[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]
ENCRYPTION SECURITY IN A HIGH TECH ERA
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
INTERNATIONAL ECONOMIC POLICY AND TRADE
OF THE
COMMITTEE ON
INTERNATIONAL RELATIONS
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
FIRST SESSION
__________
TUESDAY, MAY 18, 1999
__________
Serial No. 106-108
__________
Printed for the use of the Committee on International Relations
Available via the World Wide Web: http://www.house.gov/international
relations
______
U.S. GOVERNMENT PRINTING OFFICE
64-674 CC WASHINGTON : 2000
COMMITTEE ON INTERNATIONAL RELATIONS
BENJAMIN A. GILMAN, New York, Chairman
WILLIAM F. GOODLING, Pennsylvania SAM GEJDENSON, Connecticut
JAMES A. LEACH, Iowa TOM LANTOS, California
HENRY J. HYDE, Illinois HOWARD L. BERMAN, California
DOUG BEREUTER, Nebraska GARY L. ACKERMAN, New York
CHRISTOPHER H. SMITH, New Jersey ENI F.H. FALEOMAVAEGA, American
DAN BURTON, Indiana Samoa
ELTON GALLEGLY, California MATTHEW G. MARTINEZ, California
ILEANA ROS-LEHTINEN, Florida DONALD M. PAYNE, New Jersey
CASS BALLENGER, North Carolina ROBERT MENENDEZ, New Jersey
DANA ROHRABACHER, California SHERROD BROWN, Ohio
DONALD A. MANZULLO, Illinois CYNTHIA A. McKINNEY, Georgia
EDWARD R. ROYCE, California ALCEE L. HASTINGS, Florida
PETER T. KING, New York PAT DANNER, Missouri
STEVEN J. CHABOT, Ohio EARL F. HILLIARD, Alabama
MARSHALL ``MARK'' SANFORD, South BRAD SHERMAN, California
Carolina ROBERT WEXLER, Florida
MATT SALMON, Arizona STEVEN R. ROTHMAN, New Jersey
AMO HOUGHTON, New York JIM DAVIS, Florida
TOM CAMPBELL, California EARL POMEROY, North Dakota
JOHN M. McHUGH, New York WILLIAM D. DELAHUNT, Massachusetts
KEVIN BRADY, Texas GREGORY W. MEEKS, New York
RICHARD BURR, North Carolina BARBARA LEE, California
PAUL E. GILLMOR, Ohio JOSEPH CROWLEY, New York
GEORGE RADAVANOVICH, Califorina JOSEPH M. HOEFFEL, Pennsylvania
JOHN COOKSEY, Louisiana
THOMAS G. TANCREDO, Colorado
Richard J. Garon, Chief of Staff
Kathleen Bertelsen Moazed, Democratic Chief of Staff
------
Subcommittee on International Economic Policy and Trade
ILEANA ROS-LEHTINEN, Florida, Chairwoman
DONALD A. MANZULLO, Illinois ROBERT MENENDEZ, New Jersey
STEVEN J. CHABOT, Ohio PAT DANNER, Missouri
KEVIN BRADY, Texas EARL F. HILLIARD, Alabama
GEORGE RADANOVICH, California BRAD SHERMAN, California
JOHN COOKSEY, Louisiana STEVEN R. ROTHMAN, New Jersey
DOUG BEREUTER, Nebraska WILLIAM D. DELAHUNT, Massachusetts
DANA ROHRABACHER, California JOSEPH CROWLEY, New York
TOM CAMPBELL, California JOSEPH M. HOEFFEL, Pennsylvania
RICHARD BURR, North Carolina
Mauricio Tamargo, Subcommittee Staff Director
Jodi Christiansen, Democratic Professional Staff Member
Yleem Poblete, Professional Staff Member
Camilla Ruiz, Staff Associate
C O N T E N T S
----------
WITNESSES
Page
William Reinsch, Under Secretary of Commerce, Bureau of Export
Administration................................................. 9
Barbara McNamara, Deputy Director, National Security Agency...... 11
Ron Lee, Assistant Attorney General, National Security,
Department of Justice.......................................... 13
Gene Voegtlin, Esq., Legislative Counsel, International
Association of Chiefs of Police................................ 15
Ira Rubinstein, Senior Corporate Attorney, Microsoft Corporation. 41
Jeffrey Smith, General Counsel, Americans for Computer Privacy... 43
David Weiss, Vice President of Product Marketing, CITRIX
Corporation.................................................... 44
Alan Davidson, Staff Counsel, Center for Democracy and Technology 45
Dinah Pokempner, Deputy General Counsel, Human Rights Watch...... 47
Ed Black, President and CEO, Computer and Communications Industry
Association.................................................... 48
ENCRYPTION SECURITY IN A HIGH TECH ERA
----------
Tuesday, May 18, 1999
House of Representatives,
Subcommittee on International Economic
Policy and Trade,
Committee on International Relations,
Washington, D.C.
The Subcommittee met, pursuant to notice at 2:15 p.m., in
room 2172, Rayburn House Office Building, Hon. Ileana Ros-
Lehtinen [Chairwoman of the Subcommittee] presiding.
Ms. Ros-Lehtinen. [presiding] The Subcommittee will come to
order.
I apologize for arriving late. I had to give a brief remark
on a luncheon that Congressman Menendez, Mr. Gilman, and I are
hosting for Cuban political prisoners tomorrow. So I hope that
all of you could join us in room 2200 at 1 p.m. So I was
speaking on the Floor and I was unavoidably delayed. Thank you
so much for your patience and I apologize especially to my
Ranking Member.
Someone once said I used to think that cyberspace was 50
years away. What I thought was 50 years away was only 10 years
away. What I thought was 10 years away, it was already here, I
just wasn't aware of it yet. This applies to the debate today
on encryption where it seems our policy is trying to play a
game of catch up with our technological advancements.
The Internet has rapidly expanded as a form in which to
conduct business transactions, and millions of messages are
transferred in a matter of seconds across oceans and
continents, over barriers of languages and culture. Information
that used to take hours to transfer can now be sent in a matter
of seconds. Contracts are completed in minutes. Mergers in what
seems instantaneously. In an increasingly diverse and
globalized marketplace, the availability and efficiency of
electronic businesses is becoming more appealing for companies
hoping to keep a competitive advantage in international trade,
maintaining their dominance in or seeking to capture the market
of brain-power industries.
As these types of information transfers become more common,
fear has emerged about their security and about the
interception of messages and transactions by those who seek to
steal or sabotage. Technology to prevent these types of
invasions and violations of personal, corporate, and government
security by encoding digital information already exists. It is
what we call encryption. A need for commercial encryption
rapidly developed with the growth of the global economy and,
with it, so did concerns over exporting this technology to our
overseas counterparts. The business community, the
Administration, and law enforcement entities have been at odds
as to how to best promote American technological products
abroad while ensuring that our security, both national and
economic, are not threatened by the export of American-designed
encryption products.
The Administration has stated its concerns about possible
threats to U.S. national security and to public safety, which
they feel would arise if criminals and terrorists were to use
encryption that the U.S. Government could not penetrate. They
fear that if there were no export controls on encryption and no
key recovery features on the products we sell in overseas
markets, it would further complicate and impede law enforcement
efforts at tracking down terrorists or other criminals who use
computers in their efforts to promote violent terrorist acts or
who commit economic sabotage.
Opponents of the Administration's view argue that export
controls cannot prevent access to strong non key recovery
encryption by criminals because it is widely available
elsewhere, including over the Internet where it can be easily
downloaded from foreign company sites. They add that the one
thing these controls are ensuring is U.S. companies losing
market shares to foreign competitors. Currently, there are no
statutory restrictions on the domestic use of encryption, but
the industry argues that restrictive export controls have
hampered technological development and will continue to thwart
U.S. efforts until American companies will lose their current
technological dominance. There is a need for strong encryption
for domestic use and cross-border communications and
transactions.
While the Administration argues that it has continued to
promote stronger encryption products of greater than 56 bits,
it has done so under the condition that these be designed with
key recovery features where a third-party would have access to
a key to decrypt the information. Further, the Administration's
decision to liberalize exports for certain industries ignores
the security needs of other sectors left unprotected by current
restrictions.
Privacy advocates contend that the Administration has been
utilizing the export control process to influence whether
companies developed key recovery encryption products by
facilitating the exportation of these products and making it
more difficult to export unrecoverable encryption products.
They further state that the national security arguments fail
any test of logic that strong encryption serves as a deterrent
to criminal activity by making it difficult for those who
engage in espionage to penetrate the system.
Aside from the fact that all parties agree about the
important role of encryption in electronic commerce, little
consensus has been reached on the issue of export controls. The
SAFE Act is one of the several legislative attempts at
codifying existing domestic use policy and at liberalizing U.S.
export control regulations to compete successfully in the
global arena. This will be one of the issues we hope to cover
today as we attempt to debate the future of encryption and the
effects of controls on our technological market.
I would like to recognize our Ranking Member, Mr. Menendez
of New Jersey for his opening statement. Mr. Menendez.
Mr. Menendez. Thank you, Madam Chair Lady, and I am happy
to see that we are having this hearing which I think is an
incredibly important one the Committee has jurisdiction over,
and one that I think is going to be a part of making sure,
along with the Export Administration Act and a few other issues
that this Committee has jurisdiction in, that continues to fuel
America's competitiveness in the future. The decisions that we
make are going to affect American industry and American
competitiveness in this new millennium.
Now anyone who has been on the Internet and purchased a
book from Amazon.com or ordered an airline ticket online is
familiar with encryption technology. In the information age,
encryption technology is like a Wells Fargo truck. It keeps
your information under lock and key and delivers it only to its
intended end-user. Encryption technology is crucial to the
development of electronic commerce, which is growing by leaps
and bounds. According to Under Secretary Reinsch's testimony,
electronic commerce transactions in 1996 were $12 million, but
are projected to reach $2.1 billion by the year 2000.
So I think we need to be clear, from the very outset, that
the encryption debate is not about who does and who does not
support our national security interests. None of us who support
moving encryption technology forward believe that we would do
anything to risk the national security of the United States. I
do not care for those who would suggest that, in fact, we do.
No one is advocating a policy that would intentionally
compromise U.S. national security or the safety of American
citizens. The encryption debate is more about whether or not it
is too late for the U.S. Government and law enforcement to
control the spread of non key recovery encryption products in
the U.S. and abroad.
Clearly, we should consider the value of controlling only
the strongest encryption technologies. However, the value of
controlling anything over 56-bit technology when 128-bit
technology can be downloaded from the Internet, is
questionable. American industry is rightly concerned about
losing market shares to foreign competitors who have no
restrictions on their products. We can be certain that if the
United States cannot offer non key recovery encryption
technology overseas, that consumers will buy it from the
French, Japanese, and Israeli companies who are making similar
products. Or from American companies who establish companies
overseas, produce the intellectual property there, and that
ultimately means job losses here at home as well as revenue
losses here at home.
Now the goal of the FBI, NSA, and law enforcement agencies
is well-founded. The key recovery system would ensure that they
have access to the requisite data to snag criminals or track
suspected criminal activities. Yet the proliferation of non key
recovery technology within the United States and abroad and the
rapid speed at which this industry is developing leads me to
believe that the Administration's policy is too little, too
late.
I look forward to hearing the testimony of our witnesses,
in particular, the representatives from the FBI and NSA. I
would very much like to hear your views on current policy and
your concerns with the Goodlatte legislation. I will do so with
an open mind, but I believe we cannot turn back the clock as we
move forward into a new millennium. Thank you, Madam
Chairwoman.
Ms. Ros-Lehtinen. Thank you so much, Mr. Menendez. We are
thrilled to have the Chairman of our Committee, Congressman Ben
Gilman of New York, join us. It shows the high level of
importance that he gives to this issue of encryption. Welcome,
Mr. Gilman.
Mr. Gilman. Thank you, Madam chairman. I want to thank you
for arranging this hearing with these experts who are all
prepared to testify before us today. You certainly have a good
cross-section of views assembled. I welcome this opportunity to
attend this very important hearing on security in the high-tech
era and on the Security and Freedom through Encryption Act, the
SAFE Act, H.R. 850, sponsored by the gentleman from Virginia,
Mr. Goodlatte, and the gentle lady from California, Ms.
Lofgren.
I am pleased that the witnesses before us today come from a
broad cross-section of the law enforcement community, export
control and intelligence agencies, human rights and privacy
advocates, and the private sector representatives. I would like
to compliment you, Madam Chair, for your holding this hearing
at this time and taking a leading role on this vitally
important issue.
I would like to remind my colleagues that on Thursday of
this week at 9 a.m., the Chairman of the Intelligence
Committee, Mr. Porter, and I will be co-hosting a members-only
classified briefing on the implications of decontrolling the
export of encryption products. I urge our colleagues on this
Committee to attend if they would like to have a full
perspective on the national security and intelligence aspects
of the encryption issue.
In my view, before we begin the process of making sweeping
changes in our export control laws, Congress should avail
itself of all the information we can obtain in all venues
available to us. With the United States participating in a
NATO-led military operation against Serbia, we should be doubly
cautious in this respect because of the possibility of
terrorist attacks on our interests. I am very concerned that
the enactment of a SAFE Act would make strong encryption all
the more available to our adversaries and would undermine
international efforts to modernize and improve multilateral
export controls under the Wassenaar arrangement.
I draw the attention of the Subcommittee Members to the
recent statement of the International Association of the Chiefs
of Police. ``Unchecked proliferation of encryption technology
poses an enormous danger to both law enforcement and to society
as a whole.'' In a May 12th letter that we received from B'nai
Brith International, its president Richard Heideman noted
that--and I quote--``Unlimited proliferation of nonrecoverable
encryption products may result in their use by terrorist
groups, by narcotics traffickers, by members of organized
crime, and other dangerous criminals to the detriment of our
Nation's national security and public safety.'' Mr. Heideman
concluded that his organization has strong reservations about
the Security and Freedom through Encryption Act and urges that
Congress maintain meaningful export safeguards.
Unlimited proliferation of this technology only makes the
street-corner drug dealer further immune from the consequences
of his and others' actions. The drug trade costs us billions
each year in crime, in health care costs, lost worker
productivity, destroyed families, and lost young lives. Let us
not contribute to that carnage under the guise of greater trade
and commerce.
For those who say that this encryption technology is
already readily available abroad, they often fail to remind you
that foreign governments, in most cases, have also retained the
right to access in protection of their national security
interests. Those governments are not naive, nor should we be.
While we are still waiting for the final version of the Cox
report on high-tech exports to China, many of their
recommendations are already public. Among them are concrete
suggestions on how to strengthen the successor regime of the
Cold War COCOM export system. Its modern-day equivalent, the
so-called Wassenaar arrangement has just agreed to modernize
our multilateral encryption export control system, yet the
enactment of the SAFE Act would undercut that arrangement and
the findings of the Cox report.
Accordingly, I urge my colleagues not to rush to judgment
on an issue such as this which directly affects our national
security and our law enforcement needs. I thank the gentle lady
for recognizing me.
Ms. Ros-Lehtinen. Thank you so much, Chairman Gilman. Mr.
Delahunt.
Mr. Delahunt. I thank you, Madam. I just would welcome my
colleague from the Judiciary Committee and acknowledge the
presence of Mr. Goodlatte, one of the primary sponsors. I want
to personally welcome him.
Ms. Ros-Lehtinen. Thank you, Mr. Delahunt. Mr. Bereuter.
Mr. Bereuter. Madam Chairman, it is an important hearing
today. I have been following this issue for quite some period
of time now. I agree with many of the comments made by Chairman
Gilman. We do need to be concerned about the implications for
law enforcement and national security and a lot of the best
information we have in the way of documentation of its
importance is classified. On the other hand, we need to make
sure that we do in the way we control things does not have an
unnecessary anti-competitive factor which is brought to bear.
So I will say nothing further, but look forward to the
testimony of two large and important groups of panelists.
Ms. Ros-Lehtinen. Thank you, Doug. The sponsor of the bill,
Mr. Goodlatte. We are honored to have you with us today.
Mr. Goodlatte. Madam Chairman, first let me thank you for
holding this hearing and for being very gracious in allowing
me, a non-Member of the Committee, to participate. I would also
like to thank the Ranking Member, Mr. Menendez, and Chairman
Gilman for their participation in this and for allowing me to
participate as well.
I do have a statement that I would ask to be made a part of
the record.
Ms. Ros-Lehtinen. Without objection.
[The information referred to appears in the appendix.]
Mr. Goodlatte. I also have an article written by
Congressman Chris Cox, the Chairman of the Cox Commission, who
advocates a strong export policy with regard to exporting
encryption, making it more available, entitled ``China: Export
of Technology Would be Liberating Force,'' in which he
advocates the export of strong encryption.
Madam Chairman, this much-needed bipartisan legislation
currently has 253 cosponsors, about 110 Democrats, about 140
Republicans; a majority of the Republican and Democratic
leadership in the House are cosponsors as are two-thirds of the
Members of the International Relations Committee and all but 4
Members of this Subcommittee, and it accomplishes several
important goals. First and foremost, strong encryption in the
hands of the good guys, if you will, helps to prevent a number
of the concerns that have been raised by some of the Members of
the Committee, which are legitimate concerns by law enforcement
and national security, but making sure that we have strong
encryption to protect e-mail, medical records, financial
transactions, copyrighted material, industrial trade secrets,
and a whole host of other areas, as well as preventing major
terrorist and criminal activities such as breaking into the New
York Stock Exchange or the Chicago Board of Trade or a nuclear
power plant or the electric power grid of the United States are
all very positive purposes that are hindered by a policy that
discourages the use of strong encryption and which is the
policy that we have today.
The gentleman from New Jersey mentioned the use of
encryption by companies like Amazon.com and others who do
business on the Internet. Amazon.com cannot use the 128-bit
strong encryption that they use for domestic sales
internationally, unless they acquire it from a foreign vendor.
This, to me, seems to be a ludicrous consequence of the policy
that we currently confront in this country.
I'll give you another personal experience that I came
across recently when I led a congressional delegation to Europe
to deal with electronic commerce issues. In Brussels, in
meeting with the deputy chief of the U.S. mission there, he
indicated to me that he has worked with the National Security
Agency and the FBI and other agencies on a regular basis on
issues like this. But his own personal experience colored his
view of the need for significant change in our export control
laws when he told me that he bought a $2,000 computer system
which was shipped to him from the United States and he then
received a phone call from the company that sold it to him
telling him they could not send him the software because it
violated American export control laws. So he went down the
street to a little shop in Brussels and purchased the software
that he needed there.
Today there are more than 20 significant strong companies
in Europe creating encryption software that are major
competitors to the United States that did not exist just a few
years ago. What we are confronted with is a circumstance in
which we are already beginning to see significant erosion in
the U.S. dominance of the software and hardware computer
industry because of the fact that most major software and
hardware today has strong encryption built into it, and if you
can't export it out of the United States, you are better off
dealing with a company overseas because if you are, for
example, a company with branches in London, Paris, Tokyo, New
York, and San Francisco, you can buy these products
domestically--there is no limitation on the domestic use of
strong encryption--and use them in your New York and San
Francisco offices, but you can't send them to your London,
Paris, and Tokyo office.
However, if you buy it from a German company, to use an
example, there are no import restrictions on strong encryption.
So you can import the German products, use it at your New York
and San Francisco offices and also send it to your London,
Paris, and Tokyo offices. This is the crux of the problem that
we have in not facing up to the fact that encryption is not
like other items that are strongly suitable for export
controls.
Bombs, jets, mainframe computers are all products that are
manufactured in a few places, sent to a few places, and the
export of the products from this country can be a choke hold on
making sure they don't go to inappropriate places. But
encryption is not a tangible thing. It is a mathematical
algorithm. It is little ones and zeros going through fiber-
optic wires and by satellite all over the world. So it is my
hope that we will be able to move forward with this
legislation, which will help to create and protect American
jobs, which will help to fight crime in a whole host of ways,
and which will protect the privacy of law-abiding American
citizens and I very much thank you for the opportunity to
participate today.
Ms. Ros-Lehtinen. Thank you so much, Bob. Congressman Burr.
Mr. Burr. Thank you, Madam Chairman. Let me just say that,
my good friend Mr. Goodlatte, I had hoped that after we
dispensed with this in Commerce last year that law enforcement
and the technology businesses would find the agreement that
could move forward together. Unfortunately, I don't have the
impression that we are there. That as you talked about the
inability to export software, I think a year from now, with the
new chips, we will, in fact, find ourselves not exporting the
computer. I think we have some bigger problems to deal with.
I would suggest today to my colleagues that the way to find
the answer is not to dig our heels in the sand and say we can't
move from where we are. In fact, the challenge to each of us is
to find where that balance is, to move there, and not to find
new ways to drive technology offshore where, for a short-term
gain, we do significant long-term damage to not only the
development of business in this country and the creation of
jobs, but to our national security which is an area that we are
all sensitive to.
Technology has few boundaries, as my good friend Mr.
Goodlatte referred to, and our ability to understand
technology's flow around the world is, in fact, a significant
key to our understanding of where we move with legislation.
Madam chairman, I am only hopeful that all Members will
encourage not only the business sector, but the law enforcement
sector to work a little bit harder to try to find a compromise,
one that facilitates the business needs of the future, the
development of technology, and also provides some assurances of
law enforcement's access. Clearly, if technology is that
advanced in intelligence, I am hopeful that somebody will
transmit an updated map to our intelligence agencies. Maybe we
won't have quite the problem that we have had over the past
week.
Technology is a tremendous tool. It is a tremendous tool
for every person in the world. It will become more the tool for
opening up not only closed markets, but closed societies in the
future. We have to find a way to make this work, to make it
work for all who have a concern and to utilize this tool to its
fullest. I am confident that this hearing and many others that
we will have this session of Congress will help us to get to
that legislation. I thank the Chair and I yield back.
Ms. Ros-Lehtinen. Thank you. Mr. Radanovich.
Mr. Radanovich. Thank you, Madam Chair, I will be brief. I
would like to submit a statement for the record.
Ms. Ros-Lehtinen. Without objection.
[The information referred to appears in the appendix.]
Mr. Radanovich. Thank you. But do want to state my wish
that we get a bill forward sometime this session that would
open up markets for U.S. business and, at the same time,
preserve our security. I appreciate the chairwoman for having
this hearing and hopefully we can move this issue forward and
get it dealt with. Thank you very much.
Ms. Ros-Lehtinen. Thank you so much. Mr. Rohrabacher.
Mr. Rohrabacher. I would just like to say that Mr.
Goodlatte has put a lot of effort into this and is a very
patriotic American and where we have had our disagreements in
the past, I think that he is using good judgment here and I am
very happy to be a cosponsor of this bill.
Ms. Ros-Lehtinen. Thank you. Thank you so much for your
patience, all of you in the audience and our panelists as well.
We will first hear from Bill Reinsch, who currently serves as
the under secretary for export Administration in the Department
of Commerce. As head of this bureau, Mr. Reinsch is charged
with administering and enforcing the export control policies of
the U.S. Government. Before joining the Department of Commerce,
he served on the staffs of several Members of Congress who are
extensively involved with international trade issues. He has
testified before this Subcommittee many times and we are glad
to have you back, Bill. Thank you.
Next will be Barbara McNamara, who is Deputy Director of
the National Security Agency. From 1995 to 1997, Ms. McNamara
served as the Deputy Director of operations, National Security
Agency of the Central Security Service. Prior to that, she
served as the NSA representative to the Department of Defense,
as well as chief of the Office of International Economics and
Global Issues in the Operations Organization. Ms. McNamara
began her career in the National Security Agency as a linguist
and served in a variety of analytical and management positions
in the Operations Office. Thank you so much for being with us.
Ronald Lee is the associate deputy attorney general for the
Department of Justice. He is currently the Acting Director of
the Executive Office of National Security at the Department. He
has served as the program manager for the development of the
Administration's 5-year counter terrorism and technology crime
plan. In 1994, Mr. Lee was appointed as general counsel of the
National Security and served as their chief legal officer
representing the NSA in all legal matters. Welcome, Mr. Lee, to
our panel.
We also have a representative from the International
Association of Chiefs of Police, who is pro-export controls,
but he does not represent the Administration. Mr. Gene Voegtlin
is the legislative counsel of the International Association of
Chiefs of Police. In this position, he is responsible for
directing the day-to-day implementation of the Association's
government affairs program. Prior to joining the Association,
Mr. Voegtlin served as the Director of legislative and
political affairs for the National Federation of Federal
Employees. His prior experience also includes serving as a
legislative representative of the Federal Managers Association
and the American Chemical Society. We welcome you, Mr.
Voegtlin, today.
We will begin with the Honorable Mr. Reinsch. Thank you,
Bill.
STATEMENT OF WILLIAM REINSCH, UNDER SECRETARY OF COMMERCE,
BUREAU OF EXPORT ADMINISTRATION
Mr. Reinsch. Thank you very much, Madam chairman. It is a
pleasure to be here with you again to testify on the direction
of the Administration's encryption policy. I would appreciate,
Madam chairman, if you would put my full statement in the
record.
Ms. Ros-Lehtinen. Correct. Without objection, we will glad
to put all of your statements into the record.
Mr. Reinsch. Thank you. Notwithstanding the comments of
some of your colleagues, Madam Chairman, I think we have made a
great deal of progress in this area since the last time I was
here. But it is still, nevertheless, obvious that encryption
remains a hotly debated issue.
The Administration continues to support a balanced approach
which considers privacy and commerce, as well as protecting
important law enforcement and national security equities. We
have been consulting closely with industry and its customers to
develop policy that provides that balance in a way that also
reflects the evolving realities of the marketplace. The
Internet and other digital media are becoming increasingly
important to the conduct of international business. Mr.
Menendez used one of my better statistics and so I think I will
skip over the other ones in my statements and you can read
them. But I think there is no disagreement over that point, in
any event.
Clearly, many service industries, which traditionally
required face-to-face interaction, such as banks, other
financial institutions, and retail merchants, are now providing
cyberservice. Customers can now sit at their home computers and
access their banking and investment accounts or buy a winter
jacket with a few strokes of their keyboard. Furthermore, most
businesses maintain their records and other proprietary
information electronically. They now conduct many of their day-
to-day communications and business transactions via the
Internet and e-mail. An inevitable byproduct of this growth of
electronic commerce is the need for strong encryption to
provide the necessary secure infrastructure for digital
communications, transactions, and networks.
Developing a new policy in this area has been complicated
because we do not want to hinder encryption's legitimate use,
particularly for electronic commerce yet, at the same time, we
want to protect our vital national security foreign policy and
law enforcement interests. During the past 3 years, we have
learned that there are many ways to assist in lawful access.
There is no one-size-fits-all solution. On September 22nd of
last year, we published a regulation implementing our decision
to allow the export under a license exception of unlimited
strength encryption to banks and financial institutions located
in countries that are Members of the Financial Action Task
Force or which have effective anti-money laundering laws.
The further result of our ongoing dialogue with industry
was an update to our encryption policy which the Vice President
unveiled last September 16th. The regulations implementing the
update were published on December 31. This will not end the
debate over encryption controls, but we believe the regulation
addresses some private sector concerns by opening large markets
and further streamlining exports. The update reduced controls
on exports of 56-bit products and, for certain industry
sectors, on exports of products of unlimited bit length,
whether or not they contain recovery features.
In developing our policy, we identified key sectors that
can form the basis of a secure infrastructure for communicating
and storing information: banks, a broad range of financial
institutions, insurance companies, online merchants, and health
facilities. Many of the updates permit the export of encryption
to these end-users under a license exception. The policy also
allows for exports of 56-bit software and most hardware to any
end-user under a license exception; exports of strong
encryption, including technology to U.S. companies and their
subsidiaries, under a license exception, to protect important
business proprietary information; and approval under a
licensing arrangement of recovery-capable or recoverable
encryption products of any key length to recipients located in
46 countries. Such products include systems that are managed by
a network or corporate security administrator.
In December, through the hard work of Ambassador David
Aaron, the President's special envoy on encryption, the
Wassenaar arrangement's members agreed on several changes
related to encryption controls. Specific changes to
multilateral encryption controls included removing them on all
encryption products at or below 56-bits and on certain consumer
items regardless of key length.
Most importantly--and I want to take a moment on this,
Madam chairman--the Wassenaar members agreed to remove
encryption software from Wassenaar's general software note and
replace it with a new cryptography note. Drafted in 1991 when
banks, governments, and militaries were the primary users of
encryption, the general software note allowed countries to
permit the export of mass-market encryption software without
restriction. The GSN was created to release general purpose
software used on personal computers, but it inadvertently
encouraged some signatory countries to permit the unrestricted
export of encryption software. It was essential to modernize
the general software note and close a loophole that permitted
the uncontrolled export of encryption with unlimited key
length.
Under the new note, mass-market hardware has been added and
a 64-key length or below has been set as an appropriate
threshold. This will result in government review of the
dissemination of mass-market software of up to 64-bits. I want
to be clear that this does not mean encryption products of more
than 64-bits cannot be exported. Our own policy permits that as
does the policy of most other Wassenaar members. It does mean,
however, that such exports must be reviewed by governments
consistent with their national export control procedures.
Finally, Madam chairman, with respect to H.R. 850, the
Administration opposes this legislation, as we did its
predecessor in the last Congress. The bill proposes export
liberalization far beyond what the Administration can entertain
and which would be contrary to our international export control
obligations. Despite some cosmetic changes the authors have
made, the bill in letter and spirit would destroy the balance
we have worked so hard to achieve and would jeopardize our law
enforcement and national security interests.
I want to reiterate that this Administration does not seek
controls or restraints on domestic manufacture or use of
encryption. We continue to believe the best way to make
progress on ways to assist law enforcement is through a
constructive dialogue. As a result, we see no need for the
statutory provisions contained in the bill.
Second, once again, we must take exception to the bill's
export provisions. In particular, the references to IEEPA, as I
understand them, might have the effect of precluding controls
under current circumstances and in any future situation where
the EAA had expired and the definition of general availability,
as in the past, would preclude export controls over most
software. In addition, whether intended or not, we believe the
bill as drafted could inhibit the development of key recovery,
even as a viable commercial option for those corporations and
end-users that want it in order to guarantee access to their
data. The Administration has repeatedly stated that it does not
support mandatory key recovery, but we endorse and encourage
development of voluntary key recovery systems and, based on
industry input, we see growing demand for them, especially
corporate key recovery, that we do not want to cutoff.
The Administration does not seek encryption export control
legislation nor do we believe such legislation is needed. The
current regulatory structure provides for balanced oversight of
export controls and the flexibility needed so that it can
continue to promote our economic foreign policy and national
security interests while adjusting to advances in technology.
We believe this is the best approach to an encryption policy
that promotes secure electronic commerce, maintains U.S. leads
in information technology, protects privacy, and protects
public safety and national security interests.
Thank you, Madam chairman.
Ms. Ros-Lehtinen. Thank you so much.
Ms. McNamara.
STATEMENT OF BARBARA MCNAMARA, DEPUTY DIRECTOR, NATIONAL
SECURITY AGENCY
Ms. McNamara. Good afternoon, Madam Chair. Thank you for
the opportunity to appear today. I would like to begin briefly
by introducing the National Security Agency and its mission and
explain why this issue is so important to us.
NSA secures information systems for the Department of
Defense and other U.S. Government agencies and provides
information derived from foreign signals to a variety of users
in the Federal Government. It is the signal's intelligence role
that I want to address today. NSA intercepts and analyzes the
communications signals of foreign adversaries to produce
critically unique and actionable intelligence reports for our
national leaders and military commanders. Very often, time is
of the essence. Intelligence is perishable. It is worthless if
we cannot get it to the decisionmakers in time to make a
difference.
Signals intelligence proved its worth in World War II when
the United States broke the Japanese naval code and learned of
their plans to invade Midway Island. This intelligence
significantly aided the U.S. defeat of the Japanese fleet and
helped shorten the war. NSA provides the same kind of
intelligence support today in the former Yugoslavia and other
locations around the world wherever U.S. military forces are
deployed.
NSA signals intelligence efforts also support policymakers
and law enforcement. Demands on NSA for timely intelligence
have only grown since the breakup of the Soviet Union and have
expanded into national security areas of terrorism, weapons
proliferation, and narcotics trafficking. Today, many of the
world's communications are still unencrypted. Historically,
encryption has been used primarily by governments and the
military. It was employed for confidentiality and hardware-
based systems and was often difficult to use. As encryption
moves to software-based implementations and the
infrastructure--and I underline infrastructure--develops to
provide a host of encryption-related security services,
encryption will spread and be widely used by other foreign
adversaries that have traditionally relied upon unencrypted
communications. As a result, much of the crucial information we
are able to provide today could quickly become unavailable to
the decisionmaker.
As you will hear from my colleague from the Department of
Justice, it is important to understand that the needs of
national security and the needs of law enforcement are
different and must be addressed separately. At NSA, we are
focused on preserving export controls on encryption to protect
national security. As you consider the SAFE Act, it is very
important to understand the significant effect certain
provisions of this bill will have on national security.
The SAFE Act would mandate the immediate decontrol of most
commercial computer software encryption and specified hardware
encryption exports. This will greatly complicate our
exploitation of foreign targets and the timely delivery of
usable intelligence because it will take too long to decrypt a
message if, indeed, we can decrypt it at all. This bill would
also deprive us of the opportunity to conduct a meaningful
review of a proposed encryption export. Historically, this
review process has provided us with valuable insight into what
is being exported, to whom, and for what purpose. Without this
review and the ability to deny an export application if
necessary, it will be impossible to control exports of
encryption to countless bad guys.
The SAFE Act would permit exports of encryption based on
products comparable to those being exported for foreign
financial institutions. But using the special treatment
afforded banks and financial institutions which are well-
regulated and have a good record of providing access to lawful
requests for information, as the basis for a blanket approval
of export to all other end-users in a country would eliminate
important national security end-use considerations. The
criteria for exporting encryption to these institutions should
not be the basis for decontrolling other encryption exports.
The SAFE Act also eliminates control for computer hardware
with encryption capability if it is found that the product is
available in the overseas market. The apparent availability of
a product in a country without regard to its actual performance
capabilities or without restrictions on end-users or end-uses
will have the practical effect of forcing the decontrol of such
exports, a condition that is unacceptable to national security.
We believe that we need a balanced encryption policy that
considers the needs of national security and industry. The
recent U.S. and Wassenaar policy updates are positive moves in
that direction. You will hear from others that industry is
prohibited from exporting anything greater than 56 bits. That
is patently wrong. Last year's update allows vendors to export
unlimited-strength encryption, even 128 bits, to specified
market sectors in a set of countries that represents
approximately 70 percent of the world's economies or did at the
time and that redresses the issue of Amazon.com that
Congressman Goodlatte referred to.
This is an example of the kind of advances possible under
the current regulatory structure which provides greater
flexibility than a statutory structure would. Let me make it
clear. We want U.S. companies to effectively compete in world
markets. In fact, it is something that we strongly support as
long as it is done consistent with national security needs.
In summary, the SAFE Act will harm national security by
making NSA's job of providing critical actionable intelligence
to our leaders and military commanders difficult if not
impossible, thus putting our Nation's security at considerable
risk. The United States cannot have an effective decisionmaking
process, or a strong fighting force, or a responsive law
enforcement community, or a strong counterterrorism capability
unless the information required to support them is available in
time to make a difference. The nation needs a balanced
encryption policy that allows U.S. industry to continue to be
the world's leader, but that also protects the security of our
Nation. Thank you, Madam chairman.
Ms. Ros-Lehtinen. Thank you so much.
Mr. Lee.
STATEMENT OF RON LEE, ASSISTANT ATTORNEY GENERAL, NATIONAL
SECURITY, DEPARTMENT OF JUSTICE
Mr. Lee. Madam Chair, I would like to emphasize some of the
points in my written statement for the Subcommittee in my brief
remarks this afternoon. I would like to be clear, because the
views of the Department of Justice on encryption and export
controls are often caricatured or misrepresented.
The Department of Justice supports the spread of strong
recoverable encryption to protect the privacy of American
citizens and to protect the security of our information
infrastructure. This is not, after all, a debate about whether
the U.S. national interest is served by the success of U.S.
companies abroad. We fully accept and support that premise. We
are, however, deeply concerned about the threat to public
safety posed by the widespread distribution and use of
nonrecoverable encryption. Law enforcement agencies, both in
the United States and abroad--and we work closely with many law
enforcement agencies abroad--have already begun to see cases
where encryption has been used in efforts to conceal criminal
activity. The number and complexity of these cases will
certainly increase as encryption proliferates and, I emphasize,
as encryption increasingly becomes an integral part of mass-
market software items and network-based information services.
Thus, we cannot just extrapolate from past examples where
encryption has posed a problem. We must, as a government, in
partnership with the Congress, take this moment to realize that
encryption is becoming a part of our commerce and make
responsible public choices.
Faced with the use of nonrecoverable encryption, agents
would not be able to make effective use of search warrants,
wiretap orders, and other legal processes that have been
authorized by Congress and ordered by the courts. These tools
are absolutely essential to effective law enforcement
investigations today. Without these tools, law enforcement
would find it increasingly difficult, if not impossible, to
obtain important evidence of criminal activity and to gather
and develop and present the evidence needed in criminal
prosecutions.
In the face of these challenges, the Department of Justice
supports the carefully balanced approach to export controls
that the Administration is actively pursuing. The Chair asked
about progress in the last year. I would like to report that
the Attorney General, along with the Director of the Federal
Bureau of Investigation and other government officials have
been actively engaging industry leaders in a continuing,
cooperative, and positive dialogue. This dialogue has continued
throughout the Department and the FBI at several different
levels.
We have gained a lot from the dialogue. We have both
explained the public safety concerns that we have from the
spread of nonrecoverable encryption and we have learned about
innovative solutions that industry has presented. It was in
part this collaboration and dialogue that led us to be able to
participate in the active report in the export control updates
announced by the Administration last September. We thank the
Members of Congress who have helped to facilitate this dialogue
and we will work hard to make sure that these discussions
continue. We believe that the current balanced approach is the
most conducive approach to continuing this open dialogue with
industry.
In this connection, the rapid elimination of export
controls, as proposed in H.R. 850, the Security And Freedom
through Encryption Act, would upset this balance dramatically.
We believe that passage of the SAFE Act would cause the further
spread of unbreakable encryption products that will be used by
terrorist organizations and others for criminal purposes.
Of course, we recognize that law enforcement is already
coming across nonrecoverable encryption by criminals. We are
not standing still. In order to protect public safety, we are
continuing to develop our own technical expertise. The
Department of Justice has begun initiatives such as the funding
of a centralized technical resource within the FBI which will
support Federal, State, and local law enforcement personnel in
developing a broad range of expertise, technologies, and tools
to respond directly to the threat posed by unbreakable
encryption when used by criminals.
We look forward to working with Congress to develop this
resource. However, I must emphasize that no technology, no set
of technologies, no tool box offers a silver bullet. The
widespread use of nonrecoverable encryption by criminals would
quickly overwhelm whatever technical response and capabilities
we could develop. In summary, we believe that the
Administration's approach balances the need for secure private
communications and electronic commerce with the equally
important need to protect the safety of the public against
threats from terrorists and criminals. We look forward to
working with you on this important issue. Thank you.
Ms. Ros-Lehtinen. Thank you so much.
Mr. Voegtlin.
STATEMENT OF GENE VOEGTLIN, ESQ., LEGISLATIVE COUNSEL,
INTERNATIONAL ASSOCIATION OF CHIEFS OF POLICE
Mr. Voegtlin. Thank you. Good afternoon, Madam Chair,
Chairman Gilman, and Members of the Subcommittee. I am pleased
to be here today on behalf of the International Association of
Chiefs of Police. Our president, Ronald Neubauer, had hoped to
be here today, but, unfortunately, he is out of the country and
therefore cannot attend.
I would like to briefly tell you about the IACP and then
summarize our statement. Founded in 1893, the IACP, with 17,000
members in 112 countries, is the world's oldest and largest
association of law enforcement executives. Our mission
throughout the history of the association has been to identify,
address, and work to provide solutions to urgent law
enforcement issues. As I appear before you today, it is clear
that robust, nonrecoverable encryption technology and the
threat it poses to the ability of law enforcement agencies to
perform their mission looms as one of the most urgent and
important issues facing our members in the communities they
serve.
The IACP's position on the encryption issue is clear. We
strongly believe that the unchecked proliferation of robust
nonrecoverable encryption technology poses an enormous danger
to effective law enforcement, public safety, and to society as
a whole. Therefore, the IACP believes that any encryption
legislation that is enacted must protect the ability of law
enforcement agencies to perform court-authorized electronic
surveillance and the search and seizure of criminally related
information stored in computers.
In addition, the IACP believes that it is of vital
importance to maintain the stringent export controls on robust
nonrecoverable encryption products. The relaxation of export
controls would likely result in the widespread proliferation of
unbreakable encryption products which would severely limit if
not completely destroy the ability of law enforcement agencies
to effectively investigate and apprehend international
terrorists and criminals. This is why the IACP was pleased last
December when 33 nations signed on to the Wassenaar export
control agreement to impose or expand existing controls on
encryption and other data scrambling technologies.
I would like to note, however, that the IACP's position on
the need for law enforcement access does not mean that we
oppose all uses of encryption technology. The IACP certainly
recognizes that there is a legitimate need to use encryption
products as a tool to protect electronic commerce and
individual privacy. Indeed, law enforcement agencies themselves
have a need for secure communications and information storage.
Nevertheless, we must balance these legitimate concerns with
the threat we face by providing criminals, drug lords, and
terrorists with an impenetrable means of communicating to their
criminal associates.
In addition, the IACP is aware of the economic issues
involved in the manufacture and sale of encryption technology
and products. However, we believe that we must consider the
enormous economic damage that is being done to the United
States economy as a result of crime and related consequences.
For example, experts have estimated that the economic loss to
the United States as a result of drug-related crime, accidents,
medical care, and the loss of productivity reaches upward to
$50 billion a year.
Finally, I would like to stress that providing law
enforcement with a means to access the plain text of encrypted
information would not represent an expansion of the police
power to conduct searches or infringement on the Fourth
Amendment protections against unreasonable searches. Law
enforcement agencies would still be required to follow the
current procedures that are necessary to gain access to other
information that is used in the commission of crime. Providing
for law enforcement access is entirely consistent with the
constitutional safeguards of the Fourth Amendment.
What we would be doing by ensuring that law enforcement can
access the plain text of encrypted criminal information is
simply modernizing our current search warrant laws to keep pace
with advances in computer technology. It is imperative that
Congress take immediate steps to protect the capabilities of
law enforcement. Electronic surveillance and wiretaps are two
of the most effective tools in law enforcement's arsenal. Over
the years, numerous arrests, prosecutions, and convictions have
been secured against criminals because of court-authorized
surveillance and wiretaps operations.
It is our belief that if Congress allows a robust
encryption technology to be sold without providing for a means
of law enforcement plain text access, it would effectively be
stripping law enforcement agencies of their ability to
successfully perform electronic surveillance, wiretaps, and the
search and seizure of criminal information stored in computers.
Therefore, before any legislation is enacted, the IACP urges
Congress to ensure that it contain provisions that would
provide law enforcement with immediate and complete plain text
access to information encrypted in the furtherance of criminal
activity. The inclusion of such provisions are absolutely vital
if we are to preserve the investigative capabilities of our
Nation's law enforcement agencies.
If Congress fails to provide law enforcement with this
necessary access, law enforcement agencies will be further
behind the technology curve. Terrorists, drug lords, and other
criminal elements will have the upper hand over law enforcement
and, as a result, the personal safety and security of all
Americans and their property will be endangered. Thank you.
Ms. Ros-Lehtinen. Thank you so much to all of our panelists
and we are proud to begin our series of questions by our
Chairman of the International Relations Committee, Mr. Gilman.
Mr. Gilman. Mr. Lee, how many major organized crimes cases
have made without court-authorized wiretap evidence? Can you
give us a rough estimate?
Mr. Lee. Chairman Gilman, each major organized crime case,
like any other investigation of a major crime, is done with a
combination of law enforcement investigative tools. Law
enforcement brings to bear the entire set of tools to
investigate, apprehend, and prosecute these criminals. In each
of these investigations, court-authorized wiretap operations
and the evidence derived from them are absolutely essential to
the success of the enterprise. By that I would mean both the
successful investigation of the organized crime matter and also
the successful prosecution and marshalling of evidence against
the defendants.
Mr. Gilman. Thank you. Mr. Voegtlin, do you agree with that
assessment?
Mr. Voegtlin. Yes, absolutely.
Mr. Gilman. How often in cases such as kidnappings and
planned terrorist bombs has the court-authorized wiretap
prevented the loss of life? Mr. Lee.
Mr. Lee. Mr. Chairman, there have been numerous cases where
court-authorized wiretaps have been used by law enforcement
officials to prevent and solve--to prevent loss of life and to
solve the cases. I would add to that list not just terrorism
and kidnapping, but also cases such as child pornography and
other exploitation of children. It is an absolutely essential
tool.
Mr. Gilman. What about the timing of information that you
receive from wiretaps, too? Is that critical to the cases
involved?
Mr. Lee. Mr. Chairman, the timing, the ability to quickly
derive the plain text, the meaning from the wiretaps on a real-
time instantaneous basis is absolutely critical, both to saving
lives and also to apprehending criminals and furthering the
investigation.
Mr. Gilman. Thank you. Mr. Reinsch, what effect would the
implementation of the SAFE Act have on the Wassenaar
arrangement?
Mr. Reinsch. Mr. Gilman, first it would put us in violation
of it. It is inconsistent with it and, second, I believe it
would undercut our efforts to obtain stronger multilateral
controls. It would probably result in our allies abandoning
their efforts to control these products.
Mr. Gilman. Could you tell us, Mr. Reinsch, do the
provisions in the SAFE Act relating to terrorist countries
provide effective control for the Administration to stop the
export of encrypted products to those countries?
Mr. Reinsch. That is a more complicated question than the
Wassenaar question, Mr. Gilman. We believe generally no, but it
is a more--that they do not help us provide effective control,
but it is a more complicated legal analysis. The bill contains
two provisions that contradict each other. One which addresses
this question specifically and one which generally removes
licensing authority for what we believe would be most mass-
market products. Even if we were to try to reconcile those
conflicting provisions by construing the stricter one as
ruling, we have some concerns about the way that it is drafted.
It imposes, not with respect to countries, but with respect to
individuals--individual terrorists or individual terrorist
organizations--a substantial evidence test which is quite a
high test, an unusual one for the kind of system that would
make it much more difficult for us to identify and list,
meeting the standards of the Act, terrorist organizations and
proscribe exports to them.
Mr. Gilman. Just one last question: Mr. Voegtlin, what
would encryption without access do to local law enforcement's
ability to fight the drug war?
Mr. Voegtlin. Basically, we are concerned that it would all
but eliminate our ability to fight the drug war. Currently--and
it is becoming on an ever-increasing basis--State police
directors and local law enforcement agents are coming across
encryption in an ever-increasing fashion. Right now what we are
looking at are situations where you have drugs being imported
into this country and the command and control is taking place
overseas and they are using encrypted communications to talk to
the subordinates in this country, to talk about distribution
and other coordination efforts. Without being able to access
this information through wiretaps, the ability for State and
local law enforcement agencies to work in cooperation with the
Federal agencies on the drug issue will be severely limited if
not completely destroyed.
Mr. Gilman. Thank you and thank you, Madam chairman.
Ms. Ros-Lehtinen. Thank you so much, Mr. Gilman, for being
with us. Mr. Menendez.
Mr. Menendez. I thank you, Madam Chairlady, I appreciate
this panel's testimony. Before I ask my questions, I want to
ask Mr. Lee, is your division of the Justice Department
National Security? Is that my understanding?
Mr. Lee. Sir, I am a Senior Member of the Deputy Attorney
General's Office. One component of the Deputy Attorney
General's Office is called the Executive Office of National
Security. I am the acting head of that component, but I also
have other responsibilities in the Office of the Deputy
Attorney General.
Mr. Menendez. That is not the same division of the Justice
Department that declared the air space over Camden Yards to
banners talking about freedom and democracy our national
security risk, is it?
Mr. Lee. I am not familiar with that matter.
Mr. Menendez. Because that really colored my perception of
what national security is. Let me ask the panel the following.
My friend and colleague from New Jersey, a new Member of
Congress, Rush Holt, is a rocket scientist. His constituents
have a bumper sticker in his district that says, ``My
Congressman is a rocket scientist.'' Now, I am not a rocket
scientist. I am just a poor old country lawyer. What I don't
have an understanding about----
I am not a professor either of the law. But what I really
have a problem listening to the testimony here about is one
basic set of circumstances which seems to be glossed over and
maybe all of you can help.
No. 1 is, there is no domestic control of encryption. Is
that a correct statement?
Mr. Reinsch. That is correct.
Mr. Menendez. So I, as an American, or for that fact,
someone from abroad who is visiting here could buy this
domestically. I guess taking it back home might be a violation
of the law. Is that the case?
Mr. Reinsch. Yes, in general. There would be a personal use
issue, but if you were taking it back to give to somebody else
or to sell that would----
Mr. Menendez. If I wanted to buy and use it and take it
back. But I don't even have to do that, as I understand it.
This technology exists by a variety of countries--the Japanese,
the Israelis, French, others--who have all of this capacity at
its highest levels, as I said in my opening statement, in the
Internet, you can download 128 bits. Now I heard Ms. McNamara
say that we don't control, we, in fact, permit under the new
regulations over 56 bits. But that's if you have, in fact, a
key recovery system. If you have a non key recovery system, you
can't do that, can you?
Mr. Reinsch. No. Maybe I can clarify that part. I would
like to have Ms. McNamara talk a little bit about the
availability issue if we have time for that. The policy permits
the export in a variety of circumstances that my statement went
over fairly quickly of more than 56-bit encryption. In fact,
encryption without bit length limit and without key recovery
features can be exported to U.S. subsidiaries, for example, to
health care organizations, to banks, to financial institutions,
and so on.
Mr. Menendez. Yes. Outside of that specific category--and I
have a chart here: the banks, financial, health insurance,
health care----
Mr. Reinsch. Right.
Mr. Menendez. Outside of that category.
Mr. Reinsch. No.
Mr. Menendez. If you want to, you could not.
Mr. Reinsch. Except via--there is a whole list in that
category, more than the ones I mentioned, but outside of what I
assume is on your chart, the only way high-level encryption,
128-bit or whatever, could be exported would be pursuant to an
individual license that we would issue. An exporter can apply
for anything they want and we will consider any application
they submit, but it would take an individual license outside of
those categories.
Mr. Menendez. My point, Mr. Secretary--and for members of
the panel, maybe you can help me here, elucidate to me--the
point is whether you buy it here or domestically and you have
this capacity and you illegally--because we are talking about
illicit activities that we are concerned about and national
securities and espionage and all of that--bottom line is
whether you buy it domestically or whether you buy it abroad
and use it for an illicit purpose here in the United States,
what is it that we accomplish in terms of controlling the
technology that is readily available and that can be used by
anyone who seeks to do so illicitly for espionage or terrorism,
for anything. I listened to the line of questioning of our
distinguished Chairman and, all of those things can be
accomplished by someone who wants to break the law and use and
seek the technology abroad. Tell me what it is that--how do we
circumvent all of that?
Ms. McNamara. Let me try and answer that question and then
any of my colleagues can chime in behind, sir. Let me first
address the issue that you raised about nations overseas. As
you heard Mr. Reinsch say and I said as well, in December of
last year, 33 nations signed up to the Wassenaar agreement.
What that does is permits those 33 nations to have an umbrella
arrangement or agreement which allows them then to invoke
export controls in their own individual countries. They are
doing that and they are abiding by it.
Some of those nations without Wassenaar had their own
export control regime and they are abiding by that. The 33
nations that signed up to the Wassenaar agreement are the 33
nations which are today the world's predominant producers of
encryption, save one or two, and even those, although not
members of Wassenaar, do have their own export control
regulatory regime which they invoke for the export of
encryption from their own national producers.
The export of, or the individuals who, as you point out,
illegally use or apply for the use of encryption, on an
individual basis, we are never going to stop all of that. What
we are attempting to talk about here is the actual broad use of
encryption or the incentive for the broad export of encryption
from this country.
Encryption today is not being used broadly. Encryption
today is, for the most part, being used by individuals for
applications that are approved under our export control regime
for business, for banking, for online commerce. All of that
export, without requiring key recovery features, I might add,
is available under today's export control regime from this
country as of last September. That was reinforced and
reendorsed by the Wassenaar agreements.
When we look at the international use of encryption, I will
tell you that we expect to see the broad use of encryption
internationally when three conditions are met. Those three
conditions are it becomes inexpensive--and I will grant you, it
is becoming inexpensive--it becomes easy to use--and, in some
cases, it is in fact easy to use. In other cases it is not--and
what will be required for the broad international use of
encryption is a security management infrastructure which will
allow the registering of keys, the authentication of users, and
the free and open exchange of encryption across international
boundaries. Those international security management
infrastructures do not exist today, globally. So we are not
seeing the broad use of encryption.
Mr. Menendez. I appreciate your answer. My concern,
however, remains, I think, unanswered. That is, maybe you
cannot answer it. Not that you don't want to answer it. Maybe
it cannot be answered. That is this, that, listening to your
answer, Wassenaar, as I understand it, is ultimately not
binding, but even to the extent that, while it is predominate
of the countries, it is not exclusive. To the extent that you
have access in those countries, domestically, as we would have
access here domestically; and to the extent that you have
acknowledged that it is becoming more and more inexpensive and
easier to use, ultimately it just seems to me that those--
forgetting about the broad base appeal that we seek to divert
for the time being--ultimately, those who want to use such
encryption opportunities to do something illicitly, to do
something in terms of how this panel has described their
concerns about it, ultimately have the wherewithal to do it
now. So I don't know exactly what we stop here except American
companies from being competitive in the world because those who
want to do it will do it.
Last, even to those that you have given presumptions of
approval to, to American subsidiaries abroad that have foreign
nationals working for them. It does not give me a sense of
rhyme or reason. I get the sense that, we want to try to stop
what we cannot stop and we are just hoping to buy time here at
the end of the day. I may be wrong in that perception, but that
is certainly the perception I have.
Mr. Lee. Mr. Menendez, if I may address that briefly from
the law enforcement perspective, our position is not that the
policy is a failure if there is one single illicit or bad
person using encryption. We fully understand that people are
going to go to great lengths to use encryption that we probably
will never be able to read. The issue for us is that we are
starting to get into a world where everyone will be using
encryption and the policy issue, both for the world of exports
and for the United States, is what will that world look like?
Will it be a world where there is some possibility that the
wiretaps that Mr. Voegtlin and I have spoken about will have
some value, some meaning to protect public safety? Or will it
be a world where those wiretaps are completely useless? That is
the overarching policy issue, not whether a criminal or a
terrorist could--indeed they can and they do. We are seeing
that increasingly--not whether they can, in an isolated case,
find encryption that frustrates us. The question is, as
encryption becomes much more pervasive so that people don't
have to go to any effort whatsoever to use it, what kind of a
world will we live in?
Mr. Menendez. My concern, Mr. Lee, is that what you are
concerned about already is becoming a reality, notwithstanding
anything that we are doing right now. I thank the Chair Lady.
Ms. Ros-Lehtinen. Thank you so much, Mr. Menendez. Mr.
Bereuter.
Mr. Bereuter. Thank you, Madam chairman. Thank you for your
testimony. Mr. Reinsch, the reference has been made to the
dialogue the Administration had been engaging in with the
industry. I believe it may have first been started or at least
noticeably progressing when it was initiated by John Deutsch,
the Director of the Central Intelligence Agency. It seems to me
that he maintained a successful back channel communication with
the group of top industrial CEO's. They were moving ahead in
what appeared to be very useful negotiations to strike a useful
balance. When Deutsch left, Deputy Attorney General Jamie
Gorelick continued that process and she has been now for well
over a year.
It seems to me, looking at it from the outside, that the
discussions have withered away and do not appear to have the
attention or the focus of the necessary officials in the
Administration. In its place appears to be unilateral
declarations. The Administration, through a new policy unveiled
by Vice President Gore, implemented new regulations. Industry,
not satisfied with this action, is lobbying for enactment of
the SAFE legislation. I was always interested in the past to
see representatives, actual employees of the software
companies, coming up here, and lobbyists paid by them to
represent those software companies on this issue oftentimes
unaware of what had happened with negotiations with the top-
level CEO's in their own companies.
I think this matter of encryption control is a very serious
matter, yet it appears the issue has been left to drift off the
legislative cliff. We need, I think, to find a balance, an
option that works in the real world. That would entail intense,
very high-level negotiations and compromise, it seems to me,
much like the negotiations were leading to, I thought, that
Deutsch was leading.
So my questions, to begin with, are what steps are being
taken to reengage at the highest level industrial CEO's to find
a realistic, workable balance, or is something going on that
you can't talk about here or that you can talk about here? Who
is the Administration's point person in this dialogue? When was
the last dialogue meeting with top leadership of the software
companies? When is the next meeting? Is anything like this
happening?
Mr. Reinsch. I can make some comments, Mr. Bereuter,
without going into all the details of 2 of 3 years of history
on this which I see in some respects similar to your points and
in some respects, I think, different than the points you have
made. I don't think we have become unengaged, if you will.
I think after Mr. Deutsch's departure from the government,
the dialogue has ensued really on two levels. There was a
direct dialogue with law enforcement and with the Justice
Department and the FBI, which I think Mr. Lee could comment on
separately, which was designed to put those two groups in
direct contact for discussions, in many respects, at a
technical level of how they could help each other and how they
could try to advance the ball from that point of view.
Mr. Bereuter. With the industry? A dialogue with the
industry?
Mr. Reinsch. That is correct. I am sorry. Yes, with the
industry.
In addition, we have continued the dialogue at senior
levels, both with individual executives and also with several
large groups, both hardware and software, that have become the
representatives, if you will, of that point of view. Throughout
this dialogue, whether before or after Mr. Deutsch's departure
from the government, at no time has the industry abandoned or
dropped its goal of passing Mr. Goodlatte's bill and we don't
assume that there is anything that we can do that will cause
them to change their mind. When Mr. Goodlatte is offering them
the whole pie, I wouldn't expect them to deny the opportunity.
At the same time, I think that what we have done with them
has been very successful in addressing a lot of the problems
they have identified, and I think if you go back and look at
their reaction, you can ask the following panel. Ask Mr. Smith,
who will be on after me and some others about their reaction
after the Vice President's announcement in September. I think
you will find that it was quite a positive reaction and a
welcoming reaction as a product of some constructive dialogue
we had at that time. Their final sentence was, this is great,
we want more. We respect that. But I think it has been a
successful relationship. It goes on.
I think the next encounter is likely to be the 10th of June
when we have a group of CSPP CEO's coming to town on several
subjects. Computers is probably at the top of their agenda, but
I am sure encryption will not be far behind and I am sure they
will be meeting with representatives of the Administration. I
understand they will be up here as well. I think that will be a
chance to renew the dialogue collectively, but there are
frequent opportunities for one-on-one or smaller group
discussions. My secretary, Mr. Daley, has been to California
several times in the last 3 or 4 months, as have I. We have
these discussions every time we go.
Mr. Bereuter. Secretary Reinsch, I would expect that
seeking the whole pie, Mr. Goodlatte's legislation, would be a
good negotiating tactic. I wouldn't deem it impossible to find
something that is balanced despite their almost unanimous
support for it.
Director McNamara, my understanding is that the Wassenaar
agreement still allows the export to countries that set
different standards. I can't understand really, in that
situation, how you are able to achieve your purposes in
protecting the national security or how law enforcement is able
to pursue at the local, national, or State level their
objectives when you have got this differential under Wassenaar.
What am I missing here? Is that a problem or am I wrong about
the impact of Wassenaar on the exports to the various
countries?
Ms. McNamara. The existence of Wassenaar allows countries
to actually have something to connect an export control regime
to in those countries that didn't have a regulatory
underpinning in their countries. It is all up to national
discretion, as it is in our----
Mr. Bereuter. It is differential in its application, isn't
it, Director McNamara?
Ms. McNamara. I am sorry, sir?
Mr. Bereuter. It is differential in its application,
country-to-country?
Ms. McNamara. Yes. Country-to-country, as it is here. But
it is fundamentally based on end-use and end-user and there are
agreements that are in common, like preventing the export of
encryption to terrorists and we can do, actually, a comparison
for you, sir, if that would be helpful.
Mr. Bereuter. It does seem to me that the end-user approach
is unenforceable in reality. Secretary Reinsch, one final
question. You mentioned in your written testimony at least that
you believe the Goodlatte bill, as drafted, could inhibit the
development of key recovery even as a viable commercial option
for those corporation end-users that want it in order to
guarantee access to their data. Could you elaborate on that?
Mr. Reinsch. Yes, Mr. Bereuter, if I can find the
provision. I think if you look at--I wouldn't say, by the way,
that--I tried to phrase that statement in my testimony
carefully because I wouldn't say that the problem is as big in
this bill as it is in some other ones that have been
introduced, but I think if you look at, in general, the
provisions on page--in my draft, which I think is the one with
all the cosponsors on the front, the provisions on page five
and page six of the bill. We would interpret them as
significantly discouraging the use of key recovery. I would not
go so far as to say the bill prohibits that, but we think it
has an inhibiting effect.
Mr. Bereuter. You did say inhibit and that is the word I
tried to use in your quote. I will look at those. Thank you
very much. Thank you, Madam chairman.
Ms. Ros-Lehtinen. Thank you. Mr. Goodlatte, we are going to
recognize you in a moment even though you are not a Member of
our Committee. Mr. Delahunt.
Mr. Delahunt. Yes, thank you, Madam chairwoman. I have had
the benefit of this testimony in my capacity on the Judiciary
Committee and I have had an opportunity to engage in some
dialogue. I would just make some observations. I think that
both Mr. Bereuter and Mr. Menendez have articulated some of the
concerns I know that you have heard from me in terms of those
who are sophisticated and have an intent to indulge in illicit
activity, you simply can't deter them, given the realities of
foreign availability. I think this is the problem that we are
wrestling with. I think, if I am correct, Director McNamara, I
think you just acknowledged that earlier in your testimony? I
don't want to put words in your mouth, but that was the
conclusion that I draw.
Ms. McNamara. We are never going to stop everyone from
breaking the law. That is true, sir. But coming down in the
car, I happened to be thinking that just because somebody
speeds through a school zone doesn't necessarily mean we raise
the speed limit in the school zone.
Mr. Delahunt. Right.
Ms. McNamara. There are some products available overseas. I
would appreciate it if you accept Mr. Gilman's earlier offer
when he announced the classified session on Thursday and I
would be happy to talk about this in more detail at that
session.
Mr. Delahunt. I hope to accept that invitation, but I am
just saying for those who are unable to go to that particular
briefing. I think that the concern that I have from a national
security perspective, if the development of encryption
technology in this country is impeded--put aside for a moment
the adverse impact in terms of our balance, in terms of our
economy--what we are going to have is these cutting-edge
encryption technologies far surpassing what we have available
to us. If the marketplace is really driving this issue. I think
I understand where you are heading. I think, particularly, I am
addressing this to Ms. McNamara, not just because you are a
former resident of Massachusetts, because I know you have
strong feelings about this particular issue.
Ms. McNamara. About Massachusetts, sir.
Mr. Delahunt. About Massachusetts, obviously. Don't worry,
they won't tear down Fenway Park. I can assure you that.
But my point is, particularly from a national security
perspective, we are dealing with a level, I presume, of
sophistication in terms of potential adversaries where they
will take advantage of cutting-edge technologies that are
available in the marketplace. This is the bottom line in terms
of the concerns that I have and, at the same time,
disadvantaging our, commercial interests as far as competing in
the global economy.
Ms. McNamara. As Mr. Reinsch said, if I may, as Mr. Reinsch
said and I said in my testimony, we do not want to impede the
creativity of U.S. industry. That is not our goal. We want to
see U.S. industry succeed and we want to see them succeed
overseas. What this bill does, though, is eliminate all control
mechanisms on exports.
Now when we say that, what we want to see is a regulatory
process where, outside of those sectors who have broad relief
and therefore have--they can sell their products anywhere in
certain sectors and for electronic commerce for certain
purposes, we want to see a review process and we want to see
who the end-user and the end-use is going to be so we can
understand the product.
Mr. Delahunt. I don't disagree with what you are saying in
the stated goal. But, at the same time, I think what we have to
remember--you refer to Wassenaar and it is discretionary and I
don't think we ever level off that playing field until we have
an enforceable multilateral export control regime. I just don't
see--that all nations will respect and that do not disadvantage
commercial interests and we are not going to do this with an
agreement, that is related to the Wassenaar compact.
Mr. Reinsch. I think--if I could comment, Mr. Delahunt--
what intrigues me about this line of argument--and it was
similar to the one that Mr. Menendez was putting forward--is
the interesting question is what do we do in the interim before
we reach that point. We may never reach that point, but let us
assume that we are striving for an effective multilateral
arrangement, which would deal with this.
Mr. Delahunt. Right.
Mr. Reinsch. I think that is a fair statement. What do we
do between now and then? It seems to me that the suggestion you
are making is almost that because we cannot succeed completely,
we should give up. I think we are not prepared to give up
simply because we are not going to be perfect.
Mr. Delahunt. Again, I think you have got to deal with the
realities on the ground. Mr. Lee and Chief, you say there are
incidents that have occurred in terms of encryption. Can you
quantify them? Give us some hard data in terms of--Chief.
Mr. Voegtlin. Actually, like, Mr. Menendez, I am not a
rocket scientist nor am I police chief. I just represent the
police chiefs. As a matter of fact, in preparing for this
testimony today, I was on the phone with State police directors
in some of the largest States in the country asking them to
quantify the number of incidents. It kind of goes to the point
that you are making. What they told me is that right now, since
this is in a growing area, most of the evidence that they could
give me is anecdotal, but I think it speaks to the larger issue
of what you are talking about, that it is already out, that the
cow has left the barn or the horse has left the barn on this
issue.
But--and this is going back to me not being a rocket
scientist--from what we understand here, there are questions
about reliability, as Chairman Gilman mentioned, with foreign-
made products, that there is not a whole lot of robust
nonrecoverable encryption out there right now that is being
used.
Mr. Delahunt. Let me just regain my time and I know my time
is expiring and I just would ask for a minute's worth of
followup here. The reality is, I compared it during the hearing
in the Judiciary Committee to an imaginary line. You simply buy
it here. You don't even have to get on the plane and go across,
the ocean. Just download it and it is available instantaneously
all over the world. The criminal element that most chiefs of
police deal with on a regular basis--I served in the law
enforcement community for 21 years and when they start using
encryption, that comes as a surprise to me.
Mr. Voegtlin. That is----
Mr. Delahunt. These violent criminals--and I think that is
the concern that most Americans have in terms of traditional
street crimes which local chiefs of police and State police and
local prosecutors deal with--God forbid they start using
encryption because we are in real trouble.
Mr. Voegtlin. Congressman, and if I can----
Mr. Delahunt. I am talking about the, you know----
Mr. Voegtlin. I know who you----
Mr. Delahunt. Most of us aren't rocket scientists.
Mr. Voegtlin. Right.
Mr. Delahunt. Most of us have difficulty logging on.
Mr. Voegtlin. That is exactly the point that we are trying
to make in that when encryption, highly robust encryption,
becomes widespread, when the United States--which is a market
leader in this area and would be with this legislation--takes
the lead in the manufacture and distribution of this robust,
unbreakable encryption, it will become easier for those street-
level thugs to use encryption. The problem will become more
widespread and----
Mr. Delahunt. With all due----
Mr. Voegtlin [continuing]. Let me just finish.
Mr. Delahunt. OK.
Mr. Voegtlin. In the opinion of the International
Association of Chiefs of Police, what you are facing is a
choice: whether or not you want to take this kind of software,
make it available widespread to increase its use, to allow
people on a low-level of crime--I know we are always going to
be dealing with folks who are drug lords who have unlimited
resources--but when you start putting it on the street level,
it becomes more widespread and that is our concern.
Mr. Delahunt. With all due respect to your position, I
wasn't a chief-of-police, I was a chief prosecutor in a major
jurisdiction. I daresay, that, availability to the street-level
criminal simply is an argument that is disingenuous, with all
due respect. I can't accept that argument. I know better. I
know better. I yield back and thank the Chair.
Ms. Ros-Lehtinen. Thank you so much, Mr. Delahunt. Mr.
Goodlatte, if we could recognize Mr. Gilman for one question
before we turn to Mr. Goodlatte.
Mr. Gilman. Just one question in response to what the
testimony has been. The gentleman made the point that there are
always people willing to do illicit acts and use means to
conceal them, but is that a reason to throw in the towel and
see encryption devices on every street corner in the hands of
every petty drug dealer? Isn't the issue here proliferation of
unaccessible encryption?
Mr. Voegtlin. Absolutely. That is exactly what we are
talking about--is when this becomes proliferated. When this is
widespread, the problems will multiply and State and local law
enforcement, which is only dealing with it on an anecdotal
level at the moment, will deal with it over and over again. The
resources of the State and local law enforcement agencies are
obviously less than the Federal Government. If they are already
dealing with it, imagine what it will be in 10 years when even
local dealers dealing with distribution networks on the street
level are able to communicate in absolute security that law
enforcement has no idea what they are talking about.
Mr. Gilman. Mr. Lee, would you care to comment on that
issue?
Mr. Lee. I would only add, Mr. Chairman, that I think you
have really pinpointed the issue and the public policy dilemma
for all of us. One of the things that I mentioned in my opening
statement is that we have been having very productive
discussions at a number of levels with law enforcement, arising
from the CEO interaction and, in large part, it is to look at
where industry sees the marketplace going and how we can better
understand their needs, how they can better understand public
safety needs, and what the possibilities are for a convergence
of those interests. That has been a very productive dialogue
and I think it is one way that we are, with industry,
addressing the question: How are we going to shape the way the
market looks? How are we going to stand up together and make
sure that all of the interests that Mr. Reinsch has mentioned
here as having to be balanced, make sure they are all balanced?
That is the challenge for all of us.
Mr. Gilman. Thank you.
Ms. Ros-Lehtinen. Thank you, Mr. Gilman. Mr. Goodlatte.
Mr. Goodlatte. Thank you, Madam chairman. First, I would
like to note that, as someone who was born and grew up in the
Commonwealth of Massachusetts, I am glad to find that I have
something in common with Ms. McNamara. I am sorry we don't
agree on this legislation, but we do agree on something that
Congressman Menendez said earlier, and I think it is absolutely
correct--and that is we are all concerned about national
security and law enforcement issues.
The issue here is not whether or even when strong
encryption is going to be available. It is available now and it
is going to be widespread very soon. The issue is how we are
going to deal with it and whether we are, as a nation, going to
cede this market to dozens of foreign countries and literally
hundreds of foreign companies who are already starting up and
producing this product. There are 650 strong encryption
products available in the United States from foreign sources
that could not be exported if a U.S. company made the same
product and attempted to sell it overseas. That is a serious
problem and one that our competitors overseas are well-aware
of.
The problem with the Wassenaar agreement is that it is
Swiss cheese. It is something that is loaded with loopholes.
The gentleman from Nebraska is exactly right. It can be applied
differentially in different countries. It is being done. The
aspect of this related to recoverable encryption is one that is
being rejected. Madam chairman, if I may, I would make a part
of the record an article from the National Journal of
Technology Daily pointing out that the French who were
previously cited in previous hearings as one of our strongest
allies in this effort to control encryption have abandoned key
recovery.
Ms. Ros-Lehtinen. Without objection.
Mr. Goodlatte. Then the following day an article, also in
Tech Daily, pointing out that the British government has
abandoned key escrow or key recovery, leaving us with a
situation where, as more and more countries do this--and I
don't know of any that has attempted to implement a key
recovery scheme--we are going to be put in a position where we
are holding back the ability to make strong encryption
available to people who want to use it, except if they want to
download it from the Internet, buy it from foreign sources and
the only folks who are going to be impacted negatively by this
are the U.S. companies who aren't going to break the law. They
are not going to violate our export control laws, but dozens of
great companies from IBM to Microsoft to Sun Microsystems to
the list goes on and on and on, they are going to be competing
with one hand tied behind their back. So the effect is going to
be they either send the business offshore or they cede this
business to foreign competition.
Now, with regard to recoverable encryption, the gentleman
from the Commerce Department has indicated that you are not
calling for a key recovery system, but the gentleman from the
Justice Department keeps referring to recoverable encryption.
During the hearing in the Judiciary Committee, I asked him what
he meant by recoverable encryption if it wasn't key recovery
and he said that there are many technologies that aren't
strictly speaking key recovery that do promote the interests of
law enforcement as well as other government interests.
If you are not referring to key recovery, Mr. Lee, what are
you referring to? You have still, in spite of having agreed to
respond to that, not responded to that in any substantive way
to give us other ideas of what you mean, if it is not key
recovery. It might be the Clipper Chip, which is a notorious
proposal of the Justice Department of a few years back where
the chip was embedded into the computer itself and was
thoroughly rejected by everybody involved in the process. But
what are you referring to?
Mr. Lee. It is not the Clipper Chip. I was referring to a
variety of technologies which are going to depend on the
application, on the market sector, on the end-user, on the
business need. What each of those technologies have in common
is that they provide some capability to provide plain text upon
presentation of a lawfully authorized court warrant.
Some of the examples that we have given--I obviously don't
want to get into proprietary information or favoring particular
companies, but--for example, the consortium of private doorbell
companies that came to us and proposed a method, which
Secretary Reinsch can elaborate on, which would allow the
export of strong encryption while also meeting law enforcement
needs. There are many others. They are detailed on various web
sites. I don't have an exhaustive catalog of them here, Mr.
Goodlatte, but there are a variety of different products.
Again, no one of them is--there is no such thing as a key
recovery system. That is a term that we were using to refer,
perhaps unartfully, to the concept that a product which is
designed and marketed to meet a business need also supports the
needs of law enforcement. That is all we are after. We are not
wedded to any particular technology or product or application.
Mr. Goodlatte. But you would mandate that every company
that wants to manufacture and export a product in the United
States for sale overseas have that type of device attached to
it in spite of the fact that we are confronted with a flood of
foreign competition that would not have that mandated to it
and, in fact, would be advertising that they have a product
that is secure that U.S. companies cannot offer. In fact they
are advertising that fact right now.
Mr. Lee. Sir, we would not mandate that. As Secretary
Reinsch and the other panel members have testified, in pursuant
to the encryption export updates last September, there were a
number of encryption products for a number of very important
sectors, very significant parts of the world economy where
encryption does not have to provide those kinds of
capabilities. Also----
Mr. Goodlatte. So you would not object to the provisions in
this bill which prohibits the government from mandating key
recovery or key escrow?
Mr. Lee. That wasn't my testimony, sir.
Mr. Goodlatte. Please clarify then.
Mr. Lee. We have testified, both in our written statements
and in our verbal testimony, that we are concerned that
provisions in H.R. 850 would inhibit the government from
encouraging the use of key recovery, key escrow, other types of
plain text availability systems, both for its internal use and
for people seeking to do business with the government. You also
have Secretary Reinsch's testimony on that point.
Mr. Goodlatte. What do you mean by the word ``encourage?''
Mr. Lee. The government has a number of statutory
obligations to make information available to its citizens:
document retention programs, government public-right-to-know
information, all the information that the government has is
held in trust. If that information is encrypted, we have a
responsibility, which is set out in statute, to make sure that,
at the appropriate time, that information will be made
available to the public. So that is the kind of obligation
where some kind of plain text recovery system is going to be
necessary to meet that obligation. Again, contractors, others
who are collecting information for that purpose would----
Mr. Goodlatte. There is nothing in the legislation which
prohibits the government from having its own key recovery
system for its own record keeping purposes. But we do prohibit
the government from mandating that anybody who does business
with the government, which is virtually every business and
every citizen in the United States, from using a system that
requires a key recovery system to be attached to it. If they
prefer for their own security and their own privacy to not have
a key recovery system, as many people do, we do not allow the
government to mandate that. But we do not prohibit the
government from having its own key recovery system for its own
purposes. Nor do we prohibit any private business from doing
that for those who choose to do it. It is not the business of
the government to mandate to people whether they should have
key recovery or not have key recovery.
The problem with it is if you mandate it and other creators
of products in other countries do not. They have a tremendous
market dominating advantage in selling a whole array of
hardware and software products that are going to be using
strong encryption when they can say that they can guarantee you
that no one, the U.S. Government or anyone else has a key to
that system.
Mr. Lee. The government does a number of its business
through contractors and one of the concerns we have is that
this would prevent the government from doing its business in
the way that the government deemed most appropriate when the
contract is----
Mr. Goodlatte. So you would insidiously put key recovery
into the entire country by saying that if you want to do
business with the U.S. Government, you have got to have key
recovery. That is what you mean by encourage. When you say you
really don't want to mandate key recovery, but you want to
encourage it by saying if you want to do business with the
government online--which everybody will be doing in the near
future--you are going to require that they have a system that,
if they do business with the government, has a key recovery
feature. Is that what you are saying?
Mr. Lee. I guess, a couple of points in response, if I may.
It wasn't my testimony that the government is going to be
seeking to do those things. I have testified what the
government's position is, as have the other panelists. The
government's policy, the Administration's policy, is that there
are not restrictions on the use of encryption. What I did
testify, Mr. Goodlatte, was that, to fulfill its statutory
obligations in the way that it deems best, the government may
decide, if it is necessary, to have some form of key recovery.
Mr. Goodlatte. Require contractors doing business with the
government to use key recovery as well?
Mr. Lee. In order to fulfill statutory obligations such as
record keeping, that may be a possibility. I wouldn't----
Mr. Goodlatte. When you say contractors, would that be
other people doing business with the government like taxpayers
filing tax returns?
Mr. Lee. I was dealing with the situation of contractors.
Again----
Mr. Goodlatte. Where would you draw the line? I just want
to make it clear why this bill draws the line at saying we are
not going to be mandate because of the fact that this is an
all-encompassing thing. Once you start down that road of
saying, if you want to do business with the government, you
have got to use key recovery, you can, very shortly, require
that virtually every system of communications that we have in
the country have key recovery, not by mandating it, but by, to
use your phrase, encouraging it because if you want to
communicate with the government in this fashion, you have got
to do that.
Mr. Lee. I think with the possible exception of Washington,
D.C., we may have a difference of opinion of the impact of the
U.S. Government on the overall economy.
Mr. Goodlatte. I don't know many law-abiding citizens who
don't file tax returns or don't have to communicate with the
government on a whole host of other issues that are vitally
important to them from social security and Medicare to census
taking to--the list goes on and on and on.
Mr. Lee. I also respectfully disagree that the government
is trying to do something insidious here. What we are trying to
do is to make sure that we fulfill our statutory obligations.
Mr. Goodlatte. I don't--certainly there is no statutory
obligation to impose key recovery because, at this point in
time--and I hope forever in the future--we do not have any kind
of domestic limitations on the use of strong encryption or the
requirement that you use a key recovery system to protect your
privacy, to protect your property, which is what strong
encryption is designed to do. Thank you, Madam chairman.
Ms. Ros-Lehtinen. Thank you so much. Mr. Sherman.
Mr. Gilman. Madam chairman, before I go----
Ms. Ros-Lehtinen. Yes, Mr. Gilman.
Mr. Gilman. Can I just make a unanimous consent----
Ms. Ros-Lehtinen. Absolutely.
Mr. Gilman [continuing]. The May 11th letter from the
president of B'nai Brith, Richard Heideman, on encryption
issues be made part of the record.
Ms. Ros-Lehtinen. Without objection.
Mr. Gilman. Thank you, Madam.
Ms. Ros-Lehtinen. Thank you.
Mr. Sherman. Madam chairman, I would like to pick up on the
questions being asked by the honorable gentleman from Virginia.
Mr. Lee, maybe you could just put our minds to rest. Will this
Administration ever say that, in order for a bank to have any
deposits of the U.S. Government, that it must divulge the key
recovery information as a condition for having U.S. Government
deposits? Are you keeping open that hammer that you would use
to deprive Americans of their privacy?
Mr. Lee. I have testified, as have my fellow panelists,
that it is the Administration's policy not to seek mandatory
regulation of key recovery.
Mr. Sherman. I am not talking mandatory. I am saying, as
you may know, the U.S. Government sends out an awful lot of
social security checks. Those are being sent out by wire to
banks across this country. Will the Administration ever tell
banks that they must divulge the key information in order to be
eligible to receive such wired social security deposits?
Mr. Lee. I think the wise thing for me to do would be to
defer that question to Secretary Reinsch.
Mr. Sherman. You've shown tremendous wisdom.
Ms. Ros-Lehtinen. He's a country lawyer.
Mr. Sherman. Now let us see whether the Secretary will show
wisdom. Can you put our minds to rest or are you going to----
Mr. Reinsch. All I can say, Mr. Sherman, is that I have
been involved in, as far as I know, most of the discussions
that have gone on this issue for the last 3 years and nobody
has even thought about that. Nobody has even----
Mr. Sherman. Nobody has thought of it. Can you tell us
how----
Mr. Reinsch. Nobody has thought of that. Nobody has
suggested it.
Mr. Sherman [continuing]. That gentleman from Virginia has
thought of it. Can you put our minds to rest or could we face
that mechanism of trying to force the divulging of key----
Mr. Reinsch. I can only tell you what I have said because I
am not in the bank regulatory business. If you want to know
what is contemplated with respect to bank regulation, you will
have to have ask the bank regulators. I haven't talked to them
about this. As far as I know it has never occurred to them and
it is not on their agenda, but I certainly wouldn't presume to
speak for them.
Mr. Sherman. But you are representing the Administration
here in terms of a desire to have access to a key that would
allow you to decode encrypted information. In that capacity,
will you be pressing to use all of the levers of the
Administration to try to compel domestic organizations doing
domestic business with American citizens, will you try to
penalize them or take away their right to do business with, for
example, social security recipients because they do not divulge
the key?
Mr. Reinsch. As far as I know, we have no intention of
doing that. But let me stress, at the same time, what Mr. Lee
said. The issue here isn't keys, from a law enforcement point
of view, the issue here is data and access to data. Key
recovery and the existence of the key is one means of achieving
the objective. The Department of Justice and other law
enforcement entities have, as far as I know--and have said this
many times and I think Mr. Lee said it today--have no interest
in trying to expand their capacity to obtain private
information beyond what existing laws and existing courts
permit them to do.
What we are trying to deal with here is simply a means of
how do you apply existing court rulings and legislation with
respect to law enforcement access to private information to a
new technology? We are not trying to expand the right of
access. I think the best way to look at this debate is to focus
on the information and----
Mr. Sherman. Excuse me, I have a limited amount of time.
You have gone well beyond the question I asked.
There is, I think, no prospect of getting Congress to give
the Administration or any Administration domestically what you
are seeking internationally. Do you disagree or will you be
proposing legislation that would prevent someone from buying
encryption, strong encryption, at their local software store?
Mr. Reinsch. We have testified to that many times and it is
in my statement. We have no intention of doing that.
Mr. Sherman. So what we have is a situation where you can't
go after what you would like domestically, so you want to
punish the U.S. software industry by putting it at a
disadvantage vis-a-vis its foreign competitors. Not
surprisingly, our foreign competitors and their governments
have welcomed this effort and have engaged in a little dance at
Wassenaar where they pretend to be interested in preventing
their companies from marketing strong encryption worldwide and
we fall for it and are now in a process of giving away what may
be the world's most important industry to our foreign
competitors. Then you come to us and you show us how beautiful
our economic competitors' dance at Wassenaar and give us that
as a reason why we should bludgeon our own industry and make it
more difficult for them to compete worldwide.
I know there is a question in there somewhere.
Mr. Reinsch. Was there a question in there, Mr. Sherman?
Mr. Sherman. There will be a question, I assure you, Mr.
Secretary.
Mr. Reinsch. All right.
Mr. Sherman. That question is: For Mr. Voegtlin--Gene, I am
mispronouncing your name.
Mr. Voegtlin. Voegtlin.
Mr. Sherman. Voegtlin. That is: You talk about how you
don't want street thugs communicating with each other, using
encryption you cannot decode. Is there any prospect of
preventing that when, in fact, your colleagues here
representing the Administration won't even propose legislation
that would prevent any American, criminal or otherwise, from
getting all kinds of encryption from their local software
store?
Mr. Voegtlin. As you say, they represent the
Administration. I do not.
Mr. Sherman. Will you be proposing the legislation that
they are unwilling to propose?
Mr. Voegtlin. If I could, I don't know if we would. But I
will say this and I would like to get this as clear as I can.
The folks that I represent view this as an issue of great
importance and, to them, a simple choice. You have a choice--
they understand the need for encryption. They agree that it has
legitimate uses. But they are more concerned about trying to--
and trying to do their jobs and how encryption prevents them
from doing it.
If they had the answer to this issue, I wouldn't be up
here. Actually, I would be a very rich man. I am not, so they
don't. But what I think you are all confronting here is a basic
choice. You need to find some kind of balance between strong
recoverable encryption that can fulfill the vast majority of
legitimate uses and strong unbreakable encryption that could be
put to insidious, dangerous, frightening uses.
I know that is an answer that doesn't answer. But, again, I
don't have the answer for you. All I can try to tell you is
that we are facing----
Mr. Sherman. I agree with you completely. I agree with you
completely. I don't have the answer. You don't have the answer.
There are elements of the Administration so angry that there
isn't an answer that they would just like to bludgeon the hell
out of the U.S. software industry. They are, of course,
encouraged by our foreign competitors. But it is certainly not
an answer to say that we are going to allow something to be
purchased at every software store in America, but we are going
to prevent legitimate people from exporting that same software.
Because I will ask you, speaking on behalf of the police
chiefs, do you know of any mechanism that the police chiefs can
use to prevent anything that is purchasable at every software
store in America from being exported, either physically or over
the line to criminal figures in other countries? Do you have
any prospect at all of preventing that?
Mr. Voegtlin. I have no information myself. I would be glad
to check with our Committees that deal with terrorism,
international crime, and organized crime and see if any of
those experts have an answer.
Mr. Reinsch. Actually, Mr. Sherman, if I could comment.
That is my job. The other half of what BXA does is enforce the
Export Administration Act and that is what we try to do. The
answer to your question is, in the circumstances you have
described, it is extraordinarily difficult. There is no
question about that.
Mr. Sherman. Is extraordinarily difficult, is that
Washington talk for completely impossible?
Mr. Reinsch. It is not.
I try to avoid Washington talk.
Mr. Sherman. Again, if I were to walk into Egghead, buy
something, and send it over the Internet to somebody in Canada,
wouldn't you think that would be like completely impossible for
you to stop me?
Mr. Reinsch. What we have said about this many times and
what Ms. McNamara said earlier is, if somebody wants to defeat
the system, they can do that. There is no question about that.
We have never denied that. I would not go so far as to say it
is clearly impossible. We have a number of investigations going
on. We do catch people. Never underestimate the stupidity of
some of the people we have to deal with.
I didn't say that.
Mr. Sherman. It is a shame that you do have to deal with
Congress.
Again, I think that you are----
Ms. Ros-Lehtinen. He is not going to name names.
Mr. Sherman. I think my time has expired.
Ms. Ros-Lehtinen. Thank you, Mr. Sherman.
Mr. Burr. Let us move on.
Mr. Burr. Mr. Secretary, your comments are shared.
Mr. Reinsch. We may be talking about different people,
though, Mr. Burr.
Mr. Burr. I feel confident we are. Mr. Secretary, I would
like to read some statements to you and ask you some questions
relevant to those statements. The first is, and I quote, ``As
the line between military and civilian technology becomes
increasingly blurred, what remains clear is that a second-class
commercial satellite industry means a second-class military
satellite industry as well. The same companies make both
products and they depend on export for their health and for the
revenues that allow them to develop the next generation of
products.'' If we replaced the word satellite with the word
encryption, do you think that statement would still stand?
Mr. Reinsch. First of all, Mr. Burr, I am delighted to see
that Members of Congress are reading my speeches. It warms my
heart. I encourage you share that with some of your colleagues.
I would love to have them look at it.
I think, as a general statement, yes. I think that
statement would stand. I think there are a lot of similarities.
I was thinking when you made your opening comments, which I
felt were quite thoughtful on this subject, that it would be
appropriate to apply the comments you made to some other
situations as well. That does not mean, however, in either of
those cases, this one or the other one, that the answer is no
controls. I think it means that the answer is balance and a
realistic view about what is controllable and what is not and
what the national security implications of both are.
Mr. Burr. I hope, from my opening statement and from my
line of questions, you will understand that I think the
difficulty that we have or the disconnect with all of our
witnesses and many of the Members here and I think what we
struggle to understand is we see this reality of the access
that the domestic market has today, our inability to limit in
any way encryption products, yet some belief on the part of the
Administration and others that there is a way to do it. If
there is, then share that with us. If there isn't, then, as Mr.
Sherman said, let us find the best balance to allow our United
States companies to compete in this global marketplace.
Let me go on one more statement. ``Some of these satellites
bring telephone, television, and Internet services to the
Chinese people. I believe such services are an integral part of
any effort to bring democracy and freedom to China.'' Could the
same be said of strong encryption products, which might provide
those movements for democracy in China to stay behind the
prying eyes of the Chinese government?
Mr. Reinsch. Mr. Burr, that is--I would say two things
about that. I think that is certainly true. I think, at the
same time, some of your colleagues, particularly those on the
Armed Services Committee, would make exactly the other point
here and that is do we want to sell strong encryption to the
People's Liberation Army so it could be further used to protect
their own communications from our intelligence and to further
oppress the Chinese people?
Mr. Burr. Do we currently allow encryption products to be
placed on the satellites that we export?
Mr. Reinsch. The satellites that are launched have
encryption which might best be described as--and it is an
outdated encryption--it is encryption that allows us to encrypt
the signals that control the movement of the satellite.
Mr. Burr. Does it limit one's access to the information off
of the satellite?
Mr. Reinsch. I will defer to our satellite export.
Mr. Burr. It is not a proprietary question.
Ms. McNamara. The encryption that has been used on U.S.
satellites that have been sold overseas, when there is
encryption used, it is, as Secretary Reinsch describes, for
telemetering the satellite itself and, for the most part, in
fact, I believe in all cases with regard to China, always
remain in the hands of U.S. persons. It does not have anything
to do with the actual transmission of information over that
satellite. It is for the control purposes of the satellite and
when the U.S. persons were there at launch, the U.S. encryption
that was used was, in fact, retained in the hands of the U.S.
parties on the ground.
Mr. Burr. But there is no encryption product in the
satellite which protects the security of the data that is
transmitted from the satellite?
Ms. McNamara. In fact, these are dumb satellites. It is
what--it is the medium over which people communicate. If the
communications or the originator of the communications uses
encryption, then the information being passed over that
satellite is encrypted. But it is encrypted from the ground,
not because it transmits over the satellite.
Mr. Reinsch. If I could comment, Mr. Burr, though, Mr.
Goodlatte's bill, You have touched on a very central dilemma.
Mr. Goodlatte's bill would, in effect, permit the sale of
strong encryption both to Chinese individuals who want to
encrypt their communications in order to, do things that their
government would probably rather have them not do and it would
also permit the sale of that same encryption to other forces in
the Chinese government who don't want that to happen.
Mr. Burr. I think the part that possibly Mr. Goodlatte is
frustrated over is the willingness for the Administration to
understand the frustration that currently exists when that
product is available here in this country, can be transmitted
sold, carried out of the country to be used by people that we
restrict U.S. companies from marketing like product to. I
think, to some degree, we are like the ostrich with the common
practice of the head in the hole. When we have our head in that
hole, we believe nothing goes on while we are there. The fact
is, in reality it is, isn't it?
Mr. Reinsch. If it will make Mr. Goodlatte feel any
better--and I think he knows this--I am at least as frustrated
as he is, perhaps for different reasons. But we are working
very hard to try to prevent the situation that you have
described from occurring. I have testified in other
circumstances, I think, in the past before this Committee, that
I, for one, would say if we were to reach the point at which
you, in terms of commercial consequences, that you are
anticipating, I would hope that the Administration would be
wise enough to see that and adjust its policy.
I think the disagreement we might have is whether or not
that point has arrived now and, if not, how quickly it will
arrive. I think what Ms. McNamara suggested is that, for a
number of reasons, we find that point somewhat more distant
than the Members of this Committee probably do.
Mr. Burr. I hope you understand that my questions are more
broad than specifically to the encryption issue. If my
understanding is correct, this time next year, with the Merced
chip in computers, the off-the-shelf leader model with exceed
the M-top standards that we currently have requiring export
licenses. Is that accurate?
Mr. Reinsch. Oh, no question. In fact, I can tell you, I
think my latest sound bite on that is if we don't change what
we are doing by the end of the year, we are going to be
controlling Sony Play Stations. It is moving that fast. This is
also something the Administration is working quite hard on and
we expect to be able to consult with you all and share
something with you shortly. But I think it is going to come as
no surprise to you that there will be a substantial number of
Members in your body who will oppose any changes,
notwithstanding the point that you have made.
Mr. Burr. I would agree with your statement that there will
be quite a few people who oppose it.
Mr. Reinsch. I am delighted to hear the consistency of your
point of view. Not all of your colleagues are consistent on
these two sectors.
Mr. Burr. My hope is that that consistency is something
that becomes contagious with the Administration.
Mr. Reinsch. We strive for it every day.
Mr. Burr [continuing]. As it relates to the need for these
technology companies to, one, compete; two, compete on a level
playing field for the effort to grow to the next generation.
With that, I will yield back.
Ms. Ros-Lehtinen. Thank you. Mr. Rohrabacher.
Mr. Rohrabacher. Yes. Speaking of consistency--and I will
just put it right out front--I find it a bit appalling that
representatives of this Administration would be here so
adamantly arguing for something they claim to be, based in
national security, like this encryption debate, while, at the
same time, labeling Communist China, which is, at the very
least, a potential hostile power--if most of us believe that it
is a hostile power--by continuing to insist that we call
Communist China a strategic partner of the United States. So I
don't want to hear much about consistency in this debate on the
national security concerns of our country because the overall
policy toward China is doing far more damage to our national
security than any of this type of regulation that we are
talking about today. In fact, if there isn't a change in the
basic, fundamental approach to China, all of your talk about
national security is irrelevant.
What I see here is a lot of activity and a lot of effort
being put into this effort to--let us, I will just put it right
out--you are trying to strengthen government's control, not of
other people who are hostile to the United States, but trying
to strengthen government's control of ordinary Americans and
American enterprise. I don't want to--you hear this all of the
drug dealers are going to do this and the bad guys are going to
do this, but what do we end up with? Those guys are going to
end up with encryption anyway. This is the message I am hearing
all around me is these guys are going to end up--and I realize
that this is taking to it to absurdism, you might say, but the
fact is that when encryption is outlawed, only outlaws will
have encryption. Sorry to put it that way, but after listening
to the arguments today, I have just come to the conclusion that
the only impact you are going to have is on honest people and
on enterprisers and not on people who are hostile to the United
States.
You are going to have the doctors in this country. You will
have their electronic files open and available. You are going
to have the lawyers, the bankers. I am a former journalist--
trying to tell me that you are going to say you are not making
it mandatory, but you are going to say it is going to be
conditional, these restrictions are going to be conditional on
whether or not people are dealing with the government?
Journalists have to get up on their computer and dial in to get
their automatic press releases now. The press releases aren't
handed out on paper. They come over the electronic processes.
So in order to get those, the journalists, in order to get
information from the government, they have got to say that they
understand that their computers are going to be open to
government snooping? All in the name of getting the bad guys?
Let me just note: The government for the last 20 years has
had all of this control and the ability to go in and snoop as
you wanted to snoop and the drug war is a joke. You go down
into any city in the United States of America and any kid can
get drugs. This is telling us that we have got to open up the
possibility in the years ahead in the new millennium to have
this type of power in the hands of the government in order to
fight the drug war? It is a joke. You have been unsuccessful
with all that power already. Again, the only people you are
really going to affect are honest citizens like the doctors and
the lawyers, the journalists and the rest.
Let me just note this. In the years ahead, the computer
systems that we have are going to serve as the basis of
American prosperity. Like it or not, that is the world that we
are heading into. The Internet system will be used for
enterprise and purchases that are the foundation--look at our
stock market today. Where is the growth? Where is the faith in
the investors? It is in these Internet stocks. What you are
talking about is a threat to that foundation in order to make
sure the government has the power to snoop. Yes, we need
certain powers in the hands of the government to tackle the bad
guys. But, as I say, I don't see this as any type of threat to
the bad guys because the bad guys will be the ones to get it
and the good guys will be the ones who follow the law.
Here is my question. That is my statement. Here is my
question? I want to ask Mr. Lee this. Now your title, Mr. Lee,
is what?
Mr. Lee. I am an associate deputy attorney general at the
Department of Justice.
Mr. Rohrabacher. For?
Mr. Lee. The titles don't actually say for X or Y, but I
work in part on national security and international matters.
Mr. Rohrabacher. Was it you or your office that denied the
effort to get a wiretap on the suspect in the Los Alamos theft?
Mr. Lee. As other officials of the Department of Justice
have testified, there is a process set up where the counsel for
the Office of Intelligence, Policy, and Review reviews requests
from the FBI for that kind of search warrant.
Mr. Rohrabacher. Yes. So was it you or your office that
denied that request for a search warrant for a wiretap? I
understand that Mr. Lee who was the suspect in the case was the
only wiretap that was denied. Is that from your office?
Mr. Lee. Again--sir, I was not involved in that decision.
Mr. Rohrabacher. Was that your office?
Mr. Lee. There has been public testimony which, again, I
don't have the transcript in front of me, so I want to be
careful not to be inaccurate in any respect, but there has been
public testimony that the Attorney General asked a member of
the deputy attorney general's office to review that matter.
That was not me. I don't have any further firsthand
information.
Mr. Rohrabacher. That wasn't my question. Was it your
office? You are the head of an office. Was it your office that
denied that request?
Mr. Lee. Again, the public testimony is that the prior
incumbent of my office had a role in evaluating that request. I
do not have firsthand information and so I don't think it would
be appropriate for me to try to characterize it any further.
Mr. Rohrabacher. I will take that as a yes. Let me suggest,
as I did in my opening statement, when you have a wrong headed
Administration that has wrong headed policies toward people who
are hostile to the United States of America, no matter what we
do on this encryption, no matter what powers that we grant to
the government, we are not going to be safe. I feel, in fact,
very hesitant to grant the type of enormous powers, as we come
into this new age of electronics and computers, to grant this
enormous power to the Federal Government, especially one that
is represented by an Administration that is totally going the
wrong way on national security issues.
With that, I yield back my time.
Ms. Ros-Lehtinen. Thank you. Mr. Cooksey.
Mr. Cooksey. Thank you, Madam chairman. Earlier today, I
believe there was a question about the effect of H.R. 850 on
local law enforcement. It was mentioned that there was concern
about this effect.
I have a letter here from the Louisiana Sheriffs'
Association specifically endorsing H.R. 850 and rejecting the
escrowing of the encryption keys. I will ask this question of
any one of you that is willing to answer it. Can anyone explain
to me why the sheriffs in my area are not concerned about the
effect of this bill? I will take a response from any one of you
or all of you.
Mr. Voegtlin. I can't speak to the rationale of the
Louisiana Sheriffs' Association. Perhaps if you talk to folks
at the National Sheriffs' Association, they would be able to
fill you in. I can't speak to their concerns. I know, on behalf
of my membership, the 17,000 members that make up the IACP,
that they have expressed, both through numerous Committee
hearings and numerous membership resolutions that have been
passed, that they are very concerned about this issue and its
impact on their ability to perform at the State and local
level. I can't answer for the sheriffs.
Mr. Cooksey. Would anyone else like to try? In their
resolution--and I will read a couple of them--they said the
legislation proposed by the FBI would require all users of an
encryption to deposit a key with a key escrow agent that would
be available to FBI access. The FBI access would create and
maintain a dangerous and unnecessary vulnerability to
Louisiana's information computer infrastructure while failing
to offer any increased level of protection these systems
require. While the FBI's efforts toward recovering information
about criminal cases through high security encryption are well-
intentioned, the key escrow plan poses too many severe threats
to public safety, confidentiality, and legitimate computer
users that far outweigh the isolated benefits it may provide.
There is another resolution. Does anyone want to answer it
now?
Mr. Lee. Sir, it is hard to answer without having read the
letter which I have not had the benefit of doing. Again, the
Administration is not proposing some massive central data base
where everyone's keys would be kept. We have been quite clear
and consistent that, really, a variety of private agents who
would be serving people's whole range of security services for
business needs is what is envisioned and that is what we want
to work with industry on developing. One of the needs that we
think this set of services will have to address is the needs
that businesses have for the recovery of their information and
plain text.
Mr. Cooksey. Do you think each one of those could be
subject to hackers, to being broken into? Is that possible?
Mr. Lee. It is certainly possible.
Mr. Cooksey. Is it probable? I see someone out in the
audience shaking their head yes.
Mr. Lee. I don't have the information to answer that, sir.
Mr. Cooksey. Let me just state that I feel very strongly on
law enforcement. I have a very close working relationship with
law enforcement people in our area. We have some real
professionals, particularly some people from the Department of
Justice, the FBI. We have got some top people. But I quite
frankly don't feel that you see the same level of loyalty to
the principles of law enforcement in some of the political
appointees in your Department and it is really a disappointment
to me.
I am not a career politician. I am a physician. I don't
want to be a career politician and I quite frankly hold a lot
of the politicians in real contempt because of the
inconsistencies I see. Here I see the potential for some more
inconsistencies, but, that said, thank you, Madam chairman.
Ms. Ros-Lehtinen. Thank you so much. Mr. Campbell.
Mr. Campbell. Madam chair, out of courtesy to the next
panel and the fact that I haven't heard all of the testimony, I
will yield and thank you and thank the panel.
Ms. Ros-Lehtinen. Thank you so much. I will also furnish my
questions in writing in courtesy of the second set of
panelists. But we thank you very much for your patience and we
appreciate you being with us today and we will look forward to
continuing this dialogue as this bill goes through the process.
Thank you so much to all of you.
I would like to introduce the second set of panelists. We
will start with Ira Rubinstein, who is senior corporate
attorney for Microsoft Corporation. Prior to joining Microsoft,
Mr. Rubinstein was an associate with different law firms and is
currently a Member of the President's Export Council
Subcommittee on Encryption and serves on the Steering Committee
for Americans for Computer Privacy. Mr. Rubinstein is the
author of numerous publications addressing export controls and
encryption software.
Mr. Jeffrey Smith is a partner at the firm of Arnold and
Porter in the firm's Legislative and Government Contracts
Practices Division and serves as general counsel for Americans
for Computer Privacy. From 1995 to 1996, he served as general
counsel of the Central Intelligence Agency. Prior to that, he
was appointed by then-Secretary of Defense William Perry to the
Commission to Review the Roles and Missions of the Armed
Services. Mr. Smith has also served in various capacities
within Congress, including general counsel of the Senate Armed
Services Committee.
David Weiss is Vice President of product marketing at
CITRIX Systems. In this capacity, he is responsible for mapping
the company's long-term product strategy and direction. He was
instrumental in the release of the industry's first Windows
application and launching Internet technology and, prior to
joining the firm, he was a founding Member and Director in
marketing for Business Matters, Inc., a financial modeling
software company. This corporation, CITRIX, I am proud to say
is located in my hometown of South Florida and we are happy to
have David with us today. Thank you.
Mr. Alan Davidson is the Staff Counsel for the Center for
Democracy and Technology, a nonprofit, Washington-based
organization that works to promote civil liberties on the
Internet. Mr. Davidson is currently leading the efforts to
promote encryption policies that protect privacy and, prior to
joining the legal profession, Mr. Davidson was a computer
scientist. He worked as a senior consultant and designed the
information systems for NASA's space station freedom projects.
He also worked on technology and policy issues at the U.S.
Congress Office of Technology Assessment.
Ms. Dinah PoKempner is the Deputy General Counsel of Human
Rights Watch, one of the largest human rights monitoring
organizations in the world. Ms. PoKempner has performed field
research in Cambodia, Vietnam, Hong Kong, Bosnia, and Croatia
for the organization and currently directs institutional policy
in various areas, including electronics, communications, and
international law.
Mr. Edward Black is the President and CEO of the Computer
and Communications Industry Association, an international trade
association comprised of leading computer, communications, and
networking equipment manufacturers, software providers,
telecommunications, and online service providers. Prior to
being named president in earlier 1995, he served as vice
president and general counsel for CCIA since the mid-1980's. He
currently serves as the Chair of the State Department's
Advisory Committee on International Communications and
Information Policy.
We thank all of you for being here today. We will be glad
to put all of your statements in the record and we ask you to
please be as brief as possible.
Mr. Rubinstein.
STATEMENT OF IRA RUBINSTEIN, SENIOR CORPORATE ATTORNEY,
MICROSOFT CORPORATION
Mr. Rubinstein. Good afternoon, Madam chairman. I greatly
appreciate the opportunity to appear today before the Committee
on behalf of Microsoft and the business software lines of BSA.
I especially wanted to thank you, Madam chairman, for your
support of the SAFE Act in this and prior Congresses. I also
want to thank the other Committee Members who cosponsored the
bill this year.
American software and hardware companies have succeeded
because we have responded to the needs of computer users
worldwide. One of the most important features users are
demanding is the ability to protect their electronic
information and communications securely. American companies
have innovative products that can meet this demand and compete
internationally, but there is one thing in our way: the
continued application of over broad and restrictive U.S. export
controls.
BSA strongly supports the SAFE Act because it modernizes
and liberalizes U.S. export controls. We urge the Committee to
report the SAFE Act without amendment and we look forward to
its passage in the House this year.
I want to emphasize three points today. First, any effort
to control mass-market products based on key lengths is doomed
to failure. Eight years ago in a 1991 study, the National
Academy of Science discussed the nature of mass-market software
and the futility of trying to control it. The NAS concluded,
``The widespread availability of such software, coupled with
its difficulty of detection and ease of reproduction makes any
attempts at controls impossible,''.
These observations and conclusions were true in 1991 and
remain true today. If anything, they are even more true, given
the rise of the Internet and the other means for electronically
distributing software to mass-market customers on a worldwide
basis. The addition of encryption functionality to mass-market
products does not somehow alter these characteristics. Products
that are not controllable at 56-bit key length do not become
controllable at longer key lengths.
My second point is that export controls create competitive
advantages that foreign firms have been very successful in
exploiting. Their entry point is U.S. export controls. Because
U.S. firms are unable to satisfy customer demand for 128-bit
encryption, non-U.S. firms create and freely distribute so-
called step-up software whose sole purpose is to increase the
key lengths of U.S. products from 40 bits or 56 bits to 128
bits. At the same time, these foreign firms develop powerful
service software and related applications for Internet banking,
e-commerce, and secure messaging. They also develop consulting
expertise to service key customers such as banks, ISP's, telcos
and online merchants. These are all the pieces needed to offer
a complete package of 128-bit encryption to foreign customers
and U.S. firms can't compete with this.
This approach has spawned several of the fastest growing
and most successful non-U.S. software firms focusing on the
Internet market. In the interests of time, I will just
highlight one of them, a firm called Baltimore Technologies,
which is an Irish company which recently merged with Zergo, a
U.K. company, and now offers a complete line of e-commerce and
enterprise security products. At this point, I would like to
show you exactly how Baltimore markets its products over the
Internet.
[Slide.]
These slides, these are slides of what you would see if you
visited their web site. It is not a live connection, in the
interests of making it go quickly. The first page is their
homepage. You see in the upper lefthand corner that it is the
Zergo homepage and it lists products and services and other
information that you can find there.
[Slide.]
The next page includes in its marketing materials the very
statement of the problem that we are here today to discuss. I
will read it quickly. ``U.S. export restrictions dictate that
most web service and browsers cannot perform 128-bit encryption
for security. Instead, export versions of browsers, like
Internet Explorer and Netscape Navigator and export versions of
web servers like Netscape Enterprise Server and Microsoft
Internet Information Server, are limited to 40 bits of
encryption, which is not secure enough for most applications.''
So here is the marketing material of a very successful foreign
firm citing U.S. export controls.
The success of these foreign companies threatens the growth
of U.S. software firms and their contribution to the U.S.
economy. It also threatens American technological leadership,
the loss or diminution of which directly threatens U.S.
national security and law enforcement objectives as well.
Let me conclude with a final point and that is that the
SAFE Act strikes the right policy balance by promoting the use
of encryption for several purposes: to prevent crime by
protecting sensitive communications data; to promote national
security by protecting the nation's critical infrastructure; to
protect e-commerce; and to protect individual privacy. Thank
you, Madam chairwoman.
Ms. Ros-Lehtinen. Thank you so much for your testimony. Mr.
Smith.
STATEMENT OF JEFFREY SMITH, GENERAL COUNSEL, AMERICANS FOR
COMPUTER PRIVACY
Mr. Jeffrey Smith. Thank you, Madam chair, and Members of
the Subcommittee for the opportunity to testify on H.R. 850,
the SAFE Act, sponsored by Representatives Goodlatte and
Lofgren and cosponsored by a bipartisan group of over 250 House
Members. I serve as counsel to the Americans for Computer
Privacy, a coalition of 3,500 individuals, 40 trade
associations, and over 100 companies representing a wide range
of companies. We support policies that allow strong encryption
and we specifically endorse the enactment of the SAFE Act and
we respectfully urge the Subcommittee to report it without
amendments for full Committee consideration.
As Vice President Gore said in September 1998 when he
announced the current Administration policy, developing a
national encryption policy is one of the most difficult issues
facing the country. It requires balancing many competing
objectives, all of which are of great importance to the nation.
Strong encryption is essential to protecting our Nation's
infrastructure, ensuring the privacy of electronic
communications, protecting our national security interests,
safeguarding the public, and maintaining U.S. leadership in the
development of information technology.
The challenge is how to do that. The question this
Subcommittee must address is what is the best policy to achieve
these objectives? It is the firm view of ACP and its Members
that, given the breathtaking pace at which information
technology, including cryptography, is developing around the
globe, the only way to achieve these goals, in the long run, is
to adopt policies that will assure American industry continues
to lead the world in information technology.
It is often said that the first responsibility of
government is national defense and it seems to us that the
President, Congress, and industry collectively have a
responsibility to ensure that in the future our law enforcement
and intelligence agencies have the ability to continue to
protect this nation as they do today. Indeed, they will
probably need additional resources and technical help to meet
the challenges of the next century. But those challenges are
far greater if they are forced to face a world in which the
majority of communications pass-over systems that are foreign-
designed, foreign-built, foreign-installed, and incorporate
foreign encryption. We are concerned that the current policy of
this government risks just such an outcome.
We have worked hard over the last couple of years with the
Administration to help fashion its new policy and we are
grateful for the new policy, but we think further steps are
needed and we urge the enactment of the SAFE Act. With that, I
will yield the rest of my time, Madam chairman.
Ms. Ros-Lehtinen. Thank you so much. We appreciate it, Mr.
Smith.
Mr. Weiss.
STATEMENT OF DAVID WEISS, VICE PRESIDENT OF PRODUCT MARKETING,
CITRIX CORPORATION
Mr. Weiss. Thank you. I will try to be as brief. Good
afternoon, Madam chairwoman, and greetings from the Sunshine
State, and Members of the Subcommittee, thank you for the
opportunity to speak with you this afternoon regarding this
important topic. My name is David Weiss. I am the Vice
President of product marketing for CITRIX.
Ms. Ros-Lehtinen. Now, because you are a constituent, take
all the time you like.
Mr. Weiss. Thank you very much. I am pleased to be
testifying this afternoon on behalf of the Software Information
Industry Association, SIIA, the result of a merger between the
Software Publishers' Association and the Information Industry
Association. SIIA represents 1,400 member companies engaged in
every aspect of electronic commerce and has long supported
efforts to liberalize encryption export controls and H.R. 850,
the SAFE Act.
CITRIX is the worldwide leader in server-based computing.
Our products enable individuals to access applications which
are running on their corporate networks while traveling at home
or from anywhere in the world. Since 1989, we have worked hard
to ensure that we provide cost-effective products to allow
businesses to deliver access to their mission-critical
applications to their employees and partners reliably and
efficiently. Our products allow companies and organizations to
share their corporate network resources with all of their
employees, regardless of their physical location.
In today's fast-paced economy, companies must be able to
communicate and share information with their employees
securely. Companies like mine have worked hard to develop
technology and products that meet these critical needs,
providing both individuals and businesses with the tools they
need to remain competitive. Encryption has become a requirement
for the technologies we developed. Without these capabilities,
we cannot assure customers that our products incorporate
reliable security to protect their corporate communications and
proprietary information. Encryption helps individuals and
businesses meet the challenges that we face in the online
environment, while assuring that we are able to take advantage
of its key benefits.
CITRIX products enable communications and information
sharing, usually within a company and generally involving vital
applications. For most of our customers, the ability to
communicate privately with business colleagues is critical.
Many use CITRIX products to share sensitive information and
require our products to protect that data from misappropriation
by unauthorized parties or misuse by otherwise authorized but
negligent or malicious parties.
Encryption is the only practical means by which parties to
an online communication can trust that each is who he claims to
be and that the information is only available to its intended
recipients. It is the only practical way to guarantee that the
communication between those parties remains protected. Such
capabilities are critical for both businesses and individuals
seeking to take advantage to use the Internet. Without robust
tools, no one can be assured that their online activities
remain private and that their online transactions are
trustworthy.
Companies are rapidly developing innovative technologies
and applications for use on public networks and users are just
rapidly integrating these capabilities into their everyday
lives. To ensure that this market continues to grow, consumer
concerns like security, authentication, and privacy must be
addressed. Without encryption, we simply can't do it. We must
be able to use and widely deploy encryption if we are to help
users protect against the inherent vulnerabilities of public
networks. In order for our customers to be able to communicate
securely, our products offer a variety of encryption
technologies, some of which cannot be exported under the
current regulations.
The impact on our company and all of U.S. industry is
significant. Companies are forced to choose between
incorporating encryption into their products to meet the
consumers' requirements or creating multiple product lines. If
the company does not incorporate the strong security features
that so many businesses demand, their products will fail in the
marketplace. If the manufacturer does choose to incorporate
strong encryption, it forgoes the lucrative foreign marketplace
and many companies, especially many young Internet startup
firms that are shaping the electronic commerce marketplace
cannot afford to create multiple product lines.
Given the time constraints, I just want to say that on
behalf of CITRIX and the SIIA, we strongly endorse H.R. 850 and
I will yield the rest of my time.
Ms. Ros-Lehtinen. Thank you so much, David. To the panelist
and our Congressional Members and our visitors, I have asked
that Congressman Campbell be kind enough to Chair the remainder
of the hearing. I have to go to the Floor and await my turn to
speak on the Central America aid package so I have read your
testimony and I look forward to sending you some questions in
writing. Thank you so much. Thank you, Tom.
Mr. Campbell. [presiding] Mr. Davidson.
Mr. Davidson.
STATEMENT OF ALAN DAVIDSON, STAFF COUNSEL, CENTER FOR DEMOCRACY
AND TECHNOLOGY
Mr. Davidson. Thank you. Good afternoon and I would like to
thank you for this opportunity to testify in front of the
Subcommittee on behalf of the Center for Democracy and
Technology. CDT has supported the SAFE Act since it was first
introduced in the 104th Congress. While we are pleased to be
here testifying once again in front of this Subcommittee, it is
unfortunate that we are here making many of the same arguments
that we were making 2 years ago. I would like to take the
chance to thank the Chair and Mr. Goodlatte and the other
sponsors of the SAFE Act and supporters of the SAFE Act for
their continued support for privacy online.
I would like to make, briefly, three quick points today.
The first is that the current U.S. policy harms personal
privacy, that U.S. policy is failing in the international
marketplace and that it is time to move on because a new, more
comprehensive encryption relief package like SAFE offers is
ultimately going to be better for public safety and individual
privacy.
CDT is here today because current U.S. policy does violence
to our constitutional liberties here in the United States and
to individual privacy around the world. We live in an era of
eroding personal privacy where more and more of our personal
data is available in electronic form and particularly on the
Internet. Encryption is the essential tool to protecting the
security of our data in this open, decentralized, global
network. The U.S. export controls keep people from getting the
encryption they need and protecting their privacy online. Most
directly, export controls limit the availability of good, U.S.
encryption products around the world, particularly in the mass-
market products that most individuals use.
Export controls also affect the security of people in the
United States when they communicate abroad with people who
don't have access to those strong products. Finally, encryption
products affect the security of the infrastructure by dumbing
down our security infrastructure and keeping us from making
encryption something that is easily available to people around
the world, including in the United States. In summary,
encryption leaves us in the worst of both worlds. Sophisticated
criminals, terrorists, rogue governments have access to it, but
law-abiding individuals do not have security and privacy
protected by the tools that they need.
The second point I wanted to make was that U.S. encryption
policy is failing in the international arena. We were told 2
years ago that the world was on the verge of adopting key
recovery and export controls. In fact, the marketplace has
failed to embrace key recovery. The world community has failed
to embrace export controls and key recovery as well. In fact,
as we have heard in testimony, many countries, including
countries like Ireland, Canada, and Finland, are moving in the
opposite direction. Even some of the staunchest U.S. allies,
the U.K. and France, have failed to completely embrace U.S.
encryption policy.
U.S. encryption policy is failing in the courts. Just
earlier this month, the Ninth Circuit Court of Appeals found
that export controls on encryption source code were
unconstitutional violations of the First Amendment. The court
ruled that these were prior restraints on free expression that
rest boundless discretion in government officials. I think that
the court recognized something that the Administration hasn't,
that you can't stop the spread of ideas at the border and that
especially you can't do it without doing violence to our First
Amendment.
I think it is time for our U.S. encryption policy to move
on. We are setting the ground rules today for how much privacy
people will have as they move their lives online. On balance,
we believe that strong encryption both serves individual
privacy and protects public safety and that kind of change is
not going to happen without your help. While we remain
concerned about certain criminal provisions in the SAFE Act, we
believe that, on the balance, the bill is a dramatic step
forward for individual privacy and public safety and I would
encourage you all to support its rapid passage without any
weakening amendments.
Mr. Campbell. Thank you, Mr. Davidson.
Ms. PoKempner.
STATEMENT OF DINAH POKEMPNER, DEPUTY GENERAL COUNSEL, HUMAN
RIGHTS WATCH
Ms. PoKempner. Thank you. I appreciate very much the
opportunity to come before this Committee. I am Dinah
PoKempner, deputy general counsel of Human Rights Watch, one of
the largest human rights research and reporting organizations
in the world. We have used encryption for many years and I am
going to present two examples from my testimony. There has been
a great deal of discussion at this hearing about, on the one
hand, the economic interest inherent in encryption and, on the
other hand, law enforcement and national security.
I am going to tell you a little bit about human rights
applications of encryption and, in particular, dwell on two
examples. Now the Internet revolution changed human rights
advocacy dramatically. We can now report on things in real-
time. We can reach massive audiences very inexpensively and
really mobilize popular opinion and action as never before. But
we have a problem. Electronic communications are inherently
insecure and this can have deadly consequences for human rights
activists. Every year, human rights activists are attacked,
jailed, disappeared, and killed. We document this in our world
report. In 1998, we counted 10 such killings before the report
went to press.
So, for this reason, our researchers routinely use
encryption when they are in dangerous places like Bosnia,
China, Lebanon, Rwanda, Kashmir, Hong Kong, and Belgrade. I am
going to give you a couple of examples. We have had a
researcher who was arrested last year in the Kinshasa airport
and detained for 24 hours while guards threatened to beat him.
Fortunately, all of his research was encrypted. By the way, he
was on a human rights investigation mission for which he had
obtained a visa. It was perfectly transparent and obvious what
he was doing. Yet, the government arrested him to get his
information. Fortunately, because he felt secure his
information was safe, he was able to delay until his release
could be secured.
We have a situation where the lack of security produced
absolutely devastating consequences. For example, last year in
April, a Member of the United Nations Secretary General's
investigation team who went to gather evidence of massacres of
Rwandan refugees in the eastern part of what was then former
Zaire was arrested when he returned to Kinshasa. The Congolese
authorities meticulously copied his research notes, as well as
maps and reports that had been given him by local human rights
activists. This information set off a man hunt for all of this
official's informants. Many of these human rights activists had
to go underground to emerge later as refugees and one, Gallican
Ntirivamunda, has disappeared and is presumed dead.
In contrast, our researcher, who had gone the year before,
took pains to every night burn his notes after he had typed
them into his lap top, encrypted them, and transmitted them.
So, as this example might give you an idea, global access to
strong encryption is vital, not just access for United States
residents and citizens.
I am going to give you one more example that will point out
some of the problems that export controls can bring up and that
is what is going on in Kosovo. It is very difficult. The strong
encryption is available right now, but it is really difficult
to master it, download it, familiarize yourself, and exchange
keys when you are in the middle of a war. That is what is going
on right now in Kosovo. People who want to report abuses can't
communicate securely. The Serbian government is believed to
have sophisticated Russian technology that enables them to
crack code.
So privacy advocates teamed up with a private company
called the Anonymizer to create a gateway that allows people
living in former Yugoslavia to access the Anonymizer and,
through the Anonymizer, have confidential and encrypted
communications. But there is a problem which one of the other
panelists alluded to. If you have a browser that is export
strength, this is not secure. Your communications can be
intercepted. So you have to still do yet another step of going
to another site, downloading yet more software to upgrade your
browser. It still doesn't solve the problem of secure
communications in the most difficult circumstances, in crisis
situations.
This is what I wanted to point out is that export controls,
among other things, inhibit the development of products that
would be most useful to human rights activists. That is, mass-
market strong encryption that is ubiquitous, that is built-in,
that is easy-to-use, that you don't have to be a computer
expert or adept to use. I am certainly not one and most human
rights activists aren't adept either.
I am going to end that with the thought that when we talk
about the kinds of policies the United States is going to
adopt, it is going to be looked at as a global leader. It is
going to be looked at as a model. Will we adopt policies that
will allow our government to continue to protest abuses of
human rights advocates and suppression of human rights abuses?
Are we going to hold encryption hostage to the fear of
sophisticated terrorists and criminals who are going to use it
no matter what the legality is and then deprive law-abiding
citizens and human rights activists of its benefits.
I will just finish by saying that what I would like you to
keep in mind is that what is at stake is more than just our
market share, more than abstract principles of privacy and free
expression against, say, the tangible reality of terrorism.
There are actual lives of human rights advocates at stake and
that is what I would like you to keep in mind.
Mr. Campbell. Thank you very much. I only regret that the
Administration spokespersons are not here to listen to you as
you listened to them.
Mr. Black.
STATEMENT OF ED BLACK, PRESIDENT AND CEO, COMPUTER AND
COMMUNICATIONS INDUSTRY ASSOCIATION
Mr. Black. Thank you for the opportunity to testify before
you today and I apologize for my not-yet-disappeared
laryngitis. Encryption is a subject of vital importance to the
members of the Computer and Communications Industry Association
and to all of our industry. I have to take a quick aside and
say as a citizen, however, I think Dinah's comments are just so
right-on and that is a key part of this that we should never
focus on. We will focus on the business aspects, but it is hard
not to think of the importance to freedom and democracy of real
meaningful encryption available to people around the world.
Like the current key recovery requirements, the
Administration's original Clipper Chip proposal would have
mandated that all encryption products contain a back door for
law enforcement and national security agencies to give them
access to the plain text of any communication or computer file
upon request. Not surprisingly, CCIA members continue to oppose
the Administration's policy, as do most of the high-tech
industry, most of the broader business community, and privacy
groups. The Administration supporters on the Hill, we think,
are also few and dwindling in number.
Because of CCIA's members support for the SAFE bill, which
we think is an excellent bill which we congratulate Mr.
Goodlatte and Congresswoman Lofgren on, we believe that it is
possible that--we will use the word ``proliferation''--
proliferation of encryption is going to happen, is important to
happen. We think the use of strong encryption around the world
is essential to reaching the full potential of electronic
communications and commerce. We all recognize that the
relaxation of encryption export restrictions is of critical
importance if we are to fully realize the information age we
have just entered.
I want to address quickly the Administration's contention
that it does not control or seek to control domestic use or
sale of encryption. The National Security Agency has testified
on numerous occasions that the full implementation of the
Administration's key recovery plan would have no impact on
their ability to carry out their national security mission. The
only logical inference is that the key recovery export policy
is designed to benefit domestic law enforcement agencies while
avoiding the political and constitutional pitfalls of direct
domestic restrictions.
Another fallacy of the government's policy is that the
United States has some monopoly on the science of cryptography
or the production of encryption tools. This is hard to justify
in light of the government's own efforts to replace the current
DES encryption standard with a new advanced encryption
standard, AES. Of the 15 logarithms submitted in the NIST
competition, 10 were from organizations outside of the United
States, including countries such as Australia, Belgium, Canada,
Costa Rica, England, France, Germany, Israel, Japan, and South
Korea. At least half of the five finalists are likely to be
foreign competitors and it is very possible that the next U.S.
Government standard for encryption will be designed outside of
our borders.
To further illustrate the international nature of this
industry and the futility of our export controls, let me give
you an example of how the Administration policy has affected
just one of our member companies. Integrity Solutions is one of
the world's leading vendors of secured application
technologies. They are based in San Jose, California. Because
of our export laws, nearly all of their recent growth in
staffing and development has been in overseas locations in
Sweden and the United Kingdom. This was not by design. They
originally only intended to be based in the U.S. and Sweden,
but it was a response to the continued restriction of U.S.
exports on encryption.
Later this month, it will announced that Integrity, its
partnership with Major Systems Integrators, will be awarded a
contract for all certificate authentication technology for the
Special Administrative Region of Hong Kong. They expect that
this contract will reap millions of dollars in annual revenues
and eventually expand to include other Asian nations.
Unfortunately, none of the revenue will come to the United
States and none of the jobs that this contract will create will
go to Americans. Because of our export laws, all of these
products and services will be shipped out of the United Kingdom
division. Had the contract not gone to Integrity, it would have
gone to an Irish company, which would have been the alternative
winner of the contract.
My question is: How does our current policy support
important U.S. interests? We are driving American companies and
jobs overseas and driving their customers to foreign
competitors without any significant impact on our national
security or law enforcement capability. It is just nonsense.
I wish that I could say that if we experienced further
relaxations in export controls or even enacted The SAFE bill,
we would somehow regain these lost jobs and revenue; however,
Integrity has already established a critical mass of overseas
presence. They are beyond the point of no return. They will
continue to derive a majority of the revenue and experience
nearly all of their growth in foreign countries regardless of
what we do to our laws. I can only hope that we take quick
action to prevent this scenario from becoming even more common
and repeated over and over again until we reach the point where
a huge portion of this industry has migrated overseas.
Chairman, Members of the Committee, thank you again for the
opportunity to testify today.
Mr. Campbell. Thank you, Mr. Black. The first questioner
will be Mr. Goodlatte.
Mr. Goodlatte. I thank you, Mr. Chairman, and I would like
to echo your observation that it would have been very helpful
if the Administration's witnesses had been here to hear this
excellent testimony and, not only that, but the members of the
media. I think that the intensity of the debate has gone out of
the hearing because I think we are in great agreement with what
you have to say.
I would like to ask you about some of the points that were
made by the Administration witnesses. First, they made the
statement that this legislation would not be in compliance with
the Wassenaar agreement. I would note that the Wassenaar
agreement has never been ratified by the U.S. Senate. It is
purely a voluntary effort of the Administration only, but it
seems to me that the way it is drafted the legislation, which
provides for an application of export controls in real national
security instances, does comply. I would ask first, perhaps,
Mr. Rubinstein if he would comment on the impact of this
legislation on the Wassenaar agreement.
Mr. Rubinstein. I think the earlier testimony was that it
violated Wassenaar by not having adequate review provisions and
I think that is an incorrect reading of the SAFE Act. There is
a provision in all of the key export control sections allowing
for technical review of products prior to export and I think
that is the key requirement. If there is any difference,
really, between the SAFE Act and the positions that have
already been taken by some of the foreign countries that are
signatories of the Wassenaar arrangement, it is that the SAFE
Act requires review, but then, otherwise, does not restrict
export.
What other countries have done in technical compliance with
the Wassenaar is to simply impose a licensing requirement, but
that licensing requirement is one that says strong encryption
may be exported under general license. So that is, I think, a
very limited form of compliance and hardly achieves the results
that were trumpeted when this announcement was first made,
namely that it levels the playing field. All it really does is
allow these other countries who already have strong encryption
vendors in their jurisdictions to comply in appearance by
saying there is a general license requirement, but then the
companies are able to export the same products they did prior
to that arrangement.
Mr. Goodlatte. Anyone else? Mr. Black?
Mr. Black. I will pass. I will take some other questions,
but, for the moment----
Mr. Goodlatte. Anyone else care to comment on that? If not,
let me go on to the next--Mr. Davidson.
Mr. Davidson. Just to say that I think our reading is very
much the same that it certainly seems that SAFE, on its face,
does not necessarily come into conflict with Wassenaar, both in
letter and in spirit. That I think that it was particularly
interesting to me that Ms. McNamara was careful to say that
Wassanaar merely permits nations to adopt export controls. It
does not necessarily require them to adopt export controls and
are reading is that SAFE does not violate either the letter or
the spirit of Wassenaar.
Mr. Black. Maybe if I could take my turn and just respond.
We have a long experience in the Association of export controls
and everything from computers to telecom. We have a lot of
experience with what national discretion means. What we think
the adoption of your legislation here would in fact put us in
the position that for decades every other country was in, which
we would have a standard which might be a little saner and less
restrictive than other countries. We think it would be very
consistent with certainly what is the spirit of Wassenaar as it
will be interpreted by most other countries, which is they are
going to go off and sell whatever they want without any
restrictions. So certainly the spirit, we think, would be
complied with.
Mr. Goodlatte. Thank you. The Administration's witnesses
seemed to be divided into two camps: Law enforcement folks
concerned about recoverable encryption--and I think we have
pretty well addressed that. The questions asked of that panel.
Why that will not work. Although we failed to mention the
enormous cost of it. The cumbersome, perhaps even unworkable
nature of having a system where billions of keys are stored by
somebody under some very costly and bureaucratic system.
But the other issue wasn't touched on as much. That is that
the National Security folks seemed to be concerned about the
immediate decontrol--the words used by Barbara McNamara--and I
think the effort on their part seems to be to delay the
implementation of strong encryption, and I wonder if you might
comment on the effect of such a delay. Mr. Smith.
Mr. Jeffrey Smith. I will take that one if I may. It is our
sense that NSA is aware that sooner, perhaps rather than later,
they will face a world of ubiquitous encryption perhaps
produced outside the United States. I cannot speak for them,
but my guess is that they recognize that and are hoping that
delay will somehow permit the market to develop in such a way
that it permits them to continue to do what they do.
Our concern is that, as I said in my statement, the current
policy is driving us much more rapidly toward a world where
there is, in fact, ubiquitous encryption, but it is not ours. I
think the consequence of that for the nation, for everything
that we are trying to achieve, is quite substantial and is why
the SAFE Act is, in our view, such an important vehicle.
Mr. Goodlatte. Thank you, Mr. Chairman.
Mr. Campbell. Thank you, Mr. Goodlatte. The Ranking Member
of the Committee, the gentleman from New Jersey.
Mr. Menendez. Thank you, Mr. Chairman. I want to thank the
panel. I had to step out for a few minutes, but maybe you can
help me. I was glancing through some of your written testimony
of that which I may have missed. Is it fair to say that the
synthesis of your respective testimonies is that, in fact, what
I was asking the previous panel in terms of what can you really
control here at the end of day, that the consensus is, I think
Mr. Smith has just said, that this is available. It is
available outside. It is available domestically. It is
available abroad. Ultimately, all those who wish to have access
for the purposes of doing that which the previous panel is
concerned about presently have that access right now. Is that a
fair statement?
Mr. Black. Yes.
Mr. Jeffrey Smith. Yes.
Mr. Weiss. Yes.
Mr. Davidson. Yes.
Mr. Rubinstein. Absolutely.
Mr. Menendez. Second, could you--any of you who choose to
do so--quantify the potential loss this year if we do not move
in a manner that would, for example, on Mr. Goodlatte's
legislation, the regime that would be established there, if we
don't move in that direction, what are the potential losses to
American companies? Do you have any sense of quantifying that?
Mr. Weiss. I can take a very small attempt, looking
internally at my own company. We are a relatively small
software company at $250 million. While encryption has not been
a significant issue in the first 7 years of our existence, over
the past 3 it has been and I would quantify our loss last year
due to our inability to either develop or supply strong
encryption technology to our customers, multinational customers
or customers outside the United States, as approximately 10
percent of our revenue. I expect that to grow as a percentage
substantially as we begin to build the infrastructure
surrounding the digital age of which my company hopes to
participate. So that number will only increase as a percent and
really put a cap on the markets that we can play in.
Mr. Menendez. Is there any other industry sense of----
Mr. Rubinstein. It is hard for me to quantify, but I would
make two observations. One is that a pronounced trend in the
last few years is the use of PC's for ever more complex and
demanding computer applications so PC's networked together have
begun to replace minicomputers and mainframe computers and
really run the infrastructure of many large organizations and I
think that has made encryption and security a much more
important aspect of software sales even for mass-market vendors
like Microsoft and other members of the BSA.
Mr. Menendez. Let me ask another question. This is
hypothetical, but I would like to get a sense of what the
industry might say. If we were to, the U.S. Government, were to
fund the appropriate United States agency to work with the
private sector to do decryption technology, what would the
industry's response to that be?
Mr. Jeffrey Smith. If I might address that. Industry has
acknowledged that the law enforcement and National Security
Agencies face a real challenge in the future and recognize that
they may not have the technological skills possessed by
industry. So as the Administration panel said and as we have
said in several of our statements, industry is working with
government to help them reach that understanding. I can't
comment for how industry would react to a specific proposal to
provide specific funding to that, but there are some
suggestions like that, including one from Senator Bob Kerry in
the Senate that I, as a personal matter, find intriguing. But
whether industry as a whole would be prepared to support that,
I certainly can't speculate.
Mr. Black. If I could, I think we would all like to think
that there would be a solution like that. In all honesty, I
think the reality that it is sand going through the fingers and
I don't think you pick it back up again with open hands. The
idea of brute force, attack, is there. It is possible at the
edges, but most of the folks we talk to it really is probably
not a viable result. Key recovery is not--we have all looked
for years for some magic bullet that goes down the middle and
takes care of everybody's concern. We just don't find it.
Mr. Davidson. I would just like to echo and say that I
think, first of all, most people in the technical community
don't think that brute force attacks are going to work at these
high-strength encryption products. I wanted to address a
comment that was made by the Justice Department representative
earlier about the fact that they were still searching for new--
that we are not talking about key recovery anymore. That it is
really about new kinds of access technologies and I would just
like to say that, we have been playing the name game on this
from key escrow to commercial key escrow to key recovery and
now it is plain text access.
All of those systems have the same problem which is that
the same system that allows surreptitious access by government
also creates a huge vulnerability that allows surreptitious
access by the people that you are trying to protect yourself
from by encrypting to begin with. There are a series of real
security and economic concerns that have been raised about the
viability of these systems that have gone--are being completely
unaddressed.
There is a report that we submitted to the Committee--and
hopefully you folks have seen this--on the risks of key
recovery. I would encourage people who are concerned about the
national security and law enforcement aspects of all of this to
ask particularly in those classified briefings, perhaps, ask to
have the questions raised in this report answered because I
think the problem has been that they can't be answered and that
we don't have a viable system that provides access and protects
security and that is why these systems haven't caught on.
Mr. Menendez. I thank you all for your patience and your--
yes.
Mr. Rubinstein. If I could add just one point there, there
was some discussion in the earlier panel of whether the
dialogue between industry and law enforcement had withered away
over the last year and I would agree with Mr. Reinsch that it
has not and, in fact, there has been some very productive
dialogue going on and going on, quietly, but taking place. At
the heart of that dialogue, I think, is the recognition by law
enforcement that there is no magic bullet.
The precondition for a constructive dialogue is the
recognition that there is no single solution that industry can
offer but, instead, what is most important is that law
enforcement devote more resources to learning about the new
technology to understanding how it is used and, of course, in
order to effectively use that, that technology has to be
developed and produced in the United States.
Mr. Menendez. Thank you for your testimony. Thank you, Mr.
Chairman.
Mr. Campbell. Thank you, Mr. Menendez. It is my turn. I
have three specific questions and they are first directed to
Mr. Rubinstein. This example you gave us of Zergo.
Mr. Rubinstein. Yes.
Mr. Campbell. Did they cooperate with Microsoft or with
Netscape in developing their solution?
Mr. Rubinstein. No. Let me also apologize. When I was
showing those slides, I failed to show the last slide which was
the download page and which listed a number of tool kits and
add-on products that were available from Zergo. In no case did
Microsoft supply technical assistance nor was it even asked to
do so because--if I can try to explain this simply as
possible--if you have a browser that is signing onto a web
server, what you do is you insert two pieces of software
between that communication so that the browser talks to this
first piece, the first piece to a second piece, and then the
second piece to the existing server. It is those two
intermediate pieces that secure the communications at 128 bits.
It just takes that flow and inserts this new connection and it
decrypts it again.
Mr. Campbell. I follow.
Mr. Rubinstein. So there is no need for U.S. cooperation to
accomplish that.
Mr. Campbell. Although, at some point, the company, Zergo,
must have access to Microsoft's code in order to--they just
have to decompile what Microsoft is using in that first of the
four steps in order to make a good interface, I assume.
Mr. Rubinstein. Right, although one of the very significant
changes in this whole debate that has occurred results from the
fact that Internet products are built according to
international standards so, regardless of the specific company
implementation, as long as those standards are met, the
standards are readily available. Even reference code is
available on a worldwide basis.
Mr. Campbell. Thanks. Let me ask a hypothetical question
then of any of the panel, but particularly of the attorneys.
Would it be a violation of the Export Control Act in this
situation for Netscape or Microsoft to have assisted Zergo in
that it--you see my question. I am not sure of the answer. You
tell me you didn't. That is fine. I am pleased.
Mr. Rubinstein. The answer would be yes. There is a
specific provision that deals with providing technical
assistance to a foreign person in the manufacture of
encryption----
Mr. Campbell. Thanks for answering. It was the answer I was
afraid I might get. A question to Mr. Black and Mr. Smith. This
is a technological question of which I am ignorant. Does the
ability to deencrypt develop as the ability to encrypt or are
they different disciplines?
Mr. Black. They are really the same coin. The skills are,
there are differences but it really is the ability to do one is
the same set of skills and you will find the same people able
to do the other.
Mr. Campbell. Would you agree, Mr. Smith?
Mr. Jeffrey Smith. Yes.
Mr. Campbell. I hit a wall in mathematics at differential
equations. They didn't make any intuitive sense to me. That is
when I stopped. I have a sense there is a point of complexity
at which encryption can become like those differential
equations so that when it goes to a certain level, the ability
to deencrypt is just lost. Am I wrong or does deencryption
actually follow right along with the ability to encrypt so that
if we go to longer and longer bit length, we will have industry
capable of eventually breaking that?
Mr. Black. In the real world, we have seen the development
of technology that is more and more powerful and, whatever NSA
says, I think many of us think they have a lot more capability
than is there. But it still lags behind and lags behind
substantially and I think we are--most of us think we are at
point where, for all practical purposes, the ability to use
brute force deencryption is just not going to be available in
the future.
Mr. Davidson. If you will forgive the mathematical
terminology, the difficulty in decrypting increases
exponentially with the increase of the bit length. So, for
example, the difference between a 56-bit key and a 64-bit key,
it is only 8 bits longer. But it is 256 times more difficult to
decrypt in terms of the time it takes to do a brute force
attack. So when you move to something like 128-bit keys, which
are widely available outside of the United States, you reach a
point where people start to measure the amount of time it would
take to decrypt this using, technology that we----
Mr. Campbell. Thanks.
Mr. Black. We have a number which is 256, the number of
possibilities at that level equal the number of particles in
the universe.
Mr. Campbell. Subatomic? And 256 is 2 to the 8th power? Is
that where that came from? I was wondering----
Mr. Davidson. 256-bit length. I think you are talking about
keys that are 256-bits long.
Mr. Campbell. Let me just understand the algorithm. So if
you increase bit length by X bits, what is the effect on the--
--
Mr. Davidson. Two to the X. So, for example, each bit
doubles the amount of times.
Mr. Campbell. That is what I thought. Two to the eighth.
That is what I was asking. 256 is 2 to the 8th. You are
measuring that in terms of time difficulty of deencryption.
Mr. Davidson. Right. The number of steps; the number of
things you have to check.
Mr. Campbell. The number of steps.
Mr. Davidson. It is really like doing a combination lock
and trying all of the combinations.
Mr. Campbell. OK.
Mr. Black. There is always a chance you will stumble on it
right at the beginning, but you have to assume you don't.
Mr. Campbell. Thanks. My last question is to Ms. PoKempner.
Understand, I am entirely on your side of this. Nevertheless,
it seems to me the logic of your position would oppose a
universally accepted agreement, a Wassenaar that really worked,
whereas every other member of the panel might be able to live
with that because it would not put an American firm at a
competitive disadvantage, the burden of your testimony is the
value of encryption so strong that no government can break into
it. Am I reading you correctly?
Ms. PoKempner. I am reluctant to sound like an absolutist
because I do believe that there are genuine national security
and law enforcement issues here, but the problem is that
virtually unbreakable encryption exists. We use it. We use 128-
bit encryption. For practical purposes, no one is going to
break that very fast. So we live in a universe where that is
already out there and my concern is that U.S. attempts to
either influence the Wassanaar arrangement countries policies
or its own domestic export controls ultimately have the effect
of taking strong encryption out of the hands of the law-abiding
people like ourselves who need to use it but don't have any
deterrent effect on all of the bad guys that are constantly
paraded before us as the reason for these controls.
It is a difficult equation. I think that there is a balance
and a difficult judgment call that has to be made at the point
where encryption becomes ubiquitous, which I do believe is an
inevitability. It is just a question of whether the U.S. is
going to be part of that.
At that point, obviously, computer-challenged people like
myself can use it easily and so can the stupid criminals that
were referred to earlier. So everyone can use it. Then you have
a question of, in terms of deterring street crime versus
protecting human rights activists, people who want to
communicate from totally repressive situations. People who want
to, preserve their privacy, their medical records, their
commerce, then you have a very complicated balancing task.
But I think that is really where the level of debate should
be. We are not talking about international terrorists versus,
all the other interests because the international terrorists
already have access. Believe me, if my colleagues can use it,
the international terrorists are much more capable.
Mr. Campbell. I would like you to come back in another
occasion and tell us what you and Human Rights Watch found in
the Democratic Republic of Congo. I'm going to be polite to my
colleague and yield to him in just 1 second. Though if you
would be--and indulge me, Brad, I didn't speak before and I
just wanted to kind of put on record my own thought. I will
take about 30 seconds.
It would amaze me if the founders who wrote the Fourth
Amendment were presented with Congress passing a law compelling
Americans to make their communication more easily intercepted
by the government. Would it not? That is, it seems to me, what
we are asking. As to those who say national security and crime,
I would say--and this is my one polemic, forgive me. Then I
yield to my friend. My one polemic for today--I can give you
safe streets, just get rid of that pesky Fifth Amendment and I
will beat some confessions out of people and I will give you a
safe a major city in America, every major city safe from street
crime. But get rid of this warrant requirement because it is
too tedious; probable cause is a heck of thing----
So it isn't that we who believe in freedom ignore the other
side. We believe that our country made that compromise 200-plus
years ago. I yield to my colleague from California.
Mr. Sherman. Mr. Chairman, thank you. Thanks especially for
your technical questions. Like you, I hit a wall in
mathematics. In my case, I hit it at long division.
It seems like we are confronted with three levels of
criminals. There are the street criminals who aren't going to
use lap tops, let alone encryption. There are the semi-
sophisticated criminals who pretty much transact domestic
crime--and I would like anybody on the panel to correct me if I
am wrong--these folks can get all the encryption they want at
the local software store today and, if they can't, it is just
because you folks haven't made it yet and you will and you
don't need to change the law to put really great encryption in
every Egghead store in America. I see a lot of heads nodding.
Then you get up to the international criminals who you would
think would be sophisticated enough to send the encryption that
they need over the line, buy it from a foreign source.
I am at a loss to try to figure out who we are trying to
protect ourselves from. Now, as I understand it, if they get a
warrant, they can look at your bank records and if you sent a
message to your bank by encryption, the bank knows how to
unencrypt it. I see some heads nodding. So this whole--the
Administration effort is, I think, as the Chairman pointed out,
an effort to make sure that when we send messages to each other
we do it in a form that is most easily wiretappable and then
understandable. Which is--now one could imagine that that would
be argument. That we would really say we want everything that
goes over the wire to be interceptable and decipherable. But
that is not what we are doing. We are saying, well you can
encrypt, you just can't do it internationally.
Which seems to--and I will go back to what I said before
because I thought it needed a little explanation when I thought
that the Administration was just trying to punish the software
industry, but it seems like they are just angry that domestic
messages will be encrypted in ways that they cannot decipher
and the only handle they have under our legal system is to try
to punish that industry or throw a temper tantrum by saying, we
have got this law where we won't let you export it. I don't
think there is a question in there anywhere.
Yes, my more senior colleague from California illustrated
and explained to me just earlier today how I should deal with
this and that is, I say, don't you agree?
Mr. Black. Your questioning actually earlier was, I thought
very much on point where you were trying to get some people in
the Administration to acknowledge that the concept of mandatory
and voluntary that there is something in between which is
called coercion, extortion, and that is really what we see
going on. They are using the export control rules to try to
force, coerce people into adopting practices because they don't
want to say domestically that some people in the Administration
really want to have the controls. It is really disingenuous, in
our view, for them to be saying that this kind of heavy
leverage, put a gun to your head, let us make a deal is not
really pushing and forcing and mandating it. It is not any
semblance of voluntary.
Mr. Sherman. Let me sneak in one more question here and
then this is really the question: What would it take for a
foreign company to produce encryption that works well with
Microsoft and other U.S.-created products and to sell that
encryption product around the world? Is there any prohibition
on us importing encryption? Everybody's saying no. I do that so
the record will actually reflect your head shakes. Mr.
Davidson, you were about to say something?
Mr. Davidson. I was going to agree with your earlier
comment and say I think you are right and your second question
gets to that also, which is that really what this is about
seems to be an attempt to slow-down the spread of encryption.
That is the best that we hope for in this policy and, to some
extent, it has worked so far. I think what you are hearing from
us is that now the costs of that policy far outweigh any
incremental benefits of continuing it, that the costs not only
to business, but to privacy interests of individuals, to the
human rights workers around the world and others, you know are
too high for continuing to pursue this.
But I will say one other thing which is that I think we
remain concerned domestically about the ultimate goals of the
Administration in this area and what I mean by that is that it
was only 1\1/2\ years ago that the Administration was
testifying on Capitol Hill and the FBI director was testifying
that he would like domestic controls on encryption, mandatory,
key recoverable, and the House Intelligence Committee, in fact,
passed a version of the SAFE Act that would have imposed that.
Although it is somewhat reassuring, I guess, to hear the
Administration officials say that is not current policy, we
don't feel that this is far off the table. That remains our
concern and I think the interchange between Chairman Gilman and
the Justice Department witnesses was about domestic criminals
using encryption and the only way that they are ever going to
stop that is by some kind of domestic control. I think that is
what we remain very fearful of.
Mr. Sherman. I would like to comment that domestic control
at least has the advantage of being a logical action--I think
inconsistent with the Fourth Amendment--but a logical action
where you are actually achieving a law enforcement purpose
other than punishing an industry for coming up with technology.
I yield back.
Mr. Campbell. I thank the gentleman. We are at the end of
our hearing, but I would like to offer each of the panelists 1
minute, if each wishes, to add anything that he or she did not
have the opportunity to add heretofore. Is there anyone who
wishes to avail himself or herself of this opportunity? Mr.
Rubinstein.
Mr. Rubinstein. Yes. I would like to add one point which is
that I think the hope of the Administration policy was that key
escrow or some form of it would become so ubiquitous that
everybody would use it and only the very small substratum of
very sophisticated criminals would escape from that and, as the
Administration readily admits, they can never really do
anything about that.
But as the market has rejected that type of key escrow for
reasons that Congressman Goodlatte alluded to earlier--its
cost, its complexity, its vulnerability--as the market has
rejected that and as the Administration has begun to soften its
message on key recovery and say we are not insisting on any one
technology; there are many different approaches; et cetera, the
very logic of their position begins to erode because if there
are no mandatory controls and if nonrecovery encryption is
available overseas, then it is no longer apparent what the
ongoing controls would achieve.
Mr. Campbell. Read you loud and clear. Anyone else wish to
speak? Mr. Davidson.
Mr. Davidson. First of all I would like to say to the
Chair, I think that the Chair is right about the Bill of Rights
and the Fourth Amendment as it applies to this area. You are
very much on point. While we will see and are hopeful about how
it moves in the courts, I think that that should inform
Congresses decisions in terms of thinking about encryption. I
would also commend this Bernstein decision to you from the
Ninth Circuit. It is quite interesting. The last thing I would
just say very briefly is I am noticing that Mr. Goodlatte's
attendance here at the bitter end of this hearing, and his
commitment to this issue for the last several years and I would
like to thank him for that because this has been very important
for individual privacy.
Mr. Campbell. Appropriate and so noted. Mr. Smith.
Mr. Jeffrey Smith. One more minute to go back to a point
Mr. Bereuter made about the conversations between industry and
the Administration, initially done by John Deutsch when he was
the Director of Central Intelligence. That dialogue has
continued. I think my colleague Mr. Rubinstein made the point
but I think it is important for this Committee to understand
that there is a continuing dialogue, but it is a very difficult
one to maintain because one is reluctant to discuss it too much
in these public sessions. So I think it is something to be
explored offline.
Second, to urge this Committee to take the long-run view of
this policy. Our concern is that the Administration's policy is
a short-term policy and our strong view is that both the law
enforcement and national security interests need to be seen by
Congress in the long-run and that only the kind of solution
that is proposed by this bill, in our judgment, strikes the
balance, gives the government what it needs, gives industry and
citizens what they need.
Mr. Campbell. Thank you. With that, the meeting of the
Subcommittee on International Economic Policy and Trade stands
adjourned.
[Whereupon, at 5:35, the Subcommittee was adjourned.]
�