(SAFE) ACT - H.R. 850

MAY 18, 1999

Madam Chairwoman, thank you for the opportunity to testify about the Department of Justice's views on export controls on encryption, and particularly the proposed Security and Freedom through Encryption (SAFE) Act, introduced by Mr. Goodlatte as H.R. 850. As you are aware, export controls on encryption is a complex and difficult issue that we are attempting to address with our colleagues throughout the Administration. In my testimony, I will first outline the basic perspective and recent initiatives of the Department of Justice on encryption issues, and will then discuss some specific concerns with the SAFE Act.

The Department of Justice supports the spread of strong, recoverable encryption. Law enforcement's responsibilities and concerns include protecting privacy and commerce over our nation's communications networks. For example, we prosecute under existing laws those who violate the privacy of others by illegal eavesdropping, hacking or theft of confidential information. Over the last few years, the Department has continually pressed for the protection of confidential information and the privacy of citizens. Furthermore, we help protect commerce by enforcing the laws, including those that protect intellectual property rights, and that combat computer and communications fraud. (In particular, we help to protect the confidentiality of business data through enforcement of the recently enacted Economic Espionage Act.) Our support for robust encryption is a natural outgrowth of our commitment to protecting privacy for personal and commercial interests.

But the Department of Justice protects more than just privacy. We also protect public safety and national security against the threats posed by terrorists, organized crime, foreign intelligence agents, and others. Moreover, we have the responsibility for preventing, investigating, and prosecuting serious criminal and terrorist acts when they are directed against the United States. We are gravely concerned that the proliferation and use of non-recoverable encryption by criminal elements would seriously undermine these duties to protect the American people, even while we favor the spread of strong encryption products that permit timely and legal law enforcement access and decryption.

The most easily understood example is electronic surveillance. Court-authorized wiretaps have proven to be one of the most successful law enforcement tools in preventing and prosecuting serious crimes, including drug trafficking and terrorism. We have used legal wiretaps to bring down entire narcotics trafficking organizations, to rescue young children kidnaped and held hostage, and to assist in a variety of matters affecting our public safety and national security. In addition, as society becomes more dependent on computers, evidence of crimes is increasingly found in stored computer data, which can be searched and seized pursuant to court-authorized warrants. But if non-recoverable encryption proliferates, these critical law enforcement tools would be nullified. Thus, for example, even if the government satisfies the rigorous legal and procedural requirements for obtaining a wiretap order, the wiretap would be worthless if the intercepted communications of the targeted criminals amount to an unintelligible jumble of noises or symbols. Or we might legally seize the computer of a terrorist and be unable to read the data identifying his or her targets, plans and co-conspirators. The potential harm to public safety, law enforcement, and to the nation's domestic security could be devastating.

I want to emphasize that this concern is not theoretical, nor is it exaggerated. Although use of encryption is still not universal, we have already begun to encounter its harmful effects. For example, in an investigation of a multi-national child pornography ring, investigators discovered sophisticated encryption used to protect thousands of images of child pornography that were exchanged among members. Similarly, in several major hacker cases, the subjects have encrypted computer files, thereby concealing evidence of serious crimes. In one such case, the government was unable to determine the full scope of the hacker's activity because of the use of encryption. The lessons learned from these investigations are clear: criminals are beginning to learn that encryption is a powerftd tool for keeping their crimes from coming to light. Moreover, as encryption proliferates and becomes an ordinary component of mass market items, and as the strength of encryption products increases, the threat to public safety will increase proportionately.

Export controls on encryption products have been in place for years and exist primarily to protect national security and foreign policy interests. The nation's intelligence gathering efforts often provide valuable information to law enforcement agencies relating to criminal or terrorist acts, and we believe that this capability cannot be lost. Nonetheless, U.S. law enforcement has much greater concerns about the use of non-recoverable encryption products by criminal elements within the United States that prevent timely law enforcement decryption of lawfully-seized encrypted data and communications relating to criminal or terrorist activity.

The Department of Justice, and the law enforcement community as a whole, supports the use of encryption technology to protect data and communications from unlawful and unauthorized access, disclosure, and alteration. Additionally, encryption helps to prevent crime by protecting a range of valuable information over increasingly widespread and interconnected computer and information networks. At the same time, we believe that the widespread use of unbreakable encryption by criminal elements presents a tremendous potential threat to both public safety and national security. Accordingly, the law enforcement community supports the development and widespread use of strong, recoverable encryption products and services.

The Department believes that encouraging the use of recoverable encryption products is an important part of protecting business and personal data as well as protecting public safety. In addition, this approach continues to find support among businesses and individuals that foresee a need to recover information that has been encrypted. For example, a company might find that one of its employees lost his encryption key, thus accidentally depriving the business of important and time-sensitive business data. Similarly, a business may find that a disgruntled employee has encrypted confidential information and then absconded with the key. In these cases, a plaintext recovery system promotes important private sector interests. Indeed, as the Government implements encryption in our own information technology systems, it also has a business need for plaintext recovery to assure that data and information that we are statutorily required to maintain are in fact available at all times. For these reasons, as well as to protect public safety, the Department has been affirmatively encouraging the voluntary development of data recovery products, recognizing that only their ubiquitous use will provide both protection for data and protection of public safety.

Because we remain concerned with the impact of encryption on the ability of law enforcement at all levels of government to protect the public safety, the Department and the FBI are engaged in continuing discussions with industry in a number of different fora. These ongoing, productive discussions seek to find creative solutions, in addition to key recovery, to the dual needs for strong encryption to protect privacy and plaintext recovery to protect public safety and business interests. While we still have work to do, these dialogues have been useful because we have discovered areas of agreement and consensus, and have found promising areas for seeking compromise solutions to these difficult issues. While we do not think that there is one magic technology or solution to all the needs of industry, consumers, and law enforcement, we believe that by working with those in industry who create and market encryption products, we can benefit from the accumulated expertise of industry to gain a better understanding of technology trends and develop advanced tools that balance privacy and security.

We believe that a constructive dialogue on these issues is the best way to make progress, rather than seeking export control legislation. Largely as a result of the dialogue the Administration has had with industry, significant progress was made on export controls. Recent updates were announced by Vice President Gore on September 16, 1998, and implemented in an interim rule, which was issued on December 31, 1998. The Department of Justice supports these updates to export controls, which liberalized controls on products that have a bit length of 56-bits or less and permit the export of unlimited-strength encryption to certain industry sectors, including medical facilities and banks, financial institutions, and insurance companies in most jurisdictions. These changes allow these sectors, which possess large amounts of highly personal information, to use products that will protect the privacy of their clients. We also expanded our policy to permit recoverable exports, such as systems managed by network administrators, to foreign commercial firms. We learned about these systems through our dialogue with industry, and they are largely consistent with the needs of law enforcement. In addition, the Department, in conjunction with the rest of the Administration, intends to continue our dialogue with industry, and will evaluate the export control process on an ongoing basis in order to ensure that the balance of interests remains fair to all concerned.

At the same time, the Department of Justice is also trying to address the threat to public safety from the widespread use of encryption by enhancing the ability of the Federal Bureau of Investigation and other law enforcement entities to obtain the plaintext of encrypted communications. Among the initiatives is the funding of a centralized technical resource within the FBI. This resource, when fully established, will support federal, state, and local law enforcement in developing a broad range of expertise, technologies, tools, and techniques to respond directly to the threat to public safety posed by the widespread use of encryption by criminals and terrorists. It will also allow law enforcement to stay abreast of rapid changes in technology. Finally, it will enhance the ability of law enforcement to fully execute the wiretap orders, search warrants, and other lawful process issued by courts to obtain evidence in criminal investigations when encryption is encountered.

The proposed Security and Freedom through Encryption Act raises several concerns from the perspective of the Department of Justice. First, we share the deep concern of the National Security Agency that the proposed SAFE Act would harm national security and public safety interests through the liberalization of export controls far beyond our current policy, and contrary to our international export control obligations. We are similarly concerned that a decontrol of unbreakable encryption will cause the further spread of encryption products to terrorist organizations and international criminals and frustrate the ability of law enforcement to combat these problems internationally.

The second problem is that the Act may impede the development of products that could assist law enforcement to access plaintext even when also demanded by the marketplace. The Administration believes that the development of such products is important for a safe society. Unfortunately, to the extent that this provision would actually prohibit government from encouraging development of key management infrastructures and other similar technologies, the provision could preclude U.S. government agencies from complying with statutory requirements and would put public safety and national security at risk. For example, it might preclude the United States government from utilizing useful and appropriate incentives to use key recovery techniques. The government might not be able to require its own contractors to use key recovery or demand its use in the legally required storage of records regarding such matters as sales of controlled substances or firearms.

It is also important to consider that our allies concur that unrestricted export of encryption poses significant risk to national security, especially to regions of concern. As recently as December 1998, the thirty-three members of the Wassenaar Arrangement reaffirmed the importance of export controls on encryption for national security and public safety purposes and adopted agreements to enable governments to review exports of hardware and software with a 56-bit key length and above and mass-market products above 64 bits, consistent with national export control procedures. Thus, the elimination of U.S. export controls, as provided by the proposed Act, would severely hamper the international community's efforts to combat such international public safety concerns as terrorism, narcotics trafficking, and organized crime.

In light of these factors, we believe that the Administration's more cautious balanced approach is the best way to protect our national interests, including a strong U.S. industry and promoting electronic commerce, while simultaneously protecting law enforcement and national security interests. We believe that legislation that eliminates all export controls on encryption could upset that delicate balance and is contrary to our national interests.

The recent decision of the United States Court of Appeals for the Ninth Circuit in Daniel Bernstein v. United States Department of Justice and United States Department of Commerce has not changed our view that legislation eliminating export controls is contrary to our national interests. The Department of Commerce and the Department of Justice are currently reviewing the Ninth Circuit's decision in Daniel Bernstein v. United States Department of Justice and United States Department of Commerce, and we are considering possible avenues for further review, including seeking a rehearing of the appeal en banc in the Ninth Circuit. In the interim, the regulations controlling the export of encryption products remain in full effect.

We as government leaders should embark upon the course of action that best preserves the balance long ago set by the Framers of the Constitution, preserving both individual privacy and society's interest in effective law enforcement. We should promote encryption products which contain robust cryptography but that also provide for timely and legal law enforcement plaintext access to encrypted evidence of criminal activity. We should also find ways to support secure electronic commerce while minimizing risk to national security and public safety. This is the Administration's approach. We look forward to working with this Subcommittee as it enters the markup phase of this bill.