[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]



 
                 ENCRYPTION SECURITY IN A HIGH TECH ERA

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                INTERNATIONAL ECONOMIC POLICY AND TRADE

                                 OF THE

                              COMMITTEE ON
                        INTERNATIONAL RELATIONS
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED SIXTH CONGRESS

                             FIRST SESSION

                               __________

                         TUESDAY, MAY 18, 1999

                               __________

                           Serial No. 106-108

                               __________

    Printed for the use of the Committee on International Relations







 Available via the World Wide Web: http://www.house.gov/international 
                               relations

                                 ______



                    U.S. GOVERNMENT PRINTING OFFICE
64-674 CC                   WASHINGTON : 2000




                  COMMITTEE ON INTERNATIONAL RELATIONS

                 BENJAMIN A. GILMAN, New York, Chairman
WILLIAM F. GOODLING, Pennsylvania    SAM GEJDENSON, Connecticut
JAMES A. LEACH, Iowa                 TOM LANTOS, California
HENRY J. HYDE, Illinois              HOWARD L. BERMAN, California
DOUG BEREUTER, Nebraska              GARY L. ACKERMAN, New York
CHRISTOPHER H. SMITH, New Jersey     ENI F.H. FALEOMAVAEGA, American 
DAN BURTON, Indiana                      Samoa
ELTON GALLEGLY, California           MATTHEW G. MARTINEZ, California
ILEANA ROS-LEHTINEN, Florida         DONALD M. PAYNE, New Jersey
CASS BALLENGER, North Carolina       ROBERT MENENDEZ, New Jersey
DANA ROHRABACHER, California         SHERROD BROWN, Ohio
DONALD A. MANZULLO, Illinois         CYNTHIA A. McKINNEY, Georgia
EDWARD R. ROYCE, California          ALCEE L. HASTINGS, Florida
PETER T. KING, New York              PAT DANNER, Missouri
STEVEN J. CHABOT, Ohio               EARL F. HILLIARD, Alabama
MARSHALL ``MARK'' SANFORD, South     BRAD SHERMAN, California
    Carolina                         ROBERT WEXLER, Florida
MATT SALMON, Arizona                 STEVEN R. ROTHMAN, New Jersey
AMO HOUGHTON, New York               JIM DAVIS, Florida
TOM CAMPBELL, California             EARL POMEROY, North Dakota
JOHN M. McHUGH, New York             WILLIAM D. DELAHUNT, Massachusetts
KEVIN BRADY, Texas                   GREGORY W. MEEKS, New York
RICHARD BURR, North Carolina         BARBARA LEE, California
PAUL E. GILLMOR, Ohio                JOSEPH CROWLEY, New York
GEORGE RADAVANOVICH, Califorina      JOSEPH M. HOEFFEL, Pennsylvania
JOHN COOKSEY, Louisiana
THOMAS G. TANCREDO, Colorado
                    Richard J. Garon, Chief of Staff
          Kathleen Bertelsen Moazed, Democratic Chief of Staff
                                 ------                                

        Subcommittee on International Economic Policy and Trade

                ILEANA ROS-LEHTINEN, Florida, Chairwoman
DONALD A. MANZULLO, Illinois         ROBERT MENENDEZ, New Jersey
STEVEN J. CHABOT, Ohio               PAT DANNER, Missouri
KEVIN BRADY, Texas                   EARL F. HILLIARD, Alabama
GEORGE RADANOVICH, California        BRAD SHERMAN, California
JOHN COOKSEY, Louisiana              STEVEN R. ROTHMAN, New Jersey
DOUG BEREUTER, Nebraska              WILLIAM D. DELAHUNT, Massachusetts
DANA ROHRABACHER, California         JOSEPH CROWLEY, New York
TOM CAMPBELL, California             JOSEPH M. HOEFFEL, Pennsylvania
RICHARD BURR, North Carolina
             Mauricio Tamargo, Subcommittee Staff Director
        Jodi Christiansen, Democratic Professional Staff Member
                Yleem Poblete, Professional Staff Member
                     Camilla Ruiz, Staff Associate





                            C O N T E N T S

                              ----------                              

                               WITNESSES

                                                                   Page

William Reinsch, Under Secretary of Commerce, Bureau of Export 
  Administration.................................................     9
Barbara McNamara, Deputy Director, National Security Agency......    11
Ron Lee, Assistant Attorney General, National Security, 
  Department of Justice..........................................    13
Gene Voegtlin, Esq., Legislative Counsel, International 
  Association of Chiefs of Police................................    15
Ira Rubinstein, Senior Corporate Attorney, Microsoft Corporation.    41
Jeffrey Smith, General Counsel, Americans for Computer Privacy...    43
David Weiss, Vice President of Product Marketing, CITRIX 
  Corporation....................................................    44
Alan Davidson, Staff Counsel, Center for Democracy and Technology    45
Dinah Pokempner, Deputy General Counsel, Human Rights Watch......    47
Ed Black, President and CEO, Computer and Communications Industry 
  Association....................................................    48





                 ENCRYPTION SECURITY IN A HIGH TECH ERA

                              ----------                              


                         Tuesday, May 18, 1999

                  House of Representatives,
             Subcommittee on International Economic
                                          Policy and Trade,
                              Committee on International Relations,
        Washington, D.C.
    The Subcommittee met, pursuant to notice at 2:15 p.m., in 
room 2172, Rayburn House Office Building, Hon. Ileana Ros-
Lehtinen [Chairwoman of the Subcommittee] presiding.
    Ms. Ros-Lehtinen. [presiding] The Subcommittee will come to 
order.
    I apologize for arriving late. I had to give a brief remark 
on a luncheon that Congressman Menendez, Mr. Gilman, and I are 
hosting for Cuban political prisoners tomorrow. So I hope that 
all of you could join us in room 2200 at 1 p.m. So I was 
speaking on the Floor and I was unavoidably delayed. Thank you 
so much for your patience and I apologize especially to my 
Ranking Member.
    Someone once said I used to think that cyberspace was 50 
years away. What I thought was 50 years away was only 10 years 
away. What I thought was 10 years away, it was already here, I 
just wasn't aware of it yet. This applies to the debate today 
on encryption where it seems our policy is trying to play a 
game of catch up with our technological advancements.
    The Internet has rapidly expanded as a form in which to 
conduct business transactions, and millions of messages are 
transferred in a matter of seconds across oceans and 
continents, over barriers of languages and culture. Information 
that used to take hours to transfer can now be sent in a matter 
of seconds. Contracts are completed in minutes. Mergers in what 
seems instantaneously. In an increasingly diverse and 
globalized marketplace, the availability and efficiency of 
electronic businesses is becoming more appealing for companies 
hoping to keep a competitive advantage in international trade, 
maintaining their dominance in or seeking to capture the market 
of brain-power industries.
    As these types of information transfers become more common, 
fear has emerged about their security and about the 
interception of messages and transactions by those who seek to 
steal or sabotage. Technology to prevent these types of 
invasions and violations of personal, corporate, and government 
security by encoding digital information already exists. It is 
what we call encryption. A need for commercial encryption 
rapidly developed with the growth of the global economy and, 
with it, so did concerns over exporting this technology to our 
overseas counterparts. The business community, the 
Administration, and law enforcement entities have been at odds 
as to how to best promote American technological products 
abroad while ensuring that our security, both national and 
economic, are not threatened by the export of American-designed 
encryption products.
    The Administration has stated its concerns about possible 
threats to U.S. national security and to public safety, which 
they feel would arise if criminals and terrorists were to use 
encryption that the U.S. Government could not penetrate. They 
fear that if there were no export controls on encryption and no 
key recovery features on the products we sell in overseas 
markets, it would further complicate and impede law enforcement 
efforts at tracking down terrorists or other criminals who use 
computers in their efforts to promote violent terrorist acts or 
who commit economic sabotage.
    Opponents of the Administration's view argue that export 
controls cannot prevent access to strong non key recovery 
encryption by criminals because it is widely available 
elsewhere, including over the Internet where it can be easily 
downloaded from foreign company sites. They add that the one 
thing these controls are ensuring is U.S. companies losing 
market shares to foreign competitors. Currently, there are no 
statutory restrictions on the domestic use of encryption, but 
the industry argues that restrictive export controls have 
hampered technological development and will continue to thwart 
U.S. efforts until American companies will lose their current 
technological dominance. There is a need for strong encryption 
for domestic use and cross-border communications and 
transactions.
    While the Administration argues that it has continued to 
promote stronger encryption products of greater than 56 bits, 
it has done so under the condition that these be designed with 
key recovery features where a third-party would have access to 
a key to decrypt the information. Further, the Administration's 
decision to liberalize exports for certain industries ignores 
the security needs of other sectors left unprotected by current 
restrictions.
    Privacy advocates contend that the Administration has been 
utilizing the export control process to influence whether 
companies developed key recovery encryption products by 
facilitating the exportation of these products and making it 
more difficult to export unrecoverable encryption products. 
They further state that the national security arguments fail 
any test of logic that strong encryption serves as a deterrent 
to criminal activity by making it difficult for those who 
engage in espionage to penetrate the system.
    Aside from the fact that all parties agree about the 
important role of encryption in electronic commerce, little 
consensus has been reached on the issue of export controls. The 
SAFE Act is one of the several legislative attempts at 
codifying existing domestic use policy and at liberalizing U.S. 
export control regulations to compete successfully in the 
global arena. This will be one of the issues we hope to cover 
today as we attempt to debate the future of encryption and the 
effects of controls on our technological market.
    I would like to recognize our Ranking Member, Mr. Menendez 
of New Jersey for his opening statement. Mr. Menendez.
    Mr. Menendez. Thank you, Madam Chair Lady, and I am happy 
to see that we are having this hearing which I think is an 
incredibly important one the Committee has jurisdiction over, 
and one that I think is going to be a part of making sure, 
along with the Export Administration Act and a few other issues 
that this Committee has jurisdiction in, that continues to fuel 
America's competitiveness in the future. The decisions that we 
make are going to affect American industry and American 
competitiveness in this new millennium.
    Now anyone who has been on the Internet and purchased a 
book from Amazon.com or ordered an airline ticket online is 
familiar with encryption technology. In the information age, 
encryption technology is like a Wells Fargo truck. It keeps 
your information under lock and key and delivers it only to its 
intended end-user. Encryption technology is crucial to the 
development of electronic commerce, which is growing by leaps 
and bounds. According to Under Secretary Reinsch's testimony, 
electronic commerce transactions in 1996 were $12 million, but 
are projected to reach $2.1 billion by the year 2000.
    So I think we need to be clear, from the very outset, that 
the encryption debate is not about who does and who does not 
support our national security interests. None of us who support 
moving encryption technology forward believe that we would do 
anything to risk the national security of the United States. I 
do not care for those who would suggest that, in fact, we do. 
No one is advocating a policy that would intentionally 
compromise U.S. national security or the safety of American 
citizens. The encryption debate is more about whether or not it 
is too late for the U.S. Government and law enforcement to 
control the spread of non key recovery encryption products in 
the U.S. and abroad.
    Clearly, we should consider the value of controlling only 
the strongest encryption technologies. However, the value of 
controlling anything over 56-bit technology when 128-bit 
technology can be downloaded from the Internet, is 
questionable. American industry is rightly concerned about 
losing market shares to foreign competitors who have no 
restrictions on their products. We can be certain that if the 
United States cannot offer non key recovery encryption 
technology overseas, that consumers will buy it from the 
French, Japanese, and Israeli companies who are making similar 
products. Or from American companies who establish companies 
overseas, produce the intellectual property there, and that 
ultimately means job losses here at home as well as revenue 
losses here at home.
    Now the goal of the FBI, NSA, and law enforcement agencies 
is well-founded. The key recovery system would ensure that they 
have access to the requisite data to snag criminals or track 
suspected criminal activities. Yet the proliferation of non key 
recovery technology within the United States and abroad and the 
rapid speed at which this industry is developing leads me to 
believe that the Administration's policy is too little, too 
late.
    I look forward to hearing the testimony of our witnesses, 
in particular, the representatives from the FBI and NSA. I 
would very much like to hear your views on current policy and 
your concerns with the Goodlatte legislation. I will do so with 
an open mind, but I believe we cannot turn back the clock as we 
move forward into a new millennium. Thank you, Madam 
Chairwoman.
    Ms. Ros-Lehtinen. Thank you so much, Mr. Menendez. We are 
thrilled to have the Chairman of our Committee, Congressman Ben 
Gilman of New York, join us. It shows the high level of 
importance that he gives to this issue of encryption. Welcome, 
Mr. Gilman.
    Mr. Gilman. Thank you, Madam chairman. I want to thank you 
for arranging this hearing with these experts who are all 
prepared to testify before us today. You certainly have a good 
cross-section of views assembled. I welcome this opportunity to 
attend this very important hearing on security in the high-tech 
era and on the Security and Freedom through Encryption Act, the 
SAFE Act, H.R. 850, sponsored by the gentleman from Virginia, 
Mr. Goodlatte, and the gentle lady from California, Ms. 
Lofgren.
    I am pleased that the witnesses before us today come from a 
broad cross-section of the law enforcement community, export 
control and intelligence agencies, human rights and privacy 
advocates, and the private sector representatives. I would like 
to compliment you, Madam Chair, for your holding this hearing 
at this time and taking a leading role on this vitally 
important issue.
    I would like to remind my colleagues that on Thursday of 
this week at 9 a.m., the Chairman of the Intelligence 
Committee, Mr. Porter, and I will be co-hosting a members-only 
classified briefing on the implications of decontrolling the 
export of encryption products. I urge our colleagues on this 
Committee to attend if they would like to have a full 
perspective on the national security and intelligence aspects 
of the encryption issue.
    In my view, before we begin the process of making sweeping 
changes in our export control laws, Congress should avail 
itself of all the information we can obtain in all venues 
available to us. With the United States participating in a 
NATO-led military operation against Serbia, we should be doubly 
cautious in this respect because of the possibility of 
terrorist attacks on our interests. I am very concerned that 
the enactment of a SAFE Act would make strong encryption all 
the more available to our adversaries and would undermine 
international efforts to modernize and improve multilateral 
export controls under the Wassenaar arrangement.
    I draw the attention of the Subcommittee Members to the 
recent statement of the International Association of the Chiefs 
of Police. ``Unchecked proliferation of encryption technology 
poses an enormous danger to both law enforcement and to society 
as a whole.'' In a May 12th letter that we received from B'nai 
Brith International, its president Richard Heideman noted 
that--and I quote--``Unlimited proliferation of nonrecoverable 
encryption products may result in their use by terrorist 
groups, by narcotics traffickers, by members of organized 
crime, and other dangerous criminals to the detriment of our 
Nation's national security and public safety.'' Mr. Heideman 
concluded that his organization has strong reservations about 
the Security and Freedom through Encryption Act and urges that 
Congress maintain meaningful export safeguards.
    Unlimited proliferation of this technology only makes the 
street-corner drug dealer further immune from the consequences 
of his and others' actions. The drug trade costs us billions 
each year in crime, in health care costs, lost worker 
productivity, destroyed families, and lost young lives. Let us 
not contribute to that carnage under the guise of greater trade 
and commerce.
    For those who say that this encryption technology is 
already readily available abroad, they often fail to remind you 
that foreign governments, in most cases, have also retained the 
right to access in protection of their national security 
interests. Those governments are not naive, nor should we be. 
While we are still waiting for the final version of the Cox 
report on high-tech exports to China, many of their 
recommendations are already public. Among them are concrete 
suggestions on how to strengthen the successor regime of the 
Cold War COCOM export system. Its modern-day equivalent, the 
so-called Wassenaar arrangement has just agreed to modernize 
our multilateral encryption export control system, yet the 
enactment of the SAFE Act would undercut that arrangement and 
the findings of the Cox report.
    Accordingly, I urge my colleagues not to rush to judgment 
on an issue such as this which directly affects our national 
security and our law enforcement needs. I thank the gentle lady 
for recognizing me.
    Ms. Ros-Lehtinen. Thank you so much, Chairman Gilman. Mr. 
Delahunt.
    Mr. Delahunt. I thank you, Madam. I just would welcome my 
colleague from the Judiciary Committee and acknowledge the 
presence of Mr. Goodlatte, one of the primary sponsors. I want 
to personally welcome him.
    Ms. Ros-Lehtinen. Thank you, Mr. Delahunt. Mr. Bereuter.
    Mr. Bereuter. Madam Chairman, it is an important hearing 
today. I have been following this issue for quite some period 
of time now. I agree with many of the comments made by Chairman 
Gilman. We do need to be concerned about the implications for 
law enforcement and national security and a lot of the best 
information we have in the way of documentation of its 
importance is classified. On the other hand, we need to make 
sure that we do in the way we control things does not have an 
unnecessary anti-competitive factor which is brought to bear. 
So I will say nothing further, but look forward to the 
testimony of two large and important groups of panelists.
    Ms. Ros-Lehtinen. Thank you, Doug. The sponsor of the bill, 
Mr. Goodlatte. We are honored to have you with us today.
    Mr. Goodlatte. Madam Chairman, first let me thank you for 
holding this hearing and for being very gracious in allowing 
me, a non-Member of the Committee, to participate. I would also 
like to thank the Ranking Member, Mr. Menendez, and Chairman 
Gilman for their participation in this and for allowing me to 
participate as well.
    I do have a statement that I would ask to be made a part of 
the record.
    Ms. Ros-Lehtinen. Without objection.
    [The information referred to appears in the appendix.]
    Mr. Goodlatte. I also have an article written by 
Congressman Chris Cox, the Chairman of the Cox Commission, who 
advocates a strong export policy with regard to exporting 
encryption, making it more available, entitled ``China: Export 
of Technology Would be Liberating Force,'' in which he 
advocates the export of strong encryption.
    Madam Chairman, this much-needed bipartisan legislation 
currently has 253 cosponsors, about 110 Democrats, about 140 
Republicans; a majority of the Republican and Democratic 
leadership in the House are cosponsors as are two-thirds of the 
Members of the International Relations Committee and all but 4 
Members of this Subcommittee, and it accomplishes several 
important goals. First and foremost, strong encryption in the 
hands of the good guys, if you will, helps to prevent a number 
of the concerns that have been raised by some of the Members of 
the Committee, which are legitimate concerns by law enforcement 
and national security, but making sure that we have strong 
encryption to protect e-mail, medical records, financial 
transactions, copyrighted material, industrial trade secrets, 
and a whole host of other areas, as well as preventing major 
terrorist and criminal activities such as breaking into the New 
York Stock Exchange or the Chicago Board of Trade or a nuclear 
power plant or the electric power grid of the United States are 
all very positive purposes that are hindered by a policy that 
discourages the use of strong encryption and which is the 
policy that we have today.
    The gentleman from New Jersey mentioned the use of 
encryption by companies like Amazon.com and others who do 
business on the Internet. Amazon.com cannot use the 128-bit 
strong encryption that they use for domestic sales 
internationally, unless they acquire it from a foreign vendor. 
This, to me, seems to be a ludicrous consequence of the policy 
that we currently confront in this country.
    I'll give you another personal experience that I came 
across recently when I led a congressional delegation to Europe 
to deal with electronic commerce issues. In Brussels, in 
meeting with the deputy chief of the U.S. mission there, he 
indicated to me that he has worked with the National Security 
Agency and the FBI and other agencies on a regular basis on 
issues like this. But his own personal experience colored his 
view of the need for significant change in our export control 
laws when he told me that he bought a $2,000 computer system 
which was shipped to him from the United States and he then 
received a phone call from the company that sold it to him 
telling him they could not send him the software because it 
violated American export control laws. So he went down the 
street to a little shop in Brussels and purchased the software 
that he needed there.
    Today there are more than 20 significant strong companies 
in Europe creating encryption software that are major 
competitors to the United States that did not exist just a few 
years ago. What we are confronted with is a circumstance in 
which we are already beginning to see significant erosion in 
the U.S. dominance of the software and hardware computer 
industry because of the fact that most major software and 
hardware today has strong encryption built into it, and if you 
can't export it out of the United States, you are better off 
dealing with a company overseas because if you are, for 
example, a company with branches in London, Paris, Tokyo, New 
York, and San Francisco, you can buy these products 
domestically--there is no limitation on the domestic use of 
strong encryption--and use them in your New York and San 
Francisco offices, but you can't send them to your London, 
Paris, and Tokyo office.
    However, if you buy it from a German company, to use an 
example, there are no import restrictions on strong encryption. 
So you can import the German products, use it at your New York 
and San Francisco offices and also send it to your London, 
Paris, and Tokyo offices. This is the crux of the problem that 
we have in not facing up to the fact that encryption is not 
like other items that are strongly suitable for export 
controls.
    Bombs, jets, mainframe computers are all products that are 
manufactured in a few places, sent to a few places, and the 
export of the products from this country can be a choke hold on 
making sure they don't go to inappropriate places. But 
encryption is not a tangible thing. It is a mathematical 
algorithm. It is little ones and zeros going through fiber-
optic wires and by satellite all over the world. So it is my 
hope that we will be able to move forward with this 
legislation, which will help to create and protect American 
jobs, which will help to fight crime in a whole host of ways, 
and which will protect the privacy of law-abiding American 
citizens and I very much thank you for the opportunity to 
participate today.
    Ms. Ros-Lehtinen. Thank you so much, Bob. Congressman Burr.
    Mr. Burr. Thank you, Madam Chairman. Let me just say that, 
my good friend Mr. Goodlatte, I had hoped that after we 
dispensed with this in Commerce last year that law enforcement 
and the technology businesses would find the agreement that 
could move forward together. Unfortunately, I don't have the 
impression that we are there. That as you talked about the 
inability to export software, I think a year from now, with the 
new chips, we will, in fact, find ourselves not exporting the 
computer. I think we have some bigger problems to deal with.
    I would suggest today to my colleagues that the way to find 
the answer is not to dig our heels in the sand and say we can't 
move from where we are. In fact, the challenge to each of us is 
to find where that balance is, to move there, and not to find 
new ways to drive technology offshore where, for a short-term 
gain, we do significant long-term damage to not only the 
development of business in this country and the creation of 
jobs, but to our national security which is an area that we are 
all sensitive to.
    Technology has few boundaries, as my good friend Mr. 
Goodlatte referred to, and our ability to understand 
technology's flow around the world is, in fact, a significant 
key to our understanding of where we move with legislation. 
Madam chairman, I am only hopeful that all Members will 
encourage not only the business sector, but the law enforcement 
sector to work a little bit harder to try to find a compromise, 
one that facilitates the business needs of the future, the 
development of technology, and also provides some assurances of 
law enforcement's access. Clearly, if technology is that 
advanced in intelligence, I am hopeful that somebody will 
transmit an updated map to our intelligence agencies. Maybe we 
won't have quite the problem that we have had over the past 
week.
    Technology is a tremendous tool. It is a tremendous tool 
for every person in the world. It will become more the tool for 
opening up not only closed markets, but closed societies in the 
future. We have to find a way to make this work, to make it 
work for all who have a concern and to utilize this tool to its 
fullest. I am confident that this hearing and many others that 
we will have this session of Congress will help us to get to 
that legislation. I thank the Chair and I yield back.
    Ms. Ros-Lehtinen. Thank you. Mr. Radanovich.
    Mr. Radanovich. Thank you, Madam Chair, I will be brief. I 
would like to submit a statement for the record.
    Ms. Ros-Lehtinen. Without objection.
    [The information referred to appears in the appendix.]
    Mr. Radanovich. Thank you. But do want to state my wish 
that we get a bill forward sometime this session that would 
open up markets for U.S. business and, at the same time, 
preserve our security. I appreciate the chairwoman for having 
this hearing and hopefully we can move this issue forward and 
get it dealt with. Thank you very much.
    Ms. Ros-Lehtinen. Thank you so much. Mr. Rohrabacher.
    Mr. Rohrabacher. I would just like to say that Mr. 
Goodlatte has put a lot of effort into this and is a very 
patriotic American and where we have had our disagreements in 
the past, I think that he is using good judgment here and I am 
very happy to be a cosponsor of this bill.
    Ms. Ros-Lehtinen. Thank you. Thank you so much for your 
patience, all of you in the audience and our panelists as well. 
We will first hear from Bill Reinsch, who currently serves as 
the under secretary for export Administration in the Department 
of Commerce. As head of this bureau, Mr. Reinsch is charged 
with administering and enforcing the export control policies of 
the U.S. Government. Before joining the Department of Commerce, 
he served on the staffs of several Members of Congress who are 
extensively involved with international trade issues. He has 
testified before this Subcommittee many times and we are glad 
to have you back, Bill. Thank you.
    Next will be Barbara McNamara, who is Deputy Director of 
the National Security Agency. From 1995 to 1997, Ms. McNamara 
served as the Deputy Director of operations, National Security 
Agency of the Central Security Service. Prior to that, she 
served as the NSA representative to the Department of Defense, 
as well as chief of the Office of International Economics and 
Global Issues in the Operations Organization. Ms. McNamara 
began her career in the National Security Agency as a linguist 
and served in a variety of analytical and management positions 
in the Operations Office. Thank you so much for being with us.
    Ronald Lee is the associate deputy attorney general for the 
Department of Justice. He is currently the Acting Director of 
the Executive Office of National Security at the Department. He 
has served as the program manager for the development of the 
Administration's 5-year counter terrorism and technology crime 
plan. In 1994, Mr. Lee was appointed as general counsel of the 
National Security and served as their chief legal officer 
representing the NSA in all legal matters. Welcome, Mr. Lee, to 
our panel.
    We also have a representative from the International 
Association of Chiefs of Police, who is pro-export controls, 
but he does not represent the Administration. Mr. Gene Voegtlin 
is the legislative counsel of the International Association of 
Chiefs of Police. In this position, he is responsible for 
directing the day-to-day implementation of the Association's 
government affairs program. Prior to joining the Association, 
Mr. Voegtlin served as the Director of legislative and 
political affairs for the National Federation of Federal 
Employees. His prior experience also includes serving as a 
legislative representative of the Federal Managers Association 
and the American Chemical Society. We welcome you, Mr. 
Voegtlin, today.
    We will begin with the Honorable Mr. Reinsch. Thank you, 
Bill.

  STATEMENT OF WILLIAM REINSCH, UNDER SECRETARY OF COMMERCE, 
                BUREAU OF EXPORT ADMINISTRATION

    Mr. Reinsch. Thank you very much, Madam chairman. It is a 
pleasure to be here with you again to testify on the direction 
of the Administration's encryption policy. I would appreciate, 
Madam chairman, if you would put my full statement in the 
record.
    Ms. Ros-Lehtinen. Correct. Without objection, we will glad 
to put all of your statements into the record.
    Mr. Reinsch. Thank you. Notwithstanding the comments of 
some of your colleagues, Madam Chairman, I think we have made a 
great deal of progress in this area since the last time I was 
here. But it is still, nevertheless, obvious that encryption 
remains a hotly debated issue.
    The Administration continues to support a balanced approach 
which considers privacy and commerce, as well as protecting 
important law enforcement and national security equities. We 
have been consulting closely with industry and its customers to 
develop policy that provides that balance in a way that also 
reflects the evolving realities of the marketplace. The 
Internet and other digital media are becoming increasingly 
important to the conduct of international business. Mr. 
Menendez used one of my better statistics and so I think I will 
skip over the other ones in my statements and you can read 
them. But I think there is no disagreement over that point, in 
any event.
    Clearly, many service industries, which traditionally 
required face-to-face interaction, such as banks, other 
financial institutions, and retail merchants, are now providing 
cyberservice. Customers can now sit at their home computers and 
access their banking and investment accounts or buy a winter 
jacket with a few strokes of their keyboard. Furthermore, most 
businesses maintain their records and other proprietary 
information electronically. They now conduct many of their day-
to-day communications and business transactions via the 
Internet and e-mail. An inevitable byproduct of this growth of 
electronic commerce is the need for strong encryption to 
provide the necessary secure infrastructure for digital 
communications, transactions, and networks.
    Developing a new policy in this area has been complicated 
because we do not want to hinder encryption's legitimate use, 
particularly for electronic commerce yet, at the same time, we 
want to protect our vital national security foreign policy and 
law enforcement interests. During the past 3 years, we have 
learned that there are many ways to assist in lawful access. 
There is no one-size-fits-all solution. On September 22nd of 
last year, we published a regulation implementing our decision 
to allow the export under a license exception of unlimited 
strength encryption to banks and financial institutions located 
in countries that are Members of the Financial Action Task 
Force or which have effective anti-money laundering laws.
    The further result of our ongoing dialogue with industry 
was an update to our encryption policy which the Vice President 
unveiled last September 16th. The regulations implementing the 
update were published on December 31. This will not end the 
debate over encryption controls, but we believe the regulation 
addresses some private sector concerns by opening large markets 
and further streamlining exports. The update reduced controls 
on exports of 56-bit products and, for certain industry 
sectors, on exports of products of unlimited bit length, 
whether or not they contain recovery features.
    In developing our policy, we identified key sectors that 
can form the basis of a secure infrastructure for communicating 
and storing information: banks, a broad range of financial 
institutions, insurance companies, online merchants, and health 
facilities. Many of the updates permit the export of encryption 
to these end-users under a license exception. The policy also 
allows for exports of 56-bit software and most hardware to any 
end-user under a license exception; exports of strong 
encryption, including technology to U.S. companies and their 
subsidiaries, under a license exception, to protect important 
business proprietary information; and approval under a 
licensing arrangement of recovery-capable or recoverable 
encryption products of any key length to recipients located in 
46 countries. Such products include systems that are managed by 
a network or corporate security administrator.
    In December, through the hard work of Ambassador David 
Aaron, the President's special envoy on encryption, the 
Wassenaar arrangement's members agreed on several changes 
related to encryption controls. Specific changes to 
multilateral encryption controls included removing them on all 
encryption products at or below 56-bits and on certain consumer 
items regardless of key length.
    Most importantly--and I want to take a moment on this, 
Madam chairman--the Wassenaar members agreed to remove 
encryption software from Wassenaar's general software note and 
replace it with a new cryptography note. Drafted in 1991 when 
banks, governments, and militaries were the primary users of 
encryption, the general software note allowed countries to 
permit the export of mass-market encryption software without 
restriction. The GSN was created to release general purpose 
software used on personal computers, but it inadvertently 
encouraged some signatory countries to permit the unrestricted 
export of encryption software. It was essential to modernize 
the general software note and close a loophole that permitted 
the uncontrolled export of encryption with unlimited key 
length.
    Under the new note, mass-market hardware has been added and 
a 64-key length or below has been set as an appropriate 
threshold. This will result in government review of the 
dissemination of mass-market software of up to 64-bits. I want 
to be clear that this does not mean encryption products of more 
than 64-bits cannot be exported. Our own policy permits that as 
does the policy of most other Wassenaar members. It does mean, 
however, that such exports must be reviewed by governments 
consistent with their national export control procedures.
    Finally, Madam chairman, with respect to H.R. 850, the 
Administration opposes this legislation, as we did its 
predecessor in the last Congress. The bill proposes export 
liberalization far beyond what the Administration can entertain 
and which would be contrary to our international export control 
obligations. Despite some cosmetic changes the authors have 
made, the bill in letter and spirit would destroy the balance 
we have worked so hard to achieve and would jeopardize our law 
enforcement and national security interests.
    I want to reiterate that this Administration does not seek 
controls or restraints on domestic manufacture or use of 
encryption. We continue to believe the best way to make 
progress on ways to assist law enforcement is through a 
constructive dialogue. As a result, we see no need for the 
statutory provisions contained in the bill.
    Second, once again, we must take exception to the bill's 
export provisions. In particular, the references to IEEPA, as I 
understand them, might have the effect of precluding controls 
under current circumstances and in any future situation where 
the EAA had expired and the definition of general availability, 
as in the past, would preclude export controls over most 
software. In addition, whether intended or not, we believe the 
bill as drafted could inhibit the development of key recovery, 
even as a viable commercial option for those corporations and 
end-users that want it in order to guarantee access to their 
data. The Administration has repeatedly stated that it does not 
support mandatory key recovery, but we endorse and encourage 
development of voluntary key recovery systems and, based on 
industry input, we see growing demand for them, especially 
corporate key recovery, that we do not want to cutoff.
    The Administration does not seek encryption export control 
legislation nor do we believe such legislation is needed. The 
current regulatory structure provides for balanced oversight of 
export controls and the flexibility needed so that it can 
continue to promote our economic foreign policy and national 
security interests while adjusting to advances in technology. 
We believe this is the best approach to an encryption policy 
that promotes secure electronic commerce, maintains U.S. leads 
in information technology, protects privacy, and protects 
public safety and national security interests.
    Thank you, Madam chairman.
    Ms. Ros-Lehtinen. Thank you so much.
    Ms. McNamara.

   STATEMENT OF BARBARA MCNAMARA, DEPUTY DIRECTOR, NATIONAL 
                        SECURITY AGENCY

    Ms. McNamara. Good afternoon, Madam Chair. Thank you for 
the opportunity to appear today. I would like to begin briefly 
by introducing the National Security Agency and its mission and 
explain why this issue is so important to us.
    NSA secures information systems for the Department of 
Defense and other U.S. Government agencies and provides 
information derived from foreign signals to a variety of users 
in the Federal Government. It is the signal's intelligence role 
that I want to address today. NSA intercepts and analyzes the 
communications signals of foreign adversaries to produce 
critically unique and actionable intelligence reports for our 
national leaders and military commanders. Very often, time is 
of the essence. Intelligence is perishable. It is worthless if 
we cannot get it to the decisionmakers in time to make a 
difference.
    Signals intelligence proved its worth in World War II when 
the United States broke the Japanese naval code and learned of 
their plans to invade Midway Island. This intelligence 
significantly aided the U.S. defeat of the Japanese fleet and 
helped shorten the war. NSA provides the same kind of 
intelligence support today in the former Yugoslavia and other 
locations around the world wherever U.S. military forces are 
deployed.
    NSA signals intelligence efforts also support policymakers 
and law enforcement. Demands on NSA for timely intelligence 
have only grown since the breakup of the Soviet Union and have 
expanded into national security areas of terrorism, weapons 
proliferation, and narcotics trafficking. Today, many of the 
world's communications are still unencrypted. Historically, 
encryption has been used primarily by governments and the 
military. It was employed for confidentiality and hardware-
based systems and was often difficult to use. As encryption 
moves to software-based implementations and the 
infrastructure--and I underline infrastructure--develops to 
provide a host of encryption-related security services, 
encryption will spread and be widely used by other foreign 
adversaries that have traditionally relied upon unencrypted 
communications. As a result, much of the crucial information we 
are able to provide today could quickly become unavailable to 
the decisionmaker.
    As you will hear from my colleague from the Department of 
Justice, it is important to understand that the needs of 
national security and the needs of law enforcement are 
different and must be addressed separately. At NSA, we are 
focused on preserving export controls on encryption to protect 
national security. As you consider the SAFE Act, it is very 
important to understand the significant effect certain 
provisions of this bill will have on national security.
    The SAFE Act would mandate the immediate decontrol of most 
commercial computer software encryption and specified hardware 
encryption exports. This will greatly complicate our 
exploitation of foreign targets and the timely delivery of 
usable intelligence because it will take too long to decrypt a 
message if, indeed, we can decrypt it at all. This bill would 
also deprive us of the opportunity to conduct a meaningful 
review of a proposed encryption export. Historically, this 
review process has provided us with valuable insight into what 
is being exported, to whom, and for what purpose. Without this 
review and the ability to deny an export application if 
necessary, it will be impossible to control exports of 
encryption to countless bad guys.
    The SAFE Act would permit exports of encryption based on 
products comparable to those being exported for foreign 
financial institutions. But using the special treatment 
afforded banks and financial institutions which are well-
regulated and have a good record of providing access to lawful 
requests for information, as the basis for a blanket approval 
of export to all other end-users in a country would eliminate 
important national security end-use considerations. The 
criteria for exporting encryption to these institutions should 
not be the basis for decontrolling other encryption exports.
    The SAFE Act also eliminates control for computer hardware 
with encryption capability if it is found that the product is 
available in the overseas market. The apparent availability of 
a product in a country without regard to its actual performance 
capabilities or without restrictions on end-users or end-uses 
will have the practical effect of forcing the decontrol of such 
exports, a condition that is unacceptable to national security.
    We believe that we need a balanced encryption policy that 
considers the needs of national security and industry. The 
recent U.S. and Wassenaar policy updates are positive moves in 
that direction. You will hear from others that industry is 
prohibited from exporting anything greater than 56 bits. That 
is patently wrong. Last year's update allows vendors to export 
unlimited-strength encryption, even 128 bits, to specified 
market sectors in a set of countries that represents 
approximately 70 percent of the world's economies or did at the 
time and that redresses the issue of Amazon.com that 
Congressman Goodlatte referred to.
    This is an example of the kind of advances possible under 
the current regulatory structure which provides greater 
flexibility than a statutory structure would. Let me make it 
clear. We want U.S. companies to effectively compete in world 
markets. In fact, it is something that we strongly support as 
long as it is done consistent with national security needs.
    In summary, the SAFE Act will harm national security by 
making NSA's job of providing critical actionable intelligence 
to our leaders and military commanders difficult if not 
impossible, thus putting our Nation's security at considerable 
risk. The United States cannot have an effective decisionmaking 
process, or a strong fighting force, or a responsive law 
enforcement community, or a strong counterterrorism capability 
unless the information required to support them is available in 
time to make a difference. The nation needs a balanced 
encryption policy that allows U.S. industry to continue to be 
the world's leader, but that also protects the security of our 
Nation. Thank you, Madam chairman.
    Ms. Ros-Lehtinen. Thank you so much.
    Mr. Lee.

  STATEMENT OF RON LEE, ASSISTANT ATTORNEY GENERAL, NATIONAL 
                SECURITY, DEPARTMENT OF JUSTICE

    Mr. Lee. Madam Chair, I would like to emphasize some of the 
points in my written statement for the Subcommittee in my brief 
remarks this afternoon. I would like to be clear, because the 
views of the Department of Justice on encryption and export 
controls are often caricatured or misrepresented.
    The Department of Justice supports the spread of strong 
recoverable encryption to protect the privacy of American 
citizens and to protect the security of our information 
infrastructure. This is not, after all, a debate about whether 
the U.S. national interest is served by the success of U.S. 
companies abroad. We fully accept and support that premise. We 
are, however, deeply concerned about the threat to public 
safety posed by the widespread distribution and use of 
nonrecoverable encryption. Law enforcement agencies, both in 
the United States and abroad--and we work closely with many law 
enforcement agencies abroad--have already begun to see cases 
where encryption has been used in efforts to conceal criminal 
activity. The number and complexity of these cases will 
certainly increase as encryption proliferates and, I emphasize, 
as encryption increasingly becomes an integral part of mass-
market software items and network-based information services.
    Thus, we cannot just extrapolate from past examples where 
encryption has posed a problem. We must, as a government, in 
partnership with the Congress, take this moment to realize that 
encryption is becoming a part of our commerce and make 
responsible public choices.
    Faced with the use of nonrecoverable encryption, agents 
would not be able to make effective use of search warrants, 
wiretap orders, and other legal processes that have been 
authorized by Congress and ordered by the courts. These tools 
are absolutely essential to effective law enforcement 
investigations today. Without these tools, law enforcement 
would find it increasingly difficult, if not impossible, to 
obtain important evidence of criminal activity and to gather 
and develop and present the evidence needed in criminal 
prosecutions.
    In the face of these challenges, the Department of Justice 
supports the carefully balanced approach to export controls 
that the Administration is actively pursuing. The Chair asked 
about progress in the last year. I would like to report that 
the Attorney General, along with the Director of the Federal 
Bureau of Investigation and other government officials have 
been actively engaging industry leaders in a continuing, 
cooperative, and positive dialogue. This dialogue has continued 
throughout the Department and the FBI at several different 
levels.
    We have gained a lot from the dialogue. We have both 
explained the public safety concerns that we have from the 
spread of nonrecoverable encryption and we have learned about 
innovative solutions that industry has presented. It was in 
part this collaboration and dialogue that led us to be able to 
participate in the active report in the export control updates 
announced by the Administration last September. We thank the 
Members of Congress who have helped to facilitate this dialogue 
and we will work hard to make sure that these discussions 
continue. We believe that the current balanced approach is the 
most conducive approach to continuing this open dialogue with 
industry.
    In this connection, the rapid elimination of export 
controls, as proposed in H.R. 850, the Security And Freedom 
through Encryption Act, would upset this balance dramatically. 
We believe that passage of the SAFE Act would cause the further 
spread of unbreakable encryption products that will be used by 
terrorist organizations and others for criminal purposes.
    Of course, we recognize that law enforcement is already 
coming across nonrecoverable encryption by criminals. We are 
not standing still. In order to protect public safety, we are 
continuing to develop our own technical expertise. The 
Department of Justice has begun initiatives such as the funding 
of a centralized technical resource within the FBI which will 
support Federal, State, and local law enforcement personnel in 
developing a broad range of expertise, technologies, and tools 
to respond directly to the threat posed by unbreakable 
encryption when used by criminals.
    We look forward to working with Congress to develop this 
resource. However, I must emphasize that no technology, no set 
of technologies, no tool box offers a silver bullet. The 
widespread use of nonrecoverable encryption by criminals would 
quickly overwhelm whatever technical response and capabilities 
we could develop. In summary, we believe that the 
Administration's approach balances the need for secure private 
communications and electronic commerce with the equally 
important need to protect the safety of the public against 
threats from terrorists and criminals. We look forward to 
working with you on this important issue. Thank you.
    Ms. Ros-Lehtinen. Thank you so much.
    Mr. Voegtlin.

    STATEMENT OF GENE VOEGTLIN, ESQ., LEGISLATIVE COUNSEL, 
         INTERNATIONAL ASSOCIATION OF CHIEFS OF POLICE

    Mr. Voegtlin. Thank you. Good afternoon, Madam Chair, 
Chairman Gilman, and Members of the Subcommittee. I am pleased 
to be here today on behalf of the International Association of 
Chiefs of Police. Our president, Ronald Neubauer, had hoped to 
be here today, but, unfortunately, he is out of the country and 
therefore cannot attend.
    I would like to briefly tell you about the IACP and then 
summarize our statement. Founded in 1893, the IACP, with 17,000 
members in 112 countries, is the world's oldest and largest 
association of law enforcement executives. Our mission 
throughout the history of the association has been to identify, 
address, and work to provide solutions to urgent law 
enforcement issues. As I appear before you today, it is clear 
that robust, nonrecoverable encryption technology and the 
threat it poses to the ability of law enforcement agencies to 
perform their mission looms as one of the most urgent and 
important issues facing our members in the communities they 
serve.
    The IACP's position on the encryption issue is clear. We 
strongly believe that the unchecked proliferation of robust 
nonrecoverable encryption technology poses an enormous danger 
to effective law enforcement, public safety, and to society as 
a whole. Therefore, the IACP believes that any encryption 
legislation that is enacted must protect the ability of law 
enforcement agencies to perform court-authorized electronic 
surveillance and the search and seizure of criminally related 
information stored in computers.
    In addition, the IACP believes that it is of vital 
importance to maintain the stringent export controls on robust 
nonrecoverable encryption products. The relaxation of export 
controls would likely result in the widespread proliferation of 
unbreakable encryption products which would severely limit if 
not completely destroy the ability of law enforcement agencies 
to effectively investigate and apprehend international 
terrorists and criminals. This is why the IACP was pleased last 
December when 33 nations signed on to the Wassenaar export 
control agreement to impose or expand existing controls on 
encryption and other data scrambling technologies.
    I would like to note, however, that the IACP's position on 
the need for law enforcement access does not mean that we 
oppose all uses of encryption technology. The IACP certainly 
recognizes that there is a legitimate need to use encryption 
products as a tool to protect electronic commerce and 
individual privacy. Indeed, law enforcement agencies themselves 
have a need for secure communications and information storage. 
Nevertheless, we must balance these legitimate concerns with 
the threat we face by providing criminals, drug lords, and 
terrorists with an impenetrable means of communicating to their 
criminal associates.
    In addition, the IACP is aware of the economic issues 
involved in the manufacture and sale of encryption technology 
and products. However, we believe that we must consider the 
enormous economic damage that is being done to the United 
States economy as a result of crime and related consequences. 
For example, experts have estimated that the economic loss to 
the United States as a result of drug-related crime, accidents, 
medical care, and the loss of productivity reaches upward to 
$50 billion a year.
    Finally, I would like to stress that providing law 
enforcement with a means to access the plain text of encrypted 
information would not represent an expansion of the police 
power to conduct searches or infringement on the Fourth 
Amendment protections against unreasonable searches. Law 
enforcement agencies would still be required to follow the 
current procedures that are necessary to gain access to other 
information that is used in the commission of crime. Providing 
for law enforcement access is entirely consistent with the 
constitutional safeguards of the Fourth Amendment.
    What we would be doing by ensuring that law enforcement can 
access the plain text of encrypted criminal information is 
simply modernizing our current search warrant laws to keep pace 
with advances in computer technology. It is imperative that 
Congress take immediate steps to protect the capabilities of 
law enforcement. Electronic surveillance and wiretaps are two 
of the most effective tools in law enforcement's arsenal. Over 
the years, numerous arrests, prosecutions, and convictions have 
been secured against criminals because of court-authorized 
surveillance and wiretaps operations.
    It is our belief that if Congress allows a robust 
encryption technology to be sold without providing for a means 
of law enforcement plain text access, it would effectively be 
stripping law enforcement agencies of their ability to 
successfully perform electronic surveillance, wiretaps, and the 
search and seizure of criminal information stored in computers. 
Therefore, before any legislation is enacted, the IACP urges 
Congress to ensure that it contain provisions that would 
provide law enforcement with immediate and complete plain text 
access to information encrypted in the furtherance of criminal 
activity. The inclusion of such provisions are absolutely vital 
if we are to preserve the investigative capabilities of our 
Nation's law enforcement agencies.
    If Congress fails to provide law enforcement with this 
necessary access, law enforcement agencies will be further 
behind the technology curve. Terrorists, drug lords, and other 
criminal elements will have the upper hand over law enforcement 
and, as a result, the personal safety and security of all 
Americans and their property will be endangered. Thank you.
    Ms. Ros-Lehtinen. Thank you so much to all of our panelists 
and we are proud to begin our series of questions by our 
Chairman of the International Relations Committee, Mr. Gilman.
    Mr. Gilman. Mr. Lee, how many major organized crimes cases 
have made without court-authorized wiretap evidence? Can you 
give us a rough estimate?
    Mr. Lee. Chairman Gilman, each major organized crime case, 
like any other investigation of a major crime, is done with a 
combination of law enforcement investigative tools. Law 
enforcement brings to bear the entire set of tools to 
investigate, apprehend, and prosecute these criminals. In each 
of these investigations, court-authorized wiretap operations 
and the evidence derived from them are absolutely essential to 
the success of the enterprise. By that I would mean both the 
successful investigation of the organized crime matter and also 
the successful prosecution and marshalling of evidence against 
the defendants.
    Mr. Gilman. Thank you. Mr. Voegtlin, do you agree with that 
assessment?
    Mr. Voegtlin. Yes, absolutely.
    Mr. Gilman. How often in cases such as kidnappings and 
planned terrorist bombs has the court-authorized wiretap 
prevented the loss of life? Mr. Lee.
    Mr. Lee. Mr. Chairman, there have been numerous cases where 
court-authorized wiretaps have been used by law enforcement 
officials to prevent and solve--to prevent loss of life and to 
solve the cases. I would add to that list not just terrorism 
and kidnapping, but also cases such as child pornography and 
other exploitation of children. It is an absolutely essential 
tool.
    Mr. Gilman. What about the timing of information that you 
receive from wiretaps, too? Is that critical to the cases 
involved?
    Mr. Lee. Mr. Chairman, the timing, the ability to quickly 
derive the plain text, the meaning from the wiretaps on a real-
time instantaneous basis is absolutely critical, both to saving 
lives and also to apprehending criminals and furthering the 
investigation.
    Mr. Gilman. Thank you. Mr. Reinsch, what effect would the 
implementation of the SAFE Act have on the Wassenaar 
arrangement?
    Mr. Reinsch. Mr. Gilman, first it would put us in violation 
of it. It is inconsistent with it and, second, I believe it 
would undercut our efforts to obtain stronger multilateral 
controls. It would probably result in our allies abandoning 
their efforts to control these products.
    Mr. Gilman. Could you tell us, Mr. Reinsch, do the 
provisions in the SAFE Act relating to terrorist countries 
provide effective control for the Administration to stop the 
export of encrypted products to those countries?
    Mr. Reinsch. That is a more complicated question than the 
Wassenaar question, Mr. Gilman. We believe generally no, but it 
is a more--that they do not help us provide effective control, 
but it is a more complicated legal analysis. The bill contains 
two provisions that contradict each other. One which addresses 
this question specifically and one which generally removes 
licensing authority for what we believe would be most mass-
market products. Even if we were to try to reconcile those 
conflicting provisions by construing the stricter one as 
ruling, we have some concerns about the way that it is drafted. 
It imposes, not with respect to countries, but with respect to 
individuals--individual terrorists or individual terrorist 
organizations--a substantial evidence test which is quite a 
high test, an unusual one for the kind of system that would 
make it much more difficult for us to identify and list, 
meeting the standards of the Act, terrorist organizations and 
proscribe exports to them.
    Mr. Gilman. Just one last question: Mr. Voegtlin, what 
would encryption without access do to local law enforcement's 
ability to fight the drug war?
    Mr. Voegtlin. Basically, we are concerned that it would all 
but eliminate our ability to fight the drug war. Currently--and 
it is becoming on an ever-increasing basis--State police 
directors and local law enforcement agents are coming across 
encryption in an ever-increasing fashion. Right now what we are 
looking at are situations where you have drugs being imported 
into this country and the command and control is taking place 
overseas and they are using encrypted communications to talk to 
the subordinates in this country, to talk about distribution 
and other coordination efforts. Without being able to access 
this information through wiretaps, the ability for State and 
local law enforcement agencies to work in cooperation with the 
Federal agencies on the drug issue will be severely limited if 
not completely destroyed.
    Mr. Gilman. Thank you and thank you, Madam chairman.
    Ms. Ros-Lehtinen. Thank you so much, Mr. Gilman, for being 
with us. Mr. Menendez.
    Mr. Menendez. I thank you, Madam Chairlady, I appreciate 
this panel's testimony. Before I ask my questions, I want to 
ask Mr. Lee, is your division of the Justice Department 
National Security? Is that my understanding?
    Mr. Lee. Sir, I am a Senior Member of the Deputy Attorney 
General's Office. One component of the Deputy Attorney 
General's Office is called the Executive Office of National 
Security. I am the acting head of that component, but I also 
have other responsibilities in the Office of the Deputy 
Attorney General.
    Mr. Menendez. That is not the same division of the Justice 
Department that declared the air space over Camden Yards to 
banners talking about freedom and democracy our national 
security risk, is it?
    Mr. Lee. I am not familiar with that matter.
    Mr. Menendez. Because that really colored my perception of 
what national security is. Let me ask the panel the following. 
My friend and colleague from New Jersey, a new Member of 
Congress, Rush Holt, is a rocket scientist. His constituents 
have a bumper sticker in his district that says, ``My 
Congressman is a rocket scientist.'' Now, I am not a rocket 
scientist. I am just a poor old country lawyer. What I don't 
have an understanding about----
    I am not a professor either of the law. But what I really 
have a problem listening to the testimony here about is one 
basic set of circumstances which seems to be glossed over and 
maybe all of you can help.
    No. 1 is, there is no domestic control of encryption. Is 
that a correct statement?
    Mr. Reinsch. That is correct.
    Mr. Menendez. So I, as an American, or for that fact, 
someone from abroad who is visiting here could buy this 
domestically. I guess taking it back home might be a violation 
of the law. Is that the case?
    Mr. Reinsch. Yes, in general. There would be a personal use 
issue, but if you were taking it back to give to somebody else 
or to sell that would----
    Mr. Menendez. If I wanted to buy and use it and take it 
back. But I don't even have to do that, as I understand it. 
This technology exists by a variety of countries--the Japanese, 
the Israelis, French, others--who have all of this capacity at 
its highest levels, as I said in my opening statement, in the 
Internet, you can download 128 bits. Now I heard Ms. McNamara 
say that we don't control, we, in fact, permit under the new 
regulations over 56 bits. But that's if you have, in fact, a 
key recovery system. If you have a non key recovery system, you 
can't do that, can you?
    Mr. Reinsch. No. Maybe I can clarify that part. I would 
like to have Ms. McNamara talk a little bit about the 
availability issue if we have time for that. The policy permits 
the export in a variety of circumstances that my statement went 
over fairly quickly of more than 56-bit encryption. In fact, 
encryption without bit length limit and without key recovery 
features can be exported to U.S. subsidiaries, for example, to 
health care organizations, to banks, to financial institutions, 
and so on.
    Mr. Menendez. Yes. Outside of that specific category--and I 
have a chart here: the banks, financial, health insurance, 
health care----
    Mr. Reinsch. Right.
    Mr. Menendez. Outside of that category.
    Mr. Reinsch. No.
    Mr. Menendez. If you want to, you could not.
    Mr. Reinsch. Except via--there is a whole list in that 
category, more than the ones I mentioned, but outside of what I 
assume is on your chart, the only way high-level encryption, 
128-bit or whatever, could be exported would be pursuant to an 
individual license that we would issue. An exporter can apply 
for anything they want and we will consider any application 
they submit, but it would take an individual license outside of 
those categories.
    Mr. Menendez. My point, Mr. Secretary--and for members of 
the panel, maybe you can help me here, elucidate to me--the 
point is whether you buy it here or domestically and you have 
this capacity and you illegally--because we are talking about 
illicit activities that we are concerned about and national 
securities and espionage and all of that--bottom line is 
whether you buy it domestically or whether you buy it abroad 
and use it for an illicit purpose here in the United States, 
what is it that we accomplish in terms of controlling the 
technology that is readily available and that can be used by 
anyone who seeks to do so illicitly for espionage or terrorism, 
for anything. I listened to the line of questioning of our 
distinguished Chairman and, all of those things can be 
accomplished by someone who wants to break the law and use and 
seek the technology abroad. Tell me what it is that--how do we 
circumvent all of that?
    Ms. McNamara. Let me try and answer that question and then 
any of my colleagues can chime in behind, sir. Let me first 
address the issue that you raised about nations overseas. As 
you heard Mr. Reinsch say and I said as well, in December of 
last year, 33 nations signed up to the Wassenaar agreement. 
What that does is permits those 33 nations to have an umbrella 
arrangement or agreement which allows them then to invoke 
export controls in their own individual countries. They are 
doing that and they are abiding by it.
    Some of those nations without Wassenaar had their own 
export control regime and they are abiding by that. The 33 
nations that signed up to the Wassenaar agreement are the 33 
nations which are today the world's predominant producers of 
encryption, save one or two, and even those, although not 
members of Wassenaar, do have their own export control 
regulatory regime which they invoke for the export of 
encryption from their own national producers.
    The export of, or the individuals who, as you point out, 
illegally use or apply for the use of encryption, on an 
individual basis, we are never going to stop all of that. What 
we are attempting to talk about here is the actual broad use of 
encryption or the incentive for the broad export of encryption 
from this country.
    Encryption today is not being used broadly. Encryption 
today is, for the most part, being used by individuals for 
applications that are approved under our export control regime 
for business, for banking, for online commerce. All of that 
export, without requiring key recovery features, I might add, 
is available under today's export control regime from this 
country as of last September. That was reinforced and 
reendorsed by the Wassenaar agreements.
    When we look at the international use of encryption, I will 
tell you that we expect to see the broad use of encryption 
internationally when three conditions are met. Those three 
conditions are it becomes inexpensive--and I will grant you, it 
is becoming inexpensive--it becomes easy to use--and, in some 
cases, it is in fact easy to use. In other cases it is not--and 
what will be required for the broad international use of 
encryption is a security management infrastructure which will 
allow the registering of keys, the authentication of users, and 
the free and open exchange of encryption across international 
boundaries. Those international security management 
infrastructures do not exist today, globally. So we are not 
seeing the broad use of encryption.
    Mr. Menendez. I appreciate your answer. My concern, 
however, remains, I think, unanswered. That is, maybe you 
cannot answer it. Not that you don't want to answer it. Maybe 
it cannot be answered. That is this, that, listening to your 
answer, Wassenaar, as I understand it, is ultimately not 
binding, but even to the extent that, while it is predominate 
of the countries, it is not exclusive. To the extent that you 
have access in those countries, domestically, as we would have 
access here domestically; and to the extent that you have 
acknowledged that it is becoming more and more inexpensive and 
easier to use, ultimately it just seems to me that those--
forgetting about the broad base appeal that we seek to divert 
for the time being--ultimately, those who want to use such 
encryption opportunities to do something illicitly, to do 
something in terms of how this panel has described their 
concerns about it, ultimately have the wherewithal to do it 
now. So I don't know exactly what we stop here except American 
companies from being competitive in the world because those who 
want to do it will do it.
    Last, even to those that you have given presumptions of 
approval to, to American subsidiaries abroad that have foreign 
nationals working for them. It does not give me a sense of 
rhyme or reason. I get the sense that, we want to try to stop 
what we cannot stop and we are just hoping to buy time here at 
the end of the day. I may be wrong in that perception, but that 
is certainly the perception I have.
    Mr. Lee. Mr. Menendez, if I may address that briefly from 
the law enforcement perspective, our position is not that the 
policy is a failure if there is one single illicit or bad 
person using encryption. We fully understand that people are 
going to go to great lengths to use encryption that we probably 
will never be able to read. The issue for us is that we are 
starting to get into a world where everyone will be using 
encryption and the policy issue, both for the world of exports 
and for the United States, is what will that world look like? 
Will it be a world where there is some possibility that the 
wiretaps that Mr. Voegtlin and I have spoken about will have 
some value, some meaning to protect public safety? Or will it 
be a world where those wiretaps are completely useless? That is 
the overarching policy issue, not whether a criminal or a 
terrorist could--indeed they can and they do. We are seeing 
that increasingly--not whether they can, in an isolated case, 
find encryption that frustrates us. The question is, as 
encryption becomes much more pervasive so that people don't 
have to go to any effort whatsoever to use it, what kind of a 
world will we live in?
    Mr. Menendez. My concern, Mr. Lee, is that what you are 
concerned about already is becoming a reality, notwithstanding 
anything that we are doing right now. I thank the Chair Lady.
    Ms. Ros-Lehtinen. Thank you so much, Mr. Menendez. Mr. 
Bereuter.
    Mr. Bereuter. Thank you, Madam chairman. Thank you for your 
testimony. Mr. Reinsch, the reference has been made to the 
dialogue the Administration had been engaging in with the 
industry. I believe it may have first been started or at least 
noticeably progressing when it was initiated by John Deutsch, 
the Director of the Central Intelligence Agency. It seems to me 
that he maintained a successful back channel communication with 
the group of top industrial CEO's. They were moving ahead in 
what appeared to be very useful negotiations to strike a useful 
balance. When Deutsch left, Deputy Attorney General Jamie 
Gorelick continued that process and she has been now for well 
over a year.
    It seems to me, looking at it from the outside, that the 
discussions have withered away and do not appear to have the 
attention or the focus of the necessary officials in the 
Administration. In its place appears to be unilateral 
declarations. The Administration, through a new policy unveiled 
by Vice President Gore, implemented new regulations. Industry, 
not satisfied with this action, is lobbying for enactment of 
the SAFE legislation. I was always interested in the past to 
see representatives, actual employees of the software 
companies, coming up here, and lobbyists paid by them to 
represent those software companies on this issue oftentimes 
unaware of what had happened with negotiations with the top-
level CEO's in their own companies.
    I think this matter of encryption control is a very serious 
matter, yet it appears the issue has been left to drift off the 
legislative cliff. We need, I think, to find a balance, an 
option that works in the real world. That would entail intense, 
very high-level negotiations and compromise, it seems to me, 
much like the negotiations were leading to, I thought, that 
Deutsch was leading.
    So my questions, to begin with, are what steps are being 
taken to reengage at the highest level industrial CEO's to find 
a realistic, workable balance, or is something going on that 
you can't talk about here or that you can talk about here? Who 
is the Administration's point person in this dialogue? When was 
the last dialogue meeting with top leadership of the software 
companies? When is the next meeting? Is anything like this 
happening?
    Mr. Reinsch. I can make some comments, Mr. Bereuter, 
without going into all the details of 2 of 3 years of history 
on this which I see in some respects similar to your points and 
in some respects, I think, different than the points you have 
made. I don't think we have become unengaged, if you will.
    I think after Mr. Deutsch's departure from the government, 
the dialogue has ensued really on two levels. There was a 
direct dialogue with law enforcement and with the Justice 
Department and the FBI, which I think Mr. Lee could comment on 
separately, which was designed to put those two groups in 
direct contact for discussions, in many respects, at a 
technical level of how they could help each other and how they 
could try to advance the ball from that point of view.
    Mr. Bereuter. With the industry? A dialogue with the 
industry?
    Mr. Reinsch. That is correct. I am sorry. Yes, with the 
industry.
    In addition, we have continued the dialogue at senior 
levels, both with individual executives and also with several 
large groups, both hardware and software, that have become the 
representatives, if you will, of that point of view. Throughout 
this dialogue, whether before or after Mr. Deutsch's departure 
from the government, at no time has the industry abandoned or 
dropped its goal of passing Mr. Goodlatte's bill and we don't 
assume that there is anything that we can do that will cause 
them to change their mind. When Mr. Goodlatte is offering them 
the whole pie, I wouldn't expect them to deny the opportunity.
    At the same time, I think that what we have done with them 
has been very successful in addressing a lot of the problems 
they have identified, and I think if you go back and look at 
their reaction, you can ask the following panel. Ask Mr. Smith, 
who will be on after me and some others about their reaction 
after the Vice President's announcement in September. I think 
you will find that it was quite a positive reaction and a 
welcoming reaction as a product of some constructive dialogue 
we had at that time. Their final sentence was, this is great, 
we want more. We respect that. But I think it has been a 
successful relationship. It goes on.
    I think the next encounter is likely to be the 10th of June 
when we have a group of CSPP CEO's coming to town on several 
subjects. Computers is probably at the top of their agenda, but 
I am sure encryption will not be far behind and I am sure they 
will be meeting with representatives of the Administration. I 
understand they will be up here as well. I think that will be a 
chance to renew the dialogue collectively, but there are 
frequent opportunities for one-on-one or smaller group 
discussions. My secretary, Mr. Daley, has been to California 
several times in the last 3 or 4 months, as have I. We have 
these discussions every time we go.
    Mr. Bereuter. Secretary Reinsch, I would expect that 
seeking the whole pie, Mr. Goodlatte's legislation, would be a 
good negotiating tactic. I wouldn't deem it impossible to find 
something that is balanced despite their almost unanimous 
support for it.
    Director McNamara, my understanding is that the Wassenaar 
agreement still allows the export to countries that set 
different standards. I can't understand really, in that 
situation, how you are able to achieve your purposes in 
protecting the national security or how law enforcement is able 
to pursue at the local, national, or State level their 
objectives when you have got this differential under Wassenaar. 
What am I missing here? Is that a problem or am I wrong about 
the impact of Wassenaar on the exports to the various 
countries?
    Ms. McNamara. The existence of Wassenaar allows countries 
to actually have something to connect an export control regime 
to in those countries that didn't have a regulatory 
underpinning in their countries. It is all up to national 
discretion, as it is in our----
    Mr. Bereuter. It is differential in its application, isn't 
it, Director McNamara?
    Ms. McNamara. I am sorry, sir?
    Mr. Bereuter. It is differential in its application, 
country-to-country?
    Ms. McNamara. Yes. Country-to-country, as it is here. But 
it is fundamentally based on end-use and end-user and there are 
agreements that are in common, like preventing the export of 
encryption to terrorists and we can do, actually, a comparison 
for you, sir, if that would be helpful.
    Mr. Bereuter. It does seem to me that the end-user approach 
is unenforceable in reality. Secretary Reinsch, one final 
question. You mentioned in your written testimony at least that 
you believe the Goodlatte bill, as drafted, could inhibit the 
development of key recovery even as a viable commercial option 
for those corporation end-users that want it in order to 
guarantee access to their data. Could you elaborate on that?
    Mr. Reinsch. Yes, Mr. Bereuter, if I can find the 
provision. I think if you look at--I wouldn't say, by the way, 
that--I tried to phrase that statement in my testimony 
carefully because I wouldn't say that the problem is as big in 
this bill as it is in some other ones that have been 
introduced, but I think if you look at, in general, the 
provisions on page--in my draft, which I think is the one with 
all the cosponsors on the front, the provisions on page five 
and page six of the bill. We would interpret them as 
significantly discouraging the use of key recovery. I would not 
go so far as to say the bill prohibits that, but we think it 
has an inhibiting effect.
    Mr. Bereuter. You did say inhibit and that is the word I 
tried to use in your quote. I will look at those. Thank you 
very much. Thank you, Madam chairman.
    Ms. Ros-Lehtinen. Thank you. Mr. Goodlatte, we are going to 
recognize you in a moment even though you are not a Member of 
our Committee. Mr. Delahunt.
    Mr. Delahunt. Yes, thank you, Madam chairwoman. I have had 
the benefit of this testimony in my capacity on the Judiciary 
Committee and I have had an opportunity to engage in some 
dialogue. I would just make some observations. I think that 
both Mr. Bereuter and Mr. Menendez have articulated some of the 
concerns I know that you have heard from me in terms of those 
who are sophisticated and have an intent to indulge in illicit 
activity, you simply can't deter them, given the realities of 
foreign availability. I think this is the problem that we are 
wrestling with. I think, if I am correct, Director McNamara, I 
think you just acknowledged that earlier in your testimony? I 
don't want to put words in your mouth, but that was the 
conclusion that I draw.
    Ms. McNamara. We are never going to stop everyone from 
breaking the law. That is true, sir. But coming down in the 
car, I happened to be thinking that just because somebody 
speeds through a school zone doesn't necessarily mean we raise 
the speed limit in the school zone.
    Mr. Delahunt. Right.
    Ms. McNamara. There are some products available overseas. I 
would appreciate it if you accept Mr. Gilman's earlier offer 
when he announced the classified session on Thursday and I 
would be happy to talk about this in more detail at that 
session.
    Mr. Delahunt. I hope to accept that invitation, but I am 
just saying for those who are unable to go to that particular 
briefing. I think that the concern that I have from a national 
security perspective, if the development of encryption 
technology in this country is impeded--put aside for a moment 
the adverse impact in terms of our balance, in terms of our 
economy--what we are going to have is these cutting-edge 
encryption technologies far surpassing what we have available 
to us. If the marketplace is really driving this issue. I think 
I understand where you are heading. I think, particularly, I am 
addressing this to Ms. McNamara, not just because you are a 
former resident of Massachusetts, because I know you have 
strong feelings about this particular issue.
    Ms. McNamara. About Massachusetts, sir.
    Mr. Delahunt. About Massachusetts, obviously. Don't worry, 
they won't tear down Fenway Park. I can assure you that.
    But my point is, particularly from a national security 
perspective, we are dealing with a level, I presume, of 
sophistication in terms of potential adversaries where they 
will take advantage of cutting-edge technologies that are 
available in the marketplace. This is the bottom line in terms 
of the concerns that I have and, at the same time, 
disadvantaging our, commercial interests as far as competing in 
the global economy.
    Ms. McNamara. As Mr. Reinsch said, if I may, as Mr. Reinsch 
said and I said in my testimony, we do not want to impede the 
creativity of U.S. industry. That is not our goal. We want to 
see U.S. industry succeed and we want to see them succeed 
overseas. What this bill does, though, is eliminate all control 
mechanisms on exports.
    Now when we say that, what we want to see is a regulatory 
process where, outside of those sectors who have broad relief 
and therefore have--they can sell their products anywhere in 
certain sectors and for electronic commerce for certain 
purposes, we want to see a review process and we want to see 
who the end-user and the end-use is going to be so we can 
understand the product.
    Mr. Delahunt. I don't disagree with what you are saying in 
the stated goal. But, at the same time, I think what we have to 
remember--you refer to Wassenaar and it is discretionary and I 
don't think we ever level off that playing field until we have 
an enforceable multilateral export control regime. I just don't 
see--that all nations will respect and that do not disadvantage 
commercial interests and we are not going to do this with an 
agreement, that is related to the Wassenaar compact.
    Mr. Reinsch. I think--if I could comment, Mr. Delahunt--
what intrigues me about this line of argument--and it was 
similar to the one that Mr. Menendez was putting forward--is 
the interesting question is what do we do in the interim before 
we reach that point. We may never reach that point, but let us 
assume that we are striving for an effective multilateral 
arrangement, which would deal with this.
    Mr. Delahunt. Right.
    Mr. Reinsch. I think that is a fair statement. What do we 
do between now and then? It seems to me that the suggestion you 
are making is almost that because we cannot succeed completely, 
we should give up. I think we are not prepared to give up 
simply because we are not going to be perfect.
    Mr. Delahunt. Again, I think you have got to deal with the 
realities on the ground. Mr. Lee and Chief, you say there are 
incidents that have occurred in terms of encryption. Can you 
quantify them? Give us some hard data in terms of--Chief.
    Mr. Voegtlin. Actually, like, Mr. Menendez, I am not a 
rocket scientist nor am I police chief. I just represent the 
police chiefs. As a matter of fact, in preparing for this 
testimony today, I was on the phone with State police directors 
in some of the largest States in the country asking them to 
quantify the number of incidents. It kind of goes to the point 
that you are making. What they told me is that right now, since 
this is in a growing area, most of the evidence that they could 
give me is anecdotal, but I think it speaks to the larger issue 
of what you are talking about, that it is already out, that the 
cow has left the barn or the horse has left the barn on this 
issue.
    But--and this is going back to me not being a rocket 
scientist--from what we understand here, there are questions 
about reliability, as Chairman Gilman mentioned, with foreign-
made products, that there is not a whole lot of robust 
nonrecoverable encryption out there right now that is being 
used.
    Mr. Delahunt. Let me just regain my time and I know my time 
is expiring and I just would ask for a minute's worth of 
followup here. The reality is, I compared it during the hearing 
in the Judiciary Committee to an imaginary line. You simply buy 
it here. You don't even have to get on the plane and go across, 
the ocean. Just download it and it is available instantaneously 
all over the world. The criminal element that most chiefs of 
police deal with on a regular basis--I served in the law 
enforcement community for 21 years and when they start using 
encryption, that comes as a surprise to me.
    Mr. Voegtlin. That is----
    Mr. Delahunt. These violent criminals--and I think that is 
the concern that most Americans have in terms of traditional 
street crimes which local chiefs of police and State police and 
local prosecutors deal with--God forbid they start using 
encryption because we are in real trouble.
    Mr. Voegtlin. Congressman, and if I can----
    Mr. Delahunt. I am talking about the, you know----
    Mr. Voegtlin. I know who you----
    Mr. Delahunt. Most of us aren't rocket scientists.
    Mr. Voegtlin. Right.
    Mr. Delahunt. Most of us have difficulty logging on.
    Mr. Voegtlin. That is exactly the point that we are trying 
to make in that when encryption, highly robust encryption, 
becomes widespread, when the United States--which is a market 
leader in this area and would be with this legislation--takes 
the lead in the manufacture and distribution of this robust, 
unbreakable encryption, it will become easier for those street-
level thugs to use encryption. The problem will become more 
widespread and----
    Mr. Delahunt. With all due----
    Mr. Voegtlin [continuing]. Let me just finish.
    Mr. Delahunt. OK.
    Mr. Voegtlin. In the opinion of the International 
Association of Chiefs of Police, what you are facing is a 
choice: whether or not you want to take this kind of software, 
make it available widespread to increase its use, to allow 
people on a low-level of crime--I know we are always going to 
be dealing with folks who are drug lords who have unlimited 
resources--but when you start putting it on the street level, 
it becomes more widespread and that is our concern.
    Mr. Delahunt. With all due respect to your position, I 
wasn't a chief-of-police, I was a chief prosecutor in a major 
jurisdiction. I daresay, that, availability to the street-level 
criminal simply is an argument that is disingenuous, with all 
due respect. I can't accept that argument. I know better. I 
know better. I yield back and thank the Chair.
    Ms. Ros-Lehtinen. Thank you so much, Mr. Delahunt. Mr. 
Goodlatte, if we could recognize Mr. Gilman for one question 
before we turn to Mr. Goodlatte.
    Mr. Gilman. Just one question in response to what the 
testimony has been. The gentleman made the point that there are 
always people willing to do illicit acts and use means to 
conceal them, but is that a reason to throw in the towel and 
see encryption devices on every street corner in the hands of 
every petty drug dealer? Isn't the issue here proliferation of 
unaccessible encryption?
    Mr. Voegtlin. Absolutely. That is exactly what we are 
talking about--is when this becomes proliferated. When this is 
widespread, the problems will multiply and State and local law 
enforcement, which is only dealing with it on an anecdotal 
level at the moment, will deal with it over and over again. The 
resources of the State and local law enforcement agencies are 
obviously less than the Federal Government. If they are already 
dealing with it, imagine what it will be in 10 years when even 
local dealers dealing with distribution networks on the street 
level are able to communicate in absolute security that law 
enforcement has no idea what they are talking about.
    Mr. Gilman. Mr. Lee, would you care to comment on that 
issue?
    Mr. Lee. I would only add, Mr. Chairman, that I think you 
have really pinpointed the issue and the public policy dilemma 
for all of us. One of the things that I mentioned in my opening 
statement is that we have been having very productive 
discussions at a number of levels with law enforcement, arising 
from the CEO interaction and, in large part, it is to look at 
where industry sees the marketplace going and how we can better 
understand their needs, how they can better understand public 
safety needs, and what the possibilities are for a convergence 
of those interests. That has been a very productive dialogue 
and I think it is one way that we are, with industry, 
addressing the question: How are we going to shape the way the 
market looks? How are we going to stand up together and make 
sure that all of the interests that Mr. Reinsch has mentioned 
here as having to be balanced, make sure they are all balanced? 
That is the challenge for all of us.
    Mr. Gilman. Thank you.
    Ms. Ros-Lehtinen. Thank you, Mr. Gilman. Mr. Goodlatte.
    Mr. Goodlatte. Thank you, Madam chairman. First, I would 
like to note that, as someone who was born and grew up in the 
Commonwealth of Massachusetts, I am glad to find that I have 
something in common with Ms. McNamara. I am sorry we don't 
agree on this legislation, but we do agree on something that 
Congressman Menendez said earlier, and I think it is absolutely 
correct--and that is we are all concerned about national 
security and law enforcement issues.
    The issue here is not whether or even when strong 
encryption is going to be available. It is available now and it 
is going to be widespread very soon. The issue is how we are 
going to deal with it and whether we are, as a nation, going to 
cede this market to dozens of foreign countries and literally 
hundreds of foreign companies who are already starting up and 
producing this product. There are 650 strong encryption 
products available in the United States from foreign sources 
that could not be exported if a U.S. company made the same 
product and attempted to sell it overseas. That is a serious 
problem and one that our competitors overseas are well-aware 
of.
    The problem with the Wassenaar agreement is that it is 
Swiss cheese. It is something that is loaded with loopholes. 
The gentleman from Nebraska is exactly right. It can be applied 
differentially in different countries. It is being done. The 
aspect of this related to recoverable encryption is one that is 
being rejected. Madam chairman, if I may, I would make a part 
of the record an article from the National Journal of 
Technology Daily pointing out that the French who were 
previously cited in previous hearings as one of our strongest 
allies in this effort to control encryption have abandoned key 
recovery.
    Ms. Ros-Lehtinen. Without objection.
    Mr. Goodlatte. Then the following day an article, also in 
Tech Daily, pointing out that the British government has 
abandoned key escrow or key recovery, leaving us with a 
situation where, as more and more countries do this--and I 
don't know of any that has attempted to implement a key 
recovery scheme--we are going to be put in a position where we 
are holding back the ability to make strong encryption 
available to people who want to use it, except if they want to 
download it from the Internet, buy it from foreign sources and 
the only folks who are going to be impacted negatively by this 
are the U.S. companies who aren't going to break the law. They 
are not going to violate our export control laws, but dozens of 
great companies from IBM to Microsoft to Sun Microsystems to 
the list goes on and on and on, they are going to be competing 
with one hand tied behind their back. So the effect is going to 
be they either send the business offshore or they cede this 
business to foreign competition.
    Now, with regard to recoverable encryption, the gentleman 
from the Commerce Department has indicated that you are not 
calling for a key recovery system, but the gentleman from the 
Justice Department keeps referring to recoverable encryption. 
During the hearing in the Judiciary Committee, I asked him what 
he meant by recoverable encryption if it wasn't key recovery 
and he said that there are many technologies that aren't 
strictly speaking key recovery that do promote the interests of 
law enforcement as well as other government interests.
    If you are not referring to key recovery, Mr. Lee, what are 
you referring to? You have still, in spite of having agreed to 
respond to that, not responded to that in any substantive way 
to give us other ideas of what you mean, if it is not key 
recovery. It might be the Clipper Chip, which is a notorious 
proposal of the Justice Department of a few years back where 
the chip was embedded into the computer itself and was 
thoroughly rejected by everybody involved in the process. But 
what are you referring to?
    Mr. Lee. It is not the Clipper Chip. I was referring to a 
variety of technologies which are going to depend on the 
application, on the market sector, on the end-user, on the 
business need. What each of those technologies have in common 
is that they provide some capability to provide plain text upon 
presentation of a lawfully authorized court warrant.
    Some of the examples that we have given--I obviously don't 
want to get into proprietary information or favoring particular 
companies, but--for example, the consortium of private doorbell 
companies that came to us and proposed a method, which 
Secretary Reinsch can elaborate on, which would allow the 
export of strong encryption while also meeting law enforcement 
needs. There are many others. They are detailed on various web 
sites. I don't have an exhaustive catalog of them here, Mr. 
Goodlatte, but there are a variety of different products.
    Again, no one of them is--there is no such thing as a key 
recovery system. That is a term that we were using to refer, 
perhaps unartfully, to the concept that a product which is 
designed and marketed to meet a business need also supports the 
needs of law enforcement. That is all we are after. We are not 
wedded to any particular technology or product or application.
    Mr. Goodlatte. But you would mandate that every company 
that wants to manufacture and export a product in the United 
States for sale overseas have that type of device attached to 
it in spite of the fact that we are confronted with a flood of 
foreign competition that would not have that mandated to it 
and, in fact, would be advertising that they have a product 
that is secure that U.S. companies cannot offer. In fact they 
are advertising that fact right now.
    Mr. Lee. Sir, we would not mandate that. As Secretary 
Reinsch and the other panel members have testified, in pursuant 
to the encryption export updates last September, there were a 
number of encryption products for a number of very important 
sectors, very significant parts of the world economy where 
encryption does not have to provide those kinds of 
capabilities. Also----
    Mr. Goodlatte. So you would not object to the provisions in 
this bill which prohibits the government from mandating key 
recovery or key escrow?
    Mr. Lee. That wasn't my testimony, sir.
    Mr. Goodlatte. Please clarify then.
    Mr. Lee. We have testified, both in our written statements 
and in our verbal testimony, that we are concerned that 
provisions in H.R. 850 would inhibit the government from 
encouraging the use of key recovery, key escrow, other types of 
plain text availability systems, both for its internal use and 
for people seeking to do business with the government. You also 
have Secretary Reinsch's testimony on that point.
    Mr. Goodlatte. What do you mean by the word ``encourage?''
    Mr. Lee. The government has a number of statutory 
obligations to make information available to its citizens: 
document retention programs, government public-right-to-know 
information, all the information that the government has is 
held in trust. If that information is encrypted, we have a 
responsibility, which is set out in statute, to make sure that, 
at the appropriate time, that information will be made 
available to the public. So that is the kind of obligation 
where some kind of plain text recovery system is going to be 
necessary to meet that obligation. Again, contractors, others 
who are collecting information for that purpose would----
    Mr. Goodlatte. There is nothing in the legislation which 
prohibits the government from having its own key recovery 
system for its own record keeping purposes. But we do prohibit 
the government from mandating that anybody who does business 
with the government, which is virtually every business and 
every citizen in the United States, from using a system that 
requires a key recovery system to be attached to it. If they 
prefer for their own security and their own privacy to not have 
a key recovery system, as many people do, we do not allow the 
government to mandate that. But we do not prohibit the 
government from having its own key recovery system for its own 
purposes. Nor do we prohibit any private business from doing 
that for those who choose to do it. It is not the business of 
the government to mandate to people whether they should have 
key recovery or not have key recovery.
    The problem with it is if you mandate it and other creators 
of products in other countries do not. They have a tremendous 
market dominating advantage in selling a whole array of 
hardware and software products that are going to be using 
strong encryption when they can say that they can guarantee you 
that no one, the U.S. Government or anyone else has a key to 
that system.
    Mr. Lee. The government does a number of its business 
through contractors and one of the concerns we have is that 
this would prevent the government from doing its business in 
the way that the government deemed most appropriate when the 
contract is----
    Mr. Goodlatte. So you would insidiously put key recovery 
into the entire country by saying that if you want to do 
business with the U.S. Government, you have got to have key 
recovery. That is what you mean by encourage. When you say you 
really don't want to mandate key recovery, but you want to 
encourage it by saying if you want to do business with the 
government online--which everybody will be doing in the near 
future--you are going to require that they have a system that, 
if they do business with the government, has a key recovery 
feature. Is that what you are saying?
    Mr. Lee. I guess, a couple of points in response, if I may. 
It wasn't my testimony that the government is going to be 
seeking to do those things. I have testified what the 
government's position is, as have the other panelists. The 
government's policy, the Administration's policy, is that there 
are not restrictions on the use of encryption. What I did 
testify, Mr. Goodlatte, was that, to fulfill its statutory 
obligations in the way that it deems best, the government may 
decide, if it is necessary, to have some form of key recovery.
    Mr. Goodlatte. Require contractors doing business with the 
government to use key recovery as well?
    Mr. Lee. In order to fulfill statutory obligations such as 
record keeping, that may be a possibility. I wouldn't----
    Mr. Goodlatte. When you say contractors, would that be 
other people doing business with the government like taxpayers 
filing tax returns?
    Mr. Lee. I was dealing with the situation of contractors. 
Again----
    Mr. Goodlatte. Where would you draw the line? I just want 
to make it clear why this bill draws the line at saying we are 
not going to be mandate because of the fact that this is an 
all-encompassing thing. Once you start down that road of 
saying, if you want to do business with the government, you 
have got to use key recovery, you can, very shortly, require 
that virtually every system of communications that we have in 
the country have key recovery, not by mandating it, but by, to 
use your phrase, encouraging it because if you want to 
communicate with the government in this fashion, you have got 
to do that.
    Mr. Lee. I think with the possible exception of Washington, 
D.C., we may have a difference of opinion of the impact of the 
U.S. Government on the overall economy.
    Mr. Goodlatte. I don't know many law-abiding citizens who 
don't file tax returns or don't have to communicate with the 
government on a whole host of other issues that are vitally 
important to them from social security and Medicare to census 
taking to--the list goes on and on and on.
    Mr. Lee. I also respectfully disagree that the government 
is trying to do something insidious here. What we are trying to 
do is to make sure that we fulfill our statutory obligations.
    Mr. Goodlatte. I don't--certainly there is no statutory 
obligation to impose key recovery because, at this point in 
time--and I hope forever in the future--we do not have any kind 
of domestic limitations on the use of strong encryption or the 
requirement that you use a key recovery system to protect your 
privacy, to protect your property, which is what strong 
encryption is designed to do. Thank you, Madam chairman.
    Ms. Ros-Lehtinen. Thank you so much. Mr. Sherman.
    Mr. Gilman. Madam chairman, before I go----
    Ms. Ros-Lehtinen. Yes, Mr. Gilman.
    Mr. Gilman. Can I just make a unanimous consent----
    Ms. Ros-Lehtinen. Absolutely.
    Mr. Gilman [continuing]. The May 11th letter from the 
president of B'nai Brith, Richard Heideman, on encryption 
issues be made part of the record.
    Ms. Ros-Lehtinen. Without objection.
    Mr. Gilman. Thank you, Madam.
    Ms. Ros-Lehtinen. Thank you.
    Mr. Sherman. Madam chairman, I would like to pick up on the 
questions being asked by the honorable gentleman from Virginia. 
Mr. Lee, maybe you could just put our minds to rest. Will this 
Administration ever say that, in order for a bank to have any 
deposits of the U.S. Government, that it must divulge the key 
recovery information as a condition for having U.S. Government 
deposits? Are you keeping open that hammer that you would use 
to deprive Americans of their privacy?
    Mr. Lee. I have testified, as have my fellow panelists, 
that it is the Administration's policy not to seek mandatory 
regulation of key recovery.
    Mr. Sherman. I am not talking mandatory. I am saying, as 
you may know, the U.S. Government sends out an awful lot of 
social security checks. Those are being sent out by wire to 
banks across this country. Will the Administration ever tell 
banks that they must divulge the key information in order to be 
eligible to receive such wired social security deposits?
    Mr. Lee. I think the wise thing for me to do would be to 
defer that question to Secretary Reinsch.
    Mr. Sherman. You've shown tremendous wisdom.
    Ms. Ros-Lehtinen. He's a country lawyer.
    Mr. Sherman. Now let us see whether the Secretary will show 
wisdom. Can you put our minds to rest or are you going to----
    Mr. Reinsch. All I can say, Mr. Sherman, is that I have 
been involved in, as far as I know, most of the discussions 
that have gone on this issue for the last 3 years and nobody 
has even thought about that. Nobody has even----
    Mr. Sherman. Nobody has thought of it. Can you tell us 
how----
    Mr. Reinsch. Nobody has thought of that. Nobody has 
suggested it.
    Mr. Sherman [continuing]. That gentleman from Virginia has 
thought of it. Can you put our minds to rest or could we face 
that mechanism of trying to force the divulging of key----
    Mr. Reinsch. I can only tell you what I have said because I 
am not in the bank regulatory business. If you want to know 
what is contemplated with respect to bank regulation, you will 
have to have ask the bank regulators. I haven't talked to them 
about this. As far as I know it has never occurred to them and 
it is not on their agenda, but I certainly wouldn't presume to 
speak for them.
    Mr. Sherman. But you are representing the Administration 
here in terms of a desire to have access to a key that would 
allow you to decode encrypted information. In that capacity, 
will you be pressing to use all of the levers of the 
Administration to try to compel domestic organizations doing 
domestic business with American citizens, will you try to 
penalize them or take away their right to do business with, for 
example, social security recipients because they do not divulge 
the key?
    Mr. Reinsch. As far as I know, we have no intention of 
doing that. But let me stress, at the same time, what Mr. Lee 
said. The issue here isn't keys, from a law enforcement point 
of view, the issue here is data and access to data. Key 
recovery and the existence of the key is one means of achieving 
the objective. The Department of Justice and other law 
enforcement entities have, as far as I know--and have said this 
many times and I think Mr. Lee said it today--have no interest 
in trying to expand their capacity to obtain private 
information beyond what existing laws and existing courts 
permit them to do.
    What we are trying to deal with here is simply a means of 
how do you apply existing court rulings and legislation with 
respect to law enforcement access to private information to a 
new technology? We are not trying to expand the right of 
access. I think the best way to look at this debate is to focus 
on the information and----
    Mr. Sherman. Excuse me, I have a limited amount of time. 
You have gone well beyond the question I asked.
    There is, I think, no prospect of getting Congress to give 
the Administration or any Administration domestically what you 
are seeking internationally. Do you disagree or will you be 
proposing legislation that would prevent someone from buying 
encryption, strong encryption, at their local software store?
    Mr. Reinsch. We have testified to that many times and it is 
in my statement. We have no intention of doing that.
    Mr. Sherman. So what we have is a situation where you can't 
go after what you would like domestically, so you want to 
punish the U.S. software industry by putting it at a 
disadvantage vis-a-vis its foreign competitors. Not 
surprisingly, our foreign competitors and their governments 
have welcomed this effort and have engaged in a little dance at 
Wassenaar where they pretend to be interested in preventing 
their companies from marketing strong encryption worldwide and 
we fall for it and are now in a process of giving away what may 
be the world's most important industry to our foreign 
competitors. Then you come to us and you show us how beautiful 
our economic competitors' dance at Wassenaar and give us that 
as a reason why we should bludgeon our own industry and make it 
more difficult for them to compete worldwide.
    I know there is a question in there somewhere.
    Mr. Reinsch. Was there a question in there, Mr. Sherman?
    Mr. Sherman. There will be a question, I assure you, Mr. 
Secretary.
    Mr. Reinsch. All right.
    Mr. Sherman. That question is: For Mr. Voegtlin--Gene, I am 
mispronouncing your name.
    Mr. Voegtlin. Voegtlin.
    Mr. Sherman. Voegtlin. That is: You talk about how you 
don't want street thugs communicating with each other, using 
encryption you cannot decode. Is there any prospect of 
preventing that when, in fact, your colleagues here 
representing the Administration won't even propose legislation 
that would prevent any American, criminal or otherwise, from 
getting all kinds of encryption from their local software 
store?
    Mr. Voegtlin. As you say, they represent the 
Administration. I do not.
    Mr. Sherman. Will you be proposing the legislation that 
they are unwilling to propose?
    Mr. Voegtlin. If I could, I don't know if we would. But I 
will say this and I would like to get this as clear as I can. 
The folks that I represent view this as an issue of great 
importance and, to them, a simple choice. You have a choice--
they understand the need for encryption. They agree that it has 
legitimate uses. But they are more concerned about trying to--
and trying to do their jobs and how encryption prevents them 
from doing it.
    If they had the answer to this issue, I wouldn't be up 
here. Actually, I would be a very rich man. I am not, so they 
don't. But what I think you are all confronting here is a basic 
choice. You need to find some kind of balance between strong 
recoverable encryption that can fulfill the vast majority of 
legitimate uses and strong unbreakable encryption that could be 
put to insidious, dangerous, frightening uses.
    I know that is an answer that doesn't answer. But, again, I 
don't have the answer for you. All I can try to tell you is 
that we are facing----
    Mr. Sherman. I agree with you completely. I agree with you 
completely. I don't have the answer. You don't have the answer. 
There are elements of the Administration so angry that there 
isn't an answer that they would just like to bludgeon the hell 
out of the U.S. software industry. They are, of course, 
encouraged by our foreign competitors. But it is certainly not 
an answer to say that we are going to allow something to be 
purchased at every software store in America, but we are going 
to prevent legitimate people from exporting that same software.
    Because I will ask you, speaking on behalf of the police 
chiefs, do you know of any mechanism that the police chiefs can 
use to prevent anything that is purchasable at every software 
store in America from being exported, either physically or over 
the line to criminal figures in other countries? Do you have 
any prospect at all of preventing that?
    Mr. Voegtlin. I have no information myself. I would be glad 
to check with our Committees that deal with terrorism, 
international crime, and organized crime and see if any of 
those experts have an answer.
    Mr. Reinsch. Actually, Mr. Sherman, if I could comment. 
That is my job. The other half of what BXA does is enforce the 
Export Administration Act and that is what we try to do. The 
answer to your question is, in the circumstances you have 
described, it is extraordinarily difficult. There is no 
question about that.
    Mr. Sherman. Is extraordinarily difficult, is that 
Washington talk for completely impossible?
    Mr. Reinsch. It is not.
    I try to avoid Washington talk.
    Mr. Sherman. Again, if I were to walk into Egghead, buy 
something, and send it over the Internet to somebody in Canada, 
wouldn't you think that would be like completely impossible for 
you to stop me?
    Mr. Reinsch. What we have said about this many times and 
what Ms. McNamara said earlier is, if somebody wants to defeat 
the system, they can do that. There is no question about that. 
We have never denied that. I would not go so far as to say it 
is clearly impossible. We have a number of investigations going 
on. We do catch people. Never underestimate the stupidity of 
some of the people we have to deal with.
    I didn't say that.
    Mr. Sherman. It is a shame that you do have to deal with 
Congress.
    Again, I think that you are----
    Ms. Ros-Lehtinen. He is not going to name names.
    Mr. Sherman. I think my time has expired.
    Ms. Ros-Lehtinen. Thank you, Mr. Sherman.
    Mr. Burr. Let us move on.
    Mr. Burr. Mr. Secretary, your comments are shared.
    Mr. Reinsch. We may be talking about different people, 
though, Mr. Burr.
    Mr. Burr. I feel confident we are. Mr. Secretary, I would 
like to read some statements to you and ask you some questions 
relevant to those statements. The first is, and I quote, ``As 
the line between military and civilian technology becomes 
increasingly blurred, what remains clear is that a second-class 
commercial satellite industry means a second-class military 
satellite industry as well. The same companies make both 
products and they depend on export for their health and for the 
revenues that allow them to develop the next generation of 
products.'' If we replaced the word satellite with the word 
encryption, do you think that statement would still stand?
    Mr. Reinsch. First of all, Mr. Burr, I am delighted to see 
that Members of Congress are reading my speeches. It warms my 
heart. I encourage you share that with some of your colleagues. 
I would love to have them look at it.
    I think, as a general statement, yes. I think that 
statement would stand. I think there are a lot of similarities. 
I was thinking when you made your opening comments, which I 
felt were quite thoughtful on this subject, that it would be 
appropriate to apply the comments you made to some other 
situations as well. That does not mean, however, in either of 
those cases, this one or the other one, that the answer is no 
controls. I think it means that the answer is balance and a 
realistic view about what is controllable and what is not and 
what the national security implications of both are.
    Mr. Burr. I hope, from my opening statement and from my 
line of questions, you will understand that I think the 
difficulty that we have or the disconnect with all of our 
witnesses and many of the Members here and I think what we 
struggle to understand is we see this reality of the access 
that the domestic market has today, our inability to limit in 
any way encryption products, yet some belief on the part of the 
Administration and others that there is a way to do it. If 
there is, then share that with us. If there isn't, then, as Mr. 
Sherman said, let us find the best balance to allow our United 
States companies to compete in this global marketplace.
    Let me go on one more statement. ``Some of these satellites 
bring telephone, television, and Internet services to the 
Chinese people. I believe such services are an integral part of 
any effort to bring democracy and freedom to China.'' Could the 
same be said of strong encryption products, which might provide 
those movements for democracy in China to stay behind the 
prying eyes of the Chinese government?
    Mr. Reinsch. Mr. Burr, that is--I would say two things 
about that. I think that is certainly true. I think, at the 
same time, some of your colleagues, particularly those on the 
Armed Services Committee, would make exactly the other point 
here and that is do we want to sell strong encryption to the 
People's Liberation Army so it could be further used to protect 
their own communications from our intelligence and to further 
oppress the Chinese people?
    Mr. Burr. Do we currently allow encryption products to be 
placed on the satellites that we export?
    Mr. Reinsch. The satellites that are launched have 
encryption which might best be described as--and it is an 
outdated encryption--it is encryption that allows us to encrypt 
the signals that control the movement of the satellite.
    Mr. Burr. Does it limit one's access to the information off 
of the satellite?
    Mr. Reinsch. I will defer to our satellite export.
    Mr. Burr. It is not a proprietary question.
    Ms. McNamara. The encryption that has been used on U.S. 
satellites that have been sold overseas, when there is 
encryption used, it is, as Secretary Reinsch describes, for 
telemetering the satellite itself and, for the most part, in 
fact, I believe in all cases with regard to China, always 
remain in the hands of U.S. persons. It does not have anything 
to do with the actual transmission of information over that 
satellite. It is for the control purposes of the satellite and 
when the U.S. persons were there at launch, the U.S. encryption 
that was used was, in fact, retained in the hands of the U.S. 
parties on the ground.
    Mr. Burr. But there is no encryption product in the 
satellite which protects the security of the data that is 
transmitted from the satellite?
    Ms. McNamara. In fact, these are dumb satellites. It is 
what--it is the medium over which people communicate. If the 
communications or the originator of the communications uses 
encryption, then the information being passed over that 
satellite is encrypted. But it is encrypted from the ground, 
not because it transmits over the satellite.
    Mr. Reinsch. If I could comment, Mr. Burr, though, Mr. 
Goodlatte's bill, You have touched on a very central dilemma. 
Mr. Goodlatte's bill would, in effect, permit the sale of 
strong encryption both to Chinese individuals who want to 
encrypt their communications in order to, do things that their 
government would probably rather have them not do and it would 
also permit the sale of that same encryption to other forces in 
the Chinese government who don't want that to happen.
    Mr. Burr. I think the part that possibly Mr. Goodlatte is 
frustrated over is the willingness for the Administration to 
understand the frustration that currently exists when that 
product is available here in this country, can be transmitted 
sold, carried out of the country to be used by people that we 
restrict U.S. companies from marketing like product to. I 
think, to some degree, we are like the ostrich with the common 
practice of the head in the hole. When we have our head in that 
hole, we believe nothing goes on while we are there. The fact 
is, in reality it is, isn't it?
    Mr. Reinsch. If it will make Mr. Goodlatte feel any 
better--and I think he knows this--I am at least as frustrated 
as he is, perhaps for different reasons. But we are working 
very hard to try to prevent the situation that you have 
described from occurring. I have testified in other 
circumstances, I think, in the past before this Committee, that 
I, for one, would say if we were to reach the point at which 
you, in terms of commercial consequences, that you are 
anticipating, I would hope that the Administration would be 
wise enough to see that and adjust its policy.
    I think the disagreement we might have is whether or not 
that point has arrived now and, if not, how quickly it will 
arrive. I think what Ms. McNamara suggested is that, for a 
number of reasons, we find that point somewhat more distant 
than the Members of this Committee probably do.
    Mr. Burr. I hope you understand that my questions are more 
broad than specifically to the encryption issue. If my 
understanding is correct, this time next year, with the Merced 
chip in computers, the off-the-shelf leader model with exceed 
the M-top standards that we currently have requiring export 
licenses. Is that accurate?
    Mr. Reinsch. Oh, no question. In fact, I can tell you, I 
think my latest sound bite on that is if we don't change what 
we are doing by the end of the year, we are going to be 
controlling Sony Play Stations. It is moving that fast. This is 
also something the Administration is working quite hard on and 
we expect to be able to consult with you all and share 
something with you shortly. But I think it is going to come as 
no surprise to you that there will be a substantial number of 
Members in your body who will oppose any changes, 
notwithstanding the point that you have made.
    Mr. Burr. I would agree with your statement that there will 
be quite a few people who oppose it.
    Mr. Reinsch. I am delighted to hear the consistency of your 
point of view. Not all of your colleagues are consistent on 
these two sectors.
    Mr. Burr. My hope is that that consistency is something 
that becomes contagious with the Administration.
    Mr. Reinsch. We strive for it every day.
    Mr. Burr [continuing]. As it relates to the need for these 
technology companies to, one, compete; two, compete on a level 
playing field for the effort to grow to the next generation. 
With that, I will yield back.
    Ms. Ros-Lehtinen. Thank you. Mr. Rohrabacher.
    Mr. Rohrabacher. Yes. Speaking of consistency--and I will 
just put it right out front--I find it a bit appalling that 
representatives of this Administration would be here so 
adamantly arguing for something they claim to be, based in 
national security, like this encryption debate, while, at the 
same time, labeling Communist China, which is, at the very 
least, a potential hostile power--if most of us believe that it 
is a hostile power--by continuing to insist that we call 
Communist China a strategic partner of the United States. So I 
don't want to hear much about consistency in this debate on the 
national security concerns of our country because the overall 
policy toward China is doing far more damage to our national 
security than any of this type of regulation that we are 
talking about today. In fact, if there isn't a change in the 
basic, fundamental approach to China, all of your talk about 
national security is irrelevant.
    What I see here is a lot of activity and a lot of effort 
being put into this effort to--let us, I will just put it right 
out--you are trying to strengthen government's control, not of 
other people who are hostile to the United States, but trying 
to strengthen government's control of ordinary Americans and 
American enterprise. I don't want to--you hear this all of the 
drug dealers are going to do this and the bad guys are going to 
do this, but what do we end up with? Those guys are going to 
end up with encryption anyway. This is the message I am hearing 
all around me is these guys are going to end up--and I realize 
that this is taking to it to absurdism, you might say, but the 
fact is that when encryption is outlawed, only outlaws will 
have encryption. Sorry to put it that way, but after listening 
to the arguments today, I have just come to the conclusion that 
the only impact you are going to have is on honest people and 
on enterprisers and not on people who are hostile to the United 
States.
    You are going to have the doctors in this country. You will 
have their electronic files open and available. You are going 
to have the lawyers, the bankers. I am a former journalist--
trying to tell me that you are going to say you are not making 
it mandatory, but you are going to say it is going to be 
conditional, these restrictions are going to be conditional on 
whether or not people are dealing with the government? 
Journalists have to get up on their computer and dial in to get 
their automatic press releases now. The press releases aren't 
handed out on paper. They come over the electronic processes. 
So in order to get those, the journalists, in order to get 
information from the government, they have got to say that they 
understand that their computers are going to be open to 
government snooping? All in the name of getting the bad guys?
    Let me just note: The government for the last 20 years has 
had all of this control and the ability to go in and snoop as 
you wanted to snoop and the drug war is a joke. You go down 
into any city in the United States of America and any kid can 
get drugs. This is telling us that we have got to open up the 
possibility in the years ahead in the new millennium to have 
this type of power in the hands of the government in order to 
fight the drug war? It is a joke. You have been unsuccessful 
with all that power already. Again, the only people you are 
really going to affect are honest citizens like the doctors and 
the lawyers, the journalists and the rest.
    Let me just note this. In the years ahead, the computer 
systems that we have are going to serve as the basis of 
American prosperity. Like it or not, that is the world that we 
are heading into. The Internet system will be used for 
enterprise and purchases that are the foundation--look at our 
stock market today. Where is the growth? Where is the faith in 
the investors? It is in these Internet stocks. What you are 
talking about is a threat to that foundation in order to make 
sure the government has the power to snoop. Yes, we need 
certain powers in the hands of the government to tackle the bad 
guys. But, as I say, I don't see this as any type of threat to 
the bad guys because the bad guys will be the ones to get it 
and the good guys will be the ones who follow the law.
    Here is my question. That is my statement. Here is my 
question? I want to ask Mr. Lee this. Now your title, Mr. Lee, 
is what?
    Mr. Lee. I am an associate deputy attorney general at the 
Department of Justice.
    Mr. Rohrabacher. For?
    Mr. Lee. The titles don't actually say for X or Y, but I 
work in part on national security and international matters.
    Mr. Rohrabacher. Was it you or your office that denied the 
effort to get a wiretap on the suspect in the Los Alamos theft?
    Mr. Lee. As other officials of the Department of Justice 
have testified, there is a process set up where the counsel for 
the Office of Intelligence, Policy, and Review reviews requests 
from the FBI for that kind of search warrant.
    Mr. Rohrabacher. Yes. So was it you or your office that 
denied that request for a search warrant for a wiretap? I 
understand that Mr. Lee who was the suspect in the case was the 
only wiretap that was denied. Is that from your office?
    Mr. Lee. Again--sir, I was not involved in that decision.
    Mr. Rohrabacher. Was that your office?
    Mr. Lee. There has been public testimony which, again, I 
don't have the transcript in front of me, so I want to be 
careful not to be inaccurate in any respect, but there has been 
public testimony that the Attorney General asked a member of 
the deputy attorney general's office to review that matter. 
That was not me. I don't have any further firsthand 
information.
    Mr. Rohrabacher. That wasn't my question. Was it your 
office? You are the head of an office. Was it your office that 
denied that request?
    Mr. Lee. Again, the public testimony is that the prior 
incumbent of my office had a role in evaluating that request. I 
do not have firsthand information and so I don't think it would 
be appropriate for me to try to characterize it any further.
    Mr. Rohrabacher. I will take that as a yes. Let me suggest, 
as I did in my opening statement, when you have a wrong headed 
Administration that has wrong headed policies toward people who 
are hostile to the United States of America, no matter what we 
do on this encryption, no matter what powers that we grant to 
the government, we are not going to be safe. I feel, in fact, 
very hesitant to grant the type of enormous powers, as we come 
into this new age of electronics and computers, to grant this 
enormous power to the Federal Government, especially one that 
is represented by an Administration that is totally going the 
wrong way on national security issues.
    With that, I yield back my time.
    Ms. Ros-Lehtinen. Thank you. Mr. Cooksey.
    Mr. Cooksey. Thank you, Madam chairman. Earlier today, I 
believe there was a question about the effect of H.R. 850 on 
local law enforcement. It was mentioned that there was concern 
about this effect.
    I have a letter here from the Louisiana Sheriffs' 
Association specifically endorsing H.R. 850 and rejecting the 
escrowing of the encryption keys. I will ask this question of 
any one of you that is willing to answer it. Can anyone explain 
to me why the sheriffs in my area are not concerned about the 
effect of this bill? I will take a response from any one of you 
or all of you.
    Mr. Voegtlin. I can't speak to the rationale of the 
Louisiana Sheriffs' Association. Perhaps if you talk to folks 
at the National Sheriffs' Association, they would be able to 
fill you in. I can't speak to their concerns. I know, on behalf 
of my membership, the 17,000 members that make up the IACP, 
that they have expressed, both through numerous Committee 
hearings and numerous membership resolutions that have been 
passed, that they are very concerned about this issue and its 
impact on their ability to perform at the State and local 
level. I can't answer for the sheriffs.
    Mr. Cooksey. Would anyone else like to try? In their 
resolution--and I will read a couple of them--they said the 
legislation proposed by the FBI would require all users of an 
encryption to deposit a key with a key escrow agent that would 
be available to FBI access. The FBI access would create and 
maintain a dangerous and unnecessary vulnerability to 
Louisiana's information computer infrastructure while failing 
to offer any increased level of protection these systems 
require. While the FBI's efforts toward recovering information 
about criminal cases through high security encryption are well-
intentioned, the key escrow plan poses too many severe threats 
to public safety, confidentiality, and legitimate computer 
users that far outweigh the isolated benefits it may provide.
    There is another resolution. Does anyone want to answer it 
now?
    Mr. Lee. Sir, it is hard to answer without having read the 
letter which I have not had the benefit of doing. Again, the 
Administration is not proposing some massive central data base 
where everyone's keys would be kept. We have been quite clear 
and consistent that, really, a variety of private agents who 
would be serving people's whole range of security services for 
business needs is what is envisioned and that is what we want 
to work with industry on developing. One of the needs that we 
think this set of services will have to address is the needs 
that businesses have for the recovery of their information and 
plain text.
    Mr. Cooksey. Do you think each one of those could be 
subject to hackers, to being broken into? Is that possible?
    Mr. Lee. It is certainly possible.
    Mr. Cooksey. Is it probable? I see someone out in the 
audience shaking their head yes.
    Mr. Lee. I don't have the information to answer that, sir.
    Mr. Cooksey. Let me just state that I feel very strongly on 
law enforcement. I have a very close working relationship with 
law enforcement people in our area. We have some real 
professionals, particularly some people from the Department of 
Justice, the FBI. We have got some top people. But I quite 
frankly don't feel that you see the same level of loyalty to 
the principles of law enforcement in some of the political 
appointees in your Department and it is really a disappointment 
to me.
    I am not a career politician. I am a physician. I don't 
want to be a career politician and I quite frankly hold a lot 
of the politicians in real contempt because of the 
inconsistencies I see. Here I see the potential for some more 
inconsistencies, but, that said, thank you, Madam chairman.
    Ms. Ros-Lehtinen. Thank you so much. Mr. Campbell.
    Mr. Campbell. Madam chair, out of courtesy to the next 
panel and the fact that I haven't heard all of the testimony, I 
will yield and thank you and thank the panel.
    Ms. Ros-Lehtinen. Thank you so much. I will also furnish my 
questions in writing in courtesy of the second set of 
panelists. But we thank you very much for your patience and we 
appreciate you being with us today and we will look forward to 
continuing this dialogue as this bill goes through the process. 
Thank you so much to all of you.
    I would like to introduce the second set of panelists. We 
will start with Ira Rubinstein, who is senior corporate 
attorney for Microsoft Corporation. Prior to joining Microsoft, 
Mr. Rubinstein was an associate with different law firms and is 
currently a Member of the President's Export Council 
Subcommittee on Encryption and serves on the Steering Committee 
for Americans for Computer Privacy. Mr. Rubinstein is the 
author of numerous publications addressing export controls and 
encryption software.
    Mr. Jeffrey Smith is a partner at the firm of Arnold and 
Porter in the firm's Legislative and Government Contracts 
Practices Division and serves as general counsel for Americans 
for Computer Privacy. From 1995 to 1996, he served as general 
counsel of the Central Intelligence Agency. Prior to that, he 
was appointed by then-Secretary of Defense William Perry to the 
Commission to Review the Roles and Missions of the Armed 
Services. Mr. Smith has also served in various capacities 
within Congress, including general counsel of the Senate Armed 
Services Committee.
    David Weiss is Vice President of product marketing at 
CITRIX Systems. In this capacity, he is responsible for mapping 
the company's long-term product strategy and direction. He was 
instrumental in the release of the industry's first Windows 
application and launching Internet technology and, prior to 
joining the firm, he was a founding Member and Director in 
marketing for Business Matters, Inc., a financial modeling 
software company. This corporation, CITRIX, I am proud to say 
is located in my hometown of South Florida and we are happy to 
have David with us today. Thank you.
    Mr. Alan Davidson is the Staff Counsel for the Center for 
Democracy and Technology, a nonprofit, Washington-based 
organization that works to promote civil liberties on the 
Internet. Mr. Davidson is currently leading the efforts to 
promote encryption policies that protect privacy and, prior to 
joining the legal profession, Mr. Davidson was a computer 
scientist. He worked as a senior consultant and designed the 
information systems for NASA's space station freedom projects. 
He also worked on technology and policy issues at the U.S. 
Congress Office of Technology Assessment.
    Ms. Dinah PoKempner is the Deputy General Counsel of Human 
Rights Watch, one of the largest human rights monitoring 
organizations in the world. Ms. PoKempner has performed field 
research in Cambodia, Vietnam, Hong Kong, Bosnia, and Croatia 
for the organization and currently directs institutional policy 
in various areas, including electronics, communications, and 
international law.
    Mr. Edward Black is the President and CEO of the Computer 
and Communications Industry Association, an international trade 
association comprised of leading computer, communications, and 
networking equipment manufacturers, software providers, 
telecommunications, and online service providers. Prior to 
being named president in earlier 1995, he served as vice 
president and general counsel for CCIA since the mid-1980's. He 
currently serves as the Chair of the State Department's 
Advisory Committee on International Communications and 
Information Policy.
    We thank all of you for being here today. We will be glad 
to put all of your statements in the record and we ask you to 
please be as brief as possible.
    Mr. Rubinstein.

    STATEMENT OF IRA RUBINSTEIN, SENIOR CORPORATE ATTORNEY, 
                     MICROSOFT CORPORATION

    Mr. Rubinstein. Good afternoon, Madam chairman. I greatly 
appreciate the opportunity to appear today before the Committee 
on behalf of Microsoft and the business software lines of BSA. 
I especially wanted to thank you, Madam chairman, for your 
support of the SAFE Act in this and prior Congresses. I also 
want to thank the other Committee Members who cosponsored the 
bill this year.
    American software and hardware companies have succeeded 
because we have responded to the needs of computer users 
worldwide. One of the most important features users are 
demanding is the ability to protect their electronic 
information and communications securely. American companies 
have innovative products that can meet this demand and compete 
internationally, but there is one thing in our way: the 
continued application of over broad and restrictive U.S. export 
controls.
    BSA strongly supports the SAFE Act because it modernizes 
and liberalizes U.S. export controls. We urge the Committee to 
report the SAFE Act without amendment and we look forward to 
its passage in the House this year.
    I want to emphasize three points today. First, any effort 
to control mass-market products based on key lengths is doomed 
to failure. Eight years ago in a 1991 study, the National 
Academy of Science discussed the nature of mass-market software 
and the futility of trying to control it. The NAS concluded, 
``The widespread availability of such software, coupled with 
its difficulty of detection and ease of reproduction makes any 
attempts at controls impossible,''.
    These observations and conclusions were true in 1991 and 
remain true today. If anything, they are even more true, given 
the rise of the Internet and the other means for electronically 
distributing software to mass-market customers on a worldwide 
basis. The addition of encryption functionality to mass-market 
products does not somehow alter these characteristics. Products 
that are not controllable at 56-bit key length do not become 
controllable at longer key lengths.
    My second point is that export controls create competitive 
advantages that foreign firms have been very successful in 
exploiting. Their entry point is U.S. export controls. Because 
U.S. firms are unable to satisfy customer demand for 128-bit 
encryption, non-U.S. firms create and freely distribute so-
called step-up software whose sole purpose is to increase the 
key lengths of U.S. products from 40 bits or 56 bits to 128 
bits. At the same time, these foreign firms develop powerful 
service software and related applications for Internet banking, 
e-commerce, and secure messaging. They also develop consulting 
expertise to service key customers such as banks, ISP's, telcos 
and online merchants. These are all the pieces needed to offer 
a complete package of 128-bit encryption to foreign customers 
and U.S. firms can't compete with this.
    This approach has spawned several of the fastest growing 
and most successful non-U.S. software firms focusing on the 
Internet market. In the interests of time, I will just 
highlight one of them, a firm called Baltimore Technologies, 
which is an Irish company which recently merged with Zergo, a 
U.K. company, and now offers a complete line of e-commerce and 
enterprise security products. At this point, I would like to 
show you exactly how Baltimore markets its products over the 
Internet.
    [Slide.]
    These slides, these are slides of what you would see if you 
visited their web site. It is not a live connection, in the 
interests of making it go quickly. The first page is their 
homepage. You see in the upper lefthand corner that it is the 
Zergo homepage and it lists products and services and other 
information that you can find there.
    [Slide.]
    The next page includes in its marketing materials the very 
statement of the problem that we are here today to discuss. I 
will read it quickly. ``U.S. export restrictions dictate that 
most web service and browsers cannot perform 128-bit encryption 
for security. Instead, export versions of browsers, like 
Internet Explorer and Netscape Navigator and export versions of 
web servers like Netscape Enterprise Server and Microsoft 
Internet Information Server, are limited to 40 bits of 
encryption, which is not secure enough for most applications.'' 
So here is the marketing material of a very successful foreign 
firm citing U.S. export controls.
    The success of these foreign companies threatens the growth 
of U.S. software firms and their contribution to the U.S. 
economy. It also threatens American technological leadership, 
the loss or diminution of which directly threatens U.S. 
national security and law enforcement objectives as well.
    Let me conclude with a final point and that is that the 
SAFE Act strikes the right policy balance by promoting the use 
of encryption for several purposes: to prevent crime by 
protecting sensitive communications data; to promote national 
security by protecting the nation's critical infrastructure; to 
protect e-commerce; and to protect individual privacy. Thank 
you, Madam chairwoman.
    Ms. Ros-Lehtinen. Thank you so much for your testimony. Mr. 
Smith.

  STATEMENT OF JEFFREY SMITH, GENERAL COUNSEL, AMERICANS FOR 
                        COMPUTER PRIVACY

    Mr. Jeffrey Smith. Thank you, Madam chair, and Members of 
the Subcommittee for the opportunity to testify on H.R. 850, 
the SAFE Act, sponsored by Representatives Goodlatte and 
Lofgren and cosponsored by a bipartisan group of over 250 House 
Members. I serve as counsel to the Americans for Computer 
Privacy, a coalition of 3,500 individuals, 40 trade 
associations, and over 100 companies representing a wide range 
of companies. We support policies that allow strong encryption 
and we specifically endorse the enactment of the SAFE Act and 
we respectfully urge the Subcommittee to report it without 
amendments for full Committee consideration.
    As Vice President Gore said in September 1998 when he 
announced the current Administration policy, developing a 
national encryption policy is one of the most difficult issues 
facing the country. It requires balancing many competing 
objectives, all of which are of great importance to the nation. 
Strong encryption is essential to protecting our Nation's 
infrastructure, ensuring the privacy of electronic 
communications, protecting our national security interests, 
safeguarding the public, and maintaining U.S. leadership in the 
development of information technology.
    The challenge is how to do that. The question this 
Subcommittee must address is what is the best policy to achieve 
these objectives? It is the firm view of ACP and its Members 
that, given the breathtaking pace at which information 
technology, including cryptography, is developing around the 
globe, the only way to achieve these goals, in the long run, is 
to adopt policies that will assure American industry continues 
to lead the world in information technology.
    It is often said that the first responsibility of 
government is national defense and it seems to us that the 
President, Congress, and industry collectively have a 
responsibility to ensure that in the future our law enforcement 
and intelligence agencies have the ability to continue to 
protect this nation as they do today. Indeed, they will 
probably need additional resources and technical help to meet 
the challenges of the next century. But those challenges are 
far greater if they are forced to face a world in which the 
majority of communications pass-over systems that are foreign-
designed, foreign-built, foreign-installed, and incorporate 
foreign encryption. We are concerned that the current policy of 
this government risks just such an outcome.
    We have worked hard over the last couple of years with the 
Administration to help fashion its new policy and we are 
grateful for the new policy, but we think further steps are 
needed and we urge the enactment of the SAFE Act. With that, I 
will yield the rest of my time, Madam chairman.
    Ms. Ros-Lehtinen. Thank you so much. We appreciate it, Mr. 
Smith.
    Mr. Weiss.

STATEMENT OF DAVID WEISS, VICE PRESIDENT OF PRODUCT MARKETING, 
                       CITRIX CORPORATION

    Mr. Weiss. Thank you. I will try to be as brief. Good 
afternoon, Madam chairwoman, and greetings from the Sunshine 
State, and Members of the Subcommittee, thank you for the 
opportunity to speak with you this afternoon regarding this 
important topic. My name is David Weiss. I am the Vice 
President of product marketing for CITRIX.
    Ms. Ros-Lehtinen. Now, because you are a constituent, take 
all the time you like.
    Mr. Weiss. Thank you very much. I am pleased to be 
testifying this afternoon on behalf of the Software Information 
Industry Association, SIIA, the result of a merger between the 
Software Publishers' Association and the Information Industry 
Association. SIIA represents 1,400 member companies engaged in 
every aspect of electronic commerce and has long supported 
efforts to liberalize encryption export controls and H.R. 850, 
the SAFE Act.
    CITRIX is the worldwide leader in server-based computing. 
Our products enable individuals to access applications which 
are running on their corporate networks while traveling at home 
or from anywhere in the world. Since 1989, we have worked hard 
to ensure that we provide cost-effective products to allow 
businesses to deliver access to their mission-critical 
applications to their employees and partners reliably and 
efficiently. Our products allow companies and organizations to 
share their corporate network resources with all of their 
employees, regardless of their physical location.
    In today's fast-paced economy, companies must be able to 
communicate and share information with their employees 
securely. Companies like mine have worked hard to develop 
technology and products that meet these critical needs, 
providing both individuals and businesses with the tools they 
need to remain competitive. Encryption has become a requirement 
for the technologies we developed. Without these capabilities, 
we cannot assure customers that our products incorporate 
reliable security to protect their corporate communications and 
proprietary information. Encryption helps individuals and 
businesses meet the challenges that we face in the online 
environment, while assuring that we are able to take advantage 
of its key benefits.
    CITRIX products enable communications and information 
sharing, usually within a company and generally involving vital 
applications. For most of our customers, the ability to 
communicate privately with business colleagues is critical. 
Many use CITRIX products to share sensitive information and 
require our products to protect that data from misappropriation 
by unauthorized parties or misuse by otherwise authorized but 
negligent or malicious parties.
    Encryption is the only practical means by which parties to 
an online communication can trust that each is who he claims to 
be and that the information is only available to its intended 
recipients. It is the only practical way to guarantee that the 
communication between those parties remains protected. Such 
capabilities are critical for both businesses and individuals 
seeking to take advantage to use the Internet. Without robust 
tools, no one can be assured that their online activities 
remain private and that their online transactions are 
trustworthy.
    Companies are rapidly developing innovative technologies 
and applications for use on public networks and users are just 
rapidly integrating these capabilities into their everyday 
lives. To ensure that this market continues to grow, consumer 
concerns like security, authentication, and privacy must be 
addressed. Without encryption, we simply can't do it. We must 
be able to use and widely deploy encryption if we are to help 
users protect against the inherent vulnerabilities of public 
networks. In order for our customers to be able to communicate 
securely, our products offer a variety of encryption 
technologies, some of which cannot be exported under the 
current regulations.
    The impact on our company and all of U.S. industry is 
significant. Companies are forced to choose between 
incorporating encryption into their products to meet the 
consumers' requirements or creating multiple product lines. If 
the company does not incorporate the strong security features 
that so many businesses demand, their products will fail in the 
marketplace. If the manufacturer does choose to incorporate 
strong encryption, it forgoes the lucrative foreign marketplace 
and many companies, especially many young Internet startup 
firms that are shaping the electronic commerce marketplace 
cannot afford to create multiple product lines.
    Given the time constraints, I just want to say that on 
behalf of CITRIX and the SIIA, we strongly endorse H.R. 850 and 
I will yield the rest of my time.
    Ms. Ros-Lehtinen. Thank you so much, David. To the panelist 
and our Congressional Members and our visitors, I have asked 
that Congressman Campbell be kind enough to Chair the remainder 
of the hearing. I have to go to the Floor and await my turn to 
speak on the Central America aid package so I have read your 
testimony and I look forward to sending you some questions in 
writing. Thank you so much. Thank you, Tom.
    Mr. Campbell. [presiding] Mr. Davidson.
    Mr. Davidson.

STATEMENT OF ALAN DAVIDSON, STAFF COUNSEL, CENTER FOR DEMOCRACY 
                         AND TECHNOLOGY

    Mr. Davidson. Thank you. Good afternoon and I would like to 
thank you for this opportunity to testify in front of the 
Subcommittee on behalf of the Center for Democracy and 
Technology. CDT has supported the SAFE Act since it was first 
introduced in the 104th Congress. While we are pleased to be 
here testifying once again in front of this Subcommittee, it is 
unfortunate that we are here making many of the same arguments 
that we were making 2 years ago. I would like to take the 
chance to thank the Chair and Mr. Goodlatte and the other 
sponsors of the SAFE Act and supporters of the SAFE Act for 
their continued support for privacy online.
    I would like to make, briefly, three quick points today. 
The first is that the current U.S. policy harms personal 
privacy, that U.S. policy is failing in the international 
marketplace and that it is time to move on because a new, more 
comprehensive encryption relief package like SAFE offers is 
ultimately going to be better for public safety and individual 
privacy.
    CDT is here today because current U.S. policy does violence 
to our constitutional liberties here in the United States and 
to individual privacy around the world. We live in an era of 
eroding personal privacy where more and more of our personal 
data is available in electronic form and particularly on the 
Internet. Encryption is the essential tool to protecting the 
security of our data in this open, decentralized, global 
network. The U.S. export controls keep people from getting the 
encryption they need and protecting their privacy online. Most 
directly, export controls limit the availability of good, U.S. 
encryption products around the world, particularly in the mass-
market products that most individuals use.
    Export controls also affect the security of people in the 
United States when they communicate abroad with people who 
don't have access to those strong products. Finally, encryption 
products affect the security of the infrastructure by dumbing 
down our security infrastructure and keeping us from making 
encryption something that is easily available to people around 
the world, including in the United States. In summary, 
encryption leaves us in the worst of both worlds. Sophisticated 
criminals, terrorists, rogue governments have access to it, but 
law-abiding individuals do not have security and privacy 
protected by the tools that they need.
    The second point I wanted to make was that U.S. encryption 
policy is failing in the international arena. We were told 2 
years ago that the world was on the verge of adopting key 
recovery and export controls. In fact, the marketplace has 
failed to embrace key recovery. The world community has failed 
to embrace export controls and key recovery as well. In fact, 
as we have heard in testimony, many countries, including 
countries like Ireland, Canada, and Finland, are moving in the 
opposite direction. Even some of the staunchest U.S. allies, 
the U.K. and France, have failed to completely embrace U.S. 
encryption policy.
    U.S. encryption policy is failing in the courts. Just 
earlier this month, the Ninth Circuit Court of Appeals found 
that export controls on encryption source code were 
unconstitutional violations of the First Amendment. The court 
ruled that these were prior restraints on free expression that 
rest boundless discretion in government officials. I think that 
the court recognized something that the Administration hasn't, 
that you can't stop the spread of ideas at the border and that 
especially you can't do it without doing violence to our First 
Amendment.
    I think it is time for our U.S. encryption policy to move 
on. We are setting the ground rules today for how much privacy 
people will have as they move their lives online. On balance, 
we believe that strong encryption both serves individual 
privacy and protects public safety and that kind of change is 
not going to happen without your help. While we remain 
concerned about certain criminal provisions in the SAFE Act, we 
believe that, on the balance, the bill is a dramatic step 
forward for individual privacy and public safety and I would 
encourage you all to support its rapid passage without any 
weakening amendments.
    Mr. Campbell. Thank you, Mr. Davidson.
    Ms. PoKempner.

  STATEMENT OF DINAH POKEMPNER, DEPUTY GENERAL COUNSEL, HUMAN 
                          RIGHTS WATCH

    Ms. PoKempner. Thank you. I appreciate very much the 
opportunity to come before this Committee. I am Dinah 
PoKempner, deputy general counsel of Human Rights Watch, one of 
the largest human rights research and reporting organizations 
in the world. We have used encryption for many years and I am 
going to present two examples from my testimony. There has been 
a great deal of discussion at this hearing about, on the one 
hand, the economic interest inherent in encryption and, on the 
other hand, law enforcement and national security.
    I am going to tell you a little bit about human rights 
applications of encryption and, in particular, dwell on two 
examples. Now the Internet revolution changed human rights 
advocacy dramatically. We can now report on things in real-
time. We can reach massive audiences very inexpensively and 
really mobilize popular opinion and action as never before. But 
we have a problem. Electronic communications are inherently 
insecure and this can have deadly consequences for human rights 
activists. Every year, human rights activists are attacked, 
jailed, disappeared, and killed. We document this in our world 
report. In 1998, we counted 10 such killings before the report 
went to press.
    So, for this reason, our researchers routinely use 
encryption when they are in dangerous places like Bosnia, 
China, Lebanon, Rwanda, Kashmir, Hong Kong, and Belgrade. I am 
going to give you a couple of examples. We have had a 
researcher who was arrested last year in the Kinshasa airport 
and detained for 24 hours while guards threatened to beat him. 
Fortunately, all of his research was encrypted. By the way, he 
was on a human rights investigation mission for which he had 
obtained a visa. It was perfectly transparent and obvious what 
he was doing. Yet, the government arrested him to get his 
information. Fortunately, because he felt secure his 
information was safe, he was able to delay until his release 
could be secured.
    We have a situation where the lack of security produced 
absolutely devastating consequences. For example, last year in 
April, a Member of the United Nations Secretary General's 
investigation team who went to gather evidence of massacres of 
Rwandan refugees in the eastern part of what was then former 
Zaire was arrested when he returned to Kinshasa. The Congolese 
authorities meticulously copied his research notes, as well as 
maps and reports that had been given him by local human rights 
activists. This information set off a man hunt for all of this 
official's informants. Many of these human rights activists had 
to go underground to emerge later as refugees and one, Gallican 
Ntirivamunda, has disappeared and is presumed dead.
    In contrast, our researcher, who had gone the year before, 
took pains to every night burn his notes after he had typed 
them into his lap top, encrypted them, and transmitted them. 
So, as this example might give you an idea, global access to 
strong encryption is vital, not just access for United States 
residents and citizens.
    I am going to give you one more example that will point out 
some of the problems that export controls can bring up and that 
is what is going on in Kosovo. It is very difficult. The strong 
encryption is available right now, but it is really difficult 
to master it, download it, familiarize yourself, and exchange 
keys when you are in the middle of a war. That is what is going 
on right now in Kosovo. People who want to report abuses can't 
communicate securely. The Serbian government is believed to 
have sophisticated Russian technology that enables them to 
crack code.
    So privacy advocates teamed up with a private company 
called the Anonymizer to create a gateway that allows people 
living in former Yugoslavia to access the Anonymizer and, 
through the Anonymizer, have confidential and encrypted 
communications. But there is a problem which one of the other 
panelists alluded to. If you have a browser that is export 
strength, this is not secure. Your communications can be 
intercepted. So you have to still do yet another step of going 
to another site, downloading yet more software to upgrade your 
browser. It still doesn't solve the problem of secure 
communications in the most difficult circumstances, in crisis 
situations.
    This is what I wanted to point out is that export controls, 
among other things, inhibit the development of products that 
would be most useful to human rights activists. That is, mass-
market strong encryption that is ubiquitous, that is built-in, 
that is easy-to-use, that you don't have to be a computer 
expert or adept to use. I am certainly not one and most human 
rights activists aren't adept either.
    I am going to end that with the thought that when we talk 
about the kinds of policies the United States is going to 
adopt, it is going to be looked at as a global leader. It is 
going to be looked at as a model. Will we adopt policies that 
will allow our government to continue to protest abuses of 
human rights advocates and suppression of human rights abuses? 
Are we going to hold encryption hostage to the fear of 
sophisticated terrorists and criminals who are going to use it 
no matter what the legality is and then deprive law-abiding 
citizens and human rights activists of its benefits.
    I will just finish by saying that what I would like you to 
keep in mind is that what is at stake is more than just our 
market share, more than abstract principles of privacy and free 
expression against, say, the tangible reality of terrorism. 
There are actual lives of human rights advocates at stake and 
that is what I would like you to keep in mind.
    Mr. Campbell. Thank you very much. I only regret that the 
Administration spokespersons are not here to listen to you as 
you listened to them.
    Mr. Black.

    STATEMENT OF ED BLACK, PRESIDENT AND CEO, COMPUTER AND 
              COMMUNICATIONS INDUSTRY ASSOCIATION

    Mr. Black. Thank you for the opportunity to testify before 
you today and I apologize for my not-yet-disappeared 
laryngitis. Encryption is a subject of vital importance to the 
members of the Computer and Communications Industry Association 
and to all of our industry. I have to take a quick aside and 
say as a citizen, however, I think Dinah's comments are just so 
right-on and that is a key part of this that we should never 
focus on. We will focus on the business aspects, but it is hard 
not to think of the importance to freedom and democracy of real 
meaningful encryption available to people around the world.
    Like the current key recovery requirements, the 
Administration's original Clipper Chip proposal would have 
mandated that all encryption products contain a back door for 
law enforcement and national security agencies to give them 
access to the plain text of any communication or computer file 
upon request. Not surprisingly, CCIA members continue to oppose 
the Administration's policy, as do most of the high-tech 
industry, most of the broader business community, and privacy 
groups. The Administration supporters on the Hill, we think, 
are also few and dwindling in number.
    Because of CCIA's members support for the SAFE bill, which 
we think is an excellent bill which we congratulate Mr. 
Goodlatte and Congresswoman Lofgren on, we believe that it is 
possible that--we will use the word ``proliferation''--
proliferation of encryption is going to happen, is important to 
happen. We think the use of strong encryption around the world 
is essential to reaching the full potential of electronic 
communications and commerce. We all recognize that the 
relaxation of encryption export restrictions is of critical 
importance if we are to fully realize the information age we 
have just entered.
    I want to address quickly the Administration's contention 
that it does not control or seek to control domestic use or 
sale of encryption. The National Security Agency has testified 
on numerous occasions that the full implementation of the 
Administration's key recovery plan would have no impact on 
their ability to carry out their national security mission. The 
only logical inference is that the key recovery export policy 
is designed to benefit domestic law enforcement agencies while 
avoiding the political and constitutional pitfalls of direct 
domestic restrictions.
    Another fallacy of the government's policy is that the 
United States has some monopoly on the science of cryptography 
or the production of encryption tools. This is hard to justify 
in light of the government's own efforts to replace the current 
DES encryption standard with a new advanced encryption 
standard, AES. Of the 15 logarithms submitted in the NIST 
competition, 10 were from organizations outside of the United 
States, including countries such as Australia, Belgium, Canada, 
Costa Rica, England, France, Germany, Israel, Japan, and South 
Korea. At least half of the five finalists are likely to be 
foreign competitors and it is very possible that the next U.S. 
Government standard for encryption will be designed outside of 
our borders.
    To further illustrate the international nature of this 
industry and the futility of our export controls, let me give 
you an example of how the Administration policy has affected 
just one of our member companies. Integrity Solutions is one of 
the world's leading vendors of secured application 
technologies. They are based in San Jose, California. Because 
of our export laws, nearly all of their recent growth in 
staffing and development has been in overseas locations in 
Sweden and the United Kingdom. This was not by design. They 
originally only intended to be based in the U.S. and Sweden, 
but it was a response to the continued restriction of U.S. 
exports on encryption.
    Later this month, it will announced that Integrity, its 
partnership with Major Systems Integrators, will be awarded a 
contract for all certificate authentication technology for the 
Special Administrative Region of Hong Kong. They expect that 
this contract will reap millions of dollars in annual revenues 
and eventually expand to include other Asian nations. 
Unfortunately, none of the revenue will come to the United 
States and none of the jobs that this contract will create will 
go to Americans. Because of our export laws, all of these 
products and services will be shipped out of the United Kingdom 
division. Had the contract not gone to Integrity, it would have 
gone to an Irish company, which would have been the alternative 
winner of the contract.
    My question is: How does our current policy support 
important U.S. interests? We are driving American companies and 
jobs overseas and driving their customers to foreign 
competitors without any significant impact on our national 
security or law enforcement capability. It is just nonsense.
    I wish that I could say that if we experienced further 
relaxations in export controls or even enacted The SAFE bill, 
we would somehow regain these lost jobs and revenue; however, 
Integrity has already established a critical mass of overseas 
presence. They are beyond the point of no return. They will 
continue to derive a majority of the revenue and experience 
nearly all of their growth in foreign countries regardless of 
what we do to our laws. I can only hope that we take quick 
action to prevent this scenario from becoming even more common 
and repeated over and over again until we reach the point where 
a huge portion of this industry has migrated overseas. 
Chairman, Members of the Committee, thank you again for the 
opportunity to testify today.
    Mr. Campbell. Thank you, Mr. Black. The first questioner 
will be Mr. Goodlatte.
    Mr. Goodlatte. I thank you, Mr. Chairman, and I would like 
to echo your observation that it would have been very helpful 
if the Administration's witnesses had been here to hear this 
excellent testimony and, not only that, but the members of the 
media. I think that the intensity of the debate has gone out of 
the hearing because I think we are in great agreement with what 
you have to say.
    I would like to ask you about some of the points that were 
made by the Administration witnesses. First, they made the 
statement that this legislation would not be in compliance with 
the Wassenaar agreement. I would note that the Wassenaar 
agreement has never been ratified by the U.S. Senate. It is 
purely a voluntary effort of the Administration only, but it 
seems to me that the way it is drafted the legislation, which 
provides for an application of export controls in real national 
security instances, does comply. I would ask first, perhaps, 
Mr. Rubinstein if he would comment on the impact of this 
legislation on the Wassenaar agreement.
    Mr. Rubinstein. I think the earlier testimony was that it 
violated Wassenaar by not having adequate review provisions and 
I think that is an incorrect reading of the SAFE Act. There is 
a provision in all of the key export control sections allowing 
for technical review of products prior to export and I think 
that is the key requirement. If there is any difference, 
really, between the SAFE Act and the positions that have 
already been taken by some of the foreign countries that are 
signatories of the Wassenaar arrangement, it is that the SAFE 
Act requires review, but then, otherwise, does not restrict 
export.
    What other countries have done in technical compliance with 
the Wassenaar is to simply impose a licensing requirement, but 
that licensing requirement is one that says strong encryption 
may be exported under general license. So that is, I think, a 
very limited form of compliance and hardly achieves the results 
that were trumpeted when this announcement was first made, 
namely that it levels the playing field. All it really does is 
allow these other countries who already have strong encryption 
vendors in their jurisdictions to comply in appearance by 
saying there is a general license requirement, but then the 
companies are able to export the same products they did prior 
to that arrangement.
    Mr. Goodlatte. Anyone else? Mr. Black?
    Mr. Black. I will pass. I will take some other questions, 
but, for the moment----
    Mr. Goodlatte. Anyone else care to comment on that? If not, 
let me go on to the next--Mr. Davidson.
    Mr. Davidson. Just to say that I think our reading is very 
much the same that it certainly seems that SAFE, on its face, 
does not necessarily come into conflict with Wassenaar, both in 
letter and in spirit. That I think that it was particularly 
interesting to me that Ms. McNamara was careful to say that 
Wassanaar merely permits nations to adopt export controls. It 
does not necessarily require them to adopt export controls and 
are reading is that SAFE does not violate either the letter or 
the spirit of Wassenaar.
    Mr. Black. Maybe if I could take my turn and just respond. 
We have a long experience in the Association of export controls 
and everything from computers to telecom. We have a lot of 
experience with what national discretion means. What we think 
the adoption of your legislation here would in fact put us in 
the position that for decades every other country was in, which 
we would have a standard which might be a little saner and less 
restrictive than other countries. We think it would be very 
consistent with certainly what is the spirit of Wassenaar as it 
will be interpreted by most other countries, which is they are 
going to go off and sell whatever they want without any 
restrictions. So certainly the spirit, we think, would be 
complied with.
    Mr. Goodlatte. Thank you. The Administration's witnesses 
seemed to be divided into two camps: Law enforcement folks 
concerned about recoverable encryption--and I think we have 
pretty well addressed that. The questions asked of that panel. 
Why that will not work. Although we failed to mention the 
enormous cost of it. The cumbersome, perhaps even unworkable 
nature of having a system where billions of keys are stored by 
somebody under some very costly and bureaucratic system.
    But the other issue wasn't touched on as much. That is that 
the National Security folks seemed to be concerned about the 
immediate decontrol--the words used by Barbara McNamara--and I 
think the effort on their part seems to be to delay the 
implementation of strong encryption, and I wonder if you might 
comment on the effect of such a delay. Mr. Smith.
    Mr. Jeffrey Smith. I will take that one if I may. It is our 
sense that NSA is aware that sooner, perhaps rather than later, 
they will face a world of ubiquitous encryption perhaps 
produced outside the United States. I cannot speak for them, 
but my guess is that they recognize that and are hoping that 
delay will somehow permit the market to develop in such a way 
that it permits them to continue to do what they do.
    Our concern is that, as I said in my statement, the current 
policy is driving us much more rapidly toward a world where 
there is, in fact, ubiquitous encryption, but it is not ours. I 
think the consequence of that for the nation, for everything 
that we are trying to achieve, is quite substantial and is why 
the SAFE Act is, in our view, such an important vehicle.
    Mr. Goodlatte. Thank you, Mr. Chairman.
    Mr. Campbell. Thank you, Mr. Goodlatte. The Ranking Member 
of the Committee, the gentleman from New Jersey.
    Mr. Menendez. Thank you, Mr. Chairman. I want to thank the 
panel. I had to step out for a few minutes, but maybe you can 
help me. I was glancing through some of your written testimony 
of that which I may have missed. Is it fair to say that the 
synthesis of your respective testimonies is that, in fact, what 
I was asking the previous panel in terms of what can you really 
control here at the end of day, that the consensus is, I think 
Mr. Smith has just said, that this is available. It is 
available outside. It is available domestically. It is 
available abroad. Ultimately, all those who wish to have access 
for the purposes of doing that which the previous panel is 
concerned about presently have that access right now. Is that a 
fair statement?
    Mr. Black. Yes.
    Mr. Jeffrey Smith. Yes.
    Mr. Weiss. Yes.
    Mr. Davidson. Yes.
    Mr. Rubinstein. Absolutely.
    Mr. Menendez. Second, could you--any of you who choose to 
do so--quantify the potential loss this year if we do not move 
in a manner that would, for example, on Mr. Goodlatte's 
legislation, the regime that would be established there, if we 
don't move in that direction, what are the potential losses to 
American companies? Do you have any sense of quantifying that?
    Mr. Weiss. I can take a very small attempt, looking 
internally at my own company. We are a relatively small 
software company at $250 million. While encryption has not been 
a significant issue in the first 7 years of our existence, over 
the past 3 it has been and I would quantify our loss last year 
due to our inability to either develop or supply strong 
encryption technology to our customers, multinational customers 
or customers outside the United States, as approximately 10 
percent of our revenue. I expect that to grow as a percentage 
substantially as we begin to build the infrastructure 
surrounding the digital age of which my company hopes to 
participate. So that number will only increase as a percent and 
really put a cap on the markets that we can play in.
    Mr. Menendez. Is there any other industry sense of----
    Mr. Rubinstein. It is hard for me to quantify, but I would 
make two observations. One is that a pronounced trend in the 
last few years is the use of PC's for ever more complex and 
demanding computer applications so PC's networked together have 
begun to replace minicomputers and mainframe computers and 
really run the infrastructure of many large organizations and I 
think that has made encryption and security a much more 
important aspect of software sales even for mass-market vendors 
like Microsoft and other members of the BSA.
    Mr. Menendez. Let me ask another question. This is 
hypothetical, but I would like to get a sense of what the 
industry might say. If we were to, the U.S. Government, were to 
fund the appropriate United States agency to work with the 
private sector to do decryption technology, what would the 
industry's response to that be?
    Mr. Jeffrey Smith. If I might address that. Industry has 
acknowledged that the law enforcement and National Security 
Agencies face a real challenge in the future and recognize that 
they may not have the technological skills possessed by 
industry. So as the Administration panel said and as we have 
said in several of our statements, industry is working with 
government to help them reach that understanding. I can't 
comment for how industry would react to a specific proposal to 
provide specific funding to that, but there are some 
suggestions like that, including one from Senator Bob Kerry in 
the Senate that I, as a personal matter, find intriguing. But 
whether industry as a whole would be prepared to support that, 
I certainly can't speculate.
    Mr. Black. If I could, I think we would all like to think 
that there would be a solution like that. In all honesty, I 
think the reality that it is sand going through the fingers and 
I don't think you pick it back up again with open hands. The 
idea of brute force, attack, is there. It is possible at the 
edges, but most of the folks we talk to it really is probably 
not a viable result. Key recovery is not--we have all looked 
for years for some magic bullet that goes down the middle and 
takes care of everybody's concern. We just don't find it.
    Mr. Davidson. I would just like to echo and say that I 
think, first of all, most people in the technical community 
don't think that brute force attacks are going to work at these 
high-strength encryption products. I wanted to address a 
comment that was made by the Justice Department representative 
earlier about the fact that they were still searching for new--
that we are not talking about key recovery anymore. That it is 
really about new kinds of access technologies and I would just 
like to say that, we have been playing the name game on this 
from key escrow to commercial key escrow to key recovery and 
now it is plain text access.
    All of those systems have the same problem which is that 
the same system that allows surreptitious access by government 
also creates a huge vulnerability that allows surreptitious 
access by the people that you are trying to protect yourself 
from by encrypting to begin with. There are a series of real 
security and economic concerns that have been raised about the 
viability of these systems that have gone--are being completely 
unaddressed.
    There is a report that we submitted to the Committee--and 
hopefully you folks have seen this--on the risks of key 
recovery. I would encourage people who are concerned about the 
national security and law enforcement aspects of all of this to 
ask particularly in those classified briefings, perhaps, ask to 
have the questions raised in this report answered because I 
think the problem has been that they can't be answered and that 
we don't have a viable system that provides access and protects 
security and that is why these systems haven't caught on.
    Mr. Menendez. I thank you all for your patience and your--
yes.
    Mr. Rubinstein. If I could add just one point there, there 
was some discussion in the earlier panel of whether the 
dialogue between industry and law enforcement had withered away 
over the last year and I would agree with Mr. Reinsch that it 
has not and, in fact, there has been some very productive 
dialogue going on and going on, quietly, but taking place. At 
the heart of that dialogue, I think, is the recognition by law 
enforcement that there is no magic bullet.
    The precondition for a constructive dialogue is the 
recognition that there is no single solution that industry can 
offer but, instead, what is most important is that law 
enforcement devote more resources to learning about the new 
technology to understanding how it is used and, of course, in 
order to effectively use that, that technology has to be 
developed and produced in the United States.
    Mr. Menendez. Thank you for your testimony. Thank you, Mr. 
Chairman.
    Mr. Campbell. Thank you, Mr. Menendez. It is my turn. I 
have three specific questions and they are first directed to 
Mr. Rubinstein. This example you gave us of Zergo.
    Mr. Rubinstein. Yes.
    Mr. Campbell. Did they cooperate with Microsoft or with 
Netscape in developing their solution?
    Mr. Rubinstein. No. Let me also apologize. When I was 
showing those slides, I failed to show the last slide which was 
the download page and which listed a number of tool kits and 
add-on products that were available from Zergo. In no case did 
Microsoft supply technical assistance nor was it even asked to 
do so because--if I can try to explain this simply as 
possible--if you have a browser that is signing onto a web 
server, what you do is you insert two pieces of software 
between that communication so that the browser talks to this 
first piece, the first piece to a second piece, and then the 
second piece to the existing server. It is those two 
intermediate pieces that secure the communications at 128 bits. 
It just takes that flow and inserts this new connection and it 
decrypts it again.
    Mr. Campbell. I follow.
    Mr. Rubinstein. So there is no need for U.S. cooperation to 
accomplish that.
    Mr. Campbell. Although, at some point, the company, Zergo, 
must have access to Microsoft's code in order to--they just 
have to decompile what Microsoft is using in that first of the 
four steps in order to make a good interface, I assume.
    Mr. Rubinstein. Right, although one of the very significant 
changes in this whole debate that has occurred results from the 
fact that Internet products are built according to 
international standards so, regardless of the specific company 
implementation, as long as those standards are met, the 
standards are readily available. Even reference code is 
available on a worldwide basis.
    Mr. Campbell. Thanks. Let me ask a hypothetical question 
then of any of the panel, but particularly of the attorneys. 
Would it be a violation of the Export Control Act in this 
situation for Netscape or Microsoft to have assisted Zergo in 
that it--you see my question. I am not sure of the answer. You 
tell me you didn't. That is fine. I am pleased.
    Mr. Rubinstein. The answer would be yes. There is a 
specific provision that deals with providing technical 
assistance to a foreign person in the manufacture of 
encryption----
    Mr. Campbell. Thanks for answering. It was the answer I was 
afraid I might get. A question to Mr. Black and Mr. Smith. This 
is a technological question of which I am ignorant. Does the 
ability to deencrypt develop as the ability to encrypt or are 
they different disciplines?
    Mr. Black. They are really the same coin. The skills are, 
there are differences but it really is the ability to do one is 
the same set of skills and you will find the same people able 
to do the other.
    Mr. Campbell. Would you agree, Mr. Smith?
    Mr. Jeffrey Smith. Yes.
    Mr. Campbell. I hit a wall in mathematics at differential 
equations. They didn't make any intuitive sense to me. That is 
when I stopped. I have a sense there is a point of complexity 
at which encryption can become like those differential 
equations so that when it goes to a certain level, the ability 
to deencrypt is just lost. Am I wrong or does deencryption 
actually follow right along with the ability to encrypt so that 
if we go to longer and longer bit length, we will have industry 
capable of eventually breaking that?
    Mr. Black. In the real world, we have seen the development 
of technology that is more and more powerful and, whatever NSA 
says, I think many of us think they have a lot more capability 
than is there. But it still lags behind and lags behind 
substantially and I think we are--most of us think we are at 
point where, for all practical purposes, the ability to use 
brute force deencryption is just not going to be available in 
the future.
    Mr. Davidson. If you will forgive the mathematical 
terminology, the difficulty in decrypting increases 
exponentially with the increase of the bit length. So, for 
example, the difference between a 56-bit key and a 64-bit key, 
it is only 8 bits longer. But it is 256 times more difficult to 
decrypt in terms of the time it takes to do a brute force 
attack. So when you move to something like 128-bit keys, which 
are widely available outside of the United States, you reach a 
point where people start to measure the amount of time it would 
take to decrypt this using, technology that we----
    Mr. Campbell. Thanks.
    Mr. Black. We have a number which is 256, the number of 
possibilities at that level equal the number of particles in 
the universe.
    Mr. Campbell. Subatomic? And 256 is 2 to the 8th power? Is 
that where that came from? I was wondering----
    Mr. Davidson. 256-bit length. I think you are talking about 
keys that are 256-bits long.
    Mr. Campbell. Let me just understand the algorithm. So if 
you increase bit length by X bits, what is the effect on the--
--
    Mr. Davidson. Two to the X. So, for example, each bit 
doubles the amount of times.
    Mr. Campbell. That is what I thought. Two to the eighth. 
That is what I was asking. 256 is 2 to the 8th. You are 
measuring that in terms of time difficulty of deencryption.
    Mr. Davidson. Right. The number of steps; the number of 
things you have to check.
    Mr. Campbell. The number of steps.
    Mr. Davidson. It is really like doing a combination lock 
and trying all of the combinations.
    Mr. Campbell. OK.
    Mr. Black. There is always a chance you will stumble on it 
right at the beginning, but you have to assume you don't.
    Mr. Campbell. Thanks. My last question is to Ms. PoKempner. 
Understand, I am entirely on your side of this. Nevertheless, 
it seems to me the logic of your position would oppose a 
universally accepted agreement, a Wassenaar that really worked, 
whereas every other member of the panel might be able to live 
with that because it would not put an American firm at a 
competitive disadvantage, the burden of your testimony is the 
value of encryption so strong that no government can break into 
it. Am I reading you correctly?
    Ms. PoKempner. I am reluctant to sound like an absolutist 
because I do believe that there are genuine national security 
and law enforcement issues here, but the problem is that 
virtually unbreakable encryption exists. We use it. We use 128-
bit encryption. For practical purposes, no one is going to 
break that very fast. So we live in a universe where that is 
already out there and my concern is that U.S. attempts to 
either influence the Wassanaar arrangement countries policies 
or its own domestic export controls ultimately have the effect 
of taking strong encryption out of the hands of the law-abiding 
people like ourselves who need to use it but don't have any 
deterrent effect on all of the bad guys that are constantly 
paraded before us as the reason for these controls.
    It is a difficult equation. I think that there is a balance 
and a difficult judgment call that has to be made at the point 
where encryption becomes ubiquitous, which I do believe is an 
inevitability. It is just a question of whether the U.S. is 
going to be part of that.
    At that point, obviously, computer-challenged people like 
myself can use it easily and so can the stupid criminals that 
were referred to earlier. So everyone can use it. Then you have 
a question of, in terms of deterring street crime versus 
protecting human rights activists, people who want to 
communicate from totally repressive situations. People who want 
to, preserve their privacy, their medical records, their 
commerce, then you have a very complicated balancing task.
    But I think that is really where the level of debate should 
be. We are not talking about international terrorists versus, 
all the other interests because the international terrorists 
already have access. Believe me, if my colleagues can use it, 
the international terrorists are much more capable.
    Mr. Campbell. I would like you to come back in another 
occasion and tell us what you and Human Rights Watch found in 
the Democratic Republic of Congo. I'm going to be polite to my 
colleague and yield to him in just 1 second. Though if you 
would be--and indulge me, Brad, I didn't speak before and I 
just wanted to kind of put on record my own thought. I will 
take about 30 seconds.
    It would amaze me if the founders who wrote the Fourth 
Amendment were presented with Congress passing a law compelling 
Americans to make their communication more easily intercepted 
by the government. Would it not? That is, it seems to me, what 
we are asking. As to those who say national security and crime, 
I would say--and this is my one polemic, forgive me. Then I 
yield to my friend. My one polemic for today--I can give you 
safe streets, just get rid of that pesky Fifth Amendment and I 
will beat some confessions out of people and I will give you a 
safe a major city in America, every major city safe from street 
crime. But get rid of this warrant requirement because it is 
too tedious; probable cause is a heck of thing----
    So it isn't that we who believe in freedom ignore the other 
side. We believe that our country made that compromise 200-plus 
years ago. I yield to my colleague from California.
    Mr. Sherman. Mr. Chairman, thank you. Thanks especially for 
your technical questions. Like you, I hit a wall in 
mathematics. In my case, I hit it at long division.
    It seems like we are confronted with three levels of 
criminals. There are the street criminals who aren't going to 
use lap tops, let alone encryption. There are the semi-
sophisticated criminals who pretty much transact domestic 
crime--and I would like anybody on the panel to correct me if I 
am wrong--these folks can get all the encryption they want at 
the local software store today and, if they can't, it is just 
because you folks haven't made it yet and you will and you 
don't need to change the law to put really great encryption in 
every Egghead store in America. I see a lot of heads nodding. 
Then you get up to the international criminals who you would 
think would be sophisticated enough to send the encryption that 
they need over the line, buy it from a foreign source.
    I am at a loss to try to figure out who we are trying to 
protect ourselves from. Now, as I understand it, if they get a 
warrant, they can look at your bank records and if you sent a 
message to your bank by encryption, the bank knows how to 
unencrypt it. I see some heads nodding. So this whole--the 
Administration effort is, I think, as the Chairman pointed out, 
an effort to make sure that when we send messages to each other 
we do it in a form that is most easily wiretappable and then 
understandable. Which is--now one could imagine that that would 
be argument. That we would really say we want everything that 
goes over the wire to be interceptable and decipherable. But 
that is not what we are doing. We are saying, well you can 
encrypt, you just can't do it internationally.
    Which seems to--and I will go back to what I said before 
because I thought it needed a little explanation when I thought 
that the Administration was just trying to punish the software 
industry, but it seems like they are just angry that domestic 
messages will be encrypted in ways that they cannot decipher 
and the only handle they have under our legal system is to try 
to punish that industry or throw a temper tantrum by saying, we 
have got this law where we won't let you export it. I don't 
think there is a question in there anywhere.
    Yes, my more senior colleague from California illustrated 
and explained to me just earlier today how I should deal with 
this and that is, I say, don't you agree?
    Mr. Black. Your questioning actually earlier was, I thought 
very much on point where you were trying to get some people in 
the Administration to acknowledge that the concept of mandatory 
and voluntary that there is something in between which is 
called coercion, extortion, and that is really what we see 
going on. They are using the export control rules to try to 
force, coerce people into adopting practices because they don't 
want to say domestically that some people in the Administration 
really want to have the controls. It is really disingenuous, in 
our view, for them to be saying that this kind of heavy 
leverage, put a gun to your head, let us make a deal is not 
really pushing and forcing and mandating it. It is not any 
semblance of voluntary.
    Mr. Sherman. Let me sneak in one more question here and 
then this is really the question: What would it take for a 
foreign company to produce encryption that works well with 
Microsoft and other U.S.-created products and to sell that 
encryption product around the world? Is there any prohibition 
on us importing encryption? Everybody's saying no. I do that so 
the record will actually reflect your head shakes. Mr. 
Davidson, you were about to say something?
    Mr. Davidson. I was going to agree with your earlier 
comment and say I think you are right and your second question 
gets to that also, which is that really what this is about 
seems to be an attempt to slow-down the spread of encryption. 
That is the best that we hope for in this policy and, to some 
extent, it has worked so far. I think what you are hearing from 
us is that now the costs of that policy far outweigh any 
incremental benefits of continuing it, that the costs not only 
to business, but to privacy interests of individuals, to the 
human rights workers around the world and others, you know are 
too high for continuing to pursue this.
    But I will say one other thing which is that I think we 
remain concerned domestically about the ultimate goals of the 
Administration in this area and what I mean by that is that it 
was only 1\1/2\ years ago that the Administration was 
testifying on Capitol Hill and the FBI director was testifying 
that he would like domestic controls on encryption, mandatory, 
key recoverable, and the House Intelligence Committee, in fact, 
passed a version of the SAFE Act that would have imposed that.
    Although it is somewhat reassuring, I guess, to hear the 
Administration officials say that is not current policy, we 
don't feel that this is far off the table. That remains our 
concern and I think the interchange between Chairman Gilman and 
the Justice Department witnesses was about domestic criminals 
using encryption and the only way that they are ever going to 
stop that is by some kind of domestic control. I think that is 
what we remain very fearful of.
    Mr. Sherman. I would like to comment that domestic control 
at least has the advantage of being a logical action--I think 
inconsistent with the Fourth Amendment--but a logical action 
where you are actually achieving a law enforcement purpose 
other than punishing an industry for coming up with technology. 
I yield back.
    Mr. Campbell. I thank the gentleman. We are at the end of 
our hearing, but I would like to offer each of the panelists 1 
minute, if each wishes, to add anything that he or she did not 
have the opportunity to add heretofore. Is there anyone who 
wishes to avail himself or herself of this opportunity? Mr. 
Rubinstein.
    Mr. Rubinstein. Yes. I would like to add one point which is 
that I think the hope of the Administration policy was that key 
escrow or some form of it would become so ubiquitous that 
everybody would use it and only the very small substratum of 
very sophisticated criminals would escape from that and, as the 
Administration readily admits, they can never really do 
anything about that.
    But as the market has rejected that type of key escrow for 
reasons that Congressman Goodlatte alluded to earlier--its 
cost, its complexity, its vulnerability--as the market has 
rejected that and as the Administration has begun to soften its 
message on key recovery and say we are not insisting on any one 
technology; there are many different approaches; et cetera, the 
very logic of their position begins to erode because if there 
are no mandatory controls and if nonrecovery encryption is 
available overseas, then it is no longer apparent what the 
ongoing controls would achieve.
    Mr. Campbell. Read you loud and clear. Anyone else wish to 
speak? Mr. Davidson.
    Mr. Davidson. First of all I would like to say to the 
Chair, I think that the Chair is right about the Bill of Rights 
and the Fourth Amendment as it applies to this area. You are 
very much on point. While we will see and are hopeful about how 
it moves in the courts, I think that that should inform 
Congresses decisions in terms of thinking about encryption. I 
would also commend this Bernstein decision to you from the 
Ninth Circuit. It is quite interesting. The last thing I would 
just say very briefly is I am noticing that Mr. Goodlatte's 
attendance here at the bitter end of this hearing, and his 
commitment to this issue for the last several years and I would 
like to thank him for that because this has been very important 
for individual privacy.
    Mr. Campbell. Appropriate and so noted. Mr. Smith.
    Mr. Jeffrey Smith. One more minute to go back to a point 
Mr. Bereuter made about the conversations between industry and 
the Administration, initially done by John Deutsch when he was 
the Director of Central Intelligence. That dialogue has 
continued. I think my colleague Mr. Rubinstein made the point 
but I think it is important for this Committee to understand 
that there is a continuing dialogue, but it is a very difficult 
one to maintain because one is reluctant to discuss it too much 
in these public sessions. So I think it is something to be 
explored offline.
    Second, to urge this Committee to take the long-run view of 
this policy. Our concern is that the Administration's policy is 
a short-term policy and our strong view is that both the law 
enforcement and national security interests need to be seen by 
Congress in the long-run and that only the kind of solution 
that is proposed by this bill, in our judgment, strikes the 
balance, gives the government what it needs, gives industry and 
citizens what they need.
    Mr. Campbell. Thank you. With that, the meeting of the 
Subcommittee on International Economic Policy and Trade stands 
adjourned.
    [Whereupon, at 5:35, the Subcommittee was adjourned.]
