22 September 1998
Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html

-------------------------------------------------------------------------

[Congressional Record: September 17, 1998 (Senate)]
[Page S10515]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr17se98-135]


               ADMINISTRATION'S UPDATED ENCRYPTION POLICY

  Mr. LEAHY. Mr. President, when the Administration first announced the
encryption policy that has been in effect for the past two years, I
warned on October 1, 1996, that:

       The general outline of the Administration's plan smacks of
     the government trying to control the marketplace for high-
     tech products. Only those companies that agree to turn over
     their business plans to the government and show that they are
     developing key recovery systems, will be rewarded with
     permission to sell abroad products with DES encryption, which
     is the global encryption standard.

  The Administration announced yesterday that it is finally fixing this
aspect of its encryption policy. New Administration guidelines will
permit the export of 56-bit DES encryption without a license, after a
one time technical review, to all users outside the seven terrorist
countries. No longer will the Administration require businesses to turn
over business plans and make promises to build key recoverable products
for the freedom to export 56-bit DES.
  In 1996, I also raised serious questions about the Administration's
proposal to pull the plug on 56-bit DES exports in two years. I warned
at the time that this ``sunset'' provision ``does not promote our high-
tech industries overseas.'' I specifically asked,

       Does this mean that U.S. companies selling sophisticated
     computer systems with DES encryption overseas must warn their
     customers that the supply may end in two years? Customers
     both here and abroad want stable suppliers, not those jerked
     around by their government.

  I am pleased that the Administration has also changed this aspect of
its policy and adopted an export policy with no ``sunset.'' Instead,
the Administration will conduct a review of its policy in one year to
determine how well it is working.
  Indeed, while 56-bit encryption may still serve as the global
standard, this will not be the situation for much longer. 128-bit
encryption is now the preferred encryption strength.
  In fact, to access online account information from the Thrift Savings
Plan for Federal Employees, Members and congressional staff must use
128-bit encryption. If you use weaker encryption, a screen pops up to
say ``you cannot have access to your account information because your
Web browser does not have Secure Socket Layer (SSL) and 128-bit
encryption (the strong U.S./Canada-only version).''
  Likewise, the Department of Education has set up a Web site that
allows prospective students to apply for student financial aid online.
Significantly, the Education Department states that ``[t]o achieve
maximum protection we recommend you use 128-bit encryption.''
  These are just a couple examples of government agencies or associated
organizations directing or urging Americans to use 128-bit encryption.
We should assume that people in other countries are getting the same
directions and recommendations. Unfortunately, while American companies
can fill the demand for this strong encryption here, they will still
not be permitted to sell this strength encryption abroad for use by
people in other countries.
  Nevertheless, the Administration's new encryption policy announced
today moves in the right direction to bolster the competitive edge of
our Nation's high-tech companies, allow American companies to protect
their confidential and trade secret information and intellectual
property in communications with subsidiaries abroad, and promote global
electronic commerce. These are objectives I have sought to achieve in
encryption legislation that I have introduced and cosponsored with
bipartisan support in this and the last Congress.
  I remain concerned, however, that privacy safeguards and standards
for law enforcement access to decryption assistance are ignored in the
Administration's new policy. These are critical issues that continue to
require our attention.

                          ____________________
