5 September 1997
Source: Declan McCullagh

-------------------------------------------------------------------

---------- Forwarded message ----------

SENATE JUDICIARY COMMITTEE
TERRORISM, TECHNOLOGY & GOVERNMENT INFORMATION SUBCOMMITTEE
CHAIR: SENATOR JON KYL (R-AZ)
TESTIFYING: FBI DIRECTOR LOUIS FREEH
226 DIRKSEN SENATE OFFICE BUILDING
WEDNESDAY, SEPTEMBER 3, 1997, 2 PM

SEN. KYL: The conferences are just coming to a close. As a result, I am informed that the ranking member, Senator Feinstein, will be here very shortly; and when she arrives, we'll give her the opportunity to make a statement. So we should expect other members shortly. But in view of the agenda that we have, the number of witnesses we want to hear from today, I'd like to begin the hearing at this time. The purpose of this hearing is to explore how encryption is affecting the way that we deal with criminals, terrorists and the security needs of our businesses. Our subcommittee, which has the responsibility for technology, terrorism and government information, is a fitting focal point for an in-depth examination of the ramifications of encryption for public safety and national security. Three panels of distinguished witnesses will share their views on these topics. In panel one we will hear from the director of the Federal Bureau of Investigation on the use of encryption by criminals, terrorists and spies and the impact of the usage on law enforcement. In panel two we'll learn the results of a recent study and some real-life examples of how criminals and terrorists are using encryption in an attempt to thwart law enforcement efforts. The last panel will offer insights from industry on their specific security concerns. The United States is leading the world into the information age, an age in which information rather than industrial mechanics will likely be a dominant commodity. As the U.S.
information-based economy has become more efficient via the use of computing and communication technologies, our society has become increasingly vulnerable because of our dependency on the available and predictable operation of these technologies. Encryption has the potential to limit the risks that these dependencies have introduced. But if used unwisely it also has the potential to undermine the responsibilities that Congress and the Constitution give to our nation's law enforcement and national security agencies. So the issue that I would like to address today is how to get the good encryption widely used without allowing it to be used against society. If we do not address the encryption issue from this perspective, we will wind up increasing the risks to our economy, citizens and national security rather than decreasing them. There have been other hearings held earlier this year on the encryption topic which have looked at important questions of commerce and privacy and export control policy. When I examine what has been said to date and what had been proposed in some encryption bills, I was struck by the fact that some of these efforts seem to be addressing this as a zero-sum game: privacy versus public safety, industry versus government. Too often I've seen the encryption issue mischaracterized as one that is about enabling encryption exporters to increase profits overseas. I am offended by the notion that public safety should have to take a back seat to short-term corporate opportunity; and so are the great majority of leaders in the business community. In fact, I suspect that there is a broader community of interests we share as Americans that rests on the need to maximize all of these goals. I think that it's fair to say that just about everyone here in this room will benefit to some degree from the government's ability to deal with encryption used by criminals and terrorists. 
Law enforcement is already beginning to encounter the harmful effects of encryption. For example, the masterminds of the World Trade Center bombing were also plotting to blow up 11 U.S.-owned airliners. Data regarding this terrorist plan was found in encrypted computer files found after the arrest of these terrorists, and their destructive plan was never carried out. Such counterculture use of encryption is not limited to international terrorists. Child pornographers for example are using encryption to hide pornographic images of children that they transmit across the Internet. With the explosive impact of the Internet and computers, we can only expect more cases like that -- like this. And that's one reason why I sponsored an amendment last year that became law with the Economic Espionage Act, requiring the United States Sentencing Commission to begin reporting to Congress this year on the use of encryption to facilitate or conceal criminal conduct. I will be very interested in seeing the results of that report, as I am sure my colleagues are as well. The law enforcement community -- locally, nationally and abroad -- is extremely concerned about this serious threat posed by the use of encryption by violent criminals, terrorists, child pornographers, drug traffickers and the like since it will prevent them from performing their public safety responsibilities. On another score, corporate security managers need to protect corporate information and communications systems against industrial espionage, and are increasingly turning to encryption as part of the answer. At the same time they are concerned about the security of their personnel and facilities in the face of criminal and terrorist threats. Not to be overlooked is the concern that rogue employees could use encryption as an electronic shredder and hold companies hostage by encrypting corporate information and withholding the encryption key.
Finally, our government has long used encryption to protect vital government information systems. In an era of information warfare, protecting the nation's critical infrastructures against terrorists and other threats will require the strategic use of encryption and other protective measures. This subcommittee will have the opportunity to hear more about this from the director of central intelligence, who has offered to meet with us in closed session at a later date. In light of these vital concerns, we need to stay focused on the goal that I defined moments ago. That is, how to get good encryption widely used without allowing it to be used against society. I believe that we can and must define such a balanced encryption policy so that our citizens and businesses will continue to thrive as we enter the information age, and I hope that our hearing today will be a step in that direction. Before I introduce our first witness, since Senator Feinstein is not here, Senator Leahy, would you like to make any comments before we begin?

SEN. PATRICK LEAHY (D-VT): I do have a few, if I might, Mr. Chairman. And I put my full statement in the record. But I commend you and Senator Feinstein for holding this hearing, because there is a double-edged sword when you come to encryption, and you reflect that -- it has both good and bad use, and we have to figure out how we keep the good and get rid of the bad. We have the U.S. working group -- they're -- a report by Dorothy Denning and William Baugh on behalf of the U.S. Working Group on Organized Crime, concludes that no one approach to encryption will be foolproof. And I think one of the problems has been everybody has looked for a foolproof approach, and there is none. We're all worried about what happens when the criminals use encryption to thwart police surveillance, or if you have the spies or the terrorist group that you referred to -- not only here but other places -- that is a concern.
And the working group I think estimates a somewhere from 50 to 100 percent increase in the future of criminal groups using encryption. This is all extremely unnerving in one way. But I think if you maintain export restrictions on strong encryption technology you are not going to have an answer by doing that. The working group said that export controls do not keep unbreakable encryption out of the hands of criminals entirely. Export controls simply make the privacy and valuable proprietary information of Americans and American businesses more vulnerable to on-line theft and economic espionage and other crimes. The National Research Council's CRISIS report recommended relaxation of export controls. Encryption we know is an effective method for promoting intellectual property. Senator Kyl and I are concerned about software piracy and have sponsored legislation, the Criminal Copyright Improvement Act, S. 1044, to address the problem of large-scale wilful copyright infringements on the Internet. But if you encrypt copyright software so that only the legitimate users get access, that's one way you combat that intellectual piracy. But if you mandate, even coerce, the use of key recovery encryption, that is not the solution. The working group report points out that key recovery systems could potentially be abused either by government or by the people operating key recovery services. And when the administration makes no secret of its efforts to promote adoption of a global key recovery system so that governments around the world will have access to the decoding keys, this concerns me greatly. The working group report warns about the security risks of this effort, stating, "it's hard to see how a global key recovery infrastructure can avoid exploitation by organized crime, especially considering the integration of organized crime with governments, such as Russia. If key recovery is adopted on a large scale, strong boundaries have to be created" -- and so on.
It brought the same alarm the Leahy-Burns Encrypted Communications Act, S. 376, pending before this Judiciary Committee -- very strict requirements before you could release any decryption key to a foreign government. I think the administration put the proverbial cat before the horse by promoting key recovery without having in place privacy safeguards, defining how and under what circumstances law enforcement and other users can get decryption keys. So I think this is a very important hearing. I look back, Director Freeh, to when we had the digital telephony bill before us, and I must say, Mr. Chairman -- had some discussions with the director about this. We went to as secure a venue as we could find, knowing how important this was. And I will release a certain amount of secrecy here, Mr. Chairman, by saying with that secure venue, with the dirt roads near my farm in Vermont where for several days the director and I would go out at the crack of dawn and go hiking up and down miles of these dirt roads discussing encryption. It's one sided -- he could discuss it with a great deal more breath than I could, but we did this. And basically I raise the fact that the digital telephony bill was a way -- which finally brought this apparent -- we had from the left to the right, from civil liberties groups, privacy groups, law enforcement, telephone companies -- everybody was off in a different direction. We finally got everybody into one room, and just basically said, "Okay, how are we going to do this?" -- and we did it. I think that's what you're trying to do, Mr. Chairman, and I commend you for it. I would also say, director, that while you were there of course we had the terrible situation in New Hampshire and Vermont with the firefight with Carl Drega who murdered four people, two law enforcement officers, seriously wounded John Piper (sp), Border Patrol agent John Piper (sp). You and I went and visited him in the hospital.
You recall that he was barely able to speak -- all kinds of tubes going on him, an oxygen mask, attended by his wife and lovely 10-year-old daughter Hannah. I just want you to know that he went home from the hospital and he is in much, much better shape. His family tells me there's going to be a complete recovery, and again they thank you for your taking the time to go and visit him. And I thank you, Mr. Chairman.

SEN. KYL: Well, thank you, Senator Leahy. I certainly concur with you that taking a walk in the beautiful Vermont woods would be preferable to being in a stuffy secure facility to discuss these issues -- and some by their nature do need to be discussed in a classified setting. But fortunately today we are able to discuss a great deal publicly, and we are blessed to have as our lead-off witness the director of the Federal Bureau of Investigation, Louis Freeh. We have had the opportunity to discuss encryption policy with Director Freeh during the course of prior hearings in this committee, first at the FBI oversight hearing on June 4th, where the director and I discussed the needs of law enforcement as pertains to encryption; and, second, at the hearing on key recovery infrastructure that the full Judiciary Committee held on June 25th. To set the stage for today's hearings, we've asked Director Freeh to expound on how the use of encryption by organized crime and terrorists adversely impacts the FBI's very important role in preventing and investigating criminal and domestic terrorist activity, as well as the bureau's vital counterintelligence responsibilities. We're also eager to gain a finer understanding of the way in which the FBI works with corporate America in addressing their pressing security concerns.
Before you begin, director, I would like to insert into the record a compilation of letters from the secretary of defense, the attorney general, the directors of the Secret Service, Customs and Drug Enforcement Agency, the Bureau of Alcohol, Tobacco and Firearms, the Office of National Drug Control Policy and yourself, the International Associations of Chiefs of Police and Attorneys General, the National Association of Sheriffs and District Attorneys -- all stating unequivocally that encryption policy must not jeopardize national security and public safety. Without objection those will be entered into the record, and on that note, Director Freeh, we thank you. Welcome.

MR. FREEH: Thank you, Mr. Chairman. Senator Leahy, good afternoon. It's a pleasure as always to be before the committee. Let me echo Senator Leahy's compliment to you, Mr. Chairman, for holding this hearing, continuing this very important discussion and really supplying some leadership with respect to an issue which is not a privacy versus law enforcement issue, but really a public safety issue balanced with the great commercial interests at stake. Senator Leahy, as we did discuss on those dirt roads, let me compliment you for your leadership in these very difficult areas, going back as you noted to the digital telephony problem which many people said could not be solved -- it was too complex, it was too expensive. Nobody could agree to it. And with your leadership you achieved a monumental piece of legislation, as far as I am concerned, that balance the law enforcement needs with the privacy needs -- in fact, enhancing privacy concerns in portions of that bill.
When I became director just about four years ago this week -- although it seems much longer at times -- I was told by the technical experts and people who advise the FBI director on these matters, that the issue at stake in the next couple of years would be the continuing ability to conduct court-authorized wiretaps and electronic surveillance, which as everyone on this committee well knows is the most important and efficient law enforcement technique -- not just in the criminal area, but in the national security area. And it is a technique which is not only the bailiwick of the federal authorities. In 1996, 51 percent of the electronic surveillance orders in the United States were given to the federal government. The other 49 percent were given to states and local prosecutors and police departments. This is a universal technique, and one which is reserved for the most difficult cases -- the complex organized crime cases, crimes of terrorism, crimes of financial complexity, violent crimes, and on the local and state level kidnapping and other cases where that particular technique is required because no other technique can obtain the evidence for which there is probable cause. I was told as I became the director that there were two aspects to the threat against court-authorized electronic surveillance. One was access, and that's the digital telephony issue: Will the common carriers and the manufacturers build systems and switches and software which will continue -- not give, but continue to give us access per court order to conversations of a criminal nature? We had had that ability since 1968. The change from the analog system to the digital system threatened to de facto take away that ability because there would be no more alligator clips to snap on to easy-access points, because switches would be made in the software.
Against a lot of doubt and a lot of resistance, this Congress -- Senator Leahy in particular -- and many other people working on that objective, solved this very complex access problem. And although not completely resolved or implemented, we are well on our way to solving that access problem and preserving what is the single most important technique in law enforcement and national security cases. There is another side to the threat to electronic surveillance, and that is the problem which encryption poses. If we are able to access with a court warrant the conversations of criminals and spies and terrorists, but we can't understand it, or it's going to take, as my associate Bill Crowell (sp) says, 26 trillion years to decrypt a message bit, we're out of business with respect to that technique. It is of little use to us in the information age when the encryption is so robust that even a court order -- even an order of an Article 3 constitutional judge, cannot access that on a real-time basis. So that is the issue that we are now debating, and it is, as you very well point out, Mr. Chairman, not a debate between privacy and law enforcement; it's a public safety question. And what the law enforcement components represented in the letters that you've just entered in the record have said, is that we are in favor of encryption. In fact, we are in favor of the most robust encryption available. We want the American companies -- the American manufacturers -- to remain as they are now the dominant industry in the world, controlling about 75 percent of the international market. However, we say that we have to balance that economic policy, which is a very important one, with the public safety needs of the people that we are obligated to protect -- both against criminals and against national security threats.
If we are unable to access and decrypt real-time, with a court warrant in hand, conversations of criminals and people who would commit horrible crimes -- even crimes like the one that Senator Leahy refers to -- we will be hard up to defend the country in many respects. That is why in my previous testimony I have said that unless we have some solution to unbreakable encryption we will be devastated with respect to our ability to fight crime and terrorism. That is not an exaggeration on my part; it is the consensus of many law enforcement professionals and technical experts who have studied this problem over many, many years. We seek and request a balanced encryption policy -- one that will promote robust encryption but will provide under very unique and infrequent circumstances pursuant to a court order the ability of my investigators or other investigators for state and local authorities to go in and solve a kidnapping case -- to find the victim, to prevent an act of terrorism, to dismantle an organized crime group or a drug cartel. Without that technique we will be unable to deal with that issue. We also believe that the legislative approach is necessary because we cannot leave to private industry the task of solving this problem for law enforcement. We have an interest for instance in communications in transit -- the actual discussion of crimes by people for whom we have probable cause to believe are committing crimes. Many people in industry and many companies who are developing key recovery systems on their own -- about 30 companies right now -- are more focused on the stored-data aspect of this issue as opposed to the in-transit communications which are of immediate importance to law enforcement. So for that and many other reasons we cannot leave the solution to the business community, as some would suggest.
We do believe, as shown by recent events, that many companies -- many responsible companies for very good business objectives are developing their own key recovery systems to protect the users of encryption so that they can get access to their own products when deprived of those by other criminals or people who would steal their secrets. So we do believe that there is a legitimate policy role to be played by the government and by the Congress in the form of legislation. We have looked at the various pieces of legislation that are before the Congress, both in the House and the Senate. We think that parts of all of them represent objectives for which we would agree. The control of encryption, depriving criminals from the use of encryption in the commission of criminal acts, restrictions on the government with respect to accessing and decrypting materials. However, none of those bills in my opinion give law enforcement the minimal safeguards which it needs to preserve this technique and use it effectively. We believe that what is necessary more than anything else right now is this balanced approach between robust encryption and legitimate court-authorized access. And I don't think that we should be deluded by the argument that the genie is out of the bottle, there is nothing we can do -- it is hopeless. They said that actually about digital telephony problems back in 1994. We think that a key recovery system can be established, that the government can promote it on a voluntary basis. Industry, which is already in many respects constructing such an infrastructure, will respond to that support, and that we can create the ability to protect people in the 21st century. We are not arguing, nor have we ever argued, that we are going to have a 100 percent perfect solution. That's not the case.
John Gotti never implicated himself on a telephone conversation with one of his confederates, because he was aware of the fact that law enforcement agents might be listening to that, and he took precautions to protect himself. Drug cartels, organized crime organizations, terrorists, take similar precautions to protect themselves. They will keep encryption that will not be accessible in any key recovery context. They will do that, and they do it right now. But what we cannot afford to do is reach a situation where all of the potential access points for a court-ordered access are denied to us because what is proliferated is robust encryption without a key recovery infrastructure, without any points of access or interest where a court order can be effectuated. We think that the Senate bill, the 909 bill, which comes the closest to meeting law enforcement's minimal needs, is an outstanding initiative -- an attempt to deal with this very difficult problem. We have worked, and we will look forward to working very closely to add to that bill what we believe to be necessary accommodations for law enforcement, and ones which will give us a more balanced approach. The problem with respect to encryption cannot be dealt with merely in the context of export controls. Encryption products limited by export controls do relate directly to the national security and foreign policy interests. However, law enforcement, as it must be in the United States, is more concerned about the significant and growing threats to public safety which could be caused by the proliferation and use within the United States of a communications infrastructure that supports the use of strong encryption but does not support law enforcement's immediate decryption needs. So we are looking to the Congress, as in all the letters reflected in the record now, for some type of assistance with respect to protection against unbreakable domestic encryption.
And we have noted, as I did in my testimony in 909, some very positive initiatives in that direction. You gave in your opening statement, Mr. Chairman, several examples of cases where criminals -- pedophiles, terrorists -- have begun to take advantage of the encryption technology to the detriment of law enforcement, as well as the people who are ultimately victims of those acts. We could cite many others to you. Recently a DEA electronic surveillance order was completely frustrated by the use of encryption by the subjects of that surveillance. Although there are now very few instances of these types of impediments, our own experience, and our experience from talking to our state and local counterparts, is that this is really just the tip of the iceberg. This is the opening of the window which unless addressed at this point will pose for us in the very few years ahead substantial problems and impediments in the execution of court orders -- not our own orders, but orders signed by judges who have found probable cause for us to seize communications or records. Without some decryption ability those records will become meaningless because nobody will understand them in time to use them in an appropriate way. Over the past few years, law enforcement has grappled with this issue. It is one of the few issues where I can say that there is unanimous agreement not just on the federal level, but on the state and local level -- by the Sheriffs Association, the International Association of Chiefs of Police, who passed a resolution in this regard -- it's going to be a subject of their convention next month in Orlando -- the National Association of District Attorneys, representatives of literally hundreds of thousands of law enforcement officers around the country who have depended vitally on the effective use of court-authorized electronic surveillance to perform their very difficult jobs in the most dangerous cases.
We will not be able to protect the country in the way that we are expected to do it, in the way that we have done it, if we lose this technique. We are not asking for any new powers or any new authorities. That's another misnomer which I am happy to correct once again. We rely for our request on the Fourth Amendment to the Constitution, where the framers in 1791 balanced the privacy that people were entitled to in their houses and their papers with the legitimate need of law enforcement, upon a showing of probable cause, to a federal judge in this case, the ability to breach that privacy and security because the commission of a crime or the planned commission of a crime have such a great impact on the safety and the society of the community that the framers decided that upon a sufficient showing of probable cause and the issuance of a court order, that privacy expectation would be overcome and we would be allowed to seize evidence of a crime. We're not asking for new authority to seize any conversations or papers. The (broad?) requirement would still be maintained. We would still have to procure an order from an Article III judge to seize a paper or a conversation. But we would also then be entitled to understand what we've seized. If we can seize it but we can't understand it, it becomes a (nullity?) and, de facto, we lose that power of search and seizure which we've had, which the country has had since 1791, balanced very carefully against privacy and the expectations of privacy. So I want to say one more time that we're not asking for any new powers or new authorities. We're asking for a Fourth Amendment that works in the information age. When it was designed by the framers, they didn't contemplate, obviously, digital telephony and encryption. 
I think to deprive law enforcement of that power, that constitutional power, would be a dramatic alteration not only in the Fourth Amendment but in the ability of law enforcement officers to do their job pursuant to (warrants?). There is nothing in any of the recommendations that the government has made which enlarges or expands our powers in any way. What it does, quite frankly, is ensure that the powers that we've used for over 200 years, controlled by courts and juries ultimately, are powers which will be viable and relative in an information age when people are using 120-bit encryption. As my friend in the NSA tells me, to break 120-bit encryption, it would take 26 trillion times the age of the universe to decipher one criminal bit or one message bit in order to respond and take some appropriate action. We can't function that way. If the decision is made that electronic surveillance and court-authorized electronic surveillance is important but not as important as the commercial interests which go with robust and unbreakable encryption, it seems to me that's a decision that the Congress could make and the country could make. But I think it would be an ill-advised one and that we would be paying the price for many years to come for the deprivation of what have proven to be the most important law enforcement techniques, and techniques which are very well controlled. There's no argument and there's no body of proof, even a small portion, which shows that the federal, state and local prosecutors and agents have abused electronic surveillance. In fact, as I (mentioned?), in 1996 there were only 1149 electronic surveillance orders in the whole country. That's adding up state, local and federal. This is a very unique and very infrequently used technique. The impact, however, is that it's used in the most important cases.
It was used in the case up in New York where individuals were planning to blow up the Holland Tunnel and several bridges and infrastructure in New York. It was used in other cases where people were going to blow up airlines in the Pacific. It's used routinely by state and local authorities in kidnapping cases, extortion cases. We want to preserve that technique. Obviously we want to balance it against the legitimate privacy and commercial interests, and we think that the best way to do that is legislation which achieves that balance. And except for 909, the other pieces of legislation don't, in my view, attempt to balance those two interests at all. In fact, they're completely one-sided with respect to the commercial interests. So we're ready to work, as we have done, with the committees, with the industry, to try to resolve the situation. I think Senator Leahy is right. If everybody sits down and maybe locks themselves in a room, I think they can agree on something. But I think if we don't, the country is going to pay the price in the years to come.

SEN. KYL: Director Freeh, thank you very much. I indicated that Senator Feinstein was delayed somewhat at the beginning of the hearing. Senator Feinstein, if you'd like to make any comments now before we question Director Freeh, this would be the time.

SEN. DIANNE FEINSTEIN (D-CA): Thank you very much, Mr. Chairman. I would. I thank you for holding this hearing and for your interest in the subject. Coming from California, at least trying very hard to represent a huge and burgeoning Silicon Valley industry, this whole issue is a very key and critical one. I've heard Director Freeh testify on this issue, I believe, twice before. And if I may venture, I think his views are fully representative, almost without exception, of the entire federal, state and local law enforcement communities of the United States. And I think they have to be given considerable weight and due diligence. I, for one, am very concerned.
Director Freeh, you've pointed out where encryption has been used successfully by terrorists, whether it's the Aum Shinrikyo cult in Japan or the Manila situation with the airlines or the New York situation. Also in California it was used in a multi-county gambling enterprise. I understand the Cali drug cartel uses encryption with some of its personnel sources or personnel statements. You've mentioned that you think one bill comes close to providing some of the guarantees that we need. The bottom line is I think probably nothing other than some form of mandatory key recovery really does the job. The situation that I have always had when I talk about this is, "Well, how can we compete, then, with other countries that don't have these requirements?" I mean, I, for one, believe that the public safety issue is a paramount issue because everybody's going to stop using the telephone or any other forms of communication to participate in an act of complicity to commit a crime and use an encryption system on a computer. I mean, that's going to be kind of (de rigueur?) unless we have some methodology, and two, some infrastructure that's able to protect everybody's rights -- the right to privacy as well as the right, as you've pointed out, for a judge to give an order and for law enforcement to be able to punctuate that encryption system and pull out of it what it needs to break an important case. Whether this can come from something short of mandatory key recovery, I don't know. But I think in effect, Mr. Chairman, this is our challenge. And I suspect we think very much alike on this issue. So I look forward to the testimony. And I won't go on now because I have some questions after you ask yours that I hope Director Freeh would be willing to come forward and state with some specificity in what he thinks could provide this kind of balanced system that can protect privacy rights as well as public safety.

SEN. KYL: Thank you very much, Senator Feinstein.
Once again, you and I are in complete agreement. And I also would underscore a point you made, and that is that the letters which I did insert in the record prior to your arrival uniformly state the position that Director Freeh has stated here. He noted that, and in his testimony indicated that the federal and state law enforcement is unanimous in its view that there needs to be this balanced approach of which he spoke. I would like to begin by going directly to the question that you just posed and ask it very specifically. Director Freeh, in your prepared statement, and I'll quote from it, you say that S. 909 -- and incidentally, before I do that, let me compliment my colleague, Senator McCain from Arizona, as one of the two key authors of that legislation; the other, the ranking member of the Intelligence Committee, Senator Kerrey, the Intelligence Committee on which I also sit. Both of those senators have tried very hard to achieve this balanced approach, and they've been pummeled pretty hard, particularly by one side, which believes that the legislation should be perhaps more oriented toward the commercial interests. But I want to compliment both of them, and in particular my colleague from Arizona for his efforts here. But you say in your testimony that S. 909 still does not contain sufficient assurances that the impact on public safety and effective law enforcement caused by the widespread use of encryption will be adequately addressed. What are law enforcement's needs in this specific regard, and how can the proposals put forth in S. 909 be improved to meet those needs?

MR. FREEH: Senator, the main concern, as I expressed in my testimony, for myself and my state and local colleagues is domestic access pursuant to a court order. We believe that some export controls are necessary for national security reasons and otherwise.
But the bulk of our work and the entire majority, for the most part, of state and local efforts are going to be focused on the domestic use of encryption. What we would recommend from a law enforcement point of view is that the legislation contain a provision that would require the manufacturers of encryption products and services, those which will be used in the United States or imported into the United States for use, include a feature which would allow for the immediate, lawful decryption of the communications or the electronic information once that information is found by a judge to be in furtherance of a criminal activity or a national security matter. There are a number of ways that that could be implemented, but what we believe we need as a minimum is a feature implemented and designed by the manufacturers of the products and services here that will allow law enforcement to have an immediate lawful decryption of the communications in transit or the stored data. That could be done in a mandatory manner. It could be done in an involuntary manner. But the key is that we would have the ability, once we have the court order in hand, to get that information and get it real-time without waiting for what it would take for a supercomputer to give us, which is too long for life or safety reasons.

SEN. KYL: Now, S. 909 currently calls for a voluntary system of key recovery use so that, theoretically, two members of a drug cartel could communicate in an encrypted way without ever taking advantage of the system that has a key recovery system in it. On the other hand, for most communication or data storage that exists, sooner or later even criminals tend, for convenience sake, to need to use the system. And in those situations where they're using a system where voluntarily key recovery has been provided, then law enforcement would have access to that.
As I understand it, what you are suggesting here -- and I am aware, by the way, that the Department of Justice, the FBI, private industry, many other folks, are trying to work together in a way to find just exactly the right language to approach this issue. And I appreciate your efforts and urge you to continue that effort. As I understand it, what you are suggesting here is that whether or not the legislation requires, in a mandatory way, a key recovery system, as it would in the limited situation where a government contractor is dealing with the federal government, or whether it's voluntary, as it is for everyone else under S. 909, in either case, at least the manufacturer would have to build into the system the capability for a key recovery system, should the users decide to take advantage of it. Is that correct?

MR. FREEH: That's very -- it's very accurately descriptive of what I meant. It's like -- maybe this is a bad analogy, but an air bag in a car; that the manufacturer is required in some states and federally to provide it, and now there's discussions about giving the user the ability to activate it or deactivate it, depending upon their own assessment of its efficacy and their safety needs. And I think we're talking about something very similar.

SEN. KYL: I remember back in the early days when you could buy a car that either had the tape deck in it or not. But if you didn't want to buy the tape deck, there was kind of a blank hole in the dashboard, but at least you could put it in there if you wanted to. And that's similar to what you're suggesting here.

MR. FREEH: Yes. I think the legislation has to begin by requiring the manufacturers to have the feature available and then take up the larger and maybe more complex discussion about how that's enabled. Is it done voluntary by the user? Is the network provider of the service required to have that immediate decryption ability because they're providing a public service?
And there's a lot of permutations of that which we're trying to work through. But the key concept -- you've hit the nail right on the head, Senator.

SEN. KYL: And this would be a much easier and less expensive requirement in the production of the systems, would it not, than that which was required in the digital telephone legislation, which actually required constructing a pretty sophisticated system by the system constructors?

MR. FREEH: Yes, I believe it would be much more cost-effective and much more efficient. In that system, the government set standards for the industry to build to and said it would pay them so much money to retrofit systems that didn't meet those standards. Here we're not saying the key recovery standard X, Y, Z. We're telling the manufacturers that they need to have a feature that would allow immediate decryption, and they can do that in the cheapest, most efficient way that they can design. And I think they can do that fairly easily.

SEN. KYL: I appreciate it very much. Is there anything else that you wish to add in terms of suggestions for improving S. 909? Again, I know you're still working on this and you may want to wait for another opportunity to expand. But if there's anything else that you'd like to add at this time, I'd invite you to do so.

MR. FREEH: Senator, just the point that I made before, that I think it's a worthwhile issue for discussion to look at whether network service providers should also be required to have some immediate decrypting ability to respond to a court order. We work, as you know, particularly in the pedophile cases, with on-line services who give us, when we run up against encryption, court-authorized access to information that is the subject of crimes. And that deals in many respects with our problem, particularly as networks proliferate and more and more people use them for communications.
It also maintains the court-authorized requirement and it also gives us the balance that I think is required in a policy that's going to work.

SEN. KYL: And a final point I would make; you've made it over and over, and yet whenever I discuss this, people seem to misunderstand. In no way are you asking for any additional legal authority for either seizure or wiretap. Is that correct?

MR. FREEH: That's correct, Senator. I mean, maybe as an example -- I've used this once or twice before -- right now, if we have a search warrant, we have probable cause that someone in a residence, for instance, has evidence of an ongoing past or future crime. The judge signs it. We go into the residence and, say, in the garage or not in the main structure, we find a box or a safe. Many assistant U.S. attorneys -- and I did this myself when I was one -- (inaudible) -- might go back to the court and get another warrant to go inside the safe box on the theory that it was not within the scope of the original warrant and the expectation of privacy might be different; all those legal arguments. What we're talking about here is maybe two warrants. We're going to have the authority to seize the evidence, whether it's a conversation or stored data. And now we need another warrant to unlock what we've already seized, because if we don't know what it means, it doesn't make any sense. So we're not asking for any additional authority. We're maybe going through the requirement two times, which actually gives people more protection.

SEN. KYL: I think the way you put it was asking for a Fourth Amendment that works in the information age.

MR. FREEH: Yes, sir.

SEN. KYL: I thought that was a good way to put it. Senator Feinstein?

SEN. FEINSTEIN: I have three questions, if I might, Mr. Chairman. Presently today, U.S. countries can export 56-bit technology only if they've pledged to develop key recovery systems within two years.
And the McCain-Kerrey legislation eliminates export restrictions on 56-bit products, 56-and-below products. My question is, do you favor this?

MR. FREEH: I think if it's balanced with a key recovery system, particularly one which domestically gives up some immediate decrypting ability under a court order, I do favor it. I think it's --

SEN. FEINSTEIN: So you would say, though, that you favor it if there is a key recovery system --

MR. FREEH: Yes, ma'am.

SEN. FEINSTEIN: -- only.

MR. FREEH: Exactly.

SEN. FEINSTEIN: Okay. Now, let's go to 128-bit encryption products that do not have key recovery. They're currently exported from other countries or imported from other countries to international customers. And they're also available domestically. What would your position be there?

MR. FREEH: Well, if we had legislation that required the immediate decryptability of any product used, sold or distributed in the United States, our domestic law enforcement interests would be protected. If we did not have such legislation, obviously the introduction of that type of robust encryption into the United States without any key recovery requirement or decryption ability would be very, very dangerous for us. We would not be able to, with a court order in our hands, decrypt or understand those algorithms. Now, it works both ways. Many other countries -- France, Russia and Israel in particular -- have outlawed the importation and use of encryption in their countries because they have recognized the same public safety issues that we have. I think once countries that began that type of exportation, particularly the United States started to export those types of products overseas, you would see great resistance from many other countries.

SEN. FEINSTEIN: Again, I tend to agree with you. Let me go to my third question. I don't see how anything short of mandatory key recovery accomplishes your purpose. Am I correct? Or if not, what specifically would accomplish your purpose?
A voluntary system doesn't accomplish your purpose because the Cali drug cartel isn't going to participate on a computer with a voluntary key encryption system. They're going to go to one that doesn't have one. So how does anything short of mandatory key recovery solve the problem?

MR. FREEH: Mandatory key recovery, to the extent that it was implemented, would be the best law enforcement solution. I would not be candid with you if I told you anything other than that.

SEN. FEINSTEIN: No, I'm just saying not solution. How does -- it can't solve the problem. I mean, it's a step forward. Anything is a step forward. But it still is a massive loophole that everyone would take use of.

MR. FREEH: But there are massive loopholes right now. I mean, from person to person, from cartel to cartel, the encryption products which would defeat law enforcement are available and are used. Our concern is that if we have mass proliferation of unbreakable encryption, there are no infrastructures that are established to find some recovery points along the chain of information flow or storage. If the government of the United States, which is the largest consumer, I think, of encryption products domestically, doesn't require key recovery in the products it buys, if we don't ask our on-line services for access, if we don't do all the things which are doable, in my view, then nothing is going to work because there are going to be no alternatives to access. I think we can design a system short of mandatory key recovery which will work certainly better than no system at all. And I think the precepts of 909 and some additions which could be added thereto will give law enforcement at least a fighting chance, which is really what we're asking for in this context, to keep a technique which is very valuable. I don't think we'll ever solve the problem 100 percent. There are loopholes now. There will be loopholes even with a mandatory key recovery system.
What we want to try to do is design an infrastructure which will give us as many access points for that court order as possible. And that's the end game that we're involved in right now.

SEN. FEINSTEIN: See, I think that there's a very realistic concern. You know, if you have information that somebody is using computers to practice terrorist acts, it seems to me the ability to go to a judge, get a court order and be able to punctuate that computer in a timely way is really where the public safety is going to be met in a positive way. And what I'm kind of concerned about is that every time anybody talks about mandatory key recovery, it's as if it's something terrible, when the whole world and everybody else really ought to come to grips with cyberspace as a whole new communication system, and not to afford the same rights for law enforcement in cyberspace that they have with the telephone. It's going to just create enormous problems downstream.

MR. FREEH: Senator, I agree with you.

SEN. FEINSTEIN: I mean, I tend to be very robust on the side of having a system which exists for every computer that it cannot be used for criminal purposes without at least some degree of penetration.

MR. FREEH: Yes. No, I agree with you.

SEN. FEINSTEIN: But you're being so nice about it, and so kind of --

MR. FREEH: Well, I would use the word practical.

SEN. FEINSTEIN: Maybe you have been beaten up more than I have so far. (Laughter.) I don't know.

MR. FREEH: The -- the position that I think we are left to is -- look, if I could convince everybody in this town -- I mean, everybody in this town -- that we needed mandatory key recovery, and that that was something doable, I would certainly work very hard in that regard. I -- my sense is and my experience, having worked on this for three or four years, is that that is not the case -- for very good reasons people of good faith with legitimate arguments not being able to universally accept that system. So --

SEN. FEINSTEIN: Could you go into those reasons --

MR. FREEH: Sure --

SEN. FEINSTEIN: -- that you feel are the good faith reasons?

MR. FREEH: The good faith reasons are that it would retard American industry. As you pointed out, somebody overseas faced with a product that has an embedded security feature in it, or one that does not, is going to pick the latter product. I don't think that's the case myself. I think people buy software for spreadsheets and other features, and not out of concern for embedded security features. Every time we pick up our telephone we know that if somebody -- a sheriff or FBI agent has convinced a judge that we are using that phone for criminal purposes somebody is going to be listening and recording every word that we make. But we still use the phone. In fact, people still use the phone even in the commission of crimes -- because it's a convenient and available and exclusive infrastructure and network that they have to use. Another argument is that it's a violation of privacy rights. I think that's a bogus argument. Nobody is advocating or suggesting access to encrypted information unless there is a predicate finding by a judge that somebody is committing a crime or about to commit a crime. I think there's a lot of arguments that, you know, are made in good faith and because the objectives of that particular position support that argument. But we are talking about, as I think you very accurately described, is a new technology, a new environment, a new century, and people are going to be communicating on the Internet as they communicate now on telephones. So what we are saying is let's transport the Fourth Amendment from the 18th century to the 21st century, maintaining all the protections that the Framers guaranteed in that amendment. We are not advocating anything different. But the technology is going to require real-time access, which we will not get in a system that abandons the argument that we need a balanced policy here.

SEN. FEINSTEIN: So if it weren't -- if those points could be satisfied, the two sort of good faith points you've just raised, either in an international agreement or some other -- in some other manner -- mandatory key recovery you think would be acceptable to everyone?

MR. FREEH: Yes. Yes, I do.

SEN. FEINSTEIN: Thank you very much.

SEN. KYL: Thank you, Senator Feinstein. That's an excellent point. I would like to just ask one final question. We are all absolutely committed to the protection of our constitutional rights. And, by the way, encryption helps to advance the rights of privacy that are at least implicated in the Constitution -- or implied. Absent the ability of law enforcement to use traditional law enforcement techniques of being able to tap a computer just like you would tap a telephone, if a judge is convinced that you have cause to believe a crime is being committed, is it not true that actually constitutional rights could be -- I don't want to use the word "jeopardized" -- but at least under somewhat more threat by virtue of the kinds of techniques that law enforcement would have to resort to? In other words, if you -- if brute force techniques don't work, and you've certainly made that point, and others have made the point too -- and you don't have this ability through key recovery, what other options do you have for conducting authorized surveillance, and what are the implications of those options to people's personal privacy?

MR. FREEH: Well, I think the implications are very serious. Let me just give you the example of a --

SEN. KYL: Or also the risk to law enforcement --

MR. FREEH: Yes --

SEN. KYL: -- which I think is also in play.

MR. FREEH: If we convince a -- we convince an Article 3 judge that someone is using their phone to commit a crime, judge issues an order which we serve on the telephone company, which allows us access to hear those conversations -- a key part of the judge's order is what they call the minimization provisions, which mean if during the course of a conversation the monitors determine that this is an innocent conversation, not related to the crimes which are predicated in the court order, they shut it off -- they turn it off and maybe they put it on four or five minutes later to spot check to see if a criminal conversation is now taking place. The reason for that is very obvious. It's to limit the intrusive use and impact of that technique -- the same with the microphone surveillance. If the only way we could get access to decrypted information would be a court order which allowed an intrusion into someone's home or office so an agent could literally stand over the shoulder of the operator to see what was being decrypted, that would be an entirely larger intrusion -- both personally and I think also in its constitutional impact. It would also be very dangerous for the law enforcement agents if every time they wanted to get access to decrypted material they had to do things which would expose them to greater risk and greater harm. So I think both from a constitutional protection point of view and a law enforcement safety point of view this is maintaining what we currently use to minimize the surveillance of innocent conduct, but also to enable our agents to work out there safely.

SEN. KYL: Thank you. Senator Feinstein, did you have anything else at this point?

SEN. FEINSTEIN: No, I have no other questions.

SEN. KYL: Senator Leahy will not be able to return, but would like to submit some questions. And I will simply announce for the record that we will keep the record open for a reasonable time here.
And certainly Senator Leahy will be permitted to submit questions, and he may provide some to you, Director Freeh. Once again we thank you very, very much for your testimony here. I want to personally compliment you for your dedication to this, for trying to come up with the best answers, for your commitment to the Constitution -- but also for the protection of the people of this country -- protection that has been entrusted partially to you. I commend you for your service and appreciate your testimony today.

MR. FREEH: Thank you, Mr. Chairman. Thank you, senator.

###