[Congressional Record Volume 144, Number 79 (Wednesday, June 17, 1998)]
[Senate]
[Pages S6437-S6440]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                               ENCRYPTION

  Mr. LOTT. Mr. President, I rise today out of concern for our nation's 
computer and electronic industries. As you are well aware, the 
Administration's

[[Page S6438]]

export policies prohibit American companies from selling state-of-the-
art encryption technology abroad without recovery keys and back door 
access. Encryption is a series of mathematical formulas that scramble 
and unscramble data and communications. It is used to thwart computer 
hackers, industrial and foreign espionage agents, and criminals from 
gaining access to and reading sensitive personal, business, and 
military communications. The higher the bit-key length, the more 
difficult it is for unauthorized persons to break the code. Technically 
advanced encryption ensures that an individual's medical, financial, 
business, personal records and electronic-mail cannot be accessed 
without their consent. The Administration is now promoting the 
deployment of recovery keys so designated third parties would be able 
to access and share with law enforcement the computer data and 
communications of American citizens without their knowledge. Currently, 
government mandated key escrow is not required and is opposed by the 
computer industry, privacy advocates, legal scholars, and by many 
members of Congress.
  Mr. LEAHY. While current law does not mandate any key recovery, the 
current Administration, just as past Administrations, uses the export 
control regime to ``dumb down'' the encryption available for widespread 
integration into high-tech products intended for both domestic use and 
for export to foreign customers. Export regulations in place now are 
being used expressly to coerce the development and use of encryption 
products capable of giving law enforcement surreptitious access to 
plaintext by conditioning the export of 56-bit DES encryption on 
development of key recovery features.
  These regulations are scheduled to sunset in December 1998, at which 
time export of even 56-bit strength encryption will no longer be 
permitted. I understand that the Administration is already undertaking 
discussions with industry on what will happen upon sunset of these 
regulations. I have long contended that taking unilateral steps will 
not resolve this issue, but instead could delay building the consensus 
we so urgently need. This issue simply cannot by resolved by Executive 
fiat.
  Mr. ASHCROFT. Mr. President, I have been involved in the debate 
regarding encryption technology and privacy for more than three years 
now. In the course of that time I have not seen any real attempt by the 
White House to resolve this problem. In fact, over the course of that 
time the Administration has moved further from negotiation by taking 
increasingly extreme positions on this critical national issue.
  Mr. CRAIG. Mr. President, as you have heard, current U.S. policy 
allows only encryption below the 56-bit key length to be sold abroad. 
For a long time now, software companies have argued that this level of 
encryption is so low it provides little security for the information 
being transmitted over the ``super highway.'' This policy also states 
that, in the production of encryption stronger than 56-bit, software 
companies must provide some type of ``backdoor'' access to ensure law 
enforcement can decode encrypted material.
  Addressing this from an economic perspective, customers--especially 
foreign customers--are unwilling to purchase American encryption 
products with backdoors and third-party access. This is particularly 
true since they can buy stronger encryption overseas from either 
foreign-owned companies or American owned companies on foreign soil 
without these invasive features.
  Mr. WYDEN. Since coming to the Senate, I have worked side-by-side 
with Senators Burns, Ashcroft, Leahy and others on the critical issue 
of encryption. Our common goal has been to craft a policy that puts the 
United States squarely out front of the crypto-curve, rather than locks 
us permanently behind it. A one-size-fits-all government policy simply 
won't work in this digital era. We all recognize and acknowledge the 
legitimate needs of law enforcement and the national security 
communities, but tying the hands of America's high technology industry 
in the process will serve neither those needs, nor the national 
interest in maintaining our competitive edge in the fiercely 
competitive global marketplace. It's time to move forward with 
comprehensive encryption reform legislation.
  Mr. BURNS. I would like to point out that the government's plan for 
encryption--whether they call it ``key escrow'' or ``key recovery'' or 
``plaintext access''--simply won't work. Eleven of the world's most 
prominent computer security experts have told us government mandated 
key recovery won't work because it won't be secure, as explained in a 
study published this week by the Center for Democracy and Technology. 
Key escrow also won't work because it will cost billions, as revealed 
in a recent study published by the Business Software Alliance. We have 
also been told that the kind of system the Administration wants is not 
technically feasible. Additionally, constitutional scholars testified 
that government mandated key escrow, third party recovery probably 
violates the Bill of Rights.
  Mr. LOTT. Even though a national recovery system would be technically 
unfeasible, costly, and violates an individual's privacy rights, the 
Administration continues to require key escrow as a precondition for 
relaxing America's encryption policy. Again, Mr. President, I would 
point out that state-of-the-art encryption is available in the 
international marketplace without key recovery and without backdoor 
access. This backdoor door requirement is simply backward thinking 
policy. It does not make sense to hold the computer industry hostage to 
force the creation of such an unworkable system.
  Mr. BURNS. The Majority Leader is absolutely right. We do not need 
experts to tell us key recovery will not work. All that is needed is a 
little common sense to understand that no one will buy systems with 
backdoor access. Criminals will not escrow their keys and terrorists 
will find keyless systems from America's foreign competitors. There is 
nothing we can do to stop undesirables from using strong, unescrowed 
encryption.
  Mr. LOTT. Even though advanced encryption products are widely 
available across the globe, the White House continues to stall 
Congressional and industry attempts to reach a sensible market oriented 
solution to the nation's outdated encryption export regime. This 
stonewalling tactic will only cede even more of our nation's technology 
market to foreign competitors and America will lose forever its ability 
to sell encryption technology at home and abroad.
  It is time to change America's export policy before it is too late. 
If the Administration will not do what is right, reform its export 
regime, then Congress must enact encryption reform during this session.
  Mr. LEAHY. The Majority Leader is correct that reform of our 
encryption policy is needed. The Attorney General came to the Hill in 
March and asked for a legislative moratorium on encryption matters. 
This request was made because the Administration wanted to talk with 
the information technology industry about developing means for law 
enforcement to gain surreptitious access to plaintext scrambled by 
strong encryption. According to eleven of the world's leading 
cryptographers in a report reissued on June 8, the technical risks and 
costs of such backdoors ``will exacerbate, not alleviate, the potential 
for crime and information terrorism'' for America's computer users and 
our critical infrastructures.
  In the Senate we have a name for debate that delays action on 
legislative matters. We call it a filibuster. On encryption policy, the 
Administration has been willing to talk, but not to forge a real 
solution. That amounts to a filibuster. The longer we go without a 
sensible policy, the more jobs will be lost, the more we risk eroding 
our privacy rights on the Internet, and the more we leave our critical 
infrastructures vulnerable.
  Mr. BURNS. We can readily see that the current U.S. policy on 
encryption jeopardizes the privacy of individuals, the security of the 
Internet, and the competitiveness of U.S. industry. We have been 
debating this issue since the Administration's introduction of the ill-
fated Clipper chip proposal over five years ago. Yet no substantial 
change in Administration policy has taken place. It is time for us to 
take action.
  I first introduced comprehensive encryption reform legislation in the

[[Page S6439]]

form of the Pro-CODE bill over two years ago, then reintroduced it in 
this Congress with the cosponsorship of the Majority Leader, Senators 
Ashcroft, Leahy, Wyden, and others. Along with Senators Ashcroft, 
Leahy, and others, I am also an original cosponsor of the E-PRIVACY 
bill, which would foster the use of strong encryption and global 
competitiveness. We have held numerous hearings on the issue. Yet 
despite the increasingly desperate drumbeat of criticism from industry, 
individuals, and privacy groups, from across the political spectrum, 
the Administration's policy has remained fundamentally unchanged.
  Mr. LEAHY. Since the hearing I chaired in May 1994 on the 
Administration's ``Clipper Chip'' proposal, the Administration has 
taken some steps in the right direction. Clipper Chip is now dead, and 
the Administration has transferred authority over the export of 
encryption products from the State Department to the Commerce 
Department, as called for in legislation I introduced in the last 
Congress with Senators Burns, Wyden and others. Furthermore, the 
Administration has permitted the export of up to 56-bit DES encryption, 
at least until the end of this year. But these actions are simply not 
enough for our high-tech industries to maintain their leading edge in 
the global marketplace.
  Mr. ASHCROFT. Our technology companies need to be able to compete 
effectively. Without reasonable export laws our technology sector will 
be seriously harmed. More encryption companies will leave the country 
so they are free to sell their products around the globe as well as 
within the United States. Make no mistake, the market will not be 
denied. Today, robust encryption products from Canada, Japan, Germany 
and elsewhere are being sold on the world market. You have heard of the 
companies that are manufacturing and selling encryption. They are 
Nortel, Nippon and Seimens. These are not upstart companies. They are 
substantial players on the international scene, and they offer 
encryption products that are technically and financially competitive 
with those produced in the U.S.

  Mr. LOTT. That's right. In fact, a recent survey conducted by Trusted 
Information Systems found that hundreds of foreign companies sell over 
600 encryption products from 29 countries. It is even possible to 
download some of the strongest technology available, 128-bit key length 
encryption, off of the Internet. Clearly, America's policy of 
restricting the sale of American encryption software and hardware has 
not impacted the availability and use of this technology throughout the 
globe.
  No one disputes the fact that the development and use of robust 
encryption worldwide will continue with or without U.S. business 
participation. What is particularly disturbing to me is that export 
controls, instead of achieving their intended purpose, have only served 
to deny America's premier computer industry the opportunity to compete 
on a level playing field with foreign competitors. Costing our economy 
and our nation billions of dollars and the loss of countless American 
jobs in the process. Given the wide availability of encryption 
technology, continuing to restrict U.S. access to foreign markets makes 
no sense.
  Mr. ASHCROFT. That is absolutely correct. The Administration's 
encryption policy is, in effect, a tax on American consumers. We owe it 
to these customers and the innovators in the software industry to 
reform this encryption policy now. From the birth of the United States, 
this country has been a world leader in innovation, creativity, 
entrepreneurship, vision and opportunity. Today all of these American 
attributes are on display in our technology sector. Whether in 
telecommunications, or computer hardware or software, the United States 
has maintained a leadership position because of the opportunities 
afforded to people with the vision, determination and responsibility to 
reach for their highest and best. We must work diligently to ensure 
that ample opportunities are maintained in this country for our 
technology sector to continue to thrive and innovate. If companies are 
stifled and cannot compete, then the people, the ideas, the jobs, and 
the economic growth will simply go elsewhere.
  Mr. BURNS. In the computer business these days, they talk about 
``Internet time.'' In the Internet industry, where product life cycles 
can be as low as 6 months, the world changes rapidly. Yet we have been 
debating this issue for over five years now, while America's sensitive 
communications go unsecured, our critical information infrastructures 
go unprotected, and our electronic commerce jobs get shipped overseas. 
It is time for the Congress to act.
  Mr. ASHCROFT. If this issue is not resolved, and resolved soon, we 
will lose this industry, we will lose our leadership position in 
technology, and our national security will suffer. We have a choice to 
make as policy makers--do we allow our companies to compete 
internationally or do we force them, by our antiquated and ill-
conceived government policy, to move overseas. We cannot simply ignore 
the reality that robust encryption exists in the international 
marketplace now. Instead, we must allow our companies to compete, and 
do so now. We cannot allow extraneous issues to stand in the way of 
remedying the deficiencies with our current approach to encryption. We 
must recognize that keeping the encryption industry on American shores 
is the best way to ensure national security. We would not think of 
allowing all our defense industries to move abroad. By the same token, 
we should not force the encryption industry abroad through outdated 
policies. Simply put, strong encryption means a strong economy and a 
strong country. This concern is just one of the many reasons we need to 
pass effective encryption legislation this year and just one of the 
reasons that Senator Leahy and I recently drafted the E-PRIVACY bill, 
S. 2067.
  Mr. LEAHY. I join with my colleagues from both sides of the aisle in 
calling for passage of good encryption legislation that promotes 
computer privacy, fosters the global competitiveness of our high-tech 
industries, and encourages the widespread use of strong encryption as 
an online crime prevention and anti-terrorism tool. The E-PRIVACY bill 
that I have sponsored with Senator Ashcroft, Senator Burns and others, 
satisfies these goals. Prompt Senate consideration of encryption 
legislation is sorely needed to protect America's economy and security.
  Mr. CRAIG. Mr. President, the E-PRIVACY bill seeks to protect 
individual privacy, while at the same time addressing national security 
and law enforcement interests. It would also modernize export controls 
on commercial encryption products.
  The E-Privacy Act specifically addresses the concerns of law 
enforcement. First and foremost, it makes it a crime to intentionally 
use encryption to conceal incriminating communications or information. 
It also provides that with an official subpoena, existing wiretap 
authority can be used to obtain communications decryption keys/
assistance from third parties.
  Mrs. MURRAY. Mr. President, I want to thank Senator Leahy, Senator 
Burns and Senator Ashcroft as well as Senator Lott and Senator Daschle 
for their work and leadership on the issue of encryption. I am proud to 
be an original cosponsor of S. 2067, the E-PRIVACY Act.
  This is my sixth year as a member of the Senate and the sixth year I 
have advocated for reasonable legislation on encryption. Sadly, the 
Administration has not been a constructive player in this debate. It is 
time for the United States to acknowledge that we no longer exclusively 
control the pace of technology. Purchasers around the world can 
download software off of the Internet from any country by simply 
accessing a website. Foreign purchasers have turned to Russian, German, 
Swiss and other foreign vendors for their encryption needs.
  Washington state and American companies deserve the opportunity to 
compete free from unreasonable government restrictions. Their role in 
the international marketplace should be determined by their ingenuity 
and creativity rather than an outdated, ineffectual system of export 
controls. The time to act is now. I urge the Senate to consider the E-
PRIVACY Act at the earliest opportunity.
  Mr. BURNS. The basic facts remain the same. People need strong, 
unescrowed encryption to protect themselves online in the information

[[Page S6440]]

age. Law enforcement has legitimate concerns about the spread of this 
technology, and we must work to provide them the tools and expertise 
they need to keep up with advances in encryption technology. We cannot 
stop time, however. The genie is out of the bottle. As Bill Gates, the 
CEO of Microsoft, recently said, ``Encryption technology is widely 
available outside the United States and inside the United States, and 
that's just a fact of life.''
  Mr. CRAIG. With the rapid expansion of the ``super highway'' and 
Internet commerce it is crucial we bring encryption legislation to the 
forefront. A secure, private and trusted national and global 
information infrastructure is essential to promote citizens' privacy 
and economic growth.
  Mr. BURNS. As my colleagues recognize, technically advanced and 
unobtrusive encryption is fundamental to ensuring the kind of privacy 
Americans will need and desire in the years to come. Congress must 
choose a future where individuals and companies will have the tools 
they need to protect their privacy, not a future where people fear the 
use electronic commerce because they have no security.
  I commend the Majority Leader, Senators Ashcroft, Leahy, Craig, 
Wyden, and Murray for their vision and bipartisan leadership on this 
issue. I hope that Congress will be able to move forward with real 
encryption reform legislation that protects the privacy and security of 
Americans in the Information Age, before it is too late.
  Mr. LOTT. I think it is worth repeating to my colleagues that the 
Administration's approach to encryption makes no sense. It is not good 
policy. Continuing to restrict the foreign sale of American encryption 
technology that is already available abroad, or will soon be available, 
is anti-business, anti-consumer, anti-jobs, and anti-innovation.
  The time for a change in America's export regime is long overdue. 
Unfortunately, the Administration continues to support its outmoded and 
competition-adverse encryption control policy. That is why this 
Congress needs to find a legislative solution to this issue.
  If America's export controls are not relaxed now, then Congress 
places in peril our entire technology industry. Not just those 
companies that create and market encryption products and services, but 
virtually every company involved in the development and sale of 
computer hardware and software. Congress cannot and will not put 
America's entire technological base at risk for an ineffective and 
outmoded export policy on encryption.

                          ____________________