[Congressional Record Volume 145, Number 51 (Wednesday, April 14, 1999)]
[Senate]
[Pages S3705-S3707]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. McCAIN (for himself, Mr. Burns, Mr. Wyden, Mr. Leahy, Mr. 
        Abraham, and Mr. Kerry):
  S. 798. A bill to promote electronic commerce by encouraging and 
facilitating the use of encryption in interstate commerce consistent 
with the protection of national security, and for other purposes; to 
the Committee on Commerce, Science, and Transportation.


                  Introduction of the ``PROTECT'' Act

  Mr. BURNS. Mr. President, as the Members of the Senate know, for 
several years I have advocated the enactment of legislation that would 
facilitate the use of strong encryption. Beginning in the 104th 
Congress, I have introduced legislation that would ensure that the 
private sector continues to take the lead in developing innovative 
products to protect the security and confidentiality of our electronic 
information including the ability to export such American products.
  I am pleased to rise today to introduce with my Chairman, Senator 
McCain, the PROTECT ACT of 1999 (Promote Reliable On Line Transactions 
To Encourage Commerce and Trade). The bill reflects a number of 
discussions we have had this year about the importance of encryption in 
the digital age to promote electronic commerce, secure our confidential 
business and sensitive personal information, prevent crime and protect 
our national security by protecting the commercial information systems 
and electronic networks upon which America's critical infrastructures 
increasingly rely. I am extremely pleased to join with him in 
introducing this important legislation.
  While this bill differs in important respects from the PRO-CODE 
legislation I introduced in the previous Congress, I do think it 
accomplishes a number of very important objectives. Specifically, the 
bill:
  Prohibits domestic controls;
  Guarantees that American industry will continue to be able to come up 
with innovative products;

  Immediately decontrols encryption products using key lengths of 64 
bits or less;
  Permits the immediate exportability of 128 bit encryption in 
recoverable encryption products and in all encryption products to a 
broad group of legitimate and responsible commercial users and to users 
in allied countries;
  Recognizes the futility of unilateral export controls on mass market 
products and where there are foreign alternatives and so permits the 
immediate exportability of strong encryption products whenever a 
public-private advisory board and the Secretary of Commerce determine 
that they are generally available, publicly available, or available 
from foreign suppliers;
  Directs NIST to complete establishment of the Advanced Encryption 
Standard with 128 bit key lengths (the DES successor) by January 1, 
2002 (and ensures that it is led by the private sector and open to 
public comment); and
  Decontrols thereafter products incorporating the AES or its 
equivalent.
  Today, we are in a world that is characterized by the fact that 
nearly everyone has a computer and that those computers are, for the 
most part, connected to one another. In light of that fact, it is 
becoming more and more important to ensure that our communications over 
these computer networks are conducted in a secure way. It is no longer 
possible to say that when we move into the information age, we'll 
secure these networks, because we are already there. We use computers 
in our homes and businesses in a way that couldn't have been imagined 
10 years ago, and these computers are connected through networks, 
making it easier to communicate than ever before. This phenomenon holds 
the promise of transforming life in States like Montana, where health 
care and state-of-the-art education can be delivered over networks to 
people located far away from population centers. These new technologies 
can improve the lives of real people, but only if the security of 
information that moves over these networks is safe and reliable.

  The problem today is that our computer networks are not as secure as 
they could be; it is fairly easy for amateur hackers to break into our 
networks. They can intercept information; they can steal trade secrets 
and intellectual property; they can alter medical records; the list is 
endless. One solution to this, of course, is to let individuals and 
businesses alike take steps to secure that information. Encryption 
is one technology that accomplishes that.
  I am proud that today I have been able to join with Senator McCain to 
introduce this legislation which will enable Americans to use the 
Internet with confidence and security.
  Mr. LEAHY. Mr. President, this is the third Congress in which I have 
introduced and sponsored legislation to update our country's encryption 
policies. My objective has been to bolster the competitive edge of our 
Nation's high-tech companies, allow Americans to protect their online 
and electronically stored confidential information, trade secrets and 
intellectual property, and promote global electronic commerce. I am 
pleased to join Senators McCain, Wyden and Burns, in this continuing 
effort with the ``Promote Reliable On-Line Transactions to Encourage 
Commerce and Trade (PROTECT) Act of 1999.''
  In May 1996, I chaired a hearing on the Administration's ill-fated 
Clipper Chip key escrow encryption program that drove home the need for 
relaxed export controls on strong encryption. U.S. export controls on 
encryption technology were having a clear negative effect on the 
competitiveness of American hi-tech companies. Moreover, these controls 
were discouraging the use of strong encryption domestically since 
manufacturers generally made and marketed one product both for 
export and for domestic use here. At that hearing I heard testimony 
about 340 foreign encryption products that were available worldwide--
including for import into the United States--155 of which employed 
encryption in a strength that American companies were prohibited from 
exporting. That number has grown exponentially. As of December, 1997, 
there were 656 foreign encryption products available from 474 vendors 
in 29 different foreign countries.
  American companies certainly do not enjoy a monopoly on encryption 
know-how. The U.S. Commerce Department's National Institute of 
Standards and Technology (NIST) is developing an Advanced Encryption 
Standard (AES) to update the U.S. Data Encryption Standard (DES), the 
current global encryption standard. Only 5 of the 15 AES candidate 
algorithms submitted to NIST for evaluation were proposed from American 
companies or individuals. The remaining proposals came from Australia, 
Canada, France, Germany, Japan, Korea, United Kingdom, Israel, Norway, 
and Belgium.
  In the 104th Congress, I introduced encryption legislation on March 
5, 1996, with Senators Burns, Dole, Murray and others, to help 
Americans better protect their online privacy and allow American 
companies to compete more effectively in the global hi-tech 
marketplace. Specifically, the ``Encrypted Communications Privacy Act 
of 1996,'' S. 1587, would have relaxed export controls on strong 
encryption and promoted the widespread use of encryption to protect the 
security, confidentiality and privacy of online communications and 
stored electronic data. This bill would have legislatively confirmed 
the freedom of Americans to use and sell in the United States any 
encryption technology that most appropriately met their privacy and 
security needs. In addition, this bill would have relaxed export 
controls to allow the export of encryption products when comparable 
strength encryption was available from foreign suppliers, and 
encryption products that were generally available or in the public 
domain.

  In the years since that bill was introduced, the Administration has 
made some positive changes in its export policies. In October 1996, the 
Administration allowed the export of 56-bit DES encryption by companies 
that agreed to develop key recovery systems. This policy was supposed 
to sunset in two years. I strongly criticized this policy at the time, 
warning that this ``sunset'' provision ``does not promote our high-tech 
industries overseas.'' In fact, when the time came last year to return 
to the old export regime that allowed the export of only 40-bit 
encryption, the Administration relented and continues to permit the 
export of 56-bit encryption, with the condition of developing 
encryption programs with recoverable keys.
  The proposals I made in 1996 made sense then, and versions of these 
provisions are incorporated into the PROTECT Act today.
  Specifically, the PROTECT Act would provide immediate relief by 
allowing the export of encryption using key lengths of up to 64 bits. 
In addition, stronger encryption (more than 64-bit key lengths) would 
be exportable under a license exception, upon determination by a new 
Encryption Export Advisory Board that the product or service is 
generally available, publicly available or a comparable product is 
available from a foreign supplier. This determination is subject to 
approval by the Secretary of Commerce and to override by the President 
on national security grounds.
  This relief is important since the time and effort to crack 56-bit 
DES encryption is getting increasingly short. Indeed, earlier this 
year, a group of civilian computer experts broke a 56-bit encrypted 
message in less than 24 hours, beating a July 1998 effort that took 56 
hours.
  The breaking of 56-bit encryption comes as no surprise to those doing 
business, engaging in research, or conducting their personal affairs 
online. While 56-bit encryption may still serve as the global standard, 
this will not be the situation for much longer. 128-bit encryption is 
now the preferred encryption strength.
  For example, in order to access online account information from the 
Thrift Savings Plan for Federal Employees, Members and congressional 
staff must use 128-bit encryption. If you use weaker encryption, a 
screen pops up to say ``you cannot have access to your account 
information because your Web browser does not have Secure Socket Layer 
(SSL) and 128-bit encryption (the strong U.S./Canada-only version).''

  Likewise, the Department of Education has set up a Web site that 
allows prospective students to apply for student financial aid online. 
Significantly, the Education Department states that ``[t]o achieve 
maximum protection we recommend you use 128-bit encryption.''
  These are just a couple examples of government agencies or associated 
organizations directing or urging Americans to use 128-bit encryption. 
We should assume that people in other countries are getting the same 
directions and recommendations. Unfortunately, while American companies 
can fill the demand for this strong encryption here, they are not 
permitted to sell it abroad for use by people in other countries.
  Significantly, the PROTECT Act would permit the export of 128-bit 
(and higher) AES products by January 1, 2002. While not providing 
relief as quickly as I have urged in other encryption legislation, 
including the E-PRIVACY Act, S. 2067, in the last Congress, this bill 
moves in the right direction, and provides a sunset for unworkable 
encryption export controls. In my view, this bill would give most 
Internet users access to the strongest tools they need to protect their 
privacy starting in 2002--a long time by Net standards, but time our 
law enforcement and intelligence agencies say they need to address the 
global proliferation of strong encryption.
  Encryption is a critical tool for Americans to protect their privacy 
and safeguard their confidential electronic information, such as credit 
card numbers, personal health information, or private messages, from 
online thieves and snoops. This is important to encourage the continued 
robust growth of electronic commerce. A March 1999 report of the 
Vermont Internet Commerce Research Project that I commissioned analyzed 
barriers to Internet commerce in my home State, and found that ``the 
strongest obstacle among consumers'' was the perceived lack of 
security.
  Focusing on the export regime for encryption technology is only one 
aspect, albeit an important one, in the larger debate over how best to 
protect privacy in a digital and online environment. Legislation to 
provide encryption export relief is a start, but we also have important 
work to do in addressing broader privacy issues, such as establishing 
standards for law enforcement access to decryption assistance. I look 
forward to working with Senators McCain, Wyden and Burns on passage of 
the PROTECT Act as well as other privacy legislation.
  Mr. KERRY. Mr. President, today I join my esteemed colleagues, 
Senators McCain, Burns, Wyden, Leahy and Abraham in introducing 
legislation that will encourage sales of US information technology 
products while at the same time protecting our national security 
interests. The Promote Reliable On-Line Transactions to Encourage 
Commerce and Trade (PROTECT) Act of 1999 is an important first step 
that recognizes that as the Internet becomes more of a presence in 
global commerce, there must be guarantees and assurances that business 
and personal information remains confidential. It also recognizes that 
the US companies are leaders in creating the technology that serves 
this vital purpose, and that these companies are integral to our 
growing economy.
  United States information technology companies have been frustrated 
by what they perceive as too-stringent controls on the export of their 
encryption products. These controls have served a vital purpose in 
protecting national security interests. The realities of the 
marketplace and the technology sector, however, suggest that it is time to 
loosen our grip somewhat on the export controls we impose. Although the 
US is the leader in producing high quality, strong encryption products, 
other countries also have the ability to produce comparable products. 
We must recognize this reality and understand that while export 
controls can slow the spread of encrypted products, they cannot stop 
it. Importantly, controls that do not recognize this reality put our 
software industry at a disadvantage as it tries to compete in the 
global market.
  Nothing, of course, is more important than our national security. 
This legislation maintains strong guidelines to ensure that encryption 
technology is not sold to countries that pose a threat to our national 
security. It puts in place a number of reasonable checks to make 
certain that US encryption technology does not get into the wrong 
hands. At the same time, it takes into consideration that where 
encryption products are generally or publicly available, we should not 
unduly limit their sale to responsible entities in NATO, OECD or ASEAN 
countries. To do so would not only cause potential harm to US industry, 
but it could also have an unintended negative impact on our own 
security.
  I applaud Senator McCain for taking this first step towards resolving 
a complicated problem. As we work through this and other legislation 
that attempts to address the issue of encryption exports, I hope we can 
incorporate the best features into the strongest possible bill.
                                 ______