Vermont's US Senator, Patrick Leahy




Hearing On "Privacy In The Digital Age: Encryption And Mandatory Access"

Subcommittee On Constitution, Federalism, And Property Rights

March 17, 1998



Cryptography is important for our economy, our national security and our privacy, and it will only become more critical with our increasing reliance on computers, computer networks and other digital communications and electronic media. Even if many of us still struggle to understand how encryption works, appreciating the importance of this technology is an imperative of our inexorable transition into what we call the Information Age.

PRIVACY

Some have tried to simplify the encryption debate as one in which you are either for law enforcement and national security or for Internet freedom. Characterizing the debate in these simplistic terms is neither productive nor accurate. This is not a black-and-white issue. As with other new and advanced technologies that engage both law enforcement and civil liberties interests, the solution in this policy debate will only be reached by balancing all legitimate interests. The starting point is our Constitution and the Bill of Rights, which confirms our right to speak freely, associate with whom we wish, to refuse to incriminate ourselves, and to be left alone.

We hear almost daily reports about the threats to privacy from the growth of interconnected computer networks and computer databases. The exponential growth in use of the Internet and similar interactive communications technologies by Americans to obtain critical medical services, to conduct business, and to be entertained and communicate with their friends raises special concerns about the privacy and confidentiality of those communications. Encryption technology offers an effective way to ensure that only the people we choose can read our communications or our e-mail, review our medical records, or take money out of our bank account. For those who want to protect the fruits of their intellectual endeavors, encryption also provides a technical means to enforce yet another important constitutional right, the copyright.

In some places in the world, protecting the confidentiality of encrypted files can be a matter of life and death. I have read horror stories sent to me over the Internet about how human rights groups in the Balkans have had their computers confiscated during raids by security police seeking to root out the identities of people who have complained about abuses. Thanks to the PGP encryption software, the encrypted files were undecipherable by the police and the names of the people who entrusted their lives to the human rights groups were safe.

I congratulate Chairman Ashcroft and the Ranking Member, Senator Feingold, for convening this hearing and providing a forum to discuss the important privacy and constitutional interests at stake in the encryption debate. How we resolve this debate today will have important repercussions for the exercise of our constitutional rights tomorrow. Every American, not just those in the software industry and not just those in law enforcement agencies, has a stake in the outcome.

FBI "WISH LIST"

At the heart of the encryption debate is the power this technology gives computer users to choose who may access their communications and stored records, to the exclusion of all others. For the same reason that encryption is a powerful privacy enhancing tool, it also poses challenges for law enforcement. Law enforcement agencies want access even when we do not choose to give it.

The FBI has made clear that law enforcement will settle for no less than immediate access to the plaintext of encrypted communications and stored data, and, absent industry capitulation, will seek legislation to this effect. Indeed, while much of this debate has focused on relaxation of export controls, the FBI has upped the ante. Recognizing that the encryption genie is out of the bottle, the FBI now wants to stuff it back in with import restrictions and domestic controls on encryption.

In response to written questions I posed to the FBI in connection with the Judiciary Committee's encryption hearing on June 25, 1997, the FBI stated:

"Without the adoption of legislation which provides that encryption products manufactured or imported into the U.S. include features that allow for the immediate access to the `plaintext' of encrypted criminal-related information (both transmitted and stored), pursuant to lawful court order, investigations and subsequent prosecution of criminal activity will continue to be thwarted...[I]f the current voluntary efforts are not successful,... it is the responsibility of the FBI... to seek alternative approaches to alleviate the problems caused by encryption. This would include legislative remedies which effectively address law enforcement concerns regarding the import of robust encryption products, as well as encryption products manufactured for use in the U.S." (Emphasis supplied).

The Administration's recent letter of March 4, 1998, from the Vice President is fully consistent with this position. While indicating that the Administration prefers a "good faith dialogue" and "cooperative solutions" over "seeking to legislate domestic controls," the latter approach is nowhere ruled out.

LEAHY ENCRYPTION BILLS

Our country is certainly not alone in grappling with the tension between what encryption has to offer for privacy and confidentiality, and the challenge this poses for public safety. The Organization For Economic Co-Operation and Development (OECD) recently issued a report on Cryptography Policy that summarizes many of the issues that need to be addressed. For example, if lawful access is to be preserved to encrypted information, how should this be done? As the OECD noted, "other issues that may need to be addressed include where keys will be stored, who will be allowed to hold keys, and what will be the responsibilities and the liabilities of keyholders."

At the beginning of this Congress I introduced with Senator Burns two encryption bills, one of which, the "Encrypted Communications Privacy Act", S. 376, proposes answers to these questions that our society and others around the world are facing. This bill is pending in the Judiciary Committee and was endorsed most recently by the U.S. Chamber of Commerce.

This legislation would ensure the right of Americans to choose how to protect their privacy and promote the global competitiveness of American companies. It calls for an overhaul of our export restrictions on encryption and prohibits a government-mandated key escrow encryption system. For those business or individual users who choose to use an encryption method with a recoverable key stored with another party, the bill would set up stringent procedures for law enforcement and foreign governments to follow to obtain decoding keys or decryption assistance to read the plaintext of encrypted communications obtained under court order or other lawful process.

There may be a market for a user-friendly, cost-effective form of key recovery with user choice on key holder, so that businesses and individuals can recover encrypted data that is important to them. Law enforcement access to those keys should be accommodated subject to appropriate procedures to safeguard privacy and civil liberties. That is the thrust of my encryption bill.

By contrast with the voluntary, market-driven approach of my bill, the Administration has so far insisted on burdensome regulation of key recovery systems, guaranteed access to both encrypted communications and stored files, access to keys by both domestic and foreign law enforcement agencies on a minimal showing, and no notice of key disclosures to the owners of those keys. These conditions pose significant obstacles to a market-driven approach in the development of key recovery systems.

Americans should be free to choose any encryption method that suits their needs to protect the privacy of their online communications and computer files. Government efforts to dictate to Americans the type of encryption they should use will be fruitless. If consumers have no need for the government-sanctioned encryption, they simply will not use it. The marketplace has a decisive voice in this issue, as the failure of the Clipper Chip clearly demonstrated.

Furthermore, key recovery will simply not be widely accepted in the marketplace, even for use on stored data, without having in place privacy safeguards defining how and under what circumstances law enforcement agents and others may get access to decryption keys or decryption assistance. Many users have legitimate concerns about investing in, let alone using, key recovery products without clear answers on how the FBI, or foreign governments -- including those with bad human rights records or a history of economic espionage -- will get access to their keys. We need clarity on these fundamental privacy issues.

Moreover, costs will be associated with keeping secure the highly confidential decryption keys that a key recovery system will generate. Not every computer user will be able to, or will want to, bear those costs, particularly over long periods of time. How much would such a system increase the cost of using strong encryption? These practical considerations about key recovery systems make compelled or coerced adoption of such schemes entirely inappropriate and downright foolhardy.

NEEDED: STRONG ENCRYPTION

We are mindful of the national security and law enforcement concerns that have dictated the Administration's policy choices on encryption. These agencies fear that the widespread use of strong encryption will undercut their ability to eavesdrop on terrorists or other criminals, or decipher computer files containing material evidence of a crime. But in trying to stuff the encryption genie back into the bottle with policies that threaten privacy, the FBI is short-sighted.

Strong encryption is a significant crime-prevention tool to stop online theft, vandalism and snooping. Just last month, we learned that Defense Department computers had been the target of a synchronized cyber-attack. The vulnerability of our government computer systems puts vast amounts of sensitive government information at risk of unauthorized access and disclosure.

Government computer systems are not the only ones at risk. Computer security is not just a law enforcement issue; it is also an economic one. Breaches of computer security are resulting in direct financial losses to American companies from the theft of trade secret and proprietary information. This hurts our economy. We should keep in mind the adage that "the best defense is a good offense." Americans and American firms must be encouraged to take preventive measures and use encryption to protect their computer information and systems.

We need to encourage -- and not stand in the way of -- the use of strong encryption and other technical solutions to protecting our computer systems. Encouraging the use of strong encryption is a plus for both our law enforcement and national security agencies. Strong encryption protects Americans and American businesses from industrial espionage and foreign spying, and strong encryption reduces the vulnerability of electronic information to online snoops and breaches of privacy. Also, importantly, adopting an encryption policy that protects the global competitiveness of our high-tech industries will serve our national security interests better in the long run than driving encryption expertise and markets overseas.

I look forward to working with the Chairman and other Members of this Committee to craft a constructive American encryption policy that gets the government out of the way of better privacy protection for our electronic communications and information. Our national encryption policy has focused almost entirely on the needs of our law enforcement and national security agencies, neglecting the needs of individuals, businesses and our economy. We have a legislative stalemate right now that needs to be resolved, and I hope it can still be resolved in this congressional session. We need to bring some common sense and better balance to this issue.
