
the world, including in the United States. It does not require it. As you pointed out, there are no requirements within the United States that kind of encryption is to be used by American citizens. But the export controls do require that above a certain strength exported encryption software would be sold abroad, is required to have key recovery features at least by the end of this year, and for even stronger encryption it's required now.

Mr. GOODLATTE. Isn't that effectively mandating a key recovery system for the United States? It may not be the actual law, but the effect of having export controls is to create domestic controls.

Mr. AARON. I've always been a little baffled by that concern because we have the largest [by far] Internet computer information technology market in the world. Within the United States, we have a fair number of very powerful, in fact virtually unbreakable encryption programs that are for sale within the United States. I can't say, despite all the attention by industry, that the export control laws are what are holding back the promise of encryption.

I believe most people who have analyzed this with some expertise believe that what is holding back encryption and its more widespread use within the United States is in fact the absence of appropriate certificate authorities and authenticating bodies that enable people who are communicating with encrypted names from knowing who the person is they're communicating with.

Mr. GOODLATTE. Well that's obviously not the focus of the industry because they have placed great emphasis on changing the export control laws, and obviously they feel that they have been hindered in their ability to compete.

I'm also aware of the fact that you have been engaged in negotiations with other countries around the world in an effort to get them to adopt similar standards to those standards of the United States, not a market-driven policy, but a governmental policy, and it's my understanding that those efforts have been lacking in success, which indicates again to me that this policy of trying to use export control laws to guide the market with regard to the use of encryption is not going to work. It's failing.

Mr. AARON. I wouldn't agree with that assessment, Mr. Goodlatte. My experience in discussing these matters with foreign governments is that two things are underway. First of all, foreign governments are making their own policies, the Canadian Government, the Swedish Government, the British Government and the French Government. The French have made their policy, and the other three governments are in the process of making their policies. They are all trying to come to the same point that we're trying to reach here in the United States, which is how to balance the need for strong encryption against the requirements of law enforcement. I think it's extremely important to recognize that if we go forward with technologies that do not permit law enforcement to continue to conduct electronic surveillance this will have a powerful impact on the ability of law enforcement to carry out its responsibilities. Understandably all markets are quite concerned about the impact on an enforcement, and every government is going through the same difficult task of balancing these issues. As you point out the law enforcement community does have a deep concern here and their interests are quite different than that of the business community in some very specific sectors.

I think that there is possibility (with good will on both sides) to find middle ground so that we can have strong encryption for all the purposes that are necessary to protect privacy and at the same time not give a blank check to criminal elements in our society.

Mr. GOODLATTE. Well, Ambassador Aaron, my time has expired. Mr. Chairman, I would ask unanimous consent for a couple of additional minutes.

Mr. COBLE. Without objection.

Mr. GOODLATTE. I hope you are right about that. I share law enforcement's concern, as you say, but I do not share the solution that they have offered because I don't think it's workable. It is clear that those who are dedicated to acquiring encryption to misuse it already have access to it. The Cali Cartel is known to have software engineers who write and create encryption programs. You can download encryption off the Internet, and you can buy it from more than 20 foreign countries right now. You mentioned four that are in various stages of considering the issue, but there are nearly 200 nations around the world, and access to encryption for those who are bent on violating the law is very easy. It's not like your standard export control product, like a bomb or a jet or a mainframe computer where there are few manufacturers and there are a few known recipients of these, and the funnel through our export process can be fairly effective at restricting access to these things. Here we're talking about an idea, mathematical algorithms, little 1's and 0's going through wires. Every day there are individuals who violate the export control laws of the United States without their knowledge by sending encrypted material between this country and other countries, and to use those laws for this purpose I think is totally ineffective. I think most other nations around the world are recognizing that.

Mr. Chairman, with your permission I would like to submit for the record two articles from the New York Times, one dated October 9, 1997, which is entitled "Europeans Reject U.S. Plan on Electronic Cryptography," which talks about a meeting of the European Commission that had rejected the proposals by the United States aimed at ensuring that police agencies can crack coded messages over telephone and computer networks, and more recently a February 9, 1998 New York Times article entitled "Support for Encryption is Less than U.S. Claims Study Says," and it starts out "The Clinton Administration is losing its battle to increase international controls over how reliably computer data can be scrambled to ensure privacy according to reports scheduled to be released Monday by an independent research group."


This report goes on to quote individuals who say "I don't see any clear consensus out there in the world. I think the governments are equally divided on the issues and are not likely to try and follow the U.S. in trying to go down the path of the U.S. in the key recovery scheme."

Mr. Chairman, if these could be made a part of the record I would appreciate it.

Mr. COBLE. Without objection they will be indeed made a part of the record.

Mr. GOODLATTE. Thank you, Ambassador Aaron.

[The information referred to follows:]


WASHINGTON -- The Clinton administration is losing its battle to increase international controls over how reliably computer data can be scrambled to insure privacy, according to a report scheduled to be released Monday by an independent research group.

The administration has been lobbying members of the European Union and other industrialized nations to back its efforts to place controls on "strong encryption," a technology for scrambling data so effectively that the code cannot be broken and the content cannot be deciphered without a digital key.

Data encrypting is used increasingly to protect the privacy of financial transactions, medical records and business communications. The administration wants the ability to descramble all encrypted messages to keep tabs on criminals.


In a report scheduled to be released Monday, the Electronic Privacy Information Center, a Washington-based research group, says that its survey of 243 governments showed that the United States is virtually the only democratic, industrialized nation seeking domestic regulation of strong encryption.


That finding directly contradicts the Clinton administration's assertion in congressional hearings that it has the support of most nations on this issue.


David Sobel, who directed the study by the research
group for the Global Internet Liberty Campaign, a
civil-liberties advocacy group, said of the
administration: "They make the claim that other
countries are accepting the U.S. position on this, then in
an attempt to make that a reality, our government
launched a worldwide lobbying campaign on
encryption policy."

William Reinsch, the undersecretary for export
administration in the U.S. Commerce Department,
denied that the study contradicted the administration's
assertions.

"All the administration has ever said is that there are
more countries that go farther than we do," he said.
"The study confirms that. And what I've gone on to say
is that in talks with other countries, they are moving in
our direction. I don't think the study itself does anything
to contradict that."

The report comes as Congress prepares to renew what
has become a contentious debate on encryption policy.
Currently, the United States controls only the export of
strong encryption. But the administration is pushing for
a system that would give a third party a set of spare
keys to all scrambled data so that law enforcement
agencies could gain easy access to otherwise
uncrackable computer files. The Federal Bureau of
Investigation is pushing for a mandatory key recovery
system that would guarantee the agency "immediate"
access to the communications and data of suspected
criminals.

Key recovery, as such systems are known, is opposed by virtually everyone outside of law enforcement agencies, including groups as diverse as the American Civil Liberties Union and the National Rifle Association. Opponents argue that such systems would be analogous to being required to leave copies of your letters at the post office in case some day you were suspected of committing a crime.

The survey, based on direct questioning of officials in more than 200 nations and territories, found that in the "vast majority of countries, cryptography may be freely used, manufactured, and sold without restriction," according to the report.

"This is true for both leading industrial countries and for countries in emerging markets," the report says. "We also noted that recent trends in international law and policy suggest greater relaxation in controls on cryptography. There are a small number of countries where strong domestic controls on the use of cryptography are in place. These include Belarus, China, Israel, Pakistan, Russia, and Singapore. There are an even smaller number of countries that are currently considering the adoption of new controls. These include India, South Korea and the United States."

The report calls the policies of the United States "most surprising, given the fact that virtually all of the other democratic, industrial nations have few if any controls on the use of cryptography."

It goes on to observe that the administration's position "may be explained, in part, by the dominant role that state security agencies in the U.S. hold in the development of encryption policy."

France is a notable exception to the international trend, having one of the most restrictive encryption control policies in the world. But the movement there has been toward easing those controls, according to the report. Last August, Industry Minister Christian Pierret said that France would liberalize its encryption policies to "allow French companies to fully enter the market of electronic commerce currently dominated by U.S. companies."

Sobel said that the study was conducted, in part, "to test the administration's representations about the state of play around the world on this issues, because they have been pretty outspoken in congressional hearings in claiming that the U.S. policy is in line with what other governments are inclined to do with respect the encryption issues."

Reinsch defended those claims. "What we are finding in talks with government after government is a recognition of the need to create key management infrastructure," he said.

Lynn McNulty, a retired associated director for computer security at the National Institute for Standards and Technology who now is director of government affairs for the RSA Data Security, a developer of commercial encryption software, said he was not surprised by the survey's findings.

"I don't see any clear consensus out there in the world," McNulty said. "I think the governments are equally divided on this issues and are not likely to try and follow the U.S. in trying to go down the path of the U.S. in the key recovery scheme."
