[Congressional Record Volume 143, Number 142 (Tuesday, October 21, 1997)]
[Senate]
[Pages S10879-S10881]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                               ENCRYPTION

  Mr. LOTT. Mr. President, I would like to report to my colleagues on 
the activities in the House to establish a new export policy on 
encryption. This is an issue that is still at the top of my list of 
legislation I hope this Congress can resolve within the next 2 months. 
The House's actions last month turned a spotlight on how this issue 
should ultimately be resolved.
  Let me briefly review the issue. Encryption is a mathematical way to 
scramble and unscramble digital computer information during 
transmission and storage. The strength of encryption is a function of 
its size, as measured in computer bits. The more bits an encryption 
system has, the more difficult it is for someone else to illegally 
unscramble or hack into that information.
  Today's computer encryption systems commonly used by businesses range 
from 40 bits in key length to 128 bits. A good hacker, let's say a 
criminal or a business competitor, can readily break into a computer 
system safeguarded by a lower-technology 40-bit encryption system. On 
the other hand, the 128-bit encryption systems are much more complex 
and pose a significant challenge to any would-be hacker.
  Obviously, all of us would prefer to have the 128-bit systems. And 
equally as important, we would like to buy such systems from American 
companies. Firms we can routinely and safely do business with. Foreign 
companies and individuals also want to buy such systems from American 
companies.

[[Page S10880]]

 They admire and respect our technological expertise, and trust our 
business practices. The United States remains the envy of the world in 
terms of producing top-notch encryption and information security 
products.
  However, current regulations prohibit U.S. companies from exporting 
encryption systems stronger than the low-end, 40-bit systems. A few 
exceptions have been made for 56-bit systems. Until recently, it has 
been the administration's view that stronger encryption products are so 
inherently dangerous they should be classified at a level equal to 
munitions, and that the export of strong encryption must be heavily 
restricted.
  While we are restricting our own international commerce, foreign 
companies are now manufacturing and selling stronger, more desirable 
encryption systems, including the top-end 128-bit systems, anywhere in 
the world they want. Clearly, our policy doesn't make sense. Just as 
clearly, our export policies on encryption have not kept up to speed 
with either the ongoing changes in encryption technology or the needs 
and desires of foreign markets for U.S. encryption products.
  My intention is neither to jeopardize our national security nor harm 
law enforcement efforts. I believe we must give due and proper regard 
to the national security and law enforcement implications of any 
changes in our policy regarding export of encryption technology. But it 
is painfully obvious we must modernize our export policies on 
encryption technology, so that U.S. companies can participate in the 
world's encryption marketplace. The legislative initiative on this 
issue has always been about exports, but this summer that changed.
  During the past month, the FBI has attempted to change the debate by 
proposing a series of new mandatory controls on the domestic sale and 
use of encryption products. Let me be clear. There are currently no 
restrictions on the rights of Americans to use encryption to protect 
their personal financial or medical records or their private e-mail 
messages. There have never been domestic limitations, and similarly, 
American businesses have always been free to buy and use the strongest 
possible encryption to protect sensitive information from being stolen 
or changed. But now, the FBI proposes to change all that.
  The FBI wants to require that any company that produces or offers 
encryption security products or services guarantee immediate access to 
plain text information without the knowledge of the user. Their 
proposal would subject software companies and telecommunications 
providers to prison sentences for failure to guarantee immediate access 
to all information on the desktop computers of all Americans. That 
would move us into an entirely new world of surveillance, a very 
intrusive surveillance, where every communication by every individual 
can be accessed by the FBI.
  Where is probable cause? Why has the FBI assumed that all Americans 
are going to be involved in criminal activities? Where is the 
Constitution?
  And how would this proposal possibly help the FBI? According to a 
forthcoming book by the M.I.T. Press, of the tens of thousands of cases 
handled annually by the FBI, only a handful have involved encryption of 
any type, and even fewer involved encryption of computer data. Let's 
face it--despite the movies, the FBI solves its cases with good old-
fashioned police work, questioning potential witnesses, gathering 
material evidence, and using electronic bugging or putting microphones 
on informants. Restricting encryption technology in the U.S. would not 
be very helpful to the FBI.
  The FBI proposal won't work. I have talked with experts in the world 
of software and cryptography, who have explained that the technology 
which would provide compliance with the FBI standard simply does not 
exist. The FBI proposal would force a large unfunded mandate on our 
high technology firms, at a time when there is no practical way to 
accomplish that mandate.
  Rather than solve problems in our export policy, this FBI proposal 
would create a whole new body of law and regulations restricting our 
domestic market.
  This and similar proposals would also have a serious impact on our 
foreign market. Overseas businesses and governments believe that the 
U.S. might use its keys to computer encryption systems to spy on their 
businesses and politicians. Most U.S. software and hardware 
manufacturers believe this is bad for business and that nobody will 
trust the security of U.S. encryption products if this current policy 
continues. In fact, this proposal appears to violate the European 
Union's data-privacy laws, and the European Commission is expected to 
reject it this week.
  So, the FBI proposal would: Invade our privacy; be of minimal use to 
the FBI; would require nonexistent technology; would create new 
administrative burdens; and would seriously damage our foreign markets.
  This is quite a list.
  Mr. President, the FBI proposal is simply wrong. I have learned that 
even the administration does not support this new FBI proposal. So why 
does the FBI believe it must now subject all Americans to more and more 
surveillance?
  This independent action by the FBI has created confusion and mixed 
signals which are troublesome for the Senate as it works on this 
legislation. Perhaps the FBI and the Justice Department need to focus 
immediately on a coordinated encryption position.
  Mr. President, I congratulate the members of the House Commerce 
Committee for rejecting this FBI approach by a vote margin of more than 
2 to 1.
  I am sure all of my colleagues are sympathetic to the fact that 
emerging technologies create new problems for the FBI.
  But we must acknowledge several truths as Congress goes forward to 
find this new policy solution. People increasingly need strong 
information security through encryption and other means to protect 
their personal and business information. This demand will grow, and 
somebody will meet it. In the long term, it is clearly in our national 
interest that U.S. companies meet the market demand. Individuals and 
businesses will either obtain that protection from U.S. firms or from 
foreign firms. I firmly believe that all of our colleagues want 
American firms to successfully compete for this business. Today there 
are hundreds of suppliers of strong encryption in the world 
marketplace. Strong encryption can be easily downloaded off the 
Internet. Even if Congress wanted to police or eliminate encryption 
altogether, I am not sure that is doable.
  So, let's deal with reality. Clamping down on the constitutional 
rights of American citizens, in an attempt to limit the use of a 
technology, is the wrong solution. The wrong solution. This is 
especially true with encryption technology because it has so many 
beneficial purposes. It prevents hackers and espionage agents from 
stealing valuable information, or worse, from breaking into our own 
computer networks. It prevents them from disrupting our power supply, 
our financial markets, and our air traffic control system. This is 
scary--and precisely why we want this technology to be more available.
  Only a balanced solution is acceptable. Ultimately, Congress must 
empower Americans to protect their own information. Americans should 
not be forced to only communicate in ways that simply make it more 
convenient for law enforcement officials. This is not our national 
tradition. It is not consistent with our heritage. It should not become 
a new trend.
  Mr. President, I would like to establish a framework to resolve this 
difficult issue. I hope to discuss it with the chairmen and ranking 
members of the key committees. I especially look forward to working 
with the chairman of the Commerce, Science and Transportation 
Subcommittee on Communications, Senator Burns. He was the first to 
identify this issue and try to solve it legislatively. His approach on 
this issue has always been fair and equitable, attempting to balance 
industry wants with law enforcement requirements.
  I believe there are other possible ideas which could lead to a 
consensus resolution of the encryption issue. It is my hope that 
industry and law enforcement can come together to address these issues, 
not add more complexity and problems. The bill passed by the House 
Commerce Committee included a provision establishing a National 
Encryption Technology Center. It

[[Page S10881]]

would be funded by in-kind contributions of hardware, software, and 
technological expertise. The National Encryption Technology Center 
would help the FBI stay on top of encryption and other emerging 
computer technologies. This is a big step. This is a big step in the 
right direction.
  It is time to build on that positive news to resolve encryption 
policy.
  Mr. President, there is an op-ed piece which appeared in the Wall 
Street Journal on Friday, September 26. It is well written and 
informative, despite the fact that its author is a good friend of mine. 
Mr. Jim Barksdale is the president and CEO of Netscape Communications 
and is well-versed in encryption technology. Mr. Barksdale's company 
does not make encryption products; they license such products from 
others. They sell Internet and business software and, as Jim has told 
me many times, his customers require strong encryption features and 
will buy those products either from us or foreign companies.
  Again, let's deal with reality. The credit union manager in 
Massachusetts, the real estate agent in Mississippi, the father writing 
an e-mail letter to his daughter attending a California university, 
each want privacy and security when using the computer. They will buy 
the best systems available to ensure that privacy and security. And, in 
just the same way, the banker in Brussels, Belgium, the rancher in 
Argentina, and the mother writing e-mail to her daughter in a 
university in Calcutta, India, each of these people also want privacy 
and security. They also will buy the best systems available to ensure 
that privacy and security. And they want encryption systems they 
trust--American systems. That's what this debate is about.
  Mr. President, if Congress does not modernize our export controls, we 
run the real risk of destroying the American encryption industry. And 
we risk giving a significant and unfair advantage to our foreign 
business competitors.

                          ____________________