United States. Congress. House. Committee on the J.

Security and Freedom through Encryption (SAFE) Act : hearing before the Committee on the Judiciary, House of Representatives, One Hundred Fourth Congress, second session, on H.R. 3011 ... September 25, 1996 online

. (page 1 of 15)
Online LibraryUnited States. Congress. House. Committee on the JSecurity and Freedom through Encryption (SAFE) Act : hearing before the Committee on the Judiciary, House of Representatives, One Hundred Fourth Congress, second session, on H.R. 3011 ... September 25, 1996 → online text (page 1 of 15)
Font size
QR-code for this ebook


iD^^



SECURITY AND FREEDOM THROUGH ENCRYPTION

(SAFE) ACT

Y 4. J 89/1: 104/100

Security and Freedon Through Encryp. . .

HEARING

BEFORE THE

COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES

ONE HUNDRED FOURTH CONGRESS

SECOND SESSION
ON

H.R. 3011

SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT



SEPTEMBER 25, 1996



Serial No. 100




^-^/ SS7



Printed for the use of the Committee on the Judiciary



U.S. GOVERNMENT PRINTING OFFICE
3e-300 CC WASHINGTON : 1996



For sale by the U.S. Government Printing Office
Superintendent of Documents, Congressional Sales Office, Washington, DC 20402
ISBN 0-16-053944-7



SECURITY AND FREEDOM THROUGH ENCRYPTION

(SAFE) ACT

4. J 89/1:104/100

curity and Freedon Through Encryp. . .

HEARING

BEFORE THE

COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES

ONE HUNDRED FOURTH CONGRESS

SECOND SESSION
ON

H.R. 3011

SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT



SEPTEMBER 25, 1996



Serial No. 100







7



Printed for the use of the Committee on the Judiciary



U.S. GOVERNMENT PRINTING OFFICE
36-300 CC WASHINGTON : 1996



For sale by the U.S. Government Printing Office
Superintendent of Documents, Congressional Sales Office, Washington, DC 20402
ISBN 0-16-053944-7



COMMITTEE ON THE JUDICIARY
HENRY J. HYDE, Illinois, Chairman



CARLOS J. MOORHEAD, California
F. JAMES SENSENBRENNER, Jr.,

Wisconsin
BILL McCOLLUM, Florida
GEORGE W. GEKAS, Pennsylvania
HOWARD COBLE, North Carolina
LAMAR SMITH, Texas
STEVEN SCHIFF, New Mexico
ELTON GALLEGLY, California
CHARLES T. CANADY, Florida
BOB INGLIS, South Carolina
BOB GOODLATTE, Virginia
STEPHEN E. BUYER, Indiana
MARTIN R. HOKE, Ohio
SONNY BONO, CaUfomia
FRED HEINEMAN, North Carolina
ED BRYANT, Tennessee
STEVE CHABOT, Ohio
MICHAEL PATRICK FLANAGAN, IlUnois
BOB BARR, Georgia



JOHN CONYERS, Jr., Michigan
PATRICIA SCHROEDER, Colorado
BARNEY FRANK, Massachusetts
CHARLES E. SCHUMER, New York
HOWARD L. BERMAN, CaUfomia
RICK BOUCHER, Virginia
JOHN BRYANT, Texas
JACK REED, Rhode Island
JERROLD NADLER, New York
ROBERT C. SCOTT, Virginia
MELVIN L. WATT, North Carolina
XAVIER BECERRA, California
ZOE LOFGREN, CaUfomia
SHEILA JACKSON LEE, Texas
MAXINE WATERS, CaUfomia



Alan F. Coffey, Jr., General Counsel / Staff Director
Julian Epstein, Minority Staff Director



(II)



CONTENTS



HEARING DATE



Page

September 25, 1996 1

TEXT OF BILL

H.R. 3011 3

OPENING STATEMENT

Hyde, Hon. Henry J., a Representative in Congress from the State of IlUnois,
and chairman, Committee on the Judiciary 1

WITNESSES

Brown, Mehnda, vice president and general counsel, Lotus Development

Corp., on behalf of the Business Software Alliance 55

Crowell, William P., Deputy Director, National Security Agency 31

Deneka, Dr. Charles W., chief technical officer. Coming, Inc., on behalf of

the National Association of Manufacturers 79

Goodlatte, Hon. Bob, a Representative in Congress from the State of Virginia 17

Gorelick, Jamie S., Deputy Attorney General, Department of Justice 24

Katz, Roberta R., senior vice president, general counsel and secretary,

Netscape Communications Corp 61

Reinsch, William A., Under Secretary, Bureau of Export Administration, De-
partment of Commerce 40

Ripley, Patricia, managing director. Bear, Steams & Co., Inc 73

LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING

Brown, Melinda, vice president and general counsel, Lotus Development
Corp., on Behalf of the Business Software Alliance: Prepared statement 57

Crowell, William P., Deputy Director, National Security Agency: Prepared
statement 34

Deneka, Dr. Charles W., chief technical officer, Coming, Inc., on behalf of
the National Association of Manufacturers: Prepared statement 80

Goodlatte, Hon. Bob, a Representative in Congress from the State of Virginia:
Prepared statement 20

Gorelick, Jamie S., Deputy Attomey General, Department of Justice: Pre-
pared statement 27

Hyde, Hon. Henry J., a Representative in Congress from the State of IlUnois,
and chairman. Committee on the Judiciary: Opening statement 13

Jackson Lee, Hon. Sheila, a Representative in Congress from the State of
Texas: Prepared statement 16

Katz, Roberta R., senior vice president, general counsel, and secretary,
Netscape Communications Corp.: Prepared statement 64

Lofgren, Hon. Zoe, a Representative in Congress from the State of California:
Prepares statement 14

Ripley, Patricia, managing director. Bear, Steams & Co., Inc.: Prepared state-
ment 75

APPENDIX

Material submitted for the hearing 91

(III)



SECURITY AND FREEDOM THROUGH
ENCRYPTION (SAFE) ACT



WEDNESDAY, SEPTEMBER 25, 1996

House of Representatives,
Committee on the Judiciary,

Washington, DC.
The committee met, pursuant to notice, at 9:44 a.m., in room
2141, Rayburn House Office Building, Hon. Henry J. Hyde (chair-
man of the committee) presiding.

Present: Representatives Henry J. Hyde, Charles T. Canady, Bob
Inglis, Bob Goodlatte, Sonny Bono, Ed Bryant of Tennessee, Steve
Chabot, Michael Patrick Flanagan, John Conyers, Jr., John Bryant
of Texas, Robert C. Scott, Zoe Lofgren, and Sheila Jackson Lee.

Also present: Joseph Gibson, counsel; Kenny Prater, clerk; and
John Flannery, minority special counsel.

OPENING STATEMENT OF CHAIRMAN HYDE

Mr. Hyde. The committee will come to order.

Today the committee considers H.R. 3011, the Security and Free-
dom Through Encryption (SAFE) Act. Encr3rption is the process of
encoding data or communications in a form that only the intended
recipient can understand. Once the exclusive domain of the na-
tional security agencies, encryption has become increasingly impor-
tant to persons and companies in the private sector; for example,
to protect intellectual property and other forms of proprietary infor-
mation that are stored and transmitted in digital formats.

The encrjrption debate encompasses two main issues. The first is
whether there should be any restrictions on the domestic use and
sale of encryption technology and, in particular, whether domestic
users must place their keys in escrow with the Government or
some neutral third party. Current law does not have any such re-
strictions. The second issue is whether there should be restrictions
on the export of encryption technology. Current law regulates the
export of encryption technology in the same manner as military
technology. To date, the State Department has generally only al-
lowed the export of relatively weak encryption technology.

With respect to the domestic use of encryption, the administra-
tion generally favors a key escrow system, and its representatives
will explain more about this proposal shortly. The law enforcement
and national security agencies believe that a key escrow system is
necessary to maintain their ability to perform lawful wiretaps and
to read computer data obtained through lawful means.

The computer industry, the larger business community, and pri-
vacy groups oppose any mandatory key escrow system. They be-

(1)



lieve that a mandatory system would unnecessarily invade the pri-
vacy of users and that law enforcement can solve its problems by
acquiring better technology to decode encrypted materials. They
argue that the benefits of preventing crime through the widespread
use of encryption outweigh any harm to law enforcement caused by
that use.

With respect to the export control issue, the administration has
to date generally opposed the lifting of the current export controls.
It argues that the controls are still effective and that our allies
would be distressed about the damage to law enforcement efforts
if we lifted the controls.

The computer industry and the privacy groups argue that the
controls ought to be substantially relaxed, if not eliminated. They
argue that the controls are easily evaded because many encryption
products are already available to anyone over the Internet, and be-
cause it is legal for anyone to come into the United States, buy
encryption products, and take them out of the country. If the situa-
tion does not change, they believe that Americans will no longer
dominate this field.

[The bill, H.R. 3011, follows:]



104th congress

2d Session



H.R.3011



To amend title 18, United States Code, to affirm the rights of United
States persons to use and sell encryption and to relax export controls
on encryption.



IN THE HOUSE OF REPRESENTATIVES

March 5, 1996
Mrs. GOODLATTE (for himself, Mr. DeLay, Mr. BOEHKER, Mr. MOORHEAD,
Mrs. SCHROEDER, Mr. Gejdensox, Mr. Manzullo, Mr. Coble, Mr.
Barr of Georgia, Mr. BoKO, Ms. LOFGREN, Mr. Campbell, Ms. EsHOO,
Mr. DOOLITTLE, Mr. Farr of California, Mr. McKeon, Mr. Engel,
Mrs. Waldholtz, Mr. E^^^^•G, Mr. Mica, Mr. Chahibuss, Mr. Ever-
ett, Mr. Ehlers, Mr. Orton, Mr. Matsui, Mr. BOUCHER, Mr.
Chabot, Mr. MOAKLEY, and Mr. Bartlett of Maryland) introduced the
foUowng bill; which was referred to the Conunittee on the Judiciary, and
in addition to the Committee on International Relations, for a period to
be subsequently determined by the Speaker, in each case for consider-
ation of such provisions as fall within the jurisdiction of the committee
concerned



A BILL

To amend title 18, United States Code, to affirm the rights
of United States persons to use and sell encryption and
to relax export controls on encryption.

1 Be it enacted by the Senate and house of Representa-

2 tives of the United States of America in Congress assembled,



2

1 SECTION 1. SHORT TITLE.

2 This Act may be cited as the "Security and Freedom

3 Through Encryption (SAFE) Act".

4 SEC. 2. SALE AND USE OF ENCRYPTION.

5 (a) In General. — Part I of title 18, United States

6 Code, is amended by inserting after chapter 121 the fol-

7 lowing new chapter:

8 "CHAPTER 122— ENCRYPTED WIRE AND

9 ELECTRONIC INFORMATION

"2801. Definitions.

"2802. Freedom to use encryption.

"2803. Freedom to sell encryption.

"2804. Prohibition on mandatory key escrow.

"2805. Unlawful use of encryption in furtherance of a criminal act.

10 **§ 2801. Definitions

1 1 "As used in this chapter —

12 "(1) the terms 'person', 'State', 'wire commu-

13 nication', 'electronic communication', 'investigative

14 or law enforcement officer', 'judge of competent ju-

15 risdiction', and 'electronic storage' have the mean-

16 ings given those terms in section 2510 of this title;

17 "(2) the terms 'encrypt' and 'encryption' refer

18 to the scrambling of wire or electronic information

19 using mathematical formulas or algorithms in order

20 to preserve the confidentiality, integrity, or authen-

21 ticity of, and prevent unauthorized recipients from

22 accessing or altering, such information;

•HR soil IH



3

1 "(3) the term 'key* means the variable informa-

2 tion used in a mathematical formula, code, or algo-

3 rithm, or any component thereof, used to decrypt

4 wire or electronic information that has been

5 encrypted; and

6 "(4) the term 'United States person' means —

7 "(A) any United States citizen;

8 "(B) any other person organized under the

9 laws of any State, the District of Columbia, or

10 any commonwealth, territory, or possession of

11 the United States; and

12 "(C) any person organized under the laws

13 of any foreign country who is owned or con-

14 trolled by individuals or persons described in

15 subparagraphs (A) and (B).

16 **§ 2802. Freedom to use encryption

17 "Subject to section 2805, it shall be lawful for any

18 person within any State, and for any United States person

19 in a foreign country, to use any encryption, regardless of

20 the encryption algorithm selected, encryption key length

21 chosen, or implementation technique or medium used.

22 **§ 2803. Freedom to sell encryption

23 "Subject to section 2805, it shall be lawful for any

24 person within any State to sell in interstate commerce any

25 encryption, regardless of the encryption algorithm se-



•HB soil IH



4

1 lected, encryption key length chosen, or implementation

2 technique or medium used.

3 **§ 2804. Prohibition on mandatory key escrow

4 "(a) Prohibition. — No person in lawful possession

5 of a key to encrypted information may be required by Fed-

6 eral or State law to relinquish to another person control

7 of that key.

8 "(b) Exception for Access for Law Enforce-

9 MENT Purposes. — Subsection (a) shall not affect the au-

10 thority of any investigative or law enforcement officer, act-

11 ing under any law in effect on the effective date of this

12 chapter, to gain access to encrypted information.

13 ''§2805. Unlawful use of encryption in furtherance of

14 a criminal act

15 "Any person who \villfully uses encryption in further-

16 ance of the commission of a criminal offense for which

17 the person may be prosecuted in a court of competent ju-

18 risdiction —

19 "(1) in the case of a first offense under this

20 section, shall be imprisoned for not more than 5

21 years, or fined in the amount set forth in this title,

22 or both; and

23 "(2) in the case of a second or subsequent of-

24 fense under this section, shall be imprisoned for not



•HR 3011 IH



5

1 more than 10 years, or fined in the amount set forth

2 in this title, or both.".

3 (b) Conforming Amendment. — The table of chap-

4 ters for part I of title 18, United States Code, is amended

5 by inserting after the item relating to chapter 33 the fol-

6 lowing new item:

"122. Elncrypted wire and electronic information 2801*.

7 SEC. 3. EXPORTS OF ENCRYPTION.

8 (a) Amendment to Export Administration Act

9 OF 1979. — Section 17 of the Export Administration Act

10 of 1979 (50 U.S.C. App. 2416) is amended by adding at

1 1 the end thereof the following new subsection:

12 "(g) Computers and Related Equipment.—

13 "(1) General rule. — Subject to paragraphs

14 (2), (3), and (4), the Secretary shall have exclusive

15 authority to control exports of all computer hard-

16 ware, software, and technology for information secu-

17 rity (including encryption), except that which is spe-

18 cifically designed or modified for military use, in-

19 eluding command, control, and intelligence applica-

20 tions.

21 "(2) Items not requiring licenses. — No

22 validated license may be required, except pursuant

23 to the Trading With The Enemy Act or the Inter-

24 national Emergency Economic Powers Act (but only

25 to the estent that the authority of such Act is not

•HR 3011 IH



8



6

1 exercised to extend controls imposed under this Act),

2 for the export or reexport of —

3 "(A) any software, including software with

4 encryption capabilities —

5 "(i) that is generally available, as is,

6 and is designed for installation by the pur-

7 chaser; or

8 "(ii) that is in the public domain for

9 which copjright or other protection is not

10 available under title 17, United States

11 Code, or that is available to the public be-

12 cause it is generally accessible to the inter-

13 ested public in any form; or

14 "(B) any computing device solely because

15 it incorporates or employs in any form software

16 (including software with encryption capabilities)

17 exempted from any requirement for a validated

18 license under subparagraph (A).

19 "(3) Software with encryption capabili-

20 TIES. — The Secretary shall authorize the export or

21 reexport of software with encryption capabilities for

22 nonmilitary end-uses in any country to which ex-

23 ports of software of similar capability are permitted

24 for use by financial institutions not controlled in fact



•HR 3011 IH



7

1 by United States persons, unless there is substantial

2 evidence that such software will be —

3 "(A) diverted to a military end-use or an

4 end-use supporting international terrorism;

5 "(B) modified for military or terrorist end-

6 use; or

7 "(C) reexported without any authorization

8 by the United States that may be required

9 under this Act.

10 "(4) Hardware with encryption capabili-

11 TIES. — The Secretary shall authorize the export or

12 reexport of computer hardware with encryption ca-

13 pabilities if the Secretary determines that a product

14 offering comparable security is commercially avail-

15 able outside the United States from a foreign sup-

16 plier, without effective restrictions.

17 "(5) Definitions. — ^As used in this sub-

18 section —

19 "(A) the term 'encryption' means the

20 scrambling of wire or electronic information

21 using mathematical formulas or algorithms in

22 order to preserve the confidentiality, integrity,

23 or authenticity of, and prevent unauthorized re-

24 cipients from accessing or altering, such infor-

25 mation;

•HR 3011 IH



10



8

1 "(B) the term 'generally available' means,

2 in the ^ase of software (including software with

3 encryption capabilities), software that is offered

4 for sale, license, or transfer to any person with-

5 out restriction, whether or not for consider-

6 ation, including, but not limited to, over-the-

7 counter retail sales, mail order transactions,

8 phone order transactions, electronic distribu-

9 tion, or sale on approval;

10 "(C) the term 'as is' means, in the case of

11 software (including software with encryption ca-

12 pabilities), a software program that is not de-

13 signed, developed, or tailored by the soft^vare

14 publisher for specific purchasers, except that

15 such purchasers may supply certain installation

16 parameters needed by the software program to

17 function properly with the purchaser's system

18 and may customize the software program by

19 choosing among options contained in the soft-

20 ware program;

21 "(D) the term 'is designed for installation

22 by the purchaser' means, in the case of soft-

23 ware (including software with encryption capa-

24 bilities) that —



•HR 3011 IH



11



9

1 "(i) the software publisher intends for

2 the purchaser (including any licensee or

3 transferee), who may not be the actual

4 program user, to install the software pro-

5 gram on a computing device and has sup-

6 plied the necessary instructions to do so,

7 except that the publisher may also provide

8 telephone help line services for software in-

9 stallation, electronic transmission, or basic

10 operations; and

11 "(ii) the software program is designed

12 for installation by the purchaser without

13 further substantial support by the supplier;

14 "(E) the term 'computing device' means a

15 device which incorporates one or more

16 microprocessor-based central processing units

17 that can accept, store, process, or provide out-

18 put of data; and

19 "(F) the term 'computer hardware', when

20 used in conjunction with information security,

21 includes, but is not limited to, computer sys-

22 tems, equipment, application-specific assem-

23 blies, modules, and integrated circuits.".

24 (b) Continuation of Export Administration

25 Act. — For purposes of carrying out the amendment made

•HR 3011 IH



12

10

1 by subsection (a), the Export Administration Act of 1979

2 shall be deemed to be in effect.

O



•HR 3011 IH



13

Mr. Hyde. Now we have a number of excellent witnesses with us
today, and I look forward to hearing from them.
[The opening statement of Mr. Hyde follows:]

Opening Statement of Hon. Henry J. Hyde, a Representative in Congress
From the State of Illinois, and Chairman, Committee on the Judiciary

Today the Committee considers H.R. 3011, the "Security and Freedom Through
Encryption Act."

Encrjrption is the process of encoding data or communications in: a form that only
the intended recipient can understand. Once the exclusive domain of the national
security agencies, encryption has become increasingly important to persons and
companies in the private sector — ^for example, to protect intellectual property and
other forms of proprietary information that are stored and transmitted in digital for-
mats.

The encrjrption debate encompasses two main issues. The first is whether there
should be any restrictions on the domestic use and sale of encryption technology,
and in particular, whether domestic users must place their keys in escrow with the
government or some neutral third party. Current law does not have any such re-
strictions.

The second issue is whether there should be restrictions on the export of
encrjTJtion technology. Current law regulates the export of encryption technology in
the same manner as military technology. To date, the State Department has gen-
erally only allowed the export of relatively weak encryption technology.

With respect to the domestic use of encr3T)tion, the Administration generally fa-
vors a key escrow system, and its representatives will explain more about this pro-
posal shortly. The law enforcement and national security agencies believe that a key
escrow system is necessary to maintain their ability to perform lawful wiretaps and
to read computer data obtained through lawful means.

The computer industry, the larger business community, and privacy groups op-
pose any mandatory key escrow system. They believe that a mandatory system
would unnecessarily invade the privacy of users and that law enforcement can solve
its problems by acquiring better technology to decode encrypted materials. They
argue that the benefits of preventing crime through the widespread use of
encryption outweigh any harm to law enforcement caused by that use.

With respect to the export control issue, the Administration has to date generally
opposed the Ufting of the current export controls. It argues that the controls are stiU
effective and that our allies would be distressed about the damage to law enforce-
ment efforts if we lifted the controls.

The computer industry and the privacy groups argue that the controls ought to
be substantially relaxed, if not eliminated. They argue that the controls are easily
evaded because many encryption products are already available to anyone over the
Internet and because it is legal for anyone to come into the United States, buy
encryption products, and take them out of the country. If the situation does not
change, they beUeve that Americans will no longer dominate this field.

We have a niunber of excellent witnesses with us today, and I look forward to
hearing fi-om all of them. I will now recognize Mr. Conyers for an opening state-
ment. If other members have opening statements, they will be placed in the record.
We have a number of witnesses this morning, so your cooperation in moving the
hearing along is appreciated.

Mr. Hyde. I now recognize Mr, Conyers. Does Mr. Conyers — ^you
will have an opening statement?

Ms. LOFGREN. Yes, Mr. Chairman.

Mr. Hyde. All right. I'll recognize the gentlelady from California,
Ms. Lofgren, for an opening statement, and if other members have
opening statements, they will be placed in the record. We have a
number of witnesses this morning, so your cooperation in moving
the hearing along is appreciated. The Chair recognizes the
gentlelady from California, Ms. Lofgren.

Ms. Lofgren. Thank you, Mr. Chairman. I do have a written
statement for the hearing record, but I would like to say, first, a
"thanks" to the committee for having this hearing today.



14

This is an issue that, I think, is enormously important to the eco-
nomic well-being of the United States and, unfortunately, too much
of the discussion has been held behind closed doors when really it
needs to be discussed publicly, as the NRC Report delivered earlier
this year indicated. I'd like to also give credit to Congressman
Goodlatte for his leadership in introducing the bill, which I am a
proud cosponsor of, and just say that I hope this is the beginning
of changing a very wrong-headed policy.

This can be done administratively, if possible legislatively, if re-
quired. But what we are doing now as a Nation is clearly not work-
able, and I say that not with disdain for the legitimate hopes and
responsibilities of law enforcement, which has an important job to
do for our country, but just in recognition of the market conditions
that really will overwhelm the issues that I think law enforcement
is really concerned about.

For us to control beyond DES, when triple-DES, is coming
throughout the Nation, for us to cripple our domestic producers of
encryption when IDEA-based encryption is available for free to any
person who has Internet access through Pretty Good Privacy, I
think is rather ludicrous. I think we would be well-advised for our


1 3 4 5 6 7 8 9 10 11 12 13 14 15

Online LibraryUnited States. Congress. House. Committee on the JSecurity and Freedom through Encryption (SAFE) Act : hearing before the Committee on the Judiciary, House of Representatives, One Hundred Fourth Congress, second session, on H.R. 3011 ... September 25, 1996 → online text (page 1 of 15)