13 October 1998
Source: http://www.usia.gov/current/news/latest/98101306.clt.html?/products/washfile/newsitem.shtml

Thanks to JM


USIS Washington File
_________________________________

13 October 1998

TEXT: AARON SAYS ENCRYPTION PROTECTS PRIVACY, COMMERCE

(Balance must be struck to protect business, society)  (2740)

Washington -- David Aaron, U.S. undersecretary of commerce for
international trade, says a balance is needed with strong encryption
software so that both electronic commerce and civil society get the
protection they need.

Aaron said the balance must be struck so that law enforcement agencies
will be able to carry out court-authorized surveillance to combat
terrorists, drug traffickers, child pornographers, and other
criminals.

"We believe the answer lies in cryptographic systems that provide
trustworthy security services along with lawful access," Aaron said.
"By lawful access, I refer to a range of technologies designed to
permit the plain text recovery of encrypted data and communications
under a court order or other lawful means that safeguards civil
liberties."

He said the United States is not wedded to a single approach. He said
the approach is to be found in an industry-led, market-based solution
to helping law enforcement.

He delivered the remarks to a Federation of German Chambers of
Industry and Commerce luncheon in Bonn, Germany, October 13. A copy of
the text was made available in Washington.

Following is the text of Aaron's remarks as prepared for delivery:

(begin text)

Federation of German Chambers of Industry and Commerce Luncheon
Prepared Remarks for David L. Aaron, U.S. Under Secretary of Commerce
for
International Trade
October 13, 1998

"The Truth about U.S. Encryption Policy"

Thank you for the opportunity to meet with you today. My remarks will
focus on encryption, which is an essential part of the future of
electronic commerce. I want to tell the "truth" about US encryption
policy because over the last few months in Germany, there have been a
discouraging number of distortions and misrepresentations of our
policy placed on the public record. Some of them attack the integrity
of the United States government. It is particularly sad and surprising
to hear such things from officials of a country with whom we have the
closest friendship and alliance. These assertions must be corrected
before they have a negative effect on our bilateral relationship.

I have read the speeches from German government officials and
politicians that you have heard. I have read the same headlines that
you have read. "U.S. encryption policy is an attempt to dominate the
global encryption market." "Keys to U.S. encryption products in
Germany must be deposited within the U.S." "Key recovery products
provide a back-door for U.S. intelligence services." "U.S. encryption
products violate German laws." All of these assertions are untrue.

I am here today to tell you the truth so that you can decide for
yourselves what products to use to protect your privacy, to secure
your electronic transactions, and to save your valuable business
records. I would like to begin with a brief description of our policy,
the reasons for it, and then answer these specific charges in detail.

U.S. Encryption Policy

As U.S. Special Envoy for Cryptography, I've had the pleasure of
meeting with a large number of U.S. and foreign industry leaders. They
have all impressed upon me the crucial importance of robust encryption
for the future of their enterprises and to safeguard electronic
commerce. The U.S. government agrees that strong encryption to protect
privacy, and commerce, is a must.

But strong encryption also poses serious dangers for public safety.
Law enforcement's use of electronic surveillance is and has been an
essential tool in terrorism cases and many criminal investigations.
Encryption threatens to take this tool away -- not only preventing
court-authorized surveillance but also more frequent lawful searches
and seizures of computers and their files.

Already our U.S. Justice Department and drug enforcement agencies have
encountered important examples of instances where encryption has been
used by terrorists, drug traffickers, child pornographers, and other
criminals. For example, Ramzi Yousef, a key figure in the World Trade
Center bombing and an employee of Osama Bin Laden, used encryption to
conceal his plans to blow-up 11 U.S. airliners in Southeast Asia.

We expect the criminal use of unbreakable encryption to increase as it
becomes widely available and easy to use. For a country like Germany
which is the target of foreign mafias and has been the site of
numerous terrorist incidents, the elimination of any possible use of
lawful police surveillance poses obvious dangers.

Clearly, a balance must be struck between the needs of businesses and
consumers and the protection of society as a whole. What is the
answer? We believe the answer lies in cryptographic systems that
provide trustworthy security services along with lawful access. By
lawful access, I refer to a range of technologies designed to permit
the plain text recovery of encrypted data and communications under a
court order or other lawful means that safeguards civil liberties.

We are not wedded to any single technology approach. Key management
infrastructures, key recovery and other recoverable products that
provide lawful access are some of the ways to achieve a reasonable
balance. We believe that seeking industry-led, market-based solutions
is the best approach to helping law enforcement.

To promote such cooperation, last March, Vice President Gore called
for an intensive dialogue between the government and U.S. industry,
the law enforcement community, and privacy groups. This dialogue has
been productive, resulting in a number of policy refinements which
will benefit all involved, including foreign companies interested in
purchasing strong U.S. encryption.

In September, we announced the following steps:

Encryption of any strength, with any key length, with or without key
recovery, will now be permitted for export, under license exception,
to several sectors, including banking, insurance, health and medical
organizations, and on-line merchants, in Western Europe, Japan and
Australia. Export to end-users or destinations outside this will be
considered on a case-by-case basis. The new guidelines will also allow
encryption hardware and software products with an encryption strength
up to 56-bit DES or equivalent to be exported without a license to all
users outside the seven terrorist countries (Iran, Iraq, Libya, Syria,
Sudan, North Korea, and Cuba). Under the new guidelines, these DES
products are not required to have key recovery.

To assist law enforcement, we will continue to promote the development
of key recovery products by easing our regulatory requirements for
such products.

Our policy of encouraging this market is clearly working; both U.S.
and foreign companies are developing key recovery and recoverable
products in response to customer demand. For example, no company wants
to have its files locked up permanently by a disgruntled employee.

In this connection, exporters will no longer need to name nor or
submit additional information on the reliability of a key recovery
agent prior to export. So if you want a U.S. key recovery product, and
decide to use that feature, we don't want to know, nor do we care, who
you chose as your key recovery agent.

Our policy on key recovery is clear. It is not key escrow. We are not
saying, nor have we ever said, that everyone has to escrow their keys
with the U.S. government or that they even have to escrow keys with a
third party. We are not saying that keys must be held in the U.S.

This has always been true despite contrary assertions by some German
officials. In fact, we have approved a number of exports where foreign
users, some here in Germany, are carrying out self-escrow -- that is,
they hold their own recoverable keys. Our recent step to eliminate the
review of key recovery agents should erase any conceivable
misunderstanding by your government officials.

Finally, we will also support the export of products which we have
come to refer to as "recovery capable" or "recoverable." These are
products that deal with the development of local or wide area networks
and the transmission of e-mail and other data over networks. These
so-called "recoverable" products allow for recovery of plain text by a
systems or network administrator without the cooperation of the user.

We will permit the export of these products to commercial firms in
most major countries, including Western Europe, Japan and Australia,
for their internal business use. Germany is obviously included in this
group.

What does all this mean? It means that it is up to each foreign
government to decide its own policy on lawful access, key recovery and
the like. And each foreign company using U.S. encryption products can
do what it likes within those laws.

This does not mean we will cease promoting crypto that provides lawful
access - particularly at home but also abroad. Aside from export
controls, we will continue to use government purchasing power. The
U.S. government will use strong encryption with key recovery for its
own internal communications and with the public.

To standardize government purchases, the Department of Commerce has
convened a technical, industry advisory committee to develop a Federal
standard for key recovery which should be completed soon.

We have successfully demonstrated the practicality of key recovery
through ten U.S. Government pilot projects. We now plan to bring some
of these pilots to production. For example, one pilot project involves
the electronic filing of patent applications over the Internet with
the U.S. Patent and Trademark Office, incorporating digital signature
and encryption. We also are considering new pilots projects.

Balancing the competing needs of commerce, privacy and public safety
has been no simple task. As we move forward with this policy, we plan
to continue working closely with all of the stakeholders: industry,
Congress, law enforcement, privacy groups and the national security
community to constantly assess and reassess the effectiveness of our
actions in this changing medium. We will also continue to consult
closely with foreign governments so as to encourage the growth of
secure global electronic commerce without jeopardizing our struggle
against international terrorism and crime.

Deconstructing the Myths

Against this backdrop, I would like to spend a few minutes
deconstructing some of those myths you have been hearing about our
policy. To be frank, I find some of these statements not only false,
but difficult to understand. Perhaps it is all a misunderstanding, but
we have engaged in an extensive dialogue with German government
officials for more than two years; my colleagues and I have met with
German officials and industry on numerous occasions to discuss our
policy and answer your questions. We have gone to great lengths to
ensure transparency and understanding of our policy. This message has
been communicated not only at the working level, but at the highest
levels of the German government. We stand ready to continue this
dialogue.

So while the reasons for these latest statements are hard to fathom, I
will continue to try to make our position understood. Our relationship
is too important, too productive to allow these misrepresentations to
poison the waters. During my visit, I will be meeting with German and
U.S. industry, individuals who may be part of the new government, and
the press, in an ongoing effort to dispel these myths.

Myth No. 1: "U.S. encryption policy is an attempt to dominate the
global encryption market."

This is a criticism I have heard often. Think about it for a minute.
If it were true, we would simply drop our export controls and open the
floodgates. All one has to do is read some of the websites of our
encryption producers or trade publications like Wired magazine to see
that U.S. producers believe that we are seriously disadvantaging them
in the world market.

The U.S. software industry feels particularly handicapped by the fact
that they are not permitted to freely export 128 bit encryption as are
some of their competitors. As a matter of fact, a number of foreign
firms, some based in Germany, have used U.S. encryption export
controls, as part of their marketing campaigns. So this charge is
simply ludicrous on its face.

Myth No. 2: "Keys to US encryption products in Germany must be
deposited within the US."

One of the principal, and surprising, criticisms is that the primary
objective of U.S. encryption policy is to make the U.S. the repository
for all encryption keys. As I have repeatedly told German officials
and have said here today, nothing could be further from the truth. Our
export regulations explicitly allow for key recovery agents abroad and
self-escrow of keys by companies and users.

Myth No. 3: "The U.S. supports key recovery products to give a
back-door for US intelligence services."

This is closely related to the previous charge and is particularly
offensive. Let me say it again, the U.S. government has not and does
not require that keys be held in the US for access by the U.S.
government. As I mentioned earlier, one of the recent updates to our
policy is the elimination of any type of U.S. government review of key
recovery agents. We have instead decided that other governments can
decide whether their key recovery agents, if they have any, are
reliable.

That was the only reason we wanted such a review in the first place.
Anyone who continues to make such an accusation ought to come forward
with some evidence to back up the charge. Otherwise it will be hard to
escape the conclusion that this is being done for commercial
advantage.

Myth No. 4:  "U.S. encryption products violate German laws."

Frankly, this one continues to mystify me. The Bundestag's Enquete
Commission recently issued a report contending that U.S. regulations
may conflict with German laws such as the Basic Law, the Penal Code,
the Federal Data Protection Act and the Telecommunications Act.
However, no evidence or argument was presented to support this claim.

Certainly it is not our intention to break German laws. Indeed it is
difficult to imagine how this could be the case given the flexibility
of our policy. As I have just explained, but will repeat as often as
necessary, the U.S. government has not and does not require that keys
be held in the U.S. for access by the U.S. government -- if this is
the concern.

As for keys held abroad, who holds the keys is up to the customer or
user and the relevant foreign government. As is the case in any
criminal investigation involving our two countries, U.S. law
enforcement will work with German law enforcement under existing
bilateral arrangements to exchange evidence and information including
possibly keys or access to plain text but only to the extent that the
German government approves.

The Need for International Cooperation

It is clear that no widely used encryption systems, nor any successful
national policy, will be possible without international cooperation.
As U.S. Special Envoy, my goal is an international consensus on the
development of key management and recovery framework that will foster
robust and dependable security for the global information
infrastructure while protecting public safety and national security.
Three key issues for cooperation are emerging: the need for harmonized
export control policies, the development of compatible infrastructures
and the need for law enforcement cooperation. These are the real
issues we need to address, not the myths. We plan to continue to work
with your government, in the appropriate international fora, as we
move forward.

German-American cooperation and understanding have been crucial to
dealing with a host of post-cold war dangers, from proliferation of
weapons of mass destruction to fighting terrorism and crime. Lawful
access to encryption is an essential element in this struggle. This is
not to say that there is no room for honest differences between our
two countries on encryption. And certainly Germany has the right to
develop its own policy - indeed U.S. policy specifically takes this
into account.

But it is time we put behind us the erroneous myths and suspicions
that have confounded our cooperation in this area. I am confident that
if we focus on the facts both the tenor and the strengths of our
traditional cooperation can be restored.

I would be happy to answer any questions you might have.

(end text)