News

USIS Washington File

25 May 1999

TEXT: COMMERCE'S REINSCH ON ADMINISTRATION ENCRYPTION POLICY

(Cites opposition to export-control liberalization)  (2800)

Washington -- Under Secretary of Commerce William Reinsch says the
Clinton administration continues to oppose legislation -- which has
significant support in Congress -- that would substantially liberalize
U.S. exports of encryption technology, arguing that it would hamper
U.S. law enforcement abilities and threaten national security
interests.

The legislation, called the Security and Freedom Through Encryption
(SAFE) Act, "proposes export liberalization far beyond what the
administration can entertain and which would be contrary to our
international export control obligations," said Reinsch, under
secretary for export administration.

The proposed bill, H.R. 850, "in letter and intent would destroy the
balance we have worked so hard to achieve and would jeopardize our law
enforcement and national security interests," Reinsch said, testifying
May 25 before the House of Representatives Commerce Subcommittee on
Telecommunications, Trade and Consumer Protection.

Reinsch and other administration witnesses at the hearing faced
opposition from private industry representatives and from many of the
congressmen on the subcommittee who argued that current law bans the
distribution of types of encryption software that are already
available to all on the Internet. A result of this policy is that
foreign companies are gaining markets and developing technologies
while U.S. firms are held back, the opponents said.

Reinsch argued that other encryption-producing countries were
beginning to share U.S. public safety and security concerns and were
interested in "developing a harmonized international approach to
encryption controls."

He cited specific progress in the Wassenaar Arrangement on
multilateral export controls to address the issue of encryption
exports. Thirty-three countries participate in the Wassenaar
Arrangement.

The Clinton administration holds that the current regulatory structure
"provides for balanced oversight of export controls and the
flexibility needed ... to promote our economic, foreign policy and
national security interests while adjusting to advances in
technology," Reinsch said.

The SAFE Act, introduced in February by Representative Bob Goodlatte
of Virginia, was referred to three House committees -- Armed Services,
Commerce and Judiciary -- because of the complexity of the issues. So
far, the House Judiciary Committee has approved the provisions of the
bill under its jurisdiction. The other two committees have not yet
acted.

Following is the text of Reinsch's testimony as submitted to the
subcommittee:

(begin text)

Testimony of
William A. Reinsch
Under Secretary for Export Administration
Department of Commerce

Before
The House Committee on Commerce
Subcommittee on Telecommunications, Trade and Consumer Protection

Security and Freedom Through Encryption Act -- H.R. 850
May 25, 1999


Thank you, Mr. Chairman, for the opportunity to testify on the
direction of the Administration's encryption policy. We have made a
great deal of progress since my last testimony before this Committee
on this subject.

Even so, encryption remains a hotly debated issue. The Administration
continues to support a balanced approach which considers privacy and
commerce as well as protecting important law enforcement and national
security equities. We have been consulting closely with industry and
its customers to develop a policy that provides that balance in a way
that also reflects the evolving realities of the market place.

The Internet and other digital media are becoming increasingly
important to the conduct of international business. There were 43.2
million Internet hosts worldwide last January compared to only 5.8
million in January 1995. One of the many uses of the Internet which
will have a significant effect on our everyday lives is electronic
commerce. According to a recent study, the value of e-commerce
transactions in 1996 was $12 million. The projected value of
e-commerce in 2000 is $2.16 billion. To cite one example, travel
booked on Microsoft's Website has doubled every year since 1997, going
from 500,000 to an estimated 2.2 million this year. Many service
industries which traditionally required face-to-face interaction such
as banks, financial institutions and retail merchants are now
providing cyber service. Customers can now sit at their home computers
and access their banking and investment accounts or buy a winter
jacket with a few strokes of their keyboard.

Furthermore, most businesses maintain their records and other
proprietary information electronically. They now conduct many of their
day-to-day communications and business transactions via the Internet
and E-mail. An inevitable byproduct of this growth of electronic
commerce is the need for strong encryption to provide the necessary
secure infrastructure for digital communications, transactions and
networks. The disturbing increase in computer crime and electronic
espionage has made people and businesses wary of posting their private
and company proprietary information on electronic networks if they
believe the infrastructure may not be secure. A robust secure
infrastructure can help allay these fears, and allow electronic
commerce to continue its explosive growth.

Developing a new encryption policy has been complicated because we do
not want to hinder its legitimate use -- particularly for electronic
commerce; yet at the same time we want to protect our vital national
security, foreign policy and law enforcement interests. We have
concluded that the best way to accomplish this is to continue a
balanced approach: to promote the development of strong encryption
products that would allow lawful government access to plaintext under
carefully defined circumstances; to promote the legitimate uses of
strong encryption to protect confidentiality, and continue looking for
additional ways to protect important law enforcement and national
security interests.

During the past three years, we have learned that there are many ways
to assist in lawful access. There is no one-size-fits-all solution.
The plans for recovery encryption products we received from more than
sixty companies showed that a number of different technical approaches
to recovery exist. In licensing exports of encryption products under
individual licenses, we also learned that, while some products may not
meet the strict technical criteria of our regulations, they are
nevertheless consistent with our policy goals.

Additionally, we learned that the use of strong non-recovery
encryption within certain trusted industry sectors is an important
component of our policy in order to protect private consumer
information and allow our US high tech industry to maintain its lead
in the information security market while minimizing risk to national
security and law enforcement equities. Taking into account all that we
have learned and reviewing international market trends and realities,
in 1998 we made several changes to our encryption policy that I will
summarize for you.

On September 22, 1998, we published a regulation implementing our
decision to allow the export, under a license exception, of unlimited
strength encryption to banks and financial institutions located in
countries that are members of the Financial Action Task Force or which
have effective anti-money laundering laws. This regulation also allows
exports, under a license exception, of encryption products that are
specially designed for financial transactions. This policy recognizes
the need to secure and safeguard our financial networks, and that the
banking and financial communities have a history of cooperation with
government authorities when information is required to combat
financial and other crimes.

As I mentioned earlier, we have been looking for ways to make our
policy consistent with both market realities and national security and
law enforcement concerns. For more than a year, the Administration has
been engaged in a dialogue with U.S. industry, law enforcement, and
privacy groups on how our policy might be improved to find technical
solutions, in addition to key recovery, that can assist law
enforcement in its efforts to combat crime. At the same time, we
wanted to find ways to assure continued U.S. technology leadership,
promote secure electronic commerce, and protect important privacy
concerns. The purpose of this dialogue was to find cooperative
solutions that could assist law enforcement while protecting national
security, plus assuring continued U.S. technology leadership and
promoting the privacy and security of U.S. firms and citizens in
electronic commerce. We believed then and now that the best way to
make progress on this issue is through a constructive, cooperative
dialogue, rather than seeking legislative solutions. Through our
dialogue, there has been increased understanding among the parties,
and we have made progress.

The result of this dialogue was an update to our encryption policy
which Vice President Gore unveiled last September 16. The regulations
implementing the update were published on December 31. This will not
end the debate over encryption controls, but we believe the regulation
addresses some private sector concerns by opening large markets and
further streamlining exports.

The update reduced controls on exports of 56-bit products and, for
certain industry sectors, on exports of products of unlimited bit
length, whether or not they contain recovery features. In developing
our policy we identified key sectors that can form the basis of a
secure infrastructure for communicating and storing information:
banks, a broad range of financial institutions, insurance companies,
on-line merchants, and health facilities. Many of the updates permit
the export of encryption to these end-users under a license exception.
That is, after the product receives a technical review, it can be
exported by manufacturers, resellers, and distributors without the
need for a license or other additional review. Specifically, the new
policy allows for:

-- exports of 56-bit software and most hardware to any end user under
a license exception;

-- exports of strong encryption, including technology, to U.S.
companies and their subsidiaries under a license exception to protect
important business proprietary information;

-- exports of strong encryption to the insurance and medical/health
sectors in 46 countries under a license exception for use in securing
proprietary medical and health information;

-- exports of strong encryption to secure on-line transactions between
on-line merchants and their customers in 46 countries under a license
exception.

-- "recovery capable" or "recoverable" encryption products of any key
length, such as the "Doorbell" products developed by a number of
companies, can now be approved under a kind of bulk license called an
"encryption licensing arrangement" to recipients located in 46
countries. Such products include systems that are managed by a network
or corporate security administrator.

I would note that these provisions apply to exports of products with
or without key recovery features. One of the aspects of our policy
update is to permit exports of strong encryption with or without key
recovery to protect electronic commerce while also minimizing the risk
to national security and law enforcement. For example, in some cases
we have limited our approval policy to a list of countries or a set of
end users, rather than permit exports on a global basis, to help
protect national security interests.

We have also expanded our policy to encourage the marketing of a wider
variety of "recoverable" products that may not be key recovery in a
narrow sense but which may be helpful to law enforcement acting
pursuant to strict legal authorities. Again, these are typically
systems managed by a network or corporate administrator. We also
further streamlined exports of key recovery products by no longer
requiring a review of foreign key recovery agents and no longer
requiring companies to submit business plans.

This past year, we also made progress on developing a common
international approach to encryption controls through the Wassenaar
Arrangement. Established in 1996 as the successor to COCOM, it is a
multilateral export control arrangement among 33 countries whose
purpose is to prevent destabilizing accumulations of arms and civilian
items with military uses in countries or regions of concern. Wassenaar
provides the basis for many of our export controls.

In December, through the hard work of Ambassador David Aaron, the
President's special envoy on encryption, the Wassenaar Arrangement
members agreed on several changes relating to encryption controls.
These changes go a long way toward increasing international security
and public safety by providing countries with a stronger regulatory
framework for managing the spread of robust encryption.

Specific changes to multilateral encryption controls include removing
multilateral controls on all encryption products at or below 56 bit
and certain consumer items regardless of key length, such as
entertainment TV systems, DVD products, and cordless telephone
systems designed for home or office use.

Most importantly, the Wassenaar members agreed to remove encryption
software from Wassenaar's General Software Note and replace it with a
new cryptography note. Drafted in 1991, when banks, government and
militaries were the primary users of encryption, the General Software
Note allowed countries to permit the export of mass market encryption
software without restriction. The GSN was created to release general
purpose software used on personal computers, but it inadvertently
encouraged some signatory countries to permit the unrestricted export
of encryption software. It was essential to modernize the GSN and
close the loophole that permitted the uncontrolled export of
encryption with unlimited key length. Under the new cryptography note,
mass market hardware has been added and a 64-bit key length or below
has been set as an appropriate threshold. This will result in
government review of the dissemination of mass market software of up
to 64 bits.

I want to be clear that this does not mean encryption products of more
than 64 bits cannot be exported. Our own policy permits that, as does
the policy of most other Wassenaar members. It does mean, however,
that such exports must be reviewed by governments consistent with
their national export control procedures.

Export control policies without a multilateral approach have little
chance of success. Agreement, by the Wassenaar members, to close the
loophole for mass market encryption products is a strong indication
that other countries are beginning to share our public safety and
national security concerns. Contrary to what many people thought two
years ago, we have found that most major encryption producing
countries are interested in developing a harmonized international
approach to encryption controls.

At the same time, we recognize that this is an evolutionary process,
and we intend to continue our dialogue with industry. Our policy
should continue to adapt to technology and market changes. We will
review our policy again this year with a view toward making further
changes. An important component of our review is input from industry,
which we are receiving through our continuing dialogue.

With respect to H.R. 850, the Administration opposes this legislation
as we did its predecessor in the last Congress. The bill proposes
export liberalization far beyond what the Administration can entertain
and which would be contrary to our international export control
obligations. Despite some cosmetic changes the authors have made, the
bill in letter and spirit would destroy the balance we have worked so
hard to achieve and would jeopardize our law enforcement and national
security interests. I defer to other witnesses to describe the impact
of the bill on their equities, but let me describe two of its other
problems.

First, I want to reiterate that this Administration does not seek
controls or restraints on domestic manufacture or use of encryption.
We continue to believe the best way to make progress on ways to assist
law enforcement is through a constructive dialogue. As a result, we
see no need for the statutory prohibitions contained in the bill.
Second, once again we must take exception to the bill's export control
provisions. In particular, the references to IEEPA as I understand
them might have the effect of precluding controls under current
circumstances and in any future situation where the EAA had expired,
and the definition of general availability, as in the past, would
preclude export controls over most software.

In addition, whether intended or not, we believe the bill as drafted
could inhibit the development of key recovery even as a viable
commercial option for those corporations and end users that want it in
order to guarantee access to their data. The Administration has
repeatedly stated that it does not support mandatory key recovery, but
we endorse and encourage development of voluntary key recovery
systems, and, based on industry input, we see growing demand for them,
especially corporate key recovery, that we do not want to cut off.

The Administration does not seek encryption export control
legislation, nor do we believe such legislation is needed. The current
regulatory structure provides for balanced oversight of export
controls and the flexibility needed so that it can continue to promote
our economic, foreign policy and national security interests while
adjusting to advances in technology. This is the best approach to an
encryption policy that promotes secure electronic commerce, maintains
U.S. lead in information technology, protects privacy, and protects
public safety and national security interests.

As this Committee knows better than most, public debate over
encryption policy has been spirited. Many in the debate have had
difficulty grasping different views or realizing that there is a
middle ground. Our dialogue with industry has gone a long way toward
bridging that gap and finding common ground. We will continue this
policy of cooperative exchange, which is clearly the best way to
pursue our policy objectives of balancing public safety, national
security, and the competitive interests of US companies.

(end text)