[Congressional Record Volume 144, Number 124 (Thursday, September 17, 1998)]
[Senate]
[Page S10515]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




               ADMINISTRATION'S UPDATED ENCRYPTION POLICY

  Mr. LEAHY. Mr. President, when the Administration first announced the 
encryption policy that has been in effect for the past two years, I 
warned on October 1, 1996, that:

       The general outline of the Administration's plan smacks of 
     the government trying to control the marketplace for high-
     tech products. Only those companies that agree to turn over 
     their business plans to the government and show that they are 
     developing key recovery systems, will be rewarded with 
     permission to sell abroad products with DES encryption, which 
     is the global encryption standard.

  The Administration announced yesterday that it is finally fixing this 
aspect of its encryption policy. New Administration guidelines will 
permit the export of 56-bit DES encryption without a license, after a 
one-time technical review, to all users outside the seven terrorist 
countries. No longer will the Administration require businesses to turn 
over business plans and make promises to build key recoverable products 
for the freedom to export 56-bit DES.
  In 1996, I also raised serious questions about the Administration's 
proposal to pull the plug on 56-bit DES exports in two years. I warned 
at the time that this ``sunset'' provision ``does not promote our high-
tech industries overseas.'' I specifically asked,

       Does this mean that U.S. companies selling sophisticated 
     computer systems with DES encryption overseas must warn their 
     customers that the supply may end in two years? Customers 
     both here and abroad want stable suppliers, not those jerked 
     around by their government.

  I am pleased that the Administration has also changed this aspect of 
its policy and adopted an export policy with no ``sunset.'' Instead, 
the Administration will conduct a review of its policy in one year to 
determine how well it is working.
  Indeed, while 56-bit encryption may still serve as the global 
standard, this will not be the situation for much longer. 128-bit 
encryption is now the preferred encryption strength.
  In fact, to access online account information from the Thrift Savings 
Plan for Federal Employees, Members and congressional staff must use 
128-bit encryption. If you use weaker encryption, a screen pops up to 
say ``you cannot have access to your account information because your 
Web browser does not have Secure Socket Layer (SSL) and 128-bit 
encryption (the strong U.S./Canada-only version).''
  Likewise, the Department of Education has set up a Web site that 
allows prospective students to apply for student financial aid online. 
Significantly, the Education Department states that ``[t]o achieve 
maximum protection we recommend you use 128-bit encryption.''
  These are just a couple examples of government agencies or associated 
organizations directing or urging Americans to use 128-bit encryption. 
We should assume that people in other countries are getting the same 
directions and recommendations. Unfortunately, while American companies 
can fill the demand for this strong encryption here, they will still 
not be permitted to sell this strength encryption abroad for use by 
people in other countries.
  Nevertheless, the Administration's new encryption policy announced 
today moves in the right direction to bolster the competitive edge of 
our Nation's high-tech companies, allow American companies to protect 
their confidential and trade secret information and intellectual 
property in communications with subsidiaries abroad, and promote global 
electronic commerce. These are objectives I have sought to achieve in 
encryption legislation that I have introduced and cosponsored with 
bipartisan support in this and the last Congress.
  I remain concerned, however, that privacy safeguards and standards 
for law enforcement access to decryption assistance are ignored in the 
Administration's new policy. These are critical issues that continue to 
require our attention.

                          ____________________