26 July 1997
Source: Hardcopy from Declan McCullagh
http://www.netlynews.com
See Declan's 23 July report on this
transcript.
See parallel July 18, 1997 letter to Congress on encryption bills from Attorney General Janet Reno and heads of seven federal law enforcement agencies.
Not for Quotation or Duplication
[as written on the original; no restrictions on this version]
| This transcript was declassified pursuant to redacted copies provided to the House International Relations Committee by Louis J. Freeh, Director, Federal Bureau of Investigation (FBI), William P. Crowell, Deputy Director, National Security Agency (NSA), and William A. Reinsch, Under Secretary, Bureau of Export Administration, Department of Commerce, July 21, 1997. |
Committee Hearings
of the
U.S. HOUSE OF REPRESENTATIVES
[Emblem]
[Redaction, perhaps date and time stamp]
OFFICE OF THE CLERK
Office of Official Reporters
[Note: Bottom of every page has redacted i.d.]
[1] 1 RPTS STRICKLAND 2 DCMN HERZFELD 3 4 5 MEMBERS BRIEFING REGARDING ENCRYPTION 6 7 Thursday, June 26, 1997 8 9 House of Representatives, 10 Committee on International Relations, 11 Washington, D.C. 12 13 The committee met, pursuant to call, at 2:15 p.m. in Room 14 H-139, The Capitol, Hon. Benjamin A. Gilman [chairman of the 15 committee] presiding. 16 17 18 19 20 21 22 23 24 25
[2] 1 Chairman Gilman. I want to welcome our Director, Lou 2 Freeh, and Mr. William Crowell, Deputy Director of the 3 National Security Agency, to the briefing on encryption and 4 its possible impact on our national security and law 5 enforcement activities, something that many of us are 6 concerned with. 7 We also would like to take this opportunity to 8 congratulate Director Freeh on the McVeigh conviction and the 9 Kansi capture. Well done. And I would note that your critics 10 are noticeably silent right now. We look forward to hearing 11 your presentation, so fire away, and we welcome hearing what 12 your thoughts are on the encryption measures that are before 13 us. 14 15 STATEMENT OF LOUIS J. FREEH, DIRECTOR, FEDERAL BUREAU OF 16 INVESTIGATION 17 18 Director Freeh. Thank you, Mr. Chairman. Do you want 19 to start, Mr. Chairman? 20 Chairman Gilman. Please. 21 Director Freeh. Thank you very much, and thank you all 22 for the opportunity to be here at this briefing. I think I 23 want to just start from a simple proposition and very 24 important one, and that is the fourth amendment to the 25 Constitution, ratified, of course, in 1791. The framers very
[3] 1 wisely in that amendment balanced the protection of privacy 2 both in searches and seizures against what they clearly 3 recognized and which we still recognize as an important law 4 enforcement public safety interest to fight crime and deter 5 criminals. 6 The balance in that fourth amendment has worked very well 7 over 200 years. Despite advances in technology, we have been 8 able to balance and give to both law enforcement and national 9 security the tool to protect ourselves and protect our 10 rights. 11 The advent of telecommunications changes, which are great 12 and which we advocate -- progress is important for the 13 country, it is important for our national economy -- we are 14 advocates of robust encryption with American companies 15 manufacturing it and selling it as the leading producers 16 around the world, which is the case today. 17 Our concern is that robust encryption proliferating and 18 becoming interoperable without any access window, without any 19 point where law enforcement or national security using a court 20 order, using judicial process, cannot come in and on a 21 real-time basis intercept pursuant to order and understand and 22 deter people who are about bad business, terrorists, organized 23 criminals, drug traffickers. 24 The promotion of encryption without any kind of safety 25 valve is, in my view, very, very destructive, not only to the
[4] 1 law enforcement and national security goals, but more 2 importantly to the balance in the fourth amendment. We will 3 allow technology to change that delicate balance, which means 4 that if I have a court order that shows by probable cause that 5 someone is about to commit a crime or is committing a crime, 6 whether it is a crime of kidnapping, a crime of drug 7 trafficking, a crime of terrorism, a judge signs my order and 8 I attempt to execute that order for the first time, the 9 evidence which I am accessing, evidence which I am allowed to 10 have under the fourth amendment, is incomprehensible to me. 11 [I] can't understand it. I don't have it real-time, I cannot act 12 on it. That to me is a very dramatic change in that delicate 13 fourth amendment balance. 14 What we are advocating, and particularly from a law 15 enforcement point of view, what we are advocating is that we 16 balance the encryption policy and not view it as some do, 17 unfortunately, solely as an economic issue. It is a very 18 important economic issue for the country, for the global 19 economy, for the information infrastructure. But it is also 20 critically a public safety and national security issue, and my 21 view is that in some of the debates -- and not in this 22 Congress, by the way, which has looked at both sides of this 23 very carefully, and I have testified, along with my colleague 24 here, on many different occasions -- we have a very unique 25 opportunity here for the Congress to make some policy
[5] 1 decisions which will impact very directly on what we do for 2 public safety and national security in the years to come. 3 We think that letting the robust -- the forms of 4 encryption proliferate, taking down export controls as some 5 the legislation would do, and not putting any provisions or 6 safety valves in there where myself or my friends in the 7 national security community cannot, again with probable cause 8 with judicial process, access and understand real-time 9 evidence, the commission of crimes, and solving and preventing 10 what would be great tragedies and great devastation, that we 11 are losing a very important tool that law enforcement has had 12 for 200 years. 13 Now we have had it in different forms over 200 years. 14 1968, the Congress passed the Electronic Surveillance Act, 15 which gives the Federal agents and the State and local 16 authorities the ability, pursuant to probable cause and making 17 the balance required in the fourth amendment, giving us the 13 technical ability to go out and get evidence of crimes when 19 there is probable cause to identify them. 20 In 1994, we became very concerned, and all of you were 21 involved and ultimately supportive of the changes which were 22 made to ensure that into the next century, because of change: 23 in the telecommunications technology, we would still have 24 court orders which would access conversations of people for 25 which we had probable cause to believe were committing
[6] 1 crimes. You solved that problem with the CALEA statute of 2 1994. We are now in the implementation phase of your 3 solution. Without that solution. we would have reached the 4 point in 5 or 6 years where, despite judicial orders, we would 5 go to the phone companies and they could not execute the order 6 because the messages were in 0s and 1s, and there was no 7 access point in the software to hear that. 8 Encryption is not very different from that in the sense 9 that if we do not have a safety valve and an access point, on 10 which would be controlled judicially and used very carefully, 11 in a very, very small number of cases, which I will speak to 12 in a moment, we will be deprived of evidence in criminal case 13 and opportunities in counterterrorism and national security 14 matters to protect this country. And we do not have the 15 computers, we do not have the technology to get either 16 real-time access to that information or any kind of timely 17 access. 18 If we hooked together thousands of computers and worked 19 together over 4 months we might, as was recently demonstrated 20 decrypt one message bit. That is not going to make a 21 difference in a kidnapping case, it is not going to make a 22 difference in a national security case. We don't have the 23 technology or the brute force capability to get to this 24 information. 25 What we are asking for is a balanced encryption policy,
[7] 1 one that will allow the technology to progress, but at the 2 same time put in there a safety valve and an access point 3 controlled by the courts which myself and people in the 4 Intelligence Community can get to and understand evidence where 5 it is important for us to do so. 6 This is not an FBI position alone. This is a unanimous 7 and strong law enforcement position. The international 8 Associations of Chiefs of Police have entered resolutions 9 supporting what I have just presented to you; the National 10 Sheriffs Association, the National Association of District 11 Attorneys. I would urge you to speak to your local police 12 chiefs, the heads of your law enforcement associations in you 13 States and districts. This is a very, very critical law 14 enforcement public safety issue. 15 We believe that a balanced policy will not erode the 16 American domination of this technology. We don't believe that 17 we are going to impede commerce. We don't believe that we are 18 going to do anything except from a very common-sensical point 19 of view those of us in public service, and specifically those 20 of us in public safety, need to have, which is some ability to 21 do our job in a different technology. 22 I could list all the cases where electronic surveillance 23 pursuant to court order was critical. The issue is not 24 whether or not that is a valid technique. I think everybody 25 agrees that we need this technique. It is a very underused
[8] 1 technique because it is so intrusive. In all of 1996, if you 2 add up all the Federal, State and local court orders for 3 electronic surveillance there were only 1,149. The majority 4 were done by the Federal Government, but only about 5 51 percent. The other 49 percent were done by your sheriffs 6 district attorneys and police chiefs. 7 The inability to deal with robust encryption, the lack 8 any access in real-time, because that is what law enforcement 9 is about, real-time, to this information in not every case, 10 but in many, many cases, will, in my view, in my judgment, 11 affect public safety and maybe even tragically cost lives. 12 Mr. Rohrabacher. Could you go through those numbers 13 again? 14 Director Freeh. 1,149 orders. These were Federal, State 15 and local electronic surveillance orders. 16 Mr. Berman. Electronic surveillance encompasses what? 17 Director Freeh. Wiretaps, microphones. 18 Mr. Rohrabacher. And how many were Federal Government? 19 Director Freeh. It is just about 50-50. I could give 20 you the exact numbers. Federal Government 581; the State and 21 locals did 568. Almost 50-50. Seventy-one percent of those 22 cases were drug cases because that is the area of crime, 23 narcotics cases -- 24 Ms. Lofgren. The number? 25 Director Freeh. Seventy-one percent.
[9] 1 Mr. Rohrabacher. Of Federal or all of them? 2 Director Freeh. Total, were drug cases. Those are the 3 targets of greatest difficulty. The Cali cartel, which has 4 hired software engineers, by the way, to write encrypted 5 programs for them so they can speak and deliver narcotics 6 without law enforcement access. 7 We are very, very concerned that if the policy decisions 8 are not made at this point, we are not going to be able 5 or ten 9 years from now, if we find law enforcement in the position 10 where myself and my colleagues think we will be without any 11 access, it is going to be very hard at that point to go back 12 and correct it and retrofit or do any kind of remedial 13 action. The cost of that and the policy decisions will be 14 very, very difficult. 15 We appreciate very much the consideration that the 16 Congress has given. We are very favorably disposed towards 17 Senate bill 909, which, as you know, came out of Senator 18 McCain's committee, which achieves, more than all the 19 legislation that we have seen, some degree of balance and some 20 consideration for the law enforcement and public safety 21 needs. 22 Encryption is not just an economic issue. It may be for 23 the majority of people who have spoken out about it, and it 24 certainly is a commercial issue, but there is a critical 25 public safety and law enforcement component to this which, if
[10] 1 we disregard, will put us in a position where in the most 2 important cases against the most difficult targets we are 3 going to be deprived of opportunities and information and 4 evidence on a real-time basis. 5 So what we are really asking is not for an expansion of 6 our powers, not for any abrogation of the Constitution or the 7 Bill of Rights. We are actually asking for the balance of the 8 fourth amendment to be maintained; that that balance has 9 worked very well for 200 years. The framers certainly 10 considered the important law enforcement and public safety 11 interests balanced against the protection and the right of 12 people to be secure in their persons, papers, and effects. If 13 we were writing that amendment today, we would add PCs and 14 disks and modems, obviously not within their contemplation. 15 But they did understand the critical importance of having law 16 enforcement, under strict judicial controls, access 17 information in critical public safety and law enforcement 18 cases. 19 So we are asking for a balance. We are asking that very 20 difficult policy decisions be considered by the Congress. We 21 know the arguments that have been made against our position, 22 but we feel very strongly that it is an opportunity as we had 23 in 1994, and which the Congress very positively and 24 appropriately responded to when it looked like we were going 25 to be out of the court-authorized wiretap business because of
[11] 1 change in technology. A11 of you, Don Edwards principally in 2 this House, and Senator Leahy and others in the Majority at 3 that time in the Senate, and ultimately everybody on a 4 unanimous vote said that we understand the change in 5 technology, we understand that our decisions will put some 6 burdens and costs on the common carriers, but there is such a 7 critical public safety issue here that we have to do something 8 to protect public safety. 9 You have the same issue before you in a different form 10 with respect to encryption. It needs to be promoted. Robust 11 encryption, we are in favor of that. We just want to maintain 12 the balance of the fourth amendment and ensure from a public 13 safety and national security point of view we have the most 14 important tool to do our job, which is real-time understanding 15 of data streams and also stored data. 16 Imagine a criminal justice system where every time our 17 agents went out to execute a search warrant, we came back with 18 encrypted files; as part of Youssef's file, when we were given 19 his computer. This was the fellow convicted, as you know, of 20 engineering the conspiracy to blow up ll U.S. airliners in the 21 Pacific. He was going to murder the Pope while he was in 22 Manila, and he is now going on trial as the principal engineer 23 of the World Trade Center bombing case. One of his files in 24 his computer was encrypted. 25 That, in our view, is the tip of iceberg. We are going
[12] 1 to see more of that. It is going to percolate down not just 2 to world class terrorists, but to bank robbers. And State and 3 local authorities who are the strongest advocates of what I am 4 presenting to you will be the people adversely affected. 5 So we are asking for the balance and the consideration, 6 and we really appreciate your attention to the issue. 7 Chairman Gilman. Well, thank you very much, Lou, for 8 being with us. Did you want to add some comments? 9 10 11 12 13 14 15 16 17 18 19 20 22 23 24
[13] 1 STATEMENT OF WILLIAM A. REINSCH, UNDER SECRETARY, BUREAU OF 2 EXPORT ADMINISTRATION, U.S. DEPARTMENT OF COMMERCE 3 4 Mr. Reinsch. Just a word if I may. I am Bill Reinsch 5 from the Commerce Department. Bill Crowell from NSA is 6 running late and will be along. 7 Let me be very brief because you all, or most of you, 8 heard me before probably ad nauseam. Why we want key 9 recovery, I think you just heard. There are other reasons: 10 Federal protection of records and things like that. But the 11 main reason is what Director Freeh just articulated, and we 12 think it is a very important one that is material to the 13 balance that we are seeking. 14 At the same time, we think the market is going in the key 15 recovery direction anyway. I just came from New York speaking 16 to a bunch of bankers about what they are interested in. What 17 they are interested in is a variety of key recovery devices 18 and key recovery technologies. That is what they want and 19 what their customers want. We think the market is also moving 20 in that direction anyway. 21 The issue for us and why we distinguish between bills is 22 what will drive us toward key recovery so that we can achieve 23 Director Freeh's objectives and that will retard what we see 24 as moving in that direction. The reason we like Kerry[*]-McCain 25 or McCain-Kerrey S. 909 is because of the whole set of things [As written here and other instances; probably "Kerrey"]
[14] 1 in it that are designed to help facilitate the creation of a 2 key management infrastructure, create a Federal key recovery 3 system for our own use, and to try to, through a variety of 4 incentives and procurement carrots and sticks if you will, 5 encourage the market to move in a direction of key recovery, 6 knowing that we will never get there 100 percent. 7 Chairman Gilman. Let me interrupt a moment. I don't 8 know that everybody is familiar with key recovery. Why don't 9 you explain that. 10 Mr. Reinsch. When Bill gets here, he will do the 11 public-private encryption thing, which in a nutshell is this: 12 The way to facilitate electronic commerce and allow commerce 13 on the Internet or in some huge mushrooming kind of sense, 14 which is what we see happening, is through what people refer 15 to as a public-private key pair -- most of you know about 16 this, I think -- in which your public key is public, and it is 17 in a directory, it is on the net. It is anywhere. If you 18 want to send me a message, my public key is in the directory, 19 too. We each have a private key known only to ourselves 20 except the key recovery, which I will get to. 21 You want to send me a message, you encrypt the message 22 using my public key because you have got it. Now that is a 23 one-way algorithm. Once you have encrypted it, you cannot 24 decrypt it. The only person that can decrypt it is the person 25 who holds my private key, which is me. That guarantees that
[15] 1 you can transmit something to me safely without having to have 2 some kind of personal exchange of keys. 3 I am doing your bit; stop me when I make a mistake. 4 The alternative to a public-private key system is 5 everybody you want to communicate with in confidence, you have 6 got to exchange your key with his key, one at a time. You 7 want to communicate with 10,000 people, you are going to have 8 to have 10,000 keys. A public-private system is a way that 9 allows you to do it a lot more simply. 10 Key recovery in that context is really nothing more than 11 having a spare key, as if you had a spare key to your filing 12 cabinet or a spare password for your computer or anything 13 else. We are indifferent; I suppose we have opinions, but our 14 policy is indifferent as to whether the spare key is held by 15 you, by a trusted third party, by anybody. 16 What we envision happening is banks, Visa, Master Card is 17 leading the way, developing networks of their own for 18 electronic banking and electronic commerce in which they will 19 either hold the keys, or they will hire a third party to hold 20 the keys and maintain the system. 21 Customers want it, banks want it because of a variety of 22 reasons, the rogue employee problem. I work for Bank of 23 America, and I leave and take S3 million with me and go to the 24 Bahamas, the Bank of America wants to find out how I did 25 that. If I encrypted all my files, they cannot. I leave and
[16] 1 get hit by a bus, Bank of America wants to access my files. 2 The institutions want the keys, and the electronic commercial 3 system is going to, I think, only take off when that kind of 4 system exists. 5 McCain-Kerry pushes us in that direction. Our problem 6 with Mr. Goodlatte's bill, with all due respect, is that it 7 doesn't push us in that direction, and that is the fundamental 8 difference between the bills. And I have been saved by NSA. 9 Mr. Crowell. Mr. Chairman, I apologize for being late, 10 but I was captured by a large number of Senators. 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
[17] 1 Chairman Gilman. Please feel free to add any comments. 2 Director Freeh and Mr. Reinsch both spoke up, so please tell 3 us any additional information that you can provide for us. 4 5 STATEMENT OF WILLIAM P. CROWELL, DEPUTY DIRECTOR, NATIONAL 6 SECURITY AGENCY 7 8 Mr. Crowell. Since this is a closed session, I would 9 like to go a lot further than we have in a lot of hearings 10 about the national security implications. 11 I would like to begin by saying that the National 12 Security Agency in particular understands that we have a dual 13 responsibility with regard to this issue. We have a 14 responsibility for providing signals intelligence to the 15 Nation, intelligence information which is vital for us being 16 able to do our war planning and our weapons developments, 17 weapons assessments, all of those kinds of things, [redaction 18 ---------------------------] and so we have an interest in 19 [redaction----------] the encryption system. But we also have 20 an interest in protecting information, and that is part of 21 national security, and we recognize that. 22 Therefore, we have a very strong interest as the Nation 23 shifts to commercial networks in making sure that those 24 networks upon which the Defense Department and the government 25 at large will depend in the future, we have a large interest
[18] 1 in making sure they are also solid and protectable, and they 2 are not put together on a weak foundation. So that has caused 3 us to be primarily technical advisors to this process, to try 4 and make sure that we are balancing our ability to protect 5 ourselves on the one hand with our intelligence capabilities 6 [redact--]. 7 And on the intelligence side, we have developed a plan 8 for doing business in the future [redaction------------------- 9 -------------------------------------------------------------- 10 ----------------------------------------]. But we are not 11 going to be able, and we recognize it, to prevent the ultimate 12 widespread use of encryption throughout the world. What we 13 will do [redaction-------------------------------------------- 14 -------------------------------------------------------------- 15 -------------] all the things that we have done since World 16 War II. The Enigma Machine could not be broken by today's 17 computers. The Enigma Machine, which was the German 18 cryptographic machine used by their submarines, could not be 19 broken today [redaction--------------------------------------- 20 --------------------] If we didn't have the smart people, if 21 we didn't go out and capture a submarine as we did in World 22 War II, if we didn't co-opt people as we did in World War II, 23 and if they hadn't made mistakes as the Nazis did, we would 24 not have been able to sink 742 Nazi submarines in the battle 25 of the Atlantic.
[19] l Today, we wouldn't be able to do it today. So we are 2 going to, on our intelligence side, try to be as smart as 3 possible, work as hard as possible, [redaction---------------- 4 -------------------------------------------------------------- 5 -------------------------------------------------------------- 6 ------------------------------------------------] 7 Now, how did they get it? Surely they will, and we will 8 have to work even harder. [redaction-------------------------- 9 -------] On the other hand, we have to make sure that the 10 Defense Department, which now uses -- 95 percent of its 11 communications are in the public sector, no longer DOD 12 communications systems -- that we build a proper foundation, 13 public key management infrastructure and so on, in order to 14 protect our defense interests on the protection side. 15 There is an interest that we all have in common, which 16 was just talking about on the Senate side, and that is that we 17 are moving rapidly, although some would say not rapidly enough 18 and others would say far too rapidly, toward electronic 19 government. When we get to that, we will have an obligation 20 to continue to meet our statutory requirements to protect 21 public information. That STET means we have to have strong 22 encryption in place where it is required. That means we must 23 have key recovery. We must use key recovery in the 24 government. 25 You have statutorily required that we will able to return
[20] 1 documents to the public through the archives when they are n 2 longer classified, and we will not be able to do that if any 3 employee can do the equivalent of marking it classified 4 forever by encrypting it with a key that cannot be recovered 5 So those are three points I wanted to make just as a general 6 introduction. 7 I would go further and say there have been people who 8 have said that Louis Freeh's organization should just get 9 smarter technically, and if they were just smarter 10 technically, they would be able to break all of this stuff. 11 would like to leave you with just one set of statistic~, and 12 then I think I am going to close with just a few comments on 13 the bill itself. 14 There is no brute force solution for law enforcement. 15 [redaction---------------------------------------------------- 16 -------------------------------------------------------------- 17 ----------------------------------] A group of students -- not 18 students -- the Internet gang last week broke a single message 19 using 56-bit DEC[+]. It took 78,000 computers 96 days to break 20 one message, and the headline was, DEC has weak encryption. 21 He doesn't consider that very weak. If that had been 22 64-bit encryption, which is available for export today, and is 23 available freely for domestic use, that same effort would have 24 taken 7,000 years. And if it had been 128-bit cryptography, 25 which is what PGP is, pretty good privacy, it would have taken [+ As written; probably "DES"]
[21] 1 8.6 trillion times the age of the universe. 2 He has a serious problem and issue to deal with in terms 3 of being able to technically address this issue. 4 Now, what are our concerns about the bill? I hope I am 5 not repeating what my colleagues have said, but let me just 6 lay the foundation. The first issue is that it doesn't move 7 us in the direction of building a sound foundation for the use 8 of cryptography either by the government or the public at 9 large. Building the key management infrastructures that will 10 certify identities to public keys or cancel the use of public 11 keys when people are dead or no longer part of a system -- 12 Mr. Berman. Is there something now that would keep you 13 from doing that? 14 Mr. Crowell. Yeah, there is no management structure that 15 does that. 16 Mr. Berman. In the law? 17 Mr. Crowell. There is no provision for such a management 18 structure. 19 Mr. Reinsch. The reliability problem, among other 20 things, that ought to be addressed. 21 Mr. Goodlatte. Just nonetheless that is exactly what is 22 happening in private sector today, as Mr. Reinsch just told us 23 from his visit to New York. 24 Mr. Crowell. We believe that the private sector users 25 will move in that direction. Producers have not moved us in
[22] 1 that direction. 2 Mr. Goodlatte. They already are. 3 Mr. Reinsch. Well, they are because of our policy. What 4 we have said is you get a better deal on exports if you commit 5 to make key recovery products. And so far we have 31 6 companies that have come in, and we approved. It would have 7 them, the big ones, IBM, DEC, Netscape, the small ones that 8 you have probably never heard of, but they have come in 9 because of our policy, and I think it has had a favorable 10 impact just since January. 11 Mr. Crowell. The second one is key recovery, which I 12 believe we have now set a foundation for in the marketplace. 13 Every user that I have talked about who has valuable data, 14 like Fidelity Investments or Citibank or whatever, has said, 15 no way we are going to encrypt this stuff in our databases and 16 so on without having a means of recovery. So, I think it 17 doesn't move us in those directions. 18 The second thing is that the export control provisions 19 are such that the relaxation of controls is almost 20 instantaneous. The rules with regard to foreign availability 21 and so on will be such that it will have that effect. It 22 doesn't have a measure of quality. It doesn't have a measure 23 of some of the other things that we are concerned about. 24 I think I will stop there. 25 Chairman Gilman. Let me ask, I think it is Mr. Reinsch,
[23] 1 I have a release here about Netscape. Netscape Communication 2 Corporation today announced the U.S. Department of Commerce 3 has granted the company permission to export Netscape 4 Communicator client software with 128-bit encryption 5 capabilities available for immediate downloading from the 6 Internet from our net site. Netscape Communicator's strong 7 encryption will allow users worldwide to enjoy far greater 8 protection when they are communicating certified strong 9 encryption applications on the Internet. Can you explain to 10 us what happened here? 11 Mr. Reinsch. Sure. On May 9th, we announced -- I think 12 Mr. Crowell could give you some of the rationale behind it -- 13 we announced a special policy for banks and general 14 application software being used by banks. We believe that -- 15 we did that for two reasons: One, because banks operate 16 within an existing regulatory framework and have an existing 17 set of regulation obligations to cooperate with law 18 enforcement that, in our judgment, allows us to give them 19 special treatment; and second, because we felt that banks are 20 really going to lead the way in the movement in commerce, and 21 we want to try to facilitate that path and make it a recovery 22 path. 23 So what we said on May 9th, and this is just an outcome 24 of that, was two things, that we would permit the export of 25 banking application-specific software, that is software that
[24] 1 has no use except for intrabank and banking transactions, 2 which is like the ProComm product that made the news in 3 March. We would allow that to be exported by banks for banks 4 after one-time review for them, which is very important, 5 without key length limit. This is software with very limited 6 utility. 7 What we also said was that we would permit the export of 8 general commercially available software, which is what this 9 is, to banks for banking purposes, including home banking or 10 electronic banking- In other words, what we are trying to 11 facilitate with this is software that permits banks to 12 communicate with their customers, if you will, and customers 13 to communicate back to the bank. 14 What the software will not allow to happen is for the 15 customers to communicate with each other; around the wheel, a 16 opposed to the spokes. But what we said we would do for that 17 software for the banking use was that if the vendor, in this 18 case Netscape, but Microsoft made a similar announcement 19 yesterday, by the way, if the vendor has made a commitment to 20 build key recovery products, like in our basic policy, we 21 would for this kind of software for bank use permit its export 22 not only to 56 bits, but to any bit length. That permitted us 23 to approve Netscape's 168-bit product. Microsoft yesterday 24 announced approval of a similar product, although I am told by 25 the people that are into this commercially that the Netscape
[25] 1 product is available today, and the Microsoft product will not 2 be available until later in the summer, but we don't do 3 endorsements. There will be more of these. These are 4 consistent with our policy. 5 Chairman Gilman. Let me ask you, Mr. Freeh and 6 Mr. Crowell, what are your comments with regard to this latest 7 release? 8 Director Freeh. The decision on October 1 of last year 9 to relax the export controls with the specific provision that 10 the approved exportations would be in exchange for the 11 licensees constructing over the next 2-year period key 12 recovery-type products is, from our point of view, a very 13 positive development in the sense that it begins to create 14 incentives, incentives which are being taken advantage of 15 particularly by the financial community and institutions to 16 get their products distributed where they want them l? distributed, but also give us the commitment, although not 18 really an enforceable commitment, but a commitment 19 nevertheless, that they will also construct and develop key 20 recovery products. 21 The export controls mainly impact on the national 22 security interests that the United States has. We are 23 particularly concerned about the domestic availability in the 24 years to come. But this policy overall, as the Assistant 25 Secretary points out, is the incentive which is moving toward.
[26] 1 an infrastructure which we can take advantage of. 2 Chairman Gilman. Mr. Crowell do you agree with those 3 comments? 4 Mr. Crowell. Absolutely. And it is consistent with a 5 measured and sector-specific relaxation of export controls. 6 Chairman Gilman. Mr. Freeh, I know my other colleagues 7 have questions, and I will be brief. What impact would the 8 possible enactment of the SAFE Act have on your law 9 enforcement activities? 10 Director Freeh. Is that the current legislation? 11 Chairman Gilman. That is the current legislation by, I 12 think, Mr. Goodlatte? 13 Director Freeh. My view of it, it would be devastating 14 to us in the long run if we take down both the export controls 15 without any commitment or assurances or enforcement mechanisms 16 for moving towards key recovery infrastructure and combine 17 that with the promotion of a worldwide proliferation and 18 interconnection of robust encryption without a safety valve or 19 an access point for law enforcement. Maybe not next week and 20 maybe not next year, but eventually we will have trouble, in 21 my view. And my successors will have trouble protecting the 22 public safety because we are going to lose one of our most 23 important tools, which is timely court-authorized access to 24 communications and stored data. 25 Chairman Gilman. Mr. Crowell, do you agree those
[27] 1 comments? 2 Mr. Crowell. I am sorry; I got pulled away. 3 Chairman Gilman. I asked what impact a possible 4 enactment would have. 5 Mr. Crowell. They are consistent with what I said 6 earlier, that we believe that it doesn't move us in the right 7 direction, and it does change the export situation. 8 Chairman Gilman. I am going to have to go outside a few g moments, but I will be back in. 10 Mr. Hamilton, will you take over? 11 Mr. Hamilton. [Presiding.] Mr. Chairman, thank you for 12 arranging the briefing, and I want to thank our friends for 13 coming in here to talk to us about this. I am impressed with 14 kind of the dynamics of this thing. We have been through it 15 before, as you recall. What happens is the government has a 16 policy which restricts the exports. The industry doesn't like 17 it. The industry begins to contact their friends on the 18 Hill. They make a very strong case that you folks are 19 blocking exports, depriving us of jobs and profits and all of 20 the rest of it. 21 You, in response to that pressure, will adjust. You 22 begin to make some changes in your policy. At the end of the 23 day, you folks will prevail because you are going to have the 24 President on your side, and he is going to veto anything that 25 he thinks is against the law enforcement and the national
[28] 1 security interests of the country. 2 Now, I assume you don't want to try to block exports in 3 general. I assume you want to see the American software 4 industry, or however you describe it, prosper and sell export 5 and jobs. That is very, very important for us. 6 So the question that comes down to me is what is your 7 bottom line? What is your safety valve in your terms, 8 Mr. Director? You have got the Goodlatte bill, which, as I 9 understand it, eliminates all restrictions on encryption. You 10 spoke favorably a moment ago about the McCain-Kerry bill, but 11 as I understand that bill. It still maintains export control 12 on encryption software which uses longer than 56 bits. That 13 is not going to be satisfactory to the industry people, I am 14 quite sure. 15 So what kind of restrictions on exports are a minimum 16 that you just simply must have in order to protect these law 17 enforcement and national security interests that you are 18 seeking? 19 Director Freeh. With respect to the exports I will defer 20 to you. 21 Mr. Hamilton. Is McCain-Kerry your bottom line today? 22 Is it something that you cannot go beyond, McCain-Kerry? 23 Director Freeh. It is a minimal -- speaking for myself 24 and law enforcement, it is a minimal assurance and balance 25 that we feel needs to be maintained.
[29] 1 Mr. Hamilton. In other words, you cannot accept any 2 export -- anything with keys longer than 56 bits? You cannot 3 accept those exports? 4 Director Freeh. Yes, with all the other provisions of 5 the bill with respect to exports. 6 Mr. Hamilton. That is your bottom line? 7 Mr. Reinsch. Let me phrase it slightly differently, if I 8 may, because this is closed. Coming to terms with this issue 9 is an evolutionary process. You have just referred to some 10 phases of the evolution, and I think your point is well taken 11 although I must say that I wish that point of view had 12 prevailed last week on the vote on computer exports, but you 13 can't have everything. This was not a case of the Congress 14 forcing us to liberalize; it was a case of Congress forcing us 15 to roll back. 16 Mr. Berman. You mean the supercomputers? 17 Mr. Reinsch. Yes, but that is another issue. 18 Mr. Berman. They are going to weapons programs. 19 Mr. Reinsch. It is a lot more complicated, and I will 20 not go into weapons programs. 21 Mr. Goodlatte. If it makes you feel any better, I voted 22 with you on that. 23 Mr. Reinsch. I appreciate that. The irony is that the 24 arguments are sort of the same, and I want you to tell your 25 friends on the Senate side to do the same thing.
[30] 1 Mr. Crowell. As the Agency who originally said we should 2 have no restrictions on supercomputers, we found it strange 3 too. 4 Mr. Reinsch. This is an evolutionary process. So I want 5 to look down the road, and I can't walk you very far down that 6 road quite yet, but think a little bit about what we are 7 saying. What he needs is key recovery. What he needs is 8 review of each product once before it goes out the door. 9 Mr. Crowell. And key management infrastructure. 10 Mr. Reinsch. I was including that. The question is how 11 do we get there? We were trying to get there through export 12 controls. That may or may not be the best way. Arguably 13 import control might be the better way, but nobody wants to do 14 import controls, and they are off the map. 15 If you can think of a better way to get to where we want 16 to go, then I think that that is a worthwhile discussion to 17 have, but we haven't been able to come up with a better way. 18 And the more we erode the export control base, the farther 19 away we get from our goal. But as I said, our real problem 20 with Mr. Goodlatte's bill is not simply -- it is that it will 21 not push us forth toward key recovery, and the people in the 22 private sector that are supporting his bill don't like key 23 recovery and don't want to go down that road. 24 Mr. Hamilton. And there are features in the McCain-Kerry 25 bill that provide incentives? That is one thing you like
[31] 1 about that bill? 2 Mr. Reinsch. Yes. 3 Mr. Goodlatte. Mr. Chairman, could I interject one point 4 on that? 5 Mr. Hamilton. Yes. 6 Mr. Goodlatte. All of the companies that he just listed 7 IBM, Netscape and so on, that have come to them and have 8 agreed to participate in their key recovery requirements in 9 order to get the export licenses all endorse my bill. They 10 are not opposed to key recovery. Most of them are working or 11 key recovery products that they are going to sell. 12 What they object to is having the government put a label 13 on their product as it goes out the door saying this product 14 has been approved by the United States Government [redaction-- 15 -------------------------------------------] and therefore has 16 a competitive disadvantage with the foreign competition, and 17 think it is not in the national security interest of our 18 country to drive this development of cryptography offshore. 19 Sun Microsystems just a few weeks ago announced a program 20 with a Russian company to create the cryptography, import it 21 into the United States, attach it to the underlying software. 22 Sun Microsystems would sell it domestically, and the Russians 23 would sell it internationally. Everybody would be able to 24 communicate with each other, bypass our export control laws, 25 and suddenly we have the Russians creating our cryptography
[32] 1 rather than U.S. companies. 2 It makes no sense, in my opinion, to allow that kind of 3 transition of an industry that we dominate to take place and 4 take away from Mr. Crowell the opportunity to work with the 5 domestic U.S. companies on a case-by-case, confidential basis 6 to create the kind of information they need to have to game[+] 7 the system and instead turn that over to foreign governments 8 Mr. Reinsch. Let me be blunt for a minute, if I may, 9 uncharacteristically. Of course they endorse your bill. You 10 are offering them a bowl of ice cream; we are offering them a 11 plate of broccoli. What would they do under those 12 circumstances? Of course they are going to be for your bill. 13 There are differences within them, however, in terms of 14 the way that they are reacting to and accommodating our 15 policy. The companies that want to be in the end of the 16 business, that is building networks, that have clients and not 17 customers, that believe in service and ongoing relationships 18 and are setting up systems for banks or companies are fairly 19 comfortable with our policy because their customers want key 20 recovery, and they are busily figuring out ways to achieve 21 what their customers want and what they want in our 22 framework. 23 The companies that are most upset by our policies, 24 because it does not fit in their marketing plans, are the 25 companies that are engaged in the mass market shrink wrap [+ as written]
[33] 1 retail business whose service consists entirely of replacing 2 faulty diskette and don't have a system- or client-based 3 business as their main focus. 4 Ms. Lofgren. That is not Sun's business. 5 Mr. Crowell. It is mostly Sun's business. I mean, it is 6 slightly a step above shrink wrap, but it is mostly their 7 business. 8 Mr. Reinsch. If you look at the -- I am not suggesting 9 we write off this piece of the market because this is a 10 tremendously important piece of the market. What I am 11 suggesting is if there is a way to get everybody -- and I have 12 talked to all these companies, as you have. I spent half my 13 life doing this. The other half was trying to deal with the 14 supercomputers. But if we can get all of these companies 15 moving in the direction of key recovery -- and some of them 16 are flat out reluctant to do that and said so, and some of 17 them have changed their view about that. Netscape is one that 18 changed -- then we are in the process of coming together. But 19 we are not there yet. 20 Mr. Hamilton. Let me restore the regular order. I will 21 let you respond, and then we will go to Mr. Bereuter. 22 Mr. Crowell. With regard to the Russian product, Russian 23 law requires that that product be approved for export. 24 Director Freeh. And key recovery. 25 Mr. Crowell. It goes further and says it cannot be used
[34] 1 inside Russia, which it is already being used inside Russia 2 nor can it be exported unless it is key recoverable. 3 Elvis Company, my understanding is that the Elvis Company 4 approached Sun with the idea of putting cryptography in the 5 products to be imported into the United States. [Redaction --- 6 -------------------------------------------------------------- 7 -------------------------------------------------------------- 8 -----------------] 9 Mr. Goodlatte. I would agree, but I would suppose that 10 the Russian Government wants to have the same process to 11 approve the export for the same reason that you want to, in 12 order to be able to game the system, and they are going to 13 game it to our disadvantage rather than our advantage. 14 Mr. Crowell. I will repeat something I said when I came 15 in. We have accepted that we will be faced with a much harder 16 problem in the future than we have been in the past. We have 17 accepted that. We have found U.S. industry very cooperative. 18 Many of them, though, in this new software world don't even 19 know that this is a U.S. program. There is a need for an 20 instrument, just like the FCC has. When you get a garage door 21 opener, it is licensed so that you will not turn on your 22 neighbor's TV with the garage door opener. There is a need 23 for a licensing process [redaction---------------------------- 24 ------------------------------------------------------]. If 25 I gave you a diagram of encryption, you not only have to know
[35] 1 the key, you have to know the algorithm to be able to break 2 it. We are not trying to game it. And some companies are not 3 going to risk their future by gaming with us. And it should 4 not be thought that every U.S. company will do that. 5 Mr. Hamilton. Mr. Bereuter? 6 Mr. Bereuter. I just have a short question. It may be 7 difficult, I don't know. 8 Mr. Hamilton. Thank you, very much. 9 Mr. Bereuter. With respect to key recovery structure, 10 how do you intend to multilateralize it? If you don't have 11 multilateral agreements on export controls, aren't we 12 eventually going to lose our competitive position? 13 Mr. Reinsch. Yes, you are exactly right. If we cannot 14 multilateralize it, we will fail. I have said that publicly. 15 I will say it privately. We are working very hard to try to 16 multilateralize it. [redaction-------------------------------- 17 -------------------------------------------------------------- 18 -------------------------------------------------------------- 19 -------------------------------------------------------------- 20 -------------------------------------------------------------- 21 -------------------------------------------------------------- 22 -------------------------------------------------------------- 23 -------------------------------------------------------------- 24 -----------------------------------------] 25 With the exception of the Germans, which is a very
[36] 1 important exception, and I don't want to minimize it, with the 2 exception of the Germans, the other countries are essentially 3 moving in the same direction, either proactively or 4 reactively. The French have already gone beyond with us[+] a 5 very restrictive policy. The British have proposed a policy 6 in their White Paper which we can give you which would set up 7 a single key recovery certification authority that would be 8 approved by the government within the UK. If you want to 9 play, you have to be in that. 10 [redaction----------------------------------------------- 11 ----------------------] The Japanese will not flout the 12 international consensus. I think they are very busy 13 developing all kinds of products. They will be ready to flood 14 the market the minute they know what the consensus is. [redact 15 -------------------------------------------------------------- 16 -------------------------------------------------------------- 17 -------------------------------------------------------------- 18 -------------------------------------------------------------- 19 -------------------------------------------------------------- 20 -------------------------------------------------------------] 21 And this is one of the things over the next couple of 22 months we have to do something about. But the others are 23 having the same debate we are, and they are pretty much coming 24 to terms with the view that some limitations are going to be 25 required, because if it isn't, they can't pursue their own [+ as written]
[37] 1 national policy. If they don't have some control on what goes 2 in and out, or at least out, they cannot pursue what they want 3 to internally. 4 Mr. Bereuter. I know I need to go, but I know there are 5 other Members here that want to do things. Mr. Berman, 6 Mr. Goodlatte, Ms. Lofgren, and the gentleman from Florida -- 7 Mr. Rothman. New Jersey. We do look alike. 8 Mr. Bereuter. I am sorry, New Jersey. And Mr. 9 Rohrabacher was here, but I don't know if he is back. Can you 10 police yourself in my absence here, because I have to go. 11 Howard? 12 Mr. Berman. Sure, just like the companies will. I will 13 ask a couple of questions because I think these guys and you 14 guys will join the debate well. The thing they say to me a 15 lot, if this is so devastating, then the absence of a key 16 recovery system on very powerful encryption now that can 17 encrypt domestic transmissions and transmissions presumably 18 between the United States and points abroad -- I mean, how 19 devastating could this be if you are not pushing a bill to 20 stop the dissemination of any of this domestically or 21 internationally until you have your key recovery systems in 22 place; or even in your more recent order, 2 years, develop 23 something within 2 years and send us as high as you want, it 24 sort of undercuts the devastating aspect of it, the way you 25 are focusing the argument against the export part of it as
[38] 1 opposed to just changing the general law. Why don't you treat 2 it like heroin or something? 3 Director Freeh. Well, it is a good question, and a very 4 indicative one. Within the administration there have been s long and not harmonious discussions about what approach is 6 more requisite. The law enforcement components perhaps have 7 more immediate view, going to your question about the impact 8 of this, and that debate is pretty much over within the 9 administration, and the view is that the minimum that we 10 expect to be able to achieve and what we hope the Congress 11 considers is the balance which is set forth. 12 Now, that may not be the best of all worlds from a law 13 enforcement point of view, but it is a minimal step, in the 14 absence of which there is no prospect of protecting us. 15 The other -- the real answer to your question is that we 16 have not run into, in the normal course of our duties, that 17 closed door and that brick wall which we expect to be there as 18 soon as there is a universal type of proliferation where there 19 is interconnected encryption and stored data in encrypted 20 forms becomes the norm. 21 More and more our agents in computer cases, in cases of 22 electronic surveillance, are running into encryption, very 23 minimal instances, and the numbers are almost de minimis now, 24 but they are increasing at a sufficiently alarming rate to put 25 us on notice, I have them here, that this window is going to
[39] 1 shut and shut very quickly. It is like the digital access 2 window. We could not, and I did not in my testimony before 3 Chairman Edwards, say we are out of the wiretap business, and 4 if you don't do this, we are going to roll up shop. r did say 5 if we don't fix this problem, 5 years, 6 years, 10 years we 6 are going to be dead in the water with respect to that. This 7 problem has not hit us yet, but it is there, and it is 8 coming. 9 Mr. Crowell. If I could add to that, the same is true 10 internationally. Governments, militaries, diplomats continue 11 to use encryption, as they have for 50 years. [redaction------ 12 -------------------------------------------------------------- 13 ---------------------------] We are beginning to see 14 commercial encryption coming into some of those, and we are 15 beginning to see commercial encryption coming into the 16 militaries. [redaction---------------------------------------- 17 -----------------------] There are several others, [redaction l8 -------], who are using some commercial -- 19 Mr. Berman. Is it U.S. encryption? 20 Mr. Crowell. [redaction--------------------------] 21 Ms. Lofgren. What are they using? 22 Mr. Crowell. [redaction----------------------------------- 23 ------------------------------------------] 24 Mr. Berman. That is one of the criticisms of your 25 position is this stuff gets uploaded and downloaded. In other
[40] 1 words, you are. trying to do something at a dock and through a2 licensing process that is too late in the game. They can 3 download stuff right now. 4 Mr. Crowell. Actually we don't worry too much about 5 downloading. People are beginning to realize that there is a 6 lot more than the algorithm, and how do you verify that it is 7 any good. Real professionals in this business don't download 8 security software. 9 Director Freeh. Most people even on the Internet don't 10 violate the law by stealing and downloading commercial 11 encryption. Most people obey the law, which is in our favor, 12 which is what we want to build around. 13 Mr. Berman. They need a network to operate, 14 Ms. Lofgren. The crooks are less law-abiding than most 15 people. 16 Mr. Goodlatte. Director Freeh cited the Cali cartel as 17 hiring software engineers. The only time you will have access 18 to it is when you have to deal with a law-abiding entity like 19 a bank, and the bank -- and that is why I am not impressed 20 with your export control generosity to Netscape. It only 21 applies to banks. They are sitting targets. They are going 22 to respond to your subpoenas now under current law to give you 23 the key to decode any communications that they have with 24 anybody. 25 Mr. Berman. That is his point. That is why we could
[41] 1 give it to the banks. 2 Mr. Goodlatte. Right, but what about securing the 3 Internet? what about people's use of their credit cards on 4 the Internet, or their medical records, or the problem with 5 industrial espionage and the lack of security that the average 6 business has in transferring data to an engineering plant or 7 manufacturing plant? What about the New York Stock Exchange 8 or the Chicago Board of Trade? 9 Mr. Crowell. They can obtain it today with domestic 10 products. 11 Mr. Goodlatte. Sure, but if the Bank of America wants to 12 communicate with their Paris or London or Tokyo office, they 13 do not do it unless they break the law. 14 Mr. Crowell. You can by 64 bit. That is good for 7,000 15 years. So I don't believe it is the lack of availability. I 16 believe they are making economic decisions about how much do 17 they need to protect and how much do they want to pay to 18 protect it. And those are hard -- 19 Mr. Goodlatte. If it is available on the market now -- 20 Mr. Crowell. Lotus Notes has been available in 64 bits 21 approved for export for 2 years. 22 Mr. Reinsch. The example, when I was coming back from 23 New York, I just rode to the airport with a Bank of America 24 guy who invented their systems that they use in this area. 25 You know what he was upset about legislatively? The only
[42] 1 thing that bothered him about the McCain-Kerrey bill was the 2 provisions on Federal access which he felt were not written 3 properly because he thought they wouldn't require him to tell 4 the subject of the intercept, if you will, that, in fact, 5 there was an intercept going on. He didn't have any problem 6 with the rest of the bill, and he didn't have any problem with 7 what we are trying to do. Whatever they are doing, 8 internationally and nationally they are making it work. And 9 he again explained it to me, and I sort of got to the airport 10 at that point. 11 Ms. Lofgren. As you said several times both here and 12 elsewhere, the plan that you are proposing assumes and 13 requires acceptance, you know, worldwide, as Mr. Bereuter 14 indicated. And I will tell you this: I am from Silicon 15 Valley. I have people who feel very strongly about it, as you 16 know. But if I really felt that your scheme would work and 17 was necessary for the national security, I would tell them to 18 take a hike because our obligation is to make sure that our 19 country is safe. 20 I don't believe, however, that your scheme is going to 21 work. We had the guy from the European Union come in, and we 22 had this discussion. The paper that he left with us that 23 purports to be European Union's policy position on this whole 24 subject says straight up, their policy is to eliminate export 25 controls from the European Union on encryption. And if that
[43] 1 is their policy, how does your scheme work? 2 Mr. Crowell. Their policy states they will have trusted 3 third parties for key recovery, and they -- 4 Ms. Lofgren. I didn't bring it with me, I am sorry. 5 Mr. Crowell. And so it is more consistent with what we 6 are saying, I believe. 7 Ms. Lofgren. Well, from my memory -- 8 Mr. Berman. What about the other side? You said if I 9 thought it would work or I thought it would harm the national 10 security, I would not support them. What is the basis for 11 thinking that it would not harm the national security, or do 12 you mean it would not harm the national security any more than 13 it is going to be otherwise harmed? 14 Ms. Lofgren. My view is this, and I stuck with you, and 15 we met many, many times. If you are a bad guy, and you can 16 get encryption from a source other than a U.S. supplier to 17 foil our law enforcement, then why wouldn't you do that? And 18 if that would occur, then your policy is not going to help. 19 Mr. Berman. You are saying that national security has 20 already been harmed, and you can't stop it? 21 Ms. Lofgren. We can't stop it technologically. 22 Director Freeh. You have to put it in perspective. As 23 Bill stated, this is not a universal solution. We are not 24 going to stop, nor have we ever stopped, the Japanese military 25 command from encryption, the German war command, the Cali
[44] 1 cartel, et cetera. We are not talking about rolling back or 2 capturing literally the universe in this, What we are talking 3 about is universal proliferation and interconnected 4 proliferation. 5 If the Cali cartel wants to encrypt its command and 6 control decisions going from Bogota to Miami, we are not going 7 to do a lot with respect to these initiatives to stop it. 8 However, the people in Miami that have to deal with the 9 selling and the distributors and who have to deal with the 10 traffickers, the transporters, the money launderers, the 11 couriers, that is a network that we can attack, and that is 12 access points which, from our point of view, are critical. I 13 we do nothing to encourage some key recovery insurance, we are 14 going to lose the whole 10 yards. 15 Ms. Lofgren. If I may, as Bill pointed out earlier, the 16 transition or change pace is different because of the 17 availability of technology. I can't remember, I thought it 18 was you, Bill, but once the barrier is lifted, it moves in a 19 way that did not occur in World War II times. And I guess the 20 concern I have, I know the CEOs in most of these companies. 21 They are more than willing to do whatever they can -- I mean, 22 if you went to them and said, here is a terrorist, we need 23 your help, they would help you. If we in effect move this 24 offshore, you are going to even lose that ability. I mean, it 25 is a wild crew, I grant you that. They live in a different
[45] 1 world. But they are patriotic Americans. They don't want 2 harm to our country. 3 Director Freeh. Look, there is no greater supporter to 4 public safety than the common carriers, whether it was one 5 company or whether it was many companies. And for years we 6 went to them with court orders, and they would give us the 7 access to John Gotti's conversations willingly. But unless 8 their technology had that access point, and with a digital 9 system it would not have that access point, and they would not 10 voluntarily build it and'pay for it but for the 1994 statute 11 which this Congress passed, that is the kind of incentive that 12 has to be had to create a structure so they can do what they 13 want to do, I agree with you, which is support us. 14 Mr. Rothman. I am sorry; was late. Basically, by 15 requiring these encryption codes, if you will, or software to 16 have the back door available locked away somewhere, the 17 government would apply for a court order like it would on a 18 wiretap or something to get access to that key to unlock this 19 code, and that is all you are looking for? 20 Director Freeh. Well that is part of it. The 21 McCain-Kerry bill talks about doing it pursuant to subpoena; 22 others have talked about a court order. What we have agreed 23 to have and need to have is some court process, legal process, 24 supervised by a judge or magistrate to allow that access to 25 happen.
[46] 1 Mr. Rothman. I guess there are two issues in that for 2 me. One is the civil libertarian aspect and I guess freedom 3 from government intrusion, I guess, if it is the same 4 standards that apply -- it is not, Mr. Goodlatte? 5 Mr. Goodlatte. Not in my opinion, nor in the opinion of 6 most civil libertarians who have reviewed the bill. It allow 7 a foreign government to go directly to the Attorney General of 8 the United States for an authorization to get a key from a 9 third party holding your key. It allows the FBI or other 10 agents to go to the Attorney General for a letter. Subpoena 11 power is an erosion of the court-ordered standard that is 12 usually the case. 13 Mr. Rothman. What if they narrowed the scope, if you 14 will, to the same kind of level of proof that is required in 15 an eavesdropping case? 16 Mr. Goodlatte. That would be current law, and we have no 17 problem with that. 18 Mr. Rothman. Is that sufficient for you? 19 Mr. Crowell. That is what we are trying to achieve. 20 Mr. Reinsch. We have said many times that our intent is 21 to embody current law in this. 22 Mr. Rothman. But in order for that to be of any value, 23 you need those private companies to cooperate and create this 24 back door, and for that you need power of law to force them to 25 create the back door; is that right? Is that what you are
[47] 1 looking for? . 2 Mr. Crowell. Not for -- 3 Director Freeh. We need to have somewhere under some 4 regime, private, government or otherwise, a key which allows 5 us to understand what the court order, on a very high 6 standard, a standard which will not change, permits the 7 government to do upon a showing of probable cause. The same 8 Title III requirements allow me to listen to a conversation or 9 seize something. I take that court order signed by an Article 10 III judge, I have to go someplace now that has a key. I can, 11 just say to the company, telephone company, you know, give me 12 this pairing and let me listen. I cannot understand it, and 13 they cannot continue unless they have the key. 14 Mr. Rothman. If the company hasn't created a back door 15 to their own system? 16 Director Freeh. We will not have any access. 17 Mr. Rothman. And the bill you want wouldn't mandate them 18 to create this back door? 19 Mr. Reinsch. That is correct. 20 Mr. Goodlatte. Let me give you the opposite point of 21 view. There is no law in this country today that any way 22 restricts anybody's right to have any level of encryption on 23 their private communication. There is no law limiting the 24 import into this country of encryption. The only leverage 25 that these folks have is our export control laws.
[48] 1 So they say we are not mandating it, we just want you to 2 run by us for export purposes a plan that calls for a key 3 recovery element to your export. But if you are going to 4 communicate internationally, which is what the Internet is all 5 about, then means domestically you have to have that key 6 recovery system just like you do internationally. So while 7 they say they are not mandating it, effectively they are 8 mandating it, they require it internationally. 9 Mr. Rothman. Have we done too badly by having had for 10 the better part of our Nation's history law enforcement having 11 the ability to intercept our conversations or business 12 transactions? Have we suffered grievously? 13 Mr. Goodlatte. I don't object to that at all. 14 Mr. Rothman. How would we be worse off? The government 15 could always tap our phones anyway, could plant listening 16 devices in our homes and cars and under our lampshades anyway, 17 and we haven't done too badly. Now they say that is not 18 enough, there is a whole level of communication we will be 19 unable to listen to. Why shouldn't we give them the power to 20 do that under the same standards as they had to meet to listen 21 to our phone conversations? 22 Mr. Goodlatte. Well, the reason is that what you are 23 going to develop is a system where you have hundreds and 24 hundreds of foreign products that are available right now from 25 all over the world -- you brought this point out during the
[49] 1 International Relations Committee hearing. 2 Mr. Rothman. Yes. 3 Mr. Goodlatte. That you are not talking about large 4 things like bombs or jet or mainframe computers, You are 5 talking about 1s and 0s, going through computer lines that can 6 be downloaded off the Internet or purchased, domestically or 7 foreign, all over the world that bypass those systems. And 8 those products created in foreign countries are going to 9 overtake an industry that we dominate today. 10 Mr. Rothman. That was my second point, if I may. The 11 first one was a civil libertarian argument. 12 Mr. Goodlatte. But they blend together. 13 Mr. Rothman. The other argument being economies. Are we 14 going to lose our entire market share to these rogue little 15 companies that will not abide by multilateral agreements? 16 Director Freeh. I think you hit the nail on the head. 17 When I started, we are asking to maintain the balance of the 18 fourth amendment. For 200 years the framers and every 19 Congress thereafter has balanced protection of privacy with 20 the legitimate need for police under strict probable cause 21 limits with court orders to do search and seizure. The bills 22 that are being proposed will dramatically shift that balance 23 for the first time in 200 years. 24 What it means is that with probable cause, the judge 25 signs the order for me to access the conversations, but I
[50]1 cannot understand it. And I cannot understand it because no 2 one has, either by statute or otherwise required that there 3 be some key safely placed somewhere, only attainable with a 4 court order. That dramatically changes the balance of the 5 fourth amendment to the detriment of public safety. with 6 respect to foreign commerce, those little companies are not 7 going to make a difference in the market. 8 Mr. Rothman. Mr. Goodlatte do you buy that? In other 9 words, are we facing a catastrophe economically in terms of 10 job loss or business loss if we as a Nation participate in 11 this multilateral agreement? 12 Mr. Goodlatte. There was a study released about 2 years 13 ago that indicated that by the year 2000, just 3 years from 14 now, the effect upon jobs in the United States would be a loss 15 of 200,000 jobs and $60 billion in sales because encryption -- 16 you are not talking about a limited segment of the computer 17 market. As encryption develops, virtually any kind of 18 software that you use that is in any way involved with data 19 storage or communications is going to have encryption attached 20 to it. You are either going to have an industry that is 21 robustly available to attach encryption domestically, or you 22 are going to cede it to companies -- and they are not 23 fly-by-night operations -- overseas that will do it, and some 24 of these major U.S. companies will take an element of their 25 business offshore if that is what it takes to do it.
[51] 1 Mr. Reinsch. May I comment on that for a second? 2 Mr, Rothman. If the Chairman will acknowledge you. I am 3 just a freshman. 4 Mr. Reinsch. We are having a good dialogue. I am glad 5 you mentioned that. I would like to see that study. I have 6 seen the figures, but I don't have the study. 7 Mr. Goodlatte. I would be happy to get that for you. 8 Mr. Reinsch. Mr. Goodlatte makes a good point up to a 9 point. What we see happening is that there is some software 10 that is encryption-exclusive or specific, if you will. That 11 is what it does. What is going to happen recently is Lotus 12 Notes, WordPerfect, you know, whatever, Windows, Microsoft 13 Word will have encryption capabilities built into it, and it 14 will be sold, and in that sense what is currently -- if you 15 asked me to tell you what the encryption software is. I would 16 tell 2 or 3 percent of the total software market. As 17 encryption gets built into the other stuff, then I think it 18 becomes bigger. 19 On the other hand, you have to ask yourself why are 20 people going to buy Lotus Notes, because of encryption 21 capability or because of its spreadsheet capability? And I 22 think that is what will be competitive capabilities of these 23 items that will drive the market. 24 Mr. Rothman. Mr. Chairman, may I? 25 Chairman Gilman. [Presiding.] Yes, by all means.
[52] 1 Mr. Rothman. Is there any belief that the present day 2 manufacturers, the present day biggest sellers Of software, 3 will be unwilling to participate in this voluntary program? 4 So that at least for the next year or two, our beat judgment 5 is that 90 to 95 percent of the world's makers and 6 distributors of software with encryption will observe this? 7 Mr. Reinsch. No. I would say there is one company that 8 is probably not going to. 9 Mr. Rothman. Which is that? 10 Mr. Reinsch. Microsoft. 11 Mr. Rothman. That is a pretty big company. 12 Mr. Reinsch. Who is behind his bill. 13 Mr. Goodlatte. Well, they are all behind the bill. 14 Mr. Crowell. Let's be fair, Let's be sure we balance 15 this. Microsoft has worked with the Federal Government to 16 comply with export controls in key recovery kinds of 17 situations or in making sure that financial-specific products 18 were, in fact, financial-specific and verifying users. They 19 have done a lot of things that have been helpful. 20 Mr. Rothman. But they will not go along with your 21 voluntary program? 22 Mr. Crowell. They will not publicly endorse it, that is 23 for sure. 24 Mr. Reinsch. They appear not to believe that key 25 recovery is the way of the future.
[53] 1 Mr. Rothman. If you are just a freshman Member of 2 Congress, and someone comes to and says, we want you to adopt 3 a voluntary measure, and the biggest player in the country 4 says, we are not going to participate, what have we 5 accomplished? 6 Mr. Crowell. Can I characterize? I will give you an 7 example of what is going on. For 2 years, Microsoft said 8 there is no future in the network. We are not going to build 9 any network products. They are now one of the biggest 10 competitors in the networks business, web browsers, server 11 software, all of those kinds of things. 12 Mr. Rothman. You think they will change their mind? 13 Mr. Crowell. I don't think it is religious with them. I 14 think they are driven by market forces, yes. 15 Mr. Goodlatte. And good regulations. 16 Mr. Crowell. And good regulations. 17 And so if you put the proper framework out there, I think 18 they will in their business interest. 19 Mr. Reinsch. I don't want to suggest that they are doing 20 anything wrong. 21 Mr. Rothman. By the way, Mr. Goodlatte persuaded me. I 22 cosponsored that bill, that amendment, but I must tell you I 23 am having second thoughts. I don't know if that is a good 24 thing or a bad thing. 25 Chairman Gilman. It can't be all bad.
[54] 1 Mr. Rothman. And I think, frankly, the notion of making 2 the parallel between how government always having the power to 3 intercept our phone calls anyway, we have lived with that and 4 are arguably one of the freest if not the freest Nation on the 5 planet. We haven't done that badly, certain we know we have 6 had our share of dissent. 7 Director Freeh. It is also a very small number of 8 cases. If you add up all the State, Federal and local 9 surveillance orders, it is only 1,149. 10 Mr. Rothman. In the whole country? 11 Director Freeh. Seventy-one percent are drug cases, and 12 almost half them are not by the Federal Government, but your 13 State and local authorities. And if you talk to the 14 International Association of Chiefs of Police, your local 15 district attorney, they will give you, I think, the view that 16 I have given you. 17 Mr. Rothman. On that economic argument, which is a 18 powerful one, too, you know, that is a big unknown for me at 19 this point. 20 Mr. Goodlatte. Let me go back to the civil liberties 21 argument. 22 Chairman Gilman. If I could get a few questions in. I 23 regret I was called out to another function. If I am being 24 repetitive, let me know. 25 Mr. Freeh, how many organized -- major organized crime
[55] 1 cases has the FBI been able to make and sustain without 2 wiretaps? 3 Director Freeh. Without wiretaps? Very, very few. 4 Every one of our major cases, Mr, Gigante who is going on 5 trial in New York now, as you know, for the first time in 6 many, many years, all wiretap-related cases. 7 Chairman Gilman. And without a bathrobe, right? 8 Director Freeh. Without a bathrobe. 9 All of our major criminal cases, organized crime cases, 10 have been directly dependent on electronic surveillance. 11 Chairman Gilman. What impact will be on the FBI 12 real-time ability to follow leads, make seizures, to save 13 lives if there is a delay in understanding what is being said 14 on an ongoing wiretap? 15 Director Freeh. With unbreakable non-key recovery 16 encryption proliferated, we will be out of the public safety 17 business in terms of any real-time understanding or response 18 capability, not just in the big cases, but kidnapping cases 19 also, the things that we need to be in front of. 20 Chairman Gilman. Would you need added manpower resource 21 and equipment if there is a need to decrypt? And would that 22 add to your already difficult case of language translation in 23 many of your wiretaps? 24 Director Freeh. We would certainly need those resources, 25 but I think more importantly is the point that was made here.
[56] 1 Contrary to the National Research Council recommendation that 2 the FBI buy more computers and Bill Gate's suggestion to me 3 that we upgrade our research and development [redaction------ 4 --------------------------] American industry cannot do it, 5 and that is decrypt real time encryption over a very minimal 6 level of robustness. [redaction-----------] If you gave me $3 7 million to buy a Cray computer, it would take me how many 8 years to do one message bit? 9 Mr. Crowell. 64 bits, 7,000 years. 10 Director Freeh. I don't have that time in a kidnapping 11 case. It would kill us. 12 Chairman Gilman. Mr. Crowell, do you want to add 13 anything to these comments? 14 Mr. Crowell. No, sir. 15 Chairman Gilman. Mr. Reinsch? 16 Mr. Reinsch. No. 17 Chairman Gilman. Let me ask Mr. Goodlatte., how do you 18 take care of the security concerns in your bill? 19 Mr. Goodlatte. Well, security concerns are legitimate. 20 The problem is that what they are proposing to do will not 21 work. And that is the concern I have. We are more than 22 willing to work with them in any other way. But I would just 23 suggest to you as the Chairman of the International Relations 24 Committee, they haven't answered what I think is the critical 25 question, and the Speaker raised this question the other day,
[57] 1 and that is if we attempt to force the route of key recovery 2 or key escrow, and alternatives develop around the worlds and 3 they are developing right now, to get this cryptography 4 without having to comply with this mechanism set up by the 5 U.S. Government, then the ability that the NSA has had for 6 many years to work with domestic suppliers of encryption and 7 software in general, to get the information they need to work 8 that will be lost because you will be dealing with Russian and 9 Irish and Indian and countries and companies all over the 10 world that are not going to be cooperating with them for their 11 systems. 12 I think that their basic fundamental underlying 13 proposition, which is that they will be able to game the 14 system if they have this filter that they run U.S. software 15 through, will in the end result in a very insecure situation. 16 They will no longer have that capability because they will not 17 have U.S. industry there to deal with them. 18 Chairman Gilman. How do you respond to that? 19 Mr. Crowell. First of all, the implication there is that 20 we rely on U.S. companies altering their products in order to 21 make us successful, and I would like to categorically state 22 that that is not -- 23 Mr. Goodlatte. They are giving you information about the 24 product. 25 Mr. Crowell. Well, that is true. We would like to have
[58] 1 information on the product, [redaction------------------------ 2 -------------------------------------------------------------- 3 -------------------------------------------------------------- 4 -----------------------------------] So it will not change the 5 equation for us, [redaction----------------------------------- 6 ------] 7 Mr. Goodlatte. That is my point, not yours. 8 Mr. Crowell. Yes, we will be up against very large 9 odds. I mentioned at the beginning that there are two 10 considerations here. One is having a sound foundation for 11 U.S. protection, governmental and nongovernmental critical 12 infrastructure, and we believe that the building of a key 13 management infrastructure and key recovery to protect public 14 interest and electronic government is a very, very important 15 part of that. We believe that export controls that are 16 relaxed in terms of restrictions on bit lengths and all of 17 those kinds of things, but that require one-time review on a 18 rapid basis, encourage cooperation with U.S. industry and will 19 be required by virtually every nation in the world and will 20 not differentiate U.S. industry from the rest of the world. 21 Mr. Goodlatte. If you get one-time review, but don't 22 have any standard that you are applying to that review, would 23 that satisfy you? We were talking with Mr. Hamilton about 24 what they would take as a bottom line to resolve this. 25 Mr. Crowell. Not if it precipitously, without any other
[59] 1 criteria, allowed to any user anywhere in the world, including 2 rogue states, the availability of any strength encryption. 3 No, we have had other criteria that we have included, and the 4 administrative procedures that we follow allow us to have that 5 flexibility. You do not have the mandatory -- name a product 6 you don't have the same level of mandatory decontrol that you 7 are advocating for encryption. 8 Mr. Goodlatte. Well, we are arguing the same side of the 9 issue when we say that, because -- 10 Mr. Crowell. We often are, sir. 11 Mr. Goodlatte. That is fine, but that is not what the 12 McCain-Kerry bill does. 13 Mr. Crowell. And we haven't endorsed the McCain-Kerrey 14 bill. We have said it has certain parts that we believe move 15 us in the right direction. One part is the incentives for 16 building certificate authorities in key management 17 infrastructure. The second is incentives for key recovery. 18 The third is some relaxation in export controls. 19 Mr. Goodlatte. We conducted some discussions about the 20 whole issue of incentives for key recovery, and I certainly 21 have no problem whatsoever with those who want to develop and 22 use key recovery. I think it is a wise thing for the Federal 23 Government to have for its own agencies. I think any major 24 business and perhaps really anybody who thinks about it, if 25 you lose the key to your house, you can probably find another
[60] 1 way to get in. You lose the key to what is in your computer,2 you have a serious problem. So there is a reason for people 3 to want to have key recovery, The issue is who do you trust 4 and what role the government plays in setting that up, or do 5 you allow free enterprise to set it up? 6 Mr. Crowell. Our policy and the McCain-Kerry bill 7 encourages the development of key recovery systems by 8 industry, and except for government users of encryption, they 9 do not require any involvement in government in the choices of 10 technical approach or anything else. It is a purely voluntary 11 system. 12 Mr. Goodlatte. Not if you require it before the product 13 goes out the door. 14 Chairman Gilman. Let me ask one other question. I have 15 been informed that Aldrich Ames, the terrorist Youssef and the 16 Cali cartel all use encryption. 17 Director Freeh. Ames was instructed by his handlers to 18 use encryption. Youssef's computer in the Philippines had an 19 encrypted file. Some of the targets that we have used in the 20 images cases, the on-line pedophiles, have used and promoted 21 encrypted communications. So we think that this is a good 22 index as to where we are going with our -- 23 Chairman Gilman. Any major crime cases that you are 24 working on right now, are they using encryption as well? 25 Director Freeh. Yes, in some cases. Very few instances,
[61] 1 the DEA had to abandon a Title III case in California because 2 the subjects in the Zorro 2 case were using encryption in some 3 of their communications. Again, very few instances now, but 4 it is clearly the trend that is increasing and we are going to 5 be hit with very hard. 6 Chairman Gilman. Let me ask one other question. Is 7 there some compromise between your position and 8 Mr, Goodlatte's position that we could undertake to meet the 9 security concerns and at the same time meet some of the 10 commercial concerns? Do you see any mid-area that we could 11 use to arbitrate this problem? 12 Mr. Goodlatte. We have had a number of discussions, and 13 I think there are some areas, Mr. Chairman, where that can be 14 achieved. I think the fundamental difference, and I don't 15 know how you split it, is on whether or not the export control 16 laws of our country and the regulations that are in place 17 right now can allow the government to require before a piece 18 of software is exported that it have a key recovery mechanism 19 attached to it that is a very difficult thing to compromise 20 on. That is why we call it mandatory. 21 Chairman Gilman. Why is that so difficult? 22 Mr. Goodlatte. Because you either require it or you 23 don't. And the Privacy groups in the country and the industry 24 groups are strongly opposed to that mechanism being attached 25 to the software going out of the country. And there are a lot
[62] 1 of reasons, some of which I described, for concern including 2 the concern that by doing that, we are working at cross 3 purposes with ourselves because we are going to label our 4 software as being inspected and approved by the U.S. 5 Government, and the foreign competition is not going to have 6 that attached to theirs, and over time there is going to be an 7 erosion of the market. 8 Mr. Reinsch. If I may, Mr. Chairman, what I was trying 9 to suggest while you were out of the room was that, 10 Mr. Goodlatte makes a good point, our assessment of the 11 industry's view is that it is more divided than that, and 12 there is one company in particular, Microsoft, that is -- 13 takes the view that Mr. Goodlatte described. I don't think 14 the rest of them would. And that is why I suggested that if 15 there is a way out of there, and I am not sure there is a way 16 out of this between now and the time of the markup, but if 17 there is light at the end of the tunnel down the road, it is 18 in all of Mr. Goodlatte's constituents, if you will, or 19 industry supporters coming along on key recovery, because that 20 solves our problem. 21 And if they are not going to come along on key recovery 22 at the end of the day, you know, then we don't feel that we 23 have a lot of choices other than the ones that we have taken. 24 Director Freeh. One quick analogy I can give you is for 25 4 years we negotiated with the phone companies and the common
[63] 1 carriers to write some software which would give us access so 2 our Title III orders not be null and void when we served 3 them. For 4 years they said, we will do it. They did nothing 4 over the 4 years, and the Congress had to intervene to require 5 them to do something, which in all fairness to public safety 6 they should have done, but couldn't do, because there was no 7 incentive to do. We are happy to negotiate and compromise. 8 We haven't seen that coming from the industry. 9 Chairman Gilman. Is there any hope for some compromise, 10 Mr. Goodlatte? 11 Mr. Goodlatte. Well, on that issue, I think it is a 12 difficult issue. On some of the issues regarding the 13 incentives that Mr. Reinsch talks about, there is, I think, 14 room for compromise; in other words, some of the issues 15 regarding what protections people have if they offer key 16 recovery. It is very contentious because other people, when 17 you give a waiver to somebody who holds the key and say, if 18 you give that key to the wrong person by mistake, if you are 19 acting in good faith, we will not hold you responsible for 20 that, that key is giving away somebody else's constitutional 21 rights, so obviously that other person is very concerned about 22 that. Nonetheless those issues, I think, are compromisable. 23 Mr. Crowell. I read that statement on the CDT -- in some 24 correspondence from the CDT recently, and for the life of me I 25 don't find that in any of our proposals or in the McCain-Kerry
[64] 1 bill. 2 Mr. Goodlatte. We had a rather extensive discussion of 3 it -- you were not present; Mr. Reinsch was -- the last time 4 we met in the Judiciary Committee. 5 Mr. Crowell. The unconditional liability protection. 6 Mr. Goodlatte. It is not unconditional. 7 Mr. Crowell. The statement I saw in the CDT, which I 8 heard you make that a negligent act by a company mishandling a 9 key was not an offense, and it is an offense under the 10 McCain-Kerry bill. 11 Mr. Goodlatte. There is a provision in McCain-Kerrey 12 that if you act in good faith, you are given protections that 13 you would not be ordinarily given under the law. 14 Chairman Gilman. Are there any further comments? 15 Mr. Goodlatte. Mr, Chairman, I thank you for allowing me 16 as much latitude as you have. 17 Chairman Gilman. I thank our panelists for being here 18 and giving of your time. 19 Any other comments? Staff? 20 Thanks again. It has been very helpful. Thank you. 21 [Whereupon, at 3:48 p.m., the committee was adjourned.] 22 23 24 25
[End]
Digitized and hypertexted by NYA/Urban Deadline.