10 November 1997
Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html

-------------------------------------------------------------------------

[Congressional Record: November 8, 1997 (Extensions)]
[Page E2243-E2244]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr08no97-48]


                  NEED FOR A NEW POLICY ON ENCRYPTION

                                 ______


                             HON. TOM DeLAY

                                of texas

                    in the house of representatives

                        Friday, November 7, 1997

  Mr. DeLay. Mr. Speaker, I would like to call to my colleagues'
attention the need for a new policy on encryption. A simple policy that
lets American computer users continue to buy whatever encryption they
want and that lets American companies remain internationally
competitive by modernizing existing export controls.
  The administration has failed year after year to address this issue--
stonewalling, making minor export control modifications years after
they were necessary, and even preparing to take away the ability of
Americans in this country to protect sensitive and confidential
electronic information.
  I am concerned that if we do not take rational and effective action
soon, our ability to use American ingenuity to keep at the forefront of
worldwide economic growth through information technology will be
irreparably harmed because of our inability to protect our Nation's
primary source of strength--our citizens' knowledge and ideas. That
being the case, I believe the Security and Freedom through Encryption
[SAFE] Act, H.R. 695, should be a priority for the second session of
this Congress.

          Strong, Secure Protection Over Networks Is Critical

  Information has become power in the 21st century. We need to protect
our information in order to protect our national and economic security.
Every technological advance is encouraging individuals, companies, and
governments to become more networked--whether to work with others,
communicate and share documents within a company, or to access work
from home. If we do not take necessary and adequate precautions, these
computer networks eventually may create a danger. Foreign competitors,
foreign powers, terrorists, and just plain criminals may exploit their
knowledge of technology to gain access to more information than ever
before in order to steal information or to injure people.

The Administration's Export Policy Has Hamstringed And Harmed Americans

  Encryption is simply a fancy name for scrambling information so that
it may not be understood by the casual reader or listener. Computer
software or hardware scrambles information using a key. The longer the
key, the more options for scrambling information and the more
protection is provided to protect the information from knowledgeable
computer hackers seeking to descramble or decrypt the information.
  In 1992 the administration permitted U.S. companies to freely export
40-bit key length encryption products. Five years later the
administration still limits mass market exports in general to 40-bits.
  The only way that the administration permits companies to increase
this encryption strength to even a slightly stronger 56-bits is to
agree to build back door government access features into future
products.
  It is hard to believe that what would protect information in 1992
could still be considered reasonable protection for information in
1997. One very smart student in California proved that 40-bit strength
encryption could be broken by trying every key combination in just a
few hours. Several smart U.S. cryptographers got together and
calculated that a government willing to spend some money could break
40-bit encryption, or even 56-bits, in a [minute fraction] of a second.
  Importantly, an unfortunate side-effect of the administration's
export control policy is that it also has limited the strength of
encryption that Americans have access to from their corner software
store. I understand that American software companies earn over one-half
of their total revenues from their software exports. So that they do
not face a marketing nightmare as well as the expense of developing two
different products--one for the United States and one for overseas--
these software companies have in general developed only one version of
a product. Thus, most U.S. companies are also stuck at the unprotected
40-bit level.

           Foreign Vendors Supply Strong, 128-Bit Encryption

  Our administration has created a huge window of opportunity for
foreign hardware and software vendors to fill the void created by these
antiquated export controls. Several foreign companies provide strong,
128-bit encryption. They quite often market their products as add-ons
or replacements for export-crippled U.S. products. Would you really
want to buy a 40-bit or even a 56-bit version of a software product
when you knew that your competitor had a 128-bit product?
  While the U.S. computer industry has had a strong lead in developing
hardware and software products, we can no longer rely on this advantage
to ensure that foreign vendors do not use the opening of supplying
encryption software to start to provide foreign consumers with other
programs, such as stronger, 128-bit Internet browsers.
  Thus, I believe that if a comparable product is available overseas,
then we should not hamstring America's companies from providing the
same product. If a foreigner can and will purchase a 128-bit encryption
product overseas, I would prefer that they bought it from an American
company. I believe that this is better for our economy, and ultimately
better for our national security. Otherwise, the result will be that
all encryption expertise will move off-shore as well as encryption
sales.

 What Louis Freeh and His Lobby Machine Want and Why It Does Not Work
                      Domestic Encryption Controls

  After testifying at House Judiciary and House Commerce regarding
export controls, Louis Freeh finally came out of the closet and
divulged that he had not been discussing export controls, he had been
talking about domestic controls on encryption designed by Americans for
Americans. Mr. Freeh and his 80 lobbyists apparently never thought to
bring this up so that it could be part of the Judiciary Committee's
hearings on the legislation from the very beginning.

  Why? Perhaps he knew the reception he would receive to the proposal
that Americans should no longer be able to design, manufacture or
import encryption unless the encryption technique ensured that a
government approved third party could have access to the information
without the user's knowledge. Thus, he would prefer that every time an
American encrypts information to store it on a computer or to send it
over the Internet, a third party must be able to access the information
and the user would never know that the information had been accessed.
This would change over 200 years of free speech.

          Impact of Requiring FBI's Proposed Domestic Controls

  I am a strong proponent of law enforcement. But I do not believe that
we should adopt a system that our best and brightest say will be nearly
impossible to design, hard to keep secure and probably very costly to
consumers.
  To my knowledge, no one has ever built or even begun to test the
reliability, security, and costs of such a system. I have seen a report
by another group of extremely well-known American scientists who tell
me that they have no idea of how to design and implement this proposed
domestic key recovery system. They also say that such a system could
create greater vulnerability for its users. Apparently encryption
techniques are not foolproof, and adding sufficient complexity to
permit third party access will make the encryption even less secure. It
also appears to be highly dependent upon the honesty and integrity of
those third parties who have access to the information. Who,
ultimately, do we trust?
  I understand that while advances in technology have generally
provided the FBI and other law enforcement with more investigatory
tools, this one advance may make it more difficult for them. I propose
instead that we look at methods that will help law enforcement to
combat these new hurdles, rather than choosing the more simplistic
approach of building law enforcement access into each and every
encryption product.
  I also can only imagine the bureaucracy necessary to handle the
magnitude of information regarding encryption keys. It would have to
rival many agencies we have spent years trying to reduce in size--the
Internal Revenue Service and the Department of Commerce to name just a
few.
  While we are expending all of our efforts trying to lessen government
intrusion in our lives, domestic encryption controls as proposed by Mr.
Freeh would create probably the largest intrusion yet.
  Finally, I have a basic concern about requiring American citizens to
provide access to their information if they decide to encrypt it. If I
write a letter in the privacy of my own home and leave it in my desk
drawer, I do not have to provide a copy of my house key and desk drawer
key with the local police so that they may look at it easily without my
knowledge. I do not see why this should change if I write this letter
on my computer and decide to encrypt it. Why should this act require me
to let others have the capability of viewing it without my knowledge? I
agree with the constitutional law professors who stated that this would
have a ``chilling effect'' on American speech.

Foreigners Simply Will Not Purchase And Criminals Will Not Use American
          Designed Mandatory Key Recovery Encryption Products

  Ultimately, foreigners will not purchase or use American encryption
products if they provide mandatory third party access to information.
Neither will criminals. They know that the encryption technique is
strongly desired by American law enforcement because law enforcement
can monitor or otherwise access the information. Why would they
voluntarily use such a product when they can use a 128-bit product they
can obtain today over the Internet from tens of countries?
  The FBI alleges that all foreign governments are eager to adopt
similar controls on their citizens. While this is true of France, it is
not true of the European Union for example, which categorically
rejected the administration's proposal for a worldwide key recovery
infrastructure requirement.
  The only impact of the FBI proposal is that normal, law abiding
American citizens will use American designed encryption programs.
Foreigners will turn to foreign sources for their nonkey recovery
products, and criminals will certainly turn to the same foreign
sources. Thus, the FBI proposal does not address the real problem
created by encryption technology. I do not want to put in place a
large, costly bureaucracy that will not permit law enforcement to get
the information it believes necessary.

                        What is Best for America

  The United States should not try to control the export of something
that by its very nature is uncontrollable. The United States should
also not take a lead in forcing its citizens to adopt a costly
technology that will insure easy monitoring and intrusion by law
enforcement. Our constitutional guarantees of free speech and our
rights to privacy should not be in any way lessened in order to
accomplish Louis Freeh's desire for a fourth amendment for the 21st
century. We in Congress should act now to relax export controls on
encryption technology and to ensure that Americans remain free to speak
in whatever manner they desire, using whatever encryption they choose.

                          ____________________
