[House Report 105-108]
[From the U.S. Government Publishing Office]



105th Congress                                            Rept. 105-108
                        HOUSE OF REPRESENTATIVES

 1st Session                                                     Part 3
_______________________________________________________________________


 
       SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT OF 1997

                               __________

                              R E P O R T

                                 OF THE

                     COMMITTEE ON NATIONAL SECURITY

                        HOUSE OF REPRESENTATIVES

                                   ON

                                H.R. 695

                             together with

                   ADDITIONAL AND SUPPLEMENTAL VIEWS

      [Including cost estimate of the Congressional Budget Office]





               September 12, 1997.--Ordered to be printed


                  HOUSE COMMITTEE ON NATIONAL SECURITY
                       One Hundred Fifth Congress

               FLOYD D. SPENCE, South Carolina, Chairman
BOB STUMP, Arizona                   RONALD V. DELLUMS, California
DUNCAN HUNTER, California            IKE SKELTON, Missouri
JOHN R. KASICH, Ohio                 NORMAN SISISKY, Virginia
HERBERT H. BATEMAN, Virginia         JOHN M. SPRATT, Jr., South 
JAMES V. HANSEN, Utah                    Carolina
CURT WELDON, Pennsylvania            SOLOMON P. ORTIZ, Texas
JOEL HEFLEY, Colorado                OWEN PICKETT, Virginia
JIM SAXTON, New Jersey               LANE EVANS, Illinois
STEVE BUYER, Indiana                 GENE TAYLOR, Mississippi
TILLIE K. FOWLER, Florida            NEIL ABERCROMBIE, Hawaii
JOHN M. McHUGH, New York             MARTIN T. MEEHAN, Massachusetts
JAMES TALENT, Missouri               ROBERT A. UNDERWOOD, Guam
TERRY EVERETT, Alabama               JANE HARMAN, California
ROSCOE G. BARTLETT, Maryland         PAUL McHALE, Pennsylvania
HOWARD ``BUCK'' McKEON, California   PATRICK J. KENNEDY, Rhode Island
RON LEWIS, Kentucky                  ROD R. BLAGOJEVICH, Illinois
J.C. WATTS, Jr., Oklahoma            SILVESTRE REYES, Texas
MAC THORNBERRY, Texas                TOM ALLEN, Maine
JOHN N. HOSTETTLER, Indiana          VIC SNYDER, Arkansas
SAXBY CHAMBLISS, Georgia             JIM TURNER, Texas
VAN HILLEARY, Tennessee              F. ALLEN BOYD, Jr., Florida
JOE SCARBOROUGH, Florida             ADAM SMITH, Washington
WALTER B. JONES, Jr., North          LORETTA SANCHEZ, California
    Carolina                         JAMES H. MALONEY, Connecticut
LINDSEY GRAHAM, South Carolina       MIKE McINTYRE, North Carolina
SONNY BONO, California               CIRO D. RODRIGUEZ, Texas
JIM RYUN, Kansas                     CYNTHIA A. McKINNEY, Georgia
MICHAEL PAPPAS, New Jersey
BOB RILEY, Alabama
JIM GIBBONS, Nevada
BILL REDMOND, New Mexico
                    Andrew K. Ellis, Staff Director


                            C O N T E N T S

                              ----------                              
                                                                   Page

Purpose and Background...........................................     2
Legislative History..............................................     6
Section-by-Section Analysis......................................     6
  Section 1--Short Title.........................................     6
  Section 2--Sale and Use of Encryption..........................     6
  Section 3--Exports of Encryption...............................     7
Committee Position...............................................     7
Fiscal Data......................................................     7
  Congressional Budget Office Estimate...........................     7
  Congressional Budget Office Cost Estimate......................     8
  Committee Cost Estimate........................................    10
  Inflation Impact Statement.....................................    10
Oversight Findings...............................................    10
Constitutional Authority Statement...............................    10
Statement of Federal Mandates....................................    10
Roll Call Vote...................................................    11
Changes in Existing Law Made by the Bill, as Reported............    13
Additional views of Patrick J. Kennedy...........................    14
Supplemental views of Jane Harman................................    16
Supplemental views of Loretta Sanchez............................    18


105th Congress                                            Rept. 105-108
                        HOUSE OF REPRESENTATIVES

 1st Session                                                     Part 3
_______________________________________________________________________


       SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT OF 1997

_______________________________________________________________________


               September 12, 1997.--Ordered to be printed

                                _______
                                

  Mr. Spence, from the Committee on National Security, submitted the 
                               following

                              R E P O R T

                             together with

                   ADDITIONAL AND SUPPLEMENTAL VIEWS

                        [To accompany H.R. 695]

      [Including cost estimate of the Congressional Budget Office]

  The Committee on National Security, to whom was referred the 
bill (H.R. 695) to amend title 18, United States Code, to 
affirm the rights of United States persons to use and sell 
encryption and to relax export controls on encryption, having 
considered the same, report favorably thereon with amendments 
and recommend that the bill as amended do pass.
  The amendments are as follows:
  Strike section 3 and insert the following:

 SEC. 3. EXPORTS OF ENCRYPTION.

  (a) Export Control of Encryption Products Not Controlled on 
the United States Munitions List.--The Secretary of Commerce, 
with the concurrence of the Secretary of Defense, shall have 
the authority to control the export of encryption products not 
controlled on the United States Munitions List. Decisions made 
by the Secretary of Commerce with the concurrence of the 
Secretary of Defense with respect to exports of encryption 
products under this section shall not be subject to judicial 
review.
  (b) License Exception For Certain Encryption Products.--
Encryption products with encryption strength equal to or less 
than the level identified in subsection (d) shall be eligible 
for export under a license exception after a 1-time review, if 
the encryption product being exported does not include features 
that would otherwise require licensing under applicable 
regulations, is not destined for countries, end-users, or end-
uses that the Secretary of Commerce has determined by 
regulation, with the concurrence of the Secretary of Defense, 
are ineligible to receive such products, and is otherwise 
qualified for export.
  (c) One-Time Product Review.--The Secretary of Commerce, with 
the concurrence of the Secretary of Defense, shall specify the 
information that must be submitted for the 1-time review 
referred to in subsection (b).
  (d) Eligible Encryption Levels.--
          (1) Initial eligibility level.--Not later than 30 
        days after the date of the enactment of this Act, the 
        President shall notify the Congress of the maximum 
        level of encryption strength that could be exported 
        from the United States under license exception pursuant 
        to this section without harm to the national security 
        of the United States. Such level shall not become 
        effective until 60 days after such notification.
          (2) Annual review of eligibility level.--Not later 
        than 1 year after notifying the Congress of the maximum 
        level of encryption strength under paragraph (1), and 
        annually thereafter, the President shall notify the 
        Congress of the maximum level of encryption strength 
        that could be exported from the United States under 
        license exception pursuant to this section without harm 
        to the national security of the United States. Such 
        level shall not become effective until 60 days after 
        such notification.
          (3) Calculation of 60-day period.--The 60-day period 
        referred to in paragraphs (1) and (2) shall be computed 
        by excluding--
                  (A) the days on which either House is not in 
                session because of an adjournment of more than 
                3 days to a day certain or an adjournment of 
                the Congress sine die; and
                  (B) each Saturday and Sunday, not excluded 
                under subparagraph (A), when either House is 
                not in session.
  (e) Excercise of Existing Authorities.--The Secretary of 
Commerce and the Secretary of Defense may exercise the 
authorities they have under other provisions of law to carry 
out this section.

  Amend the title so as to read:

    A bill to amend title 18, United States Code, to affirm the 
rights of United States persons to use and sell encryption.

                         Purpose and Background

    The explosive growth of the internet and the rise in 
electronic commerce in recent years have led to increased 
concerns over information security. A growing number of 
individuals and businesses now have access to the information 
superhighway and the capability to transmit volumes of personal 
and proprietary data from one user to another nearly 
instantaneously. As technology advances, the risk that the 
secure transmission of this information may be compromised by 
computer ``hackers'' is increasing. Industry has responded to 
this risk by developing products with greater encryption 
capabilities.
    Encryption is a means of scrambling or encoding electronic 
data so that its contents are protected from unauthorized 
interception or disclosure. Many software application programs 
already feature encryption capabilities to afford users a 
degree of privacy and security when conducting electronic 
transactions. For example, Netscape Communications 
Corporation's world wide web browser can transmit information 
in a secure, encrypted mode that allows individuals to order 
products and services by credit card over the internet with a 
reasonable expectation that the personal information they send 
will be protected.
    Currently, the domestic use of encryption products is 
unrestricted. When used by law-abiding citizens and companies, 
encryption can increase public confidence in the security of 
electronic transactions. However, the export of encryption 
capabilities is controlled for important national security and 
foreign policy reasons. In the hands of terrorists or 
criminals, the capability to scramble communications or encode 
information may hinder efforts to thwart planned terrorist acts 
or apprehend international drug smugglers. Moreover, much of 
the U.S. military's battlefield advantage relies on information 
dominance and the ability to decipher enemy communications. 
Unrestricted export of capabilities that make it more difficult 
for the United States to comprehend the plans and activities of 
hostile military forces could significantly degrade the 
technological advantage presently held by U.S. combat forces.
    In particular, the committee notes that the U.S. military 
has made information warfare a key element of U.S. military 
strategy and tactics. U.S. strategy requires that the United 
States be able to protect its own communications from 
interception while exploiting the weaknesses in the information 
systems and communications of potential adversaries. The 
National Defense University Institute for National Strategic 
Studies has identified seven areas of information warfare that 
could play decisive roles in combat, including electronic 
warfare, cyber warfare, command and control warfare, 
intelligence-based warfare, and so-called ``hacker'' warfare. 
The Institute's 1996 Strategic Assessment study noted the 
growing importance of information warfare and the desirability 
for U.S. exploitation of a potential adversary's 
vulnerabilities. The study declared that ``if the United States 
could override an enemy's military computers, it might achieve 
an advantage comparable to neutralizing the enemy's command 
apparatus.'' In addition, it noted the value of attacking an 
adversary's commercial computer systems, i.e., banking, power, 
telecommunications, and safety systems. The ability to ``wreak 
havoc'' on these systems, the study noted, ``would be a 
powerful new instrument of power,'' potentially leading to the 
prompt termination of conflict and a reduction in civilian and 
military casualties. However, the committee is concerned that 
the proliferation of sophisticated encryption capabilities 
overseas may make it more difficult for the United States to 
maintain its military superiority and achieve tactical 
battlefield advantages.
    Because of national security implications, the United 
States has traditionally considered encryption products to be 
sensitive ``munitions'' items and their export has been 
carefully controlled by the Department of State. However, in 
October 1996, the Clinton Administration decided to transfer 
jurisdiction over the export of commercial encryption products 
from the Department of State to the Department of Commerce, 
which is responsible for export controls on ``dual use'' items 
with military and civilian application. In addition, the 
Administration agreed to allow the export of encryption 
products with keys of up to 56 bits in length, beginning in 
January 1997, provided that the exporting companies develop a 
``key recovery'' plan over the next two years that would allow 
access to the keys by government law-enforcement agents or 
intelligence officials, if necessary, in order to decode 
scrambled information.
    The capabilities and security of encryption products 
generally depend on the length of the encryption algorithm or 
electronic ``key'' required to decrypt the data, as measured by 
the number of data ``bits'' in the key. Generally speaking, the 
longer the key (or number of key bits) the more secure the 
encryption program and the more difficult it is to ``break the 
code.'' Prior to this decision, U.S. policy allowed the 
unrestricted export of encryption software with keys up to 40 
bits in length.
    In announcing this liberalized export control policy, Vice 
President Gore stated that it would ``support the growth of 
electronic commerce, increase the security of the global 
information (sic.), and sustain the economic competitiveness of 
U.S. encryption product manufacturers. * * *'' However, an 
Administration talking points paper on the decision noted that 
``this export liberalization poses risks to public safety and 
national security. The Administration is willing to tolerate 
that risk, for a limited period, in order to accelerate the 
development of a global key management infrastructure.'' In 
addition, in a letter to Congress in November 1996, President 
Clinton acknowledged that ``the export of encryption products 
transferred to Department of Commerce control could harm 
national security and foreign policy interests of the United 
States even where comparable products are or appear to be 
available from foreign sources.''
    As received by the committee, H.R. 695 and companion 
legislation in the Senate represent a further attempt to 
significantly liberalize U.S. encryption policy. In particular, 
H.R. 695, as introduced, would have the following effect on 
encryption export controls:
          (1) It would grant the Commerce Department exclusive 
        authority to control exports of all hardware, software, 
        and technology for information security, except that 
        designed for military use, depriving the Secretary of 
        Defense of an appropriate level of involvement on 
        licensing decisions involving national security;
          (2) It would prohibit requiring a government-
        validated license for the export or re-export of 
        commercially-available encryption-capable software or 
        computers using such software; and
          (3) It would direct the Secretary of Commerce to 
        allow the export or re-export of encryption-capable 
        software for non-military end-uses in any country, or 
        computers using such software based on considerations 
        of foreign availability.
    Importantly, the committee notes that section 3 of H.R. 695 
would require the government to approve exports of high 
performance computers (so-called ``supercomputers'') if those 
computers contain encryption products or software that are 
commercially available. In the committee's view, this is one of 
the most serious consequences and flaws of the bill. Under this 
proposed arrangement, any company would be in a position to 
force the government to allow the export of even the most 
powerful supercomputer available in the United States, if they 
first loaded a piece of foreign-available encryption software 
on the supercomputer. As confirmed by Secretary Reinsch in his 
testimony before the committee, this provision would overturn 
the Spence-Dellums amendment to H.R. 1119, the National Defense 
Authorization Act for Fiscal Year 1997, adopted by the House on 
June 19, 1997, by a vote of 332-88. That amendment would 
prevent the inadvertent export of supercomputers to 
questionable end users in countries of proliferation concern.
    The committee believes that the provisions of H.R. 695, as 
introduced, in particular those provisions regarding export 
controls on encryption products, do not adequately address 
these significant national security concerns. In testimony 
before the committee on July 30, 1997, Under Secretary of 
Commerce for Export Administration William Reinsch stated that 
H.R. 695 ``proposes export liberalization far beyond what the 
administration can entertain and which we believe would be 
contrary to our international export control obligations and 
detrimental to our national security.'' With respect to the 
bill's national security implications, William Crowell, Deputy 
Director of the National Security Agency (NSA), testified that 
``the passage of H.R. 695 would negatively impact NSA's 
missions. * * * the immediate decontrol of strong encryption 
products without restriction would make our signals 
intelligence mission much more difficult and ultimately result 
in the loss of intelligence. * * * This would greatly 
complicate our exploitation of foreign targets, including 
military targets.'' Mr. Crowell concluded that H.R. 695 ``will 
do irreparable harm to national security. * * *''
    The Administration also has criticized H.R. 695 on broader 
grounds. For example, the Federal Bureau of Investigation has 
declared that ``it would be irresponsible for the U.S. to adopt 
a policy that consciously unleashes widespread, unbreakable, 
non-key recovery encryption products that undermine law 
enforcement in the United States and worldwide.'' According to 
the Department of Defense, H.R. 695 would ``have a negative 
impact on national security, effective law enforcement and 
public safety.'' The Director of the National Security Agency, 
Lieutenant General Kenneth A. Minihan, has noted that the 
United States obtains ``a substantial amount of significant 
intelligence information from unencrypted sources'' and that 
this information is ``likely to become encrypted with the 
relaxation of crypto export controls.'' In a recent letter to 
Chairman Spence and Ranking Member Dellums, Secretary of 
Defense Cohen stated, ``Passage of legislation which 
effectively decontrols commercial encryption exports would 
undermine U.S. efforts'' to foster a key recovery 
infrastructure that will ``preserve governments' abilities to 
counter worldwide terrorism, narcotics trafficking and 
proliferation.''
    In response to these concerns, the committee agreed to 
amend section 3 of H.R. 695, the section of the bill dealing 
with export controls. Given the committee's jurisdictional 
focus on national security, the committee exclusively limited 
its actions to this section of the bill and did not address the 
effects of H.R. 695 on domestic law enforcement capabilities. 
The committee amendment to section 3 would allow the President, 
subject to 60 day congressional review, to determine the 
maximum level of encryption strength that may be exported 
without a license. Unlicensed export of these products could 
occur after a one-time review. Products above the threshold 
could be exported under an individually validated license, and 
the committee's amendment ensures that the concurrence of the 
Secretary of Defense is obtained prior to the export of such 
more sophisticated encryption software. The amendment also 
ensures that the appropriateness of the threshold level would 
be reviewed on an annual basis.

                          Legislative History

    H.R. 695, the ``Security and Freedom through Encryption 
(SAFE) Act of 1997,'' was introduced by Representative Robert 
Goodlatte (R-VA) on February 12, 1997. The bill was reported in 
May 1997 by the House Committee on the Judiciary. The bill was 
also referred to the Committee on International Relations, the 
Committee on Commerce, the Permanent Select Committee on 
Intelligence, and the Committee on National Security. On July 
22, 1997, the House International Relations Committee approved 
the bill with minor amendments.
    On July 30, 1997, the Committee on National Security held a 
hearing on H.R. 695. Testimony was taken from representatives 
of the Department of Defense, Department of Commerce, and 
industry witnesses. The focus of the hearing was to assess the 
bill's impact on U.S. national security.
    On September 9, 1997, the committee held a mark-up session 
to consider H.R. 695. The committee adopted one amendment to 
the bill dealing with Section 3 on export controls by a 
rollcall vote of 45 to 1. The amended version of the bill was 
reported favorably by a voice vote. The individual rollcall 
result is placed at the end of this report.

                      Section-by-Section Analysis

                         Section 1--Short Title

    This section would establish a short title of the bill as 
the ``Security and Freedom Through Encryption (SAFE) Act.''

                 Section 2--Sale and Use of Encryption

    This section would amend Part I of title 18, United States 
Code by adding a new chapter on ``Encrypted Wire and Electronic 
Communications'' consisting of five sections. This new chapter 
would define encryption and related terms, legalize the use of 
any encryption method by U.S. citizens domestically or abroad, 
and legalize the interstate sale by U.S. citizens of any 
encryption, regardless of algorithm or key length. The new 
chapter would also deny any person the right to control a key 
that is in the lawful possession of another person, except for 
law enforcement purposes, thereby nullifying thegovernment's 
key escrow plan. Finally, the new chapter would establish penalties for 
the unlawful use of encryption in furtherance of a criminal act.

                    Section 3--Exports of Encryption

    As amended, this section would grant the Secretary of 
Commerce authority, with the concurrence of the Secretary of 
Defense, to control exports of encryption technology that is 
not controlled on the U.S. Munitions List. The section also 
would allow for a license exception for the export of 
encryption products with a strength at or below the maximum 
threshold established by the President. Export of these 
products would only occur after a one-time government review. 
The export of encryption products with a strength above the 
threshold determined by the President would be allowed subject 
to existing regulations and procedures. The amendment would not 
impact the current ability of financial institutions to export 
encryption products above the threshold without limitation, for 
use exclusively for banking and financial transactions. This 
section would also direct the President to notify Congress on 
an annual basis of the appropriate threshold for the strength 
of encryption products that may be exported without harm to 
U.S. national security. Current civil and criminal penalties 
for violation of U.S. export control restrictions would 
continue to apply, and would cover the procedures established 
in the committee's amendment.

                           Committee Position

    On September 9, 1997, the Committee on National Security, a 
quorum being present, approved H.R. 695, as amended, by a voice 
vote.

                              Fiscal Data

    Pursuant to clause 7 of rule XIII of the Rules of the House 
of Representatives, the committee attempted to ascertain annual 
outlays resulting from the bill during fiscal year 1998 and the 
four following fiscal years. The results of such efforts are 
reflected in the cost estimate prepared by the Director of the 
Congressional Budget Office under section 403 of the 
Congressional Budget Act of 1974, which is included in this 
report pursuant to clause 2(l)(3)(C) of House rule XI.

                  Congressional Budget Office Estimate

    In compliance with clause 2(l)(3)(C) of rule XI of the 
Rules of the House of Representatives, the cost estimate 
prepared by the Congressional Budget Office and submitted 
pursuant to section 403(a) of the Congressional Budget Act of 
1974 is as follows:

                                                September 11, 1997.
Hon. Floyd Spence,
Chairman, Committee on National Security,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 695, the Security 
and Freedom Through Encryption (SAFE) Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contacts are Rachel 
Forward (for federal costs); Alyssa Trzeszkowski (for 
revenues); and Pepper Santalucia (for the state and local 
impact).
            Sincerely,
                                         June E. O'Neill, Director.

               congressional budget cost office estimate

    Summary: H.R. 695 would allow individuals in the United 
States to use or sell any encryption product and would prohibit 
states or the federal government from requiring individuals to 
relinquish the key to encryption technologies to any third 
party. The bill also would authorize the President to determine 
which encryption products could be granted an export license 
exception and thus could be exported following a one-time 
product review by the Department of Commerce's Bureau of Export 
Administration (BXA). Other encryption products would be 
subject to more stringent export controls imposed by the 
Secretary of Commerce with the concurrence of the Secretary of 
Defense. H.R. 695 would establish criminal penalties and fines 
for the use of encryption technologies to conceal from law 
enforcement officials incriminating information relating to a 
crime.
    CBO estimates that implementing this bill would not add to 
BXA's costs of reviewing encryption products intended for 
export. Both under current policies and under the provisions of 
H.R. 695, CBO estimates that spending by BXA for reviewing the 
export of nonmilitary encryption products would total about 
$4.5 million over the 1998-2000 period.
    The bill would affect direct spending and receipts 
beginning in fiscal year 1998 through the imposition of 
criminal fines and the resulting spending from the Crime 
Victims Fund. Therefore, pay-as-you-go procedures would apply. 
CBO estimates, however, that the amounts of additional direct 
spending and receipts would not be significant.
    H.R. 695 contains no private-sector mandates as defined in 
the Unfunded Mandates Reform Act of 1995 (UMRA), but it 
contains an intergovernmental mandate on state governments. CBO 
estimates that states would not incur any costs to comply with 
the mandate.

Estimated cost to the Federal Government

    In November 1996, the Administration issued an executive 
order and memorandum that authorized the export of encryption 
products up to 56 bits in length following a one-time product 
review by BXA, contingent on the exporter's commitment to 
develop a key recovery system. H.R. 695 would maintain the 
President's discretion to determine which encryption products 
could be exported following a one-time review by BXA and which 
products would be subject to more stringent export controls by 
theagency. Based on information from BXA, CBO expects that the 
President would not modify the current policy of allowing license 
exceptions for encryption products of up to 56 bits in length. Thus, 
enacting this bill would not significantly change the scope of BXA's 
activities. Assuming appropriation of the necessary amounts, CBO 
estimates that implementing H.R. 695 would result in costs to BXA of 
about $900,000 in each fiscal year, totaling about $4.5 million over 
the 1998-2002 period, about the same as would be expected under current 
law. BXA was authorized to spend $850,000 in fiscal year 1997 to 
control encryption exports.
    Enacting H.R. 695 would affect direct spending and receipts 
through the imposition of criminal fines for encrypting 
incriminating information related to a felony. CBO estimates 
that collections from such fines are likely to be negligible, 
however, because the federal government would probably not 
pursue many cases under the bill. Any such collections would be 
recorded in the budget as governmental receipts, or revenues. 
They would be deposited in the Crime Victims Fund and spent the 
following year. Because the increase in direct spending would 
be the same as the amount of fines collected with a one-year 
lag, the additional direct spending also would be negligible.
    The costs of this legislation fall within budget functions 
370 (commerce and housing credit) and 750 (administration of 
justice).

Pay-as-you-go considerations

    Section 252 of the Balanced Budget and Emergency Deficit 
Control Act of 1985 sets up pay-as-you-go procedures for 
legislation affecting direct spending or receipts. H.R. 695 
would affect direct spending and receipts through the 
imposition of criminal fines and the resulting spending from 
the Crime Victims Fund. CBO estimates, however, that any 
collections and spending resulting from such fines would not be 
significant.

Estimated impact on state, local, and tribal governments

    H.R. 695 would prohibit states from requiring persons to 
make encryption keys available to another person or entity. 
This prohibition would be an intergovernmental mandate as 
defined in UMRA. However, states would bear no costs as the 
result of the mandate because none currently require the 
registration or availability of such keys.

Estimated impact on the private sector

    The bill would impose no new private-sector mandates as 
defined in UMRA.

Previous CBO estimate

    CBO provided cost estimates for H.R. 695 as ordered 
reported by the House Committee on the Judiciary on May 14, 
1997, and as ordered reported by the House Committee on 
International Relations on July 22, 1997. Assuming 
appropriation of the necessary amounts, CBO estimates that 
implementing the Judiciary Committee's version of the bill 
would cost between $5 million and $7 million over the 1998-2002 
period and that implementing the International Relations 
Committee's version would cost about $2.2 million over the same 
period. The estimated cost under current policies and for the 
National Security Committee's version is $4.5 million.
    Estimate prepared by: Federal Costs: Rachel Forward, 
Revenues: Alyssa Trzeszkowski, Impact on State, Local, and 
Tribal Governments: Pepper Santalucia.
    Estimate approved by: Robert A. Sunshine, Deputy Assistant 
Director for Budget Analysis.

                        Committee Cost Estimate

    Pursuant to Clause 7(a) of rule XIII of the Rules of the 
House of Representatives, the committee generally concurs with 
the estimate contained in the report of the Congressional 
Budget Office.

                       Inflation Impact Statement

    Pursuant to clause 2(l)(4) of rule XI of the Rules of the 
House of Representatives, the committee concludes that the bill 
would have no significant inflationary impact.

                           Oversight Findings

    With respect to clause 2(l)(3)(A) of rule XI of the Rules 
of the House of Representatives, this legislation results from 
hearings and other oversight activities conducted by the 
committee pursuant to clause 2(b)(1) of rule X.
    With respect to clause 2(l)(3)(B) of rule XI of the Rules 
of the House of Representatives and section 308(a)(1) of the 
Congressional Budget Act of 1974, this legislation does not 
include any new spending or credit authority, nor does it 
provide for any increase or decrease in tax revenues or 
expenditures. The fiscal features of this legislation are 
addressed in the estimate prepared by the Director of the 
Congressional Budget Office under section 403 of the 
Congressional Budget Act of 1974.
    With respect to clause 2(l)(3)(D) of rule XI of the Rules 
of the House of Representatives, the committee has not received 
a report from the Committee on Government Reform and Oversight 
pertaining to the subject matter of H.R. 695.

                   Constitutional Authority Statement

    Pursuant to clause 2(l)(4) of rule XI of the Rules of the 
House of Representatives, the committee finds the authority for 
this legislation in Article I, section 8 of the United States 
Constitution.

                     Statement of Federal Mandates

    Pursuant to section 423 of Public Law 104-4, this 
legislation contains no federal mandates with respect to state, 
local, and tribal governments, nor with respect to the private 
sector. Similarly, the bill provides no unfunded federal 
intergovernmental mandates.

                             Rollcall Vote

    In accordance with clause 2(l)(2)(B) of rule XI of the 
Rules of the House of Representatives, a rollcall vote was 
taken with respect to the committee's consideration of H.R. 
695. The record of this vote is attached to this report.
    The committee ordered H.R. 695, as amended, reported to the 
House with a favorable recommendation by a voice vote, a quorum 
being present.





         Changes in Existing Law Made by the Bill, as Reported

    The bill was referred to this committee for consideration 
of such provisions of the bill as fall within the jurisdiction 
of this committee pursuant to clause 1(k) of rule X of the 
Rules of the House of Representatives. The changes made to 
existing law by the amendment reported by the Committee on the 
Judiciary are shown in the report filed by that committee 
(Rept. 105-108, Part 1). The amendments made by this committee 
do not make any changes in existing law.

           ADDITIONAL VIEWS OF CONGRESSMAN PATRICK J. KENNEDY

    Mr. Chairman, as a member of the House National Security 
Committee for almost three years, I have voted in favor of 
research and development of advanced technology, I have 
supported procurement of state of the art weapons systems and I 
have advocated greater funding for training and educating our 
armed forces. I am proud of the role our committee plays in 
working to ensure our men and women in uniform are properly 
equipped to meet the many challenges and missions our nation 
asks of them. After having received a classified briefing by 
the National Security Agency, I now believe that if we support 
H.R. 695, the ``Security and Freedom through Encryption Act'', 
as introduced, we would effectively nullify the many important 
national security investments made by this committee.
    Let me be clear, I support providing American businesses 
the opportunity to be competitive in the export of encryption 
products but I also understand the importance of limited export 
controls to the intelligence community and to our country's 
national security. Our national security and our economic 
interests should not be interpreted as mutually exclusive. I am 
convinced that any legislation we pass must strike a balance 
between our national security concerns and our economic 
interests. Unfortunately, H.R. 695, as introduced, fails to 
strike this balance. Rather than providing a means to assess 
the impact of encryption exports on our national security, this 
bill opens the floodgates and threatens to overwhelm our 
intelligence infrastructure.
    I do believe that if we make modifications to H.R. 695, it 
is entirely possible to address some of the more important 
security and economic concerns The amendment offered today by 
Mr. Weldon and Mr. Dellums provides us that chance. The Weldon-
Dellums amendment does not prevent or stop the export of 
encryption products. Rather than the immediate decontrol of 
strong encryption products which would come with H.R. 695, the 
amendment proposes responsible limits for the export of 
encryption technology, limits which are in part determined by a 
product's threat to national security.
    The limits are necessary given the fact that today, a 
significant portion of the intelligence we collect is not 
encrypted. That information we glean is vital to threat 
warning, attack assessment and gaining tactical/information 
supremacy. Should our adversaries suddenly have access to 
strong encryption products, our intelligence community would be 
hampered and severely overwhelmed. Instantly we would put in 
jeopardy our ability to decode and decipher information from 
the predominant threats our country faces today: terrorist 
organizations, rogue nations and drug traffickers.
    It is important to keep in mind that the limits included in 
the amendment are not permanent. The Administration would be 
forced to re-evaluate threshold levels every year in order to 
keep pace with technology. The Congress would then have the 
opportunity to review the appropriateness of the level and 
enact legislation to respond should it so choose. By ensuring 
that the threshold is reviewed on an annual basis, a process is 
created whereby we can assess the impact of the exports on our 
intelligence gathering and assessment capabilities while also 
providing a mechanism to alter the limits when conditions 
permit.
    Both Mr. Weldon and Mr. Dellums should be commended for 
their hard work in crafting a bipartisan amendment to H.R. 695, 
an amendment which seeks to find that delicate balance between 
our national security requirements and ensuring our companies 
are provided the opportunity to compete.

                                                Patrick J. Kennedy.

                 SUPPLEMENTAL VIEWS OF HON. JANE HARMAN

    The debate over H.R. 695 and encryption has shed invaluable 
light on the difficult choices policy makers have to make in 
fashioning a policy where national security concerns and U.S. 
international competitiveness come into direct conflict. To be 
sure, our nation's security must be preeminent, and I don't 
doubt from the committee's hearings on the bill and from my 
conversations that the individuals and the companies which 
comprise the computer software industry designing encryption 
agree with this assessment.
    At the same time, policy makers cannot let security 
concerns unduly restrict the ability of a vibrant and growing 
segment of our economy to compete on international markets--
markets which they currently and rightly dominate. In our zeal 
to protect technologies which have defense and law enforcement 
implications, we should not adopt policies that stifle our own 
domestic enterprises and hand the lead to foreign entities 
beyond our own laws.
    How we balance these competing goals, albeit not equally 
so, is the objective of the amendment offered by my colleagues, 
Mr. Weldon and Mr. Dellums, which the committee approved as a 
substitute to the original title 3 of H.R. 695. I support their 
objective, but am not persuaded that a revision in our export 
control policy is the best means of achieving it. In voting for 
the substitute amendment during the committee's mark-up, I 
outlined some reservations and would like at this time to offer 
some suggestions that would in my view, improve the approach 
the bill takes.
    First, encourage, if not direct, the Administration to 
engage other countries on this issue. Given the availability of 
this technology abroad, and the ease of its dissemination, a 
unilateral export control policy on encryption will not work. 
We must work out a multilateral approach.
    Second, drop the requirement that the Secretary of Commerce 
must have the concurrence of the Secretary of Defense to grant 
a license exception. Including this requirement is a step 
backwards from current policy. Under current export control 
policy there is a mechanism by which national security agencies 
like the Department of Defense can raise specific concerns with 
the Commerce Department as it reviews export license 
applications. No evidence has been presented to suggest that 
the current mechanism is broken and it should be used for 
encryption export licenses as well. Giving the DoD what is in 
effect a veto may result in the denial of export licenses for 
otherwise eligible encryption products.
    Third, provide guidance or outline specific criteria for 
the President to use in setting the maximum level of encryption 
below which license exceptions would be granted. Encryption 
technology develops rapidly and we need to ensure that advances 
made both domestically and abroad are taken into consideration 
so that U.S. companies are not penalized by the setting of an 
artificially low encryption strength level. As such, the 
committee should at minimum specifically require the President 
to conduct a rigorous assessment of the range and quality of 
encryption products available in foreign markets and require he 
explain why that should not be the maximum strength level.
    Fourth, set forth a specific period of time within which 
companies seeking license exceptions for their products can 
expect to have their application reviewed and either approved 
or rejected. During this time frame, the relevant federal 
agencies could examine the encryption technology in question 
and have the applicant respond to any national security 
concerns the technology raises. It is important that this 
period of time be narrowly defined, in order to assure fairness 
and predictability to U.S. companies seeking to market their 
technology in a timely fashion.
    Fifth, set forth specific penalties for companies that seek 
to exploit loopholes or ambiguities or circumvent the limits 
and ensure their enforcement.
    I again commend Messrs. Weldon and Dellums for their 
leadership in fashioning a much improved title 3 for the bill. 
The suggested changes I've outlined above, and other changes I 
hope to offer during the course of the bill's consideration in 
the House, will strike an even better balance in this important 
policy debate.

                                                       Jane Harman.

               SUPPLEMENTAL VIEWS OF HON. LORETTA SANCHEZ

    Many of us when we think of encryption imagine the 
``ENIGMA'' code breaking machines of World War Two or the 
American Indian ``code talkers'' that helped us anticipate and 
defeat Nazi and Imperial Japanese attacks. Those methods were 
mechanical or human-based, and often depended on simple 
arithmetical slight of hand to trick the enemy. Today, 
encryption is complex mathematical algorithms that have become 
an entirely new branch of mathematics involving intense 
academic study.
    Until recently encryption was limited to governments and 
large companies through U.S. export limitations and by the 
limitations of existing hardware and software technologies. All 
that began to change as the desktop computer became more 
prevalent and the computing power available to the average user 
jumped by leaps and bounds every year. When discussing the 
power of the PC observers of the information technology 
industry often predict that the computing power of 
microprocessors would double roughly every 18 months.
    Because of this the rapidly developing speed and growth of 
computers, the age of the ``unbreakable code'' has long since 
passed. Manufacturers of encryption technology are engaged in a 
rapidly accelerating race to develop the newest and strongest 
code that can withstand attacks from the increasingly powerful 
computers of the day. And it isn't just big companies and 
governments that have the technology to break codes. Last 
January, a graduate student broke a 40-bit code in just three-
and-a-half hours, the toughest code form American companies at 
the time were allowed to export.
    Today, American companies are the world leaders in 
encryption technology, but other companies and nations are 
catching up. Strong encryption products and knowledge about the 
science of cryptography is not limited to the United States. A 
savvy computer user anywhere in the world can with just a few 
clicks of the mouse find U.S. export-embargoed encryption. Many 
freelancing code hackers maintain off-shore Internet meeting 
sites to discuss the newest holes in encryption products.
    The proposed export controls which the Administration 
argues helps to keep strong encryption out of the hands of 
foreign adversaries will have little or no effect. Strong 
encryption is available abroad and US companies are being put 
at a competitive disadvantage in the global marketplace.
    With this bleak and seemingly hopeless picture in mind how 
do we protect ourselves from the threat of rogue nations and 
other adversaries cloaking their communications from American 
National Security efforts? The only viable solution is through 
supporting a robust and aggressively competitive cryptography 
industry in the United States. We must ensure that the United 
States continues to maintain the deepest pool of cryptographic 
experts in the world. American export limitations will only 
serve to create a brain drain of these precious resources as 
leading scientists leave our shores for more lucrative and 
accommodating surroundings.
    All of us care about our national security and no one wants 
to make it any easier for criminals and terrorists to commit 
criminal acts. But we must also recognize encryption 
technologies as an increasingly sharp double-edged sword. It 
can also aid law enforcement and protect national security by 
limiting the threat of industrial espionage and foreign spying, 
but only when Americans are able to produce the sharpest swords 
and the strongest encryption.
    I would also like to state for the record that for the 
reasons stated above, I do not support the Dellums-Weldon 
Amendment to H.R. 695, and would have voted against it.

                                                   Loretta Sanchez.

                                
