Statement at the Hearing of the Committee on the Judiciary on "Encryption, Key Recovery and Privacy Protection in the Information Age"
July 9, 1997
I have followed the encryption issue closely for some years now. Cryptography is important for our economy, our privacy and our national security and will only become more critical with our increasing reliance on computers, computer networks and other digital communications and electronic media.
Until now, much of Washington, Capitol Hill included, has enjoyed standing blessedly clear of this debate. For many of my colleagues, and for many in the Administration, the word "encryption" has been just about as baffling as a bit of computer code. Even if many of us still struggle to understand how encryption works, appreciating the importance of this technology is an imperative of our inexorable transition into what we call the Information Age.
Over the years, as I have questioned each iteration of the Administration’s encryption policy, I have made clear that this is not a black-and-white issue. Some have tried to simplify this debate as one in which you are either for law enforcement and national security or for Internet freedom. Characterizing the debate in these simplistic terms is neither productive nor accurate. As with other new and advanced technologies that implicate both law enforcement and civil liberties interests, the solution will only be reached by balancing all legitimate interests. This year, the Administration has finally come around to my view that settling the encryption issue and finding the right solution is best accomplished in the legislative arena.
All of us care deeply about our national security, and no one wants to make it any easier for criminals and terrorists to commit criminal acts. We should not lose sight of the fact that oftentimes the best defense is a strong offense. Taking affirmative steps to use strong encryption can aid law enforcement and protect national security by limiting the threat of industrial espionage and foreign spying, and reducing the vulnerability of electronic information to online snoops and breaches of privacy. Furthermore, adopting an encryption policy that protects the global competitiveness of our high-tech industries will serve our national security interests better in the long run than driving encryption expertise and markets overseas.
At a hearing I chaired four years ago on the Clipper Chip proposal, Justice Department witnesses told the Judiciary Subcommittee on Technology and the Law that no legislation was necessary to implement a law enforcement solution to the encryption problem or to clarify obligations or liabilities of key holders. They said that "current export controls must remain in place" at 40-bit encryption. They were reluctant to consider anyone other than government agencies as key holders. They were optimistic that the government-developed and implemented Clipper Chip encryption scheme would be popular in the marketplace because it represented such strong encryption.
Well, Clipper Chip turned out to be a marketplace flop. By contrast to the situation four years ago, now the Administration is actively pursuing a legislative solution. Export controls have been relaxed to permit U.S. firms to sell abroad 56-bit encryption on condition that they promise to develop key recovery systems. Under a new policy, banks and other financial institutions will be able to export encryption of any length, with or without key recovery, for use by their customers world-wide.
I mention these changes in Administration encryption policy both to commend the Administration for the progress made and to caution my colleagues that we must continue to ask hard questions to move this debate forward and get us closer to finding the right solution.
Some things have not changed. At the 1994 Clipper Chip hearing, the Administration witnesses could not answer critical questions about how much Clipper Chip would cost, how exactly foreign governments would get access to the private decryption keys of American citizens and businesses, and how secure the Clipper Chip system would be from abuse, mistakes and misuse.
We have had expert cryptographers raise some of the same questions about the costs and security risks of the key recovery scheme currently being pushed by the Administration. I hope we can begin to get better answers here today.
The Administration pushed forward with Clipper Chip before completing internal reviews thoroughly testing how that system would work when implemented nationally. Now the Administration is pushing forward with a key recovery scheme for the government and the private sector, before even seeing the results from the 10 ongoing key recovery pilot projects the government is funding at a cost of $7.8 million.
Asking hard questions about key recovery encryption should not be misinterpreted as rigid opposition to such systems. There has been one key recovery bill pending in the Senate in the last Congress and for most of this one. That is the "Encrypted Communications Privacy Act," which I introduced with Senator Burns and other colleagues from both sides of the aisle. It is pending before this Committee as S.376.
Today we are going to hear significant questions raised about the costs, vulnerabilities and feasibility of the key recovery system envisioned by the Administration and reflected in the Commerce Committee bill. I have always believed that there will be a use for a market-driven, user-friendly, cost-effective form of key recovery, so that businesses and individuals can recover encrypted data that is important to them. No business wants to lose access to important confidential financial information because the employee who encrypted it took a holiday or got hit by a bus. At the same time, law enforcement access should be accommodated subject to appropriate procedures to safeguard privacy and civil liberties. That is the thrust of the Leahy-Burns encryption bill.
However, government-dictated recovery systems are radically different in nature. The Administration’s insistence on burdensome regulation of key recovery systems, guaranteed access to both encrypted communications and stored files, access to keys by both domestic and foreign law enforcement agencies without court orders, and no notice ever of key disclosures to the owners of those keys, all pose significant obstacles to a market-driven approach to the development of key recovery systems.
Last month, the Commerce Committee reported a bill, S.909, introduced two days earlier with the backing of the Administration. The Chairman and I have requested sequential referral of this bill, which creates 15 new federal crimes, addresses intellectual property uses of encryption, and encompasses several other issues within this Committee’s jurisdiction. I have already heard significant questions raised about provisions in that bill, and I have a few myself. For example, I am concerned about the wisdom of granting the Secretary of Commerce the power to subject American citizens to criminal and civil penalties for violating regulations that we have not seen, and which do not even exist yet.
The Chairman and I would like the cooperation of the Administration and, specifically, the FBI and the NSA, as well as the other interested stakeholders in this debate, to sit down with us and discuss the compromises necessary to find a real solution, at last, to the encryption issue.
