Mixed Signals In The Debate Over Encryption Technology
By Juliana Gruenwald, CQ Staff Writer
When Vivian Lindsey wants to buy a book, she logs on to the World Wide Web and selects what she wants from Amazon.Com, a Seattle-based company that sells books, music and videos over the Internet.
"It's so much easier," said Lindsey, an administrative assistant from Rockville, Md., who uses her credit card to pay for her purchases and gets them delivered by mail.
There is one caveat. Lindsey said she only buys items over the Internet if she is sure that her credit card number is protected from theft.
Amazon provides that assurance. Like many companies that conduct business on-line, it is using encryption, technology that scrambles data or communications to keep intruders from gaining access.
"Encryption is the foundation of security and electronic commerce," said Gant Redmon, counsel for Axent Technologies Inc., a company based in Rockville that makes encryption products.
While most agree that encryption is a key element in the growth of electronic commerce, a long-running debate has raged involving the high-tech industry, government officials and lawmakers over how far the government should go in restricting the technology's use. High-tech companies have been pushing to export much stronger encryption products than currently allowed.
The Clinton administration has been reluctant to relax export controls on encryption. It is worried that easing controls may hinder law enforcement and intelligence gathering when the technology is used to block access to communications or data.
But high-tech companies argue that restrictions are doing little to control the spread of strong encryption. Instead, they argue that these restrictions are making it increasingly difficult for U.S. companies to compete with foreign competitors.
Just how serious the issue is becoming was apparent June 9 when top law enforcement officials met with a half-dozen executives of high-tech companies to discuss both sides of the issue.
Among the participants in the meeting, hosted by Sen. Dianne Feinstein, D-Calif., at her office, were FBI Director Louis J. Freeh and Attorney General Janet Reno, as well as Microsoft Corp. Chairman Bill Gates, Scott McNealy, chief executive of Sun Microsystems Inc., and Sen. Jon Kyl, R-Ariz.
While providing few details, Feinstein said afterward, "Some seeds for possible approaches were developed." Both sides agreed to meet again. Feinstein and Kyl have been sympathetic to law enforcement and national security officials.
Reno said June 11 during her weekly news conference, "It was a very good, open, frank exchange. I found it very useful, and I look forward to continuing these efforts."
After the meeting, an administration official, speaking on condition of anonymity, said the session persuaded the White House to redouble its efforts to reach a "balanced solution" by fall that would be likely to include some relaxation of current export controls.
The official said the administration is still discussing how far it would go in relaxing controls.
Both sides in the debate fear that national security and U.S. business interests will be harmed unless a solution is reached.
"If we don't solve the problem now, I'm afraid that in the long run we may end up worse off," said Robert S. Litt, associate deputy attorney general in the Justice Department's Criminal Division. "We're going to run the risk of greater restrictions, more intrusive surveillance and ultimately less freedom than we have now."
Many thought the battle would be fought out in the 105th Congress. Several bills have been introduced, and a few have seen committee action.
But the same forces that have stymied industry efforts within the administration have helped stall an effort in Congress this year. With precious few legislative days left this session, many of those involved say it appears unlikely lawmakers will resolve such a contentious issue.
While industry leaders say they are not giving up hope for legislative action, they have been holding discussions with the administration, at the urging of Vice President Al Gore, in hopes of finding some middle ground.
The FBI's Case
The White House's policy has been driven by fears of law enforcement and national security officials that loosening export controls would lead to the widespread use of unbreakable encryption by criminals and terrorists who want to hide their illegal activities.
As the use of encryption becomes more commonplace among criminals, law enforcement officials are concerned that their ability to use wiretaps and other legal means to gain valuable evidence will be thwarted if communications or stored data is coded with unbreakable encryption.
While still relatively small, the number of FBI cases involving computerized evidence where encryption was used increased from 3 percent to 7 percent in the last several years. And FBI officials expect it to continue rising.
Freeh took the debate one step further in 1997 by calling for restrictions on the use of encryption products within the United States -- comments that sent waves of panic throughout the technology industry. (1997 CQ Weekly, p. 2140)
The FBI has been "trying to find a balance in which we can still do our job and do our job in the future as this proliferates. We hope strong encryption proliferates from a business part and from a privacy part -- but how can we do it in such a way . . . that doesn't [hurt] us," said FBI deputy Assistant Director Edward L. Allen in an interview.
The FBI has been pushing to require manufacturers to ensure that law enforcement has some way to gain access to a decrypted version of stored data or communications.
Freeh has advocated requiring all encryption products made in the United States or those imported into the United States to include a "key recovery" feature that would require a user of encryption to store the key needed to decrypt data with a trusted third party.
Privacy advocates and industry representatives say this would give the FBI unprecedented access into every American's private communications.
FBI officials now say they are not advocating any particular technology as long as authorities can gain access, with a court order, to a plain-text version of encrypted information.
Other officials say the administration does not favor a mandatory key recovery system.
"We have said we're not going to make people use [key recovery], and we're not going to make them manufacture" such products, said William A. Reinsch, under secretary for the Commerce Department's Bureau of Export Administration and the administration's chief spokesman on the issue. But, he said, "we're trying to talk with them so they can understand why it's in their interest as well as ours" to make key recovery products.
The administration has advocated the development of an international voluntary "public key infrastructure," in which individuals and businesses could interact in a secure system. At the same time, such a system would provide law enforcement with the access they desire. No international consensus on such a system has been reached.
Some industry officials acknowledge that there is a limited market for key recovery products, but it is primarily only for protecting stored data and not for protecting e-mail or other communications.
But criminals are unlikely to use encryption with a recovery feature that provides law enforcement with a window into their information, privacy advocates and industry officials argue. They also claim that key recovery would make the encrypted information of legitimate users more vulnerable to hackers and criminals.
"It just simply, from a security standpoint, doesn't make sense to have a key potentially within the public domain," said William Binzel, vice president of government relations for Mastercard International.
Some also are wary of the FBI's call for access to a plain-text version of encrypted information.
"It is basically, in practice, semantics, as far as we can decipher," said Rebecca M.J. Gould, vice president of policy for the Business Software Alliance, which represents several software companies.
A Bit Stronger
While Americans are free to use any type or level of encryption in the United States they choose, the administration's policy allows the export only of encryption products that industry describes as weak.
Under current regulations, due to expire at the end of the year, companies can apply for a license to export stronger encryption products those with a strength level of 56 bits, if they have a plan for developing products with a key recovery feature. (A bit is a digit in a binary system. The longer the bit system, the greater number of possible keys and the more difficult it is to break.)
Companies can export products with any strength level as long as such products already include key recovery.
In a blunt assessment of the situation, Commerce Secretary William M. Daley said in April, "While our policy goal, balance, is the right one, our implementation has been a failure."
Explaining his boss's comments, Reinsch said Daley was referring to mixed signals that have come out of the administration by the FBI and others about the types of products it would like the industry to build.
If the administration can not "send signals to the industry about what we would like to see them build or what we would not like to see them build, then . . . we're not implementing the policy properly, and we're in effect slowing down the development of products we would like to see in the marketplace," Reinsch said.
But he added that Daley also was sending a message to business that it needs to be more willing to compromise.
Some industry officials agree they will have to be more flexible.
"Both sides, on the outer edges of the debate, have enough votes to cancel each other out -- in Congress and even in the administration," said Aaron W. Cross, IBM Corp.'s public policy director, adding that IBM is "trying to work for something that is politically realistic at this point."
However, other industry representatives and privacy advocates portrayed Daley's comments as an admission that the administration's policies have been a failure.
One of their key arguments is that efforts to control the spread of encryption are futile at this point. They argue that strong encryption products that do not include recovery features are already available worldwide and can even be downloaded from the World Wide Web.
As of December 1997, there were more than 1,600 encryption products manufactured in 30 countries, according to a study by Trusted Information Systems, a company that provides security products and services for electronic communications.
"The most difficult thing [in this debate] is getting the administration to show some reality on encryption," said Sen. Patrick J. Leahy, D-Vt.
Encryption makers and software manufacturers say they are losing market share to foreign competitors who can respond to customers who want the most secure products available.
Peter F. Harter, global policy counsel for Netscape Communications Corp., which uses encryption in all its software products, said it is forced to "sell dumbed-down versions" of its products overseas, leaving the company in a tenuous position.
Victor S. Wheatman, a vice president and research director at the Gartner Group, a communications and technology research firm based in Stamford, Conn., said U.S. companies "arguably have the best products, and [foreign] competitors are able to dance around them."
Wheatman noted that some companies are increasingly finding ways to get around the restrictions, such as working through foreign subsidiaries.
If the current restrictions are not lifted, said Rep. Zoe Lofgren, D-Calif., "at some point we won't have any domestic industry."
In an April study, the Economic Strategy Institute, which studies economic competitiveness, said the U.S. economy could lose between $35 billion and $96 billion as a consequence of current encryption policies. The study includes the potential impact on U.S. companies that make encryption and on companies that use encryption in their products or for their own security.
While acknowledging that there is going to be a cost to industry if the issue is not resolved soon, Reinsch said the institute's estimates exaggerate the likely economic impact.
One former administration official, who spoke on condition of anonymity, was among those who advocated export controls, saying such controls bought time to allow officials to develop ways to contend with challenging new technologies.
But the administration's regulations may have reached a point of diminishing returns, and the effort spent defending the current policy might be better used to seek ways to deal with future technological threats, the former official said.
In discussions with the administration that have been under way for the past few months, a coalition of business interests that favors relaxing export controls, Americans for Computer Privacy, proposed that the administration provide industry with some interim relief from restrictions as efforts at a broader compromise continue.
The proposal, offered in May, would allow the export of 56-bit products without any commitment to building products that include a key recovery feature. It also would allow certain organizations and companies to export products with any strength to "legitimate and responsible" entities overseas, such as companies that are publicly traded in global markets.
"We need relief now, and we need to quit playing this game," said Gould of the Business Software Alliance.
James X. Dempsey, senior counsel for the Center for Democracy and Technology, a group that promotes civil liberties in cyberspace, said that as part of any deal the administration "is going to have to reject the concept of domestic controls."
Congress has had as much difficulty with this issue as the administration.
Five House committees have approved differing versions of encryption legislation (HR695). (1997 CQ Weekly, p. 2307)
High-tech companies back the original version of HR695, which would allow the export of encryption equal in strength to what is generally available overseas. It also would bar the administration from placing restrictions on encryption products used in the United States.
They oppose a version of the bill backed by the FBI and approved by the House Intelligence Committee in September. It would require encryption products manufactured and distributed for sale or use in the United States to include a feature to allow law enforcement to gain access to decryption information or to a plain-text version of the data or communications. Exports also would be required to include such a feature.
The bill's original backers say they would prefer no bill at all to the Intelligence Committee's version.
House Rules Committee Chairman Gerald B.H. Solomon, R-N.Y., opposes sending a bill to the floor that does not appease law enforcement and national security officials. "We're not going to let a bill go through that's going to wipe out the strategic interests of the United States," Solomon said.
The bill has been stalled as House leaders decide how to proceed.
With nearly 250 cosponsors in the original version, HR695 has broad bipartisan support.
Rep. Robert W. Goodlatte, R-Va., HR695's chief sponsor, has been working with the leadership to bring the bill to the floor without the provisions approved by the Intelligence Committee. "We're pushing hard," he said.
A spokesman for House Majority Leader Dick Armey, R-Texas, said the issue is still on the leadership's agenda and could come up before Congress leaves for its summer recess in August.
But some industry supporters say they may have more success if they wait until 1999, when Solomon will no longer be chairman of the Rules Committee. He is retiring at the end of the 105th Congress. David Dreier, R-Calif., a cosponsor of HR695, is in line to chair the panel.
Rep. Rick White, R-Wash., whose district includes software maker Microsoft Corp., said he still thinks "there's hope" that the House will move legislation this year. "It depends on the technology community deciding if they want to pursue it aggressively or not."
Even if supporters of HR695 do get a vote in the House, they face a tough time in the Senate. In addition, the current bills backed by industry are unlikely to gain President Clinton's signature even if Congress does clear legislation this year.
Senate Majority Leader Trent Lott, R-Miss., said there is a chance that the Senate could still take up encryption legislation this year. But he added that he has problems with the only Sebate bill that has seen any action this year.
The Senate Commerce Committee approved encryption legislation (S909) in June 1997. Even though the bill was promoted as a middle-of-the road approach, the industry says it leans too far in the administration's direction, and the FBI says it does not go far enough it meet its demands.
Sens. John Ashcroft, R-Mo., Conrad Burns, R-Mont., and Leahy introduced legislation (S2067) on May 12 that is similar to HR695 but includes some additional provisions aimed at satisfying some of the FBI's requests. The bill calls for the creation of a "Net Center" to help federal, state and local law enforcement officials stay informed about advanced technologies.
Burns and some other GOP supporters of the industry's position, such as White, say they are skeptical about the administration's willingness to compromise.
"The strategy all along has been a four-corner stall on any serious compromise," Burns said.
Some legislators on both sides of the issue say Clinton needs to show more leadership.
"The president needs to step up. . . . He needs to make the case for the national security," said Sen. Bob Kerrey, D-Neb., one of S909's sponsors.
Others cite the difficulty Clinton would have coming down in opposition to law enforcement and national security officials -- a reality that has pushed some lawmakers to Freeh's camp.
Also influencing the debate is the recent controversy over the administration's decision to allow a U.S. company to launch satellites aboard a Chinese rocket; that matter does not help the industry's cause, Kerrey and others said. (Weekly Report, p. 1467)
There is "not going to be a majority in the Senate who are going to do something that the director of the FBI, the secretary of Defense . . . say can jeopardize national security," said Senate Commerce Committee Chairman John McCain, R-Ariz., S 909's chief sponsor.
© 1998 Congressional Quarterly Inc. All Rights Reserved.