5 October 2001. Thanks to Jason Mahler, CCIA.

This responds to remarks made by Senator Gregg on September 13, 2001:

http://cryptome.org/gregg091301.txt


October 4, 2001

Senator Judd Gregg
393 Russell Senate Office Building
Washington, DC 20510

Dear Senator Gregg:

On behalf of the Computer & Communications Industry Association (CCIA), I would like to express our serious concern with your proposal to roll back important reforms in U.S. encryption policy, and implement unprecedented government controls on technology and computer networks. CCIA is an international, nonprofit association of computer and communications industry firms, representing a broad cross-section of the industry. CCIA is dedicated to preserving full, free and open competition throughout its industry. Our members employ over a half-million workers and generate annual revenues in excess of $300 billion. Like all Americans, we are devastated by the events of September 11th, but we do not believe that new government restrictions on technology are the solution to preventing future terrorist attacks or protecting our national security.

As you are aware, the Commerce Department, in consultation with the Departments of Justice, Defense, and State, took steps early last year to relax restrictions on the export of encryption products, effectively ending government efforts to control this widespread and critical technology. In implementing these reforms, Commerce Secretary Daley stated the new policy "helps business and promotes e-commerce by adjusting our regulations to marketplace realities that U.S. companies face when they try to sell their products overseas. We've also worked very hard to address privacy concerns and to ensure that our law enforcement and national security concerns are met."

Government controls on encryption and mandatory key escrow would do very little to prevent terrorism or protect our national security, and there is no evidence that your proposal would have even a negligible impact in anti-terrorism efforts. Furthermore, this legislation would be extremely counterproductive to our industry's efforts to promote a healthy, competitive, global economy as well as ensuring secure, authenticated, trusted communications and digital asset protection in the global business environment.

The arguments against the approach you have suggested are numerous, but we would like to highlight a few important points:

1. The purpose of encryption technology is to authenticate users – to authenticate that they are who they say they are and ensure that only authorized users gain access to that network. The trade-off with implementing a mandatory "back door" policy is that by requiring such a "back door," you are essentially making available a new point of vulnerability for any computer network, exposing it to unwanted and un-authenticated users, and an entirely new magnitude of threats to network security;

2. The impact of a mandatory key escrow regime on criminals or terrorists is minuscule, particularly when compared to the vulnerability exposed due to the implementation of this "back door." Criminals and terrorists will obviously not adopt key escrow or key recovery systems and will not make their keys available to government authorities. The risks associated with this potential vulnerability are far greater than the suggested impact of implementing such a policy;

3. It is illogical to assert that because terrorists are now known to use encryption, there is a sufficient basis to require all law-abiding citizens to employ key escrow or key recovery and to prevent the export of strong encryption. Illicit use of encryption technology should not be the basis for weakening the security of all public and private networks. Access to encryption technology is nearly ubiquitous, and the expertise required to employ the technology is minimal. Encryption, or more precisely "cryptography," is in essence a form of mathematics, and government control of mathematics or any academic discipline is contrary to our Nation's basic principles and ultimately futile;

4. The complexity and costs of establishing the key escrow scheme that your proposal envisions are staggering. A group of America's foremost computer security and cryptography experts have analyzed the problems presented in creating the infrastructure necessary to accommodate the requirements of a mandatory key escrow or key recovery system, and determined that it is "far beyond the experience and current competency of the field." Setting aside the logistical and technical obstacles, they determined that such a system -- if possible to create -- would be staggeringly expensive. (For more information, go to www.cdt.org/crypto/risks98);

5. The role that encryption technology plays in safeguarding our public and private networks should not be underestimated. According to an InformationWeek research survey of 500 business-technology professionals published last month and conducted in conjunction with the President's Export Council Subcommittee on Encryption in the weeks before the attacks, almost half the companies queried encrypt stored and transmitted data, most often financial and personnel files and high-level executive correspondence. Of the companies using encryption, 71% say they're highly committed to it. (For more survey results, go to www.informationweek.com/857/encryption.htm)

6. Finally, CCIA highlights that government regulation of technologies such as encryption that help to protect individual privacy may also be contrary to the spirit of international laws and norms that recognize privacy as a fundamental human right. Article 12 of the Universal Declaration of Human Rights, Article 17 of the International Covenant on Civil and Political Rights, as well as other international agreements and national laws, make clear the importance of privacy protection for human freedom and civil society. In the many nations that suppress free expression and political dissent, the use of encryption is often the only method by which dissidents can communicate with each other and with the outside world. We are concerned that by mandating government access to all encrypted communications, your proposal creates far more potential for civil rights abuse than can be demonstrably justified by terrorism surveillance needs.

We do not suggest that there is nothing that our industry can do to assist law enforcement in confronting the danger posed by terrorism and other threats to our national security. A major advantage unique to the U.S. is the dominance of our technology in world markets. By maintaining our lead in these critical fields of research and innovation, we can provide our law enforcement and intelligence agencies with access to the best tools and foremost intellects in these areas. We will also ensure that the manufacturers of most encryption products and other sensitive technology are more likely to be American companies. Applying additional funds for research in encryption, computer security, and related fields would help the United States remain a step ahead of the rest of the world in counter-intelligence, as well as promote our national economic interests.

Thank you for the opportunity to share our concerns with you on this important matter. Please do not hesitate to contact me if I can be of further assistance.

Sincerely,

Ed Black
President and CEO

cc: Senator Ernest F. Hollings, Chairman, Senate Commerce, Justice, State and the Judiciary Appropriations Subcommittee

Members, House and Senate Commerce, Justice, State and the Judiciary Appropriations Subcommittee

Senator Thomas A. Daschle
Senator Trent Lott
The Honorable Dennis J. Hastert
The Honorable Richard A. Gephardt