tensive an enforcement effort do you need, and that's when I think the question about voluntary compliance or not would come in.

But I would hope that we would have some agreement that this notion that we don't need any law just doesn't work, and that if you have the law we would then hope that most people would comply voluntarily. That's the way we tend to prefer law enforcement.

Mr. MEDINE. Well I think the question is where does the law currently begin and end? I think, following up on Becky Burr's comments, FTC's authority primarily in the adult area relates to deception, which is a firm states how they are going to be using information; we can enforce that by bringing an action. What we can't mandate is a firm stating their privacy policies. They have to do that voluntarily.

Mr. FRANK. Right.
Mr. MEDINE. So that's where industry self-regulation comes in.

Mr. FRANK. I think obviously we can deal with deception under existing law. It's sometimes hard to prove. And children is obviously a separate case where they give up their own information, and you can say with regard to underage people they need protection.

I guess the thing we have to address is people who give information voluntarily, adults, for one purpose, and then find that it used for another. Is there any law on that or is that now wide open for people to do what they want?

Mr. MEDINE. Well again that's the issue of whether firms are voluntarily telling consumers how they're going to use the data. If they say we will use it to fulfill your order and for no other purpose, and they don't honor that, then that's deceptive.

Mr. FRANK. Most people don't think to ask.
I would ask for another couple of minutes, Mr. Chairman.
Mr. COBLE. Without objection.

Mr. FRANK. I think, you know, most of us when we're buying something don't stop and think to ask now what else are you going to use this for. I mean I agree if they tell you one thing and violate it that's a different story. And if they say to you, by the way, we're going to take this information and sell it to people who will forever after call you up at dinner time and harass you, then I might not buy it. So I think most of these fall into the category of people who get the information from you, and I think most people assume that it's only going to be for this purpose, but it's for another purpose. Is there any law in that area?

Mr. MEDINE. There isn't, and that's where we're looking for selfregulation. That's why we're surveying web sites to see what percentage are voluntarily providing consumers information about their practices, and again we will report to Congress on June 1st about that.

Mr. FRANK. Well let me ask you, I mean why shouldn't we do this self-regulation. If I'm self-regulating how is the law going to hurt me? The law doesn't hurt me if I'm self-regulating. It just tells me I should do what I'm already doing.

Mr. MEDINE. Well you'll have to take that up with industry. Our approach has been to try to Mr. FRANK. We'll have to take it up with who? With industry, no.

Mr. MEDINE. I mean our view has been let's give industry a chance to do all that voluntarily without the need for a law pressing them on that.

Mr. FRANK. Why? Excuse me, why? What is this, like law is some bad thing? You know, laws properly enforced don't walk around and bite people. If the law says you should not take information from people without telling them you're going to use it for another purpose and they use it for another purpose, who is that law hurting?

Mr. MEDINE. Well I think the concern has been that laws can somehow, depending on how they're drafted, confine the development of an industry, be technology specific and not allow for new technologies to be developed. There is tremendous change going on.

Mr. FRANK. Those are all those fake reasons I'm talking about. You know, they tell us that because they really want to keep going. By the way, I don't mean to get into a turf battle here, but they're more worried about how you enforce them than how we draft them has been my experience.

Let me just ask, finally, if there is a compendium, if anybody has done one and, if not, I would urge, Ambassador, and I think you're the highest ranking Executive Branch official here, could we ask for a kind of compendium on what the law now is maybe working interdepartmentally through Justice. I think it would be very helpful for this subcommittee. If by the end of this session for next year, and I mean I'm not looking for something instantly, but after we adjourn for the year and have gone home and we've stopped pestering you, if we could have an interdepartmental effort that laid out the state of the law on this subject matter I think that would be a very useful jumping off point for us for next year, Mr. Chairman.

I thank you for the extra time.

Mr. AARON. We would be happy to arrange that. OMB actually has prepared such a document a year ago, and we can make sure that it's updated.

Mr. FRANK. Yes, if they could because obviously things are changing and if it could be passed around. Do they get input from all the other departmental agencies?

Mr. AARON. Oh, yes.
Mr. FRANK. And I assume from the regulatory agencies as well.
Mr. AARON. They make sure that we are involved.

Mr. FRANK. Did they release that document? I don't know if we've seen it.

Mr. AARON. I'm sorry?
Mr. FRANK. Have they released that document?

Mr. AARON. Yes. I understand that was circulated a year ago or produced and made public a year ago.

Mr. FRANK. Made public a year ago.
Mr. AARON. Yes, and Justice was involved also.
Mr. COBLE. I thank the gentleman.

The gentleman from Virginia, Mr. Goodlatte is recognized for 5 minutes.

Mr. GOODLATTE. Thank you, Mr. Chairman.

Ambassador Aaron, welcome. I would like to commend you on your efforts to promote electronic commerce and protect individual privacy. It's something that is of great concern to me and I think vitally important to see the Internet reach its full potential.

As you know, I have introduced legislation that is designed to make sure that one of the primary tools for protecting privacy and promoting electronic commerce is available to all law-abiding citizens, and that is the use of strong encryption, and it would be my interest in hearing your comments on the efforts that have been pursued in the Congress and in the Administration to reach an agreement on the most effective way to do that.

I know that there are certain law enforcement concerns about encryption being used by those who are not law-abiding citizens who want to cover up their own activities, and the FBI and others have some concerns about that which I share with them. However, I do not share the solution that they have put forward which is to require every law-abiding citizen to put the key to their software programs in a location where law enforcement can access it without their knowledge.

This is a massive erosion of the Fourth Amendment privacy rights of United States citizens, and it would be exceedingly harmful to the software industry in the United States which would effectively have their packaging labeled with a different standard than the foreign competition that is out there in more than 20 countries around the world today. Ultimately the effect of that will be to stunt, as the current export control policy of the Administration is doing, the growing use of strong encryption in advancing the Internet for all means of electronic commerce, protecting credit cards, medical records, copyrighted material, industrial trade secrets and protecting the infrastructure of our country, whether it be the New York Stock Exchange or a nuclear power plant.

Encryption serves vital functions, and I'm concerned that this Administration's policy is retarding the growth and use of encryption, and that certainly is the consensus opinion of not only the software and hardware computer industries, but also of the business community in general because my legislation has been endorsed by the U.S. Chamber of Commerce, the National Association of Manufacturers and a number of other respected organizations that are concerned about having electronic commerce grow on the Internet.

Would you respond to that.

Mr. AARON. I think it's important to recognize that the Administration's encryption policy is not designed to require every American to place a key to their encryption in the hands of either the government or a third party.

Mr. GOODLATTE. But in order to get an export control license you have to come forward with a key recovery plan in order to export the product, and the Internet being an international function it is not feasible to have domestic encryption. There is no law against the domestic use of encryption today, you are correct about that. But if you're going to use something in your New York and San Francisco offices and also in your London, Paris and Tokyo offices you've got to be able to export that encryption in order to utilize it, and our policy seems to very much retard that.

Mr. AARON. The policy on export controls is designed to encourage the development and sale of key recoverable encryption around the world, including in the United States. It does not require it. As you pointed out, there are no requirements within the United States that kind of encryption is to be used by American citizens. But the export controls do require that above a certain strength exported encryption software would be sold abroad, is required to have key recovery features at least by the end of this year, and for even stronger encryption it's required now.

Mr. GOODLATTE. İsn't that effectively mandating a key recovery system for the United States? It may not be the actual law, but the effect of having export controls is to create domestic controls.

Mr. AARON. I've always been a little baffled by that concern because we have the largest [by far) Internet computer information technology market in the world. Within the United States, we have a fair number of very powerful, in fact virtually unbreakable encryption programs that are for sale within the United States. I can't say, despite all the attention by industry, that the export control laws are what are holding back the promise of encryption.

I believe most people who have analyzed this with some expertise believe that what is holding back encryption and its more widespread use within the United States is in fact the absence of appropriate certificate authorities and authenticating bodies that enable people who are communicating with encrypted names from knowing who the person is they're communicating with.

Mr. GOODLATTE. Well that's obviously not the focus of the industry because they have placed great emphasis on changing the export control laws, and obviously they feel that they have been hindered in their ability to compete.

I'm also aware of the fact that you have been engaged in negotiations with other countries around the world in an effort to get them to adopt similar standards to those standards of the United States, not a market-driven policy, but a governmental policy, and it's my understanding that those efforts have been lacking in success, which indicates again to me that this policy of trying to use export control laws to guide the market with regard to the use of encryption is not going to work. It's failing.

Mr. AARON. I wouldn't agree with that assessment, Mr. Goodlatte. My experience in discussing these matters with foreign governments is that two things are underway. First of all, foreign governments are making their own policies, the Canadian Government, the Swedish Government, the British Government and the French Government. The French have made their policy, and the other three governments are in the process of making their policies. They are all trying to come to the same point that we're trying to reach here in the United States, which is how to balance the need for strong encryption against the requirements of law enforcement.

I think it's extremely important to recognize that if we go forward with technologies that do not permit law enforcement to continue to conduct electronic surveillance this will have a powerful impact on the ability of law enforcement to carry out its responsibilities. Understandably all markets are quite concerned about the impact on an enforcement, and every government is going through the same difficult task of balancing these issues. As you point out the law enforcement community does have a deep concern here and their interests are quite different than that of the business community in some very specific sectors.

I think that there is a possibility (with good will on both sides) to find middle ground so that we can have strong encryption for all the purposes that are necessary to protect privacy and at the same time not give a blank check to criminal elements in our society.

Mr. GOODLATTE. Well, Ambassador Aaron, my time has expired.

Mr. Chairman, I would ask unanimous consent for a couple of additional minutes.

Mr. COBLE. Without objection.

Mr. GOODLATTE. I hope you are right about that. I share law enforcement's concern, as you say, but I do not share the solution that they have offered because I don't think it's workable. It is clear that those who are dedicated to acquiring encryption to misuse it already have access to it. The Cali Cartel is known to have software engineers who write and create encryption programs. You can download encryption off the Internet, and you can buy it from more than 20 foreign countries right now. You mentioned four that are in various stages of considering the issue, but there are nearly 200 nations around the world, and access to encryption for those who are bent on violating the law is very easy. It's not like your standard export control product, like a bomb or a jet or a mainframe computer where there are few manufacturers and there are a few known recipients of these, and the funnel through our export process can be fairly effective at restricting access to these things.

Here we're talking about an idea, mathematical algorithms, little l's and O's going through wires. Every day there are individuals who violate the export control laws of the United States without their knowledge by sending encrypted material between this country and other countries, and to use those laws for this purpose I think is totally ineffective. I think most other nations around the world are recognizing that.

Mr. Chairman, with your permission I would like submit for the record two articles from the New York Times, one dated October 9, 1997, which is entitled “Europeans Reject U.S. Plan on Electronic Cryptography," which talks about a meeting of the European Commission that had rejected the proposals by the United States aimed at ensuring that police agencies can crack coded messages over telephone and computer networks, and more recently a February 9, 1998 New York Times article entitled "Support for Encryption is Less than U.S. Claims Study Says,” and it starts out “The Clinton Administration is losing its battle to increase international controls over how reliably computer data can be scrambled to ensure privacy according to reports scheduled to be released Monday by an independent research group."

This report goes on to quote individuals who say “I don't see any clear consensus out there in the world. I think the governments are equally divided on the issues and are not likely to try and follow the U.S. in trying to go down the path of the U.S. in the key recovery scheme.”

Mr. Chairman, if these could be made a part of the record I would appreciate it.

Mr. COBLE. Without objection they will be indeed made a part of the record.

« ForrigeFortsett »