1997 Congressional Hearings
Intelligence and Security


PREPARED STATEMENT OF ROBERT S. LITT,
DEPUTY ASSISTANT ATTORNEY GENERAL,
CRIMINAL DIVISION, DEPARTMENT OF JUSTICE

Security and Freedom Through Encryption (SAFE) Act
March 20, 1997 - House Judiciary Subcommittee on Courts and Intellectual Property


  Thank you, Mr. Chairman and members of the Subcommittee, for providing me with this opportunity to discuss with you the important and complex issue of encryption. The Nation's policy on this issue must carefully balance important competing interests, and it is essential for all interested parties to recognize the validity and importance of all of these interests. Although the Department of Justice does not support H.R. 695 in its present form, we look forward to continuing the productive discussions we have had with Congress on this issue, with the goal of arriving at a policy that accommodates all of these interests.

  Since 1992, when AT&T announced its plan to sell a small, portable telephone device that would provide users with low-cost but robust voice encryption, the issue of encryption—that is, the use of mathematical algorithms to protect the confidentiality of data—has been vociferously debated in the United States. Some people, who have legitimate concerns about privacy, commerce, and computer security in the information age, have advocated the unfettered proliferation of strong encryption products. They have argued that government should simply stay out of the encryption issue entirely. Government controls on the export of strong cryptography have come in for particular criticism.
  Let me make clear at the outset that the Department of Justice supports the spread of strong encryption. We believe that the availability and use of strong cryptography are critical if the ''Global Information Infrastructure'' (GII) is to fulfill its promise. Communications and data must be protected—both in transit and in storage—if the GII is to be used for personal communications, financial transactions, medical care, the development of new intellectual property, and myriad other applications. Indeed, people sometimes lose sight of the fact that law enforcement's responsibilities include protecting privacy and promoting commerce over our nation's communications networks. For example, we prosecute under existing laws those who violate the privacy of others by illegal eavesdropping, hacking or theft of confidential information. Indeed, last year the Administration sought, and Congress passed, the National Information Infrastructure Protection Act of 1996, to provide further protection to the confidentiality of stored data. And we help promote commerce by enforcing laws that protect intellectual property rights, by combating computer and communications fraud, and by helping to protect the confidentiality of business data through enforcement of the Economic Espionage Act. Our support for robust encryption stems from this commitment to protecting privacy and commerce.
  At the same time, however, we must be mindful of our other principal responsibilities: to protect public safety and national security against the threats posed by terrorists, organized crime, foreign intelligence agents, and others, and to prosecute serious crime when it does occur. Thus, while we favor the spread of strong encryption, we are gravely concerned that the proliferation and use of unbreakable encryption would seriously undermine our ability to protect the American people.

  The most easily understood example is electronic surveillance. Court-authorized wiretaps have proven to be one of the most successful law enforcement tools in preventing and prosecuting serious crimes, including drug trafficking and terrorism. We have used legal wiretaps to bring down entire narcotics trafficking organizations, to rescue young children kidnaped and held hostage, and in a variety of matters affecting our national security. In addition, as society becomes more dependent on computers, evidence of crimes is increasingly found in stored computer data, which can be searched and seized pursuant to court-authorized warrants.

  But if unbreakable encryption proliferates, these critical law enforcement tools would be nullified. Thus, for example, even if the government satisfies the rigorous legal and procedural requirements for obtaining a wiretap order, the wiretap would be worthless if the intercepted communications of the targeted criminals amount to an unintelligible jumble of noises or symbols. Or we might legally seize the computer of a terrorist and be unable to read the data identifying his targets, his plans and his co-conspirators. The potential harm to law enforcement—and to the nation's domestic security—could be devastating.
   I want to emphasize that this concern is not theoretical, nor is it exaggerated. Although encryption is only in its infancy, we have already begun to encounter its harmful effects in recent investigations.

In the Aldrich Ames spy case, Soviet intelligence operatives directed Ames to encrypt computer files that he transmitted to them.

Ramzi Yousef, recently convicted of conspiring to blow up 10 U.S.-owned airliners in Asia, and his co-conspirators apparently stored information about their terrorist plot in an encrypted computer file. (Yousef is also one of the alleged masterminds of the World Trade Center bombing.)
One of the subjects in a child pornography case encrypted pornographic images of children before sending the pictures out on the Internet.

The subject of a major international drug-trafficking case used a telephone encryption device to seriously reduce the effectiveness of a court-ordered wiretap.

In several major hacker cases, the subjects have encrypted computer files, thereby concealing evidence of serious crimes. In one such case, the government was unable to determine the full scope of the hacker's activity because of the use of encryption.

  These are just a few examples of recent cases involving encryption. As encryption proliferates and becomes an ordinary component of mass market items, and as the strength of encryption products increases, the threat to public safety will increase proportionately.

  To some, this is an acceptable outcome. They argue that people have a right to absolute immunity from governmental intrusion, regardless of the costs to public order and safety, and that any new technology that enhances absolute privacy should go unrestricted. But the Founding Fathers recognized that an absolute right to privacy was incompatible with an ordered society, and so our Nation has never recognized such an absolute right. Rather, the Fourth Amendment strikes a careful balance between an individual's right to privacy and society's need, on appropriate occasions, to intrude into that privacy. We have always permitted government to invade a person's privacy, for example by searching for and seizing personal communications and papers, when it is necessary to prevent, solve, and prosecute crimes, but, for the most part, we allow this only when the government demonstrates ''probable cause'' and obtains a warrant from the court. Unbreakable encryption would upset this delicate constitutional balance, which is one of the bedrock principles of our legal system, by effectively nullifying a court's issuance of a search warrant or wiretap order. The notion that advances in technology should dictate public policy is backwards. Technology should serve society, not rule it; technology should promote public safety, not defeat it.

  Others claim that the fears of law enforcement are overstated. They argue that U.S. law enforcement and intelligence agencies can be given the resources necessary to decrypt encrypted communications. Essentially, they argue that expensive, fast computers can be used to decipher encrypted communications by ''brute force''—which essentially means trying every possible ''key'' (a sequence of symbols that determines the transformation from plain text to cipher-text, and vice versa) until the right one is found. They point to the recent, highly publicized success of a graduate student in deciphering a message encrypted with a 40-bit key in under four hours and argue that law enforcement can surely do the same. But this argument does not withstand scrutiny.
  Most significantly, the time needed to decrypt a message rises exponentially as the length of the encryption key increases. According to the National Security Agency's estimates, the average time needed to decrypt a single message by means of a brute force cryptoanalytic attack on 56-bit DES—a strength whose export we are now allowing—would be approximately one year and eighty-seven days using a thirty-million-dollar supercomputer. And, of course, law enforcement would not be confronted with only one message to decrypt. During 1995, for example, federal and state courts authorized more than a thousand electronic surveillance court orders, resulting in over two million intercepted communications, each of which would require separate decryption. Given such numbers, brute force attacks are not a feasible solution.
  Additionally, law enforcement agencies at the federal, state, and local level are finding that searches in routine, non-wiretap cases now commonly result in the seizure of electronically stored information. Because storage devices have increased in capacity and decreased in price, the quantity of data seized in ''ordinary'' cases continues to increase dramatically. If all of these communications and stored files were DES-encrypted, brute force attacks would not provide a meaningful and timely solution, especially since some cases, such as kidnappings, may require immediate decryption to prevent death or serious bodily harm. Thus, even if hundreds of such supercomputers were built (an expensive undertaking, to say the least), the approximately 17,000 federal, state, and local law enforcement agencies could not be given timely access to necessary decryption services.
  Finally, many proponents of strong encryption advocate its proliferation precisely because it cannot be decrypted by the government. Thus, even if the government could acquire the ability to quickly decrypt DES-encrypted communications and information, many of the advocates of absolute privacy would push for even greater key lengths, on the ground that 56-bit DES no longer provided acceptable security. But greater key lengths would, of course, increase the difficulty and cost of decrypting encrypted data even more. We must recognize that it will always be easier and cheaper to devise algorithms using longer keys than to build computers powerful enough to break them in a reasonable period of time.
  Our goal, then, must be to encourage the use of strong encryption to protect privacy and commerce, but in a way that preserves law enforcement's ability to protect public safety and national security against terrorism and other criminal threats. We have engaged in extensive international discussions on this topic over the last year, and a consensus is now emerging throughout much of the world that the way to achieve this balance is through the use of a ''key recovery'' or ''trusted third party'' system. Under this system, a key for a given encryption product would be deposited with a trusted third party or ''recovery'' agent. (Some entities, such as large corporations, might be able to hold their own keys, provided that certain procedural protections were established to preserve the integrity of a law enforcement investigation.) If the government had lawful authority to obtain the encrypted information, for example by a search warrant or a court-ordered wiretap, it could obtain the key from the recovery agent in order to decrypt the information it was entitled to get.

  But I want to emphasize that a key recovery system would give the government no new power. It would create no new authority to obtain data, to examine personal records, or to eavesdrop. Access to encrypted data could be obtained only as part of a legally authorized investigation, and under the same circumstances that today would authorize access to unencrypted data. The same constitutional and statutory protections that preserve every American's privacy interests today would prevent unauthorized intrusions in a key recovery regime. All we would be doing would be preserving law enforcement's ability to do what it is legally and constitutionally entitled to do today. At the same time, though, individuals and companies would gain the benefit of strong cryptography to protect the confidentiality of their data, whether in storage or in transmission.

  Effective law enforcement is not, however, the only reason to support a key recovery system. Business, as well, needs a routinely available method of recovering encrypted information. For example, a company might find that one of its employees had encrypted confidential information in the company's files and then absconded with the key, or just lost it. Without a key recovery system, the company would be out of luck. Key recovery thus serves important private interests as well.

  In short, key recovery holds great promise for providing the security and confidentiality that businesses and individuals want and need, while preserving the government's ability to protect public safety and national security. There are no restrictions on the use of encryption domestically, and we do not propose to require the manufacture and use of key recovery products. Administration policy is to promote the voluntary manufacture and use of key recovery products, to develop a global key management infrastructure (''KMI''), and to liberalize United States restrictions on the export of robust cryptographic products in the hope that market forces will make such products a de facto industry standard.

  For many months, we also have been engaged in serious discussions on this subject with foreign governments, which are now anxious to join us in developing international standards to address this issue on a global scale. In fact, an experts working group of the Organization for Economic Cooperation and Development is expected to issue shortly a statement of principles that acknowledges the need to consider public safety when establishing national cryptographic policies. We believe that key recovery encryption will become the worldwide standard for users of the GII.

  If key recovery encryption does become the worldwide standard, U.S. businesses will be able to compete abroad effectively, retaining and even expanding their market share. At the same time, law enforcement agencies will have a legally authorized means of decrypting encoded data. This approach would therefore effectively serve the interests of all Americans.

  The argument is sometimes made that key recovery encryption is not the solution, because criminals will simply use non-key recovery encryption to communicate among themselves and to hide evidence of their crimes. But we believe that if our companies develop and market strong key recovery encryption products that will not interoperate with non-key recovery products and a global KMI arises, key recovery products will become the worldwide standard. Under those circumstances, even criminals will be compelled to use key recovery products, because even criminals need to communicate with legitimate organizations such as banks, both nationally and internationally.

  That is the cornerstone of our policy: encouraging the voluntary development of key recovery products and a KMI to preserve the balance of privacy and law enforcement that our Constitution embodies. For this reason we cannot support H.R. 695 as it is presently drafted. We believe that the central provision of the bill, Section 3—which would effectively eliminate all export controls on strong encryption—would undermine public safety and national security by encouraging the proliferation of unbreakable encryption. In addition, we believe that the bill would discourage the development of a key management infrastructure.

  As to the first issue, export controls, we have heard, of course, the oft-repeated argument that the ''genie is already out of the bottle''—that strong cryptography is already widely available overseas and over the Internet, that its dissemination cannot be halted, and that regulation serves only to handicap U.S. manufacturers seeking to sell their encryption products overseas. We disagree.

  First, although strong encryption products can be found overseas, these products are not ubiquitous, in part because the export of strong cryptography is controlled today by both the U.S. and other countries. It is worth noting in this regard that export of encryption over the Internet, like any other means of export, is restricted under U.S. law. Although it is difficult to completely prevent encryption products from being sent abroad over the Internet, we believe that the present legal restrictions have significantly limited the use of the Internet as a means of evading export controls.

  Second, the products that are available overseas are not widely used because there is not yet an infrastructure to support the distribution of keys among users and to provide interoperability among the different products. Such an infrastructure will have to be created in order to realize the full benefits of encryption, and we should strive to ensure that it is created in a way that preserves public safety.

  Third, the quality of encryption products offered abroad varies greatly, with some encryption products not providing the level of protection advertised.

  Finally, the vast majority of businesses and individuals with a serious need for strong encryption do not and will not rely on encryption downloaded from the Internet from untested sources, but prefer to deal with known and reliable suppliers. For these reasons, export controls continue to serve an important function.

  It is also important to consider that our allies strongly concur that unrestricted export of encryption would severely hamper law enforcement objectives. Indeed, when the U.S. let it be known at a December 1995 meeting of the OECD that it was considering allowing the export of some stronger, non-recoverable encryption, many of our allies expressed dismay at the prospect of such an action. They feared that unbreakable encryption would become so internationally pervasive that criminal organizations and terrorists would be able to use it freely. It follows that the elimination of U.S. export controls, as provided by H.R. 695, would have an even more devastating impact on international law enforcement. It would be a terrible irony if this government—which prides itself on its leadership in fighting international crime—were to enact a law that would jeopardize public safety and weaken law enforcement agencies worldwide.

  In addition, it would be a mistake to assume that if the U.S. were to lift export controls, U.S. companies would have unrestricted access to foreign markets. This assumption ignores the likely reaction of foreign governments to the elimination of U.S. export controls. Up to now, most other countries have not needed to restrict imports or the domestic use of encryption, largely because export controls in the U.S.—the world leader in computer technology—and other countries have made such restrictions unnecessary. But given other countries' legitimate concerns about the potential worldwide proliferation of unbreakable cryptography, we believe that many of those countries would respond to any lifting of U.S. export controls by imposing import controls, or by restricting use of strong encryption by their citizens. For example, the import and domestic manufacture, sale and use of encryption products have already been restricted in France, Russia and Israel. And the European Union is moving towards the adoption of a key-recovery-based key management infrastructure similar to that proposed by the Administration. In the long run, then, U.S. companies might not be any better off if U.S. export controls were lifted, but we would have undermined our leadership role in fighting international crime and damaged our own national security interests in the meantime.

  However, in recognition of the legitimate interests of U.S. software manufacturers, the Administration, as this Subcommittee is of course aware, has considerably liberalized export controls for certain commercial encryption products. The Administration transferred jurisdiction over commercial encryption products from the Department of State to the Department of Commerce at the end of December, a step that we expect will ease the burden on industry by providing for faster and more transparent decisions on applications for export licenses. We have allowed unlimited export of key recovery products as well as export of non-key recovery 56-bit encryption during a two-year transitional period by those companies that commit to the development of key recovery products.

  In light of these factors, we believe it would be profoundly unwise simply to lift export controls on encryption. National security should not be sacrificed for the sake of uncertain commercial benefits, especially when there is the possibility of satisfying both security and commercial needs simultaneously through global adoption of a key recovery system.

   The second problem that we see with H.R. 695 is its failure to promote development of a key management infrastructure. The Administration believes that the development of a key management infrastructure is critically important for a safe society. H.R. 695 prohibits laws that would require a keyholder to relinquish keys to third parties under certain circumstances. Unfortunately, to the extent that this provision would actually prohibit government from encouraging KMI development, the provision would put public safety and national security at risk and is inadvisable. For example, it might preclude the United States government from utilizing useful and appropriate incentives to use key recovery. The government might not be able to require its own contractors to use key recovery or demand its use in the legally required storage of records regarding such matters as sales of controlled substances or firearms.

   We as government leaders should embark upon the course of action that best preserves the balance long ago set by the Framers of the Constitution, preserving both individual privacy and society's interest in effective law enforcement. We should promote encryption products which contain robust cryptography but that also provide for timely and legal law enforcement access and decryption. This is the Administration's policy. We look forward to working with this Subcommittee as we continue to develop and implement our approach.

  I would now be pleased to answer any questions you may have.