choice of products, they will be likely to choose the one that best suits their concerns and confidence.

In short, operation of the free market, rather than precluding N.S.A. and law enforcement access to unescrowed commercial information, will in many instances permit the subpoena of encryption keys in much the same manner as corporate records are subpoenaed today.

Consumer choice and interoperable, open standards are necessary for America's information economy to benefit fully from the Internet. The Administration's key management infrastructure plans thwart marketplace competition and preclude open standards. It is rather strange to look at this Administration's efforts to promote free trade (e.g., NAFTA, negotiationswith Japan), its support for slimming down government (e.g., the "end of big government as we know it" pledge), and its promotion of the benefits of information technology (e.g., the NII and GII programs ), and then compare these policies to the command and control planning for a massive key management mandate that jeopardizes U.S. leadership in the information economy and electronic commerce. On encryption, this Administration's high-tech policy is internally contradictory.

Security is a requirement, not an option in computer-based communications. Encryption must be an easy-to-use part of the product. Security cannot be regulated into a third party service one is forced to pay for in addition to the cost of accessing the GII. Otherwise, only the wealthy will be secure, American jobs will be lost, and the Administration's export control policy and key escrow proposals will create a new kind of "information have-not" -- with the average person forced to use insecure communications or old technologies.

NOTE:

1 Brian E. Carpenter & Fred Baker, Internet Architecture Board and Internet Engineering Steering Group, Statement on Cryptographic Technology and the Internet, Network Working Group, Request For Comments #1984, at 3 (Internet Society, Aug. 1996).