44–838 CC
1998
ENCRYPTION: INDIVIDUAL RIGHT TO PRIVACY VS. NATIONAL SECURITY
HEARING
BEFORE THE
SUBCOMMITTEE ON INTERNATIONAL ECONOMIC POLICY AND TRADE
OF THE
COMMITTEE ON
INTERNATIONAL RELATIONS
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTH CONGRESS
FIRST SESSION
MAY 8, 1997
Printed for the use of the Committee on International Relations
COMMITTEE ON INTERNATIONAL RELATIONS
BENJAMIN A. GILMAN, New York, Chairman
WILLIAM GOODLING, Pennsylvania
JAMES A. LEACH, Iowa
HENRY J. HYDE, Illinois
DOUG BEREUTER, Nebraska
CHRISTOPHER SMITH, New Jersey
DAN BURTON, Indiana
ELTON GALLEGLY, California
ILEANA ROS-LEHTINEN, Florida
CASS BALLENGER, North Carolina
DANA ROHRABACHER, California
DONALD A. MANZULLO, Illinois
EDWARD R. ROYCE, California
PETER T. KING, New York
JAY KIM, California
STEVEN J. CHABOT, Ohio
MARSHALL "MARK" SANFORD, South Carolina
MATT SALMON, Arizona
AMO HOUGHTON, New York
TOM CAMPBELL, California
JON FOX, Pennsylvania
JOHN McHUGH, New York
LINDSEY GRAHAM, South Carolina
ROY BLUNT, Missouri
JERRY MORAN, Kansas
KEVIN BRADY, Texas
LEE HAMILTON, Indiana
SAM GEJDENSON, Connecticut
TOM LANTOS, California
HOWARD BERMAN, California
GARY ACKERMAN, New York
ENI F.H. FALEOMAVAEGA, American Samoa
MATTHEW G. MARTINEZ, California
DONALD M. PAYNE, New Jersey
ROBERT ANDREWS, New Jersey
ROBERT MENENDEZ, New Jersey
SHERROD BROWN, Ohio
CYNTHIA A. McKINNEY, Georgia
ALCEE L. HASTINGS, Florida
PAT DANNER, Missouri
EARL HILLIARD, Alabama
WALTER CAPPS, California
BRAD SHERMAN, California
ROBERT WEXLER, Florida
STEVE ROTHMAN, New Jersey
BOB CLEMENT, Tennessee
BILL LUTHER, Minnesota
JIM DAVIS, Florida
RICHARD J. GARON, Chief of Staff
MICHAEL H. VAN DUSEN, Democratic Chief of Staff
Subcommittee on International Economic Policy and Trade
ILEANA ROS-LEHTINEN, Florida, Chairperson
DONALD A. MANZULLO, Illinois
STEVEN J. CHABOT, Ohio
TOM CAMPBELL, California
LINDSEY O. GRAHAM, South Carolina
ROY BLUNT, Missouri
JERRY MORAN, Kansas
KEVIN BRADY, Texas
DOUG BEREUTER, Nebraska
DANA ROHRABACHER, California
SAM GEJDENSON, Connecticut
PAT DANNER, Missouri
EARL F. HILLIARD, Alabama
BRAD SHERMAN, California
STEVEN R. ROTHMAN, New Jersey
BOB CLEMENT, Tennessee
TOM LANTOS, California
BILL LUTHER, Minnesota
MAURICIO TAMARGO, Chief of Staff
YLEEM D.S. POBLETE, Professional Staff Member
AMOS HOCHSTEIN, Democratic Professional Staff Member
JOSE A. FUENTES, Staff Associate
C O N T E N T S
WITNESSES
The Honorable William Reinsch, Under Secretary of
Commerce, Bureau of Export Administration
The Honorable William Crowell, Deputy Director,
National Security Agency
The Honorable Robert S. Litt, Deputy Assistant
Attorney General, Criminal Division, U.S. Department of Justice
Mr. John Gage, Chief Scientist, Sun
Microsystems
Mr. Humphrey P. Polanen, General Manager, Network
Security Products Group, Sun Microsystems Incorporated (accompanied by Mr.
John Gage, Chief Scientist, Sun Microsystems Incorporated)
Mr. Jerry Berman, Executive Director, Center for
Democracy and Technology
Mr. Tom Parenty, Director of Security, Sybase
Corporation
Mr. Stephen T. Walker, President and CEO, Chairman
of the Board, Director, Trusted Information Systems
APPENDIX
Prepared statements:
The Honorable William Reinsch
The Honorable Robert S. Litt
The Honorable William Crowell
The Honorable Bob Goodlatte, a Representative in Congress from
Virginia
Mr. Humphrey P. Polanen
Mr. Jerry Berman
Mr. Tom Parenty
Mr. Stephen T. Walker
Additional material submitted for the record:
Article submitted by Congressman Goodlatte of Virginia, "Fact and
Comment", by Steve Forbes, editor in chief, Forbes Magazine
ENCRYPTION: INDIVIDUAL RIGHT TO PRIVACY VS. NATIONAL SECURITY
THURSDAY, MAY 8, 1997
House of Representatives,
Subcommittee on International Economic Policy and Trade,
Committee on International Relations,
Washington, DC.
The Subcommittee met, pursuant to notice, at 9:30
a.m. in room 2172, Rayburn House Office Building, Hon. Ileana Ros-Lehtinen
[chairwoman of the Subcommittee] presiding.
Ms. ROS-LEHTINEN. The Subcommittee will
come to order. Thank you for being here today.
We have a Republican caucus that got started just
a few minutes ago and that will be going for an hour, so I apologize for
our side for the folks who will not be here. But we are joined by our
Ranking Member, Mr. Sam Gejdenson, who is here already.
Today, the Subcommittee will address an issue
which is highly complex, which encompasses a wide variety of U.S. national
interests and has multiple ramifications. Once the exclusive domain of the
national security and intelligence agencies, encryption now has an expanded
application, impacting the daily lives of U.S. citizens.
Today, banking systems, stock markets, air traffic
control systems, credit bureaus, telephone networks, weather satellites,
social security systems, television networks, civilian and government
payrolls are all affected by a flow of data managed by countless computer
and telecommunication networks around the world. We are truly living in a
global environment, where computer technology serves as the nervous system
of our modern society.
Brainpower industries are growing in
incredible amounts. The technology is evolving at an ever-increasing pace,
and new issues are surfacing daily that we must find solutions to. Advances
in computer technology have created a new frontier where policymakers serve
as pioneers trying to guide others through this unknown land.
The initial reaction is to try to control the rate
at which these changes are occurring to allow time to recover and plan for
the future. However, how can knowledge and intellectual development be
restrained?
Such is the reality we face. It is the scenario
which serves to frame the discussion about encryption. Encryption today
encompasses several issues dealing with U.S. economic and commercial
priorities, with law enforcement and national security concerns and as well
with individual civil liberties.
One of the key issues is whether there should be
any restrictions on the domestic use and sale of encryption
technology—specifically, whether domestic users must place their keys
in escrow with the government or some neutral third party. According to its
supporters, escrowed encryption would provide strong protection for
legitimate uses of encryption but would also provide a mechanism which
would enable law enforcement officials to gain access to the encryption key
as part of the criminal investigation.
Another pertinent issue is whether there should be
any restrictions on the export of encryption technology. Current law
regulates the export of encryption technology in a manner similar to
military technology. U.S. export control laws limit the sale of strong
encryption products overseas in the interest of denying foreign countries
the ability to encode information in ways that would make it more difficult
for U.S. authorities to monitor activities which threaten U.S. national
security and domestic tranquillity.
The argument is focused on the ability of
terrorists and other criminal groups to conduct activities undetectable if
non-key recovery encryption is widely available. However, the validity of
the availability argument as a measuring stick for export controls is
frequently called into question, given the liquidity of computer technology
and given the reports of other countries using and selling encryption
technology that is far more complex than the one U.S. industries are
permitted.
Opponents of export controls argue that it
merely serves to restrict U.S. businesses and to constrict their potential
growth by limiting their foreign commercial capabilities.
Furthermore, the issue of encryption has generated
interest at the most basic level of American society, with individual
consumers questioning their right to privacy within the context of key
recovery. Consumer groups want individuals to have access to the best
encryption possible, without regard to key recovery features. They cite the
spillover effects that this type of controlled encryption could have in the
daily routine of American citizens, fueling fears about the big brother
watching.
In the end, it is our responsibility to fully
investigate and evaluate each of these issues in order to decide on the one
particular policy configuration which best describes the overall national
interest. As the Greek philosophers argued, we must look to what would
serve the greater good.
Now, I would like to recognize our Ranking Member,
Mr. Sam Gejdenson, for remarks. Sam.
Mr. GEJDENSON. Thank you, Madam
Chairman.
The situation in the finance office today seems to
be a continuation of where we have been for at least the last decade as
Administration after Administration has tried to stumble through the issue
of encryption. There was, of course, the great solution called Clipper
chip, which was going to solve all our problems internationally. I think
two Administrations assured us we would have global support for Clipper
chip, but somehow other countries weren't as inclined to give the CIA the
key to all their encrypted information as our Administrations thought they
would.
Again, if you look at 7 years ago, we had the
Secretary of Commerce, Mr. Mosbacher, in a fight with the Secretary of
Defense, Mr. Cheney, over the decontrol of 286 computers at a time when 386
chips were available in Radio Shack in Beijing.
I am fearful that we are stuck in the same
situation with encryption. There is a recent New York Times story of a
German company basically sending its appreciation to the American
Government and the restrictions we placed on encryption because we are
about to make them really rich.
Now I understand international competition and I
understand the desire to keep sophisticated encryption away from the bad
guys; but, you know, we don't have an exclusive marketing agreement with
bad guys. If other people have these products, they are going to go
overseas to get them.
And while there are all these references that
other systems aren't as good, the reality, as I understand it, most of
these are mathematical formulas; and scientists in a dozen countries around
the world can create them. And what we are in the process of doing is not
so much in any way restricting the access of this equipment to terrorists
or bad guys, but what we are really going to be doing is costing the
American economy—ranges as much as $60 billion.
People responsible for the security of this
country, I understand, have to try to keep constant balance over, no matter
what the cost is in dollars and jobs and economy, whether or not that cost
gives us additional protection.
If, as it seems to be the case with this German
company, and I understand there are lots of companies in other countries
who are marketing very capable and equally capable and able encryption
production, then it seems to me the only thing we are doing is injuring the
country and our economy and our future position in many of these critical
sectors and not in any way depriving this technology from the individuals
we would like to deprive it from.
So I hope that we can make some progress on Mr.
Goodlatte's bill, which I am cosponsor of. I think he has done some very
important work in this area. And, you know, I think that unless we can find
some very hard, very clear reasons why we should allow Germans and others
to take this market away, what is the benefit if they can get products
everywhere else and we are not selling them?
Ms. ROS-LEHTINEN. Thank you, Sam, for
your words.
We are proud to have a new member, William Luther
of Minnesota, joining our panel—welcome—and, of course, our
loyal friend, Pat Danner. Thank you, Congresswoman Danner.
I don't know if either member would like to make
any opening statements.
Ms. DANNER. I have none at the time, except
I join you in welcoming our new colleague.
Ms. ROS-LEHTINEN. Thank you so much,
and let us proceed with the introduction of our first panel.
Testifying first will be Mr. William Reinsch, who
currently serves as the Under Secretary for Export Administration in the
Department of Commerce. As head of the Bureau of Export Administration, Mr.
Reinsch is charged with administering and enforcing the export control
policies. Before that, Mr. Reinsch served on the congressional staffs of
Senator John D. Rockefeller and the late Senator John Heinz, as well as two
Members of Congress.
Then we will hear the testimony of the Deputy
Director of the National Security Agency, Mr. William D. Crowell. As the
senior civilian at NSA, Mr. Crowell serves as the Agency's Chief Operating
Officer, guiding and directing strategies and policies.
He also receives major quality management efforts
and serves as the principal advisor to the Director. Mr. Crowell serves as
a member of the Cabinet-level Committee on National Encryption Policy and
has received numerous awards for his dedicated public service.
Our next witness will be Deputy Assistant in the
Criminal Division of the Department of Justice, Robert Litt. Mr. Litt has
served as Assistant U.S. Attorney in the Southern District of New York,
prosecuting fraud, racketeering and official corruption cases. Mr. Litt was
also an associate and later a partner in the law firm of Williams and
Connolly in Washington, DC.
I thank all three of you gentlemen for joining
us.
Ms. ROS-LEHTINEN. Mr. Reinsch, you may
begin.
STATEMENT OF THE HONORABLE WILLIAM REINSCH, UNDER SECRETARY OF COMMERCE,
BUREAU OF EXPORT ADMINISTRATION
Mr. REINSCH. Thank you very much, Madam
Chairman.
I am very pleased to be here, and I am
particularly pleased that the Subcommittee under your leadership is
continuing its tradition of interest in this issue, which, you know, has
been manifest over several years, as Mr. Gejdenson pointed out. And I think
that is particularly apt since, as your statement pointed out, so many of
the issues that are encompassed in the encryption debate fall within the
purview of this Subcommittee. We are delighted you are doing this.
Mr. Gejdenson said so many things in his remarks
that I want to comment on that I am tempted to just dump my statement and
talk about them, but I think that I won't do that except to say that we
don't like to think of our policy currently as stumbling. We like to think
of ourselves as firmly walking down the road. You may think it is in the
wrong direction, but I think we have our act together, and what I would
like to do in my statement is tell you what it is, because we have a number
of people in the private sector telling it like it isn't.
So I want to make clear what the policy is and
what we intend to do, both short term and long term, with respect to
legislation and some other things; and then my colleagues are going to
amplify on a couple of the key pieces.
I think we all agree that developing strong
commercial encryption is in the best interest of the United States. We
think it is inevitable. We think developing public network security or
secure public networks is an integral part of electronic commerce, and that
is something that we want to facilitate and encourage in this country, and
we have tried to develop a policy that will do that.
I am not going into any great length for this
Subcommittee, because of the depth of your knowledge of the subject, about
why we think electronic commerce is important or why we think exports are
important or why we have an interest in this industry, both hardware and
software, maintaining its world lead. That is all obvious. I just want to
assure you that we share those objectives.
At the same time, as Mr. Litt will point out, the
increased use of encryption does carry with it serious risks for public
safety, law enforcement and also our national security; and we want to try
to pursue a policy, as the President has indicated in his statement last
October, which balances the equities that I have just
described—privacy, electronic commerce, law enforcement and national
security.
We believe that the approach that does provide
that balance is key recovery; and Mr. Crowell will be talking in more
detail about precisely what key recovery is, how it works and why it is
important.
What I want to do in my remaining few minutes is
to tell you what we have done to try to implement that policy, making clear
in the process that we are doing it working with the market, working with
the industry, and not against it.
This is not a policy of technology by fiat. This
is not Clipper. This is an attempt to discover what the market is doing and
trying to reinforce it. We believe that the market and our policy are both
moving in the same direction, which is the direction of key recovery; and I
think some of your private-sector witnesses will tell you the same thing in
the later panels.
At the end of last year, we published new
regulations that transfer licensing of export of these items from State to
Commerce, thereby emphasizing the President's view that these things are
not munitions but integral elements of electronic commerce, to be treated
as commercial items.
The regulations set forth several procedures
which are intended to support the development of a key management
infrastructure and development of key recovery. The most important of these
is the creation of a license exemption which would allow recovery of
encryption products of any strength and key length to be exported freely
after a single review by the government.
The new regulations also allow for self-escrow and
escrow of keys overseas under certain circumstances.
We have also created a special, 2-year
liberalization period for companies to export 56-bit DES or equivalent
products if they submit plans showing they are working to develop key
management infrastructure to the Administration.
Let me say that I think that the proof of the
success of our policy is revealed by the results that we have had since we
put those regulations in place. We have received close to 700 license
applications for exports valued at almost $800 million. More than that, we
have 24 companies submitting plans to build key recovery products,
including some of the largest software and hardware manufacturers in the
country. We have approved 12 of these plans. We expect to approve more
shortly. Most importantly, none have been rejected.
We are in the process of developing through NIST a
Federal standard for Federal procurement of these products. We are doing it
the way NIST always has done it, using an industry advisory group to
develop a standard. When the standard is done, then the Secretary of
Commerce will promulgate it for Federal use. If it is a good standard, I
think others will adopt it as well; but that is their business. The
government is not in the business in this case of mandating private
standards for private use.
Let me say a word about the kind of legislation we
support to facilitate the development of key management infrastructure. We
support legislation that will expressly confirm the freedom of domestic
users to choose any type or strength of encryption; that explicitly states
the participation is voluntary; that sets forth legal conditions for the
release of recovery of information pursuant to lawful authority and which
provides liability protection for key recovery agents who properly release
such information; that criminalizes the misuse of keys or the use of
encryption to further a crime; that offers, on a voluntary basis, firms
that are in the business of providing public cryptography keys the
opportunity to obtain government recognition, allowing them to market the
trustworthiness implied by government approval.
Now, let me emphasize that last point, Madam
Chairman.
Ms. ROS-LEHTINEN. If you could try to wrap
it up.
Mr. REINSCH. This is my last point. Since
Mr. Goodlatte is here, I will reserve my comments on the Goodlatte bill for
questions.
I want to make clear the last point, Madam
Chairman, if I may, and that is we intend, on behalf of the government, to
develop a key management infrastructure for government use. We will license
certificate authorities and key recovery agents and require those entities
to adhere to the rules that we are providing in our regulations.
I also want to make clear this is not going to be,
in our conception, the exclusive key management infrastructure of this
country. Private entities of any sort—banks, other financial
institutions, service providers, people in the digital signature
business—now will all be free to undertake the same process without
linking to the government system. This is not a mandatory system in any
sense of the word. Legislation is pending up here. As you know, one of its
authors is sitting next to you and we would be pleased when the panel
concludes to comment specifically on that.
Ms. ROS-LEHTINEN. Thank you so much. We
appreciate it.
[The prepared statement of Mr. Reinsch appears in
the appendix.]
Ms. ROS-LEHTINEN. Mr. Crowell.
STATEMENT OF THE HONORABLE WILLIAM CROWELL, DEPUTY DIRECTOR, NATIONAL
SECURITY AGENCY
Mr. CROWELL. Thank you for inviting me to
testify on the technical implications of the Administration's policy on
encryption and to address the five specific areas that you identified in
your letter of invitation.
The Nation's encryption policy must be
multidimensional and balanced, and its technical underpinnings must be
sound. I have identified several important issues in my written testimony,
and I ask that it be submitted as part of the record.
Ms. ROS-LEHTINEN. Yes, of course. All of
the testimony will be. Thank you.
Mr. CROWELL. Today I will summarize the
main technical points and move to the points you indicated in your
letter.
Everybody in this room shares the goal of
promoting the use of secure encryption to achieve greater security in
electronic commerce. To accomplish this goal, a number of technical steps
are required.
The first step is to recognize the need for
establishment of key management infrastructures as an integral part of
using encryption. The essential elements of these include digital
signatures, public key certificates and key recovery. Robust, trustworthy,
full-featured key management infrastructures are needed to provide the
international framework, an internationally acceptable framework that can
enable the use of encryption to grow and electronic commerce to
flourish.
When I refer to trustworthy infrastructures, I
mean that you must be willing to bet your company and your company's future
not only on the strength of the algorithms that are used but on the
integrity of those who issue the encryption credentials that vouch for your
identity and the identity of those you deal with, that build the
directories that allow others to communicate with you, and assist you if
you believe your encryption key has been compromised, lost or
corrupted.
The system integrity fostered by key management
infrastructures will allow you to have the same confidence in electronic
transactions that you now have with signatures on paper, handshakes with
business partners and face-to-face meetings. Without infrastructure, we
risk building an electronic Tower of Babel.
Users will also expect a key recovery feature
when using encryption, particularly if they lose or corrupt their keys. If
any of you have ever forgotten a password or pin number, you know what I
mean.
Key management infrastructure provides the means
for encryption users to recover their lost keys and for lawful access to
the encrypted communications for law enforcement purposes. This is an
important technical issue since users and public safety officials cannot
rely on brute force techniques to obtain access to the information.
Several companies recognize the benefits of key
recovery and have formed business ventures to thrive within the new
climate. In October, 1996, the Key Recovery Alliance was formed; and that
alliance has already grown to 57 domestic and international companies. Some
alliance members include Mitsubishi, Boeing, DEC, Hewlett Packard,
Motorola, Sun, Unisys, RCA, IBM, Apple and America Online.
In summary, to achieve greater security and trust
in electronic commerce, you need more than just strong algorithms. You also
need trustworthy key and certificate generation, authentic nonforgeable
digital signatures and a way to gain access to encrypted data when the key
is lost or unavailable.
I encourage you to consider the details of these
important technical points and others by referring to the written
statement, and now I would like to give you NSA's responses to the
questions you raised in the letter of invitation.
In your letter, you asked that I address five main
points: restrictions on domestic encryption, the extent of domestic and
exported encryption regulations, exporting encryption like military items,
potential conflicts among free trade, privacy and encryption regulations
and pending legislative initiatives.
There are currently no domestic restrictions, and
we are not advocating them. We support the Administration's initiatives
that are designed to encourage encryption to be used more in the United
States. These initiatives include legislation to protect personal privacy,
public safety and key management infrastructure service provider liability,
and to encourage the development of encryption standards that will help
encryption to be interoperable and secure.
Export regulations have already been relaxed
to allow any algorithm and key length to be exported as long as the keys
can be recovered by an authorized entity. Some vendors are already exporting
key recovery products. For those vendors who have not yet developed
products, the export regulations will allow them to export 56-bit DES,
something the industry has asked for and the council recommended. The
Administration has already changed its export policy so dual use commercial
encryption is treated as a commercial product.
Ms. ROS-LEHTINEN. If I can ask you to just
summarize the other questions.
Mr. CROWELL. Let me summarize then, and I
can address the rest of your questions later as we go.
In closing, let me say, from a technical
perspective, NSA sees the emergence of key management infrastructure as
necessary and inevitable. The Administration's regulations and legislative
initiatives will help establish infrastructures and encourage the
acceptance of key recovery. The policy also ensures early on that such
growth is not haphazard and does not place users and public safety at risk;
and I want to emphasize, while the government can assist in significant
ways, only industry can build robust and scalable key management
infrastructures that are necessary.
Thank you, Madam Chairman.
Ms. ROS-LEHTINEN. Thank you so much, and we
will include all of your testimony in the record.
[The prepared statement of Mr. Crowell appears in
the appendix.]
STATEMENT OF THE HONORABLE ROBERT LITT, DEPUTY ASSISTANT ATTORNEY GENERAL,
CRIMINAL DIVISION, U.S. DEPARTMENT OF JUSTICE
Mr. LITT. Thank you, Madam Chair and
members of the Subcommittee, for giving me the opportunity to discuss the
views of law enforcement on this very important and complex issue. I
particularly appreciate it because, as I read the statements of other
people on the issue, I find that our views are caricatured and
unrecognizable; and I would like to take this opportunity to let you know
what our issue really is on the issues presented before you.
First, I want to make clear that the Department of
Justice and law enforcement in general strongly supports the spread of
strong encryption. Part of our responsibility is to enforce the laws that
protect personal privacy and commerce, and we believe we will be
significantly aided in that regard by the use of strong cryptography.
We think that the availability and use of strong
cryptography will be critical for the new global infrastructure to fulfill
its promise. But, at the same time, we also have the responsibility to
protect the American people from the threats posed by terrorists, organized
crime, child pornographers, drug cartels, foreign intelligence agents and
others and to prosecute crimes when they do occur.
So while we favor the spread of strong encryption,
we are gravely concerned that the proliferation of unbreakable encryption
would seriously undermine our ability to protect the people. Our national
policy has to reflect a balance between these competing interests of
privacy and public safety. If unbreakable encryption proliferates, critical
law enforcement and national security tools would be nullified.
For example, we have the ability, under the laws
passed by Congress, to go to court, satisfy rigorous legal and procedural
requirements and obtain a court order to tap the phones of drug traffickers
or any other criminals. Those wiretaps under court order would be worthless
if, when we install them, all we can hear is an unintelligible jumble of
noise. We might seize the computer of a terrorist or child molester who
uses the Internet and be unable to read the data which identify his targets
and his plans.
The potential harm to law enforcement and to
our domestic security from unbreakable encryption could be devastating.
This is not theoretical or future or exaggerated.
In my written statement, I give you specific
examples of cases where we are already encountering encryption in criminal
investigations. As it proliferates and becomes an ordinary component of
mass market items and as the strength of encryption products increases, the
threat to public safety will increase.
To some, this is an acceptable outcome. They argue
that people have the right to absolute immunity from government intrusion
regardless of the cost to public order and safety and that any new
technology that enhances absolute privacy should go unrestricted.
But this would be a radical change to the way we
structure our society. The Fourth Amendment strikes a careful balance
between an individual's right to privacy and society's needs, on occasion
and when authorized by law, to intrude into that policy. Our encryption
policy should try to preserve that balance, which has served this country
well for several centuries.
Others say our fears are overstated. But that is
not true. We don't have the computing power to break encryption even in the
strength available today in any reasonable period of time, and it is always
going to be cheaper and easier to devise algorithms that use longer keys
than to build computers that are powerful enough to break them in a
reasonable period of time.
We also have to remember that we are not only
talking about Federal law enforcement here but of the thousands of State
and local police forces all over the country who don't have access to
top-of-the-line supercomputers but are still going to be encountering
encryption. Attempting to crack a code is not a feasible solution when you
are trying to find a kidnapped child before she is killed or prevent a
terrorist attack.
As we said, our goal is to encourage strong
encryption but, at the same time, protect law enforcement's ability through
the use of a key recovery system.
But I want to emphasize another point,
because this is also an area where we are often misunderstood. We are not
asking for any new authority to obtain data, to examine records, or to
conduct a wiretap. Our goal is only to preserve the legal authority that we
have today to protect Americans' public safety through encouraging the
voluntary manufacture and use of key recovery products.
I would like to close, Madam Chairman, by making
one other point.
We believe that our Nation's encryption policy has
to be a balance that recognizes and accommodates competing interests. As I
have said before, law enforcement recognizes that there are important
privacy and commercial interests at stake in this issue, and we want to
encourage strong encryption. We have taken steps to accommodate these
important privacy and commercial interests in our policy, even though a
stronger policy would better protect law enforcement and national security
interests.
And I would ask you to ask those who are in
opposition to the Administration's policy, do they recognize that there are
important public safety interests at stake here? What would they propose to
accommodate the public safety interests? Or are they prepared to sacrifice
public safety entirely for the privacy and commercial interests?
Thank you very much, Madam Chair.
Ms. ROS-LEHTINEN. Thank you so much for
your testimony.
[The prepared statement of Mr. Litt appears in the
appendix.]
Ms. ROS-LEHTINEN. We are pleased to have
with us Congressman Goodlatte, whose bill has generated a lot of interest
on the Hill. His bill is moving along in the legislative process, and I am
pleased to see him joining our panel today. I would like to recognize him
to make an opening statement as well as to start the round of questioning
on our side. Bob.
Mr. GOODLATTE. Thank you, Madam Chairman. I
appreciate your holding these hearings and allowing me to be a participant.
This is important for you as well as the Judiciary Committee.
I also want to thank Congressman Gejdenson
for his cosponsorship and his promotion of the use of strong encryption in
this country and also welcome all three of our witnesses here today. I know
all of them very well. They have all testified before me on a number of
other occasions.
I especially know Mr. Crowell very well. He has
some ties to my congressional district, and we have spent a lot of time
together talking about this issue, and I very much consider him and the
other gentleman to be a friend. We happen to fundamentally disagree on the
best approach to fighting crime and terrorism in this country.
Mr. Litt, I very much agree with you and welcome
your expression of support for the spread of the use of strong encryption
by legitimate businesses and individuals in this country; but I very, very
strongly disagree that the Administration's policy is designed to promote
that. I think what you are doing is creating a bottleneck that is having
the effect of slowing down very, very dramatically the use of
encryption.
And when it comes to answering your question about
what the objections of opponents are, it is my opinion, strongly held and
shared by a great many people in this country, that promoting the use of
strong encryption without the restrictions that the Administration would
like to impose will do far, far more to fight crime and prevent terrorism
in this country, many, many, many fold, than the obvious danger of the use of
encryption by those who would abuse it; and I say that for two reasons.
First of all, it is my opinion, shared again by a
great many people, that right now—and certainly in the very near
future—the availability of that strong encryption, not escrowed, not
in a recovery system, not in a management system, is and will increasingly
be available to those people, those organized criminals, terrorists and so
on who would abuse it; and, as a result, the Administration's policy is
only directed at those people who are law-abiding.
If somebody wants to get ahold of strong
encryption, which, as you have noted, is freely available with no
restrictions in this country today and send it out of this country in the
form of a computer disk or even through the wires in the forms of little 1s
and 0s going anywhere in the world, that can happen today. But what can't
happen is for legitimate U.S. software manufacturers who dominate this
industry in the world today—about 75 percent of all the software
created in the world—what they cannot do is violate your export
control laws, and they will not do it, but they will suffer severe
consequences as a result of that.
Now you say you have formed your regulations to
make it possible for them to export stronger encryption, and a few have
taken advantage of that. But they do so with tremendous trepidation because
they know of the very, very serious disadvantages that come about by doing
that.
One is the inordinate cost they will incur in
complying with regulations in the creation of those programs and getting
those programs licensed through the Department of Commerce; and in the cost
of implementing and selling those programs, they will be at a competitive
disadvantage. But I think they even more greatly fear the competitive
disadvantage of having to have foreign competition like the German software
company who was reported on in The New York Times——
And Madam Chair, I would ask that this article be
made a part of the record.
Ms. ROS-LEHTINEN. Yes.
Mr. GOODLATTE [continuing]. Boasting,
boasting about what competitive advantages they now have and will continue
to have if the United States maintains its current encryption policy, and
they strongly support your policy. The West German manufacturers of
software competing with our companies strongly support what you are doing,
because you are giving them a tremendous competitive advantage over our
U.S. software companies.
Mr. GOODLATTE. And I would also like
to ask that an editorial from Forbes magazine written by Steve
Forbes——
Ms. ROS-LEHTINEN. Without objection.
Mr. GOODLATTE [continuing]. Endorsing this
legislation be made a part of the record as well. So for those reasons, I
do oppose what you are attempting to do.
I do think it is very, very important that we
establish strong encryption and give every American the opportunity to have
the advantage of that. And groups all across this country are rallying to
this cause and understanding it, dozens of privacy groups—groups like
the American Civil Liberties Union and the Center for Democracy and
Technology, which might be on the liberal or libertarian side; and
conservative groups like Americans for Tax Reform and Eagle Forum have come
together in support of this legislation.
Certainly the software and hardware computer
industries have strongly supported this legislation, but it goes well
beyond just that portion of American business. The National Association of
Manufacturers and the National Retail Federation have both endorsed this
legislation, because they know of the importance of encryption in promoting
the commercial use of the Internet and protecting citizens in this country
from crime; and the only way that it will rapidly develop will be for the
Administration to change its policy and not try to create this bottleneck
using our export control laws.
And you say you don't want to have domestic laws
involving encryption, but I suggest to you that your use of the domestic
control laws is not your fear of what goes out of this country but rather
your hope that using those laws will create the opportunity to set up a
domestic system of control of encryption, which today is prohibited in this
country and which my legislation would continue to prohibit.
So, Madam Chairman, I thank you for the
opportunity to participate and make this statement and, again, thank the
Committee for its interest.
Ms. ROS-LEHTINEN. Thank you.
Without objection, we will put those in the
testimony.
[The material mentioned by Mr. Goodlatte appears
in the appendix.]
Ms. ROS-LEHTINEN. I wonder, Mr. Goodlatte,
if you would like to ask the panelists any questions?
Mr. GOODLATTE. Not at this time, Madam
Chairman. We have had a number of exchanges on these issues, and I am sure
they will have the opportunity to respond to some of the things I have just
said.
Ms. ROS-LEHTINEN. Thank you very much.
Sam.
Mr. GEJDENSON. Let me ask a couple
questions.
I can buy pretty decent encryption in this
country, Mr. Litt?
Mr. LITT. Yes.
Mr. GEJDENSON. And so if I am a terrorist
coming to do damage I can walk into CompUSA, whatever, buy my encryption;
and anything I do in this country will give you some challenge in
deciphering it.
Mr. LITT. That is correct.
Mr. GEJDENSON. And if I am a terrorist, I
am probably not going to follow your export laws precisely, so I can also
dial up and export the encryption anywhere in the world via modem.
Mr. LITT. Under the current regime, if you
are willing to do that, yes.
Mr. GEJDENSON. So what we have now is a
situation where I can buy good encryption in this country, and I can send
it globally to my partners in crime. Or I can, as Microsoft did when it
needed to get better encryption for its products overseas, just buy this
German product and marry it to my product overseas, so I can legally get
good encryption overseas. Can I buy this German encryption and bring it
into the country?
Mr. LITT. Under U.S. laws, yes.
Mr. GEJDENSON. All right. I can buy this
pretty decent German encryption which goes beyond what you allow in this
country. So I wouldn't have to break the law by sending what we have. I
could simply buy the German product and bring it here. Would that work as
well?
Mr. LITT. Well, Mr. Crowell, who is more up
on the technical aspects of these things than I am, tells me that product
only does banking applications. So if I was a terrorist who wanted to do
home banking, I could use that.
Mr. GEJDENSON. But they don't sell any
other products.
Mr. CROWELL. I assume you are talking about
Brokat. They only sell home banking products.
Mr. GEJDENSON. So if I find somebody else
internationally who sells pretty decent encryption which isn't compromised
or is that possible?
Mr. CROWELL. There are products on the
market.
Mr. GEJDENSON. So I can find a good foreign
product—I shouldn't make all these admissions in a public
forum—and then I can buy that product and bring it back into the
country and communicate with my fellow criminals globally in encrypted
fashion.
Mr. LITT. Yes. And if you ask me if we
are——
Mr. GEJDENSON. That is the world we live
in.
The question is, what are you trying to achieve
through your policy? I assume you are not trying to destroy America's
economic future in this area. That might be incidental to your policy, but
that is not the prime focus.
So my assumption is you have figured out there is
a cost here, and you are willing to pay that cost if you can kind of hold
the tide back. It is going to get you, and you are hoping you can build a
fast enough computer before it gets you completely. So you are putting
sandbags on a river that is rising faster than you can handle, and any way
you can slow it down is worth the price. Is that your basic assessment?
Mr. LITT. No.
Mr. GEJDENSON. You have another goal in
mind?
Mr. LITT. Yes.
Mr. GEJDENSON. What is your goal?
Mr. LITT. First of all, I think we all
recognize we can't possibly sandbag the river fast enough. As I said, it is
a lot easier to build stronger encryption than we can break; and there is
encryption out there far beyond our ability to decrypt.
That is not what the goal is. Our goal is to try
to get an international standard of key recovery, to work with foreign
countries and work domestically so we don't have unbreakable encryption
being the standard.
Mr. GEJDENSON. Through the years, I have
been given lists of countries that are on the verge of making all this
illegal domestically. Which countries have you entered into agreements
on?
Mr. REINSCH. Ambassador Aaron has submitted
a statement for the record that provides some details about that. He has
talked to all the G–7 countries, the remainder of the EU that is
relevant here, the Australians, the Canadians, the South Africans, the
Japanese. He has plans to talk to the Israelis and several others.
I think the picture is—I would say most of
them are moving in our direction. I think they are behind——
Mr. GEJDENSON. That is very slow movement,
sir. I don't want to argue with you, but I was chairman of this Committee 4
years ago. Three years ago, at the beginning of my tenure, they were moving
in our direction.
Mr. REINSCH. Well, some of them have taken
some actions that are worth noting.
The French have already passed a law more
restrictive than ours. You have to deposit the key with the government.
The British have made a proposal which they
will embody in legislation by the end of this year which differs from the
French; but, in some respects, is more restrictive than our proposal is. I
think Mr. Crowell can describe the difference.
The other European countries that we have had
discussions with, I think, are working closely with the EU in Washington to
see what the British and French and particularly the Germans do. The
Germans are having a decision about this that has become public in the last
few weeks.
If you read other publications other than The New
York Times on this, the Interior Minister of Germany made a speech in which
he recommended a policy which I guess would be similar to the French; and
several other German ministers made public statements of disagreement with
him. The Germans have yet to resolve where they are.
I think we have discussed in other fora where the
Japanese are. I think the Japanese want to see a multilateral approach to
this problem, and they very much want to be a part of the multilateral
consensus. I don't think you will see them deviating from that
consensus.
We have had one multilateral meeting consisting of
most of the countries I described and some others. We intend to have
another one next month to try to move things in that direction.
Mr. GEJDENSON. So you have accomplished
nothing yet except for some very good discussions. And maybe one day you
will get there, but at the moment we have won no international agreement.
We have one country with some rules in place, discussions with others.
I am not saying you are wrong. This is a
complicated issue. Obviously, when you walk into the White House and tell
the President of the United States, if we change this law and any American
is injured anywhere, it is going to end up on your desk, we are going to
make legislators, Presidents very cautious about fiddling with this
legislation.
But it seems to me what Mr. Litt said, and others
have said, is this is a mathematical formula that is not impossible to
recreate. Even without large institutions behind you, that lots of people
can make this, that criminals will be able to get very high-quality
encryption, encryption that doesn't have a key sitting somewhere in the
U.S. Government's availability, that the only thing we are going to achieve
here is we are going to build competing industries worldwide in encryption,
which will actually make it more difficult for us to come to any kind of
agreement because then there will be large economic centers outside of the
United States that benefit from ever-increasing
encryption—international banking, the Internet, automatic kinds of
things demand higher and higher encryption.
Maybe your policy is right, but the policy
has to be seen as you are an anchor in the sand, and we are going to drag
you along the shore and every so often move that line forward.
Mr. REINSCH. Let me make a couple comments
in response.
First, with respect to the foreigners, I don't
think it is so much a question of what we accomplish as what they decide to
do for themselves. The dialog we have been having has accelerated the
timing in terms of them making their own decisions. What we believe, and we
could be wrong, sure, but we believe all of them are moving in our
direction.
Now, we would certainly agree with you, Mr.
Gejdenson, that if they don't we are going to have a problem. We are going
to have a competitiveness problem and a problem implementing our own
policy.
In fact, the point we are making to them on export
controls is that if they are not prepared to exercise export controls in
their own countries, none of them will be able to pursue their own national
policies with any effectiveness. Now, if they don't want to have a national
policy or if they want to have a national policy that provides for no
restraint at all, export controls wouldn't matter, but if they want to have
the British national policies or French national policies or any of the
other policies we have been talking about, they are going to have to have
some element of export controls in——
Mr. GEJDENSON. I think you are all
honorable individuals. I believe you believe in what you are saying. I know
it would be true in two of you, and the third I don't know so well, but I
assume that is true.
Mr. REINSCH. I feel a but coming on
here.
Mr. GEJDENSON. It was next to
impossible.
I remember sitting here fighting over fast
switches to China for their phone system. And we fought over it; and the
next thing we knew was the Israelis were selling them faster switches than
we were; and the next thing, the Chinese were building their own switches
as fast as the ones we could sell them. So it seemed at the end of the day
we brought the Chinese into the manufacturing business as well as some
other nationals along the way.
I think that is what we are going to do here.
And the question is whether the loss of market share and time will be of
any benefit at all at the end of the day, when today, if I want to use
encryption for evil and illegal activity, I can do it worldwide. When I
wanted to build a very fast computer, I needed to have clean rooms and
technology of a significant nature. When I want to create encryption, my
understanding is, if I am a decent mathematician and I walk off with one of
these laptops, I can create some pretty decent encryption.
So demand is increasing, and I don't know where
you guys are going.
Mr. CROWELL. Could I address that?
Mr. REINSCH. Let me say, first, we could
have used you 2 weeks ago at a National Security Committee hearing on
exports.
Mr. CROWELL. We have been trying to make a
very important point about the use of encryption that I think we have been
unsuccessful in making with many of you, and that is encryption alone is
not necessarily security, that there is much more to providing security
than an algorithm.
Since we have had difficulty with that, I thought
I would read from an article published by Bruce Schneier in the Communications of
the ACM. Bruce Schneier, for those in the audience who don't know him, is a
leading private sector cryptologist. Therefore, he is more credible.
Mr. GEJDENSON. Not with me.
Mr. CROWELL. I will just take a couple of
parts of it out.
But the cryptography now on the market doesn't
provide the security it advertises. Most systems are designed and
implemented not by cryptographers but by engineers who think cryptography
is like any other computer technology. It is not. You can't make systems
secure by tacking on cryptography as an afterthought. You have to know what
you are doing every step of the way from conception through
installation.
The good news about cryptography is we
already have the algorithms and protocols needed to secure systems. The bad
news is that is the easy part. Implementing the new protocol successfully
requires considerable expertise.
The areas of security that interact with
people—human management interface security, access
control—often defy analysis; and the disciplines of public key
infrastructure, software security, computer security, network security and
tamper-resistant hardware design are poorly understood.
His point and the point that we have been trying
to make—two points—one is, the key management infrastructures
are necessary to allow cryptography to provide the public with real
security. Without public key infrastructures, no one knows who they are
securely communicating with. It is part of the way you build a system, and
we know that from 50 years of studying cryptography.
The second thing is, as encryption is used for
electronic commerce, these infrastructures are going to be built in order
to protect the economic interests of the entities using them and the public
interest; and then the criminals and the terrorists will have to use those
systems. They cannot create their own cells and do their banking, and they
cannot create their own little cells and do their own business on the open
market. So, yes, they can build little cells and communicate with each
other; but they cannot carry on their daily business.
Mr. LITT. Could I just——
Ms. ROS-LEHTINEN. Maybe you could
incorporate that answer into the next round of questioning.
We recognize Mr. Goodlatte.
Mr. GOODLATTE. Thank you.
I would like to follow up on the questions that
the gentleman from Connecticut made, because he made some good ones.
None of us disagree with the concern you have
of misuse of encryption by criminals or terrorists, and I understand the
concern the President might have in changing his policy in terms of what
that spells for somebody having access to encryption and misusing it. But
the problem is the President doesn't run the risk of saying that is a harm
that may come to some American or somebody else in the world by
changing the policy.
I think the risk is far greater by not changing
the policy. Because the lack of strong encryption protecting, for example,
a nuclear power plant today that a terrorist could break into and cause a
meltdown or stealing and altering industrial secrets as they are
transmitted between the design plant and the manufacturing plant of a
manufacturer are great concerns right now. And the promotion of strong
encryption, which we know you say you support but you have a policy which
harms the implementation of that, is to me far greater.
Now when we talk about the other countries'
national policies, I don't think their efforts are going to work any better
than the efforts have here; but, nonetheless, the point is this: No nation
on earth protects the freedom and privacy of its citizens greater than the
United States does. And I don't want to base my standard on what any of
those other countries may or may not do, but I can almost assure you they
will never reach universal agreement on how to handle it because they don't
trust each other any more than we trust all of them.
You are absolutely right, Mr. Crowell, that we
have to promote the use of key management and key recovery. Because if
anybody sets up a heavily encrypted computer system and loses their key or
hasn't the ability to communicate with some aspect of their communications
system, they have created an enormous problem for themselves, risking huge
economic loss by doing so.
The question is, however, whether a free market
system of this country and the very, very capable computer software
industry should manage the development of that system or whether big
government should be involved in setting that system up in such a way that
causes competitive disadvantages and severe mistrust on the part of a great
many Americans who are concerned that the access to their private
communications are going to be interrupted by government.
I mean, we are talking about a situation
where 1,000 people's FBI files wind up down at the White House where they
did not belong. Why are we going to feel more confident with a gamed system
where the government has access to keys to computers that give people a
greater sense of security, that the same thing won't happen on a much, much
larger scale?
After all, the FBI files are information gathered
by government on individuals in the country. Access to people's computers
is the citizens themselves gathering the information under a system where
it could be abused, that access being turned over entirely to government.
We would be essentially reporting to the government ourselves. So, to me,
the approach is wrong-headed; and it is hurting our ability to prevent and
control crime; and I would like you to address that.
Ms. ROS-LEHTINEN. We would ask for them to
briefly address. Then we will recess for a vote and then come back, if the
gentlemen could stay, because the other members do have questions.
Mr. LITT. I would like to address that last
point that you made and to emphasize that we would have no more access to
the contents of your computer than we do today. The government does not go
into people's computers and steal their data today. We need to have
warrants and need to have lawful authority——
Mr. GOODLATTE. Mr. Litt, under the proposed
legislation that is floating around here, you would need far less than a
warrant to get access. You would only need a letter from the Attorney
General of the United States. That is a far less secure system to protect
our citizens than we have under current law.
Mr. LITT. That is not correct. We would
need to have the independent legal authority to get access to the
underlying data. We could not walk into any place and get a key unless
independently we had the lawful authority to get the data that was
encrypted. We could not just go get a key.
We are not seeking any expansion of our
present legal authority to get data or communications or anything else. The
American citizen's privacy would be protected to the exact same extent that
it is today.
Mr. GOODLATTE. Now, when you get that key
for the banking purposes that every criminal and every terrorist has to
engage in, you can get that key right now. Because the banking institution
that also has to have that key to encrypt that communication with that
criminal, they are sitting right there responsive to your current ability
under current law to subpoena that key.
Why do you need to change that in order to
accomplish what you are talking about? If these entities can use their own
encryption when they communicate among themselves and they turn around and
communicate with legitimate entities, you can already get those keys.
Ms. ROS-LEHTINEN. We will have a brief
recess, and you may address that when we come back, and then we will
recognize as well the other members of our panel.
The Committee is now in recess.
[Recess.]
Ms. ROS-LEHTINEN. The Subcommittee will
come to order.
Thank you, gentlemen, for waiting to answer Mr.
Goodlatte's question; and he will get the answer, even if he joins us
mid-sentence.
Mr. LITT. Thank you, Madam Chairman.
I think the answer is we can have our spinach and
our ice cream, too. We think we can get the benefit of strong encryption
while protecting law enforcement. I am not suggesting that we are going to
have a system where every single terrorist throughout the world uses a key
recovery system, but we think that our policy will eventually make the
worldwide standard encryption that uses key recovery.
And one of the things that we notice in the law
enforcement business is that criminals don't necessarily take advantage of
every opportunity to thwart our investigation. Although everyone knows we
can wiretap phones, nonetheless, with great regularity, criminals continue
to use the telephone to conduct their business.
We are confident that if key recovery becomes
the worldwide standard, the great number of criminals will use that because
that is what is available to them and it is easy to use. So we will get
that while at the same time allowing—I couldn't agree with Mr.
Goodlatte more when he said we need to get encryption to protect our
infrastructure from terrorist attacks, but we need to do that in a way that
allows law enforcement to continue to have the abilities that it has
now.
Mr. CROWELL. Madam Chairman, if I could
just add, I think some of the statements Mr. Goodlatte made are very
important; and I think there are many areas of agreement that we should
capitalize on.
Mr. Goodlatte and we agree that a key management
infrastructure is necessary to good security. I heard him say that, that
key recovery is something the market will demand. He said, we agree that it
should be industry-led and not government-mandated.
We agree with that. We agree that it should be
voluntary, not mandatory; and we agree that there should be in the areas of
domestic use and with good key management infrastructure some key recovery,
no bit-length restrictions.
So there are so many areas of agreement that we
keep coming back to as areas of disagreement that I think we are not making
much progress, and I am sorry.
Mr. GOODLATTE. Let me follow up on that,
because there are four elements in my mind.
One I know you don't disagree with, and that is
making it a crime to use encryption in the commission of a crime or
covering up a crime. I know you don't disagree, because you have stated in
these hearings and before that the stated principle to every law-abiding
American to use encryption is something you support.
You say you do not want mandated government key
recovery or key escrows. Well, the bill prohibits that; and if you don't
object, why would you object to the prohibition of it?
It simply allows U.S. software manufacturers
to export heavily encrypted software up to the point they can show that
foreign competition is already offering a similar product. That doesn't
interfere with your right to establish a national or international system,
because if other countries are already allowing folks to do it elsewhere
why shouldn't we be allowed into that game? If, in the meantime, you can
continue to conduct negotiations for some kind of international agreement,
this bill doesn't prohibit that.
Why do you object to my bill if what you say is
correct?
Mr. CROWELL. First of all, we believe that
your bill which prohibits mandatory key recovery will inhibit the market
for key recovery. It certainly will inhibit the government's use or
mandated use for government records and government networks and systems,
which are extremely important to protecting the public interests where we
are the custodians of those records and must be able to turn them back to
the public after they become public record.
Mr. GOODLATTE. We would certainly work with
you to make it clear that we are not attempting to prevent the government
from having a key recovery system. We are trying to prevent the government
from mandating that other people have a key recovery system who don't want
to be one with the Federal Government.
Ms. ROS-LEHTINEN. Thank you, Mr. Goodlatte.
We appreciate your being here to discuss this issue which is of great
concern to you as well.
Mr. Luther, welcome again to our Subcommittee.
Mr. LUTHER. Thank you, again. I thank you
for the kind welcome.
My question really is about legislative proposals.
As I understand it, the Administration is considering some legislative
proposals; and I am wondering if you could elaborate on those.
Mr. REINSCH. Yes, Mr. Luther.
We have been working on a bill which is on
the Net—or earlier versions of it are on the Net. I am not sure that
the final version is linked yet, but I have no doubt that ultimately it
will.
The contents of the bill reflect principles that I
mentioned in my statement.
We, too, will confirm that there will be no
domestic regulation of encryption.
We will make clear that participation and key
management infrastructure is voluntary.
We will set forth legal conditions, as Mr. Litt
described, for the release of recovery information to law enforcement
officials pursuant to lawful authority.
We will provide liability protection for key
recovery agents who follow the rules.
We will criminalize the misuse of keys and misuse
of encryption to further a crime, which is something Mr. Goodlatte
discussed.
And we will create, as I said in my statement, on
a voluntary basis a government key recovery system that we will use for
government use, as Mr. Crowell indicated. We think that there will be some
demand for participation in that system anyway.
Mr. Goodlatte is concerned about people who don't
want to participate. That is fine. We don't want anybody to participate if
they don't want to.
On the other side of the coin, we don't want to
discourage people from participating who want to participate, who find that
the government's assurance of authenticity and validation through its
licensing the certificate authorities and key recovery agents is something
valuable to them.
One of the points that Mr. Crowell alluded to in
the answer to one of Mr. Gejdenson's questions is that, in developing
secure systems, what we are really talking about here, is not just
encryption; it is how can you do commerce on the Net securely; and a
critical part of that isn't just being able to encrypt your transaction, it
is having confidence that it is going where you want it to go and being
received by your intended recipient and not somebody else who is
masquerading. That is a question of using the digital signature that is
rapidly becoming part of that, and we want to facilitate that.
We think that a key recovery system where the
government says these are valid people because we have checked them out,
and when they certify a key recovery agent that lends an element of
authenticity to it that we think would help the market. If people don't
want that, that is fine; but that is in our bill.
We have not submitted our bill yet, Mr. Luther;
and I think for the time being we are not going to. We are going to see how
the situation develops both here and in the Senate for a few more
weeks.
Ms. ROS-LEHTINEN. Thank you.
Mr. Rothman, would you like to question?
Mr. ROTHMAN. Thank you, Madam Chairwoman.
It is great to be with you again.
A couple of general questions. Does the Goodlatte
bill prohibit voluntary key recovery systems?
Mr. REINSCH. I think we would say that it
inhibits it, Mr. Rothman.
Mr. ROTHMAN. No, my question was, does it
prohibit it?
Mr. REINSCH. I would have to look at
it.
Mr. CROWELL. It prohibits the mandatory key
escrow procedures.
Mr. ROTHMAN. Prohibits mandatory, so does
not prohibit accomplishing Mr. Reinsch's objective of establishing if
somebody wants to get the government's certification or know if a company
they are dealing with has this certificate.
Mr. CROWELL. It would have an impact on the
government mandating key recovery for government use, which is something
that we would encourage.
Mr. ROTHMAN. Right. Would Mr.
Goodlatte—you indicated he would have no objection to allowing the
government to create——
Mr. GOODLATTE. If the gentleman will
yield.
Mr. ROTHMAN. Yes.
Mr. GOODLATTE. We don't believe the bill
prohibits and we don't believe it inhibits the development of a key
recovery or key management or key escrow system that individuals want to
privately contract for with a software company, a bank, whoever they want
to deal with.
If there is a concern on the part of the
government that somehow they will be prohibited, certainly we want them to
be able to recover their records and we want them to encrypt the records to
protect the citizens. If they feel the legislation in any way prohibits
them from doing that, we would work with them and make that clear, that
they could use it themselves.
Mr. ROTHMAN. If you would allow me, I would
be delighted to participate with you in amending the bill to accomplish
that objective.
Mr. GOODLATTE. We would want to take a look
at it and see if it does need to be amended. But, if it does, we would like
the cooperation.
Mr. ROTHMAN. All right. For the life of me,
I can't—if it doesn't mandate participation in a government-mandated
key recovery system and if we can accomplish some clarity with regard to
our intention to allow the government to have a key recovery system for its
own documents and own legitimate purposes, then what is left to the
objection?
Mr. REINSCH. The removal of export
controls.
Mr. CROWELL. And the lack of any provision
for facilitating it and encouraging the growth of key management
infrastructures and key recovery.
Mr. ROTHMAN. Well, if I may, Madam
Chairman, the removal of export controls, I don't get it. What is the
problem with allowing—if we are not mandating this for our own
people, why would we require that it be prohibited from other people, if,
as Mr. Goodlatte said, the technology is already out there?
Mr. REINSCH. Well, there is a
difference of opinion, first, between us and Mr. Goodlatte and others over
the extent to which the technology is out there.
Mr. ROTHMAN. To the extent the burden is
met first before the export is permitted, which apparently is what the bill
reads.
Mr. GOODLATTE. If the gentleman yields, the
bill does not remove export control, simply allows us to show that a
foreign competitor has a competitive product. They should be able to rise
to the level of encryption of that competitive product. That is all we are
asking for.
We recognize the concern of the Administration
about unlimited access to encryption. We think they have a problem that
their solution doesn't solve.
And if I could add one other thing with regard to
that. The export controls don't just affect the access of people overseas
to strong encryption. It also affects the ability to have strong encryption
domestically.
For example, Citibank, which strongly supports
this legislation, and you can communicate with your San Francisco office,
you can use any level of encryption you want to transmit your financial
transaction, but if you want to transmit to your London office or Tokyo
office, you cannot use U.S. domestically created software because you can't
export because of the export control laws to those overseas locations. You
can, however, buy, as the gentleman from Connecticut pointed out,
German-created software, bring that into the United States and use that
internationally. And that is ludicrous.
The policy of trying to control the availability
of little 1s and 0s going through wires through our export control laws
designed to control things like jets and bombs and maybe even mainframe
computers being exported simply will not work in this regard, but it will
work a serious detriment to the U.S. software industry and the availability
of encryption to U.S. citizens.
Mr. ROTHMAN. If I may reclaim my time,
thank you. Just one concern with regard to—and I haven't really
thought this through too much—and that is the civil libertarian
aspect of this whole issue. Is it the government's position that they would
like to have a mandatory worldwide key recovery system in place so no one
around the world would be able to buy any computer system or software for
which the government didn't have a back door key?
Mr. REINSCH. No, that is not our position;
that is not our position; and let me, if I may, elaborate on that and
respond to your previous question.
We seek to use export controls as an effort to
move all of our major trading partners and ourselves in the direction of
the key recovery and key management infrastructure in the way that we have
described, which is in the direction of a voluntary system.
Export controls undertaken by the United States
unilaterally, if that were to be the case, ultimately would have the
adverse effects, I believe, that Mr. Gejdenson described. If they are
successfully undertaken multilaterally—and we do have some now; we
control these items multilaterally, less so for banking than others; we
intend to make an announcement in an hour and a quarter with respect to
that. But as part of a multilateral framework, we believe that export
controls are virtually the only instrument available that will allow
countries to pursue their own policies.
Our national policy will be one of allowing law
enforcement access under the circumstances that Mr. Litt described. Other
countries may have different national policies by virtue of their concerns
and their histories. If you have a world with no export laws, no country
could pursue its national policies because there would be items coming in
in violation of it.
Mr. ROTHMAN. But this is a voluntary
policy; whoever decides to be a part of it will be; right?
Mr. REINSCH. Well, yes. What we hope will
happen and what we see happening in the marketplace is the increasing use
of the technology that provides the access that we seek to have available.
We think key recovery is what people are going to adopt, not because we
want them to, not because of our policy, but because it makes good
commercial sense. Ask the next panel, and see what they say about that.
Mr. ROTHMAN. Thank you.
Ms. ROS-LEHTINEN. Thank you, Mr.
Rothman.
Mr. Chabot has no questions, so we will continue
to Mr. Sherman.
Mr. SHERMAN. You know, I believe in key
recovery. I have got a key to my apartment hidden near the front door, but
it never——
Mr. REINSCH. Are you going to tell us
where, Mr. Sherman?
Mr. SHERMAN. That is the point I am going
to make. It never occurred to me to give that key to any agency of the
government.
Mr. REINSCH. We don't want it.
Mr. SHERMAN. I don't know why the
government should be involved in any way in key recovery unless it is the
intent of the government to use the key without the permission of the
person whose data has been encrypted. I think it is somewhat artificial to
come here and say, well, any big business would want a key, so we want to
impose a Federal regulation that will lead to that key being available. I
am sure that various private users will find a way to hold on to a key
without Federal export controls.
I am particularly concerned, and I think the last
speaker made it very clear, we are using export controls because it is the
only available mechanism to control something that really can't be
controlled through export control. We have got a situation where anybody
can buy anything domestically, and there is no attempt—correct me if
I am wrong, Mr. Litt—to regulate that at the Federal level.
Mr. LITT. That is correct.
Mr. SHERMAN. So you can buy anything
American industry can create, use it anywhere in the United States, and
for, I think it is about $12, Federal Express will send it to your friends
in Japan. We have, to my knowledge, no capacity to stop an individual
package from going abroad if owned by the consumer. We also don't have any
import controls. It ignores the Administration proposing them; correct?
Mr. REINSCH. That is correct, Mr.
Sherman.
Mr. SHERMAN. So in any country, even if you
got 20 technologically developed countries to sign up that nobody can use
more than 2-bit encryption, and they have to have a key anywhere, and there
is just one country out there that manufactures software with 128-bit
encryption, that can be imported by any drug dealer and terrorist in the
United States; right?
Mr. REINSCH. Yes. I think the answer to
that lies in the comments Mr. Crowell made previously. I don't know if you
were here when he made them.
Mr. CROWELL. The use of that encryption
requires some means of conveying trust in the people represented by their
public keys. Earlier we commented on that, that to be used widely,
encryption needs the support of the infrastructure that will identify a
public key, you know—I guess I have to start at the beginning.
Mr. SHERMAN. I am sorry, you don't have
enough time to start at the beginning, but I am sure——
Mr. CROWELL. Let me try and say it in just
a couple words. If you were to use an Internet browser today that provides
128-bit cryptography and provides great encryption, it provides very little
security, because when you hook up over the Internet, which is a large
party line, and the little key closes on the left-hand side, all you know
is that you are encrypted. You have no idea whom you are talking to. There
is no way to certify whom you are talking to, because the infrastructure
that is necessary to provide that security doesn't exist.
Mr. SHERMAN. So we would need to see the
loss not only of jobs involved in creating encryption software but
communications software as well, and if people were unwilling to entrust
the government with their keys, they would have to buy not only encryption
software but a whole package of software.
Mr. CROWELL. We do not seek in the
government to hold the keys of anyone.
Mr. SHERMAN. In any case, if someone
wanted a greater degree of privacy from the government than is provided
from the regime you are trying to create, they would have to buy not only
their encryption software but other related communications software from a
foreign supplier that did not——
Mr. GOODLATTE. Would the gentleman yield on
that point?
I thank the gentleman for yielding.
It is a very, very good point, because encryption
is not a separate segment of the software industry. Every type of
communications that people want to have secure in the future, where that is
their copyrighted material that is not on the Internet, because you can't
protect Snow White, Disney can't do that, whether it is any type of medical
record that might be transmitted by telemedicine procedure, every type of
financial transaction, be it banking or whatever, the software that
underlies that is going to be encrypted. Some of it is encrypted today.
Within a few short years, every American who wants
to buy over the Internet and be secure with their credit card number being
on there, we are going to encrypt. So you are not talking about losing that
segment of the market that would be called encryption, you are talking
about losing massive portions of our software industry to foreign
competition that is constrained by an export policy that we have.
Mr. SHERMAN. So if even 1 of 20 or 30
developed countries wanted to take the software industry away from us, or a
big portion of it, all they would have to do is not enter into any of the
international agreements that are being proposed, and they would be the
only country that would offer communications software without the full
degree of privacy that some consumers want.
Mr. GOODLATTE. That is right, and you are
going to see U.S. companies with a strong interest in moving to those
countries to create that business, and we will lose it here.
Mr. SHERMAN. So that virtually
guarantees that at least one country won't enter into an agreement. And
perhaps our panel can correct me; the United States is not going to impose
any sanction on any country that says, we want free access to the American
market, we want all the advantages of being part of the developed world and
having our border protected by the American military, but we want to make a
lot of money selling encryption software, and we refuse to enter into an
OECD agreement. We would impose no sanctions, no disadvantages, on such a
country; right?
Mr. REINSCH. Well, I don't think the way to
begin a negotiation or a conversation with our allies is to threaten
them.
Mr. SHERMAN. Well, these negotiations are
not beginning; they are stalled.
Mr. REINSCH. On the contrary, they have
already begun.
Mr. SHERMAN. That is what I mean, they have
begun, they are not beginning, and I think it is highly unlikely that they
are going to lead to universal success.
Mr. REINSCH. Well, I think that is a
judgment where we can differ, but it is a judgment. I encourage you to read
Ambassador Aaron's statement that he submitted for the record. I think we
are making more progress than generally recognized, because the other
governments understand the issue the same way we do and understand their
stake in it. They have the same law enforcement issues, the same issues
with terrorists and with drug cartels that we do; we are not unique. Other
governments recognize that. They are wrestling with the same problems that
we are.
Mr. SHERMAN. Excuse me. What you are trying
to do is draw to an inside straight. That is to say, it is not enough to
get 50 percent of the countries all on board on the same agreement, or 60
percent, you need them all. If every country but Holland or every country
but Thailand agrees to this, those are countries which, within a year or
two, will have the software technology to completely thwart the
effectiveness of this agreement.
The reason why in poker you don't draw to an
inside straight, even if you get four out of five, the fifth card is never
there. Do you have any reason to think that you are not going to get just
general agreement or universal agreement from every country capable of
producing encryption software, all without the threat of sanctions?
Mr. CROWELL. One of the things that we
believe is that unilaterally opening up export controls will undermine the
international agreements.
Mr. SHERMAN. You have clearly undermined an
effort that seems doomed to failure.
Mr. LITT. I think I would disagree with the
premise that we need every country to agree, because I think our
expectation is that people will recognize that the kind of product we are
talking about is a better product, and that this is a product that they
will want to buy, and that fundamentally you will not have large numbers of
people who will be looking for non-key recovery software.
Mr. SHERMAN. I think a lot of people want
software where they keep their own extra copy of the key. Some might even
trust Bill Gates with an extra copy of the key, but none of the people who
have written me want to entrust the government with the key.
Mr. LITT. We don't want it.
Mr. SHERMAN. Nor do they want to entrust it
to anyone who might make it available to the government.
Mr. LITT. To go back to your analogy of the
key by the front door, I think it is an easy analogy but there is a
fundamental difference from the law enforcement point of view. Obviously,
this would never happen with you, so let's assume John Gotti keeps a key by
his front door. If we go to court and establish there is probable cause
that there is evidence of a crime in Mr. Gotti's house, and we get a
warrant, if we don't have his key, we can break down the door and seize
that evidence. We can't do that with encrypted data. We have no other way
into that. Even if we get the court order and establish probable cause, we
can't get it.
Mr. SHERMAN. Mr. Litt, I fully
understand why it would be valuable for law enforcement to be able to
decode all encrypted messages. I just see this as an effort to punish U.S.
software makers, because there is no chance of ever giving law enforcement
that ability which you describe as being very useful and arguably
necessary. And if you are going to ever have that kind of ability, it is
not going to come from export controls with no import controls or an
assumption that you are going to draw to an inside straight. You are going
to have to do what the French have done, which is limit their own citizens'
right to the use of software, no matter where developed or
manufactured.
Ms. ROS-LEHTINEN. Thank you, Mr. Sherman,
if you would like to add that up, we would like to move onto our other
panelists.
Mr. SHERMAN. You don't have the votes to do
so. So as long as there is any country in the world that will make
communications software that provides this level of encryption, Americans
will, because you don't have the votes here to be able to use it, and that
will include those engaged in crime.
Thank you.
Ms. ROS-LEHTINEN. Thank you so much. I
would like to thank the panelists for being here with us.
Ms. ROS-LEHTINEN. I would like to introduce
our second set of panelists. We will be hearing from Humphrey Polanen, the
general manager of Network Security Products Group. Mr. Gage will provide
our Subcommittee with a short informative demonstration of the encryption
issue.
We will next hear from Jerry Berman, the executive
director and one of the founders of the Center for Democracy and
Technology. The Center is an independent nonprofit policy organization, and
their mission is to develop and implement public policies and answer
individual liberty and individual fallout in the new digital media. Mr.
Berman also coordinates the Digital Privacy and Security Working Group and
the Interactive Technology Working Group. Mr. Berman received his M.A. from
the University of California at Berkeley and also graduated with honors and
served as the editor of the California Law Review at law school.
And we will also hear from Mr. Tom Parenty,
the director of security for Sybase Corporation. Mr. Parenty has been
active in the cryptography and computer security field for over a decade,
starting with his tenure at the National Security Agency, where he worked
on global nuclear demand and control networks. He has worked with several
intelligence agencies regarding design of operating systems, networks, data
base management systems also. He holds a bachelor's degree in philosophy
and master's in computer science.
And last, Stephen Walker, the president and chief
executive officer of Trusted Information Systems, which he founded in 1983.
Mr. Walker served 22 years in the Department of Defense and several
branches, including the National Security Agency. He has over 35 years of
experience in systems design and program management and is nationally
recognized for his pioneering work in computer security.
I believe that Mr. Gage will start with the
demonstration. Is that correct, gentlemen?
STATEMENT OF JOHN GAGE, CHIEF SCIENTIST, SUN MICROSYSTEMS
Mr. GAGE. My name is John Gage. I am the
chief scientist for Sun Microsystems.
Responding to the last panel that asked that big
business speak, we are a $9-billion company, so it is a medium-sized
business.
I want to show you something very quickly which is
accessible to any kid with a modem, anybody sitting at that panel with
their computer on the House Information Systems link to the Internet. So
what I have set up, you can see on the screen, is a simple Web page that
says what you can do if you are a non-U.S. company, why you can use strong
encryption, what you can do if you are a U.S. company, you can use strong
U.S. encryption, but you have to fight your way through the export
regulations to let your users somewhere else protect their machines. Well,
OK, that is fine.
What can you do if you are a kid on the
Internet? You can download strong encryption. What can you do as a company
to protect your own company data abroad? Well, if you can't use strong U.S.
encryption, really strong, you will have to use foreign, so that is what
hundreds of U.S. companies do.
So I put these little buttons here to summarize
what it is we are up to. You can push this button—don't do it
yet—to see where you can get strong encryption worldwide. You click
another button and it comes to your computer, the one right there on that
bench where you are sitting. Then, the red line said if you send it back
where it came from—that is just one click—you go to jail.
Well, you don't, because you are Members of
Congress and you have a general counsel who is highly paid to keep you out.
But, you know, what happens out there in the real world?
Our concern—I think every member of the
industrial commercial panel you have in front of you will agree with Bill
Crowell—our concern is that the systems we use for air traffic
control, controlling of the power grid, control of the trading floors where
$1 trillion a day is traded in New York, in Tokyo, even a momentary
disruption there brings chaos to world financial markets. We as a company
and all of the people here at the panel do business in those arenas; that
is it, it is real world stuff.
And what do we have today? We have insecure
operating systems, insecure networks, and a wonderful 1976 invention. This
isn't God speaking. Public key encryption was invented in 1976, not a long
time ago, and it gave us a brand new powerful tool to use in order to
authenticate who you are. Is the check in the mail? Prove it. We now have a
little machinery to do that.
So if you want to use that machinery to go around
the world and make your product safe and authenticate who you are and make
sure who is inside your machine ought to be there, if you go to the top and
hit ''Forward''—and we just went to Germany. This is that company
mentioned earlier today, Brokat. The German company sells things for the
Gelt and capital market; that means money people.
And if you go forward once more, you will see
precisely the New York Times article. This is now coming from Germany. This
is their advertisement. It says, if you scroll down a little bit, there are
the people in Germany; they are happy because they can sell something U.S.
companies can't.
Just keep going down. Brokat makes $6 million; it
is a tiny company; it has kids in a coffee shop. Far from hindering the
spread of powerful encryption programs, U.S. policies created a bonanza for
alert entrepreneurs.
Now, for U.S. industry, we are blessed that there
aren't that many alert entrepreneurs, but don't bet on it, because things
are moving fast. There was a citation just a moment ago about what in the
technical community we call the crossbar problem. That is, if you have 50
countries that want a policy and they have to deal with 50 others, that is
50 by 50 meetings. So much for Ambassador Aaron; he sinks from sight. Fifty
by 50 meetings, 2,500 meetings if the United States wants to find out if
Malaysia, which declared yesterday that the new capital city of Malaysia
will be a data haven where anybody can use strong encryption with their
data, they are going to be talking to Japan.
Let's go forward once more, because we are going
to leave the United States, we are going to leave Germany, and we are going
to go to a hotbed of independent encryption. It is called Finland. Finland
is the densest Internet country in the world. Sometimes people say it is
dark so long, there is not much else to do in Finland.
But what people do in Finland is get on the
Internet, and they provide here the Finnish archive. Scroll down a little
bit: The Finnish news, Fin Net. Just hit ''Forward'' again. We will go to a
page instantly accessible from Finland that lists all sorts of crypto
systems. You want 128-bit key, 256, 512, 1,024, RSA; you want to have code,
source code for RSA, the European code; it is all here; you can just
download it. So there are all these different, accessible to anyone in the
world, pieces of code.
We go forward, and look at all this. Idea;
that is an encryption; that is the DES code. How old is DES? Very old. Is
their source code all around? You bet. Do you want to download it? Now,
legally, I can click on one of these and it will come across the wire and
land right here on this machine. Triple DES. Let's not do that yet. Let's
go back and see where else we can do.
Ms. ROS-LEHTINEN. Thank you for bringing in
Finland, land of my husband's birth.
Mr. GAGE. It is a wonderful country.
Finland hosted the last cryptography conference, and the NSA, thank God, is
one of the world's best centers for encryption, world's largest pool of
mathematicians. A lot of NSA people went to Finland.
Let's now go to a strange place where you can get
encryption. Let's go to Zagreb. This is in Croatia. Everybody is on the
Net, so access is allowed all day, bombing excepted. Local time; what is it
in Croatia?
And FTP, that means file transfer; that means get
me, touch me, and I will send you the entire source code, everything you
need to build your encryption systems. Well, let's continue on. In Croatia,
there is crypt—let's go in—and there is DES, and there is some
more freely downloadable DES code from Croatia. Now, we can do this, and
maybe we should do this. We can do this in a minute.
I didn't want to get to this button yet, and maybe
next time we do this, you can do that just so you can test the law. I
thought we would go down to other places, all around Russia. If you are
hungry and you are a cryptologist and you don't have any money coming in,
what do you do? You sell your crypto. Sweden is an enormous center of this,
because the mail systems now for the Scandinavian countries are completely
strongly encrypted. They say it is silly, the U.S. position; they wouldn't
think of putting any impediment in the way of a Swedish citizen or
Norwegian citizen or a Finnish citizen to have secure, private mail.
Norway, go to the Netherlands—unbelievable amounts of stuff. I guess
I went on Zagreb again.
Here is a site. This site is a U.S. site that
points to all these sites around. So when there is a moment in the
Department of Justice's harried schedule when the Deputy Assistant Attorney
General in the Criminal Division decides to become a product manager for
U.S. industry, he is up proposing himself as one with insights into what
the business community will buy. That is our business; that is what we
spend our time doing; that is where we have millions and millions of people
that we deal with every day using encryption for interior security to make
their systems secure, overall systems.
And that is why I don't believe I would hire the
Deputy Assistant Attorney General, Robert Litt, as a product manager. He
doesn't know the ground. And when he uses language, which I must say makes
me worry a bit, he is misunderstood, not just him but the entire Department
of Justice, they are caricatured.
And at the end of his testimony, he says: If you
don't believe me, let me tell you what you are doing; you plan to sacrifice
public safety entirely. I heard those words just a few minutes ago. It
makes me worry that there is something out of hand.
Bill Crowell from NSA is a wise man. He has
watched this go on for years. He is confident—and I am happy he
is—that the United States has the capability to intercept
communications in the role of providing information to make the government
work well, and decrypt it.
The FBI is pretty much backward in this, and what
has happened here is, they have become, I think the word was, not
frightened, alarmed. They suddenly discovered that when people talk to each
other, which is the basis for crime, it is tough to do crime without the
phone system; alligator clips don't work anymore because this phone system
puts your voice into little packets.
And it is not just encrypting the little packets
that is a problem; the little packets can go some to the left, some to the
right, some to Tulsa, some through Omaha. They reassemble themselves. You
can't get the entire transmission, so the engineering of the overall
communications systems of the world has bypassed the ability given to law
enforcement for 120 years of arriving with alligator clips and listening to
the bad guys.
Now we hear testimony that would have been a
shame to hear 5 years ago, and we are hearing it in 1997. So we have to do
something that moves us forward, and I think the rest of the panel will
address the thing that everyone that runs large computer systems must be
able to recover: If they lose the keys, how you find out where everybody's
address is.
We all support the ability, self-determined
ability, to be a systems administrator. The notion that we need to provide
keys for all transmissions, people sending stuff around the world, when you
can have each packet with a different key—oh, my, my, suddenly we are
restoring millions of packet keys. This doesn't seem to be in any way in
consonance with today's policy, so it seems doomed as a policy.
So with that short demo, I won't ask you to
download a file, although at the moment, when you download DES, be sure not
to send it back outside the country or you are in trouble.
Ms. ROS-LEHTINEN. Thank you so much.
Mr. Polanen.
STATEMENT OF HUMPHREY POLANEN, GENERAL MANAGER, NETWORK SECURITY PRODUCTS
GROUP, SUN MICROSYSTEMS INCORPORATED
Mr. POLANEN. Madam Chairman, thank you very
much.
It is a pleasure to be here and testify in front
of this Subcommittee.
I would request that the written statement which
you have before you is entered in its entirety.
Ms. ROS-LEHTINEN. Of course, without
objection.
Mr. POLANEN. Thank you very much.
I will limit my comments to some of the
highlights in representing the Computer and Communications Industry
Association, whose members employ over half a million people and generate
annual revenues in excess of $200 billion.
We also would like to endorse Mr. Goodlatte's
bill, and we believe that in principle it represents a viable and solid
solution to the conflict in the competing interests, policy interests, that
occur here.
We would like to say immediately at the outset
that industry really does not oppose having a voluntary key infrastructure
or a key recovery system. We believe that it is useful and possibly even
necessary to commercial interests. Our desire is, however, for market
forces and for customer requirements to drive those specifications and
those standards and for them not to be mandated by the government.
In addition, our concern is that you have seen how
easily some of these strong cryptography products and technologies are
already available, both within the United States as well as outside, and
our concern is that this industry and this competency in cryptography will
quickly move across our borders to other locales.
We are aware of a number of companies who are
either purchasing their strong cryptography requirements outside the United
States or are setting up facilities outside the United States where the
expertise which currently resides here will be developed and evolved
outside the United States. And we are concerned not only for the loss of
jobs that entails, but from a law enforcement and national security
perspective, it is important to recognize that as this center of excellence
and expertise moves abroad, the U.S. long-term interest in law enforcement
and national security will be significantly undermined. And we would urge
you to support Mr. Goodlatte, and this Subcommittee to support Mr.
Goodlatte's legislation.
I would comment very briefly that we believe that
the government's plan to control the export of strong cryptography does not
really lead to an effective policy of protecting the national security
interests, nor protecting the availability of this technology. As many
members have already commented, you can buy it easily today, you can import
it, you can buy it abroad, so by restricting exports, you are not really
accomplishing anything except the ability of our industry to take advantage
of the burgeoning market for strong cryptography which we believe will be
about $60 billion in only a few years, and we cannot play on a level
playing field with the proposed Administration's policy.
At this point, I would simply close by saying
that the river is not only rising, we believe that the dam has completely
broken and that because this technology is already freely available abroad,
there is simply no point in trying to restrict U.S. companies from taking
advantage of this growing market.
At the same time, if we are restricted from
competing abroad and on a global basis, not only do the consumers who have
a right to privacy and protection of their intellectual property lose, I
think U.S. national security interests and law enforcement interests also
lose long-term. And this was the conclusion of a finding of the study by
the National Research Council in which the NRC recommended against
restrictions of export of strong cryptography because those would be
against the long-term interests of U.S. national security requirements.
Thank you, and I will be available for
questions.
[The prepared statement of Mr. Polanen appears in
the appendix.]
Ms. ROS-LEHTINEN. Thank you so much.
Mr. Berman.
STATEMENT OF JERRY BERMAN, EXECUTIVE DIRECTOR, CENTER FOR DEMOCRACY AND
TECHNOLOGY
Mr. BERMAN. Thank you, Madam Chairman. And,
like other members of this panel, I want to express my gratitude to
Representative Goodlatte of this SAFE legislation. We are very, very
supportive of it.
As a civil liberties organization but an
organization that tries to work with the private sector and across the
political spectrum, I just want to take us back for a moment to a higher
level, which is, what is going on here in this debate is, we are really
talking about electronic commerce in this new environment. The world is
shifting in a fundamental way, and we are dealing with a new paradigm. It
is not the issue simply of selling cryptography overseas, it is whether
they can product transactions on this global communications network in a
secure way.
As other members of the panel,
representatives, have pointed out, we are putting all of our information on
this infrastructure. It is global, it is decentralized, and you have seen
John Gage taking us around the world; you are around the world
instantaneously. That means that we may be facing a point where we are
facing a paradigm shift and that our traditional ideas of how to protect
security and privacy in communications have to change. The traditional
balances between law enforcement and privacy may not be able to be struck
in this arena.
I do not see the debate as a debate between
security and privacy but a debate between two views of how we have security
on the Internet. It is, I think, instructive that the business community is
not coming to Congress and saying, in order for us to do business on the
Internet, we need more police. They are coming in and saying, law
enforcement is one thing, but if you want to protect us from the hackers,
the security, the financial transactions, our information that is on the
Net, we need encryption, we need technical means of protecting against
crime around the world, because law enforcement stops at the border.
Privacy advocates are saying the same thing from
the other side, which says the fourth amendment stops at our border. We
don't know how the fourth amendment will work in this global environment.
We could use unlimited encryption in the United States, but when we get out
on the information network, how are these systems going to work?
And when the government proposes key recovery
systems, I think it produces a considerable vulnerability. If we get to the
government's argument that we will have a key recovery system, if it was
voluntary, we could live with that. In fact, we think it is going to be
developed. But the government cannot say it will be a voluntary system and
not support your legislation.
The way to drive a voluntary system if the market
is going to develop would be to lift the controls, and if the market is
going to develop a key for access, it will.
Also, I would argue that if you wanted to make
other countries more cognizant of the law enforcement problem and figure
out ways to solve this problem, you would lift export controls so we could
deal with this encrypted communications network.
I think that we really have to look at
alternatives here. I really believe that the market will develop if we lift
export controls, that there will be key management issues, and that there
are alternatives to wiretapping for law enforcement to recover
information.
Thank you very much.
[The prepared statement of Mr. Berman appears in
the appendix.]
Ms. ROS-LEHTINEN. Thank you so much.
Mr. Parenty.
STATEMENT OF TOM PARENTY, DIRECTOR OF SECURITY, SYBASE CORPORATION
Mr. PARENTY. Thank you, Madam Chairwoman.
Thank you for the opportunity to speak with you this morning. Also I would
like to thank your Committee and Subcommittee for your continued and
continuing interest in this particular issue.
I am director of the data communications at Sybase
but am today speaking on behalf of the Business Software Alliance, which is
an association of U.S. software vendors which, in addition to Sybase,
includes such companies as Lotus, Novell, and Microsoft.
I would like to say at this point there is
unqualified support in the U.S. software industry for Congressman
Goodlatte's legislation, and we view this as an extraordinarily important
step forward in allowing the U.S. software industry to continue to compete
internationally.
In my written testimony I have focused on the
economic issues surrounding this issue because they directly affect the
software industry. However, in my comments today I would like to focus on a
couple of other issues.
One of the things that bothers me in this debate
is that people who advocate and support Congressman Goodlatte's position
are frequently characterized as in some sense being anti-American and
trying to endanger our country. That is not the case. Passage of the SAFE
legislation would enhance our national security, and it would promote
public safety. And I say this not as a representative of the software
industry but, rather, as a former employee of the National Security Agency
who learned about encryption there and more recently as an advisor to the
President's Commission on Critical Infrastructure Protection.
The broad use of cryptography in U.S.
software products is indispensable in protecting all of the infrastructures
upon which all of our lives depend.
The second point I would like to make is, it is
not the case by any stretch of the imagination that passage of this bill
would substantively inhibit law enforcement from the detection and
prosecution of criminals. On this point, I would like to address two
different scenarios.
In the case of smart criminals, or criminals
communicating among themselves, independent of anything the U.S. Government
does or is capable of doing, they will be able to wrap around their
communications and data strong encryption widely available today to make
them unavailable to U.S. law enforcement. There is nothing we can do about
it.
In the case of criminals communicating with
legitimate businesses, there is existing legislation with respect to search
warrants and things like that that would allow law enforcement agents with
proper authorization to be able to get access to data.
There is another category of criminals which law
enforcement representatives frequently refer to as dumb criminals, and for
those dumb criminals, law enforcement argues if we make encryption easy to
use, then they will use it, making prosecution more difficult.
My response to that is, dumb criminals are
precisely that, dumb, and regardless of whatever encryption they use, they
will continue to do things like renting hotels or Ryder trucks in their own
name or depositing money in banks that they robbed the previous day. They
will provide an ample trail for law enforcement to follow.
The final thought I would like to share with you
is that we are at a critical moment in the history of the U.S. software
industry. We currently have world domination; we have over 70 percent of
the market. We did this with: One, the innate creativity of Americans; and,
two, the ability to provide products that the world wants.
The primary benefit, or one of the many
benefits, of Representative Goodlatte's legislation is that it would remove
government impediments, thus allowing the U.S. software industry to
continue this trend of world dominance.
I would like to thank you for the opportunity to
make this statement.
[The prepared statement of Mr. Parenty appears in
the appendix.]
Ms. ROS-LEHTINEN. Thank you so much.
Mr. Walker.
STATEMENT OF STEPHEN T. WALKER, PRESIDENT AND CEO, CHAIRMAN OF THE BOARD,
DIRECTOR, TRUSTED INFORMATION SYSTEMS
Mr. WALKER. Thank you. I appreciate the
opportunity to speak to you again.
I was here 3 1/2 years ago when you had a hearing
on this same set of subjects. It is frustrating for a lot of us to be back
here again with the same arguments and the same demos.
Now, the Web wasn't as well established as now, so
they weren't quite as dramatic, but in fact we went to Finland 3 1/2 years
ago and picked up DES and demonstrated we could bring it in and, if we sent
it back, we would be violating the laws.
I was here then, and I argued at that point we are
right at the end of the Clipper debate. Clipper had been introduced by the
government as the answer to all of this: Strong cryptography, but the
government kept the key. The government established key escrow centers at
NIST and Treasury in order to keep the keys, so if they ever needed them,
all they had to do was go to their own people and pick it off. Everyone
hated that. It was a terrible situation and was totally rejected.
In fact, the legislation, back in the
1993–94 timeframe that Representative Cantwell and Senator Murray
introduced was very similar to the legislation that is here now. I sat here
and I testified also before Senator Leahy in May 1994 that government key
escrow was a very bad thing and we needed to do something else.
I walked the halls of this building and talked to
folks about that legislation, and I heard firsthand attacks on myself and
my own integrity as to the viability of it, treated as non-American. But I
also watched the battles that happened behind the scenes that brought that
legislation to its knees. It turned it into a survey of worldwide
cryptography.
A number of us following that concluded that this
was a no-win battle, there was going to be this struggle going on, and the
fact that we are here today is an indication that that struggle goes
on.
We began to look for an alternative. We began to
realize that companies and individuals who use encryption, encryption is
used to keep other people from reading your information, but if you lose
the keys, you are not going to be able to read it either. They are
effective.
So we concluded that if key recovery systems,
user-controlled key recovery systems, systems run by companies and
organizations for their own purposes, if they were to become widespread,
maybe we have a middle ground solution beginning to emerge.
We talked to folks at the NSA and FBI and
convinced them that if in fact they didn't promote the existence of
user-controlled key recovery, that in fact they would be up against totally
unbreakable encryption within 5 years and certainly within 50 years.
And as a result of pressure from—suggestions
from us and from others, the Administration has changed their policy in a
significant way. They are now granting the ability to export strong
encryption, the strongest encryption that you can get anywhere, so long as
there is a key recovery system involved, user-controlled key recovery
systems.
Now, unfortunately, a lot of people are
portraying this as just another version of Clipper, another extension of
Clipper. We have permission to export strong cryptography to Royal Dutch
Shell, the Netherlands, totally outside the United States running their own
key recovery center. We have dozens of other companies able to do that
around the world.
I want to not disagree with my fellow panelists
here but, in fact, indicate that there actually has been some dramatic
progress since 1993 and 1994. There is a middle-ground solution; there is a
chance to have the opportunity to make some progress here and to move on
and do our things with our lives. In fact, we find ourselves very much in
the same situation as we did in 1993 and 1994, and, unfortunately, I see
the forces at work that are going to cause these bills to come to the same
conclusion, that the Cantwell and Murray bill came to.
I believe a significant thing happened last
October. The Administration announced that you could export any
cryptography as long as it had a key recovery system. But another important
thing happened when the Key Recovery Alliance was created. Initially there
were 11 companies involved, IBM, DEC, Apple, HP, Sun, and others. That
Alliance has grown to 60 members. These people are not there to harangue
the government about export control. If these people agree that key
recovery is a good idea, and everybody is saying voluntary user-controlled
key recovery is a good idea, if it is a good idea, let's promote the
existence of that, and then without any change in any law, without
establishing any jurisdiction at all, the FBI can have access to key
recovery centers just as they have access to your computer or to your files
or papers through normal search warrant processes.
I believe that, in fact, we need to give this
industry-driven key recovery activity a chance to succeed. I believe we
should——
Ms. ROS-LEHTINEN. Thank you. Go ahead.
Mr. WALKER [continuing]. That we need, the
Congress should pass minimalist legislation that, in fact, defines, as some
people have talked about here, the liability and limitations on people that
hold keys, people that give out keys. I don't think we need to do radical
things or even semi-radical things.
The Administration's proposal to link key
recovery to the establishment of some public key infrastructure I think is
fundamentally wrong. It is not necessary. There are going to be lots of
public key infrastructures established. Key recovery in various forms can
work with any one of those. But I also believe it is not wise for us to try
to abolish export control, as was proposed 4 or 5 years ago. I believe that
is an unnecessary step and one that key recovery, user-controlled key
recovery, can in fact provide a middle-ground solution that can get us past
these battles. I hope we are not sitting here 4 or 8 years from now on the
same subject.
Ms. ROS-LEHTINEN. Thank you.
[The prepared statement of Mr. Walker appears in
the appendix.]
Ms. ROS-LEHTINEN. Mr. Gage, all this
high-tech talk, and still here it says ''low battery.''
Mr. GOODLATTE. Thank you, Madam
Chairman.
Mr. Walker, you supported the Cantwell
legislation——
Mr. WALKER. Yes, I did.
Mr. GOODLATTE [continuing]. Several years
ago.
This legislation is, if not identical, very, very
similar. It does not eliminate export controls, it simply says if the
foreign guy has the same product, why can't our folks offer the same
product without having to go through a clearinghouse, without having to
have a label, a stamp put on it that says: Hey, hey, we have gamed this
system. Where the foreign guy, these guys in West Germany and thousands
more like them around the world, they are going to say: Hey, nothing like
that on ours. You don't have to worry about who you trust. That is the
issue here.
The bottom line is, whom do you trust? Different
people trust different people. Some people trust our government; some
people trust other governments; governments don't trust each other. The
gentleman from California made a very good point. We are never going to
reach universal acceptance of this. Why not simply allow our companies to
go up and meet the foreign competition, which is all that my legislation
does and all the legislation you supported in the past has done? What would
change your mind about that?
Mr. WALKER. The same argument existed
here 4 years ago, that there were lots of foreign products out there. In
fact, my company has conducted a survey for the available cryptography for
4 years now. We have published our results on the Web. There is lots of
cryptography out there by little companies here and there.
Mr. GOODLATTE. Little companies tend to
become big companies. That is the history of Microsoft and others in the
business, and the way they do it is by perceiving an opportunity in the
market and exploiting that opportunity, and clearly the article we
introduced here was also posted on the computer projection. These folks are
doing just that; not just this group but many, many others. Why shouldn't
we be able to compete with them?
Mr. WALKER. I am not arguing that we
shouldn't. The situation is, somebody producing DES or PGP or whatever, PGP
has been around forever. It is growing in interest in the United States,
but it is not integrated into any of the products that you and I would buy
today. The fact that this——
Mr. GOODLATTE. But it should be. Something
like that should be available to allay the concerns that people have in
this country right now that Mr. Parenty addressed about the vulnerability
of our financial systems——
Mr. WALKER. No question about it.
Mr. GOODLATTE. Our electric generation
facilities and a whole host of other things that relate to the security of
this country or the right of privacy of individual Americans.
Why would we want to tie the hands of our software
companies and not allow them to go head to head with the foreign
competition, and why would you change your position from support of the
Cantwell bill, which is the model for my bill today?
Mr. WALKER. What I have tried to do is find
a space in the middle between those hard-liners on the national security
law enforcement side who will try to kill your bill and successfully killed
the predecessor of your bill before——
Mr. GOODLATTE. Let me give you an
example of how times have changed. We have 35 members of the House
Judiciary Committee; 24 of them have cosponsored this legislation. That is
the principal committee in the U.S. Congress for dealing with law
enforcement issues and has a long history of standing up and fighting
against crime and supporting law enforcement with the tools they need to
fight crime.
We have come to recognize that law enforcement is
behind the times. They have an Industrial Age solution to an Information
Age problem, and we have stepped up to the plate and said now is the time
to move this legislation forward and free up American companies to, one,
protect jobs and compete with the foreign competition, but, two, even more
importantly, get that heavily encrypted software into every home and every
business in America to prevent crime and fight crime. And that is why the
Judiciary Committee will support this legislation and why it will pass and
didn't pass a few years ago.
Mr. Parenty, let me ask you, could you briefly
explain the difference between the key management structure and the key
recovery or key escrow?
Mr. PARENTY. OK. That is something I am
glad you brought up, because in all of the discussions on the first panel
with respect to the need to trust somebody who issues keys, the need to be
able to have some mechanism for managing keys, that is quite true, and for
electronic commerce and general use of the Internet to succeed, that is an
absolute requirement, and that is something that there are a number of both
international and national standards bodies that are looking at
standardized, effective, secure ways of being able to issue and manage
keys.
That is entirely logically separate from, and can
be separated from, the whole issue of having a third party that keeps spare
copies or escrowed copies of keys. And in point of fact, the primary work
that is being done in the Internet arena for standardization of a public
key infrastructure is not addressing, because there is no pronounced demand
at the moment, the issues of incorporating into that infrastructure
mechanisms for third-party escrow agents.
Mr. GOODLATTE. Are you creating any
key recovery products now, and have you applied for an export license under
the new regulations?
Mr. PARENTY. Actually, we are now coming up
on the 2-month anniversary of Sybase submitting an application for export
under the new regulations in which we proposed a voluntary key recovery
mechanism that differed from the Administration's recommendation in two
ways, one of which is that the key recovery mechanism would only be for
stored data, not for communications, because that is the only kind of key
recovery for which we see a commercial demand; and, two, that there would
be no requirement for the customer to use any third-party escrow agent.
And we have had conversations with the Commerce
Department, who had questions from the FBI with respect to clarification.
In 2 days, it will be 2 months, and we have not received a formal response.
It is 2 months—it seems like 2 years, but no, it is 2 months, and
even if our application is approved, that does not in any way diminish the
need for legislation, because the set of conditions that are in place for
the issuance of the export license make it extraordinarily difficult for
not only my own software company to make business decisions, but also for
the whole host of companies downstream who build products upon our products
to be able to make business decisions.
Mr. GOODLATTE. And isn't it fair to say
that in your industry 2 months is like 2 years under some of the other lead
times necessary to develop products in other Industrial Age type of
industries? Things move very, very quickly in your field, do they not?
Mr. PARENTY. That is why there is now
coined the term, ''Internet time.''
Mr. GOODLATTE. Exactly. So when Mr. Reinsch
says the Department has not turned down any applications, that may well be
correct, but that doesn't solve the problem of the bottleneck that is going
to be far more severe. And what is the other alternative? They can take
that offshore and provide that same product somewhere else.
Mr. PARENTY. That is technologically
an alternative. However, the result will be a product whose quality,
integration and performance may not be as good as if we were able to do it
ourselves in the United States.
Mr. GOODLATTE. Currently, but as time
evolves that may change.
Mr. PARENTY. That is correct.
Mr. GOODLATTE. You found this very, very
interesting, because I thought my legislation was geared toward promoting
the use of encryption—one would logically want to make sure they knew
how to get into their own computer if they heavily encrypted the
information, whether that were a bank or medical concern or whatever, and
therefore some management of the keys, some system to recover those keys
and be able to get into the system, I presumed would be something that we
would want to promote along with my legislation.
But now we hear from the Administration that they
think that my legislation inhibits the development of key recovery or key
management. And I wonder if you would comment on that, any of the panel
members.
Mr. PARENTY. To begin with, the importance
of being able to have spare or extra keys for encrypted stored data is
indispensable for running a business; there is no question about that at
all. And a mechanism that allows for a corporation or individual to be able
to very conveniently keep spare copies of keys is an absolute requirement
for using cryptography. So independent of anything the government does,
there will be a move for key recovery that is voluntary and that pertains
to stored data.
Mr. GOODLATTE. And I would take it that
everybody on this panel, including Mr. Walker, strongly supports the
development of key recovery systems. Do any of you know anything in my
legislation that inhibits it?
Mr. Berman.
Mr. BERMAN. I know nothing in your
legislation. But I do want to make a point that the Administration draft
bill that is floating around on the Internet would inhibit the development
of voluntary key recovery systems. It is going to have just a
counterimpact, because while we say it is voluntary, I think when you dot
the I's and cross the T's, they are really talking about the
government-dominated key recovery system where 90 percent of their concerns
are ensuring access to keys by government agencies on an instantaneous
basis and not dealing with the real security problems that are created
every time you have third-party access guaranteed further and further away
from the end user.
So the government, while saying that this is
not a secure system to have key recovery unless we come in here is going to
have the adverse consequence and make people very leery of developing and
using such products.
Mr. WALKER. And let me say I agree that the
proposed legislation that was floated by whoever in the Administration,
which they apparently are now giving up on, it sounds like would have been
detrimental to this.
I am proposing exactly the same thing that Tom and
others are talking about, that we have voluntary user-controlled key
recovery. If that comes into place, then law enforcement, if they get a
search warrant, is going to be able to come in, look at your computer, look
at whatever information you have, and that is fine. We have search warrant;
we have wire tap legislation; that is fine; they don't need any more than
that. And if key recovery is going to become something that grows in the
industry—which we believe it will, the Administration believes it
will—I think we may have found the solution to this problem without
having to go through any more legislative process.
Maybe it is reasonable to pass your
bill——
Mr. GOODLATTE. If the Administration would
back off from severe export controls and back off from this effort to
impose what I would call mandatory, you may call it voluntary, but I think
the underlying effort is still to create a mandatory—I am glad to
hear them say they don't want it, because I think that is the first step
toward getting rid of that policy.
I hope we are all in agreement that my legislation
is designed to promote both the use of encryption and key recovery, and we
would welcome comments from anybody about efforts to make sure we are
promoting key recovery. We are very desirous of doing that.
Mr. GAGE. I am a member of the Federal
networking committee advisory committee, it is a group that advises the
Federal Government on what directions to take in all networks and all
institutions of the Federal Government, and we felt it necessary 2 weeks
ago to explicitly state that though it may be appropriate for national
policy to limit the deployment of Federal production systems—that is,
to keep things from moving out into the embassies or something—or
even control some private systems, you cannot constrain research or
experimentation on security or privacy technologies. Our point is to
prohibit the mandatory enforcement of key recovery mechanisms on those that
are evolving the way the Internet works.
And I just point out when Kasparov gave up a
draw to Big Blue, to Deep Think, the thing playing chess, the Internet chat
room came up with—I am sorry, Kasparov gave up, accepted defeat, when
it could have been a draw. And on the Internet, a group of people found the
pathway, the proper chess game that would have beaten Big Blue and forced a
draw. Kasparov hit his head and looked off into space, and somebody
watching him said, and he said that was all there was to it. The Internet
came up with a new solution that the world's chess champion and the best
chess playing computer couldn't come up with. We are watching that same
change in the Internet, and it is necessary that we not have an Assistant
Secretary Reinsch act as the gateway controlling all advancing
technology.
Mr. GOODLATTE. So competition is a good
thing here, in chess as well. I have to say that I am very supportive of
you, as you know, with this legislation, but in that match, I am on
Kasparov's side.
Madam Chairman, thank you very much.
Ms. ROS-LEHTINEN. Mr. Goodlatte, it was a
pleasure having you here. You are a welcome addition. You are welcome back
any time.
We have another hearing, I think, next week at
2:30 on another subject, but please come back. We welcome Mr. Luther.
Thank you to both sets of panelists and most
especially to our second set. And thank you, Mr. Gage, for your
demonstration. And we thank the audience for sticking around as well.
The Subcommittee is now adjourned.
[Whereupon, at 12:06 p.m., the Subcommittee was
adjourned.]
A P P E N D I X
Insert "The Official Committee record
contains additional material here."