November 8, 1995
The Honorable Albert Gore, Jr.
Office of the Vice President
Old Executive Office Building, Room 276
Washington, D.C. 20501
Dear Mr. Vice President:
A secure, private, and trusted Global Information Infrastructure (GII) is essential to promote economic growth and meet the
needs of the Information Age society. Competitive businesses need cryptography to protect proprietary information as it flows
across increasingly vulnerable global networks. Individuals require privacy protection in order to build the confidence necessary
to use the GII for personal and financial transactions. Promoting the development of the GII and meeting the needs of the
Information Age will require strong, flexible, widely-available cryptography. The undersigned groups recognize that the
Administration's recently articulated cryptography initiative was a serious attempt to meet some of these challenges, but the
proposed initiative is no substitute for a comprehensive national cryptography policy. To the extent that the current policy
becomes a substitute for a more comprehensive policy, the initiative actually risks hindering the development of a secure and
trusted GII.
A number of the undersigned organizations have already written to express concern about the latest Administration cryptography
initiative. As some of us have noted, the Administration's proposed export criteria will not allow users to choose the encryption
systems that best suit their security requirements. Government ceilings on key lengths will not provide an adequate level of
security for many applications, particularly as advances in computing render current cryptography systems less secure.
Competitive international users are steadily adopting stronger foreign encryption in their products and will be unlikely to
embrace U.S. restrictions. As they stand, current export restrictions place U.S. hardware manufacturers, software developers,
and computer users at a competitive disadvantage, seriously hinder international interoperability, and threaten the strategically
important U.S. communications and computer hardware and software industries. Moreover, the Administration policy does not
spell out any of the privacy safeguards essential to protect individual liberties and to build the necessary public trust in the GII.
The current policy directive also does not address the need for immediate liberalization of current export restrictions. Such
liberalization is vital to enable U.S. companies to export state-of-the-art software products during the potentially lengthy process
of developing and adopting a comprehensive national cryptography policy. Without relief, industry and individuals alike are
faced with an unworkable limit on the level of security available and remain hamstrung by restrictions that will not be viable in
the domestic and international marketplace.
Many members of the undersigned groups have been working actively with the Administration on a variety of particular
applications, products, and programs promoting information security. All of us are united, however, by the concern that the
current network and information services environment is not as secure as it should be, and that the current policy direction will
delay the secure, private, and trusted environment that is sought.
Despite the difficulties of balancing the competing interests involved, the undersigned companies, trade associations, and
privacy organizations are commencing a process of collective fact-finding and policy deliberation, aimed at building consensus
around a more comprehensive cryptography policy framework that meets the following criteria:
Robust security: access to levels of encryption sufficient to address domestic and international security threats,
especially as advances in computing power make currently deployed cryptography systems less secure.
International interoperability: the ability to securely interact worldwide.
Voluntary use: freedom for users to choose encryption solutions, developed in the marketplace, that meet their
particular needs.
Acceptance by the marketplace: commercial viability and ability to meet the expressed needs of cryptography
users.
Constitutional privacy protections: safeguards to ensure basic Fourth Amendment privacy protection and
regulation of searches, seizures, and interceptions.
Respect for the legitimate needs of law enforcement and national security, while recognizing the reality that
determined criminals will have access to virtually unbreakable encryption.
In six months, we plan to present our initial report to the Administration, the Congress, and the public in the hopes that it will
form the basis for a more comprehensive, long-term approach to cryptography on the GII. We look forward to working with
the Administration on this matter.
Sincerely,
American Electronics Association
America Online, Inc.
Apple Computer, Inc.
AT&T
Business Software Alliance
Center for Democracy & Technology
Center for National Security Studies
Commercial Internet eXchange Association
CompuServe, Inc.
Computer & Communications Industry Association
Computing Technology Industry Association
Crest Industries, Inc.
Dun & Bradstreet
Eastman Kodak Company
Electronic Frontier Foundation
Electronic Messaging Association
EliaShim Microcomputers, Inc.
Formation, Inc.
Institute for Electrical and Electronic Engineers - United States Activities
Information Industry Association
Information Technology Industry Council
Information Technology Association of America
Lotus Development Corporation
MCI
Microsoft Corporation
Novell, Inc.
OKIDATA Corporation
Oracle Corporation
Securities Industry Association
Software Industry Council
Software Publishers Association
Software Security, Inc.
Summa Four, Inc.
Sybase, Inc.
Tandem Computers, Inc.
Telecommunications Industry Association
ViON Corporation