Congressional Documents

                                  42 431                                 



                            105 th Congress                             



                             Rept.  105 108                             



                                                                            



                                                                             



                        HOUSE OF REPRESENTATIVES                        



                              1st Session                               



                                 Part 2                                 



                                                                        







                  SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT           







                                                                         



                  July  25, 1997.--Ordered to be printed                 



                                                                         



  Mr. Gilman , from the Committee on International Relations, submitted  

                             the following                               

                               R E P O R T                               



                              together with                              



                             DISSENTING VIEWS                            



                         [To accompany H.R. 695]                         





      The Committee on International Relations, to whom was referred the   

   bill (H.R. 695) to amend title 18, United States Code, to affirm the    

   rights of United States persons to use and sell encryption and to relax 

   export controls on encryption, having considered the same, report       

   favorably thereon with an amendment and recommend that the bill as      

   amended do pass.                                                        

   The amendment is as follows:                                            



     Strike out all after the enacting clause and insert in lieu thereof  

  the following:                                                          



          SECTION 1. SHORT TITLE.                                                 



     This Act may be cited as the ``Security and Freedom Through          

  Encryption (SAFE) Act''.                                                

          SEC. 2. SALE AND USE OF ENCRYPTION.                                     



     (a) In General.--Part I of title 18, United States Code, is amended  

  by inserting after chapter 121 the following new chapter:               

                  ``CHAPTER 122--ENCRYPTED WIRE AND ELECTRONIC INFORMATION        





      ``2801. Definitions.                                                    



      ``2802. Freedom to use encryption.                                      



      ``2803. Freedom to sell encryption.                                     



      ``2804. Prohibition on mandatory key escrow.                            



      ``2805. Unlawful use of encryption in furtherance of a criminal act.    





          ``2801. Definitions                                                     



   ``As used in this chapter--                                            



       ``(1) the terms `person', `State', `wire communication', `electronic

   communication', `investigative or law enforcement officer', `judge of   

   competent jurisdiction', and `electronic storage' have the meanings     

   given those terms in section 2510 of this title;                        

       ``(2) the terms `encrypt' and `encryption' refer to the scrambling  

   of wire or electronic information using mathematical formulas or        

   algorithms in order to preserve the confidentiality, integrity, or      

   authenticity of, and prevent unauthorized recipients from accessing or  

   altering, such information;                                             

       ``(3) the term `key' means the variable information used in a       

   mathematical formula, code, or algorithm, or any component thereof, used

   to decrypt wire or electronic information that has been encrypted; and  

    ``(4) the term `United States person' means--                          



    ``(A) any United States citizen;                                       



       ``(B) any other person organized under the laws of any State, the   

   District of Columbia, or any commonwealth, territory, or possession of  

   the United States; and                                                  

       ``(C) any person organized under the laws of any foreign country who

   is owned or controlled by individuals or persons described in           

   subparagraphs (A) and (B).                                              

          ``2802. Freedom to use encryption                                       



     ``Subject to section 2805, it shall be lawful for any person within  

  any State, and for any United States person in a foreign country, to use

  any encryption, regardless of the encryption algorithm selected,        

  encryption key length chosen, or implementation technique or medium     

  used.                                                                   

          ``2803. Freedom to sell encryption                                      



     ``Subject to section 2805, it shall be lawful for any person within  

  any State to sell in interstate commerce any encryption, regardless of  

  the encryption algorithm selected, encryption key length chosen, or     

  implementation technique or medium used.                                

          ``2804. Prohibition on mandatory key escrow                             



     ``(a) Prohibition.--No person in lawful possession of a key to       

  encrypted information may be required by Federal or State law to        

  relinquish to another person control of that key.                       
     ``(b) Exception for Access for Law Enforcement Purposes.--Subsection 

  (a) shall not affect the authority of any investigative or law          

  enforcement officer, acting under any law in effect on the effective    

  date of this chapter, to gain access to encrypted information.          

          ``2805. Unlawful use of encryption in furtherance of a criminal act     



     ``Any person who willfully uses encryption in furtherance of the     

  commission of a criminal offense for which the person may be prosecuted 

  in a court of competent jurisdiction--                                  

       ``(1) in the case of a first offense under this section, shall be   

   imprisoned for not more than 5 years, or fined in the amount set forth  

   in this title, or both; and                                             

       ``(2) in the case of a second or subsequent offense under this      

   section, shall be imprisoned for not more than 10 years, or fined in the

   amount set forth in this title, or both.''.                             

     (b) Conforming Amendment.--The table of chapters for part I of title 

  18, United States Code, is amended by inserting after the item relating 

  to chapter 33 the following new item:                                   





         ``122. Encrypted wire and electronic information                       



        2801''.                                                                





          SEC. 3. EXPORTS OF ENCRYPTION.                                          



     (a) Amendment to Export Administration Act of 1979.--Section 17 of   

  the Export Administration Act of 1979 (50 U.S.C. App. 2416) is amended  

  by adding at the end thereof the following new subsection:              

   ``(g)  Certain Consumer Products, Computers, and Related Equipment.--  



       ``(1) General rule.--Subject to paragraphs (2), (3), and (4), the   

   Secretary shall have exclusive authority to control exports of all      

   computer hardware, software, and technology for information security    

   (including encryption), except that                                     



                    which is specifically designed or modified for military use,  

          including command, control, and intelligence applications.              

       ``(2) Items not requiring licenses.--No validated license may be    

   required, except pursuant to the Trading With The Enemy Act or the      

   International Emergency Economic Powers Act (but only to the extent that

   the authority of such Act is not exercised to extend controls imposed   

   under this Act), for the export or reexport of--                        

       ``(A) any consumer product commercially available within the United 

   States or abroad which--                                                

       ``(i) includes encryption capabilities which are inaccessible to the

   end user; and                                                           

    ``(ii) is not designed for military or intelligence end use;           



       ``(B) any component or subassembly designed for use in a consumer   

   product described in subparagraph (A) which itself contains encryption  

   capabilities and is not capable of military or intelligence end use in  

   its condition as exported;                                              

    ``(C) any software, including software with encryption capabilities--  



       ``(i) that is generally available, as is, and is designed for       

   installation by the purchaser;                                          

       ``(ii) that is in the public domain for which copyright or other    

   protection is not available under title 17, United States Code, or that 

   is available to the public because it is generally accessible to the    

   interested public in any form; or                                       

       ``(iii) that is customized for an otherwise lawful use by a specific

   purchaser or group of purchasers;                                       

       ``(D) any computing device solely because it incorporates or employs

   in any form--                                                           

       ``(i) software (including software with encryption capabilities)    

   that is exempted from any requirement for a validated license under     

   subparagraph (C); or                                                    

       ``(ii) software that is no more technically complex in its          

   encryption capabilties than software that is exempted from any          

   requirement for a validated license under subparagraph (C) but is not   

   designed for installation by the purchaser;                             

       ``(E) any computer hardware that is generally available, solely     

   because it has encryption capabilities; or                              

       ``(F) any software or computing device solely on the basis that it  

   incorporates or employs in any form interface mechanisms for interaction

   with other hardware and software, including hardware, and software, with

   encryption capabilities.                                                

       ``(3) Software with encryption capabilities.--The Secretary shall   

   authorize the export or reexport of software with encryption            

   capabilities for nonmilitary end uses in any country to which exports of

   software of similar capability are permitted for use by financial       

   institutions not controlled in fact by United States persons, unless    

   there is substantial evidence that such software will be--              

       ``(A) diverted to a military end use or an end use supporting       

   international terrorism;                                                

    ``(B) modified for military or terrorist end use; or                   



       ``(C) reexported without any authorization by the United States that

   may be required under this Act.                                         

       ``(4) Hardware with encryption capabilities.--The Secretary shall   

   authorize the export or reexport of computer hardware with encryption   

   capabilities if the Secretary determines that a product offering        

   comparable security is commercially available outside the United States 

   from a foreign supplier, without effective restrictions.                

    ``(5)  Definitions.--As used in this subsection--                      



       ``(A) the term `encryption' means the scrambling of wire or         

   electronic information using mathematical formulas or algorithms in     

   order to preserve the confidentiality, integrity, or authenticity of,   

   and prevent unauthorized recipients from accessing or altering, such    

   information;                                                            

    ``(B) the term `generally available' means--                           



       ``(i) in the case of software (including software with encryption   

   capabilities), software that is offered for sale, license, or transfer  

   to any person without restriction, whether or not for consideration,    

   including, but not limited to, over-the-counter retail sales, mail order

   transactions, phone order transactions, electronic distribution, or sale

   on approval; and                                                        

       ``(ii) in the case of hardware with encryption capabilities,        

   hardware that is offered for sale, license, or transfer to any person   

   without restriction, whether or not for consideration, including, but   

   not limited to, over-the-counter retail sales, mail order transactions, 

   phone order transactions, electronic distribution, or sale on approval; 

       ``(C) the term `as is' means, in the case of software (including    

   software with encryption capabilities), a software program that is not  

   designed, developed, or tailored by the software publisher for specific 

   purchasers, except that such purchasers may supply certain installation 

   parameters needed by the software program to function properly with the 

   purchaser's system and may customize the software program by choosing   

   among options contained in the software program;                        

       ``(D) the term `is designed for installation by the purchaser'      

   means, in the case of software (including software with encryption      

   capabilities) that--                                                    

       ``(i) the software publisher intends for the purchaser (including   

   any licensee or transferee), who may not be the actual program user, to 

   install the software program on a computing device and has supplied the 

   necessary instructions to do so, except that the publisher may also     

   provide telephone help line services for software installation,         

   electronic transmission, or basic operations; and                       

       ``(ii) the software program is designed for installation by the     

   purchaser without further substantial support by the supplier;          

       ``(E) the term `computing device' means a device which incorporates 

   one or more microprocessor-based central processing units that can      

   accept, store, process, or provide output of data; and                  

       ``(F) the term `computer hardware', when used in conjunction with   

   information security, includes, but is not limited to, computer systems,

   equipment, application-specific assemblies, modules, and integrated     

   circuits.''.                                                            

     (b) Continuation of Export Administration Act.--For purposes of      

  carrying out the amendment made by subsection (a), the Export           

  Administration Act of 1979 shall be deemed to be in effect.             

          SEC. 4. SENSE OF CONGRESS REGARDING INTERNATIONAL COOPERATION.          



   (a)  Findings.--The Congress finds that--                              



       (1) implementing export restrictions on widely available technology 

   without the concurrence of all countries capable of producing,          

   transshipping, or otherwise transferring that technology is detrimental 

   to the competitiveness of the United States and should only be imposed  

   on technology and countries in order to protect the United States       

   against a compelling national security threat; and                      

       (2) the President has not been able to come to agreement with other 

   encryption producing countries on export controls on encryption and has 

   imposed excessively stringent export controls on this widely available  

   technology.                                                             

     (b) Sense of Congress.--It is the sense of the Congress that the     

  President should immediately take the necessary steps to call an        

  international conference for the purpose of coming to an agreement with 

  encryption producing countries on policies which will ensure that the   

  free use and trade of this technology does not hinder mutual security.  



                                   BACKGROUND AND PURPOSE                         



      H.R. 695, the Security and Freedom Through Encryption (SAFE) Act,    

   represents a strong bipartisan effort to bring U.S. laws on the export  

   of encryption technology into the present and future, by looking at the 

   actual technological developments taking place on the world stage. The  

   SAFE Act enjoys strong support in the House as reflected by the         

   overwhelming number of co-sponsors, including a majority of the Members 

   of the Committee on International Relations.                            

      While differences still remain and the debate continues between U.S. 

   economic and commercial priorities and individual civil liberties, on   

   the one hand, and the needs and concerns of law enforcement and national

   security agencies, the SAFE Act is generating the political will to     

   reform the existing regulatory process to meet today's realities.       

      Encryption has been defined as referring to the use of software or   

   hardware to scramble wire or electronic information using mathematical  

   formulas or algorithms in order to preserve the confidentiality,        

   integrity, or authenticity of, and prevent unauthorized recipients from 

   accessing or altering such information. While anyone can encrypt a      

   message, only an authorized person can convert a scrambled message back 

   into its original form.                                                 

      The basic idea of modern encryption, or cryptography, is that any    

   message can be represented as a set of numbers (the plaintext) used to  

   transform the plaintext into a different set of numbers (the            

   ciphertext). Simply stated, keys consist of a series of ones and zeros  

   (called ``bits'), and are described in terms of their ``length'', which 

   is corresponds to the number of possible combinations that can be used  

   to decode a particular message. A 40-bit key means that the number of   

   possible combinations of ones and zeros equals 2 to the 40th power. It  

   then follows that a 56-bit key is 2 to the 56th power, which means that 

   it is 2 to the 16th power stronger that a 40-bit key.                   

      Once the exclusive domain of the national security and intelligence  

   sectors, encryption now has an expanded application, impacting the      

   everyday lives of millions of Americans. Today, banking systems, stock  

   markets, air traffic control systems, credit bureaus, telephone         

   networks, weather satellites, social security system, television        

   networks, civilian and government payrolls, and the Internet are all    

   directly affected by a flow of data managed by countless computers and  

   telecommunication networks around the world. Computer technology now    

   serves as the nervous system of modern society.                         

      It is increasingly difficult to protect the privacy and              

   confidentiality of transactions at all levels, and increasingly         

   important to do so. The Justice Department has estimated that annual    

   losses related to computer security breaches could be as high as $7     

   billion. If this were adjusted to include the number of undocumented    

   cases by companies reluctant to report such intrusions, the figure could

   be even higher. The National Counterintelligence Center in their        

   ``Annual Report to Congress on Foreign Economic Collection and          

   Industrial Espionage'' concluded that such ``specialized technical      

   operations (including computer intrusions, telecommunications targeting 

   and intercept, and private sector encryption weaknesses) account for the

   largest portion of economic and industrial information lost by          

   corporations.''                                                         

      Therefore, stronger encryption tools are widely viewed as the key to 

   providing security and privacy for the information superhighway.        

      Current U.S. policy restricts the export of ``strong'' encryption    

   hardware or software products with keys greater than 40 bits            

   long--determined to be gravely inadequate by numerous experts. The      

   current Administration proposal, which would allow the export of 56-bit 

   encryption, is viewed as not meeting the needs of U.S. companies to     

   conduct business in a secure manner with their suppliers, their business

   partners, their customers, and even their affiliated companies outside  

   the United States.                                                      
      Supporting the need for higher encryption standards is the fact that,

   on the same day that the companion legislation--the McCain-Kerrey       

   bill--was introduced in the Senate calling for a 56-bit limit on        

   encryption exports, a group of independent programmers and researchers  

   cracked a 56-bit code using computers linked across the Internet. This  

   successful breaking of 56-bit encryption clearly demonstrates the       

   anachronistic nature of current U.S. law and reflects how out-of-touch  

   the Administration's policy is with the needs of the global marketplace.

      The Administration's proposal would only allow the export of 56-bit  

   encryption for those who promise to build in ``key recovery''. ``Key    

   recovery'' or ``key escrow'' essentially means that when stored data or 

   electronic communications are encrypted, a third party has a copy of the

   key needed to decrypt the information. As presented by proponents of    

   this policy, escrowed encryption is intended to provide for encryption  

   protection for legitimate uses but also enable law enforcement officials

   to gain access to the key when it is necessary to decode the plaintext  

   data as part of an investigation.                                       

      This has been interpreted as an attempt to use the export control    

   process to manipulate and control the market for and expansion of       

   encryption technology, by making it easy to export products with key    

   recovery and difficult for those products without. The logical basis for

   this policy is flawed as it is rooted in the wrongful assumption that   

   foreign competitors can be convinced to alter their policy to parallel  

   what U.S. policy is calling for. The current policy is not based on fact

   but on the optimistic view that the U.S. can influence other countries  

   not to export strong encryption without an escrow system.               

      Speculation does not make for good laws. Individually and as a unit, 

   many of our European allies have clearly illustrated their commitment to

   allow market forces and                                                 



                    individual needs to dictate the levels of encryption. In its  

          April 1997 proposal entitled, ``A European Initiative in Electronic     

          Commerce'', the European Union stated as key elements of the Initiative 

          to ensure a framework which ``boosts the trust and confidence of        

          businesses for investments and consumers to make use of electronic      

          commerce by dismantling remaining legal and regulatory barriers and     

          preventing the creation of new obstacles.'' It goes on to say that:     

          ``The use of strong encryption which ensures the confidentiality of both

          sensitive commercial and of personal data is one of the foundation      

          stones of electronic commerce . . . The Community (European Community)  

          shall work at the international level towards the removal of trade      

          barriers for encryption products.''                                     

      Even the more conservative recommendations made in March 1997 by the 

   Council of the Organization for Economic Cooperation and Development,   

   clearly state that: ``Users should have access to cryptography that     

   meets their needs, so that they can trust in the security of information

   and communications systems, and the confidentiality and integrity of    

   data on those systems.'' The Council further underscores that:          

   ``Government controls on cryptographic methods . . . should respect user

   choice to the greatest extent possible . . . and should not be          

   interpreted as implying that governments should initiate legislation    

   which limits user choice.'' Finally, they add: ``The development and    

   provision of cryptographic methods should be determined by the market in

   an open and competitive environment. Such an approach would best ensure 

   that solutions keep pace with changing technology, the demands of users 

   and evolving threats to communications systems security.''              

      While U.S. companies are kept at 40-bit encryption or at 56-bit with 

   the condition that they commit to develop key recovery, non-U.S.        

   exporters, particularly the countries of the European Union, are        

   producing packages that include encryption technology using 128 bits    

   leaving American companies far behind in the race to capture new        

   markets.                                                                

      Furthermore, American companies are placed at a competitive          

   disadvantage by being forced to create and deploy two separate systems  

   to meet two separate standards. Because of the nightmare this would     

   create, most U.S. businesses end up making their exportable products    

   subject to the same restrictions as their domestic products. By not     

   allowing U.S. industries to provide secure products in the face of      

   strong foreign competitors who are not restricted by outdated export    

   controls, current law is hurting U.S. businesses. No one will buy       

   encryption products for which the U.S. government can obtain a key. A   

   recent report by the CEOs of 13 large American technology companies     

   concluded that the U.S. computer industry could potentially lose up to  

   $30 60 billion annually by the year 2000 due to these export controls.  

      At a fundamental level, evaluating the value of key recovery systems 

   in and of themselves, eleven of the world's top cryptographers concluded

   that key recovery systems would create new vulnerabilities. A key       

   recovery system would create serious difficulties as it would require a 

   vast infrastructure of recovery agents and oversight entities to manage 

   access to the keys. In their May 1997 report entitled, ``The Risks of   

   Key Recovery, Key Escrow, and Trusted Third Party Encryption'', these   

   experts also determined that ``the field of cryptography has no         

   experience in deploying secure systems of this scope and complexity''   

   and that such systems could potentially cost many billions of dollars.  

      Key recovery systems do not even meet the national security needs on 

   which the policy is based on. The Software Publishers Association has   

   documented hundreds of foreign encryption products already widely       

   available abroad and which criminals, terrorists, and foreign           

   governments have access to. It is the upstanding, law-abiding citizen   

   who suffers.                                                            

      The fact is that strong encryption helps to further the goals of law 

   enforcement and national security, more than key recovery could ever    

   hope to. In its landmark report on encryption policy, the blue-ribbon   

   National Research Council concluded the following about the use of      

   strong encryption:                                                      



                     If cryptography can protect the trade secret and   

          proprietary information of business and thereby reduce        

          economic espionage (which it can), it also supports in a most 

          important manner the job of law enforcement. If cryptography  

          can help protect nationally critical information systems and  

          networks against unauthorized penetration (which it can), it  

          also supports the national security of the United States.     



      In summary, if U.S. laws are not changed soon, not as mandated by the

   Administration's policy or its companion legislation in the Senate, but 

   as H.R. 695 attempts to do, world standards for security technology will

   shift away from the U.S. as customers buy products from foreign         

   manufacturers. The U.S. government will not have a view into the        

   security technology that replaces U.S. technology as the world          

   standards. U.S. industries will lose control of information security    

   technologies which are vital to economic security. It will cost the U.S.

   economy billions of dollars and hundreds of thousands of jobs.          

      On July 7, 1997, German Economics Minister Guenter Rexrodt called for

   the removal of restrictions on encryption technology in his opening     

   remarks for a two-day conference on Internet commerce attended by 40    

   government ministers from the European union, the United States, Russia,

   Japan and Canada. ``Users can only protect themselves against having    

   data manipulated, destroyed or spied on through the use of strong       

   encryption procedures,'' Rexrodt said, ``that is why we have to use all 

   of our powers to promote such procedures instead of blocking them.''    

      Individual Americans and U.S. businesses should be afforded the same 

   protection and the same opportunities as other countries provide their  

   own people and industries.                                              



                    H.R. 695--the SAFE Act--does just that. It is aimed at        

          correcting the unfair and unsafe situation that currently exists under  

          current law as it: prohibits export controls on ``generally available'' 

          commercial encryption except for military end-users or to identified    

          individuals or organizations in specific foreign countries; does not    

          require reporting for companies after export; prohibits mandatory use of

          key recovery; denies liability protection and penalties for key holders;

          denies foreign government access to keys under specified conditions if  

          key holder is used voluntarily; prohibits U.S. government and law       

          enforcement access to keys by court order if key holder is used         

          voluntarily; codifies existing domestic use policy; gives the Secretary 

          of Commerce exclusive jurisdiction over export of commercial encryption 

          except for military end-uses or to identified individuals or            

          organizations in specific foreign countries.                            

      In essence, H.R. 695 prevents economic espionage while protecting    

   hundreds of thousands of American jobs by affording all Americans the   

   freedom to use any type of encryption anywhere in the world; by allowing

   any type of encryption to be sold in the United States; and creates a   

   level playing field by permitting the export of the generally available 

   software, hardware, and other encryption-related computer products.     

      The Committee hopes that other Members realize the need, value, and  

   importance of H.R. 695 as it works its way through the legislative      

   process. In the interest of the American people, of U.S. economic       

   leadership and growth, and of national security, the Committee hopes    

   that the House will pass the SAFE Act.                                  

                                      COMMITTEE ACTION                            



      H.R. 695 was introduced by Representative Goodlatte on February 12,  

   1997, and referred to the Committee on Judiciary and in addition to the 

   Committee on International Relations for a period subsequently to be    

   determined by the Speaker. It was reported to the House by the Committee

   on the Judiciary, amended, on May 22, 1997 (H. Rept. 105-108). On May   

   22, 1995, the referral to the Committee on International Relations was  

   extended through July 11, 1997, and on June 26, 1997, the referral to   

   the Committee on International Relations was extended for a period      

   ending not later than July 25, 1997.                                    

      On June 26, 1997, the bill was referred, in addition, to Committees  

   on Commerce, National Security, and the Permanent Select Committee on   

   Intelligence for a period ending not later than September 5, 1997, for  

   consideration of such provisions of the bill and the amendment reported 

   by the Committee on the Judiciary as fall within the jurisdiction of    

   those committees pursuant to clause 1(3) and (k), rule X and rule       

   XLVIII, respectively.                                                   

      On May 8, 1997, the Subcommittee on International Economic Policy and

   Trade held a hearing entitled: ``Encryption: Individual Right to Privacy

   vs. National Security.'' Witnesses for this hearing included: Hon.      

   William Reinsch, Under Secretary of Commerce, Bureau of Export          

   Administration; Hon. William Crowell, Deputy Director, National Security

   Agency; Hon. Robert Litt, Deputy Assistant Attorney General, Criminal   

   Division, U.S. Department of Justice; Mr. John Gage, Director, Science  

   Office, Sun Microsystems, Inc.; Mr. Humphrey Polanen, General Manager,  

   Network Security Products Group, Sun Microsystems, Inc.; Jerry Berman,  

   Executive Director, Center for Democracy and Technology; Tom Parenty,   

   Director of Security, Sybase Corporation; and Stephen T. Walker,        

   President and CEO, Chairman of the Board of Directors, Trusted          

   Information Systems.                                                    

      On May 29, 1997, the Full Committee held a Members briefing on H.R.  

   695, ``the Security and Freedom through Encryption (SAFE) Act.''        

   Speakers for the briefing included Hon. Louis Freeh, Director, Federal  

   Bureau of Investigation and Hon. William Crowell, Deputy Director,      

   National Security Agency.                                               

      On June 4, 1997, the Subcommittee on International Economic Policy   

   and Trade held a Members Briefing on the future of U.S.-European trade  

   relations. Speakers for the briefing included: Hon. David L. Aaron, U.S.

   Ambassador to the Organization for Economic Cooperation and Development 

   (OECD); H.E. Hugo Paemen, Head of the Delegation to the United States of

   the Commission of the European Union; and Dr. Dominique                 

   vanderMensbrugghe, Senior Economist, OECD Development Center.           

      On June 24, 1997, the Subcommittee on International Economic Policy  

   and Trade held a mark-up of H.R. 695, ``the Security and Freedom through

   Encryption (SAFE) Act''. Witnesses included: Congressman Bob Goodlatte. 

       Amendment.-- An en bloc amendment was offered by Ros-Lehtinen,      

   Gejdenson, Campbell and Sherman. The amendment removes the distinction  

   between mass market and customized software thus ensuring that          

   customized software is also subject to liberalized export controls. It  

   expands section 3 on exports of encryption by including consumer        

   products which do not necessarily fall under the umbrella of            

   ``computing'' products but which also require and use encryption. It    

   broadens the scope and definition of ``generally available'' to include 

   hardware with encryption capabilities. The amendment also adds a fourth 

   section to the bill in the form of a sense of Congress regarding        

   international cooperation. The amendment passed by voice vote.          

      A motion to report the bill, as amended, to the Full Committee passed

   by a roll call vote, as follows:                                        

      Voting yes: Ros-Lehtinen, Manzullo, Chabot, Campbell, Blunt, Brady,  

   Rohrabacher, Gejdenson, Danner, Hilliard, Sherman, Rothman, Clement,    

   Luther.                                                                 



   Voting no:  Bereuter.                                                   



   Passed: 14 1.                                                           



      On June 26, 1997, the Full Committee held a classified Members       

   briefing on the impact of H.R. 695, ``the Security and Freedom through  

   Encryption (SAFE) Act'' on national security and law enforcement        

   activities. Speakers for the briefing included: Hon. Louis Freeh,       

   Director, Federal Bureau of Investigation; Hon. William Crowell, Deputy 

   Director, National Security Agency; Hon. William Reinsch, Under         

   Secretary of Commerce, Bureau of Export Administration.                 

      On July 22, 1997, the Full Committee marked up the bill in open      

   session, pursuant to notice. The Committee first adopted the amendment  

   recommended by the Subcommittee on International Economic Policy by     

   unanimous consent, as original text for the purposes of amendment.      

   Representatives Goodlatte and Lofgren and representatives of the        

   Administration (The Hon. William Reinsch, Under Secretary of Commerce;  

   Mr. Jim Kallstrom, Federal Bureau of Investigation; Mr. James R. Taylor,

   National Security Agency; and Mr. Anthony Bocchichio of the Drug        

   Enforcement Agency) responded to questions from members during the      

   course of the markup.                                                   

      After further consideration, on that date, a quorum being present,   

   the Full Committee by voice vote ordered the bill reported to the House 

   with the recommendation that the bill, as amended, do pass.             

                       Rollcall votes on amendments                      



      In compliance with clause (2)(l)(2)(B) of rule XI of the Rules of the

   House of Representatives, the record of committee roll call votes on    

   final passage or amendments during the full committee's consideration of

   H.R. 695 is set out below, as is a report of the full committee's final 

   action on the bill.                                                     

                      Description of Amendment, Motion, Order, or Other Proposition

           (votes during markup of H.R. 695--July 22, 1997)                        

      Vote No. 1.--Gilman amendment provide that certain items could not be

   exported if in the opinion of the President they would endanger the     

   national security.                                                      

      Voting Yes: Gilman, Leach, Bereuter, Gallegly, Fox, Hamilton, Berman,

   Menendez, Brown, Danner, Rothman, Clement, and Davis.                   

      Voting No: Smith, Ros-Lehtinen, Ballenger, Rorhabacher, Manzullo,    

   Royce, King, Chabot, Sanford, Houghton, Campbell, Blunt, Moran, Brady,  

   Gejdenson, Ackerman, Hastings, Hilliard, Capps, Sherman, Wexler, and    

   Luther.                                                                 

   Ayes, 13. Noes, 22.                                                     



      Note: The bill was subsequently ordered reported favorably, amended, 

   by voice vote, a quorum being present, on July 22, 1997.                

                                SECTION-BY-SECTION ANALYSIS                       



                         Section 1.  Short Title                         



      This section states that this Act may be cited as the ``Security and 

   Freedom Through Encryption (SAFE) Act''.                                

                  Section 2.  Sale And Use Of Encryption                 



      This section states that, in general, Part I of Title 18, United     

   States Code, is amended by adding a new chapter after chapter 121.      

      This section also creates ``Chapter 122-Encrypted Wire And Electronic

   Information'' which includes sections; 2801. Definitions., 2802. Freedom

   To Use Encryption., 2803. Freedom to Sell Encryption., 2804. Prohibition

   On Mandatory Key Escrow., 2805. Unlawful Use Of Encryption in the       

   furtherance of a criminal act.                                          

      Section 2801 is titled ``Definitions'' and provides definitions for  

   ``person'' ``State'' ``wire communication'' ``electronic                

   communication'', ``investigative or law enforcement officer'', judge of 

   competent jurisdiction'', ``electronic storage'', ``encrypt'',          

   ``encryption'', ``key'', and ``United States person''. Many of these    

   definitions were taken explicitly from 18 U.S.C. 2810.                  

      New section 2802 states that it is legal for any person in the United

   States or any United States person in a foreign country, to use any form

   of encryption regardless of the algorithm, key length, or technique used

   in the encryption.                                                      

      New section 2803 states that it is legal for any person in the United

   States to sell in interstate commerce encryption products using any form

   of encryption regardless of the algorithm, key length, or technique     

   used. The Committee intends that Sections 2802 and 2803 be read as      

   limitations on government power. They should not be read as overriding  

   otherwise lawful employer policies concerning employee use of the       

   employers computer system, nor as limiting the employer's otherwise     

   lawful means for remedying violations of those policies.                



      New section 2804 specifically prohibits requiring any person in      

   lawful possession of an encryption key to turn that key over to another 

   person. This section prevents any form of mandatory key escrow system   

   with an exception for any law enforcement personnel or a member of the  

   intelligence community.                                                 

      New section 2805 make it a crime to use encryption unlawfully in     

   furtherance of some other crime. This new crime is punishable with a    

   sentence of 5 years for a first offence and 10 years. This section      

   requires that for a person to violate this section that person must be  

   found guilty of some other federal felony crime and was deliberately    

   using encryption to avoid detection of that other federal felony crime. 

      Subsection 2(b) of H.R. 695 provides for a conforming amendment to   

   the table of chapters in Title 18.                                      

                     Section 3.  Export of Encryption                    



      Subsection 3(a) of H.R. 695 amends the Export Administration Act by  

   creating a new subsection (g) entitled ``Computers and Related          

   Equipment,'' to 50 U.S.C. App. 2416.                                    

      New subsection (g)1 place all encryption products, except those      

   specifically designed or modified for military use, under the           

   jurisdiction of the Secretary of Commerce.                              

      New subsection (g)2 allows encryption software that is generally     

   available or in the public domain, like mass-market software products,  

   to be exported freely except pursuant to the Trading With The Enemy Act 

   or the International Emergency Economic Powers Act (but only to the to  

   the extent that the authority of such Act is not exercised to extend    

   controls imposed under this Act.). The Subcommittee on International    

   Economic Policy and Trade, on an amendment offered by Chair Ros-Lehtinen

   and Ranking Member Gejdenson, and others, amended Subsection (g)2 on a  

   voice vote in Subcommittee to include certain other consumer products,  

   or component or subassembly (provided those components are not capable  

   of military or intelligence end use in its condition as exported.),     

   which have encryption capabilities that are inaccessible to the end user

   and which are commercially available within the United States or abroad.

   These product as discussed by the Subcommittee are consumer products    

   such as small dish satellite receivers, digital video disk players,     

   smart cards, Web TV, etc. These products, which are commercially        

   available within the United States or abroad, were viewed by the        

   Subcommittee as being clearly and purely for consumer end-use and not   

   for military purposes. The Ros-Lehtinen amendment also amended (g)2 to  

   include customized software for an otherwise lawful purpose by a        

   specific purchaser or group of purchasers.                              

      New subsection (g)3 requires the Secretary of Commerce to allow other

   encryption software to be exported unless there is substantial evidence 

   that will be put to military or terrorist uses or that it will be       

   reexported without U.S. authorization.                                  

      New subsection (g)4 requires the Secretary to allow the export of    

   hardware with encryption capabilities when the Commerce Department finds

   that it is commercially available from foreign suppliers without        

   effective restrictions.                                                 

      New subsection (g)5 provides definitions for this subsection. The    

   subcommittee amendment offered by Chair Ros-Lehtinen, and others also   

   amended this subsection to include the same consumer products added to  

   subsection (g)2.                                                        

      As the Ros-Lehtinen amendment adopted in the Subcommittee on         

   International Economic Policy and Trade stated, the Committee would like

   to reiterate that, with the ever increasing use of computer technology  

   and computer information (hardware and software) in consumer product    

   lines for protection of privacy, information security, and intellectual 

   property interests, it intends this legislation to cover all            

   devices--whether traditional computing devices or convergent consumer   

   products that incorporate encryption. The applications covered by this  

   legislation include video, audio, and data communications systems and   

   telecommunication equipment. Hardware and software containing           

   encryption, such as encoders, decoders, and network terminals, which are

   essential to protect the video signal, are therefore included under     

   section 3(a) of this Act. As well as video, audio, data communications  

   systems containing encryption and decryption capability are used by     

   cable, satellite, and wireless delivery systems. This legislation is    

   also intended to include set-top devices and other terminals where the  

   encryption is not directly available to the user but is used for        

   purposes such as pay per view, and hardware such as network computers,  

   telephones or cable modems, satellite uplinks and downlinks.            

      Subsection 3(b) of H.R. 695 provides that for the purposes of        

   carrying out the amendment made by subsection 3(a), the Export          

   Administration Act shall be deemed to be in effect. This statement is   

   necessary because Congress failed to reauthorize the Export             

   Administration Act and it expired in 1994. The Administration maintains 

   the Export Administration Act policies by executive order. The Committee

   plans to reauthorize the Export Administration Act in this Congress.    

    Section 4.  Sense of Congress Regarding International Cooperation    



      This section asks on the President to call an international          

   conference for the purpose of                                           



                    achieving an agreement among the encryption producing         

          countries on policies which will ensure that the free use and trade of  

          this technology does not hinder mutual technology.                      

                                COMMITTEE OVERSIGHT FINDINGS                      



      In compliance with clause 2(l)(3)(A) of rule XI of the Rules of the  

   House of Representatives, the Committee reports the findings and        

   recommendations of the Committee, based on oversight activities under   

   clause 2(b)(1) of rule X of the Rules of the House of Representatives,  

   are incorporated in the descriptive portions of this report.            

                   COMMITTEE ON GOVERNMENT REFORM AND OVERSIGHT FINDINGS          



      No findings or recommendations of the Committee on Government Reform 

   and Oversight were received as referred to in clause 2(l)(3)(D) of rule 

   XI of the Rules of the House of Representatives.                        

                                ADVISORY COMMITTEE STATEMENT                      



      No advisory committees within the meaning of section 5(b) of the     

   Federal Advisory Committee Act were created by this legislation.        

                          APPLICABILITY TO THE LEGISLATIVE BRANCH                 



      The Committee finds that the legislation does not relate to the terms

   and conditions of employment or access to public services or            

   accommodations within the meaning of section 102(b)(3) of the           

   Congressional Accountability Act.                                       

                             CONSTITUTIONAL AUTHORITY STATEMENT                   



      In compliance with clause 2(l)(4) of rule XI of the Rules of the     

   House of Representatives, the Committee cites the following specific    

   powers granted to the Congress in the Constitution as authority for     

   enactment of H.R. 695 as reported by the Committee: Article I, section  

   8, clause 1 (relating to providing for the common defense and general   

   welfare of the United States); and Article I, section 8, clause 18      

   (relating to making all laws necessary and proper for carrying into     

   execution powers vested by the Constitution in the government of the    

   United States).                                                         

          NEW BUDGET AUTHORITY AND TAX EXPENDITURES, CONGRESSIONAL BUDGET OFFICE  

                                  COST ESTIMATE                                   

      The Committee expects to adopt a cost estimate of the Congressional  

   Budget Office as its submission of any new required information on new  

   budget authority, new spending authority, new credit authority, or an   

   increase or decrease in the national debt, which it expects to provide  

   in a supplemental report.                                               

                                 FEDERAL MANDATES STATEMENT                       



      The Committee adopts as its own the estimate of Federal mandates     

   prepared by the Director of the Congressional Budget Office pursuant to 

   section 423 of the Unfunded Mandates Reform Act.                        





       U.S. Congress,                                                          



       Congressional Budget Office,                                            



       Washington, DC, July 25, 1997.                                          







          Hon.  Benjamin Gilman,                Chairman, Committee on International Relations, 



       House of Representatives, Washington, DC.                               



       Dear Mr. Chairman: The Congressional Budget Office has prepared the 

   enclosed mandates statement for H.R. 695, the Security and Freedom      

   Through Encryption (SAFE) Act. CBO's analysis of the bill's federal     

   costs will be sent to you as soon as it is completed.                   

      If you wish further details on this estimate, we will be pleased to  

   provide them. The CBO staff contacts are Pepper Santalucia (for the     

   state and local impact) and Matt Eyles (for the private-sector impact). 

   Sincerely,                                                              



         Jane E. O'Neill,  Director.                                            



   Enclosure.                                                              



              CONGRESSIONAL BUDGET OFFICE MANDATES STATEMENT             



           H.R. 695--Security and Freedom Through Encryption (SAFE) Act            



      H.R. 695 would allow individuals in the United States to use and sell

   any form of encryption and would prohibit states or the federal         

   government from requiring individuals to relinquish the key to          

   encryption technologies to any third party. The bill also would prevent 

   the Bureau of Export Administration in the Department of Commerce from  

   restricting the export of most nonmilitary encryption products. Finally,

   H.R. 695 would establish criminal penalties and fines for the willful   

   use of encryption technologies in committing criminal offenses.         

      The bill would prohibit states from requiring persons to make        

   encryption keys available to another person or entity. This prohibition 

   would be an intergovernmental mandate as defined in the Unfunded        

   Mandates Reform Act of 1995 (UMRA). However, states would bear no costs 

   as a result of this mandate because none currently require the          

   registration or availability of such keys. H.R. 695 contains no         

   private-sector mandates as defined in UMRA.                             



                   CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED          



     In compliance with clause 3 of rule XIII of the Rules of the House of

  Representatives, changes in existing law made by the bill, as reported, 

  are shown as follows (new matter is printed in italic and existing law  

  in which no change is proposed is shown in roman):                      

                                TITLE 18, UNITED STATES CODE                      



         * * * * * * *                                                           



          PART I--CRIMES                                                          





 Chap.                                                                   



 Sec.                                                                    



         1.   General provisions                                                



        1                                                                      



         * * * * * * *                                                           





         122. Encrypted wire and electronic information                         



        2801                                                                   





         * * * * * * *                                                           



                   CHAPTER 122--ENCRYPTED WIRE AND ELECTRONIC INFORMATION         





      2801. Definitions.                                                      



      2802. Freedom to use encryption.                                        



      2803. Freedom to sell encryption.                                       



      2804. Prohibition on mandatory key escrow.                              



      2805. Unlawful use of encryption in furtherance of a criminal act.      





          2801. Definitions                                                       



   As used in this chapter--                                              



       (1) the terms ``person'', ``State'', ``wire communication'',        

   ``electronic communication'', ``investigative or law enforcement        

   officer'', ``judge of competent jurisdiction'', and ``electronic        

   storage'' have the meanings given those terms in section 2510 of this   

   title;                                                                  

       (2) the terms ``encrypt'' and ``encryption'' refer to the scrambling

   of wire or electronic information using mathematical formulas or        

   algorithms in order to preserve the confidentiality, integrity, or      

   authenticity of, and prevent unauthorized recipients from accessing or  

   altering, such information;                                             

       (3) the term ``key'' means the variable information used in a       

   mathematical formula, code, or algorithm, or any component thereof, used

   to decrypt wire or electronic information that has been encrypted; and  

    (4) the term ``United States person'' means--                          



    (A) any United States citizen;                                         



       (B) any other person organized under the laws of any State, the     

   District of Columbia, or any commonwealth, territory, or possession of  

   the United States; and                                                  

       (C) any person organized under the laws of any foreign country who  

   is owned or controlled by individuals or persons described in           

   subparagraphs (A) and (B).                                              

          2802. Freedom to use encryption                                         



     Subject to section 2805, it shall be lawful for any person within any

  State, and for any United States person in a foreign country, to use any

  encryption, regardless of the encryption algorithm selected, encryption 

  key length chosen, or implementation technique or medium used.          

          2803. Freedom to sell encryption                                        



     Subject to section 2805, it shall be lawful for any person within any

  State to sell in interstate commerce any encryption, regardless of the  

  encryption algorithm selected, encryption key length chosen, or         

  implementation technique or medium used.                                

          2804. Prohibition on mandatory key escrow                               



     (a) Prohibition.--No person in lawful possession of a key to         

  encrypted information may be required by Federal or State law to        

  relinquish to another person control of that key.                       

     (b) Exception for Access for Law Enforcement Purposes.--Subsection   

  (a) shall not affect the authority of any investigative or law          

  enforcement officer, acting under any law in effect on the effective    

  date of this chapter, to gain access to encrypted information.          

          2805. Unlawful use of encryption in furtherance of a criminal act       



     Any person who willfully uses encryption in furtherance of the       

  commission of a criminal offense for which the person may be prosecuted 

  in a court of competent jurisdiction--                                  

       (1) in the case of a first offense under this section, shall be     

   imprisoned for not more than 5 years, or fined in the amount set forth  

   in this title, or both; and                                             

       (2) in the case of a second or subsequent offense under this        

   section, shall be imprisoned for not more than 10 years, or fined in the

   amount set forth in this title, or both.                                

         * * * * * * *                                                           





                                                                                 



                     SECTION 17 OF THE EXPORT ADMINISTRATION ACT OF 1979          



    Sec.  17. (a) * * *                                                   



         * * * * * * *                                                           





   (g)  Certain Consumer Products, Computers, and Related Equipment.--    



       (1) General rule.--Subject to paragraphs (2), (3), and (4), the     

   Secretary shall have exclusive authority to control exports of all      

   computer hardware, software, and technology for information security    

   (including encryption), except that which is specifically designed or   

   modified for military use, including command, control, and intelligence 

   applications.                                                           

       (2) Items not requiring licenses.--No validated license may be      

   required, except pursuant to the Trading With The Enemy Act or the      

   International Emergency Economic Powers Act (but only to the extent that

   the authority of such Act is not exercised to extend controls imposed   

   under this Act), for the export or reexport of--                        

       (A) any consumer product commercially available within the United   

   States or abroad which--                                                

       (i) includes encryption capabilities which are inaccessible to the  

   end user; and                                                           

    (ii) is not designed for military or intelligence end use;             



       (B) any component or subassembly designed for use in a consumer     

   product described in subparagraph (A) which itself contains encryption  

   capabilities and is not capable of military or intelligence end use in  

   its condition as exported;                                              

    (C) any software, including software with encryption capabilities--    



       (i) that is generally available, as is, and is designed for         

   installation by the purchaser;                                          

       (ii) that is in the public domain for which copyright or other      

   protection is not available under title 17, United States Code, or that 

   is available to the public because it is generally accessible to the    

   interested public in any form; or                                       

       (iii) that is customized for an otherwise lawful use by a specific  

   purchaser or group of purchasers;                                       

       (D) any computing device solely because it incorporates or employs  

   in any form--                                                           

       (i) software (including software with encryption capabilities) that 

   is exempted from any requirement for a validated license under          

   subparagraph (C); or                                                    

       (ii) software that is no more technically complex in its encryption 

   capabilties than software that is exempted from any requirement for a   

   validated license under subparagraph (C) but is not designed for        

   installation by the purchaser;                                          

       (E) any computer hardware that is generally available, solely       

   because it has encryption capabilities; or                              

       (F) any software or computing device solely on the basis that it    

   incorporates or employs in any form interface mechanisms for interaction

   with other hardware and software, including hardware, and software, with

   encryption capabilities.                                                

       (3) Software with encryption capabilities.--The Secretary shall     

   authorize the export or reexport of software with encryption            

   capabilities for nonmilitary end uses in any country to which exports of

   software of similar capability are permitted for use by financial       

   institutions not controlled in fact by United States persons, unless    

   there is substantial evidence that such software will be--              

       (A) diverted to a military end use or an end use supporting         

   international terrorism;                                                

    (B) modified for military or terrorist end use; or                     



       (C) reexported without any authorization by the United States that  

   may be required under this Act.                                         



       (4) Hardware with encryption capabilities.--The Secretary shall     

   authorize the export or reexport of computer hardware with encryption   

   capabilities if the Secretary determines that a product offering        

   comparable security is commercially available outside the United States 

   from a foreign supplier, without effective restrictions.                

    (5)  Definitions.--As used in this subsection--                        



       (A) the term ``encryption'' means the scrambling of wire or         

   electronic information using mathematical formulas or algorithms in     

   order to preserve the confidentiality, integrity, or authenticity of,   

   and prevent unauthorized recipients from accessing or altering, such    

   information;                                                            

    (B) the term ``generally available'' means--                           



       (i) in the case of software (including software with encryption     

   capabilities), software that is offered for sale, license, or transfer  

   to any person without restriction, whether or not for consideration,    

   including, but not limited to, over-the-counter retail sales, mail order

   transactions, phone order transactions, electronic distribution, or sale

   on approval; and                                                        

       (ii) in the case of hardware with encryption capabilities, hardware 

   that is offered for sale, license, or transfer to any person without    

   restriction, whether or not for consideration, including, but not       

   limited to, over-the-counter retail sales, mail order transactions,     

   phone order transactions, electronic distribution, or sale on approval; 

       (C) the term ``as is'' means, in the case of software (including    

   software with encryption capabilities), a software program that is not  

   designed, developed, or tailored by the software publisher for specific 

   purchasers, except that such purchasers may supply certain installation 

   parameters needed by the software program to function properly with the 

   purchaser's system and may customize the software program by choosing   

   among options contained in the software program;                        

       (D) the term ``is designed for installation by the purchaser''      

   means, in the case of software (including software with encryption      

   capabilities) that--                                                    

       (i) the software publisher intends for the purchaser (including any 

   licensee or transferee), who may not be the actual program user, to     

   install the software program on a computing device and has supplied the 

   necessary instructions to do so, except that the publisher may also     

   provide telephone help line services for software installation,         

   electronic transmission, or basic operations; and                       

       (ii) the software program is designed for installation by the       

   purchaser without further substantial support by the supplier;          

       (E) the term ``computing device'' means a device which incorporates 

   one or more microprocessor-based central processing units that can      

   accept, store, process, or provide output of data; and                  

       (F) the term ``computer hardware'', when used in conjunction with   

   information security, includes, but is not limited to, computer systems,

   equipment, application-specific assemblies, modules, and integrated     

   circuits.                                                               



                                      DISSENTING VIEWS                            



      While well-intentioned, this bill's one-dimensional focus on the     

   decontrol of encryption products would upset the vital balance that U.S.

   policy seeks to strike between the competitiveness of American industry 

   and U.S. national security and law enforcement goals. The bill would    

   prohibit any licensing or review of exports of encrypted software and   

   hardware items. Consequently, its implementation would not only hinder  

   our national security efforts but also undermine the Administration's   

   ability to forge an international consensus on the use and              

   implementation of national key recovery policies.                       

      While SAFE Act advocates correctly point out that the Administration 

   has not yet achieved a multilateral consensus endorsing its preference  

   for a key management infrastructure approach on encryption issues, it   

   should be noted that recent cryptography guidelines adopted by the      

   Organization for Economic Cooperation and Development have stressed the 

   need to balance privacy, law enforcement, national security concerns,   

   and commercial interests. They also underline the fact that failure to  

   coordinate these policies could cripple the global information network  

   and impede international trade.                                         

      A July policy brief published by the Brookings Institution by Kenneth

   Flamm on ``Deciphering the Cryptography Debate'' noted along the same   

   lines that:                                                             

      ``A level playing field, with common global rules of the game, is    

   needed to avoid giving economic rivals competitive advantages over one  

   another. The administration made an important and correct decision in   

   seeking an international consensus on the key recovery approach to      

   strong encryption and must be sure to continue to work hard in seeking  

   this common global approach. While it has yet to achieve such a         

   consensus within the OECD, many of the key players with the technical   

   capability to ship advanced cryptography products and affect global     

   markets--Britain, France and (quietly) Japan--are supporting the U.S.   

   approach, and if a few more (like Germany and Israel) can be brought on 

   board, the critical mass around which the core of an international      

   agreement can be assembled will exist.''                                

      If enacted in its current form, this bill would undermine any        

   prospects for achieving such consensus and would compel a number of the 

   OECD countries to put additional import restrictions in place blocking  

   the entry of our strongest encryption products.                         

      We recognize that the development of strong encryption can play a    

   vital role in the development of electronic commerce and promoting      

   privacy but the development of key recovery policies is essential to    

   head off a potential crisis in the years ahead for our law enforcement  

   authorities. If strong encryption is in widespread use in the near      

   future, it will make it virtually impossible to decipher encrypted      

   communications. Brute force attacks to crack encryption algorithms in   

   that type of environment are not feasible or realistic, especially in   

   the time sensitive cases where law enforcement needs access to encrypted

   files to save lives.                                                    

      By removing all controls on the export of any software and hardware  

   with encryption capabilities, this bill threatens U.S. national security

   and law enforcement interests.                                          

      With respect to U.S. national security, encrypted communications make

   it more difficult for U.S. intelligence agencies to monitor             

   communications relating to terrorism, weapons proliferation, military   

   operations, and other threats to U.S. national security interests. The  

   Administration does not dispute the contention of U.S. software         

   manufacturers that encryption products are in use around the world.     

      But the Administration also points out that these products are not   

   yet being widely used by individuals, groups, and governments whose     

   activities pose threats to U.S. security and safety. As we understand   

   it, the goal of U.S. export control policy is not to prevent the spread 

   of                                                                      



                    encryption worldwide--something which clearly cannot be       

          done--but to slow down the spread of these products enough to give      

          U.S.-led diplomacy an opportunity to achieve increased multilateral     

          cooperation on common export control policies and on the adoption of a  

          global key management infrastructure. Such an international key         

          management infrastructure would enable U.S. intelligence and law        

          enforcement agencies to cooperate with their counterparts in friendly   

          countries in gaining access to communications that threaten common      

          security and safety interests.                                          

      The elimination of all U.S. controls on encryption exports will also 

   jeopardize domestic law enforcement. We recognize that encryption is    

   essential to the fulfillment of the promise of electronic commerce and  

   to the protection of individual privacy in a networked world. But       

   encryption also complicates the mission of U.S. law enforcement         

   agencies, because it can make it impossible for law enforcement         

   personnel to understand data and communications to which they have been 

   granted access under court order or other proper legal authority.       

      This is why current U.S. policy seeks to promote the adoption of key 

   recovery features in encryption products used in the United States.     

   Export controls are a key component of this policy. Under current       

   practice, U.S. firms are permitted to export powerful encryption        

   products if they already include key recovery features or if they pledge

   to develop such features during the next two years. If we eliminate all 

   U.S. export controls, as this bill would do, the federal government will

   therefore lose one of its most important means for promoting the        

   development of key recovery in the U.S. market. That will harm U.S. law 

   enforcement.                                                            

      Lawful wiretapping and duly authorized court-ordered access to       

   information and materials on a timely basis are essential tools for     

   police and law enforcement authorities. If this legislation were to be  

   enacted in its present form, the resultant proliferation of global and  

   interconnected encryption has the very real potential to deny our local,

   state and federal authorities the timely access they now enjoy to data  

   and other communications, even after a court order has been issued.     

      More than one half the annual court-ordered wire taps are at the     

   state and local level, and of the national total for all such wire taps,

   more than 70% are for drug-related cases. Congressional action on this  

   legislation has the potential to affect our cities and towns where the  

   devastating impact of illicit drugs already causes nearly $70 billion in

   annual societal costs. We ought not to add to that carnage and          

   destruction by denying law enforcement one of the most effective tools  

   against this scourge, timely access to lawful requests for information  

   needed to combat these crimes.                                          

      Attorney General Janet Reno, our nation's chief law enforcement      

   officer, urged the members of our Committee to consider the effects of  

   this legislation in her July 18, 1997, letter to the International      

   Relations Committee. She said that ``* * * the misuse of encryption     

   technology will become a matter of life and death in many instances.    

   That is why we urge you to adopt a balanced approach.'' We invite the   

   attention of Members to correspondence from our Nation's law enforcement

   and national security leaders, appended below.                          

      During the full committee's consideration of H. R. 695, Chairman     

   Gilman offered an amendment which would have helped to create this      

   necessary balance in the bill. It would have provided the President the 

   authorities to control the export and reexport of encrypted items if he 

   determines that they would adversely affect our national security and   

   our ability to fight crimes such as drug trafficking, terrorism and     

   espionage. This amendment was, unfortunately, not adopted.              

      Other Committees of the House including National Security,           

   Intelligence and Commerce will now review this legislation through      

   September 5 before it is considered by the full House later this year.  

   We urge our colleagues on these Committees as well as our colleagues on 

   the International Relations and the Judiciary Committees to review this 

   legislation very carefully and consider its impact on our society and   

   our ability to fight terrorism and protect our national security        

   interests.                                                              



    Benjamin A. Gilman.                                                     



    Lee H. Hamilton.                                                        



    Doug Bereuter.                                                          



                                                                                 





       Office of the Attorney General,                                         



       Washington, DC, July 18, 1997.                                          



       Dear Member of Congress: Congress is considering a variety of       

   legislative proposals concerning encryption. Some of these proposals    

   would, in effect, make it impossible for the Federal Bureau of          

   Investigation (FBI), Drug Enforcement Administration (DEA), Secret      

   Service, Customs Service, Bureau of Alcohol, Tobacco and Firearms, and  

   other federal, state, and local law enforcement agencies to lawfully    

   gain access to criminal telephone conversations or electronically stored

   evidence possessed by terrorists, child pornographers, drug kingpins,   

   spies and other criminals. Since the impact of these proposals would    

   seriously jeopardize safety and national security, we collectively urge 

   you to support a different, balanced approach that strongly supports    

   commercial and privacy interests but maintains our ability to           

   investigate and prosecute serious crimes.                               

      We fully recognize that encryption is critical to communications     

   security and privacy, and that substantial commercial interests are at  

   stake. Perhaps in recognition of these facts, all the bills being       

   considered allow market forces to shape the development of encryption   

   products. We, too, place substantial reliance on market forces to       

   promote electronic security and privacy, but believe that we cannot rely

   solely on market forces to protect the public safety and national       

   security. Obviously, the government cannot abdicate its solemn          

   responsibility to protect public safety and national security.          

      Currently, of course, encryption is not widely used, and most data is

   stored, and transmitted, in the clear. As we move from a plain text     

   world to an encrypted one, we have a critical choice to make: we can    

   either (1) choose robust, unbreakable encryption that protects commerce 

   and privacy but gives criminals a powerful new weapons, or (2) choose   

   robust, unbreakable encryption that protects commerce and privacy and   

   gives law enforcement the ability to protect public safety. The choice  

   should be obvious and it would be a mistake of historic proportions to  

   do nothing about the dangers to public safety posed by encryption       

   without adequate safeguards for law enforcement.                        

      Let there be no doubt: without encryption safeguards, all Americans  

   will be endangered. No one disputes this fact; not industry, not        

   encryption users, no one. We need to take definitive actions to protect 

   the safety of the public and security of the nation. That is why law    

   enforcement at all levels of government--including the Justice          

   Department, Treasury Department, the National Association of Attorneys  

   General, International Association of Chiefs of Police, the Major City  

   Chiefs, the National Sheriffs' Association, and the National District   

   Attorneys Association--are so concerned about this issue.               

      We all agree that without adequate legislation, law enforcement in   

   the United States will be severely limited in its ability to combat the 

   worst criminals and terrorists. Further, law enforcement agrees that the

   widespread use of robust non-key recovery encryption ultimately will    

   devastate our ability to fight crime and prevent terrorism.             

      Simply stated, technology is rapidly developing to the point where   

   powerful encryption will become commonplace both for routine telephone  

   communications and for stored computer data. Without legislation that   

   accommodates public safety and national security concerns, society's    

   most dangerous criminals will be able to communicate safely and         

   electronically store data without fear of discovery. Court orders to    

   conduct electronic surveillance and court-authorized search warrants    

   will be ineffectual, and the Fourth Amendment's carefully-struck balance

   between ensuring privacy and protecting public safety will be forever   

   altered by technology. Technology should not dictate public policy, and 

   it should promote, rather than defeat, public safety                    

      We are not suggesting the balance of the Fourth Amendment be tipped  

   toward law enforcement either. To the contrary, we only seek the status 

   quo, not the lessening of any legal standard or the expansion of any law

   enforcement authority. The Fourth Amendment protects the privacy and    

   liberties of our citizens but permits law enforcement to use tightly    

   controlled investigative techniques to obtain evidence of crimes. The   

   result has been the freest country in the world with the strongest      

   economy.                                                                

      Law enforcement has already confronted encryption in high-profile    

   espionage, terrorist, and criminal cases. For example:                  

       An international terrorist was plotting to blow up 11 U.S.-owned    

   commercial airliners in the Far East. His laptop computer, which was    

   seized in Manila, contained encrypted files concerning this terrorist   

   plot;                                                                   

       A subject in a child pornography case used encryption in            

   transmitting obscene and pornographic images of children over the       

   Internet; and                                                           



       A major international drug trafficking subject recently used a      

   telephone encryption device to frustrate court-approved electronic      

   surveillance.                                                           

    And this is just the tip of the iceberg. Convicted spy Aldrich Ames,  

  for example, was told by the Russian Intelligence Service to encrypt    

  computer file information that was to be passed to them.                

      Further, today's international drug trafficking organizations are the

   most powerful, ruthless and affluent criminal enterprises we have ever  

   faced. We know from numerous past investigations that they have utilized

   their virtually unlimited wealth to purchase sophisticated electronic   

   equipment to facilitate their illegal activities. This has included     

   state of the art communication and encryption devices. They have used   

   this equipment as part of their command and control process for their   

   international criminal operations. We believe you share our concern that

   criminals will increasingly take advantage of developing technology to  

   further insulate their violent and destructive activities.              

      Requests for cryptographic support pertaining to electronic          

   surveillance interceptions from FBI Field Offices and other law         

   enforcement agencies have steadily risen over the past several years.   

   There has been an increase in the number of instances where the FBI's   

   and DEA's court-authorized electronic efforts were frustrated by the use

   of encryption that did not allow for law enforcement access.            

      There have also been numerous other cases where law enforcement,     

   through the use of electronic surveillance, has not only solved and     

   successfully prosecuted serious crimes but has also been able to prevent

   life-threatening criminal acts. For example, terrorists in New York were

   plotting to bomb the United Nations building, the Lincoln and Holland   

   Tunnels, and 26 Federal Plaza as well as conduct assassinations of      

   political figures. Court-authorized electronic surveillance enabled the 

   FBI to disrupt the plot as explosives were being mixed. Ultimately, the 

   evidence obtained was used to convict the conspirators. In another      

   example, electronic surveillance was used to stop and then convict two  

   men who intended to kidnap, molest, and kill a child. In all of these   

   cases, the use of encryption might have seriously jeopardized public    

   safety and resulted in the loss of life.                                

      To preserve law enforcement's abilities, and to preserve the balance 

   so carefully established by the Constitution, we believe any encryption 

   legislation must accomplish three goals in addition to promoting the    

   widespread use of strong encryption. It must establish:                 

       A viable key management infrastructure that promotes electronic     

   commerce and enjoys the confidence of encryption users;                 

       A key management infrastructure that supports a key recovery scheme 

   that will allow encryption users access to their own data should the    

   need arise, and that will permit law enforcement to obtain lawful access

   to the plain text of encrypted communications and data; and             

       An enforcement mechanism that criminalizes both improper use of     

   encryption key recovery information and the use of encryption for       

   criminal purposes.                                                      

      Only one bill, S. 909 (the McCain/Kerrey/Hollings bill), comes close 

   to meeting these core public safety, law enforcement, and national      

   security needs. The other bills being considered by Congress, as        

   currently written, risk great harm to our ability to enforce the laws   

   and protect our citizens. We look forward to working to improve the     

   McCain/Kerrey/Hollings bill.                                            

      In sum, while encryption is certainly a commercial interest of great 

   importance to this Nation, it is not solely a commercial or business    

   issue. Those of us charged with the protection of public safety and     

   national security, believe that the misuse of encryption technology will

   become a matter of life and death in many instances. That is why we urge

   you to adopt a balanced approach that accomplishes the goals mentioned  

   above. Only this approach will allow police departments, attorneys      

   general, district attorneys, sheriffs, and federal authorities to       

   continue to use their most effective investigative techniques, with     

   court approval, to fight crime and espionage and prevent terrorism.     

   Sincerely your,                                                         



          Janet Reno, Attorney General; Louis Freeh, Director, Federal Bureau

     of Investigation; Thomas A. Constantine, Director, Drug Enforcement     

     Administration; Raymond W. Kelly, Undersecretary for Enforcement, U.S.  

     Department of Treasury; John W. Magaw, Director, Bureau of Alcohol,     

     Tobacco and Firearms; Barry McCaffrey, Director, Office of National Drug

     Control Policy; Lewis C. Merletti, Director, United States Secret       

     Service; George J. Weise, Commissioner, United States Customs Service.  

                                                                                 





       The Secretary of Defense,                                               



       Washington, DC, July 21, 1997.                                          



       Dear Member of Congress: Recently you received a letter from the    

   nation's senior law enforcement officials regarding US encryption       

   policies. I am writing today to express my strong support for their     

   views on this important issue.                                          

      As you know, the Department of Defense is involved on a daily basis  

   in countering international terrorism, narcotics trafficking, and the   

   proliferation of weapons of mass destruction. The spread of unbreakable 

   encryption, as a standard feature of mass market communication products,

   presents a significant threat to the ability of the US and its allies to

   monitor the dangerous groups and individuals involved in these          

   activities. Passage of legislation which effectively decontrols         

   commercial encryption exports would undermine U.S. efforts to foster the

   use of strong key recovery encryption domestically and abroad. Key      

   recovery products will preserve governments' abilities to counter       

   worldwide terrorism, narcotics trafficking and proliferation.           

      It is also important to note that the Department of Defense relies on

   the Federal Bureau of Investigation for the apprehension and prosecution

   of spies. Sadly, there have been over 60 espionage convictions of       

   federal employees over the last decade. While these individuals         

   represent a tiny minority of government employees, the impact of        

   espionage activities on our nation's security can be enormous. As the   

   recent arrests of Nicholson, Pitts and Kim clearly indicate, espionage  

   remains a very serious problem. Any policies that detract from the FBI's

   ability to perform its vital counterintelligence function, including the

   ability to perform wiretaps, inevitably detract from the security of the

   Department of Defense and the nation.                                   

      Encryption legislation must also address the nation's domestic       

   information security needs. Today, approximately 95% of DoD             

   communications rely on public networks; other parts of government, and  

   industry, are even more dependent on the trustworthiness of such        

   networks. Clearly, we must ensure that encryption legislation addresses 

   these needs. An approach such as the one contained in S. 909 can go a   

   long way toward balancing the need for strong encryption with the need  

   to preserve national security and public safety. I hope that you will   

   work with the Administration to enact legislation that addresses these  

   national security concerns as well as the rights of the American people.

   I appreciate your consideration of these views.                         



   Sincerely,                                                              



         Bill Cohen.                                                            



                                                                                 



       International Association of Chiefs of Police,                          



       Alexandria, VA, July 21, 1997.                                          



       Dear Member of Congress: Enclosed is a letter sent to you by the    

   Attorney General, the Director of National Drug Control Policy and all  

   the federal law enforcement heads concerning encryption legislation     

   being considered by congress. Collectively we, the undersigned,         

   represent over 17,000 police departments including every major city     

   police department, over 3,000 sheriffs departments, nearly every        

   district attorney in the United States and all of the state Attorneys   

   General. We fully endorse the position taken by our federal counterparts

   in the enclosed letter. As we have stated many times, Congress must     

   adopt a balanced approach to encryption that fully addresses public     

   safety concerns or the ability of state and local law enforcement to    

   fight crime and drugs will be severely damaged.                         

      Any encryption legislation that does not ensure that law enforcement 

   can gain timely access to the plaintext of encrypted conversations and  

   information by established legal procedures will cause grave harm to    

   public safety. The risk cannot be left to the uncertainty of market     

   forces or commercial interests as the current legislative proposals     

   would require. Without adequate safeguards, the unbridled use of        

   powerful encryption soon will deprive law enforcement of two of its most

   effective tools, court authorized electronic surveillance and the search

   and seizure of information stored in computers. This will substantially 

   tip the balance in the fight against crime towards society's most       

   dangerous criminals as the information age develops.                    

      We are in unanimous agreement that congress must adopt encryption    

   legislation that requires the development, manufacture, distribution and

   sale of only key recovery products and we are opposed to the bills that 

   do not do so. Only the key recovery approach will ensure that law       

   enforcement can continue to gain timely access to the plaintext of      

   encrypted conversations and other evidence of crimes when authorized by 

   a court to do so. If we lose this ability--and the bills you are        

   considering will have this result--it will be a substantial set back for

   law enforcement at the direct expense of public safety.                 

   Sincerely yours,                                                        



    Darrell L. Sanders,                                                     



      President, International Association of Chiefs of Police.              



    James E. Doyle,                                                         



      President, National Association of Attorneys General.                  



    Fred Scoralic,                                                          



      President, National Sheriffs' Association.                             



    William L. Murphy,                                                      



      President, National District Attorneys Association.