STATEMENT OF SENATOR LEAHY ON INTRODUCTION OF ENCRYPTED COMMUNICATIONS PRIVACY ACT OF 1996 March 5, 1996 I am joined today by Senators Burns, Dole, Pressler and Murray in introducing a bill that is pro-business, pro-jobs and pro-privacy. The "Encrypted Communications Privacy Act of 1996" would enhance the global competitiveness of our high-tech industries, protect the high-paying good jobs in those industries and maximize the choices in encryption technology available for businesses and individuals to protect the privacy, confidentiality and security of their computer, telephone, and other wire and electronic communications. The guiding principle for this bill can be summed up in one sentence: Encryption is good for American business and good business for Americans. FBI Director Louis Freeh testified last week at a hearing on economic espionage and quoted Secretary of State Warren Christopher as saying that "our national security is inseparable from our economic security." I could not agree more. Yet, American businesses are suffering a double blow from our current encryption policies. First, American firms lose billions of dollars each year due to the theft of proprietary economic information, which could be better protected if strong encryption were more widely used. Second, government export restrictions tie the hands of American high-tech businesses by barring the export of strong encryption technology. The size of these combined losses makes encryption one of the critical issues facing American businesses today. Moreover, the increasing use of and dependency on networked computers by Americans to obtain critical medical services, to conduct research, to be entertained, to go shopping and to communicate with friends and business associates, raises special concerns about the privacy and confidentiality of their computer transmissions. I have long been concerned about these issues, and have worked over the past decade to create a legal structure to foster privacy and security for our wire and electronic communications. Encryption technology provides an effective way to ensure that only the people we choose can read our communications. A leading encryption expert, Matt Blaze, told me in a recent letter that our current regulations governing the use and export of encryption are having a "deleterious effect... on our country's ability to develop a reliable and trustworthy information infrastructure." It is time for Congress to take steps to put our national encryption policy on the right course. The Encrypted Communications Privacy Act would accomplish three goals: First, the bill encourages the use of encryption by legislatively confirming that Americans have the freedom to use and sell here in the United States any encryption technology that they feel is most appropriate to meet their privacy and security needs. The bill bars any government-mandated use of any particular encryption system, such as a key escrow encryption system. Second, for those Americans who choose to use a key escrow encryption method, the bill establishes privacy standards for key holders and stringent procedures for how law enforcement can obtain access to decoding keys and decryption assistance. These standards would subject key holders to criminal and civil liability if they released the keys or divulged the identity and information about the user of the encryption system, without legal authorization. Commenting on these provisions, Bruce Schneir, who has literally written the textbook on encryption, said in a recent letter to me that the bill "recognizes the special obligations of keyholders to be vigilant in safeguarding the information entrusted to them, without imposing hurtles on the use of cryptography." Finally, the bill loosens export restrictions on encryption products. Under the bill, it would be lawful for American companies to export high-tech products with encryption capabilities when comparable encryption capabilities are available from foreign suppliers, and generally available encryption software, including mass market products and encryption that is in the public domain. According to Mr. Schneir, the bill "removes the strangle-hold that has encumbered the development of mass-market security solutions" which are so vital to the development of our information infrastructure. Senator Murray took a leading role in the last Congress on reforming our export restrictions on encryption, and I commend her for continuing to give this important issue her committed attention again in this Congress. Current export restrictions allow the export of primarily weak encryption software programs. So weak, in fact, that a January 1996 report by an ad hoc group of world-renowned cryptographers and computer scientists estimated that it would take a pedestrian hacker a matter of hours to break and a foreign intelligence agency a matter of nanoseconds to break. No wonder that foreign buyers of encryption products are increasingly looking elsewhere for strong security. This hurts the competitiveness of our high-tech industry. A recent report by the Computer Systems Policy Project, which is a group of major American computer companies estimated that U.S. companies stand to lose between $30 and 60 BILLION in revenues and over 200,000 of high-tech jobs by the year 2000 because U.S. companies are handicapped in the global market by outdated export restrictions. Even the Commerce Department reported in January that U.S. export controls may have a "negative effect on U.S. competitiveness" and "may discourage" the use of strong encryption domestically since manufacturers want to make only one product for export and for use here. Although American companies account for almost 75 percent of the global market for prepackaged software, the rest of the world is competing strongly in the market for encryption software. Short-sighted government policy is holding back American business. Almost two years ago, I chaired a hearing of the Judiciary Subcommittee on Technology and the Law on the Administration's "Clipper Chip" key escrow encryption program. I heard testimony about 340 foreign encryption products that were available worldwide, 155 of them employing encryption in a strength that American firms were prohibited from exporting. In two short years, those numbers have increased. According to a survey of cryptographic products conducted by Trusted Information System, as of December 1995, 497 foreign products from 28 countries were available with encryption security. Almost 200 of these foreign products used strong encryption that American companies are barred from selling abroad. This study draws the obvious conclusion that "As a result, U.S. Government restrictions may be succeeding only in crippling a vital American industry's exporting ability." At the Clipper Chip hearing I chaired in 1994, I heard a number of reports about American companies losing business opportunities due to U.S. export restrictions. One data security company reported that despite its superior system, it had been unable to respond to requests from NATO and foreign telecommunications companies because it cannot export the encryption they demanded. This cost this single American company millions in foregone business. Another major computer company lost two sales in Western Europe in a single year totaling about $80 million because the file and data encryption in the integrated system they offered was not exportable. Our current export restrictions on encryption technology are fencing off the global marketplace and hurting the competitiveness of this part of our high-tech industries. While national and domestic security concerns must weigh heavily, we need to do a better job of balancing these concerns with American business' need for encryption and the economic opportunities for our high-tech industries that encryption technology provides. American businesses are not only suffering lost sales because of our current export restrictions, but are also suffering staggering losses due to economic espionage. FBI Director Freeh testified that the White House Office of Science and Technology Policy puts the amount of that loss at $100 billion per year. At a hearing last week on economic espionage, we heard from one witness who had to close down his software company, with a loss of 25 jobs, after China bribed an employee to steal the source code for the company's software. We have bills pending before Congress to enact new criminal laws to punish people who steal trade secrets or other proprietary information and who break into computers to steal sensitive information. But new criminal laws are not the whole answer. Criminal laws often only come into play too late, after the theft has occurred or the injury inflicted. We must encourage American firms to take preventive measures to protect their vital economic information. That is where encryption comes in. Just as we have security systems to lock up our offices and file drawers, we need strong encryption systems to protect the security and confidentiality of business information. The Computer Systems Policy Project estimates that, without strong encryption, financial losses by the year 2000 from breaches of computer security systems to be from $40 to $80 billion. Unfortunately, some of these losses are already occurring. One U.S. based manufacturer is quoted in the Project's report, saying: "We had a multi-year, multi-billion dollar contract stolen off our P.C. (while bidding in a foreign country). Had it been encrypted, [the foreign competitor] could not have used it in the bidding time frame." New technologies present enormous opportunities for Americans, but we must strive to safeguard our privacy if these technologies are to prosper in this information age. Otherwise, in the service of law enforcement and intelligence needs, we will dampen any enthusiasm Americans may have for taking advantage of the new technologies. I look forward to working with my colleagues on this important matter, and ask unanimous consent that my full statement, the bill, a summary of the bill and three letters of support from Matt Blaze, Bruce Schneir, and Business Software Alliance, be included in the Record. _________________________________________________________________ Return to CDT Cryptography Page Return to CDT Home Page