Encryption experts cheer introduction of SAFE Act

Monday, March 8, 1999

American technology experts are praising new legislation that would bolster their right to scramble electronic messages through strong encryption and are warning lawmakers that delayed action on the bill will leave the market wide open to foreign cryptographers.

Reps. Bob Goodlatte, R-Va., and Zoe Lofgren, D-Calif., recently reintroduced the Security and Freedom through Encryption — or SAFE — Act that would make it lawful to use and sell strong encryption here and abroad. The bill would prohibit the government from requiring software manufacturers to include a “key” in the encryption to enable law enforcement to crack the code.

“Among other things, this bill would reaffirm the right of all Americans to use whatever encryption they choose to protect themselves, their digital property, and their electronic communications,” said David McCurdy, president of the Electronic Industries Alliance and a former House member. “Furthermore, it would prevent the government from requiring businesses to use only certain types of encryption in their global operations.”

The introduction of H.R. 850 marks the third time congressional members have tried to ease limits on encryption developed stateside. Last year, similar legislation lingered in committees in both the House and Senate and never came up for a vote.

Supporters of the SAFE Act claim that current policy forces U.S. software companies to join with foreign competitors to compete in the software market. Without action now, they argue, America’s controlling interest in encryption will be lost to other countries.

Encryption programs permit computers to scramble data so they can’t be read without a numerical access key. Current federal law prohibits posting all-but-unbreakable encryption on the Internet or sending it abroad on a disk without a license, saying that to do so violates export codes.

Currently, computer users in the United States can use “strong encryption,” even when it has no built-in key to allow police to unscramble the code. But because export laws limit the strength of codes that can be sent abroad, software manufactures usually produce only the strongest that’s legally exportable.

For years, the computer industry and law enforcement have been at odds over how much control the government should have over encryption software. Encryption experts contend legal limitations violate free speech, creating a prior restraint that prevents computer programmers and others from exchanging programs or encryption over the Internet. Government access to the encryption codes, they argue, infringes on privacy rights as well.

But government officials contend that encryption controls prevent illegal use of the software technology. Some say widespread use of encryption would hinder effective law enforcement.

Sponsors of the SAFE Act say their bill is designed to guarantee computer users the right to use any encryption and to forbid government-mandated “key recovery” systems. The bill, if passed, would lessen strength restrictions on exported encryption.

Lofgren says that if the government doesn’t revise its encryption policy now, the cost to the U.S. economy could run as high as $60 billion a year and 200,000 jobs by 2000.

Last fall, the Clinton administration relaxed some restrictions on encryption. The move allowed U.S. companies to sell abroad high-tech tools that use the 56-bit Data Encryption Standard, which has an unlocking key with 72 quadrillion possible combinations.

But even with the 56-bit limit, developers of cryptography stateside say the United States remains woefully behind those who are developing encryption technology elsewhere. They note that a team assembled by the Electronic Frontier Foundation recently cracked the national standard in fewer than 23 hours.

Also, Thomas Parenty, director of Data and Communications Security Sybase, says that 128-bit encryption is already the worldwide standard. He told members of the House Subcommittee on Courts and Intellectual Property on March 3 that U.S. companies are losing sales to foreign suppliers who aren’t restricted to 56-bit encryption.

“Unfortunately, not only are American companies losing a sale of an encryption item, but they are also losing the sale of the program or hardware such as an Internet server or an application browser that uses the encryption capability,” Parenty testified. “In fact, companies risk losing sales of entire systems because of their inability to provide necessary security features.”

Parenty says he supports the SAFE Act partly because it ensures that Americans can exercise their First Amendment rights to develop, use and sell any kind of encryption they want.

But Dorothy E. Denning of Georgetown University’s Computer Science Department testified in the same subcommittee hearing that government should ease encryption restrictions slowly to allow law enforcement to keep a handle on crime.

Denning says other technologies, such as digital signatures, are sufficient to ensure privacy.

“If these controls are lifted entirely, law enforcement and national defense are at greater risk,” Denning said. “Even though export controls do not prevent domestic or foreign adversaries from getting access to strong encryption, they have influenced major product lines. Many criminals and terrorists use these products rather than going to the trouble of installing add-ons.”