20 July 1999. Add cite on House Report 106-117 part 3. 16 July 1999. Add July 14 Intel Committee actions on SAFE. 14 July 1999 ------------------------------------------------------------------------- [Congressional Record: July 13, 1999 (Digest)] [Page D791-D794] From the Congressional Record Online via GPO Access [wais.access.gpo.gov] [DOCID:cr13jy99-2] House of Representatives SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT Committee on Armed Services: Held a hearing on H.R. 850, Security and Freedom through Encryption (SAFE) Act. Testimony was heard from the following officials of the Department of Justice: Janet Reno, Attorney General; and Louis J. Freeh, Director, FBI; William A. Reinsch, Under Secretary, Export Administration, Department of Commerce; and public witnesses. ---------- Source: http://www.usia.gov/cgi-bin/washfile/display.pl?p=/products/washfile/latest&f=99071304.clt&t=/products/washfile/newsitem.shtml 13 July 1999 Third House Committee Approves Encryption Export Decontrol Bill (Administration reiterates its opposition) (660) By Bruce Odessey USIA Staff Writer Washington -- A bill opposed by the Clinton administration that would essentially eliminate U.S. export controls on any encryption software widely available outside the United States has moved closer to passage by the House of Representatives. By 33-5 the House International Relations Committee July 13 approved the bill, over the opposition of its own Republican chairman, Representative Benjamin Gilman, with only minor amendments. In order to become law the bill would have to pass the full House and Senate and either be signed by the President Clinton or re-passed with two-thirds' majorities to overturn a Clinton veto. Because the bill has as sponsors more than half of House members, House passage seems a certainty if it ever reaches the House floor. In Congress' previous session, the bill had the same level of support but was blocked from a full House vote by the chairman of the powerful Rules Committee, who has since retired. The new Rules Committee chairman has indicated support for the bill. The House Judiciary and Commerce committees have already approved provisions of the bill under their jurisdiction. The International Relations Committee acted just hours after a hearing at the Armed Services Committee, one of the few pockets of opposition to the bill in the House. In July 13 testimony before Armed Services, Attorney General Janet Reno and FBI Director Louis Freeh reiterated Clinton administration opposition to the bill. Reno argued that unlimited export of robust encryption software poses grave challenges to U.S. law-enforcement, security and intelligence officials in gathering information on terrorists and criminals. "Unless Congress recognizes the needs of law enforcement soon, it will become far more difficult for the FBI, DEA [Drug Enforcement Agency] and other federal, state and local law enforcement agencies ... to protect the public from crimes such as terrorism, narcotics trafficking, economic fraud and child pornography," Reno said. Supporters of the bill argue, however, that attempting to control software that can already easily be downloaded from the Internet is futile. The industry contends that under U.S. export controls its companies are losing global market share to non-U.S. producers. Administration officials have also argued that the bill would violate U.S. voluntary commitments made in 1998 in the Wassenaar Arrangement restricting the member countries of that group to adhere to limits on encryption export controls. Supporters of the bill argue, however, that the Wassenaar agreement covers only a fraction of the 35 or so encryption-manufacturing countries -- not India or Israel, for example -- and that Wassenaar is too weak to enforce any agreement. The International Affairs Committee did approve some amendments to the bill. One would bar U.S. exports of robust encryption to the government or military of China. Another would clarify that advanced computers, satellites and other products containing robust encryption would still be subject to export controls. Other amendments would prohibit exports of robust software to drug traffickers or to persons engaged in proliferation of weapons of mass destruction. Committee members rejected 22-15 an amendment that would have authorized the president to reimpose export controls on encryption if the Wassenaar Arrangement or some other multilateral agreement with credible enforcement power came into force. A Senate bill taking a different approach to encryption export decontrol, sponsored by Republican Senator John McCain, has been approved in the Senate Commerce Committee, which McCain chairs. Existing regulations allow domestic U.S. sales of any strength of encryption software; the current industry standard is 128-bit. Regulations generally restrict exports of software stronger than 56-bit; they make exceptions for exports to foreign subsidiaries of U.S. companies and to certain industries like banking and health care. A U.S. appeals court in San Francisco has ruled the existing export controls violate U.S. residents' constitutional right of freedom of speech, but the ruling has not taken effect while the Clinton administration appeals the court's decision further. ----- 13 July 1999 Attorney General Reno on encryption technology and crime (Says police need controlled access to encrypted messages) (2590) U.S. Attorney General Janet Reno has appealed for congressional action to help stop the spread of encryption technology that puts criminals beyond the grasp of law enforcement. "Unless Congress recognizes the needs of law enforcement soon, it will become far more difficult for the FBI (Federal Bureau of Investigation), DEA (Drug Enforcement Agency), and other federal, state, and local law enforcement agencies, faced with the rising threat from criminal use of commercially available encryption, to protect the public from crimes such as terrorism, narcotics trafficking, economic fraud, and child pornography," Reno said July 13. She made that statement while testifying before the House Armed Services Committee which is debating the national security implications of the unmonitored and unregulated export of encryption products. Reno said encryption software programs should contain coding that allows law enforcement agencies to unscramble encrypted telephone conversations and computer data when they obtain court orders for telephone wire taps and search warrants. "Law enforcement strongly supports the legitimate use of encryption to protect privacy and security and to support electronic commerce," Reno said. "We must recognize, however, that these beneficial uses do not change the fact that encryption in the hands of criminals is a powerful tool, one that effectively protects criminals from being brought to justice." The attorney general said she hopes Congress will fund the creation of a "Technical Support Center" within the FBI that will support federal, state and local law enforcement in developing technologies, tools, and techniques to deal with criminals and terrorists armed with encryption technologies. Reno said the Justice Department sides with the National Security Agency that the immediate decontrol of all export controls is not in the U.S. national interest. Following is the text of Reno's testimony, as prepared for delivery: (begin text) Testimony of Janet Reno Attorney General Department of Justice Before The House Armed Services Committee On the Security and Freedom through Encryption (SAFE) Act July 13, 1999 Mr. Chairman, thank you for the opportunity to testify about the Department of Justice's views on encryption, and particularly the proposed Security and Freedom through Encryption (SAFE) Act, introduced by Mr. Goodlatte as H.R. 850. As you are aware, encryption presents complex and difficult issues that we are attempting to address with our colleagues throughout the Administration. But despite the difficulty of the issues presented, the time has come for government and for our society to take a close look at both the benefits that encryption provides to us and the clear risks that it creates for public safety, and to determine whether and how law enforcement will be able to function effectively as the criminal use of encryption quickly overtakes law enforcement's capacity to address it. Encryption provides many important benefits to society, and protects the security and the privacy of citizens from intrusions by criminals into their personal documents, files, and communications. Our citizens expect that a ledger book in a person's home or a personal telephone conversation will remain private. Both the Constitution and Congress fully support this expectation of privacy. But both also recognize that the good of society requires narrow exceptions to this normal expectation of privacy. If law enforcement agents follow detailed procedures set forth by Congress and present probable cause to a court, they can be given the authority to obtain the ledger with a search warrant or intercept the telephone call with a wiretap order. The widespread use of encryption, however, will effectively eliminate these exceptions and prevent law enforcement, even with an order obtained from a court under procedures established by Congress, from obtaining information which may be critical to protecting public safety. Unless Congress recognizes the needs of law enforcement soon, it will become far more difficult for the FBI, DEA, and other federal, state, and local, law enforcement agencies, faced with the rising threat from the criminal use of commercially available encryption, to protect the public from crimes such as terrorism, narcotics trafficking, economic fraud, and child pornography. Simply put, encryption provides a way to scramble information so that the information can only be read by those people who-know the secret key needed to unscramble it. And if Congress does not support the Administration's efforts to encourage the development of "recoverable" products, or products that protect law enforcement's ability to obtain the plaintext of messages when faced with criminals using encryption, criminals may be able to act with impunity simply by using commercially available encryption products to scramble their communications and records. The following are only hypothetical scenarios, but could easily become real cases: The FBI learns that a terrorist group is operating in a major city and may be planning to bomb several buildings and a baseball field within the next 24 hours. As is often necessary when it is investigating organized criminal activity, the FBI must prepare a detailed affidavit setting forth the facts giving probable cause to believe that interception of conversations is necessary and will lead to evidence of this criminal activity, have the request to intercept approved by a person delegated authority by the Attorney General, and then present the application to a federal court even to initiate the tap on the telephone used by the suspected terrorists. Despite following these procedures, and unfortunately for public safety, all that the FBI hears when it taps the terrorists' phone is a meaningless mishmash of sounds, because the terrorist is using a commercially available encryption product. The terrorist could be planning to bomb a site that very day or could be having an innocent conversation -- there is no way to tell -- and the answer could come too late to save lives. Here is another example. A local sheriff learns that an individual is abusing children and producing and distributing child pornography. The sheriff then requests and obtains a search warrant from a state court authorizing law enforcement officers to conduct a search for evidence of crime. The officers then go to the suspected pedophile's home, serve him with a copy of the warrant, and begin searching for evidence. They find computers, digital cameras, and children's clothing, but no photographs, videotapes, or written records. Instead, they find that the digital cameras are connected to the computers, which can store digital pictures and movies. They also find that all of the information stored on the computers has been encrypted and is unreadable. Thus, they cannot use this evidence to prove a crime, and cannot use it to identify and rescue children who are currently being abused. Encryption also assists financial criminals. Many of us use the Internet frequently. We bank online, shop online, and file our taxes online. Encryption helps make all of these transactions more secure, but it can also make crimes far harder to detect. Ask yourself what would happen if a computer hacker were to usurp your identity, or that of one of your constituents. He could withdraw money, order merchandise in the victim's name, and ruin the victim's credit rating. Law enforcement might locate a suspect, present an affidavit to a Magistrate Judge, and obtain a search warrant. But if the computer hacker used encryption, the data stored on his computer, which could be essential in sustaining a successful prosecution or in identifying other victims, will be completely scrambled and impossible to use as evidence, unless we have the ability to decrypt it. While these are hypothetical cases, the underlying concerns are very real. We have already seen cases where child pornographers have encrypted child pornography, depriving law enforcement of critical evidence, including possibly the ability to identify abused children and get them the help they need. Terrorists are now actually using encryption, which means that in the future we may wiretap a conversation in which the terrorists discuss the location of a bomb soon to go off, but we will be unable to prevent the terrorist act because we cannot understand the conversation. And narcotics traffickers and computer hackers are now using encryption technology, thus defeating efforts to collect evidence. The issue Congress and the Administration must consider is whether law enforcement should have the ability to obtain usable evidence in these and other types of cases, and whether, and if so how, criminals will be caught. Of course, there are many legitimate reasons to protect information with encryption. Those using cellular phones can protect the privacy of their calls, preventing others from listening in. Information stored on a home or business computer -- personal letters, a diary, financial information -- can all be protected from computer hackers, because even if a hacker steals information, he will never be able to read it. For these reasons, law enforcement strongly supports the legitimate use of encryption to protect privacy and security, and to support electronic commerce. We must recognize, however, that these beneficial uses do not change the fact that encryption in the hands of criminals is a powerful tool, one that effectively protects criminals from being brought to justice. It is because of my concern for public safety, and because of my responsibility to bring criminals to justice, that I am deeply concerned about the use of encryption by criminals. But there are solutions. One is for the Administration, Congress and the public to support the use of products which scramble information securely and protect legitimate activities, but provide a way to get the unscrambled criminally-related information if law enforcement has the proper legal authority. For example, some products allow a third party such as a system administrator to provide law enforcement with access to plaintext when law enforcement meets the legal requirements for obtaining that plaintext. Public confidence in such products would be significantly enhanced if there were assurances that such keys would be protected from unauthorized disclosure, as we protect telephone calls and personal records today. This would support both security and privacy, and encourage the use of one type of encryption that addresses the needs of public safety. We in government must also continue to work cooperatively with industry to find new solutions. Director Freeh, Undersecretary Reinsch, and 1, as well as other members of the Administration, have met personally with CEOs of major companies in the computer and communications industries. These ongoing, productive discussions seek to find creative solutions, in addition to key recovery, to the dual needs for strong encryption to protect privacy and the ability of law enforcement, with appropriate authority, to obtain plaintext to protect public safety and business interests. I would like to emphasize that we have found these discussions productive, and that I believe that industry is genuinely concerned about the risks encryption poses for public safety. However, we must recognize that industry must respond to the market, and that market forces will only take us so far. If we strongly support products which allow law enforcement to obtain plaintext, and build a infrastructure around them, then many criminals will use such encryption because that is what is readily available and easy to use. But some criminals will not use encryption that allows access to plaintext by law enforcement no matter what government does, because, for example, criminals would rather lose data than have it seized by law enforcement. More must be done. To deal with the threat of dangerous criminals using non-recoverable encryption, law enforcement needs enhanced tools to obtain usable evidence, and the legal authority and practical ability to use those tools, if we are to maintain our current ability to protect public safety. Today, for example, we have the ability to use search warrants and wiretaps with the permission of a court, and under its strict supervision. These tools -- wiretaps and search warrants -- have proven to be absolutely essential in obtaining evidence and fighting crime. But encryption can turn a warrant or order into a practical nullity. We will obtain only meaningless, encrypted information that cannot be used as evidence. Therefore, in order to maintain our ability to use court-authorized tools, we are enhancing the technical ability of the Federal Bureau of Investigation and other law enforcement entities to obtain the plaintext of encrypted communications and stored data. Essential to preserving our ability to protect public safety is the funding of a centralized technical resource -- a "Technical Support Center" -- within the FBI. This is an important aspect of our budget proposal for Fiscal Year 2000, and I am asking for support in providing funding for this resource. I believe Director Freeh will address this resource in more detail. This resource, when fully established,, will support federal, state, and local law enforcement in developing a broad range of expertise, technologies, tools, and techniques to respond directly to the threat to public safety posed by the widespread use of encryption by criminals and terrorists. We will need Congressional support, both in terms of additional funding and authorizations, for developing and deploying technical capabilities that will allow us to obtain plaintext. The development of such a Center was discussed in meetings last summer among myself, Director Freeh, other law enforcement officials, and important leaders of the computer industry. We have continued to work with industry to develop solutions for protecting public safety in light of the widespread sale of robust encryption. However, we must recognize that the Technical Support Center does not offer a "silver bullet" -- the widespread use of non-recoverable encryption by criminals would quickly overwhelm any possible law enforcement technical response. Since there is no "silver bullet," we must continue to work on many fronts, as I have discussed, to protect public safety. In light of the above, the proposed Security and Freedom through Encryption Act raises several concerns from the perspective of the Department of Justice. First, we share the deep concern of the National Security Agency that the immediate decontrol of all export controls through the SAFE act is not in the national interest. The second problem is that the Act may retard the development of products that could assist law enforcement in obtaining access to plaintext. As I explained above, the Administration believes that the development and use of such products are important to protect public safety. Unfortunately, to the extent that the SAFE Act would actually prohibit the government from encouraging development of products that would allow law enforcement to access the plaintext of messages through avenues permitted by law, it places public safety at risk. Instead, any legislation should support public safety, not impair it. The proposed SAFE Act does not include any provisions aimed at improving law enforcement's ability to perform its public safety mission in an encrypted world. In conclusion, unless Congress recognizes the needs of law enforcement soon, the widespread use of commercially available encryption that does not preserve the ability of law enforcement to obtain the plaintext of messages under appropriate legal authority will soon greatly impair law enforcement's ability to protect public safety. Law enforcement will be unable to execute many search warrants for electronic information, and will be unable to conduct wiretaps in many instances. We will still investigate and prove criminal cases, but when criminals use encryption it will be much harder and we will be less likely to succeed. As a result, criminals will escape justice, and our attempt to make the world a safer place for law-abiding Americans will have failed in part. That, to me, is an unacceptable result, and we must not allow it to happen. (end text) ----------------------------------------------------------------------- [Congressional Record: July 12, 1999 (House)] [Page H5365-H5366] From the Congressional Record Online via GPO Access [wais.access.gpo.gov] [DOCID:cr12jy99-98] REPORTS OF COMMITTEES ON PUBLIC BILLS AND RESOLUTIONS Mr. BLILEY: Committee on Commerce. H.R. 850. A bill to amend title 18, United States Code, to affirm the rights of United States persons to use and sell encryption and to relax export controls on encryption; with an amendment (Rept. 106- 117 Pt. 2). Ordered to be printed. ----------------------------------------------------------------------- [Congressional Record: July 14, 1999 (Digest)] [Page D801-D804] From the Congressional Record Online via GPO Access [wais.access.gpo.gov] [DOCID:cr14jy99-2] [[Page D801]] House of Representatives ENCRYPTION Permanent Select Committee on Intelligence: Held a hearing on Encryption. Testimony was heard from the following officials of the Department of Justice: Janet Reno, Attorney General; and Louis J. Freeh, Director, FBI; John J. Hamre, Deputy Secretary, Department of Defense; and Thomas Constantine, former Director, DEA, Department of Justice. -------------------------------------------------------------------------- [Congressional Record: July 14, 1999 (Digest)] [Page D804-D805] From the Congressional Record Online via GPO Access [wais.access.gpo.gov] [DOCID:cr14jy99-3] COMMITTEE MEETINGS FOR THURSDAY, JULY 15, 1999 (Committee meetings are open unless otherwise indicated) Senate Permanent Select Committee on Intelligence, executive, to mark up H.R. 850, Security and Freedom through Encryption (SAFE) Act, 2 p.m., H-405 Capitol. -------------------------------------------------------------------------- Date: Fri, 16 Jul 1999 21:55:17 -0400 To: dcsb@ai.mit.edu, cypherpunks@cyberpass.net, cryptography@c2.net From: Robert Hettinga Subject: Drawing A Hard Line On Encryption (was Re: Edupage, 16 July 1999) At 4:35 PM -0600 on 7/16/99, EDUCAUSE wrote: > DRAWING A HARD LINE ON ENCRYPTION > The House Permanent Select Committee on Intelligence unanimously > approved a measure to control exports of encryption software and > provide government access to encrypted data.� The committee was > the fourth House panel to approve the amendment, which was > designed to ensure that government agencies can obtain court > orders to access encrypted information.� The committee also > adopted a measure allowing the president to control, and deny, > encryption exports significant to national security.� Last, the > committee approved language authorization funding to enable law > enforcement and intelligence agencies to better prevent the > spread of increasingly powerful encryption software.� These > issues have been the subject of much controversy, as software > manufacturers argue that they are losing market share from export > controls, while privacy activists oppose law enforcement access > to encrypted data.� (Washington Post 07/16/99) ----------------- Robert A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' --------------------------------------------------------------------- [Congressional Record: July 19, 1999 (House)] [Page H5838] From the Congressional Record Online via GPO Access [wais.access.gpo.gov] [DOCID:cr19jy99-83] REPORTS OF COMMITTEES ON PUBLIC BILLS AND RESOLUTIONS Under clause 2 of rule XIII, reports of committees were delivered to the Clerk for printing and reference to the proper calendar, as follows: Mr. GILMAN: Committee on International Relations. H.R. 850. A bill to amend title 18, United States Code, to affirm the rights of United States persons to use and sell encryption and to relax export controls on encryption; with an amendment (Rept. 106-117 Pt. 3). Ordered to be printed. --------------------------------------------------------------------- JYA Note: For House Report 106-117 pt. 1 see: http://cryptome.org/hr106-117-p1.txt (104K) Parts 2 and 3 are not yet available.