Government officials warn that uncontrolled encryption breeds safety concerns

Wednesday, May 26, 1999

Government officials yesterday testified against a House bill that would ease federal encryption restrictions, saying that widespread use of strong encryption would severely hinder law enforcement efforts.

“The lessons learned from [criminal] investigations are clear: Criminals are beginning to learn that encryption is a powerful tool for keeping their crimes from coming to light,” said Ronald Lee, assistant deputy U.S. attorney general. “Moreover, as encryption proliferates and becomes an ordinary component of mass market items, and as the strength of encryption products increases, the threat to public safety will increase proportionately,”

But, with strong encryption technology in widespread use worldwide, encryption experts warned the House Subcommittee on Telecommunications, Trade and Consumer Protection that federal policy doesn’t reflect available technology. They claim that the policies also prevent domestic computer manufacturers from competing on a global scale.

The subcommittee heard testimony yesterday as members began consideration of House Bill 850, the proposed Security and Freedom through Encryption or SAFE Act. The bill, sponsored by Reps. Bob Goodlatte, R-Va., and Zoe Lofgren, D-Calif., would make it lawful to use and sell strong encryption in the United States and abroad. The bill would prohibit the government from requiring software manufacturers to include a “key” in the encryption to enable law enforcement to crack the code.

A similar but not identical bill — the Promote Reliable On-Line Transactions to Encourage Commerce and Trade or PROTECT Act — was introduced last month in the Senate. That bill would prohibit domestic controls on encryption, permit the export of stronger forms of encryption and set 128-bit encryption as the national standard. But the act would also prohibit the use of encryption to mask criminal conduct.

Technology experts have supported SAFE over PROTECT, claiming the House bill has fewer restrictions on encryption.

Besides new federal legislation, such experts say they were heartened by a federal appeals court decision earlier this month that said federal encryption policy unconstitutionally restricted the free-expression rights of an Illinois professor who wanted to post encryption on the Internet.

The 9th U.S. Circuit Court of Appeals in Bernstein v. U.S. Department of Justice said encryption codes, which make computer messages unreadable without a key, contain expressions of ideas and therefore cannot be suppressed indefinitely by government officials.

Encryption experts cheered the May 6 decision, citing it as evidence that they have a right to produce, use and distribute strong encryption to protect electronic commerce and private e-mail messages.

Despite the decision, Justice Department officials say encryption export controls remain necessary. Justice’s Lee said the department was considering an appeal but noted that current restrictions remain in place.

Lee told the subcommittee that federal officials support strong encryption which is recoverable; that is, encryption that can be broken down either with a key built into the program or one held in escrow.

“We are gravely concerned that the proliferation and use of non-recoverable encryption by criminal elements would seriously undermine these duties to protect the American people,” Lee testified.

William Reinsch, who directs export administration for the Commerce Department, said the government had relaxed numerous restrictions and had taken steps to allow financial institutions, medical institutions and banks to use unlimited-strength encryption.

Reinsch also noted that 32 countries, as part of an effort known as the Wassenaar Agreement, had signed on to numerous changes to encryption control. Most significantly, the agreement removes all controls over encryption at or below 56 bits, which has an unlocking key with 72 quadrillion possible combinations.

Encryption experts call the Wassenaar Agreement a “toothless tiger.”

Ed Gillespie, executive director of Americans for Computer Privacy, says the agreement is doomed to fail because it doesn’t include countries such as China, India, South Africa and Israel. Gillespie noted that current U.S. encryption policy lags behind restrictions set in the agreement.

Richard Hornstein, general counsel for Network Associates, testified that while administration officials had taken some steps to allow more encryption exports, “they still have not gone far enough.”

A national encryption policy, Hornstein said, must be based on technological and market realities. Noting that the worldwide standard is currently 128-bit encryption, he said many buyers have to pass on U.S.-made equipment because of weak encryption programs.

“When a foreign purchaser cannot obtain an American product they simply purchase it from a foreign supplier,” Hornstein told the subcommittee. “Unfortunately, not only are American companies losing a sale of an encryption product, they are also losing the sale of the program or hardware.”

The subcommittee didn’t schedule a vote on the SAFE Act, but Commerce Committee Chairman Tom Bliley, R-Va., promised action soon.

Bliley says he supports change because current policy is vague and unfairly restrictive.

“The administration’s policy of today is unworkable and an impediment to U.S. encryption producers and users,” he said in a statement. “We need the policy to change.”