5 September 1997
Source: Declan McCullagh <declan@well.com>

-------------------------------------------------------------------

---------- Forwarded message ----------

SENATE JUDICIARY COMMITTEE
TERRORISM, TECHNOLOGY & GOVERNMENT 
INFORMATION SUBCOMMITTEE

CHAIR: SENATOR JON KYL (R-AZ)
TESTIFYING: FBI DIRECTOR LOUIS FREEH

226 DIRKSEN SENATE OFFICE BUILDING
WEDNESDAY, SEPTEMBER 3, 1997, 2 PM

	SEN. KYL:  The conferences are just coming to a 
close.  As a result, I am informed that the ranking member, 
Senator Feinstein, will be here very shortly; and when she 
arrives, we'll give her the opportunity to make a statement.  So 
we should expect other members shortly.  But in view of the 
agenda that we have, the number of witnesses we want to hear 
from today, I'd like to begin the hearing at this time.
	The purpose of this hearing is to explore how 
encryption is affecting the way that we deal with criminals, 
terrorists and the security needs of our businesses.  Our 
subcommittee, which has the responsibility for technology, 
terrorism and government information, is a fitting focal point 
for an in-depth examination of the ramifications of encryption 
for public safety and national security.
	Three panels of distinguished witnesses will share their 
views on these topics.  In panel one we will hear from the 
director of the Federal Bureau of Investigation on the use of 
encryption by criminals, terrorists and spies and the impact of 
the usage on law enforcement. In panel two we'll learn the 
results of a recent study and some real- life examples of how 
criminals and terrorists are using encryption in an attempt to 
thwart law enforcement efforts.  The last panel will offer 
insights from industry on their specific security concerns.
	The United States is leading the world into the 
information age, an age in which information rather than 
industrial mechanics will likely be a dominant commodity.  As 
the U.S. information-based economy has become more 
efficient via the use of computing and communication 
technologies, our society has become increasingly vulnerable 
because of our dependency on the available and predictable 
operation of these technologies.  Encryption has the potential 
to limit the risks that these dependencies have introduced.  But 
if used unwisely it also has the potential to undermine the 
responsibilities that Congress and the Constitution give to our 
nation's law enforcement and national security agencies.  So 
the issue that I would like to address today is how to get the 
good encryption widely used without allowing it to be used 
against society.  If we do not address the encryption issue 
from this perspective, we will wind up increasing the risks to 
our economy, citizens and national security rather than 
decreasing them.
	There have been other hearings held earlier this year on 
the encryption topic which have looked at important questions 
of commerce and privacy and export control policy.  When I 
examine what has been said to date and what had been 
proposed in some encryption bills, I was struck by the fact that 
some of these efforts seem to be addressing this as a zero-sum 
game:  privacy versus public safety, industry versus 
government.  Too often I've seen the encryption issue 
mischaracterized as one that is about enabling encryption 
exporters to increase profits overseas.  I am offended by the 
notion that public safety should have to take a back seat to 
short-term corporate opportunity; and so are the great majority 
of leaders in the business community.  In fact, I suspect that 
there is a broader community of interests we share as 
Americans that rests on the need to maximize all of these 
goals.  I think that it's fair to say that just about everyone here 
in this room will benefit to some degree from the 
government's ability to deal with encryption used by criminals 
and terrorists.  Law enforcement is already beginning to 
encounter the harmful effects of encryption.  For example, the 
masterminds of the World Trade Center bombing were also 
plotting to blow up 11 U.S.-owned airliners.  Data regarding 
this terrorist plan was found in encrypted computer files found 
after the arrest of these terrorists, and their destructive plan 
was never carried out.
	Such counterculture use of encryption is not limited to 
international terrorists.  Child pornographers for example are 
using encryption to hide pornographic images of children that 
they transmit across the Internet.  With the explosive impact of 
the Internet and computers, we can only expect more cases like 
that � like this.  And that's one reason why I sponsored an 
amendment last year that became law with the Economic 
Espionage Act, requiring the United States Sentencing 
Commission to begin reporting to Congress this year on the 
use of encryption to facilitate or conceal criminal conduct.  I 
will be very interested in seeing the results of that report, as I 
am sure my colleagues are as well. 
	The law enforcement community � locally, nationally 
and abroad � is extremely concerned about this serious threat 
posed by the use of encryption by violent criminals, terrorists, 
child pornographers, drug traffickers and the like since it will 
prevent them from performing their public safety 
responsibilities.  On another score, corporate security 
managers need to protect corporate information and 
communications systems against industrial espionage, and are 
increasingly turning to encryption as part of the answer.  At 
the same time they are concerned about the security of their 
personnel and facilities in the face of criminal and terrorist 
threats.  Not to be overlooked is the concern that rogue 
employees could use encryption as an electronic shredder and 
hold companies hostage by encrypting corporate information 
and withholding the encryption key.
	Finally, our government has long used encryption to 
protect vital government information systems.  In an era of 
information warfare, protecting the nation's critical 
infrastructures against terrorists and other threats will require 
the strategic use of encryption and other protective measures.  
This subcommittee will have the opportunity to hear more 
about this from the director of central intelligence, who has 
offered to meet with us in closed session at a later date.
	In light of these vital concerns, we need to stay 
focused on the goal that I defined moments ago.  That is, how 
to get good encryption widely used without allowing it to be 
used against society.  I believe that we can and must define 
such a balanced encryption policy so that our citizens and 
businesses will continue to thrive as we enter the information 
age, and I hope that our hearing today will be a step in that 
direction.
	Before I introduce our first witness, since Senator 
Feinstein is not here, Senator Leahy, would you like to make 
any comments before we begin?
	SEN. PATRICK LEAHY (D-VT):  I do have a few, if 
I might, Mr. Chairman.  And I put my full statement in the 
record.  But I commend you and Senator Feinstein for holding 
this hearing, because there is a double-edged sword when you 
come to encryption, and you reflect that � it has both good 
and bad use, and we have to figure out how we keep the good 
and get rid of the bad.
	We have the U.S. working group � they're � a 
report by Dorothy Denning and William Baugh on behalf of 
the U.S. Working Group on Organized Crime, concludes that 
no one approach to encryption will be foolproof.  And I think 
one of the problems has been everybody has looked for a 
foolproof approach, and there is none.
	We're all worried about what happens when the 
criminals use encryption to thwart police surveillance, or if 
you have the spies or the terrorist group that you referred to � 
not only here but other places � that is a concern.  And the 
working group I think estimates a somewhere from 50 to 100 
percent increase in the future of criminal groups using 
encryption.  This is all extremely unnerving in one way. But I 
think if you maintain export restrictions on strong encryption 
technology you are not going to have an answer by doing that.  
The working group said that export controls do not keep 
unbreakable encryption out of the hands of criminals entirely.  
Export controls simply make the privacy and valuable 
proprietary information of Americans and American 
businesses more vulnerable to on-line theft and economic 
espionage and other crimes.
	The National Research Council's crises report 
recommended relaxation of export controls.  Encryption we 
know is an effective method for promoting intellectual 
property.  Senator Kyl and I are concerned about software 
piracy and have sponsored legislation, the
	Criminal Copyright Improvement Act, S. 1044, to 
address the problem of large-scale wilful copyright 
infringements on the Internet.  But if you encrypt copyright 
software so that only the legitimate users get access, that's one 
way you combat that intellectual piracy. 
	But if you mandate, even coerce, the use of key 
recovery encryption, that is not the solution.  The working 
group report points out that key recovery systems could 
potentially be abused either by government or by the people 
operating key recovery services.  And when the administration 
makes no secret of its efforts to promote adoption of a global 
key recovery system so that governments around the world 
will have access to the decoding keys, this concerns me 
greatly.  The working group report warns about the security 
risks of this effort, stating, "it's hard to see how a global key 
recovery infrastructure can avoid exploitation by organized 
crime, especially considering the integration of organized 
crime with governments, such as Russia.  If key recovery is 
adopted on a large scale, strong boundaries have to be created" 
� and so on. 
	It brought the same alarm the Leahy-Burns Encrypted 
Communications Act, S. 376, pending before this Judiciary 
Committee � very strict requirements before you could 
release any decryption key to a foreign government.
	I think the administration put the proverbial cat before 
the horse by promoting key recovery without having in place 
privacy safeguards, defining how and under what 
circumstances law enforcement and other users can get 
decryption keys.
	So I think this is a very important hearing.  I look 
back, Director Freeh, to when we had the digital telephony bill 
before us, and I must say, Mr. Chairman � had some 
discussions with the director about this.  We went to as secure 
a venue as we could find, knowing how important this was.  
And I will release a certain amount of secrecy here, Mr. 
Chairman, by saying with that secure venue, with the dirt 
roads near my farm in Vermont where for several days the 
director and I would go out at the crack of dawn and go hiking 
up and down miles of these dirt roads discussing encryption.  
It's one sided � he could discuss it with a great deal more 
breath that I could, but we did this.  And basically I raise the 
fact that the digital telephony bill was a way � which finally 
brought this apparent � we had from the left to the right, from 
civil liberties groups, privacy groups, law enforcement, 
telephone companies � everybody was off in a different 
direction.  We finally got everybody into one room, and just 
basically said, "Okay, how are we going to do this?" � and 
we did it. I think that's what you're trying to do, Mr. 
Chairman, and I commend you for it.
	I would also say, director, that while you were there of 
course we had the terrible situation in New Hampshire and 
Vermont with the firefight with Carl Drega who murdered four 
people, two law enforcement officers, seriously wounded 
John Piper (sp), Border Patrol agent John Piper (sp).  You 
and I went and visited him in the hospital.  You recall that he 
was barely able to speak � all kinds of tubes going on him, 
an oxygen mask, attended by his wife and lovely 10-year-old 
daughter Hannah.  I just want you to know that he went home 
from the hospital and he is in much, much better shape.  His 
family tells me there's going to be a complete recovery, and 
again they thank you for your taking the time to go and visit 
him.  And I thank you, Mr. Chairman.
	SEN. KYL:  Well, thank you, Senator Leahy.  I 
certainly concur with you that taking a walk in the beautiful 
Vermont woods would be preferable to being in a stuffy 
secure facility to discuss these issues � and some by their 
nature do need to be discussed in a classified setting.  But 
fortunately today we are able to discuss a great deal publicly, 
and we are blessed to have as our lead-off witness the director 
of the Federal Bureau of Investigation, Louis Freeh.  We have 
had the opportunity to discuss encryption policy with Director 
Freeh during the course of prior hearings in this committee, 
first at the FBI oversight hearing on June 4th, where the 
director and I discussed the needs of law enforcement as 
pertains to encryption; and, second, at the hearing on key 
recovery infrastructure that the full Judiciary Committee held 
on June 25th.
	To set the stage for today's hearings, we've asked 
Director Freeh to expound on how the use of encryption by 
organized crime and terrorists adversely impacts the FBI's 
very important role in preventing and investigating criminal 
and domestic terrorist activity, as well as the bureau's vital 
counterintelligence responsibilities. We're also eager to gain a 
finer understanding of the way in which the FBI works with 
corporate America in addressing their pressing security 
concerns.
	Before you begin, director, I would like to insert into 
the record a compilation of letters from the secretary of 
defense, the attorney general, the directors of the Secret 
Service, Customs and Drug Enforcement Agency, the Bureau 
of Alcohol, Tobacco and Firearms, the Office of National 
Drug Control Policy and yourself, the International 
Associations of Chiefs of Police and Attorneys General, the 
National Association of Sheriffs and District Attorneys � all 
stating unequivocally that encryption policy must not 
jeopardize national security and public safety.  Without 
objection those will be entered into the record, and on that 
note, Director Freeh, we thank you.  Welcome.
	MR. FREEH:  Thank you, Mr. Chairman.  Senator 
Leahy, good afternoon.  It's a pleasure as always to be before 
the committee.  Let me echo Senator Leahy's compliment to 
you, Mr. Chairman, for holding this hearing, continuing this 
very important discussion and really supplying some 
leadership with respect to an issue which is not a privacy 
versus law enforcement issue, but really a public safety issue 
balanced with the great commercial interests at stake.
	Senator Leahy, as we did discuss on those dirt roads, 
let me compliment you for your leadership in these very 
difficult areas, going back as you noted to the digital telephony 
problem which many people said could not be solved � it was 
too complex, it was too expensive.  Nobody could agree to it.  
And with your leadership you achieved a monumental piece of 
legislation, as far as I am concerned, that balance the law 
enforcement needs with the privacy needs � in fact, 
enhancing privacy concerns in portions of that bill.
	When I became director just about four years ago this 
week � although it seems much longer at times � I was told 
by the technical experts and people who advise the FBI 
director on these matters, that the issue at stake in the next 
couple of years would be the continuing ability to conduct 
court-authorized wiretaps and electronic surveillance, which as 
everyone on this committee well knows is the most important 
and efficient law enforcement technique � not just in the 
criminal area, but in the national security area.  And it is a 
technique which is not only the bailiwick of the federal 
authorities. In 1996 51 percent of the electronic surveillance 
orders int he United States were given to the federal 
government.  The other 49 percent were given to states and 
local prosecutors and police departments. This is a universal 
technique, and one which is reserved for the most difficult 
cases � the complex organized crime cases, crimes of 
terrorism, crimes of financial complexity, violent crimes, and 
on the local and state level kidnapping and other cases where 
that particular technique is required because no other technique 
can obtain the evidence for which there is probable cause.
	I was told as I became the director that there were two 
aspects to the threat against court-authorized electronic 
surveillance.  One was access, and that's the digital telephony 
issue:  Will the common carriers and the manufacturers build 
systems and switches and software which will continue � not 
give, but continue to give us access per court order to 
conversations of a criminal nature?  We had had that ability 
since 1968.  The change from the analog system to the digital 
system threatened to de facto take away that ability because 
there would be no more alligator clips to snap on to easy-
access points, because switches would be made in the 
software.  Against a lot of doubt and a lot of resistance, this 
Congress � Senator Leahy in particular � and many other 
people working on that objective, solved this very complex 
access problem.  And although not completely resolved or 
implemented, we are well on our way to solving that access 
problem and preserving what is the single most important 
technique in law enforcement and national security cases.
	There is another side to the threat to electronic 
surveillance, and that is the problem which encryption poses.  
If we are able to access with a court warrant the conversations 
of criminals and spies and terrorists, but we can't understand 
it, or it's going to take, as my associate Bill Crowell (sp) says, 
26 trillion years to decrypt a message bit, we're out of 
business with respect to that technique.  It is of little use to us 
in the information age when the encryption is so robust that 
even a court order � even an order of an Article 3 
constitutional judge, cannot access that on a real-time basis.  
So that is the issue that we are now debating, and it is, as you 
very well point out, Mr. Chairman, not a debate between 
privacy and law enforcement; it's a public safety question.  
And what the law enforcement components represented in the 
letters that you've just entered in the record have said, is that 
we are in favor of encryption.  In fact, we are in favor of the 
most robust encryption available. 
	We want the American companies � the American 
manufacturers � to remain as they are now the dominant 
industry in the world, controlling about 75 percent of the 
international market.  However, we say that we have to 
balance that economic policy, which is a very important one, 
with the public safety needs of the people that we are obligated 
to protect � both against criminals and against national 
security threats.  If we are unable to access and decrypt real-
time, with a court warrant in hand, conversations of criminals 
and people who would commit horrible crimes � even crimes 
like the one that Senator Leahy refers to � we will be hard up 
to defend the country in many respects.  That is why in my 
previous testimony I have said that unless we have some 
solution to unbreakable encryption we will be devastated with 
respect to our ability to fight crime and terrorism. That is not 
an exaggeration on my part; it is the consensus of many law 
enforcement professionals and technical experts who have 
studied this problem over many, many years.  We seek and 
request a balanced encryption policy � one that will promote 
robust encryption but will provide under very unique and 
infrequent circumstances pursuant to a court order the ability 
of my investigators or other investigators for state and local 
authorities to go in and solve a kidnapping case � to find the 
victim, to prevent an act of terrorism, to dismantle an 
organized crime group or a drug cartel.  Without that technique 
we will be unable to deal with that issue.
	We also believe that the legislative approach is 
necessary because we cannot leave to private industry the task 
of solving this problem for law enforcement.  We have an 
interest for instance in communications in transit � the actual 
discussion of crimes by people for whom we have probable 
cause to believe are committing crimes. Many people in 
industry and many companies who are developing key 
recovery systems on their own � about 30 companies right 
now � are more focused on the stored-data aspect of this 
issue as opposed to the in-transit communications which are of 
immediate importance to law enforcement.  So for that and 
many other reasons we cannot leave the solution to the 
business community, as some would suggest.
	We do believe, as shown by recent events, that many 
companies � many responsible companies for very good 
business objectives are developing their own key recovery 
systems to protect the users of encryption so that they can get 
access to their own products when deprived of those by other 
criminals or people who would steal their secrets.  So we do 
believe that there is a legitimate policy role to be played by the 
government and by the Congress in the form of legislation.
	We have looked at the various pieces of legislation that 
are before the Congress, both in the House and the Senate.  
We think that parts of all of them represent objectives for 
which we would agree. The control of encryption, depriving 
criminals from the use of encryption in the commission of 
criminal acts, restrictions on the government with respect to 
accessing and decrypting materials. However, none of those 
bills in my opinion give law enforcement the minimal 
safeguards which it needs to preserve this technique and use it 
effectively.
	We believe that what is necessary more than anything 
else right now is this balanced approach between robust 
encryption and legitimate court-authorized access.  And I don't 
think that we should be deluded by the argument that the genie 
is out of the bottle, there is nothing we can do � it is 
hopeless.  They said that actually about digital telephony 
problems back in 1994.  We think that a key recovery system 
can be established, that the government can promote it on a 
voluntary basis.  Industry, which is already in many respects 
constructing such an infrastructure, will respond to that 
support, and that we can create the ability to protect people in 
the 21st century.  We are not arguing, nor have we ever 
argued, that we are going to have a 100 percent perfect 
solution.  That's not the case.  John Gotti never implicated 
himself on a telephone conversation with one of his 
confederates, because he was aware of the fact that law 
enforcement agents might be listening to that, and he took 
precautions to protect himself.  Drug cartels, organized crime 
organizations, terrorists, take similar precautions to protect 
themselves.  They will kept encryption that will not be 
accessible in any key recovery context. They will do that, and 
they do it right now.  But what we cannot afford to do is reach 
a situation where all of the potential access points for a court-
ordered access are denied to us because what is proliferated is 
robust encryption without a key recovery infrastructure, 
without any points of access or interest where a court order 
can be effectuated. 
	We think that the Senate bill, the 909 bill, which comes 
the closest to meeting law enforcement's minimal needs, is a 
outstanding initiative � an attempt to deal with this very 
difficult problem.  We have worked, and we will look forward 
to working very closely to add to that bill what we believe to 
be necessary accommodations for law enforcement, and ones 
which will give us a more balanced approach.
	The problem with respect to encryption cannot be dealt 
with merely in the context of export controls.  Encryption 
products limited by export controls do relate directly to the 
national security and foreign policy interests.  However, law 
enforcement, as it must be in the United States, is more 
concerned about the significant and growing threats to public 
safety which could be caused by the proliferation and use 
within the United States of a communications infrastructure 
that supports the use of strong encryption but does not support 
law enforcement's immediate decryption needs.  So we are 
looking to the Congress, as in all the letters reflected in the 
record now, for some type of assistance with respect to 
protection against unbreakable domestic encryption.  And we 
have noted, as I did in my testimony in 909, some very 
positive initiatives in that direction.
	You gave in your opening statement, Mr. Chairman, 
several examples of cases where criminals � pedophiles, 
terrorists � have begun to take advantage of the encryption 
technology to the detriment of law enforcement, as well as the 
people who are ultimately victims of those acts.  We could cite 
many others to you.  Recently a DEA electronic surveillance 
order was completely frustrated by the use of encryption by 
the subjects of that surveillance.  Although there are now very 
few instances of these types of impediments, our own 
experience, and our experience from talking to our state and 
local counterparts, is that this is really just the tip of the 
iceberg. This is the opening of the window which unless 
addressed at this point will pose for us in the very few years 
ahead substantial problems and impediments in the execution 
of court orders � not our own orders, but orders signed by 
judges who have found probable cause for us to seize 
communications or records.  Without some decryption ability 
those records will become meaningless because nobody will 
understand them in time to use them in an appropriate way.
	Over the past few years, law enforcement has grappled 
with this issue.  It is one of the few issues where I can say that 
there is unanimous agreement not just on the federal level, but 
on the state and local level � by the Sheriffs Association, the 
International Association of Chiefs of Police, who passed a 
resolution in this regard � it's going to be a subject of their 
convention next month in Orlando � the National Association 
of District Attorneys, representatives of literally hundreds of 
thousands of law enforcement officers around the country who 
have depended vitally on the effective use of court-authorized 
electronic surveillance to perform their very difficult jobs in the 
most dangerous cases.  We will not be able to protect the 
country in the way that we are expected to do it, in the way 
that we have done it, if we lose this technique.
	We are not asking for any new powers or any new 
authorities. That's another misnomer which I am happy to 
correct once again.  We rely for our request on the Fourth 
Amendment to the Constitution, where the framers in 1791 
balanced the privacy that people were entitled to in their houses 
and their papers with the legitimate need of law enforcement, 
upon a showing of probable cause, to a federal judge in this 
case, the ability to breach that privacy and security because the 
commission of a crime or the planned commission of a crime 
have such a great impact on the safety and the society of the 
community that the framers decided that upon a sufficient 
showing of probable cause and the issuance of a court order, 
that privacy expectation would be overcome and we would be 
allowed to seize evidence of a crime.
	We're not asking for new authority to seize any 
conversations or papers.  The (broad?) requirement would still 
be maintained.  We would still have to procure an order from 
an Article III judge to seize a paper or a conversation.  But we 
would also then be entitled to understand what we've seized.  
If we can seize it but we can't understand it, it becomes a 
(nullity?) and, de facto, we lose that power of search and 
seizure which we've had, which the country has had since 
1791, balanced very carefully against privacy and the 
expectations of privacy.
	So I want to say one more time that we're not asking 
for any new powers or new authorities.  We're asking for a 
Fourth Amendment that works in the information age.  When 
it was designed by the framers, they didn't contemplate, 
obviously, digital telephony and encryption. I think to deprive 
law enforcement of that power, that constitutional power, 
would be a dramatic alteration not only in the Fourth 
Amendment but in the ability of law enforcement officers to do 
their job pursuant to (warrants?).
	There is nothing in any of the recommendations that 
the government has made which enlarges or expands our 
powers in any way. What it does, quite frankly, is ensure that 
the powers that we've used for over 200 years, controlled by 
courts and juries ultimately, are powers which will be viable 
and relative in an information age when people are using 120-
bit encryption.
	As my friend in the NSA tells me, to break 120-bit 
encryption, it would take 26 trillion times the age of the 
universe to decipher one criminal bit or one message bit in 
order to respond and take some appropriate action.  We can't 
function that way.  If the decision is made that electronic 
surveillance and court-authorized electronic surveillance is 
important but not as important as the commercial interests 
which go with robust and unbreakable encryption, it seems to 
me that's a decision that the Congress could make and the 
country could make.  But I think it would be an ill-advised one 
and that we would be paying the price for many years to come 
for the deprivation of what have proven to be the most 
important law enforcement techniques, and techniques which 
are very well controlled.
	There's no argument and there's no body of proof, 
even a small portion, which shows that the federal, state and 
local prosecutors and agents have abused electronic 
surveillance.  In fact, as I (mentioned?), in 1996 there were 
only 1149 electronic surveillance orders in the whole country.  
That's adding up state, local and federal.
	This is a very unique and very infrequently used 
technique.  The impact, however, is that it's used in the most 
important cases.  It was used in the case up in New York 
where individuals were planning to blow up the Holland 
Tunnel and several bridges and infrastructure in New York.  It 
was used in other cases where people were going to blow up 
airlines in the Pacific.  It's used routinely by state and local 
authorities in kidnapping cases, extortion cases.
	We want to preserve that technique.  Obviously we 
want to balance it against the legitimate privacy and 
commercial interests, and we think that the best way to do that 
is legislation which achieves that balance.  And except for 909, 
the other pieces of legislation don't, in my view, attempt to 
balance those two interests at all.  In fact, they're completely 
one-sided with respect to the commercial interests.
	So we're ready to work, as we have done, with the 
committees, with the industry, to try to resolve the situation.  I 
think Senator Leahy is right.  If everybody sits down and 
maybe locks themselves in a room, I think they can agree on 
something.  But I think if we don't, the country is going to 
pay the price in the years to come.
	SEN. KYL:  Director Freeh, thank you very much.  I 
indicated that Senator Feinstein was delayed somewhat at the 
beginning of the hearing.  Senator Feinstein, if you'd like to 
make any comments now before we question Director Freeh, 
this would be the time.
	SEN. DIANNE FEINSTEIN (D-CA):  Thank you 
very much, Mr. Chairman. I would.  I thank you for holding 
this hearing and for your interest in the subject.  Coming from 
California, at least trying very hard to represent a huge and 
burgeoning Silicon Valley industry, this whole issue is a very 
key and critical one.
	I've heard Director Freeh testify on this issue, I 
believe, twice before.  And if I may venture, I think his views 
are fully representative, almost without exception, of the entire 
federal, state and local law enforcement communities of the 
United States.  And I think they have to be given considerable 
weight and due diligence.
	I, for one, am very concerned.  Director Freeh, you've 
pointed out where encryption has been used successfully by 
terrorists, whether it's the Ohmshinrikkio cult in Japan or the 
Manila situation with the airlines or the New York situation.  
Also in California it was used in a multi-county gambling 
enterprise.  I understand the Cali drug cartel uses encryption 
with some of its personnel sources or personnel statements.
	You've mentioned that you think one bill comes close 
to providing some of the guarantees that we need.  The bottom 
line is I think probably nothing other than some form of 
mandatory key recovery really does the job.  The situation that 
I have always had when I talk about this is, "Well, how can 
we compete, then, with other countries that don't have these 
requirements?"
	I mean, I, for one, believe that the public safety issue 
is a paramount issue because everybody's going to stop using 
the telephone or any other forms of communication to 
participate in an act of complicity to commit a crime and use an 
encryption system on a computer.  I mean, that's going to be 
kind of (de reguerre?) unless we have some methodology, and 
two, some infrastructure that's able to protect everybody's 
rights � the right to privacy as well as the right, as you've 
pointed out, for a judge to give an order and for law 
enforcement to be able to punctuate that encryption system and 
pull out of it what it needs to break an important case.
	Whether this can come from something short of 
mandatory key recovery, I don't know.  But I think in effect, 
Mr. Chairman, this is our challenge.  And I suspect we think 
very much alike on this issue. So I look forward to the 
testimony.  And I won't go on now because I have some 
questions after you ask yours that I hope Director Freeh would 
be willing to come forward and state with some specificity in 
what he thinks could provide this kind of balanced system that 
can protect privacy rights as well as public safety.
	SEN. KYL:  Thank you very much, Senator Feinstein.  
Once again, you and I are in complete agreement.  And I also 
would underscore a point you made, and that is that the letters 
which I did insert in the record prior to your arrival uniformly 
state the position that Director Freeh has stated here.  He noted 
that, and in his testimony indicated that the federal and state 
law enforcement is unanimous in its view that there needs to 
be this balanced approach of which he spoke.
	I would like to begin by going directly to the question 
that you just posed and ask it very specifically.  Director 
Freeh, in your prepared statement, and I'll quote from it, you 
say that S. 909 � and incidentally, before I do that, let me 
compliment my colleague, Senator McCain from Arizona, as 
one of the two key authors of that legislation; the other, the 
ranking member of the Intelligence Committee, Senator 
Kerrey, the Intelligence Committee on which I also sit.
	Both of those senators have tried very hard to achieve 
this balanced approach, and they've been pummeled pretty 
hard, particularly by one side, which believes that the 
legislation should be perhaps more oriented toward the 
commercial interests.  But I want to compliment both of them, 
and in particular my colleague from Arizona for his efforts 
here.
	But you say in your testimony that S. 909 still does not 
contain sufficient assurances that the impact on public safety 
and effective law enforcement caused by the widespread use of 
encryption will be adequately addressed.  What are law 
enforcement's needs in this specific regard, and how can the 
proposals put forth in S. 909 be improved to meet those 
needs?
	MR. FREEH:  Senator, the main concern, as I 
expressed in my testimony, for myself and my state and local 
colleagues is domestic access pursuant to a court order.  We 
believe that some export controls are necessary for national 
security reasons and otherwise. But the bulk of our work and 
the entire majority, for the most part, of state and local efforts 
are going to be focused on the domestic use of encryption.
	What we would recommend from a law enforcement 
point of view is that the legislation contain a provision that 
would require the manufacturers of encryption products and 
services, those which will be used in the United States or 
imported into the United States for use, include a feature 
which would allow for the immediate, lawful decryption of the 
communications or the electronic information once that 
information is found by a judge to be in furtherance of a 
criminal activity or a national security matter.
	There are a number of ways that that could be 
implemented, but what we believe we need as a minimum is a 
feature implemented and designed by the manufacturers of the 
products and services here that will allow law enforcement to 
have an immediate lawful decryption of the communications in 
transit or the stored data.  That could be done in a mandatory 
manner.  It could be done in an involuntary manner. But the 
key is that we would have the ability, once we have the court 
order in hand, to get that information and get it real-time 
without waiting for what it would take for a supercomputer to 
give us, which is too long for life or safety reasons.
	SEN. KYL:  Now, S. 909 currently calls for a 
voluntary system of key recovery use so that, theoretically, 
two members of a drug cartel could communicate in an 
encrypted way without ever taking advantage of the system 
that has a key recovery system in it.  On the other hand, for 
most communication or data storage that exists, sooner or later 
even criminals tend, for convenience sake, to need to use the 
system. And in those situations where they're using a system 
where voluntarily key recovery has been provided, then law 
enforcement would have access to that.
	As I understand it, what you are suggesting here � 
and I am aware, by the way, that the Department of Justice, 
the FBI, private industry, many other folks, are trying to work 
together in a way to find just exactly the right language to 
approach this issue.  And I appreciate your efforts and urge 
you to continue that effort.
	As I understand it, what you are suggesting here is that 
whether or not the legislation requires, in a mandatory way, a 
key recovery system, as it would in the limited situation where 
a government contractor is dealing with the federal 
government, or whether it's voluntary, as it is for everyone 
else under S. 909, in either case, at least the manufacturer 
would have to build into the system the capability for a key 
recovery system, should the users decide to take advantage of 
it.  Is that correct?
	MR. FREEH:  That's very � it's very accurately 
descriptive of what I meant.  It's like � maybe this is a bad 
analogy, but an air bag in a car; that the manufacturer is 
required in some states and federally to provide it, and now 
there's discussions about giving the user the ability to activate 
it or deactivate it, depending upon their own assessment of its 
efficacy and their safety needs.  And I think we're talking 
about something very similar.
	SEN. KYL:  I remember back in the early days when 
you could buy a car that either had the tape deck in it or not.  
But if you didn't want to buy the tape deck, there was kind of 
a blank hole in the dashboard, but at least you could put it in 
there if you wanted to. And that's similar to what you're 
suggesting here.
	MR. FREEH:  Yes.  I think the legislation has to begin 
by requiring the manufacturers to have the feature available 
and then take up the larger and maybe more complex 
discussion about how that's enabled.  Is it done voluntary by 
the user?  Is the network provider of the service required to 
have that immediate decryption ability because they're 
providing a public service?  And there's a lot of permutations 
of that which we're trying to work through.  But the key 
concept � you've hit the nail right on the head, Senator.
	SEN. KYL:  And this would be a much easier and less 
expensive requirement in the production of the systems, would 
it not, than that which was required in the digital telephone 
legislation, which actually required constructing a pretty 
sophisticated system by the system constructors?
	MR. FREEH:  Yes, I believe it would be much more 
cost-effective and much more efficient.  In that system, the 
government set standards for the industry to build to and said 
it would pay them so much money to retrofit systems that 
didn't meet those standards.  Here we're not saying the key 
recovery standard X, Y, Z.  We're telling the manufacturers 
that they need to have a feature that would allow immediate 
decryption, and they can do that in the cheapest, most efficient 
way that they can design.  And I think they can do that fairly 
easily.
	SEN. KYL:  I appreciate it very much.  Is there 
anything else that you wish to add in terms of suggestions for 
improving S. 909? Again, I know you're still working on this 
and you may want to wait for another opportunity to expand.  
But if there's anything else that you'd like to add at this time, 
I'd invite you to do so.
	MR. FREEH:  Senator, just the point that I made 
before, that I think it's a worthwhile issue for discussion to 
look at whether network service providers should also be 
required to have some immediate decrypting ability to respond 
to a court order.  We work, as you know, particularly in the 
pedophile cases, with on-line services who give us, when we 
run up against encryption, court-authorized access to 
information that is the subject of crimes.  And that deals in 
many respects with our problem, particularly as networks 
proliferate and more and more people use them for 
communications.  It also maintains the court-authorized 
requirement and it also gives us the balance that I think is 
required in a policy that's going to work.
	SEN. KYL:  And a final point I would make; you've 
made it over and over, and yet whenever I discuss this, people 
seem to misunderstand.  In no way are you asking for any 
additional legal authority for either seizure or wiretap.  Is that 
correct?
	MR. FREEH:  That's correct, Senator.  I mean, maybe 
as an example � I've used this once or twice before � right 
now, if we have a search warrant, we have probable cause that 
someone in a residence, for instance, has evidence of an 
ongoing past or future crime.  The judge signs it.  We go into 
the residence and, say, in the garage or not in the main 
structure, we find a box or a safe.
	Many assistant U.S. attorneys � and I did this myself 
when I was one � (inaudible) � might go back to the court 
and get another warrant to go inside the safe box on the theory 
that it was not within the scope of the original warrant and the 
expectation of privacy might be different; all those legal 
arguments.
	What we're talking about here is maybe two warrants.  
We're going to have the authority to seize the evidence, 
whether it's a conversation or stored data.  And now we need 
another warrant to unlock what we've already seized, because 
if we don't know what it means, it doesn't make any sense.  
So we're not asking for any additional authority.  We're 
maybe going through the requirement two times, which 
actually gives people more protection.
	SEN. KYL:  I think the way you put it was asking for 
a Fourth Amendment that works in the information age.
	MR. FREEH:  Yes, sir.
	SEN. KYL:  I thought that was a good way to put it.  
Senator Feinstein?
	SEN. FEINSTEIN:  I have three questions, if I might, 
Mr. Chairman.
	Presently today, U.S. countries can export 56-bit 
technology only if they've pledged to develop key recovery 
systems within two years. And the McCain-Kerrey legislation 
eliminates export restrictions on 56-bit products, 56-and-
below products.  My question is, do you favor this?
	MR. FREEH:  I think if it's balanced with a key 
recovery system, particularly one which domestically gives up 
some immediate decrypting ability under a court order, I do 
favor it.  I think it's �
	SEN. FEINSTEIN:  So you would say, though, that 
you favor it if there is a key recovery system �
	MR. FREEH:  Yes, ma'am.
	SEN. FEINSTEIN:  � only.
	MR. FREEH:  Exactly.
	SEN. FEINSTEIN:  Okay.  Now, let's go to 128-bit 
encryption products that do not have key recovery.  They're 
currently exported from other countries or imported from other 
countries to international customers.  And they're also 
available domestically.  What would your position be there?
	MR. FREEH:  Well, if we had legislation that required 
the immediate decryptability of any product used, sold or 
distributed in the United States, our domestic law enforcement 
interests would be protected.  If we did not have such 
legislation, obviously the introduction of that type of robust 
encryption into the United States without any key recovery 
requirement or decryption ability would be very, very 
dangerous for us.  We would not be able to, with a court order 
in our hands, decrypt or understand those algorithms.
	Now, it works both ways.  Many other countries � 
France, Russia and Israel in particular � have outlawed the 
importation and use of encryption in their countries because 
they have recognized the same public safety issues that we 
have.  I think once countries that began that type of 
exportation, particularly the United States started to export 
those types of products overseas, you would see great 
resistance from many other countries.
	SEN. FEINSTEIN:  Again, I tend to agree with you.  
Let me go to my third question.  I don't see how anything 
short of mandatory key recovery accomplishes your purpose.  
Am I correct?  Or if not, what specifically would accomplish 
your purpose?  A voluntary system doesn't accomplish your 
purpose because the Cali drug cartel isn't going to participate 
on a computer with a voluntary key encryption system.  
They're going to go to one that doesn't have one.  So how 
does anything short of mandatory key recovery solve the 
problem?
	MR. FREEH:  Mandatory key recovery, to the extent 
that it was implemented, would be the best law enforcement 
solution.  I would not be candid with you if I told you 
anything other than that.
	SEN. FEINSTEIN:  No, I'm just saying not solution.  
How does � it can't solve the problem.  I mean, it's a step 
forward.  Anything is a step forward.  But it still is a massive 
loophole that everyone would take use of.
	MR. FREEH:  But there are massive loopholes right 
now.  I mean, from person to person, from cartel to cartel, the 
encryption products which would defeat law enforcement are 
available and are used.  Our concern is that if we have mass 
proliferation of unbreakable encryption, there are no 
infrastructures that are established to find some recovery 
points along the chain of information flow or storage.
	If the government of the United States, which is the 
largest consumer, I think, of encryption products 
domestically, doesn't require key recovery in the products it 
buys, if we don't ask our on- line services for access, if we 
don't do all the things which are doable, in my view, then 
nothing is going to work because there are going to be no 
alternatives to access.
	I think we can design a system short of mandatory key 
recovery which will work certainly better than no system at all.  
And I think the precepts of 909 and some additions which 
could be added thereto will give law enforcement at least a 
fighting chance, which is really what we're asking for in this 
context, to keep a technique which is very valuable.
	I don't think we'll ever solve the problem 100 percent.  
There are loopholes now.  There will be loopholes even with a 
mandatory key recovery system.  What we want to try to do is 
design an
	infrastructure which will give us as many access points 
for that court order as possible.  And that's the end game that 
we're involved in right now.
	SEN. FEINSTEIN:  See, I think that there's a very 
realistic concern.  You know, if you have information that 
somebody is using computers to practice terrorist acts, it 
seems to me the ability to go to a judge, get a court order and 
be able to punctuate that computer in a timely way is really 
where the public safety is going to be met in a positive way.
	And what I'm kind of concerned about is that every 
time anybody talks about mandatory key recovery, it's as if 
it's something terrible, when the whole world and everybody 
else really ought to come to grips with cyberspace as a whole 
new communication system, and not to afford the same rights 
for law enforcement in cyberspace that they have with the 
telephone.  It's going to just create enormous problems 
downstream.
	MR. FREEH:  Senator, I agree with you.
	SEN. FEINSTEIN:  I mean, I tend to be very robust 
on the side of having a system which exists for every 
computer that it cannot be used for criminal purposes without 
at least some degree of penetration.
	MR. FREEH:  Yes.  No, I agree with you.
	SEN. FEINSTEIN:  But you're being so nice about it, 
and so kind of �
	MR. FREEH:  Well, I would use the word practical.
	SEN. FEINSTEIN:  Maybe you have been beaten up 
more than I have so far.  (Laughter.)  I don't know. 
	MR. FREEH:  The � the position that I think we are 
left to is � look, if I could convince everybody in this town 
� I mean, everybody in this town � that we needed 
mandatory key recovery, and that that was something doable, I 
would certainly work very hard in that regard. I � my sense 
is and my experience, having worked on this for three or four 
years, is that that is not the case � for very good reasons 
people of good faith with legitimate arguments not being able 
to universally accept that system.  So �
	SEN. FEINSTEIN:  Could you go into those reasons 
�
	MR. FREEH:  Sure �
	SEN. FEINSTEIN:  � that you feel are the good faith 
reasons?
	MR. FREEH:  The good faith reasons are that it would 
retard American industry.  As you pointed out, somebody 
overseas faced with a product that has an embedded security 
feature in it, or one that does not, is going to pick the latter 
product.  I don't think that's the case myself.  I think people 
buy software for spreadsheets and other
	features, and not out of concern for embedded security 
features. Every time we pick up our telephone we know that if 
somebody � a sheriff or FBI agent has convinced a judge that 
we are using that phone for criminal purposes somebody is 
going to be listening and recording every word that we make.  
But we still use the phone.  In fact, people still use the phone 
even in the commission of crimes � because it's a convenient 
and available and exclusive infrastructure and network that 
they have to use.
	Another argument is that it's a violation of privacy 
rights.  I think that's a bogus argument.  Nobody is 
advocating or suggesting access to encrypted information 
unless there is a predicate finding by a judge that somebody is 
committing a crime or about to commit a crime.  I think there's 
a lot of arguments that, you know, are made in good faith and 
because the objectives of that particular position support that 
argument.
	But we are talking about, as I think you very accurately 
described, is a new technology, a new environment, a new 
century, and people are going to be communicating on the 
Internet as they communicate now on telephones.  So what we 
are saying is let's transport the Fourth Amendment from the 
18th century to the 21st century, maintaining all the protections 
that the Framers guaranteed in that amendment.  We are not 
advocating anything different.  But the technology is going to 
require real-time access, which we will not get in a system that 
abandons the argument that we need a balanced policy here.
	SEN. FEINSTEIN:  So if it weren't � if those points 
could be satisfied, the two sort of good faith points you've just 
raised, either in an international agreement or some other � in 
some other manner � mandatory key recovery you think 
would be acceptable to everyone?
	MR. FREEH:  Yes.  Yes, I do.
	SEN. FEINSTEIN:  Thank you very much.
	SEN. KYL:  Thank you, Senator Feinstein.  That's an 
excellent point.
	I would like to just ask one final question.  We are all 
absolutely committed to the protection of our constitutional 
rights. And, by the way, encryption helps to advance the 
rights of privacy that are at least implicated in the Constitution 
� or implied. Absent the ability of law enforcement to use 
traditional law enforcement techniques of being able to tap a 
computer just like you would tap a telephone, if a judge is 
convinced that you have cause to believe a crime is being 
committed, is it not true that actually constitutional rights could 
be � I don't want to use the word "jeopardized" � but at 
least under somewhat more threat by virtue of the kinds of 
techniques that law enforcement would have to resort to? In 
other words, if you � if brute force techniques don't work, 
and
	you've certainly made that point, and others have made 
the point too � and you don't have this ability through key 
recovery, what other options do you have for conducting 
authorized surveillance, and what are the implications of those 
options to people's personal privacy?
	MR. FREEH:  Well, I think the implications are very 
serious.  Let me just give you the example of a �
	SEN. KYL:  Or also the risk to law enforcement �
	MR. FREEH:  Yes �
	SEN. KYL:  � which I think is also in play.
	MR. FREEH:  If we convince a � we convince an 
Article 3 judge that someone is using their phone to commit a 
crime, judge issues an order which we serve on the telephone 
company, which allows us access to hear those conversations 
� a key part of the judge's order is what they call the 
minimization provisions, which mean if during the course of a 
conversation the monitors determine that this is an innocent 
conversation, not related to the crimes which are predicated in 
the court order, they shut it off � they turn it off and maybe 
they put it on four or five minutes later to spot check to see if a 
criminal conversation is now taking place.  The reason for that 
is very obvious.  It's to limit the intrusive use and impact of 
that technique � the same with the microphone surveillance.  
If the only way we could get access to decrypted information 
would be a court order which allowed an intrusion into 
someone's home or office so an agent could literally stand 
over the shoulder of the operator to see what was being 
decrypted, that would be an entirely larger intrusion � both 
personally and I think also in its constitutional impact.  It 
would also be very dangerous for the law enforcement agents 
if every time they wanted to get access to decrypted material 
they had to do things which would expose them to greater risk 
and greater harm.  So I think both from a constitutional 
protection point of view and a law enforcement safety point of 
view this is maintaining what we currently use to minimize the 
surveillance of innocent conduct, but also to enable our agents 
to work out there safely.
	SEN. KYL:  Thank you.  Senator Feinstein, did you 
have anything else at this point?
	SEN. FEINSTEIN:  No, I have no other questions.
	SEN. KYL:  Senator Leahy will not be able to return, 
but would like to submit some questions.  And I will simply 
announce for the record that we will keep the record open for a 
reasonable time here. And certainly Senator Leahy will be 
permitted to submit questions, and he may provide some to 
you, Director Freeh.
	Once again we thank you very, very much for your 
testimony here. I want to personally compliment you for your 
dedication to this, for trying to come up with the best answers, 
for your commitment to the Constitution � but also for the 
protection of the people of this country � protection that has 
been entrusted partially to you.  I commend you for your 
service and appreciate your testimony today.
	MR. FREEH:  Thank you, Mr. Chairman.  Thank 
you, senator.

###








