[Congressional Record Volume 145, Number 52 (Thursday, April 15, 1999)]
[Senate]
[Pages S3771-S3772]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                            THE PROTECT ACT

  Mr. McCAIN. Mr. President, yesterday I introduced a bill to ``Promote 
Reliable On-Line Transactions to Encourage Commerce and Trade,'' the 
PROTECT Act. This legislation seeks to promote electronic commerce by 
encouraging and facilitating the use of encryption in interstate 
commerce consistent with the protection of United States law 
enforcement and national security goals and missions.
  During the last Congress, there was a very intense debate surrounding 
the encryption issue. That debate, as with any discussion regarding 
encryption technology, centered around the challenge of balancing free 
trade objectives with national security and law enforcement interests. 
There were various proposals put forward. None, however, emerged as a 
viable solution. In the end, the debate became polarized, as many 
became entrenched upon basic approaches, losing sight of the overall 
policy objectives upon which everyone generally agreed.
  It was my objective to get outside the box of last year's debate. In 
the past, balancing commercial and national security interests has been 
treated as a zero sum game, as if the only way to forward commercial 
interest was at the expense of national security, or vice versa. This 
is simply not the case. Certainly, advanced encryption technologies 
present a unique set of challenges for the national security and law 
enforcement community. However, these challenges are not 
insurmountable.
  What the PROTECT Act does is to lay out a forward-looking approach 
to encryption exportation, a course that puts into place a rational, 
fact-based procedure for making export decisions, that places high 
priority on bringing the national security and law enforcement 
community up to speed in a digital age, and that ultimately provides a 
national security backstop to make certain that advanced encryption 
products do not fall into the hands of those who would threaten the 
national security interests of the United States.
  Title I of the legislation deals with domestic encryption. The bill 
establishes that private sector use, development, manufacture, sale, 
distribution and import of encryption products, standards and services 
shall be voluntary and market driven. Further, the government is 
prevented from tying encryption used for confidentiality to encryption 
used for authentication. It is established that it is lawful for any 
person in the United States, and for any U.S. person in a foreign 
country, to develop, manufacture, sell, distribute, import, or use any 
encryption product.
  The PROTECT Act prohibits mandatory government access to plaintext. 
The bill prohibits the government from standards setting or creating 
approvals or incentives for providing government access to plaintext, 
while preserving existing authority for law enforcement and national 
security agencies to obtain access to information under existing law.
  Title II of the legislation deals with government procurement 
procedures.

The bill makes clear that it shall be the policy of the Federal 
government to permit the public to interact with the government through 
commercial networks and infrastructure and protect the privacy and 
security of any electronic communications and stored information 
obtained by the public.
  The Federal government is encouraged to purchase encryption products 
for its own use, but is required to ensure that such products will 
interoperate with other commercial encryption products, and the 
government is prohibited from requiring citizens to use a specific 
encryption product to interact with the government.
  Title II of the PROTECT Act authorizes and directs NIST to complete 
establishment of the Advanced Encryption Standard by January 1, 2002. 
Further, the bill ensures the process is led by the private sector and 
open to comment. Beyond the NIST role in establishing the AES, the 
Commerce Department is expressly prohibited from setting encryption 
standards--including U.S. export controls--for private computers.
  A critical component of the PROTECT Act is improving the government's 
technological capabilities. Much of the concern from law enforcement 
and national security agencies is rooted in the unfortunate reality 
that the government lags desperately behind in their understanding of 
advanced technologies, and their ability to achieve goals and missions 
in the digital age.
  This legislation expands NIST's Information Technology Laboratory 
duties to include: (a) obtaining information regarding the most current 
hardware, software, telecommunications and other capabilities to 
understand how to access information transmitted across networks; (b) 
researching and developing new and emerging techniques and technologies 
to facilitate access to communications and electronic information; (c) 
researching and developing methods to detect and prevent unwanted 
intrusions into commercial computer networks; (d) providing assistance 
in responding to information security threats at the request of other 
Federal agencies and law enforcement; (e) facilitating the development 
and adoption of ``best information security practices'' between the 
agencies and the private sector.
  The duties of the Computer System Security and Privacy Board are 
expanded to include providing a forum for communication and 
coordination between industry and the Federal government regarding 
information security issues, and fostering dissemination of general, 
nonproprietary and nonconfidential developments in important 
information security technologies to appropriate federal agencies.
  Title V of the legislation deals with the export of encryption 
products. The Secretary of Commerce is granted sole jurisdiction over 
commercial encryption products, except those specifically designed or 
modified for military use, including command and control and 
intelligence applications. The legislation clarifies that the U.S. 
government may continue to impose export controls on all encryption 
products to terrorist countries, and embargoed countries; that the U.S. 
government may continue to prohibit exports of particular encryption 
products to specific individuals, organizations, country, or countries; 
and that encryption products remain subject to all export controls 
imposed for any reason other than the existence of encryption in the 
product.

  Encryption products utilizing a key length of 64 bits or less are 
decontrolled. Further, certain additional products may be exported or 
reexported under license exception. These include: recoverable 
products; encryption products to legitimate and responsible entities or 
organizations and their strategic partners, including on-line 
merchants; encryption products sold or licensed to foreign governments 
that are members of NATO, ASEAN, and OECD; computer hardware or 
computer software that does not itself provide encryption capabilities, 
but that incorporates APIs of interaction with encryption products; and 
technical assistance or technical data associated with the installation 
and maintenance of encryption products.
  The Commerce Department is required to make encryption products and 
related computer services eligible for a license exception after a 15-
day, one-time technical review. Exporters may export encryption 
products if no action is taken within the 15-day period.
  A formal process is established whereby encryption products employing 
a key length greater than 64 bits may be granted an exemption from 
export controls. Under the procedures established by this legislation, 
encryption products may be exported under license exception if: the 
Secretary of Commerce determines that the product or service is 
exportable under the Export Administration Act, or if the Encryption 
Export Advisory Board created under this Act determines, and the 
Secretary agrees, that the product or service is generally available, 
publicly available, or a comparable encryption product is available, or 
will be available in 12 months, from a foreign supplier.
  As referenced, the PROTECT Act creates an Encryption Export Advisory 
Board to make recommendations regarding general, public and foreign 
availability of encryption products to the Secretary of Commerce who 
must make such decisions to allow an exemption. The Secretary's 
decision is subject to judicial review. The President may override any 
decision of the Board or Secretary for purposes of national security 
without judicial review. This process is critical. It ensures that the 
manufacturer or exporter of an encryption product may rely upon the 
Board's determination that the product is generally or publicly 
available or that a comparable foreign product is available, and may 
thus export the product without consequences. However, a critical 
national security backstop is provided. Regardless of the 
recommendation of the board, or the decision of the Secretary, the 
President is granted the absolute authority to deny the export of 
encryption technology in order to protect U.S. national security 
interest. However, a process of review is established whereby market-
availability, and other relevant information may be gathered and 
presented in order to ensure that such determinations are informed and 
rational.
  Any products with greater than a 64 bit key length that have been 
granted previous exemptions by the administration are grandfathered, 
and decontrolled for export. Upon adoption of the AES, but not later 
than January 1, 2002, the Secretary must decontrol encryption products 
if the encryption employed is the AES or its equivalent.
  Finally, the PROTECT Act prohibits the Secretary from imposing any 
reporting requirements on any encryption product not subject to U.S. 
export controls or exported under a license exception.
  Mr. President, as I have stated, my purpose in putting this 
legislation together was to get outside the zero sum game thinking that 
has become so indicative of the debate surrounding the encryption 
export controls. I would like to commend the outstanding and creative 
leadership of Senator Burns on this issue. He is a leader on technology 
issues in the Senate, and has played an invaluable role in developing 
this approach. I look forward to working with him, and our other 
original cosponsor in building the support necessary to see the PROTECT 
Act signed into law during this Congress.
