Bureau of Industry and Security
U.S. Department of Commerce
Where Industry and Security Intersect
What's New | Sitemap | Search

Contact:
BIS Public Affairs
(202) 482-2721

Testimony of Honorable William A. Reinsch
Under Secretary for Export Administration

Before the Subcommittee on International Economic Policy and Trade
House Committee on International Relations
Administration Encryption Policy
May 8, 1997

Much has happened since encryption was debated during the 104th Congress. The President has decided on an encryption policy, and we are well on our way to implementing it. It balances all of the competing interests in this issue: privacy, electronic commerce, law enforcement, and national security.

Making strong commercial encryption widely available is in the best interest of the United States. Indeed, it is inevitable, as powerful computers and advanced telecommunications rapidly lead to the creation of broad electronic networks which will form the basis for communication and commerce in the future. The ability to encrypt electronic messages and data will be essential for electronic commerce and for the full development of information technology. Businesses and individuals need encrypted products to protect sensitive commercial information and to preserve privacy, and their demand for those products will further facilitate the spread of encryption.

This trend is also economically desirable. Protecting the confidentiality of business information will reduce losses from fraud and industrial espionage. Perhaps more important, we are the world's leading producer of information technology with almost half the world's producers and roughly half their revenues coming from exports. And we want to keep it that way.

To retain this leading position and the jobs it produces, we must ensure our producers' continued ability to maintain foreign market share. Our companies must be able to meet the growing demand for products with strong encryption. If they do not, foreign firms will step in to fill the void. The United States cannot allow its encryption policy to become a point of vulnerability for this vital industrial sector. We must shape our export control policies to allow American companies to take advantage of their strengths in information technology in their pursuit of global markets.

But the increased use of encryption carries with it serious risks for public safety and our national security. Any policy on encryption must address these risks as well if it is to be in the national interest. Our policy provides that balance, by working in close consultation with the private sector and by working with the market, not against it.

The Administration's Policy The President's policy of balance is based on trying to promote key recovery in the marketplace. By "key recovery" I refer to a range of technologies, some in existence, some under development, some still being conceived, designed to permit the plaintext recovery of encrypted data or communications. There has been a tendency in this debate to construe this term and others as narrowly focussed on a single technology, and I want to make clear that is not our intent. We expect the market to make those judgments. In order to facilitate the development and dissemination of these products, we have taken the following steps:

• On December 30, 1996, we published new regulations that transferred the licensing of commercial encryption products from the Department of State's Munitions List to the Department of Commerce's Dual-Use list. This change of jurisdiction emphasized the Administration's decision that strong encryption is not something to be used primarily by governments or military forces, but will become an accepted part of normal commercial activity.

• The new regulations set forth several procedures which support the development of a key management infrastructure. The most important of these is the creation of a license exemption which would allow recoverable encryption products of any strength and key length to be exported freely after a single review by Commerce, Justice and the Department of Defense.

• We have also expanded the definition of products eligible for this key recovery license exemption to include not only "key escrow" systems, which use a trusted third party, but also other systems which allow for recovery of the keys or plaintext. This means that we have gone beyond a simple prescription for key escrow and trusted third parties as the solution to all encryption needs.

• The new regulations also allow for self-escrow and escrowing of keys overseas in certain circumstances, which will make key recovery products more attractive in export markets. Since the establishment of a key management infrastructure may take some time, the regulations make explicit that we will consider requests for self escrow and escrowing overseas even before there are government agreements on access or an established network of recovery agents in place.

• To encourage the development of recoverable encryption products, we have also created a special, two year liberalization period during which companies may export 56 bit DES or equivalent products, provided they submit plans and show that they are working to develop the key management infrastructure envisioned by the Administration. This temporary relief will help provide an incentive and a transition period for manufacturers to move to Key Management Infrastructure.

• To help create standards which will guide the Federal Government in its own key management efforts, the National Institute of Standards and Technology has formed an industry advisory committee to develop requirements and standards for key recovery. We have invited representatives of foreign governments to attend meetings of this advisory committee, which has met twice, to help ensure coordination and compatibility on a multilateral basis.

• In addition, we have continued discussions with our major trading partners on a common approach to encryption policy and encryption exports. To head this effort, the President appointed David Aaron, our Ambassador to the Organization for Economic Cooperation and Development as his Special Envoy on Encryption. We have found that these countries share many of our concerns, and a number of them have begun their own pilot key recovery programs.

• We asked for public comments on this new regulation. We received 43. They are posted on BXA's web site for all to review. Some are critical, but many are very helpful. Perhaps a better gauge of industry response has been the flow of applications since the change in policy. In the first two months we have received close to 700 license applications for exports valued at almost $800 million. Twenty four companies have submitted commitment plans which lay out how they will build and market key recovery products, and we know that others are preparing them. These companies include some of the largest software and hardware manufacturers in the country. We have approved twelve of these plans, and we expect to approve more very shortly. None have been rejected.

The flow of licenses and the company commitment plans tell us our policy is working. That said, we intend to amend our regulations in the near future to reflect the many helpful comments we received from industry. We want to make sure that our efforts to regulate the export of recoverable encryption are compatible with the larger structure for electronic commerce now beginning to take shape.

We have also supported the development of ten pilot projects designed to demonstrate key recovery in such diverse applications as processing electronic grants and sharing internationsl patent applications. I have with me a description of those projects, and I would request that it be included in the record.

In light of the comments we received we are amending our export regulations for encryption, to make the process at Commerce more responsive, to continue the treatment of encryption technology found previously at the Department of State, to clarify the personal use exemption, for people taking laptops with encryption out of the U.S. exporters.

Next Steps

The Administration has stated on numerous occasions that we do not support mandatory key escrow or key recovery. Our objective is to enable the development and establishment of a voluntary key management system for public-key based encryption. We believe the Administration's policy is succeeding in bringing key recovery products to the marketplace. Our attention is now turning toward how we can best facilitate the development of the key management infrastructure that will support those products. To that end, we support legislation intended to do the following:

• Expressly confirm the freedom of domestic users to choose any type or strength of encryption.

• Explicitly state that participation in the key management infrastructure is voluntary.

• Set forth legal conditions for the release of recovery information to law enforcement officials pursuant to lawful authority and provide liability protection for key recovery agents who have properly released such information.

• Criminalize the misuse of keys and the use of encryption to further a crime.

• Offer, on a voluntary basis, firms that are in the business of providing public cryptography keys the opportunity to obtain government recognition, allowing them to market the trustworthiness implied by government approval.

In reviewing H.R. 695, let me first say that we welcome a continuing dialogue with Mr. Goodlatte and others interested in this subject to see if we can reach a common view. At the same time, I must tell you that legislation such as H.R. 695 would not be helpful, and the Administration cannot support it. The bill has a number of provisions we can support, but it proposes export liberalization far beyond what the Administration can entertain and which would be contrary to our international export control obligations. We are sympathetic to some aspects of H.R. 695, such as penalties for unlawful use of encryption and access to encrypted information for law enforcement purposes, but the bill does not provide the balanced approach we are seeking and as a result would unnecessarily sacrifice our law enforcement and national security needs. I defer to other witnesses to describe the impact of the bill on law enforcement, but let me describe a few of its other problems.

The bill appears to decontrol even the strongest encryption products, thus severely limiting government review of highly sensitive transactions. The Administration has a long-standing policy that the risks to national security and law enforcement which could arise from widespread decontrol of encryption justify continued restrictions on exports.

In addition, whether intended or not, we believe the bill as drafted would inhibit the development of key recovery even as an option. The Administration has repeatedly stated that it does not support mandatory key recovery, but we most certainly endorse and encourage development of voluntary key recovery systems, and we see a strong and growing demand for them that we do not want to cut off.

As I have said on many occasions, encryption is one of the most difficult issues in public policy today, but we are committed to making progress in cooperation with industry, the law enforcement community, and the Congress in a way that reinforces market principles and achieves our diverse goals. We hope that you will work with us to facilitate that process by passing the legislation we are proposing.

Note

In April of 2002 the Bureau of Export Administration (BXA) changed its name to the Bureau of Industry and Security(BIS). For historical purposes we have not changed the references to BXA in the legacy documents found in the Archived Press and Public Information.

  

                          

 

---

FOIA | Disclaimer | Privacy Policy Statement | Information Quality
Department of Commerce | Contact Us