PROTECT S. 798
PROTECT raises the current 56-bit ceiling on key length to 64 bits, a
moderate increase in strength that falls far short of the 128-bit and
"Triple-DES" worldwide standards for good security. A message encrypted
with a 56-bit key was cracked this January by a group of researchers and
encryption enthusiasts in 22 hours. While 64-bit keys are significantly
stronger than these 56-bit products, experts have long argued that longer
key lengths are needed to ensure security from brute-force attacks over time.
Directs NIST to complete development of the Advanced Encryption Standard
(AES) and decontrols export of AES and equivalent products by 2002.
NIST is currently in the process of developing the Advanced Encryption
Standard (AES), a strong new global standard based on encryption of 128
bits and higher. In January 1999, NIST advised the U.S. government to
revise its current encryption standard, "DES," because "exhaustion of DES
(i.e. breaking a DES encryption ciphertext by trying all possible keys) has
become increasingly more feasible with technology advance."
The PROTECT Act gives NIST a deadline of Jan. 1, 2002 for development of
AES. After Jan. 1, 2002, the US "may no longer impose United States
encryption export controls on encryption products if the encryption
algorithm and key length employed were incorporated in the AES, or have
equivalent strength."
This significant provision would effectively sunset most encryption export
controls by allowing wide export of the strongest security products by
2002. In doing so, however, the bill would place a great deal of pressure
on the process of developing AES. Care will be needed to ensure that AES
remains a secure standard that can be trusted by encryption users.
Does not contain criminal provisions.
Several encryption export relief bills, including the SAFE Act, contain
provisions that penalize the use of encryption in the furtherance of a
crime. These provisions have long been a concern for privacy advocates
because, while narrowly drafted, they represent the first domestic
restrictions that threaten to chill the use of encryption. The PROTECT
Act does not contain any of these criminal provisions.
Allows export of strong encryption products to certain trusted end-users,
export of recoverable products, and export of "crypto-ready" products.
PROTECT allows immediate export through license exceptions of any
encryption products to "legitimate and responsible entities," on-line
merchants, and foreign governments that are U.S. allies. "Legitimate and
responsible" entities broadly include: firms with publicly traded shares;
U.S. corporate subsidiaries or affiliates; firms required by law to
maintain plaintext records; regularly audited organizations; and "online
merchants who use encryption to support electronic commerce." It appears
the bill would not necessarily allow export to non-profit groups like human
rights organizations, or to individual users of mass market encryption.
PROTECT would allow export of any encryption that provides plaintext access
capabilities, such as key recovery. The bill would also allow export of so-called
"crypto-with-a-hole" encryption-ready systems.
Allows export of generally available products over 64 bits.
The PROTECT Act gives the Secretary of Commerce authority to grant license
exemptions to products over 64 bits if they are "generally available" or if
a comparable product "is, or will be within the next 12 months" generally
available from a foreign supplier. The bill creates an Encryption Export
Advisory Board to make recommendations to the Secretary of Commerce
regarding the availability of encryption products. While the Secretary's
decision is subject to judicial review, the President may override the
Board's determinations for purposes of national security without review.
Prohibits domestic controls and mandatory plaintext access.
The PROTECT Act contains a sweeping provision that prohibits any federal or
state agency from requiring, setting standards, or providing incentives
requiring key recovery "or any other plaintext access capability."
The bill also affirmatively allows the domestic use and sale of encryption
of any strength. While this provision does not change current law, PROTECT
makes a useful statement of principle by Congress that the Administration's
export controls should not restrict the domestic use of encryption.
June 22, 1999 CDT writes letter to Chairman McCain urging the Commerce Committee to support more immediate encryption export relief.
June 10, 1999 Senate Commerce Committee holds hearing on PROTECT.
Opening Statement Senator Max Cleland
Panel I
Mr. William Reinsch, Under Secretary of Commerce, Bureau of Export Administration, Department of Commerce
Honorable James Robinson, Assistant Attorney General, Criminal Division, Department of Justice
Ms. Barbara A. McNamara, Deputy Director, National Security Agency
Panel II
Mr. Jim Bidzos, Vice Chairman of the Board, Security Dynamics
Mr. David Aucsmith, Chief Security Architect, Intel Corporation
Professor Lance Hoffman, School of Engineering and Applied Science, Cyberspace Policy Institute, George Washington University
April 14, 1999 PROTECT introduced in Commerce Committee.
McCain press release on bill's introduction
Burns press release on bill's introduction
The Center For Democracy & Technology 1634 Eye Street NW, Suite 1100 Washington, DC 20006 (v) 202.637.9800 (f) 202.637.0968 Contact CDT Copyright © 2005 by Center for Democracy and Technology.