[Congressional Record Volume 144, Number 94 (Wednesday, July 15, 1998)]
[Senate]
[Pages S8236-S8238]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




            CONGRESS NEEDS TO ACT ON ENCRYPTION LEGISLATION

  Mr. LOTT. Mr. President, I rise to commend the continuing efforts of 
America's computer industry to find a technical solution to the 
encryption issue. On Monday, July 13, a consortium of thirteen high-
tech companies announced an alternative to the Administration's 
proposed key escrow/third party access system. As you will recall, many 
computer and security exports have stated that key escrow would be an 
invasion of privacy, technically unworkable, and cost prohibitive.
  Unlike the key recovery system advocated by the Administration, 
industry's ``private doorbells'' approach would not require sensitive 
encryption keys to be escrowed with third parties in order for law 
enforcement to gain access to computer messages. Instead, the FBI and 
other federal, state, and local agencies would be able to combat crime 
by being provided with court approved, real-time access to communiques 
at the point where they are sent or at the point where the message is 
received. Clearly, high-tech executives have not been sitting on the 
sidelines as the encryption debate continues. As this announcement 
indicates, the computer industry is working hard to find a balanced 
solution that ensures the needs of our law enforcement and national 
security communities while maintaining privacy protections for all U.S. 
citizens. We owe it to them, and to all Americans, to find a balanced 
legislative solution to encryption.
  Mr. LEAHY. Mr. President, I would also like to applaud the computer 
industry's efforts to find alternative technical solutions to help law 
enforcement with the challenge of encrypted data and communications 
without the need to establish a government-mandated key escrow or key 
recovery scheme. With the appropriate privacy safeguards in place, as 
outlined in the E-PRIVACY bill, S.2067, the solution that the companies 
are proposing appears encouraging. American companies are desperate for 
a common sense approach to our export policy on encryption. As you are 
well aware, the Administration, starting with Clipper Chip, has been 
wedded to key escrow schemes to ensure that the FBI can get access to 
plaintext, or unscrambled electronic data. This path has been pursued 
despite the serious questions that experts have raised about the costs, 
privacy risks and lack of consumer interest in such schemes. As

[[Page S8237]]

U.S. companies watch their market share for computer hardware and 
software products erode because of our country's outdated export 
controls on encryption, it is imperative that the Administration direct 
the FBI to consider creative alternatives to key escrow.
  Mr. CRAIG. The recent announcement by several leading companies in 
the computer industry makes it clear that, in addressing both economic 
and law enforcement concerns, it is important to find a balance between 
the two. We must create legislation that addresses consumer demand for 
encrypted products while also meeting the needs of law enforcement--
legislation that fosters a global marketplace dominated by U.S. 
encryption products. Those products, of course, will be a great benefit 
to our national security.
  Mr. BURNS. Industry's plan to allow law enforcement access to the 
plaintext of some encrypted communications demonstrates that market 
solutions can truly address many areas of law enforcement's concerns 
with encryption. At the same time, we should not forget that there is a 
continuing need for legislative privacy protections governing how and 
when law enforcement should have access to encrypted data.
  Mr. LEAHY. I agree, the announcement by the high-tech companies of 
alternative means of access to plaintext to encrypted data demonstrates 
industry's commitment to find solutions that accommodate law 
enforcement interests. It also reiterates the need for privacy 
protection legislation to ensure that law enforcement only gets such 
access with a proper court order. The E-PRIVACY bill, S. 2067, which I 
have sponsored with Senator Ashcroft, and others, would provide that 
privacy protection.
  Mr. BURNS. Yes, these recent developments continue to highlight the 
desperate need for a change in U.S. encryption policy. Last week the 
Administration announced it would make exceptions in encryption export 
policy allowing banks and certain financial institutions to export 
strong encryption, without vulnerable key recovery systems, to their 
subsidiaries in a select group of 40 countries. This is a welcome 
development for those companies that will qualify for this narrow 
exception but it does not provide the same protection of online privacy 
for everyday Americans.
  Mr. LOTT. Americans want and need strong encryption to protect their 
most sensitive data and communications from unauthorized access. Yet 
the Administration continues to pursue an encryption policy that limits 
exports, requires key recovery backdoors for law enforcement, and 
ultimately stifles American innovation. Instead of keeping technology 
out of the hands of criminals, continuing export controls will only 
ensure that U.S. citizens have less protection than other computer 
users throughout the globe. The financial institutions announcement 
confirms what many in Congress have been saying for some time: users of 
electronic commerce will be best served by providing relief from 
current export control regulations. Allowing advanced encryption to be 
exported ensures that sensitive data is protected while helping 
American companies compete globally. Individual consumers, as well as 
multinational financial institutions, will not buy and will not use 
encryption systems when government mandated recovery keys for these 
products are provided to third parties. This system, as many experts 
have reported, creates a host of security risks, making our online 
communications vulnerable to attack by thieves, hackers and other 
criminals.
  Mr. CRAIG. From an economic standpoint, foreign companies are winning 
an increasing number of contracts because consumers are unwilling to 
buy products that ensure third party access or require that keys be 
stored with government certified or operated facilities. This is 
particularly true since they can buy stronger encryption overseas from 
either foreign-owned companies or American owned companies on foreign 
soil. We must act quickly and prudently in addressing this problem.
  Mr. ASHCROFT. Mr. President, for several years we have debated, 
argued and discussed the real economic impact of continuing to follow 
the Administration's wrong-headed policy on encryption. In addition to 
the Administration, several members of Congress on both sides of the 
aisle have refused to consider many of the facts of encryption 
technology and the importance of the technology sector to our robust 
economy. After all these years, we have an historical opportunity to 
debate encryption on the floor of the U.S. Senate.
  Mr. CRAIG. I agree. With the rapid expansion of the ``super highway'' 
and Internet commerce, it is crucial we bring encryption legislation to 
the forefront. A secure, private and trusted national global 
information infrastructure is essential to promote citizens' privacy 
and economic growth.
  Mr. LEAHY. Encryption technology is not only a critical tool for 
protecting the confidentiality of our online communications and the 
privacy of our stored electronic information, it is also the building 
block for digital signatures. The future of electronic commerce 
requires that parties conducting business online be able to trust the 
authenticity of the contracts they enter and that the parties with whom 
they are dealing are who they say they are. In fact, a number of 
States, including my own State of Vermont, are making progress on 
crafting the rules for digital signatures and online commercial 
transactions.
  Mr. BURNS. Encryption is also an essential part of new ``digital 
signature'' techniques used to identify parties and authenticate 
transactions online. These techniques are widely viewed as an essential 
feature of electronic commerce. The use of digital signatures raises 
complex business and privacy issues, but these issues are completely 
separate from the questions raised by encryption used for 
confidentiality. There is a great deal of ongoing activity in the 
private sector and at the state level attempting to sort out these 
complex issues of business use and consumer protection. Federal digital 
signature legislation is clearly needed, but should be dealt with 
separately from encryption reform legislation.
  Mr. ASCHROFT. As in everything regarding the topic of encryption, we 
face some decisions and difficulties. Some would like to weigh down the 
already contentious issue of encryption with other unrelated issues, 
such as digital signatures. Now, at first blush, many may believe that 
these two issues are fundamentally tied, or that one necessarily raises 
the other. However, this is not true. While digital signature products 
may use some sort of encryption, they are not encryption. The potential 
debate on federal level digital signature legislation is a worthy 
debate, the nuances of what potential legislation may look like are 
many, and the differences in arguments regarding digital signatures and 
encryption are great.
  Mr. LEAHY. These are important issues that can and should be 
addressed separately from the immediate need for encryption legislation 
that protects privacy and confidentiality.
  Mr. ASHCROFT. I have heard that some object to even allowing for 
encryption and digital signature legislation to reside in different 
pieces of legislation, even if both were brought to the floor. They 
express their concern that without the inclusion of digital signatures 
that public networks cannot be adequately secure. This argument gives 
me great pause, mainly because it demonstrates a fundamental 
misconception of a digital signature. A digital signature does not 
secure the network but rather secures the signature. Applying the same 
logic to the analog world would dictate that contracts could not be 
written until we could adequately solve for the potential of forgeries. 
Obviously, we have not taken this approach yet individuals enter into 
millions of contracts every year.
  Mr. LEAHY. While digital signature legislation at the Federal level 
may help encourage the development of online commercial transaction 
rules, we must be careful not to stifle the development of efficient 
and inexpensive digital signature services by prematurely regulating --
or granting Federal agencies unfettered authority to regulate--in this 
area. We must particularly avoid creating a federal system for digital 
signatures that will become the national i.d. card for cyberspace. The 
Administration in its ``Framework for Global Electronic Commerce'' got 
it right when it said that ``participants in the marketplace--including 
consumers, business,

[[Page S8238]]

financial institutions, and on-line service providers--should define 
and articulate most of the rules that will govern electronic 
commerce.''

  Mr. ASHCROFT. All that said, encryption and digital signatures do not 
and should not be joined in the same legislation. The opportunity we 
have before us is to bring the encryption debate into the open and to 
pass legislation that adequately addresses the concerns of law 
enforcement, national security, privacy, and system security.
  Mr. ABRAHAM. At the same time, we have the opportunity to affect real 
growth in digital signature technologies by addressing digital 
signature as a separate piece of legislation during this Congress. We 
should not allow differences in encryption policy to stifle innovation 
and improvements in this exciting technology. Digital signature is 
crucial to ensuring the continued dynamic growth of electronic commerce 
in this country. Many in Congress recognize this, industry recognizes 
this, and the Administration agrees.
  Mr. CRAIG. In order to pass legislation in a timely manner it is 
important that it be in a clean bill with only the most essential 
language related to encryption; language that seeks to protect 
individual privacy, while at the same time addressing national security 
and law enforcement concerns.
  Mr. SHELBY. Mr. President, I rise because I have concerns about 
efforts to ease or remove export restrictions on certain hardware and 
software encryption products. Export controls on encryption and on 
other products serve a clearly defined purpose--to protect our nation's 
security. The Intelligence Committee believes that the effects on U.S. 
national security must be the paramount concern when considering any 
proposed change to encryption export policy, and the Committee will 
seek referral of any legislation regarding encryption export policy 
under its jurisdiction established under Senate Resolution 400. With 
our on-going investigation into the possible technology transfers to 
China, the Vice Chairman and I are also concerned that any effort to 
change U.S. export policy on encryption be consistent with the export 
policy review included in our investigation.
  Export restrictions on encryption products assist the Intelligence 
Community in its signals intelligence mission. By collecting and 
analyzing signals intelligence, U.S. intelligence agencies seek to 
understand the policies, intentions, and plans of foreign state and 
nonstate actors. Signals intelligence plays an important role in the 
formation of American foreign and defense policy. It is also a 
significant factor in the U.S. efforts to protect its citizens and 
armed forces against terrorism, the proliferation of weapons of mass 
destruction, narcotics trafficking, international crime and other 
threats to our nation's security.
  While the Committee recognizes the commercial interest in easing or 
removing export restrictions, it believes the safety of our citizens 
and armed forces should be the predominant concern when considering 
U.S. policy towards the export of any product. The Committee supports 
the continued control of encryption products, and believes that a 
comprehensive strategy on encryption export policy can be developed 
that addresses national security concerns as well as the promotion of 
American commercial interests abroad.
  I look forward to working with Senator Lott and others as legislation 
moves through the Senate.
  Mr. ASHCROFT. The bottom line to all of this is that we can move 
encryption legislation in this Congress, with the support of the 
majority leader. To hold up this progress works against national 
security, works against support of our law enforcement and erodes 
individual's privacy protections. We should all diligently work to 
craft an encryption bill that can come to the floor this session.
  Mr. LOTT. I agree with my colleagues. While I strongly support the 
passage of legislation on both encryption and on digital signatures, I 
am convinced that the best approach during this session is to deal with 
these matters in separate bills. Let me say again, that in order to 
pass legislation on both of these issues during this Congress, we must 
recognize that there are significant differences between these 
important and complex policy issues. Digital signature and certificate 
authority have appeared in various proposals in association with 
encryption. However, these matters need to be considered separately 
because they raise different questions and complications.
  A digital signature is a technical method for authenticating the 
identity of a sender or author.
  As its name implies, it is a digital version of a person's written 
signature. Encryption is a means to ensure confidentiality. It is a set 
of algorithms used to scramble and unscramble text in order to keep 
unauthorized person's from reading your computer data and messages. It 
is a technology that protects medical, business, and individual files 
from invasion. Again, encryption for confidentiality, and digital 
signatures for authentication and related certificate authorities, are 
not the same issue. Dealing with encryption and digital signatures in 
one piece of legislation could lead to the demise of such a weighted 
bill. Consequently, I am prepared and committed to moving separate 
bills dealing with these issues during this session. I urge my 
colleagues to support this dual track approach as my colleagues have 
recommended. I share the belief that this is the best chance for 
legislation to be passed in both of these areas during the 105th 
Congress.
  Congress needs to stop debating these issues and enact balanced 
legislation that will ensure the privacy rights of individuals while 
protecting America's public safety, economic, and national security 
interests.
  Mr. BURNS. I commend the Majority Leader and Senators Leahy, Craig, 
Ashcroft, Abraham, and Shelby for their continuing hard work and vision 
on these difficult but critical issues. I hope we will be able to move 
forward legislatively on both encryption reform and digital signatures 
this session.

                          ____________________