Congressional Documents
39 006
105 th Congress
Rept. 105 108
HOUSE OF REPRESENTATIVES
1st Session
Part 1
SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT
May 22, 1997.--Ordered to be printed
Mr. Coble, from the Committee on the Judiciary, submitted the following
R E P O R T
together with
ADDITIONAL VIEW
[To accompany H.R. 695]
[Including cost estimate of the Congressional Budget Office]
The Committee on the Judiciary, to whom was referred the bill (H.R.
695) to amend title 18, United States Code, to affirm the rights of
United States persons to use and sell encryption and to relax export
controls on encryption, having considered the same, report favorably
thereon with an amendment and recommend that the bill as amended do
pass.
CONTENTS
The Amendment 2
Purpose and Summary 4
Background and Need for Legislation 5
I. Background 5
A. What is Encryption? 5
B. Issues in the Encryption Debate 5
1. Arguments Relating to the Domestic Use of Encryption 6
2. The Administration's Recent Initiative 6
3. Arguments Relating to Export Controls on Encryption Products 8
4. Recent Litigation 9
II. Need for Legislation 9
A. Sections 2 and 4--Domestic Use of Encryption 9
B. Section 3--Export Controls 10
Hearings 11
Committee Consideration 12
Vote of the Committee 12
Committee Oversight Findings 12
Committee on Government Reform and Oversight Findings 12
New Budget Authority and Tax Expenditures 12
Congressional Budget Office Estimate 12
Constitutional Authority Statement 14
Section-by-Section Analysis 15
Agency Views 17
Changes in Existing Law Made by the Bill, as Reported 19
Additional Views 24
The amendment is as follows:
Strike out all after the enacting clause and insert in lieu thereof the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Security and Freedom Through Encryption
(SAFE) Act''.
SEC. 2. SALE AND USE OF ENCRYPTION.
(a) In General.--Part I of title 18, United States Code, is amended
by inserting after chapter 123 the following new chapter:
``CHAPTER 125--ENCRYPTED WIRE AND ELECTRONIC INFORMATION
``2801. Definitions.
``2802. Freedom to use encryption.
``2803. Freedom to sell encryption.
``2804. Prohibition on mandatory key escrow.
``2805. Unlawful use of encryption in furtherance of a criminal act.
``2801. Definitions
``As used in this chapter--
``(1) the terms `person', `State', `wire communication', `electronic
communication', `investigative or law enforcement officer', and `judge
of competent jurisdiction' have the meanings given those terms in
section 2510 of this title;
``(2) the terms `encrypt' and `encryption' refer to the scrambling
of wire communications, electronic communications, or electronically
stored information, using mathematical formulas or algorithms in order
to preserve the confidentiality, integrity, or authenticity of, and
prevent unauthorized recipients from accessing or altering, such
communications or information;
``(3) the term `key' means the variable information used in a
mathematical formula, code, or algorithm, or any component thereof, used
to decrypt wire communications, electronic communications, or
electronically stored information, that has been encrypted; and
``(4) the term `United States person' means--
``(A) any United States citizen;
``(B) any other person organized under the laws of any State, the
District of Columbia, or any commonwealth, territory, or possession of
the United States; and
``(C) any person organized under the laws of any foreign country who
is owned or controlled by individuals or persons described in
subparagraphs (A) and (B).
``2802. Freedom to use encryption
``Subject to section 2805, it shall be lawful for any person within
any State, and for any United States person in a foreign country, to use
any encryption, regardless of the encryption algorithm selected,
encryption key length chosen, or implementation technique or medium
used.
``2803. Freedom to sell encryption
``Subject to section 2805, it shall be lawful for any person within
any State to sell in interstate commerce any encryption, regardless of
the encryption algorithm selected, encryption key length chosen, or
implementation technique or medium used.
``2804. Prohibition on mandatory key escrow
``(a) Prohibition.--No person in lawful possession of a key to
encrypted communications or information may be required by Federal or
State law to relinquish to another person control of that key.
``(b) Exception for Access for Law Enforcement Purposes.--Subsection
(a) shall not affect the authority of any investigative or law
enforcement officer, or any member of the intelligence community as
defined in section 3 of the National Security Act of 1947 (50 U.S.C.
401a), acting under any law in effect on the effective date of this
chapter, to gain access to encrypted communications or information.
``2805. Unlawful use of encryption in furtherance of a criminal act
``Any person who, in the commission of a felony under a criminal
statute of the United States, knowingly and willfully encrypts
incriminating communications or information relating to that felony with
the intent to conceal such communications or information for the purpose
of avoiding detection by law enforcement agencies or prosecution--
``(1) in the case of a first offense under this section, shall be
imprisoned for not more than 5 years, or fined in the amount set forth
in this title, or both; and
``(2) in the case of a second or subsequent offense under this
section, shall be imprisoned for not more than 10 years, or fined in the
amount set forth in this title, or both.''.
(b) Conforming Amendment.--The table of chapters for part I of title
18, United States Code, is amended by inserting after the item relating
to chapter 123 the following new item:
``125. Encrypted wire and electronic information
2801''.
SEC. 3. EXPORTS OF ENCRYPTION.
(a) Amendment to Export Administration Act of 1979.--Section 17 of
the Export Administration Act of 1979 (50 U.S.C. App. 2416) is amended
by adding at the end thereof the following new subsection:
``(g) Computers and Related Equipment.--
``(1) General rule.--Subject to paragraphs (2), (3), and (4), the
Secretary shall have exclusive authority to control exports of all
computer hardware, software, and technology for information security
(including encryption), except that which is specifically designed or
modified for military use, including command, control, and intelligence
applications.
``(2) Items not requiring licenses.--No validated license may be
required, except pursuant to the Trading With The Enemy Act or the
International Emergency Economic Powers Act (but only to the extent that
the authority of such Act is not exercised to extend controls imposed
under this Act), for the export or reexport of--
``(A) any software, including software with encryption capabilities--
``(i) that is generally available, as is, and is designed for
installation by the purchaser; or
``(ii) that is in the public domain for which copyright or other
protection is not available under title 17, United States Code, or that
is available to the public because it is generally accessible to the
interested public in any form; or
``(B) any computing device solely because it incorporates or employs
in any form software (including software with encryption capabilities)
exempted from any requirement for a validated license under subparagraph
(A).
``(3) Software with encryption capabilities.--The Secretary shall
authorize the export or reexport of software with encryption
capabilities for nonmilitary end uses in any country to which exports of
software of similar capability are permitted for use by financial
institutions not controlled in fact by United States persons, unless
there is substantial evidence that such software will be--
``(A) diverted to a military end use or an end use supporting
international terrorism;
``(B) modified for military or terrorist end use; or
``(C) reexported without any authorization by the United States that
may be required under this Act.
``(4) Hardware with encryption capabilities.--The Secretary shall
authorize the export or reexport of computer hardware with encryption
capabilities if the Secretary determines that a product offering
comparable security is commercially available outside the United States
from a foreign supplier, without effective restrictions.
``(5) Definitions.--As used in this subsection--
``(A) the term `encryption' means the scrambling of wire or
electronic information using mathematical formulas or algorithms in
order to preserve the confidentiality, integrity, or authenticity of,
and prevent unauthorized recipients from accessing or altering, such
information;
``(B) the term `generally available' means, in the case of software
(including software with encryption capabilities), software that is
offered for sale, license, or transfer to any person without
restriction, whether or not for consideration, including, but not
limited to, over-the-counter retail sales, mail order transactions,
phone order transactions, electronic distribution, or sale on approval;
``(C) the term `as is' means, in the case of software (including
software with encryption capabilities), a software program that is not
designed, developed, or tailored by the software publisher for specific
purchasers, except that such purchasers may supply certain installation
parameters needed by the software program to function properly with the
purchaser's system and may customize the software program by choosing
among options contained in the software program;
``(D) the term `is designed for installation by the purchaser'
means, in the case of software (including software with encryption
capabilities) that--
``(i) the software publisher intends for the purchaser (including
any licensee or transferee), who may not be the actual program user, to
install the software program on a computing device and has supplied the
necessary instructions to do so, except that the publisher may also
provide telephone help line services for software installation,
electronic transmission, or basic operations; and
``(ii) the software program is designed for installation by the
purchaser without further substantial support by the supplier;
``(E) the term `computing device' means a device which incorporates
one or more microprocessor-based central processing units that can
accept, store, process, or provide output of data; and
``(F) the term `computer hardware', when used in conjunction with
information security, includes, but is not limited to, computer systems,
equipment, application-specific assemblies, modules, and integrated
circuits.''.
(b) Continuation of Export Administration Act.--For purposes of
carrying out the amendment made by subsection (a), the Export
Administration Act of 1979 shall be deemed to be in effect.
SEC. 4. EFFECT ON LAW ENFORCEMENT ACTIVITIES.
(a) Collection of Information by Attorney General.--The Attorney
General shall compile, and maintain in classified form, data on the
instances in which encryption (as defined in section 2801 of title 18,
United States Code) has interfered with, impeded, or obstructed the
ability of the Department of Justice to enforce the criminal laws of the
United States.
(b) Availability of Information to the Congress.--The information
compiled under subsection (a), including an unclassified summary
thereof, shall be made available, upon request, to any Member of
Congress.
PURPOSE AND SUMMARY
The widespread use of strong encryption to encode digital
communications will prevent crime, economic espionage, and information
warfare. Unfortunately, our current encryption policy discourages the
use of encryption. H.R. 695, the ``Security And Freedom through
Encryption (SAFE) Act,'' makes a series of changes to U.S. encryption
policy which will facilitate the use of encryption.
Current policy does not restrict the domestic use, sale, or import of
encryption. Section 2 of H.R. 695 generally codifies that policy by
affirmatively prohibiting restrictions on the domestic use and sale of
encryption. It also prohibits any mandatory key escrow system, allowing
voluntary systems to develop in the marketplace, and provides criminal
penalties for the knowing and willful use of encryption to avoid
detection of other federal felonies.
At the same time, however, the export of strong encryption products
is tightly restricted under the export control laws. Section 3 of H.R.
695 significantly relaxes those export controls. In addition, section 4
requires that the Attorney General compile statistics on instances in
which these new policies may interfere with the enforcement of federal
criminal laws.
BACKGROUND AND NEED FOR THE LEGISLATION
I. Background
A. What is encryption?
Encryption is the process of encoding data or communications in a
form that only the intended recipient can understand. Until fairly
recently, society generally considered encryption to be the exclusive
domain of national security and law enforcement agencies. However, with
the advent of computers and digital electronic communications,
encryption's importance to persons and companies in the private sector
has increased because they want to transmit data securely. Many people
feel that the Internet has not succeeded as a commercial medium as well
as it might because those who want to use it do not feel the data
transmitted is secure. For example, people do not want to transmit their
credit card numbers when hackers may steal those numbers.
To understand the issues involved, one must understand some basic
terminology. In the digital world, data are communicated in a string of
ones and zeroes that computers understand, but the average person does
not. An encryption scheme converts ones to zeroes and zeroes to ones
according to an algorithm or mathematical formula. The intended
recipient knows the formula or ``key'' which he uses to decode the
encrypted data.
The complexity and quality of an encryption scheme determines how
difficult it is to break the code and therefore how well the scheme
protects the data. One factor determining the complexity of the
encryption scheme is the length of the key. The length of the key is
usually expressed as a number known as the ``bit length.'' A bit is one
digit in the key. A bit length of 40 is considered relatively weak,
whereas a bit length of 128 is considered very strong.
However, a bit length of 40 is not 3.2 times weaker than a bit
length of 128 because this is an exponential scale, not an arithmetic
one. A bit length of 40 has 2\40\ possible keys, whereas a bit length of
128 has 2\128\ possible keys. To give some practical sense of the
difference, one researcher estimated that a relatively inexpensive
computer attempting a ``brute force'' effort to decode--i.e. simply
trying all the mathematical possibilities--could on average decode a
40-bit scheme in a few seconds, whereas a 128-bit scheme would on
average take millions of years. Although there is no assurance that this
estimate is accurate, it does give a general sense of the exponential
differences in complexity that flow from an increase in bit length.
B. Issues in the encryption debate
The encryption debate encompasses two main issues. The first issue is
whether the domestic use and sale of encryption products should be
restricted, and in particular, whether domestic users should be required
to place their keys in escrow with the government or some other neutral
third party, e.g. an existing computer company or an entity created
solely for the purpose of holding keys. Current law does not have any
such restrictions.
The second issue is whether the export of encryption products should
be restricted. As discussed in more detail below, current law regulates
the export of encryption products under two statutes: (1) the Arms
Export Control Act (``AECA''), 22 U.S.C. 2751 et seq., and its
accompanying International Trafficking in Arms Regulations (``ITAR''),
22 C.F.R. 120 et seq., and (2) the Export Administration Act (``EAA''),
50 U.S.C. App. 2401 et seq., and its accompanying Export Administration
Regulations (``EAR''), 15 C.F.R. 730 et seq. Although the EAA expired in
1994, President Clinton kept its provisions in force by invoking his
powers under the International Emergency Economic Powers Act, 50 U.S.C.
1701 et seq. Executive Order 12924 (August 19, 1994); 59 Fed. Reg. 43437
(August 23, 1994).
1. Arguments relating to the domestic use of encryption
Law enforcement and national security agencies believe that they need
some form of key escrow system to maintain their ability to perform
legitimate wiretaps and to read computer data seized through lawful
means. They argue that widespread use of strong encryption without key
escrow would end the use of wiretapping as a tool for fighting crime.
For example, they argue that instances occur when law enforcement
agencies learn in the course of a wiretap that someone is about to
commit a serious crime. If strong encryption prevented a contemporaneous
understanding of this information, the agencies would not be able to
prevent the crime. Likewise, if strong encryption prevented the reading
of lawfully seized computer data, it could unreasonably delay criminal
investigations. They further argue that a key escrow system would have
the salutary side effect of providing a backup for those users who might
lose their keys. Although they contend that they only favor a voluntary
key escrow system, many believe that the use of export controls as
leverage to encourage the use of a key escrow system effectively amounts
to making such a system mandatory.
The computer industry, the American business community, and privacy
groups vehemently oppose any mandatory key escrow system. They argue
that a mandatory system would unnecessarily invade the privacy of users
and that the market should develop any voluntary key escrow system. They
believe that law enforcement can gain access to keys through traditional
means for obtaining evidence and that those with criminal intent will
not use key escrow products, thus defeating the purpose of the
Administration's policy. They argue that our law and tradition do not
require private citizens to take positive action to assist the
government in surveilling them in any other instance.
Moreover, they contend that private citizens should not be required
to give access to their most precious assets to anyone else regardless
of whether it is the government or a third party. In the digital age,
information is often the most valuable property that a company owns.
They further argue that the good that widespread use of encryption can
do in preventing crime far outweighs the harm done by the relatively few
instances in which the use of encryption hampers law enforcement.
2. The administration's recent initiative
Until last fall, the Administration treated encryption products as
munitions for export purposes. The State Department has jurisdiction
over the export of munitions under AECA and ITAR, and it had, as a
matter of practice, generally only allowed the export of encryption
products with bit lengths of 40 or less. The State Department treated
these relatively weak encryption products as non-defense products
subject to the jurisdiction of the Department of Commerce under the
Export Administration Act, 50 U.S.C. App. 2401 et seq. Beyond that
level, any export of encryption products required a special license.
On October 1, 1996, Vice President Gore announced the
Administration's intention to develop a new policy on the export of
encryption products. The Vice President's announcement stated in part:
Under this initiative, the export of 56-bit key length encryption
products will be permitted under a general license after one-time
review, and contingent upon industry commitments to build and market
future products that support key recovery. This policy will apply to
hardware and software products. The relaxation of controls will last up
to two years.
* * * * * * *
Exporters of 56-bit DES or equivalent encryption products would make
commitments to develop and sell products that support the key recovery
system that I announced in July. That vision presumes that a trusted
party (in some cases internal to the user's organization) would recover
the user's confidentiality key for the user or for law enforcement
officials acting under proper authority. Access to keys would be
provided in accordance with destination country policies and bilateral
understandings. No key length limits or algorithm restrictions will
apply to exported key recovery products.
* * * * * * *
Under the relaxation, six-month general export licenses will be
issued after one-time review, contingent on commitments from exporters
to explicit benchmarks and milestones for developing and incorporating
key recovery features into their products and services, and for building
the supporting infrastructure internationally. Initial approval will be
contingent on firms providing a plan for implementing key recovery. The
plan will explain in detail the steps the applicant will take to
develop, produce, distribute, and/or market encryption products with key
recovery features. The specific commitments will depend on the
applicant's line of business.
The government will renew the licenses for additional six-month
periods if milestones are met. Two years from now, the export of 56-bit
products that do not support key recovery will no longer be permitted.
Currently exportable 40-bit mass market software products will continue
to be exportable. We will continue to support financial institutions in
their efforts to assure the recovery of encrypted financial information.
Longer key lengths will continue to be approved for products dedicated
to the support of financial applications.
Statement of the Vice President dated October 1, 1996.
On November 15, 1996, President Clinton issued Executive Order
13026, 61 Fed. Reg. 58767 (November 19, 1996), and an accompanying
Presidential Memorandum which began the implementation of the policy
outlined in the October 1 statement. Among other things, the executive
order and the memorandum transferred all non-military encryption
products to the Commerce Control List, meaning that their licensing for
export would be overseen by the Department of Commerce under the EAA.
The order and memorandum also gave the Department of Justice a
significant voice in such licensing decisions.
On December 30, 1996, the Department of Commerce promulgated
regulations that implemented the new policy. 61 Fed. Reg. 68572
(December 30, 1996). Although the policy has only been in place for a
few months, much of the computer industry, particularly software
companies, have criticized it.
3. Arguments relating to export controls on encryption products
The Administration has to date opposed any lifting of export controls
beyond that in its recent initiative. It argues that the controls are
still effective and that our allies would dislike the negative effect on
law enforcement efforts if we lifted the controls. It also argues that
the lifting of the controls might not help business because other
countries would impose import controls. Finally, the Administration
argues that it is making efforts under its new policy to find ways to
relax the controls on a case by case basis.
The computer industry and the privacy groups argue that the
Administration ought to substantially relax, if not eliminate the
controls. They argue that wrongdoers can easily evade them because many
encryption products are available to anyone over the Internet. At least
one study estimated that at least 500 products are available worldwide.
They also argue that the controls are easily evaded because as a
practical matter, anyone can come into the United States, buy encryption
products, and take them out of the country with little risk of
detection. Because the controls are so easily evaded, they further argue
that the controls serve only to put American companies at a competitive
disadvantage and to discourage investment in the development of better
encryption products. If the situation does not change, they believe that
American companies will no longer dominate this field.
In addition, they contend that the Administration's new policy is a
backdoor attempt to force the domestic use of encryption with key
escrow. Under the policy, a company that wants both to sell encryption
products here and abroad must either make two versions of its product or
sell only a product that meets the export restrictions. They also
question whether the carrot and stick approach the new policy takes is a
legitimate and logical use of export controls. Current encryption
products of the 56-bit strength are either safe to export or they are
not--a company's compliance or noncompliance with the Administration's
directives regarding future products will not change that.
4. Recent litigation
Currently, at least two plaintiffs have ongoing lawsuits that
challenge the Administration's policies regarding encryption. In one
case, the United States District Court for the District of Columbia
ruled that the government's decision to designate an encryption product
as a munition, and therefore restrict its export, was not subject to
judicial review. Karn v. Department of State , 925 F.Supp. 1 (D.D.C.
1996) , remanded , 107 F.3d 923 (D.C. Cir. 1997). The Court further held
that the export restriction on the product was content neutral and
narrowly tailored, and therefore did not violate the First Amendment.
The United States Court of Appeals for the District of Columbia Circuit
recently remanded the case for further consideration in light of the
Administration's new policy, and the Committee understands that the
Court has not made a further decision. The plaintiff in the case, Philip
Karn, testified before the Subcommittee on Courts and Intellectual
Property at the March 20, 1997 hearing on H.R. 695.
In the other case, the United States District Court for the Northern
District of California ruled that the export restrictions on encryption
products were unconstitutional prior restraints on free speech because
they did not have adequate procedural safeguards. Bernstein v.
Department of State , 945 F.Supp. 1279 (N.D. Cal. 1996). The Committee
understands that this case is still before the District Court for
further consideration in light of the Administration's new policy.
II. Need for the Legislation
A. Sections 2 and 4--domestic use of encryption
The Committee believes that sections 2 and 4 of H.R. 695, as reported
by the Committee, will significantly aid the fight against crime. Both
sides of the debate agree that the use of strong encryption will help
users to prevent crimes before they happen. As we increasingly depend on
computers to control our national infrastructure, the danger of
information warfare and economic espionage also increase. The use of
strong encryption diminishes that terrifying prospect.
The affirmative statements in new sections 2802 and 2803 that it is
legal for persons in the United States and for United States persons
abroad to use, and for persons in the United States to sell, encryption
will encourage the use of encryption to fight crime. These sections only
state what the Committee understands to be existing law, and therefore
they should not worsen any law enforcement and national security
concerns. By making these affirmative statements of positive law, the
bill will prevent any reduction of the existing right to use or sell
encryption domestically by administrative action, state law, or other
means.
New section 2804 effectively prohibits the imposition of any
mandatory key escrow system. The Committee believes that Americans
should not be forced to surrender the keys to their data without proper
justification any more than they should be forced to surrender the keys
to their homes. The limited circumstances under which law enforcement
and national security officers may obtain access to the private spaces
of Americans have stood the test of time. They exist for good reasons
that are well understood by all. The advent of a new technology is not a
sufficient justification for diminishing these historic protections.
At the same time, however, new section 2804 preserves existing
authorities for law enforcement and national security officers to obtain
keys for legitimate purposes. Just as new technology should not take
away the longstanding rights of citizens against government, it also
should not take away the traditional means for legitimate law
enforcement and national security investigations. However, the Committee
does not believe that the advance of technology warrants a system of
forcing people to deposit their keys with any third party without proper
justification. Thus, new section 2804 prohibits any such system.
Despite the Committee's opposition to any mandatory key escrow
system, nothing in section 2804 should be construed to prevent or hinder
the development of a voluntary key escrow system if the market demands
it. Such a system may have many benefits so long as users are allowed to
choose freely whether to join. If enough users desire it, the Committee
believes that the market will develop it.
In addition to the preservation of existing law enforcement
authorities to obtain keys for legitimate purposes in new section 2804,
new section 2805 further aids law enforcement and national security by
making it a crime to avoid detection of another federal felony through
the knowing and willful use of encryption. This section gives the
government another tool with which to fight the misuse of encryption.
Section 4 requires the Attorney General to compile and make available
to Congress information on instances in which encryption interferes with
the enforcement of the federal criminal law. This requirement will
assist the Committee in determining whether to make any further changes
to encryption policy. It will also foster a continuing dialogue between
the Congress and the executive branch on these matters. Through all of
these means, the Committee believes that it has carefully balanced the
needs of law abiding citizens against those of the law enforcement and
national security agencies as to the matters within its jurisdiction.
B. Section 3--export controls
Section 3 of H.R. 695 significantly relaxes existing export controls
on encryption products. Because Section 3 amends the Export
Administration Act of 1979, it falls within the
jurisdiction of the House Committee on International
Relations. The International Relations Committee has been given a
secondary referral of H.R. 695 for consideration of Section 3.
For that reason, the Committee on the Judiciary did not address
Section 3 during its consideration of H.R. 695. However, the Committee
realizes that export controls must be addressed as part of any
comprehensive national encryption policy. The Committee believes that it
has carefully balanced the interests involved in the matters under its
jurisdiction. It stands ready to work with the Committee on
International Relations, the Administration, and all other interested
parties in an effort to develop a similar, but more comprehensive,
balancing of all the interests, including those relating to export
controls, as this legislation moves forward.
HEARINGS
The Committee's Subcommittee on Courts and Intellectual Property held
one day of hearings on H.R. 695 on March 20, 1997. The Subcommittee
received testimony from the following twelve witnesses: Hon. William
Reinsch, Under Secretary, Bureau of Export Administration, Department of
Commerce, Washington, D.C.; Hon. William Crowell, Deputy Director,
National Security Agency, Fort Meade, Maryland; Hon. Robert Litt, Deputy
Assistant Attorney General, Criminal Division, United States Department
of Justice, Washington, D.C.; Mrs. Phyllis Schlafly, President, Eagle
Forum, St. Louis, Missouri; Mr. Ira Rubinstein, Senior Corporate
Attorney, Microsoft Corporation, on behalf of the Business Software
Alliance; Ms. Roberta Katz, Senior Vice-President, General Counsel, and
Secretary, Netscape Communications Corporation, Mountain View,
California, on behalf of the Information Technology Association of
America and the Software Publishers Association; Mr. Jonathan Seybold,
Chairman of the Executive Committee and Director, Pretty Good Privacy,
Inc., San Mateo, California; Mr. Tom Morehouse, President and Chief
Executive Officer, SourceFile, Inc., Oakland, California; Mr. Grover
Norquist, President, Americans for Tax Reform, Washington, D.C.; Mr.
Philip Karn, Staff Engineer, Qualcomm, Inc., San Diego, California; Mr.
Marc Rotenberg, Director, Electronic Privacy Information Center,
Washington, D.C.; and Mr. Jerry Berman, Executive Director, Center for
Democracy and Technology, Washington, D.C. Two organizations submitted
additional material for the record.
In addition, Congressman Goodlatte introduced identical legislation,
H.R. 3011, in the 104th Congress. The full Committee held one day of
hearings on H.R. 3011 on September 25, 1996 (Serial No. 100). The
Committee received testimony from the following eight witnesses: Hon.
Bob Goodlatte, United States Representative, 6th District of Virginia;
Hon. Jamie Gorelick, Deputy Attorney General, United States Department
of Justice, Washington, D.C.; Hon. William Crowell, Deputy Director,
National Security Agency, Fort Meade, Maryland; Hon. William Reinsch,
Under Secretary, Bureau of Export Administration, Department of
Commerce, Washington, D.C.; Ms. Melinda Brown, Vice-President and
General Counsel, Lotus Development Corporation, Cambridge,
Massachusetts, on behalf of the Business Software Alliance; Ms. Roberta
Katz, Senior Vice-President, General Counsel, and Secretary, Netscape
Communications Corporation, Mountain View, California, on behalf of the
Information Technology Association of America and the Software
Publishers Association; Ms. Patricia Ripley, Managing Director, Bear
Stearns & Company, Inc., New York, New York; and Dr. Charles Deneka,
Senior Vice-President and Chief Technology Officer, Corning, Inc.,
Corning, New York, on behalf of the National Association of
Manufacturers. Two organizations submitted additional material for the
record.
COMMITTEE CONSIDERATION
On April 30, 1997, the Subcommittee on Courts and Intellectual
Property met in open session and ordered reported the bill H.R. 695
without amendment, by a voice vote, a quorum being present. On May 14,
1997, the Committee met in open session and ordered reported favorably
the bill H.R. 695 with a single amendment in the nature of a substitute,
by a voice vote, a quorum being present.
VOTE OF THE COMMITTEE
During their consideration of H.R. 695, the Committee and the
Subcommittee took no roll call votes.
COMMITTEE OVERSIGHT FINDINGS
In compliance with clause 2(l)(3)(A) of rule XI of the Rules of the
House of Representatives, the Committee reports that the findings and
recommendations of the Committee, based on oversight activities under
clause 2(b)(1) of rule X of the Rules of the House of Representatives,
are incorporated in the descriptive portions of this report.
COMMITTEE ON GOVERNMENT REFORM AND OVERSIGHT FINDINGS
No findings or recommendations of the Committee on Government Reform
and Oversight were received as referred to in clause 2(l)(3)(D) of rule
XI of the Rules of the House of Representatives.
NEW BUDGET AUTHORITY AND TAX EXPENDITURES
Clause 2(l)(3)(B) of House rule XI does not apply because this
legislation does not provide new budgetary authority or increased tax
expenditures.
CONGRESSIONAL BUDGET OFFICE COST ESTIMATE
In compliance with clause 2(l)(3)(C) of rule XI of the Rules of the
House of Representatives, the Committee sets forth, with respect to the
bill, H.R. 695, the following estimate and comparison prepared by the
Director of the Congressional Budget Office under section 403 of the
Congressional Budget Act of 1974:
U.S. Congress,
Congressional Budget Office,
Washington, DC, May 21, 1997.
Hon. Henry J. Hyde, Chairman, Committee on the Judiciary,
House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has prepared the
enclosed cost estimate for H.R. 695, the Security and Freedom Through
Encryption (SAFE) Act.
If you wish further details on this estimate, we will be pleased to
provide them. The CBO staff contacts are Rachel Forward (for federal
costs); Stephanie Weiner (for revenues); and Leo Lex (for the state and
local impact).
Sincerely,
James L. Blum
(For June E. O'Neill, Director).
Enclosure.
H.R. 695--Security and Freedom Through Encryption (SAFE) Act
Summary: H.R. 695 would allow individuals in the United States to use
and sell any form of encryption and would prohibit states or the federal
government from requiring individuals to relinquish the key to
encryption technologies to any third party. The bill also would prevent
the Bureau of Export Administration (BXA) in the Department of Commerce
from restricting the export of most nonmilitary encryption products.
H.R. 695 would establish criminal penalties and fines for the use of
encryption technologies to conceal incriminating information relating to
a felony from law enforcement officials. Finally, the bill would require
the Attorney General to maintain data on the instances in which
encryption impedes or obstructs the ability of the Department of Justice
(DOJ) to enforce the criminal laws.
Assuming appropriation of the necessary amounts, CBO estimates that
enacting this bill would result in additional discretionary spending of
between $1 million and $3 million over the 1998 2002 period of BXA and
DOJ. Spending by BXA and DOJ for activities required by H.R. 695 would
total between $5 million and $7 million over the next five years. By
comparison, CBO estimates that--under current policies--spending by BXA
for reviewing the export of nonmilitary encryption products would total
about $4.5 million over the same period. (Spending related to encryption
exports by DOJ is negligible under current law.) Enacting H.R. 695 also
would affect direct spending and receipts beginning in fiscal year 1998
through the imposition of criminal fines and the resulting spending from
the Crime Victims Fund. Therefore, pay-as-you-go procedures would apply.
CBO estimates, however, that the amounts of additional direct spending
or receipts would not be significant.
H.R. 695 contains no private-sector mandates as defined in the
Unfunded Mandates Reform Act of 1995 (UMRA). The bill would prohibit
states from requiring persons to make encryption keys available to
another person or entity. This prohibition would be an
intergovernmental mandate as defined in UMRA. However, states
would bear no costs as a result of the mandate because none currently
require the registration or availability of such keys.
Estimated cost to the Federal Government: Under current policy, BXA
would likely spend about $900,000 a year reviewing exports of encryption
products. Assuming appropriation of the necessary amounts, CBO estimates
that enacting H.R. 695 would lower BXA's encryption-related costs to
about $500,000 a year. In November 1996, the Administration issued an
executive order and memorandum that authorized BXA to control the export
of all nonmilitary encryption products. If H.R. 695 were enacted, BXA
would still be required to review requests to export most computer
hardware with encryption capabilities but would not be required to
review most requests to export computer software with encryption
capabilities. Thus, enacting H.R. 695 would reduce the costs to BXA to
control the exports of nonmilitary encryption products.
According to the DOJ, maintaining data on the instances in which
encryption impedes or obstructs the ability of the Department of Justice
to enforce the criminal laws could cost $1 million or more per year. The
cost of maintaining the data is difficult to ascertain because DOJ
believes that if H.R. 695 were enacted such instances would be numerous.
But the agency is uncertain as to how much it would cost to track such
classified information nationwide. For the purposes of this estimate,
CBO projects that maintaining the data would cost DOJ between $500,000
and $1 million a year, assuming appropriation of the necessary amounts.
CBO estimates that the collections of criminal fines for the use of
encryption technologies to conceal incriminating information relating to
a felony from law enforcement officials would not be significant.
The costs of this legislation fall within budget functions 370
(commerce and housing credit) and 750 (administration of justice).
Pay-as-you-go considerations: Section 25 of the Balanced Budget and
Deficit Control Act of 1985 sets up pay-as-you-go procedures for
legislation affecting direct spending or receipts through 1998. Enacting
H.R. 695 would affect direct spending and receipts through the
imposition of criminal fines for encrypting incriminating information
related to a felony. Collections from such fines are likely to be
negligible, however, because the federal government would probably not
pursue many cases under the bill. Any such collections would be recorded
in the budget as governmental receipts, or revenues. They would be
deposited in the Crime Victims Fund and spent the following year.
Because the increase in direct spending would be the same amount as the
amount of fines collected with a one-year lag, the additional direct
spending would also be negligible.
Estimated impact on State, local, and tribal governments: H.R. 695
would prohibit states from requiring persons to make encryption keys
available to another person or entity. This prohibition would be an
intergovernmental mandate as defined in UMRA. However, states would bear
no costs as the result of the mandate because none currently require the
registration or availability of such keys.
Estimated impact on the private sector: The bill would impose no new
private-sector mandates as defined in UMRA.
Estimate prepared by: Federal Costs: Rachel Forward--Revenues:
Stephanie Weiner--Impact on State, Local, and Tribal Governments: Leo
Lex.
Estimate approved by: Robert A. Sunshine, Deputy Assistant Director
for Budget Analysis.
CONSTITUTIONAL AUTHORITY STATEMENT
Pursuant to rule XI, clause 2(l)(4) of the Rules of the House of
Representatives, the Committee finds the authority for this legislation
in Article I, section 8 of the Constitution.
SECTION-BY-SECTION ANALYSIS
Section 1. Short Title. Section 1 provides that H.R. 695 may be
cited as the ``Security And Freedom through Encryption (SAFE) Act.''
Section 2. Sale and Use of Encryption. Subsection 2(a) of H.R. 695
creates a new chapter 122 in Title 18 of the United States Code. This
chapter 122 would include new sections 2801 05.
New section 2801 provides for definitions of terms to be used in the
chapter. Many of the definitions used are explicitly taken from the
definitions in the existing federal wiretap statute, 18 U.S.C. 2510 et
seq. During the Committee markup, Mr. Delahunt offered an amendment
making technical changes to these definitions to conform them more
closely with the existing definitions. The Delahunt amendment passed on
a voice vote.
New section 2802 affirmatively states that it is legal for any person
in the United States, or any United States person in a foreign country,
to use any form of encryption regardless of the algorithm, key length,
or technique used in the encryption. New section 2803 affirmatively
states that it is legal for any person in the United States to sell in
interstate commerce encryption products using any form of encryption
regardless of the algorithm, key length, or technique used. Some
business groups have expressed concern that new sections 2802 and 2803
might be construed to override their lawful policies for employee use of
their computer systems. The Committee does not intend for these sections
to be so read. The Committee intends that these sections should be read
as limitations on government power. They should not be read as
overriding otherwise lawful employer policies concerning employee use of
the employer's computer systems, nor as limiting the employer's
otherwise lawful means for remedying violations of those policies.
Thus, even though employees cannot be prosecuted for an offense of
unlawful encryption under Section 2802, employees may be prosecuted for
failing to return business property, unlawful appropriation, or
conversion. Consider, for example, the case in which an employer's
information management policy calls for company-wide deployment of key
recovery encryption, and a given employee refuses to comply, encrypting
instead without key recovery using some other system. In that instance,
the employer remains within his rights, under state statutory or common
law, to sue to obtain the needed key to recover the business
property--plans, designs, texts, databases, and the like--contained in
the computer or computers under the employee's control.
New section 2804 specifically prohibits requiring any person in
lawful possession of an encryption key to turn that key over to another
person. This section effectively prevents any form of mandatory key
escrow system. As introduced, this section provided an exception for law
enforcement personnel acting under any law in effect on the date of
enactment. At the Committee markup, Mr. McCollum offered an amendment
that expands the exception to include members of the intelligence
community as defined in section 3 of the National Security Act of 1947
(50 U.S.C. 401a). The McCollum amendment passed by a voice vote.
Finally, new section 2805 makes it a crime to use encryption
unlawfully in furtherance of some other crime. This new crime is
punishable by a sentence of 5 years for the first offense and 10 years
for a subsequent offense. The Delahunt amendment that made technical
changes to the definitions also changed the language of this section.
The Delahunt amendment clarified two points relating to this new crime:
(1) it applies only to the use of encryption to avoid detection of some
other federal felony, and (2) it applies only when the encryption is
knowingly and willfully used to avoid detection. In other words, this
crime cannot occur without the commission of some other federal felony,
and the use of encryption must be a deliberate attempt to avoid
detection of that felony. It may not be unknowing or accidental. As
noted above, the Delahunt amendment passed on a voice vote.
Subsection 2(b) of H.R. 695 provides for a conforming amendment to
the table of chapters in Title 18.
Section 3. Exports of Encryption. Subsection 3(a) of H.R. 695 amends
the Export Administration Act by creating a new subsection (g) to 50
U.S.C. App. 2416. New subsection (g)(1) would place all encryption
products, except those specifically designed or modified for military
use, under the jurisdiction of the Secretary of Commerce. New subsection
(g)(2) allows encryption software that is generally available or in the
public domain, like mass-market software products, to be exported
freely. New subsection (g)(3) requires the Secretary to allow other
encryption software to be exported unless there is substantial evidence
that it will be put to military or terrorist uses or that it will be
reexported without U.S. authorization.
New subsection (g)(4) requires the Secretary to allow the export of
hardware with encryption capabilities when the Commerce Department finds
that it is commercially available from foreign suppliers without
effective restrictions. New subsection (g)(5) provides definitions.
The Committee would like to clarify that with the ever increasing
incorporation of computer-like intelligence (including hardware and
software) into consumer products for the protection of privacy,
information security, and intellectual property interests, it intends
this legislation to cover all devices--whether traditional ``computing''
devices or ``convergent'' consumer products--that incorporate
encryption. Further, the applications covered by this legislation
include video, audio, and data communications systems. Hardware and
software containing encryption, such as encoders, decoders, and network
terminals, which are essential to protect the video signal, are
therefore included under section 3(a) of this Act. Video, audio, and
data communications systems containing encryption and decryption
capability are used by cable, satellite, and wireless delivery systems.
Subsection 3(b) of H.R. 695 provides that for purposes of carrying
out the amendment made by subsection 3(a), the Export Administration Act
shall be deemed to be in effect. This statement is necessary because
Congress allowed the Export Administration Act to lapse in 1994. To
date, it has not been renewed, and its policies have been continued by
executive order.
Section 4. Effect on Law Enforcement Activities. Section 4 was not
part of the bill as introduced. An amendment offered by Mr. Hutchinson
added this language to the bill. Subsection 4(a) requires the Attorney
General to compile information on instances in which encryption has
interfered with, impeded, or obstructed the ability of the Justice
Department to enforce federal criminal law and to maintain that
information in classified form. The Committee intends that information
compiled by the Attorney General pursuant to this section also include
instances in which encryption has prevented crimes from occurring,
especially in protecting national infrastructures and preventing
economic espionage (although not limited to those areas). Subsection
4(b) requires that the Attorney General shall make the information
compiled under subsection 4(a), including an unclassified summary,
available to Members of Congress upon request. The Hutchinson amendment
passed on a voice vote.
AGENCY VIEWS
U.S. Department of Justice,
Office of Legislative Affairs,
Washington, DC, April 30, 1997.
Hon. Howard Coble,
Chairman, Subcommittee on Courts and Intellectual Property,
Committee on the Judiciary, House of Representatives, Washington, DC.
Dear Mr. Chairman: Your Subcommittee will soon begin mark-up of H.R.
695, the ``Security and Freedom Through Encryption (SAFE) Act.''
Although the Department of Justice supports H.R. 695's overall goal of
promoting the wide dissemination of strong encryption, we believe that
the bill would severely compromise law enforcement's ability to protect
the American people from the threats posed by terrorists, organized
crime, child pornographers, drug cartels, financial predators, hostile
foreign intelligence agents, and other criminals. In addition, the bill
would greatly impair the government's ability to prosecute those crimes
when they do occur. We urge the Subcommittee to reject H.R. 695 in its
present form.
There is widespread agreement that strong encryption is essential to
the success of the emerging Global Information Infrastructure (GII).
Communications and data must be protected--both in transit and in
storage--if the GII is to be used for personal communications, financial
transactions, medical care, the development of new intellectual
property, and myriad other applications. Having recognized the
importance of encryption, we must ensure that its application is
consistent with the larger goals of society. One approach, that taken by
H.R. 695 advocates the proliferation of unbreakable encryption that
would not only protect commerce and privacy, but also unintentionally
protect criminals. A better approach, advocated by the Administration,
encourages the use of data recovery products that fully protect commerce
and privacy, but without sacrificing public safety and national
security.
Viewed in this light, the proposed legislation poses two major
problems for federal, state, and local law enforcement. First, it would
effectively eliminate all export controls on
strong encryption, thereby undermining public safety and
national security by encouraging the proliferation of unbreakable
encryption. Second, the bill discourages formation of a key management
infrastructure that addresses the needs of public safety, economic
security and privacy.
The elimination of export controls would adversely affect national
security and foreign policy interests and severely impair many law
enforcement efforts at the federal, state and local level. We have
heard, of course, the oft-repeated argument that the ``genie is already
out of the bottle''--that strong encryption is already widely available
overseas and over the Internet and that attempts to limit its spread are
futile, and serve only to handicap U.S. manufacturers seeking to sell
their encryption products overseas. In fact, this is not the case.
Although strong encryption products can be found overseas, these
products are not ubiquitous, in part because the export of strong
encryption is controlled by both the U.S. and other countries. It is
worth noting in this regard that export of encryption over the Internet,
like any other means of export, is restricted under U.S. law. Although
it is difficult to prevent completely encryption products from being
sent abroad over the Internet, we believe that the legal restrictions
will limit the use of the Internet as a means of evading export
controls.
In addition, the quality of encryption products offered abroad varies
greatly, with some encryption products not providing the levels of
protection advertised. Finally, the vast majority of businesses with a
serious need for strong encryption are not likely to rely on encryption
downloaded from the Internet from untested sources, but will prefer
instead to deal with known and reliable suppliers. For these reasons,
export controls continue to serve a critical function.
A few other factors are important to consider regarding export
controls. First, our allies strongly concur that unrestricted export of
encryption would severely hamper law enforcement objectives. It would be
a terrible irony if this government--which prides itself on its
leadership in fighting international crime--were to enact a law that
would jeopardize public safety and weaken law enforcement agencies
worldwide.
Second, critics of export controls have mistakenly assumed that the
lifting of export controls would result in unrestricted access to
markets abroad by U.S. companies. But this assumption ignores the likely
reaction of foreign governments to the elimination of U.S. export
controls. To date, most other countries have not needed to restrict
imports or domestic use of encryption, largely because export controls
in the U.S.--the
world leader in computer technology--and other countries have
made such restrictions unnecessary. But given other countries'
legitimate concerns about the potential worldwide proliferation of
unbreakable encryption products, we believe that many of those countries
would respond to any lifting of U.S. export controls by imposing import
controls, or by restricting use of strong encryption by their citizens.
France, Russia and Israel, for example, have already established
domestic restrictions on the import, manufacture, sale and use of
encryption products. In addition, a number of European Union countries
are moving towards the adoption of a key-recovery-based key management
infrastructure similar to that proposed by the Administration. In the
long run, then, U.S. companies might not be any better off if U.S.
export controls were lifted, but the would have undermined our
leadership role in fighting international crime and damaged our own
national security interests in the meantime.
We also oppose H.R. 695 because it would impede or prevent the
development of a key management infrastructure. The bill could be read
as prohibiting the United States government from using appropriate
incentives to support a key management infrastructure and key recovery.
Without such an infrastructure supporting key recovery, federal law
enforcement investigations will become far more difficult. The problems
that enactment of H.R. 695 would pose for state and local law
enforcement, which lack access to supercomputers, are even greater.
In law enforcement, quick action can save lives, reduce crime and
apprehend criminals. Criminals, therefore, rely on techniques that help
them slow or prevent law enforcement officers from detecting and solving
crimes and catching offenders. The passage of H.R. 695 could
unintentionally add a powerful new technique--unbreakable encryption--to
the collection of methods that criminals use to thwart law enforcement
and prey upon the residents of the United States. It is difficult enough
to fight crime without making criminals' tasks any easier.
The Subcommittee should approve a bill that encourages the
development of a key management infrastructure and key recovery system
coupled with responsible export controls. We look forward to working
with you in developing an approach to encryption that meets the dual
goals of maintaining law enforcement's ability to fight crime and
protecting the right to privacy within the burgeoning global information
infrastructure. We are hopeful that by working together we can create a
mutually acceptable national encryption policy. The Office of Management
and Budget has advised that there is no objection from the standpoint of
the Administration's program to the presentation of this report.
Sincerely,
Andrew Fois,
Assistant Attorney General.
CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
In compliance with clause 3 of rule XIII of the Rules of the House of
Representatives, changes in existing law made by the bill, as reported,
are shown as follows (new matter is printed in italic, and existing law
in which no change is proposed is shown in roman):
TITLE 18, UNITED STATES CODE
* * * * * * *
PART I--CRIMES
Chap.
Sec.
1. General provisions
1
* * * * * * *
125. Encrypted wire and electronic information
2801
* * * * * * *
CHAPTER 125--ENCRYPTED WIRE AND ELECTRONIC INFORMATION
2801. Definitions.
2802. Freedom to use encryption.
2803. Freedom to sell encryption.
2804. Prohibition on mandatory key escrow.
2805. Unlawful use of encryption in furtherance of a criminal act.
2801. Definitions
As used in this chapter--
(1) the terms ``person'', ``State'', ``wire communication'',
``electronic communication'', ``investigative or law enforcement
officer'', and ``judge of competent jurisdiction'' have the meanings
given those terms in section 2510 of this title;
(2) the terms ``encrypt'' and ``encryption'' refer to the scrambling
of wire communications, electronic communications, or electronically
stored information, using mathematical formulas or algorithms in order
to preserve the confidentiality, integrity, or authenticity of, and
prevent unauthorized recipients from accessing or altering, such
communications or information;
(3) the term ``key'' means the variable information used in a
mathematical formula, code, or algorithm, or any component thereof, used
to decrypt wire communications, electronic communications, or
electronically stored information, that has been encrypted; and
(4) the term ``United States person'' means--
(A) any United States citizen;
(B) any other person organized under the laws of any State, the
District of Columbia, or any commonwealth, territory, or possession of
the United States; and
(C) any person organized under the laws of any foreign country who
is owned or controlled by individuals or persons described in
subparagraphs (A) and (B).
2802. Freedom to use encryption
Subject to section 2805, it shall be lawful for any person within any
State, and for any United States person in a foreign country, to use any
encryption, regardless of the encryption algorithm selected, encryption
key length chosen, or implementation technique or medium used.
2803. Freedom to sell encryption
Subject to section 2805, it shall be lawful for any person within any
State to sell in interstate commerce any encryption, regardless of the
encryption algorithm selected, encryption key length chosen, or
implementation technique or medium used.
2804. Prohibition on mandatory key escrow
(a) Prohibition.--No person in lawful possession of a key to
encrypted communications or information may be required by Federal or
State law to relinquish to another person control of that key.
(b) Exception for Access for Law Enforcement Purposes.--Subsection
(a) shall not affect the authority of any investigative or law
enforcement officer, or any member of the intelligence community as
defined in section 3 of the National Security Act of 1947 (50 U.S.C.
401a), acting under any law in effect on the effective date of this
chapter, to gain access to encrypted communications or information.
2805. Unlawful use of encryption in furtherance of a criminal act
Any person who, in the commission of a felony under a criminal
statute of the United States, knowingly and willfully encrypts
incriminating communications or information relating to that felony with
the intent to conceal such communications or information for the purpose
of avoiding detection by law enforcement agencies or prosecution--
(1) in the case of a first offense under this section, shall be
imprisoned for not more than 5 years, or fined in the amount set forth
in this title, or both; and
(2) in the case of a second or subsequent offense under this
section, shall be imprisoned for not more than 10 years, or fined in the
amount set forth in this title, or both.
* * * * * * *
SECTION 17 OF THE EXPORT ADMINISTRATION ACT OF 1979
Sec. 17. (a) * * *
* * * * * * *
(g) Computers and Related Equipment.--
(1) General rule.--Subject to paragraphs (2), (3), and (4), the
Secretary shall have exclusive authority to control exports of all
computer hardware, software, and technology for information security
(including encryption), except that which is specifically designed or
modified for military use, including command, control, and intelligence
applications.
(2) Items not requiring licenses.--No validated license may be
required, except pursuant to the Trading With The Enemy Act or the
International Emergency Economic Powers Act (but only to the extent that
the authority of such Act is not exercised to extend controls imposed
under this Act), for the export or reexport of--
(A) any software, including software with encryption capabilities--
(i) that is generally available, as is, and is designed for
installation by the purchaser; or
(ii) that is in the public domain for which copyright or other
protection is not available under title 17, United States Code, or that
is available to the public because it is generally accessible to the
interested public in any form; or
(B) any computing device solely because it incorporates or employs
in any form software (including software with encryption capabilities)
exempted from any requirement for a validated license under subparagraph
(A).
(3) Software with encryption capabilities.--The Secretary shall
authorize the export or reexport of software with encryption
capabilities for nonmilitary end uses in any country to which exports of
software of similar capability are permitted for use by financial
institutions not controlled in fact by United States persons, unless
there is substantial evidence that such software will be--
(A) diverted to a military end use or an end use supporting
international terrorism;
(B) modified for military or terrorist end use; or
(C) reexported without any authorization by the United States that
may be required under this Act.
(4) Hardware with encryption capabilities.--The Secretary shall
authorize the export or reexport of computer hardware with encryption
capabilities if the Secretary determines that a product offering
comparable security is commercially available outside the United States
from a foreign supplier, without effective restrictions.
(5) Definitions.--As used in this subsection--
(A) the term ``encryption'' means the scrambling of wire or
electronic information using mathematical formulas or algorithms in
order to preserve the confidentiality, integrity, or authenticity of,
and prevent unauthorized recipients from accessing or altering, such
information;
(B) the term ``generally available'' means, in the case of software
(including software with encryption capabilities), software that is
offered for sale, license, or transfer to any person without
restriction, whether or not for consideration, including, but not
limited to, over-the-counter retail sales, mail order transactions,
phone order transactions, electronic distribution, or sale on approval;
(C) the term ``as is'' means, in the case of software (including
software with encryption capabilities), a software program that is not
designed, developed, or tailored by the software publisher for specific
purchasers, except that such purchasers may supply certain installation
parameters needed by the software program to function properly with the
purchaser's system and may customize the software program by choosing
among options contained in the software program;
(D) the term ``is designed for installation by the purchaser''
means, in the case of software (including software with encryption
capabilities) that--
(i) the software publisher intends for the purchaser (including any
licensee or transferee), who may not be the actual program user, to
install the software program on a computing device and has supplied the
necessary instructions to do so, except that the publisher may also
provide telephone help line services for software installation,
electronic transmission, or basic operations; and
(ii) the software program is designed for installation by the
purchaser without further substantial support by the supplier;
(E) the term ``computing device'' means a device which incorporates
one or more microprocessor-based central processing units that can
accept, store, process, or provide output of data; and
(F) the term ``computer hardware'', when used in conjunction with
information security, includes, but is not limited to, computer systems,
equipment, application-specific assemblies, modules, and integrated
circuits.
ADDITIONAL VIEWS OF HON. BOB GOODLATTE
H.R. 695, the Security And Freedom through Encryption (SAFE) Act of
1997, accomplishes three critical goals: preventing economic crime,
promoting electronic commerce, and protecting the personal privacy of
all law-abiding Americans. I am pleased that both the Courts and
Intellectual Property Subcommittee and the full Judiciary Committee have
approved this bipartisan legislation by voice vote. I would also like to
thank the lead cosponsor of the SAFE Act, Rep. Zoe Lofgren (D CA), for
her leadership. support, and dedication to this important issue.
The Administration's encryption policies are at odds with its stated
goals. For example, the Administration has stated in testimony before
both the House and Senate that it supports the widespread use of strong
encryption. However, the Administration continues to enforce antiquated
Cold War export restrictions that prevent the widespread use of strong
encryption.
The Department of Justice has been particularly hostile to H.R. 695,
even going so far as publicly stating that the bill would be devastating
to international law enforcement. As an example, just hours prior to
Subcommittee markup of H.R. 695 on April 30, 1997, the Department of
Justice circulated a letter to Judiciary Committee members opposing the
legislation. This letter contained a series of allegations which deserve
a response.
DOJ Claim: The bill ``discourages formation of a
key management infrastructure''.
Response: The SAFE Act takes no position on the
development of a key management infrastructure.
The term ``key management infrastructure'' refers to a system, yet to
be fully developed, that would allow Internet users to know with whom
they are communicating, to verify document signatures, and to identify
whether documents are tampered with or altered in transmission. Such a
system could partly operate through ``Certificate Authorities'', or
commercial entities that would certify, like digital notary publics,
that certain public keys are in fact the keys of particular individuals
or corporations.
Driven by user needs, the on-line world is developing such systems of
assurance without government intervention. The security and
effectiveness of these systems will be tested by the market.
Consequently, it is impossible to know at this point which systems will
succeed and which will fail--the intensely competitive global
marketplace will decide that question. Government bureaucracy and
regulation is neither necessary nor desirable.
Perhaps the greatest impediment to the development of a widespread
global key management infrastructure to date has been the
Administration's restrictive export policies. By preventing American
companies from exporting strong encryption, this Administration has
perpetuated a sense of uncertainty in the global market that has
discouraged these companies from developing commercial infrastructures.
Contrary to the Administration's claim, therefore, H.R. 695 would
actually promote development of' Certificate Authorities and key
management infrastructures in the best way possible, by removing
unwanted, unworkable, and unwise government bureaucracy and regulation.
A recent report issued by nine of the world's top cryptographers,
entitled ``The Risks of Key Recovery, Key Escrow, and Trusted Third
Party Encryption'', offers further evidence that various key escrow, key
recovery. and key management systems that have been proposed by the
Administration are neither feasible nor advisable. As stated In this
report:
Government key recovery proposals call for one of
the most ambitious and far-reaching deployments of the
information age. The field of cryptography has no experience
in deploying secure systems of this scope and complexity.* * *
Attempts to force the widespread adoption of key recovery
encryption through export controls, import or domestic use
regulations, or international standards should be considered
in light of these factors. The public must carefully consider
the costs and benefits of embracing government-access key
recovery before imposing the new security risks and spending
the huge investment required--potentially many billions of
dollars, in direct and indirect costs--to deploy a global key
recovery infrastructure.
The Administration has stated publicly that ``only industry can build
a robust and scalable key management infrastructure''. This report shows
quite clearly that proposals to establish global key management systems,
including incentives to use such systems, are at best premature. As
former British Prime Minister Margaret Thatcher aptly put it,
``Governments * * * are themselves `blind forces' blundering about in
the dark, and obstructing the operations of markets rather than
improving them.''
DOJ Claim: Strong encryption is not widely
available overseas, in part because of U.S. export controls.
Response: German, Dutch, Swedish, British, Russian
and other foreign manufacturers have created strong and
reliable encryption products that are available
internationally and on the Internet.
As evidence of this, the following excerpt is from a recent New York
Times article discussing the success of a German company, Brokat
Informationsysteme, which produces a 128-bit encryption program:
Far from hindering the spread of powerful
encryption programs * * * American policy has created a
bonanza for alert entrepreneurs outside the United States.
When America Online wanted to offer on-line banking and
shopping services in Europe, it turned to Brokat for the
software that encodes transactions and protects them from
hackers and on-line bandits. When Netscape Communications and
Microsoft wanted to sell Internet software to Germany's
biggest banks, they had to team up with Brokat to deliver the
security guarantees that the banks demanded.* * * Besides
America Online, Brokat's customers include more than 30 big
banking and financial institutions around Europe.
Perhaps a more vivid example of the folly of the Administration's
export restrictions is the recent announcement that Sun Microsystems,
one of the leading U.S. computer companies, will be entering into a
partnership with Elvis+, a Russian encryption manufacturer, to
distribute strong encryption worldwide. Since the U.S. has no import or
domestic controls on the use of non-key escrow encryption, Sun can
import the Russian product and distribute it domestically, while the
Russian company distributes the same product overseas. Therefore, U.S.
companies will now be able to securely communicate with their overseas
offices and subsidiaries without violating the export control laws.
The Sun announcement demonstrates three critical facts that reveal
the absurdity of arguments the Administration uses to defend its current
policies: (1) consumers are demanding strong encryption products to
protect their digital communications; (2) strong encryption products are
already available from foreign manufacturers, and reputable U.S. firms
are willing to stake their corporate reputations on the quality of those
products; and (3) the current export control scheme is taking jobs and
revenue away from our economy.
Additionally, many individuals and small businesses rely on the
Pretty Good Privacy encryption program, which is available on the
Internet worldwide. PGP is equivalent to 128-bit encryption, and has
been tested again and again. It is based on a public algorithm, so every
hacker, graduate student, and computer scientist in the world can try to
break it. None have succeeded.
DOJ Claim: If the U.S. were to relax its current
export controls on strong encryption, foreign governments
would respond by creating import controls on U.S. products and
thus those markets would not open to U.S. companies.
Response: The United States should not set its
export policies on the basis of actions that other countries
might take.
The U.S. government should not stand in the way of our industry's
ability to compete in the global marketplace--in fact, it should use any
resources available to help American companies succeed in global
markets. When foreign governments raise import barriers to keep out U.S.
products, they do so to allow their own industries to dominate the
marketplace. We should not allow ourselves to be fooled into believing
otherwise.
DOJ Claim: H.R. 695 would ``adversely affect
national security and foreign policy interests and severely
impair many law enforcement efforts at the federal, state, and
local level.''
Response: Strong encryption prevents crime.
Consider the findings of the National Research Council on the
use of strong encryption:
If cryptography can protect the trade secrets and
proprietary information of businesses and thereby reduce
economic espionage (which it can). it also supports in a most
important manner the job of law enforcement. If cryptography
can help protect nationally critical information systems and
networks against unauthorized penetration (which it can), it
also supports the national security of the United States.
When criminals talk to other criminals, they will always be able to
use strong encryption, with no mechanism for law enforcement access, to
protect their communications. The Administration's policy will not
prevent this, since it is not proposing direct domestic or import
controls on strong encryption, and cannot prevent foreign companies from
developing and distributing such products. However, when these criminals
communicate with legitimate organizations, such as banks, law
enforcement will always be able to obtain evidence from such
organizations via court order or grand jury subpoena. Therefore,
allowing law-abiding people to use strong encryption to protect
themselves, and allowing U.S. companies to fully compete in the global
marketplace, will not prevent law enforcement from pursuing and stopping
criminals.
It is truly ironic that law enforcement agencies would oppose
legislation that prevents crime. Unfortunately, it seems that the
Administration does not want to empower our citizens and our industries
to protect themselves in the Information Age. Just as dead-bolt locks
and alarm systems help people protect their houses against intruders,
thereby assisting law enforcement in preventing crime, strong encryption
allows people to protect their digital communications and computer
systems against criminal hackers and computer thieves.
The SAFE Act prevents crime, promotes commerce, and protects privacy.
Additionally, it allows the free market to design its own standards and
solutions for the development of global commerce, free from unwanted and
unworkable government regulation. This bipartisan legislation ensures
that all law-abiding Americans will be able to communicate and conduct
business securely in the Information Age.
Bob Goodlatte.
ADDITIONAL MINORITY VIEWS
We offer these additional views not to foment dissent but to
encourage dialogue with the Administration on the issues related to
encryption. We would like to work with federal law enforcement and
national security agencies to address their concerns.
We sympathize with the difficulties faced by investigative and
security agencies in combating crime, terrorism, and espionage. We
believe it is quite legitimate for the Administration to be concerned
about the uncertain impact that strong and ubiquitous encryption
products may have on law enforcement and national security agencies. We
realize that it may ultimately become impossible for government agencies
to decipher intercepted or retrieved data and communications that have,
by encryption, been transformed into a seemingly unintelligible form.
We recognize the days of cracking strong codes are nearly gone.
Unbreakable codes (256-bit key algorithms can generate more possible
solutions than there are particles in the known universe) are already
widely known. Private security experts and sophisticated hackers have
already realized this and are beginning to develop ways of attacking the
vulnerable points before and after the information is encrypted (i.e.,
on the sender's hard drive or at a ``good-guy'' recipient such as a
bank). We suspect that law enforcement and national security experts
within the government are acquiring similar capabilities. But these
alternative (and more subtle) approaches are not reflected in the
Administration's current public policy toward encryption.
The Administration's current encryption policy, a policy that runs
back at least to the Bush Administration, creates more problems than it
resolves. The policy is a combination of encryption export controls and
a key escrow system by which the key to the code encrypting the
information is to be held by a third party (so it may be made available
to the government).
We need to be honest about this situation. We don't expect most
narcotics traffickers, terrorists, or criminals to respect export
restrictions on encryption when they don't respect our underlying drugs
or weapons laws. And we don't generally expect anyone who employs
encryption in furtherance of a crime to readily give their keys to some
third party so they may be made available to the government.
The Administration maintains that there is a commercial need for key
recovery. While that may be true to some extent, there appears to be
little or no demand for the all-encompassing system they want to
mandate. Experts have uniformly concluded the government's proposed
system is either excessively costly and complex or insecure. In part,
this is true because the government seeks access to real-time
communications and data transmissions, rather than the ability to
recover stored data.
The Administration insists it doesn't want domestic restrictions on
encryption. We are concerned, however, that the Administration policy
does have this effect. Development of software programs, including those
utilizing encryption, occurs at an amazingly rapid pace, so it is not
feasible for computer software and hardware companies to develop
separate products for export and for domestic use. As a result, as a
practical matter, only products that are exportable, with weaker
encryption or with government-approved key recovery-escrow, can be
marketed at present.
We fear that current encryption policy, encouraging as it does weaker
encryption, makes every American more vulnerable to illicit or
surreptitious access to our computer files, our phone conversations, and
personal information, and thus exposes our citizens to hackers,
terrorists, and thieves. It is ironic that what is trumpeted as an aid
to law enforcement may instead
compromise individual and corporate security.
What we have here is not only a combination of export controls and a
key recovery system that does not work, we have a system that
compromises the competitiveness and security of this nation's software
and hardware industry, as well as our privacy rights. As conceded by
Administration witnesses, the proposed key recovery system can succeed
only as long as there is no non-conforming encryption software readily
available in the market. But there is already an abundance of such
software, some of it freeware, that is readily available over the
Internet.
The proposed key recovery system can not work unless the United
States persuades every other nation to adopt key recovery. We can safely
say we are unlikely to obtain the agreement of Libya, Iran, Iraq, or
North Korea. In addition, the efforts to date of David Aaron, U.S.
Ambassador to the Organization for Economic Cooperation and Development
(OECD), to obtain a consensus in support of key recovery resulted
instead in a consensus opposing it.
The Administration's policy has therefore been a strong market
incentive:
(a) for non-participants (in the Administration's key escrow
program) to make non-standard, secure encryption available, and
(b) for U.S. companies to set up abroad in ``encryption havens'' so
they may legally market strong, secure encryption products to customers
who decline to make their ``international key'' available to diverse
governments around the world.
There are already U.S. companies establishing ties with foreign
companies in Japan, Russia, and elsewhere.
Nor is this policy without its cost. It is estimated that, if the
U.S. persists in its current policy through the year 2000, we shall lose
200,000 jobs and $60 billion each year. This is what it will cost this
nation to lose the cryptography lead we enjoy and the competitive
expertise necessary to maintain our market position.
Unfortunately, our discussions to date with law enforcement and
intelligence agencies have not admitted of the possibility of any
further relaxation of export restrictions as part of the broader process
essential to resolving this complex question. Nor has the Administration
offered to consider alternatives to its key escrow or key recovery
system.
H.R. 695 need not be the end of the process but the beginning of a
real dialogue. This is what we would like to happen. We continue to
remain hopeful that the Administration will acknowledge the shortcomings
of its current policy and sincerely hope that this will happen soon lest
more serious damage be done to our industry, to our security and to our
privacy.
John Conyers, Jr.
Rick Boucher .
Zoe Lofgren .
Maxine Waters .
William Delahunt .
Martin T. Meehan .
|
NEWSLETTER
|
| Join the GlobalSecurity.org mailing list |
|
|
|
