[House Report 105-108]
[From the U.S. Government Publishing Office]
105th Congress Rept. 105-108
HOUSE OF REPRESENTATIVES
1st Session Part 2
_______________________________________________________________________
SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT
_______
July 25, 1997.--Ordered to be printed
_______________________________________________________________________
Mr. Gilman, from the Committee on International Relations, submitted
the following
R E P O R T
together with
DISSENTING VIEWS
[To accompany H.R. 695]
The Committee on International Relations, to whom was
referred the bill (H.R. 695) to amend title 18, United States
Code, to affirm the rights of United States persons to use and
sell encryption and to relax export controls on encryption,
having considered the same, report favorably thereon with an
amendment and recommend that the bill as amended do pass.
The amendment is as follows:
Strike out all after the enacting clause and insert in lieu
thereof the following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Security and Freedom Through
Encryption (SAFE) Act''.
SEC. 2. SALE AND USE OF ENCRYPTION.
(a) In General.--Part I of title 18, United States Code, is amended
by inserting after chapter 121 the following new chapter:
``CHAPTER 122--ENCRYPTED WIRE AND ELECTRONIC INFORMATION
``2801. Definitions.
``2802. Freedom to use encryption.
``2803. Freedom to sell encryption.
``2804. Prohibition on mandatory key escrow.
``2805. Unlawful use of encryption in furtherance of a criminal act.
``Sec. 2801. Definitions
``As used in this chapter--
``(1) the terms `person', `State', `wire communication',
`electronic communication', `investigative or law enforcement
officer', `judge of competent jurisdiction', and `electronic
storage' have the meanings given those terms in section 2510 of
this title;
``(2) the terms `encrypt' and `encryption' refer to the
scrambling of wire or electronic information using mathematical
formulas or algorithms in order to preserve the
confidentiality, integrity, or authenticity of, and prevent
unauthorized recipients from accessing or altering, such
information;
``(3) the term `key' means the variable information used in a
mathematical formula, code, or algorithm, or any component
thereof, used to decrypt wire or electronic information that
has been encrypted; and
``(4) the term `United States person' means--
``(A) any United States citizen;
``(B) any other person organized under the laws of
any State, the District of Columbia, or any
commonwealth, territory, or possession of the United
States; and
``(C) any person organized under the laws of any
foreign country who is owned or controlled by
individuals or persons described in subparagraphs (A)
and (B).
``Sec. 2802. Freedom to use encryption
``Subject to section 2805, it shall be lawful for any person within
any State, and for any United States person in a foreign country, to
use any encryption, regardless of the encryption algorithm selected,
encryption key length chosen, or implementation technique or medium
used.
``Sec. 2803. Freedom to sell encryption
``Subject to section 2805, it shall be lawful for any person within
any State to sell in interstate commerce any encryption, regardless of
the encryption algorithm selected, encryption key length chosen, or
implementation technique or medium used.
``Sec. 2804. Prohibition on mandatory key escrow
``(a) Prohibition.--No person in lawful possession of a key to
encrypted information may be required by Federal or State law to
relinquish to another person control of that key.
``(b) Exception for Access for Law Enforcement Purposes.--Subsection
(a) shall not affect the authority of any investigative or law
enforcement officer, acting under any law in effect on the effective
date of this chapter, to gain access to encrypted information.
``Sec. 2805. Unlawful use of encryption in furtherance of a criminal
act
``Any person who willfully uses encryption in furtherance of the
commission of a criminal offense for which the person may be prosecuted
in a court of competent jurisdiction--
``(1) in the case of a first offense under this section,
shall be imprisoned for not more than 5 years, or fined in the
amount set forth in this title, or both; and
``(2) in the case of a second or subsequent offense under
this section, shall be imprisoned for not more than 10 years,
or fined in the amount set forth in this title, or both.''.
(b) Conforming Amendment.--The table of chapters for part I of title
18, United States Code, is amended by inserting after the item relating
to chapter 33 the following new item:
``122. Encrypted wire and electronic information............ 2801''.
SEC. 3. EXPORTS OF ENCRYPTION.
(a) Amendment to Export Administration Act of 1979.--Section 17 of
the Export Administration Act of 1979 (50 U.S.C. App. 2416) is amended
by adding at the end thereof the following new subsection:
``(g) Certain Consumer Products, Computers, and Related Equipment.--
``(1) General rule.--Subject to paragraphs (2), (3), and (4),
the Secretary shall have exclusive authority to control exports
of all computer hardware, software, and technology for
information security (including encryption), except thatwhich
is specifically designed or modified for military use, including
command, control, and intelligence applications.
``(2) Items not requiring licenses.--No validated license may
be required, except pursuant to the Trading With The Enemy Act
or the International Emergency Economic Powers Act (but only to
the extent that the authority of such Act is not exercised to
extend controls imposed under this Act), for the export or
reexport of--
``(A) any consumer product commercially available
within the United States or abroad which--
``(i) includes encryption capabilities which
are inaccessible to the end user; and
``(ii) is not designed for military or
intelligence end use;
``(B) any component or subassembly designed for use
in a consumer product described in subparagraph (A)
which itself contains encryption capabilities and is
not capable of military or intelligence end use in its
condition as exported;
``(C) any software, including software with
encryption capabilities--
``(i) that is generally available, as is, and
is designed for installation by the purchaser;
``(ii) that is in the public domain for which
copyright or other protection is not available
under title 17, United States Code, or that is
available to the public because it is generally
accessible to the interested public in any
form; or
``(iii) that is customized for an otherwise
lawful use by a specific purchaser or group of
purchasers;
``(D) any computing device solely because it
incorporates or employs in any form--
``(i) software (including software with
encryption capabilities) that is exempted from
any requirement for a validated license under
subparagraph (C); or
``(ii) software that is no more technically
complex in its encryption capabilties than
software that is exempted from any requirement
for a validated license under subparagraph (C)
but is not designed for installation by the
purchaser;
``(E) any computer hardware that is generally
available, solely because it has encryption
capabilities; or
``(F) any software or computing device solely on the
basis that it incorporates or employs in any form
interface mechanisms for interaction with other
hardware and software, including hardware, and
software, with encryption capabilities.
``(3) Software with encryption capabilities.--The Secretary
shall authorize the export or reexport of software with
encryption capabilities for nonmilitary end uses in any country
to which exports of software of similar capability are
permitted for use by financial institutions not controlled in
fact by United States persons, unless there is substantial
evidence that such software will be--
``(A) diverted to a military end use or an end use
supporting international terrorism;
``(B) modified for military or terrorist end use; or
``(C) reexported without any authorization by the
United States that may be required under this Act.
``(4) Hardware with encryption capabilities.--The Secretary
shall authorize the export or reexport of computer hardware
with encryption capabilities if the Secretary determines that a
product offering comparable security is commercially available
outside the United States from a foreign supplier, without
effective restrictions.
``(5) Definitions.--As used in this subsection--
``(A) the term `encryption' means the scrambling of
wire or electronic information using mathematical
formulas or algorithms in order to preserve the
confidentiality, integrity, or authenticity of, and
prevent unauthorized recipients from accessing or
altering, such information;
``(B) the term `generally available' means--
``(i) in the case of software (including
software with encryption capabilities),
software that is offered for sale, license, or
transfer to any person without restriction,
whether or not for consideration, including,
but not limited to, over-the-counter retail
sales, mail order transactions, phone order
transactions, electronic distribution, or sale
on approval; and
``(ii) in the case of hardware with
encryption capabilities, hardware that is
offered for sale, license, or transfer to any
person without restriction, whether or not for
consideration, including, but not limited to,
over-the-counter retail sales, mail order
transactions, phone order transactions,
electronic distribution, or sale on approval;
``(C) the term `as is' means, in the case of software
(including software with encryption capabilities), a
software program that is not designed, developed, or
tailored by the software publisher for specific
purchasers, except that such purchasers may supply
certain installation parameters needed by the software
program to function properly with the purchaser's
system and may customize the software program by
choosing among options contained in the software
program;
``(D) the term `is designed for installation by the
purchaser' means, in the case of software (including
software with encryption capabilities) that--
``(i) the software publisher intends for the
purchaser (including any licensee or
transferee), who may not be the actual program
user, to install the software program on a
computing device and has supplied the necessary
instructions to do so, except that the
publisher may also provide telephone help line
services for software installation, electronic
transmission, or basic operations; and
``(ii) the software program is designed for
installation by the purchaser without further
substantial support by the supplier;
``(E) the term `computing device' means a device
which incorporates one or more microprocessor-based
central processing units that can accept, store,
process, or provide output of data; and
``(F) the term `computer hardware', when used in
conjunction with information security, includes, but is
not limited to, computer systems, equipment,
application-specific assemblies, modules, and
integrated circuits.''.
(b) Continuation of Export Administration Act.--For purposes of
carrying out the amendment made by subsection (a), the Export
Administration Act of 1979 shall be deemed to be in effect.
SEC. 4. SENSE OF CONGRESS REGARDING INTERNATIONAL COOPERATION.
(a) Findings.--The Congress finds that--
(1) implementing export restrictions on widely available
technology without the concurrence of all countries capable of
producing, transshipping, or otherwise transferring that
technology is detrimental to the competitiveness of the United
States and should only be imposed on technology and countries
in order to protect the United States against a compelling
national security threat; and
(2) the President has not been able to come to agreement with
other encryption producing countries on export controls on
encryption and has imposed excessively stringent export
controls on this widely available technology.
(b) Sense of Congress.--It is the sense of the Congress that the
President should immediately take the necessary steps to call an
international conference for the purpose of coming to an agreement with
encryption producing countries on policies which will ensure that the
free use and trade of this technology does not hinder mutual security.
Background and Purpose
H.R. 695, the Security and Freedom Through Encryption
(SAFE) Act, represents a strong bipartisan effort to bring U.S.
laws on the export of encryption technology into the present
and future, by looking at the actual technological developments
taking place on the world stage. The SAFE Act enjoys strong
support in the House as reflected by the overwhelming number of
co-sponsors, including a majority of the Members of the
Committee on International Relations.
While differences still remain and the debate continues
between U.S. economic and commercial priorities and individual
civil liberties, on the one hand, and the needs and concerns of
law enforcement and national security agencies, the SAFE Act is
generating the political will to reform the existing regulatory
process to meet today's realities.
Encryption has been defined as referring to the use of
software or hardware to scramble wire or electronic information
using mathematical formulas or algorithms in order to preserve
the confidentiality, integrity, or authenticity of, and prevent
unauthorized recipients from accessing or altering such
information. While anyone can encrypt a message, only an
authorized person can convert a scrambled message back into its
original form.
The basic idea of modern encryption, or cryptography, is
that any message can be represented as a set of numbers (the
plaintext) used to transform the plaintext into a different set
of numbers (the ciphertext). Simply stated, keys consist of a
series of ones and zeros (called ``bits'), and are described in
terms of their ``length'', which is corresponds to the number
of possible combinations that can be used to decode a
particular message. A 40-bit key means that the number of
possible combinations of ones and zeros equals 2 to the 40th
power. It then follows that a 56-bit key is 2 to the 56th
power, which means that it is 2 to the 16th power stronger that
a 40-bit key.
Once the exclusive domain of the national security and
intelligence sectors, encryption now has an expanded
application, impacting the everyday lives of millions of
Americans. Today, banking systems, stock markets, air traffic
control systems, credit bureaus, telephone networks, weather
satellites, social security system, television networks,
civilian and government payrolls, and the Internet are all
directly affected by a flow of data managed by countless
computers and telecommunication networks around the world.
Computer technology now serves as the nervous system of modern
society.
It is increasingly difficult to protect the privacy and
confidentiality of transactions at all levels, and increasingly
important to do so. The Justice Department has estimated that
annual losses related to computer security breaches could be as
high as $7 billion. If this were adjusted to include the number
of undocumented cases by companies reluctant to report such
intrusions, the figure could be even higher. The National
Counterintelligence Center in their ``Annual Report to Congress
on Foreign Economic Collection and Industrial Espionage''
concluded that such ``specialized technical operations
(including computer intrusions, telecommunications targeting
and intercept, and private sector encryption weaknesses)
account for the largest portion of economic and industrial
information lost by corporations.''
Therefore, stronger encryption tools are widely viewed as
the key to providing security and privacy for the information
superhighway.
Current U.S. policy restricts the export of ``strong''
encryption hardware or software products with keys greater than
40 bits long--determined to be gravely inadequate by numerous
experts. The current Administration proposal, which would allow
the export of 56-bit encryption, is viewed as not meeting the
needs of U.S. companies to conduct business in a secure manner
with their suppliers, their business partners, their customers,
and even their affiliated companies outside the United States.
Supporting the need for higher encryption standards is the
fact that, on the same day that the companion legislation--the
McCain-Kerrey bill--was introduced in the Senate calling for a
56-bit limit on encryption exports, a group of independent
programmers and researchers cracked a 56-bit code using
computers linked across the Internet. This successful breaking
of 56-bit encryption clearly demonstrates the anachronistic
nature of current U.S. law and reflects how out-of-touch the
Administration's policy is with the needs of the global
marketplace.
The Administration's proposal would only allow the export
of 56-bit encryption for those who promise to build in ``key
recovery''. ``Key recovery'' or ``key escrow'' essentially
means that when stored data or electronic communications are
encrypted, a third party has a copy of the key needed to
decrypt the information. As presented by proponents of this
policy, escrowed encryption is intended to provide for
encryption protection for legitimate uses but also enable law
enforcement officials to gain access to the key when it is
necessary to decode the plaintext data as part of an
investigation.
This has been interpreted as an attempt to use the export
control process to manipulate and control the market for and
expansion of encryption technology, by making it easy to export
products with key recovery and difficult for those products
without. The logical basis for this policy is flawed as it is
rooted in the wrongful assumption that foreign competitors can
be convinced to alter their policy to parallel what U.S. policy
is calling for. The current policy is not based on fact but on
the optimistic view that the U.S. can influence other countries
not to export strong encryption without an escrow system.
Speculation does not make for good laws. Individually and
as a unit, many of our European allies have clearly illustrated
their commitment to allow market forces andindividual needs to
dictate the levels of encryption. In its April 1997 proposal entitled,
``A European Initiative in Electronic Commerce'', the European Union
stated as key elements of the Initiative to ensure a framework which
``boosts the trust and confidence of businesses for investments and
consumers to make use of electronic commerce by dismantling remaining
legal and regulatory barriers and preventing the creation of new
obstacles.'' It goes on to say that: ``The use of strong encryption
which ensures the confidentiality of both sensitive commercial and of
personal data is one of the foundation stones of electronic commerce .
. . The Community (European Community) shall work at the international
level towards the removal of trade barriers for encryption products.''
Even the more conservative recommendations made in March
1997 by the Council of the Organization for Economic
Cooperation and Development, clearly state that: ``Users should
have access to cryptography that meets their needs, so that
they can trust in the security of information and
communications systems, and the confidentiality and integrity
of data on those systems.'' The Council further underscores
that: ``Government controls on cryptographic methods . . .
should respect user choice to the greatest extent possible . .
. and should not be interpreted as implying that governments
should initiate legislation which limits user choice.''
Finally, they add: ``The development and provision of
cryptographic methods should be determined by the market in an
open and competitive environment. Such an approach would best
ensure that solutions keep pace with changing technology, the
demands of users and evolving threats to communications systems
security.''
While U.S. companies are kept at 40-bit encryption or at
56-bit with the condition that they commit to develop key
recovery, non-U.S. exporters, particularly the countries of the
European Union, are producing packages that include encryption
technology using 128 bits leaving American companies far behind
in the race to capture new markets.
Furthermore, American companies are placed at a competitive
disadvantage by being forced to create and deploy two separate
systems to meet two separate standards. Because of the
nightmare this would create, most U.S. businesses end up making
their exportable products subject to the same restrictions as
their domestic products. By not allowing U.S. industries to
provide secure products in the face of strong foreign
competitors who are not restricted by outdated export controls,
current law is hurting U.S. businesses. No one will buy
encryption products for which the U.S. government can obtain a
key. A recent report by the CEOs of 13 large American
technology companies concluded that the U.S. computer industry
could potentially lose up to $30-60 billion annually by the
year 2000 due to these export controls.
At a fundamental level, evaluating the value of key
recovery systems in and of themselves, eleven of the world's
top cryptographers concluded that key recovery systems would
create new vulnerabilities. A key recovery system would create
serious difficulties as it would require a vast infrastructure
of recovery agents and oversight entities to manage access to
the keys. In their May 1997 report entitled, ``The Risks of Key
Recovery, Key Escrow, and Trusted Third Party Encryption'',
these experts also determined that ``the field of cryptography
has no experience in deploying secure systems of this scope and
complexity'' and that such systems could potentially cost many
billions of dollars.
Key recovery systems do not even meet the national security
needs on which the policy is based on. The Software Publishers
Association has documented hundreds of foreign encryption
products already widely available abroad and which criminals,
terrorists, and foreign governments have access to. It is the
upstanding, law-abiding citizen who suffers.
The fact is that strong encryption helps to further the
goals of law enforcement and national security, more than key
recovery could ever hope to. In its landmark report on
encryption policy, the blue-ribbon National Research Council
concluded the following about the use of strong encryption:
If cryptography can protect the trade secret and
proprietary information of business and thereby reduce
economic espionage (which it can), it also supports in
a most important manner the job of law enforcement. If
cryptography can help protect nationally critical
information systems and networks against unauthorized
penetration (which it can), it also supports the
national security of the United States.
In summary, if U.S. laws are not changed soon, not as
mandated by the Administration's policy or its companion
legislation in the Senate, but as H.R. 695 attempts to do,
world standards for security technology will shift away from
the U.S. as customers buy products from foreign manufacturers.
The U.S. government will not have a view into the security
technology that replaces U.S. technology as the world
standards. U.S. industries will lose control of information
security technologies which are vital to economic security. It
will cost the U.S. economy billions of dollars and hundreds of
thousands of jobs.
On July 7, 1997, German Economics Minister Guenter Rexrodt
called for the removal of restrictions on encryption technology
in his opening remarks for a two-day conference on Internet
commerce attended by 40 government ministers from the European
union, the United States, Russia, Japan and Canada. ``Users can
only protect themselves against having data manipulated,
destroyed or spied on through the use of strong encryption
procedures,'' Rexrodt said, ``that is why we have to use all of
our powers to promote such procedures instead of blocking
them.''
Individual Americans and U.S. businesses should be afforded
the same protection and the same opportunities as other
countries provide their own people and industries.H.R. 695--the
SAFE Act--does just that. It is aimed at correcting the unfair and
unsafe situation that currently exists under current law as it:
prohibits export controls on ``generally available'' commercial
encryption except for military end-users or to identified individuals
or organizations in specific foreign countries; does not require
reporting for companies after export; prohibits mandatory use of key
recovery; denies liability protection and penalties for key holders;
denies foreign government access to keys under specified conditions if
key holder is used voluntarily; prohibits U.S. government and law
enforcement access to keys by court order if key holder is used
voluntarily; codifies existing domestic use policy; gives the Secretary
of Commerce exclusive jurisdiction over export of commercial encryption
except for military end-uses or to identified individuals or
organizations in specific foreign countries.
In essence, H.R. 695 prevents economic espionage while
protecting hundreds of thousands of American jobs by affording
all Americans the freedom to use any type of encryption
anywhere in the world; by allowing any type of encryption to be
sold in the United States; and creates a level playing field by
permitting the export of the generally available software,
hardware, and other encryption-related computer products.
The Committee hopes that other Members realize the need,
value, and importance of H.R. 695 as it works its way through
the legislative process. In the interest of the American
people, of U.S. economic leadership and growth, and of national
security, the Committee hopes that the House will pass the SAFE
Act.
Committee Action
H.R. 695 was introduced by Representative Goodlatte on
February 12, 1997, and referred to the Committee on Judiciary
and in addition to the Committee on International Relations for
a period subsequently to be determined by the Speaker. It was
reported to the House by the Committee on the Judiciary,
amended, on May 22, 1997 (H. Rept. 105-108). On May 22, 1995,
the referral to the Committee on International Relations was
extended through July 11, 1997, and on June 26, 1997, the
referral to the Committee on International Relations was
extended for a period ending not later than July 25, 1997.
On June 26, 1997, the bill was referred, in addition, to
Committees on Commerce, National Security, and the Permanent
Select Committee on Intelligence for a period ending not later
than September 5, 1997, for consideration of such provisions of
the bill and the amendment reported by the Committee on the
Judiciary as fall within the jurisdiction of those committees
pursuant to clause 1(3) and (k), rule X and rule XLVIII,
respectively.
On May 8, 1997, the Subcommittee on International Economic
Policy and Trade held a hearing entitled: ``Encryption:
Individual Right to Privacy vs. National Security.'' Witnesses
for this hearing included: Hon. William Reinsch, Under
Secretary of Commerce, Bureau of Export Administration; Hon.
William Crowell, Deputy Director, National Security Agency;
Hon. Robert Litt, Deputy Assistant Attorney General, Criminal
Division, U.S. Department of Justice; Mr. John Gage, Director,
Science Office, Sun Microsystems, Inc.; Mr. Humphrey Polanen,
General Manager, Network Security Products Group, Sun
Microsystems, Inc.; Jerry Berman, Executive Director, Center
for Democracy and Technology; Tom Parenty, Director of
Security, Sybase Corporation; and Stephen T. Walker, President
and CEO, Chairman of the Board of Directors, Trusted
Information Systems.
On May 29, 1997, the Full Committee held a Members briefing
on H.R. 695, ``the Security and Freedom through Encryption
(SAFE) Act.'' Speakers for the briefing included Hon. Louis
Freeh, Director, Federal Bureau of Investigation and Hon.
William Crowell, Deputy Director, National Security Agency.
On June 4, 1997, the Subcommittee on International Economic
Policy and Trade held a Members Briefing on the future of U.S.-
European trade relations. Speakers for the briefing included:
Hon. David L. Aaron, U.S. Ambassador to the Organization for
Economic Cooperation and Development (OECD); H.E. Hugo Paemen,
Head of the Delegation to the United States of the Commission
of the European Union; and Dr. Dominique vanderMensbrugghe,
Senior Economist, OECD Development Center.
On June 24, 1997, the Subcommittee on International
Economic Policy and Trade held a mark-up of H.R. 695, ``the
Security and Freedom through Encryption (SAFE) Act''. Witnesses
included: Congressman Bob Goodlatte.
Amendment.--An en bloc amendment was offered by Ros-
Lehtinen, Gejdenson, Campbell and Sherman. The amendment
removes the distinction between mass market and customized
software thus ensuring that customized software is also subject
to liberalized export controls. It expands section 3 on exports
of encryption by including consumer products which do not
necessarily fall under the umbrella of ``computing'' products
but which also require and use encryption. It broadens the
scope and definition of ``generally available'' to include
hardware with encryption capabilities. The amendment also adds
a fourth section to the bill in the form of a sense of Congress
regarding international cooperation. The amendment passed by
voice vote.
A motion to report the bill, as amended, to the Full
Committee passed by a roll call vote, as follows:
Voting yes: Ros-Lehtinen, Manzullo, Chabot, Campbell,
Blunt, Brady, Rohrabacher, Gejdenson, Danner, Hilliard,
Sherman, Rothman, Clement, Luther.
Voting no: Bereuter.
Passed: 14-1.
On June 26, 1997, the Full Committee held a classified
Members briefing on the impact of H.R. 695, ``the Security and
Freedom through Encryption (SAFE) Act'' on national security
and law enforcement activities. Speakers for the briefing
included: Hon. Louis Freeh, Director, Federal Bureau of
Investigation; Hon. William Crowell, Deputy Director, National
Security Agency; Hon. William Reinsch, Under Secretary of
Commerce, Bureau of Export Administration.
On July 22, 1997, the Full Committee marked up the bill in
open session, pursuant to notice. The Committee first adopted
the amendment recommended by the Subcommittee on International
Economic Policy by unanimous consent, as original text for the
purposes of amendment. Representatives Goodlatte and Lofgren
and representatives of the Administration (The Hon. William
Reinsch, Under Secretary of Commerce; Mr. Jim Kallstrom,
Federal Bureau of Investigation; Mr. James R. Taylor, National
Security Agency; and Mr. Anthony Bocchichio of the Drug
Enforcement Agency) responded to questions from members during
the course of the markup.
After further consideration, on that date, a quorum being
present, the Full Committee by voice vote ordered the bill
reported to the House with the recommendation that the bill, as
amended, do pass.
Rollcall votes on amendments
In compliance with clause (2)(l)(2)(B) of rule XI of the
Rules of the House of Representatives, the record of committee
roll call votes on final passage or amendments during the full
committee's consideration of H.R. 695 is set out below, as is a
report of the full committee's final action on the bill.
Description of Amendment, Motion, Order, or Other Proposition (votes
during markup of H.R. 695--July 22, 1997)
Vote No. 1.--Gilman amendment provide that certain items
could not be exported if in the opinion of the President they
would endanger the national security.
Voting Yes: Gilman, Leach, Bereuter, Gallegly, Fox,
Hamilton, Berman, Menendez, Brown, Danner, Rothman, Clement,
and Davis.
Voting No: Smith, Ros-Lehtinen, Ballenger, Rorhabacher,
Manzullo, Royce, King, Chabot, Sanford, Houghton, Campbell,
Blunt, Moran, Brady, Gejdenson, Ackerman, Hastings, Hilliard,
Capps, Sherman, Wexler, and Luther.
Ayes, 13. Noes, 22.
Note: The bill was subsequently ordered reported favorably,
amended, by voice vote, a quorum being present, on July 22,
1997.
Section-by-Section Analysis
Section 1. Short Title
This section states that this Act may be cited as the
``Security and Freedom Through Encryption (SAFE) Act''.
Section 2. Sale And Use Of Encryption
This section states that, in general, Part I of Title 18,
United States Code, is amended by adding a new chapter after
chapter 121.
This section also creates ``Chapter 122-Encrypted Wire And
Electronic Information'' which includes sections; 2801.
Definitions., 2802. Freedom To Use Encryption., 2803. Freedom
to Sell Encryption., 2804. Prohibition On Mandatory Key
Escrow., 2805. Unlawful Use Of Encryption in the furtherance of
a criminal act.
Section 2801 is titled ``Definitions'' and provides
definitions for ``person'' ``State'' ``wire communication''
``electronic communication'', ``investigative or law
enforcement officer'', judge of competent jurisdiction'',
``electronic storage'', ``encrypt'', ``encryption'', ``key'',
and ``United States person''. Many of these definitions were
taken explicitly from 18 U.S.C. 2810.
New section 2802 states that it is legal for any person in
the United States or any United States person in a foreign
country, to use any form of encryption regardless of the
algorithm, key length, or technique used in the encryption.
New section 2803 states that it is legal for any person in
the United States to sell in interstate commerce encryption
products using any form of encryption regardless of the
algorithm, key length, or technique used. The Committee intends
that Sections 2802 and 2803 be read as limitations on
government power. They should not be read as overriding
otherwise lawful employer policies concerning employee use of
the employers computer system, nor as limiting the employer's
otherwise lawful means for remedying violations of those
policies.
New section 2804 specifically prohibits requiring any
person in lawful possession of an encryption key to turn that
key over to another person. This section prevents any form of
mandatory key escrow system with an exception for any law
enforcement personnel or a member of the intelligence
community.
New section 2805 make it a crime to use encryption
unlawfully in furtherance of some other crime. This new crime
is punishable with a sentence of 5 years for a first offence
and 10 years. This section requires that for a person to
violate this section that person must be found guilty of some
other federal felony crime and was deliberately using
encryption to avoid detection of that other federal felony
crime.
Subsection 2(b) of H.R. 695 provides for a conforming
amendment to the table of chapters in Title 18.
Section 3. Export of Encryption
Subsection 3(a) of H.R. 695 amends the Export
Administration Act by creating a new subsection (g) entitled
``Computers and Related Equipment,'' to 50 U.S.C. App. 2416.
New subsection (g)1 place all encryption products, except
those specifically designed or modified for military use, under
the jurisdiction of the Secretary of Commerce.
New subsection (g)2 allows encryption software that is
generally available or in the public domain, like mass-market
software products, to be exported freely except pursuant to the
Trading With The Enemy Act or the International Emergency
Economic Powers Act (but only to the to the extent that the
authority of such Act is not exercised to extend controls
imposed under this Act.). The Subcommittee on International
Economic Policy and Trade, on an amendment offered by Chair
Ros-Lehtinen and Ranking Member Gejdenson, and others, amended
Subsection (g)2 on a voice vote in Subcommittee to include
certain other consumer products, or component or subassembly
(provided those components are not capable of military or
intelligence end use in its condition as exported.), which have
encryption capabilities that are inaccessible to the end user
and which are commercially available within the United States
or abroad. These product as discussed by the Subcommittee are
consumer products such as small dish satellite receivers,
digital video disk players, smart cards, Web TV, etc. These
products, which are commercially available within the United
States or abroad, were viewed by the Subcommittee as being
clearly and purely for consumer end-use and not for military
purposes. The Ros-Lehtinen amendment also amended (g)2 to
include customized software for an otherwise lawful purpose by
a specific purchaser or group of purchasers.
New subsection (g)3 requires the Secretary of Commerce to
allow other encryption software to be exported unless there is
substantial evidence that will be put to military or terrorist
uses or that it will be reexported without U.S. authorization.
New subsection (g)4 requires the Secretary to allow the
export of hardware with encryption capabilities when the
Commerce Department finds that it is commercially available
from foreign suppliers without effective restrictions.
New subsection (g)5 provides definitions for this
subsection. The subcommittee amendment offered by Chair Ros-
Lehtinen, and others also amended this subsection to include
the same consumer products added to subsection (g)2.
As the Ros-Lehtinen amendment adopted in the Subcommittee
on International Economic Policy and Trade stated, the
Committee would like to reiterate that, with the ever
increasing use of computer technology and computer information
(hardware and software) in consumer product lines for
protection of privacy, information security, and intellectual
property interests, it intends this legislation to cover all
devices--whether traditional computing devices or convergent
consumer products that incorporate encryption. The applications
covered by this legislation include video, audio, and data
communications systems and telecommunication equipment.
Hardware and software containing encryption, such as encoders,
decoders, and network terminals, which are essential to protect
the video signal, are therefore included under section 3(a) of
this Act. As well as video, audio, data communications systems
containing encryption and decryption capability are used by
cable, satellite, and wireless delivery systems. This
legislation is also intended to include set-top devices and
other terminals where the encryption is not directly available
to the user but is used for purposes such as pay per view, and
hardware such as network computers, telephones or cable modems,
satellite uplinks and downlinks.
Subsection 3(b) of H.R. 695 provides that for the purposes
of carrying out the amendment made by subsection 3(a), the
Export Administration Act shall be deemed to be in effect. This
statement is necessary because Congress failed to reauthorize
the Export Administration Act and it expired in 1994. The
Administration maintains the Export Administration Act policies
by executive order. The Committee plans to reauthorize the
Export Administration Act in this Congress.
Section 4. Sense of Congress Regarding International Cooperation
This section asks on the President to call an international
conference for the purpose ofachieving an agreement among the
encryption producing countries on policies which will ensure that the
free use and trade of this technology does not hinder mutual
technology.
Committee Oversight Findings
In compliance with clause 2(l)(3)(A) of rule XI of the
Rules of the House of Representatives, the Committee reports
the findings and recommendations of the Committee, based on
oversight activities under clause 2(b)(1) of rule X of the
Rules of the House of Representatives, are incorporated in the
descriptive portions of this report.
Committee on Government Reform and Oversight Findings
No findings or recommendations of the Committee on
Government Reform and Oversight were received as referred to in
clause 2(l)(3)(D) of rule XI of the Rules of the House of
Representatives.
Advisory Committee Statement
No advisory committees within the meaning of section 5(b)
of the Federal Advisory Committee Act were created by this
legislation.
Applicability to the Legislative Branch
The Committee finds that the legislation does not relate to
the terms and conditions of employment or access to public
services or accommodations within the meaning of section
102(b)(3) of the Congressional Accountability Act.
Constitutional Authority Statement
In compliance with clause 2(l)(4) of rule XI of the Rules
of the House of Representatives, the Committee cites the
following specific powers granted to the Congress in the
Constitution as authority for enactment of H.R. 695 as reported
by the Committee: Article I, section 8, clause 1 (relating to
providing for the common defense and general welfare of the
United States); and Article I, section 8, clause 18 (relating
to making all laws necessary and proper for carrying into
execution powers vested by the Constitution in the government
of the United States).
New Budget Authority and Tax Expenditures, Congressional Budget Office
Cost Estimate
The Committee expects to adopt a cost estimate of the
Congressional Budget Office as its submission of any new
required information on new budget authority, new spending
authority, new credit authority, or an increase or decrease in
the national debt, which it expects to provide in a
supplemental report.
Federal Mandates Statement
The Committee adopts as its own the estimate of Federal
mandates prepared by the Director of the Congressional Budget
Office pursuant to section 423 of the Unfunded Mandates Reform
Act.
U.S. Congress,
Congressional Budget Office,
Washington, DC, July 25, 1997.
Hon. Benjamin Gilman,
Chairman, Committee on International Relations,
House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed mandates statement for H.R. 695, the
Security and Freedom Through Encryption (SAFE) Act. CBO's
analysis of the bill's federal costs will be sent to you as
soon as it is completed.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contacts are Pepper
Santalucia (for the state and local impact) and Matt Eyles (for
the private-sector impact).
Sincerely,
Jane E. O'Neill, Director.
Enclosure.
congressional budget office mandates statement
H.R. 695--Security and Freedom Through Encryption (SAFE) Act
H.R. 695 would allow individuals in the United States to
use and sell any form of encryption and would prohibit states
or the federal government from requiring individuals to
relinquish the key to encryption technologies to any third
party. The bill also would prevent the Bureau of Export
Administration in the Department of Commerce from restricting
the export of most nonmilitary encryption products. Finally,
H.R. 695 would establish criminal penalties and fines for the
willful use of encryption technologies in committing criminal
offenses.
The bill would prohibit states from requiring persons to
make encryption keys available to another person or entity.
This prohibition would be an intergovernmental mandate as
defined in the Unfunded Mandates Reform Act of 1995 (UMRA).
However, states would bear no costs as a result of this mandate
because none currently require the registration or availability
of such keys. H.R. 695 contains no private-sector mandates as
defined in UMRA.
Changes in Existing Law Made by the Bill, as Reported
In compliance with clause 3 of rule XIII of the Rules of the
House of Representatives, changes in existing law made by the
bill, as reported, are shown as follows (new matter is printed
in italic and existing law in which no change is proposed is
shown in roman):
TITLE 18, UNITED STATES CODE
* * * * * * *
PART I--CRIMES
Chap. Sec.
1. General provisions......................................... 1
* * * * * * *
122. Encrypted wire and electronic information................... 2801
* * * * * * *
CHAPTER 122--ENCRYPTED WIRE AND ELECTRONIC INFORMATION
2801. Definitions.
2802. Freedom to use encryption.
2803. Freedom to sell encryption.
2804. Prohibition on mandatory key escrow.
2805. Unlawful use of encryption in furtherance of a criminal act.
Sec. 2801. Definitions
As used in this chapter--
(1) the terms ``person'', ``State'', ``wire
communication'', ``electronic communication'',
``investigative or law enforcement officer'', ``judge
of competent jurisdiction'', and ``electronic storage''
have the meanings given those terms in section 2510 of
this title;
(2) the terms ``encrypt'' and ``encryption'' refer to
the scrambling of wire or electronic information using
mathematical formulas or algorithms in order to
preserve the confidentiality, integrity, or
authenticity of, and prevent unauthorized recipients
from accessing or altering, such information;
(3) the term ``key'' means the variable information
used in a mathematical formula, code, or algorithm, or
any component thereof, used to decrypt wire or
electronic information that has been encrypted; and
(4) the term ``United States person'' means--
(A) any United States citizen;
(B) any other person organized under the laws
of any State, the District of Columbia, or any
commonwealth, territory, or possession of the
United States; and
(C) any person organized under the laws of
any foreign country who is owned or controlled
by individuals or persons described in
subparagraphs (A) and (B).
Sec. 2802. Freedom to use encryption
Subject to section 2805, it shall be lawful for any person
within any State, and for any United States person in a foreign
country, to use any encryption, regardless of the encryption
algorithm selected, encryption key length chosen, or
implementation technique or medium used.
Sec. 2803. Freedom to sell encryption
Subject to section 2805, it shall be lawful for any person
within any State to sell in interstate commerce any encryption,
regardless of the encryption algorithm selected, encryption key
length chosen, or implementation technique or medium used.
Sec. 2804. Prohibition on mandatory key escrow
(a) Prohibition.--No person in lawful possession of a key to
encrypted information may be required by Federal or State law
to relinquish to another person control of that key.
(b) Exception for Access for Law Enforcement Purposes.--
Subsection (a) shall not affect the authority of any
investigative or law enforcement officer, acting under any law
in effect on the effective date of this chapter, to gain access
to encrypted information.
Sec. 2805. Unlawful use of encryption in furtherance of a criminal act
Any person who willfully uses encryption in furtherance of
the commission of a criminal offense for which the person may
be prosecuted in a court of competent jurisdiction--
(1) in the case of a first offense under this
section, shall be imprisoned for not more than 5 years,
or fined in the amount set forth in this title, or
both; and
(2) in the case of a second or subsequent offense
under this section, shall be imprisoned for not more
than 10 years, or fined in the amount set forth in this
title, or both.
* * * * * * *
----------
SECTION 17 OF THE EXPORT ADMINISTRATION ACT OF 1979
Sec. 17. (a) * * *
* * * * * * *
(g) Certain Consumer Products, Computers, and Related
Equipment.--
(1) General rule.--Subject to paragraphs (2), (3),
and (4), the Secretary shall have exclusive authority
to control exports of all computer hardware, software,
and technology for information security (including
encryption), except that which is specifically designed
or modified for military use, including command,
control, and intelligence applications.
(2) Items not requiring licenses.--No validated
license may be required, except pursuant to the Trading
With The Enemy Act or the International Emergency
Economic Powers Act (but only to the extent that the
authority of such Act is not exercised to extend
controls imposed under this Act), for the export or
reexport of--
(A) any consumer product commercially
available within the United States or abroad
which--
(i) includes encryption capabilities
which are inaccessible to the end user;
and
(ii) is not designed for military or
intelligence end use;
(B) any component or subassembly designed for
use in a consumer product described in
subparagraph (A) which itself contains
encryption capabilities and is not capable of
military or intelligence end use in its
condition as exported;
(C) any software, including software with
encryption capabilities--
(i) that is generally available, as
is, and is designed for installation by
the purchaser;
(ii) that is in the public domain for
which copyright or other protection is
not available under title 17, United
States Code, or that is available to
the public because it is generally
accessible to the interested public in
any form; or
(iii) that is customized for an
otherwise lawful use by a specific
purchaser or group of purchasers;
(D) any computing device solely because it
incorporates or employs in any form--
(i) software (including software with
encryption capabilities) that is
exempted from any requirement for a
validated license under subparagraph
(C); or
(ii) software that is no more
technically complex in its encryption
capabilties than software that is
exempted from any requirement for a
validated license under subparagraph
(C) but is not designed for
installation by the purchaser;
(E) any computer hardware that is generally
available, solely because it has encryption
capabilities; or
(F) any software or computing device solely
on the basis that it incorporates or employs in
any form interface mechanisms for interaction
with other hardware and software, including
hardware, and software, with encryption
capabilities.
(3) Software with encryption capabilities.--The
Secretary shall authorize the export or reexport of
software with encryption capabilities for nonmilitary
end uses in any country to which exports of software of
similar capability are permitted for use by financial
institutions not controlled in fact by United States
persons, unless there is substantial evidence that such
software will be--
(A) diverted to a military end use or an end
use supporting international terrorism;
(B) modified for military or terrorist end
use; or
(C) reexported without any authorization by
the United States that may be required under
this Act.
(4) Hardware with encryption capabilities.--The
Secretary shall authorize the export or reexport of
computer hardware with encryption capabilities if the
Secretary determines that a product offering comparable
security is commercially available outside the United
States from a foreign supplier, without effective
restrictions.
(5) Definitions.--As used in this subsection--
(A) the term ``encryption'' means the
scrambling of wire or electronic information
using mathematical formulas or algorithms in
order to preserve the confidentiality,
integrity, or authenticity of, and prevent
unauthorized recipients from accessing or
altering, such information;
(B) the term ``generally available'' means--
(i) in the case of software
(including software with encryption
capabilities), software that is offered
for sale, license, or transfer to any
person without restriction, whether or
not for consideration, including, but
not limited to, over-the-counter retail
sales, mail order transactions, phone
order transactions, electronic
distribution, or sale on approval; and
(ii) in the case of hardware with
encryption capabilities, hardware that
is offered for sale, license, or
transfer to any person without
restriction, whether or not for
consideration, including, but not
limited to, over-the-counter retail
sales, mail order transactions, phone
order transactions, electronic
distribution, or sale on approval;
(C) the term ``as is'' means, in the case of
software (including software with encryption
capabilities), a software program that is not
designed, developed, or tailored by the
software publisher for specific purchasers,
except that such purchasers may supply certain
installation parameters needed by the software
program to function properly with the
purchaser's system and may customize the
software program by choosing among options
contained in the software program;
(D) the term ``is designed for installation
by the purchaser'' means, in the case of
software (including software with encryption
capabilities) that--
(i) the software publisher intends
for the purchaser (including any
licensee or transferee), who may not be
the actual program user, to install the
software program on a computing device
and has supplied the necessary
instructions to do so, except that the
publisher may also provide telephone
help line services for software
installation, electronic transmission,
or basic operations; and
(ii) the software program is designed
for installation by the purchaser
without further substantial support by
the supplier;
(E) the term ``computing device'' means a
device which incorporates one or more
microprocessor-based central processing units
that can accept, store, process, or provide
output of data; and
(F) the term ``computer hardware'', when used
in conjunction with information security,
includes, but is not limited to, computer
systems, equipment, application-specific
assemblies, modules, and integrated circuits.
DISSENTING VIEWS
While well-intentioned, this bill's one-dimensional focus
on the decontrol of encryption products would upset the vital
balance that U.S. policy seeks to strike between the
competitiveness of American industry and U.S. national security
and law enforcement goals. The bill would prohibit any
licensing or review of exports of encrypted software and
hardware items. Consequently, its implementation would not only
hinder our national security efforts but also undermine the
Administration's ability to forge an international consensus on
the use and implementation of national key recovery policies.
While SAFE Act advocates correctly point out that the
Administration has not yet achieved a multilateral consensus
endorsing its preference for a key management infrastructure
approach on encryption issues, it should be noted that recent
cryptography guidelines adopted by the Organization for
Economic Cooperation and Development have stressed the need to
balance privacy, law enforcement, national security concerns,
and commercial interests. They also underline the fact that
failure to coordinate these policies could cripple the global
information network and impede international trade.
A July policy brief published by the Brookings Institution
by Kenneth Flamm on ``Deciphering the Cryptography Debate''
noted along the same lines that:
``A level playing field, with common global rules of the
game, is needed to avoid giving economic rivals competitive
advantages over one another. The administration made an
important and correct decision in seeking an international
consensus on the key recovery approach to strong encryption and
must be sure to continue to work hard in seeking this common
global approach. While it has yet to achieve such a consensus
within the OECD, many of the key players with the technical
capability to ship advanced cryptography products and affect
global markets--Britain, France and (quietly) Japan--are
supporting the U.S. approach, and if a few more (like Germany
and Israel) can be brought on board, the critical mass around
which the core of an international agreement can be assembled
will exist.''
If enacted in its current form, this bill would undermine
any prospects for achieving such consensus and would compel a
number of the OECD countries to put additional import
restrictions in place blocking the entry of our strongest
encryption products.
We recognize that the development of strong encryption can
play a vital role in the development of electronic commerce and
promoting privacy but the development of key recovery policies
is essential to head off a potential crisis in the years ahead
for our law enforcement authorities. If strong encryption is in
widespread use in the near future, it will make it virtually
impossible to decipher encrypted communications. Brute force
attacks to crack encryption algorithms in that type of
environment are not feasible or realistic, especially in the
time sensitive cases where law enforcement needs access to
encrypted files to save lives.
By removing all controls on the export of any software and
hardware with encryption capabilities, this bill threatens U.S.
national security and law enforcement interests.
With respect to U.S. national security, encrypted
communications make it more difficult for U.S. intelligence
agencies to monitor communications relating to terrorism,
weapons proliferation, military operations, and other threats
to U.S. national security interests. The Administration does
not dispute the contention of U.S. software manufacturers that
encryption products are in use around the world.
But the Administration also points out that these products
are not yet being widely used by individuals, groups, and
governments whose activities pose threats to U.S. security and
safety. As we understand it, the goal of U.S. export control
policy is not to prevent the spread ofencryption worldwide--
something which clearly cannot be done--but to slow down the spread of
these products enough to give U.S.-led diplomacy an opportunity to
achieve increased multilateral cooperation on common export control
policies and on the adoption of a global key management infrastructure.
Such an international key management infrastructure would enable U.S.
intelligence and law enforcement agencies to cooperate with their
counterparts in friendly countries in gaining access to communications
that threaten common security and safety interests.
The elimination of all U.S. controls on encryption exports
will also jeopardize domestic law enforcement. We recognize
that encryption is essential to the fulfillment of the promise
of electronic commerce and to the protection of individual
privacy in a networked world. But encryption also complicates
the mission of U.S. law enforcement agencies, because it can
make it impossible for law enforcement personnel to understand
data and communications to which they have been granted access
under court order or other proper legal authority.
This is why current U.S. policy seeks to promote the
adoption of key recovery features in encryption products used
in the United States. Export controls are a key component of
this policy. Under current practice, U.S. firms are permitted
to export powerful encryption products if they already include
key recovery features or if they pledge to develop such
features during the next two years. If we eliminate all U.S.
export controls, as this bill would do, the federal government
will therefore lose one of its most important means for
promoting the development of key recovery in the U.S. market.
That will harm U.S. law enforcement.
Lawful wiretapping and duly authorized court-ordered access
to information and materials on a timely basis are essential
tools for police and law enforcement authorities. If this
legislation were to be enacted in its present form, the
resultant proliferation of global and interconnected encryption
has the very real potential to deny our local, state and
federal authorities the timely access they now enjoy to data
and other communications, even after a court order has been
issued.
More than one half the annual court-ordered wire taps are
at the state and local level, and of the national total for all
such wire taps, more than 70% are for drug-related cases.
Congressional action on this legislation has the potential to
affect our cities and towns where the devastating impact of
illicit drugs already causes nearly $70 billion in annual
societal costs. We ought not to add to that carnage and
destruction by denying law enforcement one of the most
effective tools against this scourge, timely access to lawful
requests for information needed to combat these crimes.
Attorney General Janet Reno, our nation's chief law
enforcement officer, urged the members of our Committee to
consider the effects of this legislation in her July 18, 1997,
letter to the International Relations Committee. She said that
``* * * the misuse of encryption technology will become a
matter of life and death in many instances. That is why we urge
you to adopt a balanced approach.'' We invite the attention of
Members to correspondence from our Nation's law enforcement and
national security leaders, appended below.
During the full committee's consideration of H. R. 695,
Chairman Gilman offered an amendment which would have helped to
create this necessary balance in the bill. It would have
provided the President the authorities to control the export
and reexport of encrypted items if he determines that they
would adversely affect our national security and our ability to
fight crimes such as drug trafficking, terrorism and espionage.
This amendment was, unfortunately, not adopted.
Other Committees of the House including National Security,
Intelligence and Commerce will now review this legislation
through September 5 before it is considered by the full House
later this year. We urge our colleagues on these Committees as
well as our colleagues on the International Relations and the
Judiciary Committees to review this legislation very carefully
and consider its impact on our society and our ability to fight
terrorism and protect our national security interests.
Benjamin A. Gilman.
Lee H. Hamilton.
Doug Bereuter.
------
Office of the Attorney General,
Washington, DC, July 18, 1997.
Dear Member of Congress: Congress is considering a variety
of legislative proposals concerning encryption. Some of these
proposals would, in effect, make it impossible for the Federal
Bureau of Investigation (FBI), Drug Enforcement Administration
(DEA), Secret Service, Customs Service, Bureau of Alcohol,
Tobacco and Firearms, and other federal, state, and local law
enforcement agencies to lawfully gain access to criminal
telephone conversations or electronically stored evidence
possessed by terrorists, child pornographers, drug kingpins,
spies and other criminals. Since the impact of these proposals
would seriously jeopardize safety and national security, we
collectively urge you to support a different, balanced approach
that strongly supports commercial and privacy interests but
maintains our ability to investigate and prosecute serious
crimes.
We fully recognize that encryption is critical to
communications security and privacy, and that substantial
commercial interests are at stake. Perhaps in recognition of
these facts, all the bills being considered allow market forces
to shape the development of encryption products. We, too, place
substantial reliance on market forces to promote electronic
security and privacy, but believe that we cannot rely solely on
market forces to protect the public safety and national
security. Obviously, the government cannot abdicate its solemn
responsibility to protect public safety and national security.
Currently, of course, encryption is not widely used, and
most data is stored, and transmitted, in the clear. As we move
from a plain text world to an encrypted one, we have a critical
choice to make: we can either (1) choose robust, unbreakable
encryption that protects commerce and privacy but gives
criminals a powerful new weapons, or (2) choose robust,
unbreakable encryption that protects commerce and privacy and
gives law enforcement the ability to protect public safety. The
choice should be obvious and it would be a mistake of historic
proportions to do nothing about the dangers to public safety
posed by encryption without adequate safeguards for law
enforcement.
Let there be no doubt: without encryption safeguards, all
Americans will be endangered. No one disputes this fact; not
industry, not encryption users, no one. We need to take
definitive actions to protect the safety of the public and
security of the nation. That is why law enforcement at all
levels of government--including the Justice Department,
Treasury Department, the National Association of Attorneys
General, International Association of Chiefs of Police, the
Major City Chiefs, the National Sheriffs' Association, and the
National District Attorneys Association--are so concerned about
this issue.
We all agree that without adequate legislation, law
enforcement in the United States will be severely limited in
its ability to combat the worst criminals and terrorists.
Further, law enforcement agrees that the widespread use of
robust non-key recovery encryption ultimately will devastate
our ability to fight crime and prevent terrorism.
Simply stated, technology is rapidly developing to the
point where powerful encryption will become commonplace both
for routine telephone communications and for stored computer
data. Without legislation that accommodates public safety and
national security concerns, society's most dangerous criminals
will be able to communicate safely and electronically store
data without fear of discovery. Court orders to conduct
electronic surveillance and court-authorized search warrants
will be ineffectual, and the Fourth Amendment's carefully-
struck balance between ensuring privacy and protecting public
safety will be forever altered by technology. Technology should
not dictate public policy, and it should promote, rather than
defeat, public safety
We are not suggesting the balance of the Fourth Amendment
be tipped toward law enforcement either. To the contrary, we
only seek the status quo, not the lessening of any legal
standard or the expansion of any law enforcement authority. The
Fourth Amendment protects the privacy and liberties of our
citizens but permits law enforcement to use tightly controlled
investigative techniques to obtain evidence of crimes. The
result has been the freest country in the world with the
strongest economy.
Law enforcement has already confronted encryption in high-
profile espionage, terrorist, and criminal cases. For example:
An international terrorist was plotting to blow up 11
U.S.-owned commercial airliners in the Far East. His
laptop computer, which was seized in Manila, contained
encrypted files concerning this terrorist plot;
A subject in a child pornography case used encryption
in transmitting obscene and pornographic images of
children over the Internet; and
A major international drug trafficking subject
recently used a telephone encryption device to
frustrate court-approved electronic surveillance.
And this is just the tip of the iceberg. Convicted spy Aldrich
Ames, for example, was told by the Russian Intelligence Service
to encrypt computer file information that was to be passed to
them.
Further, today's international drug trafficking
organizations are the most powerful, ruthless and affluent
criminal enterprises we have ever faced. We know from numerous
past investigations that they have utilized their virtually
unlimited wealth to purchase sophisticated electronic equipment
to facilitate their illegal activities. This has included state
of the art communication and encryption devices. They have used
this equipment as part of their command and control process for
their international criminal operations. We believe you share
our concern that criminals will increasingly take advantage of
developing technology to further insulate their violent and
destructive activities.
Requests for cryptographic support pertaining to electronic
surveillance interceptions from FBI Field Offices and other law
enforcement agencies have steadily risen over the past several
years. There has been an increase in the number of instances
where the FBI's and DEA's court-authorized electronic efforts
were frustrated by the use of encryption that did not allow for
law enforcement access.
There have also been numerous other cases where law
enforcement, through the use of electronic surveillance, has
not only solved and successfully prosecuted serious crimes but
has also been able to prevent life-threatening criminal acts.
For example, terrorists in New York were plotting to bomb the
United Nations building, the Lincoln and Holland Tunnels, and
26 Federal Plaza as well as conduct assassinations of political
figures. Court-authorized electronic surveillance enabled the
FBI to disrupt the plot as explosives were being mixed.
Ultimately, the evidence obtained was used to convict the
conspirators. In another example, electronic surveillance was
used to stop and then convict two men who intended to kidnap,
molest, and kill a child. In all of these cases, the use of
encryption might have seriously jeopardized public safety and
resulted in the loss of life.
To preserve law enforcement's abilities, and to preserve
the balance so carefully established by the Constitution, we
believe any encryption legislation must accomplish three goals
in addition to promoting the widespread use of strong
encryption. It must establish:
A viable key management infrastructure that promotes
electronic commerce and enjoys the confidence of
encryption users;
A key management infrastructure that supports a key
recovery scheme that will allow encryption users access
to their own data should the need arise, and that will
permit law enforcement to obtain lawful access to the
plain text of encrypted communications and data; and
An enforcement mechanism that criminalizes both
improper use of encryption key recovery information and
the use of encryption for criminal purposes.
Only one bill, S. 909 (the McCain/Kerrey/Hollings bill),
comes close to meeting these core public safety, law
enforcement, and national security needs. The other bills being
considered by Congress, as currently written, risk great harm
to our ability to enforce the laws and protect our citizens. We
look forward to working to improve the McCain/Kerrey/Hollings
bill.
In sum, while encryption is certainly a commercial interest
of great importance to this Nation, it is not solely a
commercial or business issue. Those of us charged with the
protection of public safety and national security, believe that
the misuse of encryption technology will become a matter of
life and death in many instances. That is why we urge you to
adopt a balanced approach that accomplishes the goals mentioned
above. Only this approach will allow police departments,
attorneys general, district attorneys, sheriffs, and federal
authorities to continue to use their most effective
investigative techniques, with court approval, to fight crime
and espionage and prevent terrorism.
Sincerely your,
Janet Reno, Attorney General; Louis Freeh,
Director, Federal Bureau of Investigation;
Thomas A. Constantine, Director, Drug
Enforcement Administration; Raymond W.
Kelly, Undersecretary for Enforcement, U.S.
Department of Treasury; John W. Magaw,
Director, Bureau of Alcohol, Tobacco and
Firearms; Barry McCaffrey, Director, Office
of National Drug Control Policy; Lewis C.
Merletti, Director, United States Secret
Service; George J. Weise, Commissioner,
United States Customs Service.
------
The Secretary of Defense,
Washington, DC, July 21, 1997.
Dear Member of Congress: Recently you received a letter
from the nation's senior law enforcement officials regarding US
encryption policies. I am writing today to express my strong
support for their views on this important issue.
As you know, the Department of Defense is involved on a
daily basis in countering international terrorism, narcotics
trafficking, and the proliferation of weapons of mass
destruction. The spread of unbreakable encryption, as a
standard feature of mass market communication products,
presents a significant threat to the ability of the US and its
allies to monitor the dangerous groups and individuals involved
in these activities. Passage of legislation which effectively
decontrols commercial encryption exports would undermine U.S.
efforts to foster the use of strong key recovery encryption
domestically and abroad. Key recovery products will preserve
governments' abilities to counter worldwide terrorism,
narcotics trafficking and proliferation.
It is also important to note that the Department of Defense
relies on the Federal Bureau of Investigation for the
apprehension and prosecution of spies. Sadly, there have been
over 60 espionage convictions of federal employees over the
last decade. While these individuals represent a tiny minority
of government employees, the impact of espionage activities on
our nation's security can be enormous. As the recent arrests of
Nicholson, Pitts and Kim clearly indicate, espionage remains a
very serious problem. Any policies that detract from the FBI's
ability to perform its vital counterintelligence function,
including the ability to perform wiretaps, inevitably detract
from the security of the Department of Defense and the nation.
Encryption legislation must also address the nation's
domestic information security needs. Today, approximately 95%
of DoD communications rely on public networks; other parts of
government, and industry, are even more dependent on the
trustworthiness of such networks. Clearly, we must ensure that
encryption legislation addresses these needs. An approach such
as the one contained in S. 909 can go a long way toward
balancing the need for strong encryption with the need to
preserve national security and public safety. I hope that you
will work with the Administration to enact legislation that
addresses these national security concerns as well as the
rights of the American people.
I appreciate your consideration of these views.
Sincerely,
Bill Cohen.
------
International Association of Chiefs of Police,
Alexandria, VA, July 21, 1997.
Dear Member of Congress: Enclosed is a letter sent to you
by the Attorney General, the Director of National Drug Control
Policy and all the federal law enforcement heads concerning
encryption legislation being considered by congress.
Collectively we, the undersigned, represent over 17,000 police
departments including every major city police department, over
3,000 sheriffs departments, nearly every district attorney in
the United States and all of the state Attorneys General. We
fully endorse the position taken by our federal counterparts in
the enclosed letter. As we have stated many times, Congress
must adopt a balanced approach to encryption that fully
addresses public safety concerns or the ability of state and
local law enforcement to fight crime and drugs will be severely
damaged.
Any encryption legislation that does not ensure that law
enforcement can gain timely access to the plaintext of
encrypted conversations and information by established legal
procedures will cause grave harm to public safety. The risk
cannot be left to the uncertainty of market forces or
commercial interests as the current legislative proposals would
require. Without adequate safeguards, the unbridled use of
powerful encryption soon will deprive law enforcement of two of
its most effective tools, court authorized electronic
surveillance and the search and seizure of information stored
in computers. This will substantially tip the balance in the
fight against crime towards society's most dangerous criminals
as the information age develops.
We are in unanimous agreement that congress must adopt
encryption legislation that requires the development,
manufacture, distribution and sale of only key recovery
products and we are opposed to the bills that do not do so.
Only the key recovery approach will ensure that law enforcement
can continue to gain timely access to the plaintext of
encrypted conversations and other evidence of crimes when
authorized by a court to do so. If we lose this ability--and
the bills you are considering will have this result--it will be
a substantial set back for law enforcement at the direct
expense of public safety.
Sincerely yours,
Darrell L. Sanders,
President, International
Association of Chiefs of
Police.
James E. Doyle,
President, National
Association of Attorneys
General.
Fred Scoralic,
President, National
Sheriffs' Association.
William L. Murphy,
President, National District
Attorneys Association.
�