CDT - Sen. Leahy Pro-Code statement

STATEMENT OF SENATOR PATRICK LEAHY (D-VT) ON INTRODUCTION OF
"PROMOTION OF COMMERCE ON-LINE IN THE DIGITAL ERA" (PRO-CODE)
THURSDAY MAY 2, 1996

I am pleased to join a bipartisan group of Senators in supporting legislation to encourage the development and use of strong, privacy-enhancing technologies for the Internet by rolling back the out-dated restrictions on the export of strong cryptography.

As an Internet user myself, I care deeply about protecting individual privacy and encouraging the development of the Net as a secure and trusted communications medium. Current export restrictions only allow American companies to export primarily weak encryption technology. The current strength of encryption the U.S. government will allow out of the country is so weak that, according to a January 1996 study conducted by world-renowned cryptographers, a pedestrian hacker can crack the codes in a matter of hours. A foreign intelligence agency can crack the current 40-bit codes in seconds.

Perhaps more importantly, the increasing use of the Internet and similar interactive communications technologies by Americans to obtain critical medical services, to conduct business, to be entertained and communicate with their friends, raises special concerns about the privacy and confidentiality of those communications. I have long been concerned about these issues, and have worked over the past decade to protect privacy and security for our wire and electronic communications. Encryption technology provides an effective way to ensure that only the people we choose can read our communications.

Encryption is critical for electronic commerce really to flourish on the Internet, and for computer users to trust that their communciations will remain private. Today, I have sent out an open letter to the Internet about this encryption legislation. So that people reading the letter can be assured that it is really me sending it, I am using a popular encryption program called "Pretty Good Privacy", or "PGP", to authenticate my signature. This is yet another practical use of encryption, and an important one for electronic commerce.

Maintaining the privacy and confidentiality of our computer communications and information is very important to all of us both here and abroad. I have read horror stories sent to me over the Internet about how human rights groups in the Balkans have had their computers confiscated during raids by security police seeking to find out the identities of people who have complained about abuses. The human rights groups have been able to get for free from the Internet an encryption program called Pretty Good Privacy (PGP) to protect their computer communications and files. These encrypted files are undecipherable by the police and the names of the people who entrust their lives to the human rights groups are safe.

The encryption bill, called the "Promotion of Commerce On-Line in the Digital Era (PRO-CODE) Act of 1996," which we introduce today, would:

Bar any government-mandated use of any particular encryption system, including key escrow systems and affirm the right of American citizens to use whatever form of encryption they choose domestically;
Loosen export restrictions on encryption products so that American companies are able to export any generally available or mass market encryption products without obtaining government approval; and
Limit the authority of the federal government to set standards for encryption products used by businesses and individuals, particularly standards which result in products with limited key lengths and key escrow.

This is the second encryption bill I have introduced with Senator Burns and other congressional colleagues this year. Both bills call for an overhaul of this country's export restrictions on encryption, and, if enacted, would quickly result in the widespread availability of strong, privacy protecting technologies. Both bills also prohibit a government-mandated key escrow encryption system. While PRO-CODE would limit the authority of the Commerce Department to set encryption standards for use by private individuals and businesses, the first bill we introduced, called the "Encrypted Communications Privacy Act", S.1587, would set up stringent procedures for law enforcement to follow to obtain decoding keys or decryption assistance to read the plaintext of encrypted communications obtained under court order or other lawful process.

To satisfy national security and law enforcement concerns, both bills have important exceptions to restrict encryption exports for military end-uses, or to terrorist designated or embargoed countries, such as Cuba or North Korea.

I know this is not enough to satisfy our national security and law enforcement agencies, who fear that the widespread use of strong encryption will undercut their ability to eavesdrop on terrorists or other criminals.

BUT U.S. EXPORT CONTROLS WILL NOT KEEP ENCRYPTION OUT OF THE HANDS OF CRIMINALS; THESE CONTROLS ONLY HURT LEGITIMATE USERS AND AMERICAN BUSINESS. Any criminal intent on encrypting his computer information or messages to avoid getting caught can go into any Egghead store and buy off-the-shelf Lotus Notes or Norton Utilities encryption program, both of which contain strong encryption that cannot be exported. It is then a simple matter just to slip the software disc into his pocket to smuggle out of the country.

Actually, it is even simpler than that for a foreign terrorist or any criminal to get ahold of strong encryption. They don't even have to leave home. With a computer, a modem and a telephone line, they could download for free off the Internet from anywhere in the world strong encryption, such as Pretty Good Privacy.

Strong encryption has an important use as a crime prevention shield, to stop hackers, industrial spies and thieves from snooping into private computer files and stealing valuable proprietary information. We should be encouraging the use of strong encryption to prevent certain types of computer and online crime.

It is clear that the current policy towards encryption exports is hopelessly outdated, and fails to account for the real needs of individuals and businesses in the global marketplace.
In one recent example, a major high-tech firm had a multi-million dollar contract to sell digital television systems to China put at risk due to our export regulations. Why? The company suffered lengthy delays in getting export approval because the systems contained encryption technology to scramble TV signals--a critical component of the system to protect the intellectual property rights of the programming carried by the signal. Foreign competitors seeking to get into the vast China market were ready and willing to step into the company's place if it were unable to fulfill its contractual obligations. Two weeks after the contractual delivery date, the company finally got the export approval it sought. This example is particularly ironic since in trade negotiations, the United States has strongly urged China to protect intellectual property rights better.

Encryption expert Matt Blaze, in a recent letter to me, noted that current U.S. regulations governing the use and export of encryption are having a "deleterious effect ... on our country's ability to develop a reliable and trustworthy information infrastructure." This sentiment is echoed by the chief executive officers of 13 major U.S. computer systems companies, including IBM, Apple, Digital Equipment, Hewlett-Packard and others, which recently reported that "encryption is the most practical and effective means to protect valuable and confidential electronic information traveling across open networks. The availability of effective encryption is necessary to realize the full potential of the Global Information Infrastructure (GII)."

The time is right for Congress to take steps to put our national encryption policy on the right course. The PRO-CODE bill, as well as the "Encrypted Communications Privacy Act," S.1587, are much-needed steps to reform our nation's cryptography policy.

Back to the Pro-CODE Page