[Congressional Record Volume 143, Number 156 (Saturday, November 8, 1997)]
[Extensions of Remarks]
[Pages E2243-E2244]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]


                  NEED FOR A NEW POLICY ON ENCRYPTION

                                 ______
                                 

                             HON. TOM DeLAY

                                of texas

                    in the house of representatives

                        Friday, November 7, 1997

  Mr. DeLay. Mr. Speaker, I would like to call to my colleagues' 
attention the need for a new policy on encryption. A simple policy that 
lets American computer users continue to buy whatever encryption they 
want and that lets American companies remain internationally 
competitive by modernizing existing export controls.
  The administration has failed year after year to address this issue--
stonewalling, making minor export control modifications years after 
they were necessary, and even preparing to take away the ability of 
Americans in this country to protect sensitive and confidential 
electronic information.
  I am concerned that if we do not take rational and effective action 
soon, our ability to use American ingenuity to keep at the forefront of 
worldwide economic growth through information technology will be 
irreparably harmed because of our inability to protect our Nation's 
primary source of strength--our citizens' knowledge and ideas. That 
being the case, I believe the Security and Freedom through Encryption 
[SAFE] Act, H.R. 695, should be a priority for the second session of 
this Congress.


          Strong, Secure Protection Over Networks Is Critical

  Information has become power in the 21st century. We need to protect 
our information in order to protect our national and economic security. 
Every technological advance is encouraging individuals, companies, and 
governments to become more networked--whether to work with others, 
communicate and share documents within a company, or to access work 
from home. If we do not take necessary and adequate precautions, these 
computer networks eventually may create a danger. Foreign competitors, 
foreign powers, terrorists, and just plain criminals may exploit their 
knowledge of technology to gain access to more information than ever 
before in order to steal information or to injure people.


The Administration's Export Policy Has Hamstringed And Harmed Americans

  Encryption is simply a fancy name for scrambling information so that 
it may not be understood by the casual reader or listener. Computer 
software or hardware scrambles information using a key. The longer the 
key, the more options for scrambling information and the more 
protection is provided to protect the information from knowledgeable 
computer hackers seeking to descramble or decrypt the information.
  In 1992 the administration permitted U.S. companies to freely export 
40-bit key length encryption products. Five years later the 
administration still limits mass market exports in general to 40-bits.
  The only way that the administration permits companies to increase 
this encryption strength to even a slightly stronger 56-bits is to 
agree to build back door government access features into future 
products.
  It is hard to believe that what would protect information in 1992 
could still be considered reasonable protection for information in 
1997. One very smart student in California proved that 40-bit strength 
encryption could be broken by trying every key combination in just a 
few hours. Several smart U.S. cryptographers got together and 
calculated that a government willing to spend some money could break 
40-bit encryption, or even 56-bits, in a [minute fraction] of a second.
  Importantly, an unfortunate side-effect of the administration's 
export control policy is that it also has limited the strength of 
encryption that Americans have access to from their corner software 
store. I understand that American software companies earn over one-half 
of their total revenues from their software exports. So that they do 
not face a marketing nightmare as well as the expense of developing two 
different products--one for the United States and one for overseas--
these software companies have in general developed only one version of 
a product. Thus, most U.S. companies are also stuck at the unprotected 
40-bit level.


           Foreign Vendors Supply Strong, 128-Bit Encryption

  Our administration has created a huge window of opportunity for 
foreign hardware and software vendors to fill the void created by these 
antiquated export controls. Several foreign companies provide strong, 
128-bit encryption. They quite often market their products as add-ons 
or replacements for export-crippled U.S. products. Would you really 
want to buy a 40-bit or even a 56-bit version of a software product 
when you knew that your competitor had a 128-bit product?
  While the U.S. computer industry has had a strong lead in developing 
hardware and software products, we can no longer rely on this advantage 
to ensure that foreign vendors do not use the opening of supplying 
encryption software to start to provide foreign consumers with other 
programs, such as stronger, 128-bit Internet browsers.
  Thus, I believe that if a comparable product is available overseas, 
then we should not hamstring America's companies from providing the 
same product. If a foreigner can and will purchase a 128-bit encryption 
product overseas, I would prefer that they bought it from an American 
company. I believe that this is better for our economy, and ultimately 
better for our national security. Otherwise, the result will be that 
all encryption expertise will move off-shore as well as encryption 
sales.


 What Louis Freeh and His Lobby Machine Want and Why It Does Not Work 
                      Domestic Encryption Controls

  After testifying at House Judiciary and House Commerce regarding 
export controls, Louis Freeh finally came out of the closet and 
divulged that he had not been discussing export controls, he had been 
talking about domestic controls on encryption designed by Americans for 
Americans. Mr. Freeh and his 80 lobbyists apparently never thought to 
bring this up so that it could be part of the Judiciary Committee's 
hearings on the legislation from the very beginning.

  Why? Perhaps he knew the reception he would receive to the proposal 
that Americans should no longer be able to design, manufacture or 
import encryption unless the encryption technique ensured that a 
government approved third party could have access to the information 
without the user's knowledge. Thus, he would prefer that every time an 
American encrypts information to store it on a computer or to send it 
over the Internet, a third party must be able to access the information 
and the user would never know that the information had been accessed. 
This would change over 200 years of free speech.


          Impact of Requiring FBI's Proposed Domestic Controls

  I am a strong proponent of law enforcement. But I do not believe that 
we should adopt a system that our best and brightest say will be nearly 
impossible to design, hard to keep secure and probably very costly to 
consumers.
  To my knowledge, no one has ever built or even begun to test the 
reliability, security, and costs of such a system. I have seen a report 
by another group of extremely well-known American scientists who tell 
me that they have no idea of how to design and implement this proposed 
domestic key recovery system. They also say that such a system could 
create greater vulnerability for its users. Apparently encryption 
techniques are not foolproof, and adding sufficient complexity to 
permit third party access will make the encryption even less secure. It 
also appears to be highly dependent upon the honesty and integrity of 
those third parties who have access to the information. Who, 
ultimately, do we trust?
  I understand that while advances in technology have generally 
provided the FBI and other law enforcement with more investigatory 
tools, this one advance may make it more difficult for them. I propose 
instead that we look at methods that will help law enforcement to 
combat these new hurdles, rather than choosing the more simplistic 
approach of building law enforcement access into each and every 
encryption product.
  I also can only imagine the bureaucracy necessary to handle the 
magnitude of information regarding encryption keys. It would have to 
rival many agencies we have spent years trying to reduce in size--the 
Internal Revenue Service and the Department of Commerce to name just a 
few.
  While we are expending all of our efforts trying to lessen government 
intrusion in our lives, domestic encryption controls as proposed by Mr. 
Freeh would create probably the largest intrusion yet.
  Finally, I have a basic concern about requiring American citizens to 
provide access to their information if they decide to encrypt it. If I 
write a letter in the privacy of my own home and leave it in my desk 
drawer, I do not have to provide a copy of my house key and desk drawer 
key with the local police so that they may look at it easily without my 
knowledge. I do not see why this should change if I write this letter 
on my computer and decide to encrypt it. Why should this act require me 
to let others have the capability of viewing it without my knowledge? I 
agree with the constitutional law professors who stated that this would 
have a ``chilling effect'' on American speech.


Foreigners Simply Will Not Purchase And Criminals Will Not Use American 
          Designed Mandatory Key Recovery Encryption Products

  Ultimately, foreigners will not purchase or use American encryption 
products if they provide mandatory third party access to information. 
Neither will criminals. They know that the encryption technique is 
strongly desired by American law enforcement because law enforcement 
can monitor or otherwise access the information. Why would they 
voluntarily use such a product when they can use a 128-bit product they 
can obtain today over the Internet from tens of countries?
  The FBI alleges that all foreign governments are eager to adopt 
similar controls on their citizens. While this is true of France, it is 
not true of the European Union for example, which categorically 
rejected the administration's proposal for a worldwide key recovery 
infrastructure requirement.
  The only impact of the FBI proposal is that normal, law abiding 
American citizens will use American designed encryption programs. 
Foreigners will turn to foreign sources for their nonkey recovery 
products, and criminals will certainly turn to the same foreign 
sources. Thus, the FBI proposal does not address the real problem 
created by encryption technology. I do not want to put in place a 
large, costly bureaucracy that will not permit law enforcement to get 
the information it believes necessary.


                        What is Best for America

  The United States should not try to control the export of something 
that by its very nature is uncontrollable. The United States should 
also not take a lead in forcing its citizens to adopt a costly 
technology that will insure easy monitoring and intrusion by law 
enforcement. Our constitutional guarantees of free speech and our 
rights to privacy should not be in any way lessened in order to 
accomplish Louis Freeh's desire for a fourth amendment for the 21st 
century. We in Congress should act now to relax export controls on 
encryption technology and to ensure that Americans remain free to speak 
in whatever manner they desire, using whatever encryption they choose.

                          ____________________