Return to Home PageContact Senator LeahySenator Leahy's Privacy PolicySearch Senator Leahy's Website
Vermont's US Senator, Patrick LeahyVermont's US Senator, Patrick LeahyVermont's US Senator, Patrick LeahyVermont's US Senator, Patrick LeahyVermont's US Senator, Patrick LeahyVermont's US Senator, Patrick Leahy
Vermont's US Senator, Patrick LeahyWelcome Audio MessageimageVideo MessageVideo Messageimage
Press Releases & Statements Senator Leahy's Biography Constituent Services Major Issues For Vermonters Senator Leahy's Office


Image


"ENCRYPTION: THE BEST ON-LINE CRIME PREVENTION TOOL"

July 28, 1997


The Encryption Imperative

The best defense for computer break-ins -- both accidental and intentional -- is a good offense. That is why businesses and individuals who rely on computers and computer networks to conduct their affairs are demanding strong encryption. Encryption is a market imperative; it is where the Internet is going, whether we like it or not. Encryption can be used to protect the integrity and privacy of phone calls, computer files, e-mail messages, electronic medical records, tax records, business trade secrets, intellectual property, credit information, fax transmissions and virtually any other type of electronic information and communication. It is so fundamentally useful in so many ways, in fact, that encryption is part of the Internet’s destiny. Testifying before the Senate Judiciary Committee, Raymond Ozzie, the developer of Lotus Notes, observed: "There is no substitute for good, widespread, strong cryptography when attempting to prevent crime through these networks."

Until now, much of Washington, Capitol Hill included, has enjoyed standing blessedly clear of this encryption debate. For many in Congress, and for many in the Administration, the word "encryption" has been just about as baffling as a bit of computer code. Even if many of us still struggle to understand how encryption works, appreciating the importance of this technology is important in understanding our inexorable transition into the Information Age.

Encryption As A Crimefighting Tool

Over the years, as I have examined and critiqued each iteration of encryption policy from this administration and its predecessors, I have made clear that this is not a black-and-white issue. Some have tried to simplify this debate as one in which you are either for law enforcement and national security or for Internet freedom and market-driven answers. Casting the debate in such simplistic terms is neither productive nor accurate. As with other new and advanced technologies that implicate both law enforcement and civil liberties interests, the solution will only be reached by balancing all legitimate interests. This year the Administration has finally come around to our view that settling the encryption issue and finding the right solution are best accomplished in the legislative arena.

The congressional participants in this debate all care deeply about national security considerations, and no one wants to make it any easier for criminals and terrorists to commit criminal acts. Taking affirmative steps to use strong encryption can aid law enforcement and protect national security by limiting the threat of industrial espionage and foreign spying, and by reducing the vulnerability of electronic information to online crooks and to breaches of privacy.

Don’t Drive U.S. Encryption Know-How Oversees

Furthermore, adopting an encryption policy that protects the global competitiveness of our high-tech industries will serve our national security interests better in the long run than driving encryption expertise and markets overseas. Due to restrictive U.S. export controls on strong encryption, some of our high-tech firms are opting to move manufacturing operations off-shore where they can incorporate strong, non-exportable encryption into sophisticated computer hardware for both American and foreign customers. Other companies are turning to foreign cryptographers to implement strong encryption. Sun Microsystems recently contracted with a Russian firm to market non-exportable encryption software -- not because the expertise was unavailable in the United States, but because of our export controls. America OnLine has been competitively disadvantaged in its overseas operations because it is unable to offer its subscribers in the United Kingdom and Germany online banking services with the strong encryption (128-bit key length) demanded by foreign banks.

The Clipper Chip Debacle

The Clinton Administration has made progress on this issue. At a hearing I chaired four years ago on the Clipper Chip proposal, Administration witnesses told the Judiciary Subcommittee on Technology and the Law that no legislation was necessary to implement a law enforcement solution to the encryption problem or to clarify obligations or liabilities of key holders. They said that "current export controls must remain in place" at 40-bit encryption. They were reluctant to consider anyone other than government agencies as key holders. They were optimistic that the government-developed and implemented Clipper Chip encryption scheme would be popular in the marketplace because it incorporated strong encryption.

The Clipper Chip scenario was a marketplace flop. In contrast to the situation four years ago, the Administration is now pursuing a legislative solution. The Administration has relaxed export controls to permit U.S. firms to sell abroad 56-bit encryption on condition that they promise to develop key recovery systems. Under a new policy, banks and other financial institutions will be able to export encryption of any length, with or without key recovery, for use by their customers world-wide.

These changes in Administration encryption policy show that the Administration, though sometimes willing to improve and adapt it’s encryption policy, is not infallible on the encryption issue and that Congress must continue to ask hard questions to move this debate forward and get us closer to finding the right solution.

Some things have not changed. Even while promoting the Clipper Chip, the Administration could not answer critical questions about how much it would cost, about exactly how foreign governments would get access to the private decryption keys of American citizens and businesses, and about how secure the Clipper Chip system would be from abuse, mistakes and misuse. Similarly, expert cryptographers have raised some of the same practical questions about the costs and security risks of the key recovery scheme currently being pushed by the Administration and reflected, in significant ways, in S. 909, voted on by the Commerce Committee in June. Just as the Administration pushed forward with Clipper Chip before completing internal reviews or thoroughly testing how that system would work when implemented nationally, the Administration now is pushing forward with a key recovery scheme for the government and the private sector, before even seeing the results from 10 ongoing key recovery pilot projects the government is funding at a cost of $7.8 million.

Asking hard questions about key recovery encryption should not be misinterpreted as rigid opposition to such systems. I have always believed that there will be a use for a market-driven, user-friendly, cost-effective form of key recovery, so that businesses and individuals can recover encrypted data that is important to them. No business wants to lose access to important confidential financial information because the employee who encrypted it took a vacation or got hit by a bus. At the same time, law enforcement access should be accommodated, subject to appropriate procedures to safeguard privacy and civil liberties. That is the thrust of the "Encrypted Communications Privacy Act," S.376, which I introduced with Senator Conrad Burns and other colleagues from both sides of the aisle in the last Congress and again this February.

Regulatory Nightmare

The key recovery regime envisioned by the Administration differs radically in nature from our approach. The Administration’s insistence on burdensome regulation of key recovery systems -- on tying the use of encryption for digital signatures to the use of key recovery systems for confidentiality, on market-distorting liability and immunity provisions, on guaranteed access to both encrypted communications and stored files, on access to keys by both domestic and foreign law enforcement agencies without court orders, and on denying any notice at any time of key disclosures to the owners of those keys -- all undermine consumer confidence in the key recovery system and pose significant obstacles to a market-driven approach to the development of key recovery systems.

Solutions Should Protect Privacy

The FBI views key recovery as the encryption solution that best assures law enforcement’s ability to decipher encrypted communications subject to court-authorized wiretaps. This may be so, but using key recovery for communications runs totally contrary to the best security practices, in which deciphering keys are stored for as short a time as possible. For example, the STU-III classified telephone system, familiar to many in Congress, maintains deciphering keys only for the duration of the call. Key recovery compromises this advantage by creating a set of escrowed keys that are stored indefinitely in the service of a single objective: to ensure that law enforcement agencies will be able to decode old communications. The cost of storing those keys securely, together with the increased security risk, would impose significant burdens on all users, for the sake of fewer than 2000 wiretap orders annually. I also have grave concerns over whether those are security risks to which we should be subjecting our most sensitive government communications.

Encryption poses difficult but solvable issues. While Senators McCain, Kerrey, Hollings and others who crafted S.909 should be commended for delving into this important issue and for putting forward a proposal, that bill is not a consensus measure. Testimony before the Senate Judiciary Committee this month showed that neither the Administration nor any elements of the private sector fully endorse that bill. It is time for the Administration, as well as the other interested stakeholders in this debate, to discuss the compromises necessary to find a workable, sensible solution, at last, to the encryption issue.


[Patrick Leahy, Democrat of Vermont, is chief sponsor of The Encrypted Communications Privacy Act, S.376, and is the leading cosponsor of a related bill, The Promotion of Commerce On-Line in the Digital Era Act, S.377, sponsored by Sen. Conrad Burns, R-Mont.]

Back
U.S. Postal Address Please select a destination: