STATEMENT OF SENATOR LEAHY ON INTRODUCTION OF
ENCRYPTED COMMUNICATIONS PRIVACY ACT OF 1996
March 5, 1996
I am joined today by Senators Burns, Dole, Pressler and Murray in
introducing a bill that is pro-business, pro-jobs and pro-privacy.
The "Encrypted Communications Privacy Act of 1996" would enhance
the global competitiveness of our high-tech industries, protect the
high-paying good jobs in those industries and maximize the choices in
encryption technology available for businesses and individuals to
protect the privacy, confidentiality and security of their computer,
telephone, and other wire and electronic communications.
The guiding principle for this bill can be summed up in one
sentence: Encryption is good for American business and good business
for Americans.
FBI Director Louis Freeh testified last week at a hearing on
economic espionage and quoted Secretary of State Warren Christopher as
saying that "our national security is inseparable from our economic
security." I could not agree more. Yet, American businesses are
suffering a double blow from our current encryption policies. First,
American firms lose billions of dollars each year due to the theft of
proprietary economic information, which could be better protected if
strong encryption were more widely used. Second, government export
restrictions tie the hands of American high-tech businesses by barring
the export of strong encryption technology. The size of these
combined losses makes encryption one of the critical issues facing
American businesses today.
Moreover, the increasing use of and dependency on networked
computers by Americans to obtain critical medical services, to conduct
research, to be entertained, to go shopping and to communicate with
friends and business associates, raises special concerns about the
privacy and confidentiality of their computer transmissions. I have
long been concerned about these issues, and have worked over the past
decade to create a legal structure to foster privacy and security for
our wire and electronic communications. Encryption technology provides
an effective way to ensure that only the people we choose can read our
communications.
A leading encryption expert, Matt Blaze, told me in a recent letter
that our current regulations governing the use and export of
encryption are having a "deleterious effect... on our country's
ability to develop a reliable and trustworthy information
infrastructure." It is time for Congress to take steps to put our
national encryption policy on the right course.
The Encrypted Communications Privacy Act would accomplish three
goals:
First, the bill encourages the use of encryption by legislatively
confirming that Americans have the freedom to use and sell here in the
United States any encryption technology that they feel is most
appropriate to meet their privacy and security needs. The bill bars
any government-mandated use of any particular encryption system, such
as a key escrow encryption system.
Second, for those Americans who choose to use a key escrow
encryption method, the bill establishes privacy standards for key
holders and stringent procedures for how law enforcement can obtain
access to decoding keys and decryption assistance. These standards
would subject key holders to criminal and civil liability if they
released the keys or divulged the identity and information about the
user of the encryption system, without legal authorization.
Commenting on these provisions, Bruce Schneir, who has literally
written the textbook on encryption, said in a recent letter to me that
the bill "recognizes the special obligations of keyholders to be
vigilant in safeguarding the information entrusted to them, without
imposing hurtles on the use of cryptography."
Finally, the bill loosens export restrictions on encryption
products. Under the bill, it would be lawful for American companies to
export high-tech products with encryption capabilities when comparable
encryption capabilities are available from foreign suppliers, and
generally available encryption software, including mass market
products and encryption that is in the public domain. According to Mr.
Schneir, the bill "removes the strangle-hold that has encumbered the
development of mass-market security solutions" which are so vital to
the development of our information infrastructure.
Senator Murray took a leading role in the last Congress on
reforming our export restrictions on encryption, and I commend her for
continuing to give this important issue her committed attention again
in this Congress.
Current export restrictions allow the export of primarily weak
encryption software programs. So weak, in fact, that a January 1996
report by an ad hoc group of world-renowned cryptographers and
computer scientists estimated that it would take a pedestrian hacker a
matter of hours to break and a foreign intelligence agency a matter of
nanoseconds to break. No wonder that foreign buyers of encryption
products are increasingly looking elsewhere for strong security. This
hurts the competitiveness of our high-tech industry.
A recent report by the Computer Systems Policy Project, which is a
group of major American computer companies estimated that U.S.
companies stand to lose between $30 and 60 BILLION in revenues and
over 200,000 of high-tech jobs by the year 2000 because U.S. companies
are handicapped in the global market by outdated export restrictions.
Even the Commerce Department reported in January that U.S. export
controls may have a "negative effect on U.S. competitiveness" and "may
discourage" the use of strong encryption domestically since
manufacturers want to make only one product for export and for use
here.
Although American companies account for almost 75 percent of the
global market for prepackaged software, the rest of the world is
competing strongly in the market for encryption software.
Short-sighted government policy is holding back American business.
Almost two years ago, I chaired a hearing of the Judiciary
Subcommittee on Technology and the Law on the Administration's
"Clipper Chip" key escrow encryption program. I heard testimony about
340 foreign encryption products that were available worldwide, 155 of
them employing encryption in a strength that American firms were
prohibited from exporting.
In two short years, those numbers have increased. According to a
survey of cryptographic products conducted by Trusted Information
System, as of December 1995, 497 foreign products from 28 countries
were available with encryption security. Almost 200 of these foreign
products used strong encryption that American companies are barred
from selling abroad. This study draws the obvious conclusion that "As
a result, U.S. Government restrictions may be succeeding only in
crippling a vital American industry's exporting ability."
At the Clipper Chip hearing I chaired in 1994, I heard a number of
reports about American companies losing business opportunities due to
U.S. export restrictions. One data security company reported that
despite its superior system, it had been unable to respond to requests
from NATO and foreign telecommunications companies because it cannot
export the encryption they demanded. This cost this single American
company millions in foregone business. Another major computer company
lost two sales in Western Europe in a single year totaling about $80
million because the file and data encryption in the integrated system
they offered was not exportable.
Our current export restrictions on encryption technology are
fencing off the global marketplace and hurting the competitiveness of
this part of our high-tech industries. While national and domestic
security concerns must weigh heavily, we need to do a better job of
balancing these concerns with American business' need for encryption
and the economic opportunities for our high-tech industries that
encryption technology provides.
American businesses are not only suffering lost sales because of
our current export restrictions, but are also suffering staggering
losses due to economic espionage. FBI Director Freeh testified that
the White House Office of Science and Technology Policy puts the
amount of that loss at $100 billion per year. At a hearing last week
on economic espionage, we heard from one witness who had to close down
his software company, with a loss of 25 jobs, after China bribed an
employee to steal the source code for the company's software.
We have bills pending before Congress to enact new criminal laws to
punish people who steal trade secrets or other proprietary information
and who break into computers to steal sensitive information. But new
criminal laws are not the whole answer. Criminal laws often only come
into play too late, after the theft has occurred or the injury
inflicted.
We must encourage American firms to take preventive measures to
protect their vital economic information. That is where encryption
comes in. Just as we have security systems to lock up our offices and
file drawers, we need strong encryption systems to protect the
security and confidentiality of business information.
The Computer Systems Policy Project estimates that, without strong
encryption, financial losses by the year 2000 from breaches of
computer security systems to be from $40 to $80 billion.
Unfortunately, some of these losses are already occurring. One U.S.
based manufacturer is quoted in the Project's report, saying:
"We had a multi-year, multi-billion dollar contract stolen off our
P.C. (while bidding in a foreign country). Had it been encrypted, [the
foreign competitor] could not have used it in the bidding time frame."
New technologies present enormous opportunities for Americans, but
we must strive to safeguard our privacy if these technologies are to
prosper in this information age. Otherwise, in the service of law
enforcement and intelligence needs, we will dampen any enthusiasm
Americans may have for taking advantage of the new technologies.
I look forward to working with my colleagues on this important
matter, and ask unanimous consent that my full statement, the bill, a
summary of the bill and three letters of support from Matt Blaze,
Bruce Schneir, and Business Software Alliance, be included in the
Record.
Return to the CDT Cryptography Page
Return to the CDT Home Page