42 431 105 th Congress Rept. 105 108 HOUSE OF REPRESENTATIVES 1st Session Part 2 SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT July 25, 1997.--Ordered to be printed Mr. Gilman , from the Committee on International Relations, submitted the following R E P O R T together with DISSENTING VIEWS [To accompany H.R. 695] The Committee on International Relations, to whom was referred the bill (H.R. 695) to amend title 18, United States Code, to affirm the rights of United States persons to use and sell encryption and to relax export controls on encryption, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass. The amendment is as follows: Strike out all after the enacting clause and insert in lieu thereof the following: SECTION 1. SHORT TITLE. This Act may be cited as the ``Security and Freedom Through Encryption (SAFE) Act''. SEC. 2. SALE AND USE OF ENCRYPTION. (a) In General.--Part I of title 18, United States Code, is amended by inserting after chapter 121 the following new chapter: ``CHAPTER 122--ENCRYPTED WIRE AND ELECTRONIC INFORMATION ``2801. Definitions. ``2802. Freedom to use encryption. ``2803. Freedom to sell encryption. ``2804. Prohibition on mandatory key escrow. ``2805. Unlawful use of encryption in furtherance of a criminal act. ``2801. Definitions ``As used in this chapter-- ``(1) the terms `person', `State', `wire communication', `electronic communication', `investigative or law enforcement officer', `judge of competent jurisdiction', and `electronic storage' have the meanings given those terms in section 2510 of this title; ``(2) the terms `encrypt' and `encryption' refer to the scrambling of wire or electronic information using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering, such information; ``(3) the term `key' means the variable information used in a mathematical formula, code, or algorithm, or any component thereof, used to decrypt wire or electronic information that has been encrypted; and ``(4) the term `United States person' means-- ``(A) any United States citizen; ``(B) any other person organized under the laws of any State, the District of Columbia, or any commonwealth, territory, or possession of the United States; and ``(C) any person organized under the laws of any foreign country who is owned or controlled by individuals or persons described in subparagraphs (A) and (B). ``2802. Freedom to use encryption ``Subject to section 2805, it shall be lawful for any person within any State, and for any United States person in a foreign country, to use any encryption, regardless of the encryption algorithm selected, encryption key length chosen, or implementation technique or medium used. ``2803. Freedom to sell encryption ``Subject to section 2805, it shall be lawful for any person within any State to sell in interstate commerce any encryption, regardless of the encryption algorithm selected, encryption key length chosen, or implementation technique or medium used. ``2804. Prohibition on mandatory key escrow ``(a) Prohibition.--No person in lawful possession of a key to encrypted information may be required by Federal or State law to relinquish to another person control of that key. ``(b) Exception for Access for Law Enforcement Purposes.--Subsection (a) shall not affect the authority of any investigative or law enforcement officer, acting under any law in effect on the effective date of this chapter, to gain access to encrypted information. ``2805. Unlawful use of encryption in furtherance of a criminal act ``Any person who willfully uses encryption in furtherance of the commission of a criminal offense for which the person may be prosecuted in a court of competent jurisdiction-- ``(1) in the case of a first offense under this section, shall be imprisoned for not more than 5 years, or fined in the amount set forth in this title, or both; and ``(2) in the case of a second or subsequent offense under this section, shall be imprisoned for not more than 10 years, or fined in the amount set forth in this title, or both.''. (b) Conforming Amendment.--The table of chapters for part I of title 18, United States Code, is amended by inserting after the item relating to chapter 33 the following new item: ``122. Encrypted wire and electronic information 2801''. SEC. 3. EXPORTS OF ENCRYPTION. (a) Amendment to Export Administration Act of 1979.--Section 17 of the Export Administration Act of 1979 (50 U.S.C. App. 2416) is amended by adding at the end thereof the following new subsection: ``(g) Certain Consumer Products, Computers, and Related Equipment.-- ``(1) General rule.--Subject to paragraphs (2), (3), and (4), the Secretary shall have exclusive authority to control exports of all computer hardware, software, and technology for information security (including encryption), except that which is specifically designed or modified for military use, including command, control, and intelligence applications. ``(2) Items not requiring licenses.--No validated license may be required, except pursuant to the Trading With The Enemy Act or the International Emergency Economic Powers Act (but only to the extent that the authority of such Act is not exercised to extend controls imposed under this Act), for the export or reexport of-- ``(A) any consumer product commercially available within the United States or abroad which-- ``(i) includes encryption capabilities which are inaccessible to the end user; and ``(ii) is not designed for military or intelligence end use; ``(B) any component or subassembly designed for use in a consumer product described in subparagraph (A) which itself contains encryption capabilities and is not capable of military or intelligence end use in its condition as exported; ``(C) any software, including software with encryption capabilities-- ``(i) that is generally available, as is, and is designed for installation by the purchaser; ``(ii) that is in the public domain for which copyright or other protection is not available under title 17, United States Code, or that is available to the public because it is generally accessible to the interested public in any form; or ``(iii) that is customized for an otherwise lawful use by a specific purchaser or group of purchasers; ``(D) any computing device solely because it incorporates or employs in any form-- ``(i) software (including software with encryption capabilities) that is exempted from any requirement for a validated license under subparagraph (C); or ``(ii) software that is no more technically complex in its encryption capabilties than software that is exempted from any requirement for a validated license under subparagraph (C) but is not designed for installation by the purchaser; ``(E) any computer hardware that is generally available, solely because it has encryption capabilities; or ``(F) any software or computing device solely on the basis that it incorporates or employs in any form interface mechanisms for interaction with other hardware and software, including hardware, and software, with encryption capabilities. ``(3) Software with encryption capabilities.--The Secretary shall authorize the export or reexport of software with encryption capabilities for nonmilitary end uses in any country to which exports of software of similar capability are permitted for use by financial institutions not controlled in fact by United States persons, unless there is substantial evidence that such software will be-- ``(A) diverted to a military end use or an end use supporting international terrorism; ``(B) modified for military or terrorist end use; or ``(C) reexported without any authorization by the United States that may be required under this Act. ``(4) Hardware with encryption capabilities.--The Secretary shall authorize the export or reexport of computer hardware with encryption capabilities if the Secretary determines that a product offering comparable security is commercially available outside the United States from a foreign supplier, without effective restrictions. ``(5) Definitions.--As used in this subsection-- ``(A) the term `encryption' means the scrambling of wire or electronic information using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering, such information; ``(B) the term `generally available' means-- ``(i) in the case of software (including software with encryption capabilities), software that is offered for sale, license, or transfer to any person without restriction, whether or not for consideration, including, but not limited to, over-the-counter retail sales, mail order transactions, phone order transactions, electronic distribution, or sale on approval; and ``(ii) in the case of hardware with encryption capabilities, hardware that is offered for sale, license, or transfer to any person without restriction, whether or not for consideration, including, but not limited to, over-the-counter retail sales, mail order transactions, phone order transactions, electronic distribution, or sale on approval; ``(C) the term `as is' means, in the case of software (including software with encryption capabilities), a software program that is not designed, developed, or tailored by the software publisher for specific purchasers, except that such purchasers may supply certain installation parameters needed by the software program to function properly with the purchaser's system and may customize the software program by choosing among options contained in the software program; ``(D) the term `is designed for installation by the purchaser' means, in the case of software (including software with encryption capabilities) that-- ``(i) the software publisher intends for the purchaser (including any licensee or transferee), who may not be the actual program user, to install the software program on a computing device and has supplied the necessary instructions to do so, except that the publisher may also provide telephone help line services for software installation, electronic transmission, or basic operations; and ``(ii) the software program is designed for installation by the purchaser without further substantial support by the supplier; ``(E) the term `computing device' means a device which incorporates one or more microprocessor-based central processing units that can accept, store, process, or provide output of data; and ``(F) the term `computer hardware', when used in conjunction with information security, includes, but is not limited to, computer systems, equipment, application-specific assemblies, modules, and integrated circuits.''. (b) Continuation of Export Administration Act.--For purposes of carrying out the amendment made by subsection (a), the Export Administration Act of 1979 shall be deemed to be in effect. SEC. 4. SENSE OF CONGRESS REGARDING INTERNATIONAL COOPERATION. (a) Findings.--The Congress finds that-- (1) implementing export restrictions on widely available technology without the concurrence of all countries capable of producing, transshipping, or otherwise transferring that technology is detrimental to the competitiveness of the United States and should only be imposed on technology and countries in order to protect the United States against a compelling national security threat; and (2) the President has not been able to come to agreement with other encryption producing countries on export controls on encryption and has imposed excessively stringent export controls on this widely available technology. (b) Sense of Congress.--It is the sense of the Congress that the President should immediately take the necessary steps to call an international conference for the purpose of coming to an agreement with encryption producing countries on policies which will ensure that the free use and trade of this technology does not hinder mutual security. BACKGROUND AND PURPOSE H.R. 695, the Security and Freedom Through Encryption (SAFE) Act, represents a strong bipartisan effort to bring U.S. laws on the export of encryption technology into the present and future, by looking at the actual technological developments taking place on the world stage. The SAFE Act enjoys strong support in the House as reflected by the overwhelming number of co-sponsors, including a majority of the Members of the Committee on International Relations. While differences still remain and the debate continues between U.S. economic and commercial priorities and individual civil liberties, on the one hand, and the needs and concerns of law enforcement and national security agencies, the SAFE Act is generating the political will to reform the existing regulatory process to meet today's realities. Encryption has been defined as referring to the use of software or hardware to scramble wire or electronic information using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering such information. While anyone can encrypt a message, only an authorized person can convert a scrambled message back into its original form. The basic idea of modern encryption, or cryptography, is that any message can be represented as a set of numbers (the plaintext) used to transform the plaintext into a different set of numbers (the ciphertext). Simply stated, keys consist of a series of ones and zeros (called ``bits'), and are described in terms of their ``length'', which is corresponds to the number of possible combinations that can be used to decode a particular message. A 40-bit key means that the number of possible combinations of ones and zeros equals 2 to the 40th power. It then follows that a 56-bit key is 2 to the 56th power, which means that it is 2 to the 16th power stronger that a 40-bit key. Once the exclusive domain of the national security and intelligence sectors, encryption now has an expanded application, impacting the everyday lives of millions of Americans. Today, banking systems, stock markets, air traffic control systems, credit bureaus, telephone networks, weather satellites, social security system, television networks, civilian and government payrolls, and the Internet are all directly affected by a flow of data managed by countless computers and telecommunication networks around the world. Computer technology now serves as the nervous system of modern society. It is increasingly difficult to protect the privacy and confidentiality of transactions at all levels, and increasingly important to do so. The Justice Department has estimated that annual losses related to computer security breaches could be as high as $7 billion. If this were adjusted to include the number of undocumented cases by companies reluctant to report such intrusions, the figure could be even higher. The National Counterintelligence Center in their ``Annual Report to Congress on Foreign Economic Collection and Industrial Espionage'' concluded that such ``specialized technical operations (including computer intrusions, telecommunications targeting and intercept, and private sector encryption weaknesses) account for the largest portion of economic and industrial information lost by corporations.'' Therefore, stronger encryption tools are widely viewed as the key to providing security and privacy for the information superhighway. Current U.S. policy restricts the export of ``strong'' encryption hardware or software products with keys greater than 40 bits long--determined to be gravely inadequate by numerous experts. The current Administration proposal, which would allow the export of 56-bit encryption, is viewed as not meeting the needs of U.S. companies to conduct business in a secure manner with their suppliers, their business partners, their customers, and even their affiliated companies outside the United States. Supporting the need for higher encryption standards is the fact that, on the same day that the companion legislation--the McCain-Kerrey bill--was introduced in the Senate calling for a 56-bit limit on encryption exports, a group of independent programmers and researchers cracked a 56-bit code using computers linked across the Internet. This successful breaking of 56-bit encryption clearly demonstrates the anachronistic nature of current U.S. law and reflects how out-of-touch the Administration's policy is with the needs of the global marketplace. The Administration's proposal would only allow the export of 56-bit encryption for those who promise to build in ``key recovery''. ``Key recovery'' or ``key escrow'' essentially means that when stored data or electronic communications are encrypted, a third party has a copy of the key needed to decrypt the information. As presented by proponents of this policy, escrowed encryption is intended to provide for encryption protection for legitimate uses but also enable law enforcement officials to gain access to the key when it is necessary to decode the plaintext data as part of an investigation. This has been interpreted as an attempt to use the export control process to manipulate and control the market for and expansion of encryption technology, by making it easy to export products with key recovery and difficult for those products without. The logical basis for this policy is flawed as it is rooted in the wrongful assumption that foreign competitors can be convinced to alter their policy to parallel what U.S. policy is calling for. The current policy is not based on fact but on the optimistic view that the U.S. can influence other countries not to export strong encryption without an escrow system. Speculation does not make for good laws. Individually and as a unit, many of our European allies have clearly illustrated their commitment to allow market forces and individual needs to dictate the levels of encryption. In its April 1997 proposal entitled, ``A European Initiative in Electronic Commerce'', the European Union stated as key elements of the Initiative to ensure a framework which ``boosts the trust and confidence of businesses for investments and consumers to make use of electronic commerce by dismantling remaining legal and regulatory barriers and preventing the creation of new obstacles.'' It goes on to say that: ``The use of strong encryption which ensures the confidentiality of both sensitive commercial and of personal data is one of the foundation stones of electronic commerce . . . The Community (European Community) shall work at the international level towards the removal of trade barriers for encryption products.'' Even the more conservative recommendations made in March 1997 by the Council of the Organization for Economic Cooperation and Development, clearly state that: ``Users should have access to cryptography that meets their needs, so that they can trust in the security of information and communications systems, and the confidentiality and integrity of data on those systems.'' The Council further underscores that: ``Government controls on cryptographic methods . . . should respect user choice to the greatest extent possible . . . and should not be interpreted as implying that governments should initiate legislation which limits user choice.'' Finally, they add: ``The development and provision of cryptographic methods should be determined by the market in an open and competitive environment. Such an approach would best ensure that solutions keep pace with changing technology, the demands of users and evolving threats to communications systems security.'' While U.S. companies are kept at 40-bit encryption or at 56-bit with the condition that they commit to develop key recovery, non-U.S. exporters, particularly the countries of the European Union, are producing packages that include encryption technology using 128 bits leaving American companies far behind in the race to capture new markets. Furthermore, American companies are placed at a competitive disadvantage by being forced to create and deploy two separate systems to meet two separate standards. Because of the nightmare this would create, most U.S. businesses end up making their exportable products subject to the same restrictions as their domestic products. By not allowing U.S. industries to provide secure products in the face of strong foreign competitors who are not restricted by outdated export controls, current law is hurting U.S. businesses. No one will buy encryption products for which the U.S. government can obtain a key. A recent report by the CEOs of 13 large American technology companies concluded that the U.S. computer industry could potentially lose up to $30 60 billion annually by the year 2000 due to these export controls. At a fundamental level, evaluating the value of key recovery systems in and of themselves, eleven of the world's top cryptographers concluded that key recovery systems would create new vulnerabilities. A key recovery system would create serious difficulties as it would require a vast infrastructure of recovery agents and oversight entities to manage access to the keys. In their May 1997 report entitled, ``The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption'', these experts also determined that ``the field of cryptography has no experience in deploying secure systems of this scope and complexity'' and that such systems could potentially cost many billions of dollars. Key recovery systems do not even meet the national security needs on which the policy is based on. The Software Publishers Association has documented hundreds of foreign encryption products already widely available abroad and which criminals, terrorists, and foreign governments have access to. It is the upstanding, law-abiding citizen who suffers. The fact is that strong encryption helps to further the goals of law enforcement and national security, more than key recovery could ever hope to. In its landmark report on encryption policy, the blue-ribbon National Research Council concluded the following about the use of strong encryption: If cryptography can protect the trade secret and proprietary information of business and thereby reduce economic espionage (which it can), it also supports in a most important manner the job of law enforcement. If cryptography can help protect nationally critical information systems and networks against unauthorized penetration (which it can), it also supports the national security of the United States. In summary, if U.S. laws are not changed soon, not as mandated by the Administration's policy or its companion legislation in the Senate, but as H.R. 695 attempts to do, world standards for security technology will shift away from the U.S. as customers buy products from foreign manufacturers. The U.S. government will not have a view into the security technology that replaces U.S. technology as the world standards. U.S. industries will lose control of information security technologies which are vital to economic security. It will cost the U.S. economy billions of dollars and hundreds of thousands of jobs. On July 7, 1997, German Economics Minister Guenter Rexrodt called for the removal of restrictions on encryption technology in his opening remarks for a two-day conference on Internet commerce attended by 40 government ministers from the European union, the United States, Russia, Japan and Canada. ``Users can only protect themselves against having data manipulated, destroyed or spied on through the use of strong encryption procedures,'' Rexrodt said, ``that is why we have to use all of our powers to promote such procedures instead of blocking them.'' Individual Americans and U.S. businesses should be afforded the same protection and the same opportunities as other countries provide their own people and industries. H.R. 695--the SAFE Act--does just that. It is aimed at correcting the unfair and unsafe situation that currently exists under current law as it: prohibits export controls on ``generally available'' commercial encryption except for military end-users or to identified individuals or organizations in specific foreign countries; does not require reporting for companies after export; prohibits mandatory use of key recovery; denies liability protection and penalties for key holders; denies foreign government access to keys under specified conditions if key holder is used voluntarily; prohibits U.S. government and law enforcement access to keys by court order if key holder is used voluntarily; codifies existing domestic use policy; gives the Secretary of Commerce exclusive jurisdiction over export of commercial encryption except for military end-uses or to identified individuals or organizations in specific foreign countries. In essence, H.R. 695 prevents economic espionage while protecting hundreds of thousands of American jobs by affording all Americans the freedom to use any type of encryption anywhere in the world; by allowing any type of encryption to be sold in the United States; and creates a level playing field by permitting the export of the generally available software, hardware, and other encryption-related computer products. The Committee hopes that other Members realize the need, value, and importance of H.R. 695 as it works its way through the legislative process. In the interest of the American people, of U.S. economic leadership and growth, and of national security, the Committee hopes that the House will pass the SAFE Act. COMMITTEE ACTION H.R. 695 was introduced by Representative Goodlatte on February 12, 1997, and referred to the Committee on Judiciary and in addition to the Committee on International Relations for a period subsequently to be determined by the Speaker. It was reported to the House by the Committee on the Judiciary, amended, on May 22, 1997 (H. Rept. 105-108). On May 22, 1995, the referral to the Committee on International Relations was extended through July 11, 1997, and on June 26, 1997, the referral to the Committee on International Relations was extended for a period ending not later than July 25, 1997. On June 26, 1997, the bill was referred, in addition, to Committees on Commerce, National Security, and the Permanent Select Committee on Intelligence for a period ending not later than September 5, 1997, for consideration of such provisions of the bill and the amendment reported by the Committee on the Judiciary as fall within the jurisdiction of those committees pursuant to clause 1(3) and (k), rule X and rule XLVIII, respectively. On May 8, 1997, the Subcommittee on International Economic Policy and Trade held a hearing entitled: ``Encryption: Individual Right to Privacy vs. National Security.'' Witnesses for this hearing included: Hon. William Reinsch, Under Secretary of Commerce, Bureau of Export Administration; Hon. William Crowell, Deputy Director, National Security Agency; Hon. Robert Litt, Deputy Assistant Attorney General, Criminal Division, U.S. Department of Justice; Mr. John Gage, Director, Science Office, Sun Microsystems, Inc.; Mr. Humphrey Polanen, General Manager, Network Security Products Group, Sun Microsystems, Inc.; Jerry Berman, Executive Director, Center for Democracy and Technology; Tom Parenty, Director of Security, Sybase Corporation; and Stephen T. Walker, President and CEO, Chairman of the Board of Directors, Trusted Information Systems. On May 29, 1997, the Full Committee held a Members briefing on H.R. 695, ``the Security and Freedom through Encryption (SAFE) Act.'' Speakers for the briefing included Hon. Louis Freeh, Director, Federal Bureau of Investigation and Hon. William Crowell, Deputy Director, National Security Agency. On June 4, 1997, the Subcommittee on International Economic Policy and Trade held a Members Briefing on the future of U.S.-European trade relations. Speakers for the briefing included: Hon. David L. Aaron, U.S. Ambassador to the Organization for Economic Cooperation and Development (OECD); H.E. Hugo Paemen, Head of the Delegation to the United States of the Commission of the European Union; and Dr. Dominique vanderMensbrugghe, Senior Economist, OECD Development Center. On June 24, 1997, the Subcommittee on International Economic Policy and Trade held a mark-up of H.R. 695, ``the Security and Freedom through Encryption (SAFE) Act''. Witnesses included: Congressman Bob Goodlatte. Amendment.-- An en bloc amendment was offered by Ros-Lehtinen, Gejdenson, Campbell and Sherman. The amendment removes the distinction between mass market and customized software thus ensuring that customized software is also subject to liberalized export controls. It expands section 3 on exports of encryption by including consumer products which do not necessarily fall under the umbrella of ``computing'' products but which also require and use encryption. It broadens the scope and definition of ``generally available'' to include hardware with encryption capabilities. The amendment also adds a fourth section to the bill in the form of a sense of Congress regarding international cooperation. The amendment passed by voice vote. A motion to report the bill, as amended, to the Full Committee passed by a roll call vote, as follows: Voting yes: Ros-Lehtinen, Manzullo, Chabot, Campbell, Blunt, Brady, Rohrabacher, Gejdenson, Danner, Hilliard, Sherman, Rothman, Clement, Luther. Voting no: Bereuter. Passed: 14 1. On June 26, 1997, the Full Committee held a classified Members briefing on the impact of H.R. 695, ``the Security and Freedom through Encryption (SAFE) Act'' on national security and law enforcement activities. Speakers for the briefing included: Hon. Louis Freeh, Director, Federal Bureau of Investigation; Hon. William Crowell, Deputy Director, National Security Agency; Hon. William Reinsch, Under Secretary of Commerce, Bureau of Export Administration. On July 22, 1997, the Full Committee marked up the bill in open session, pursuant to notice. The Committee first adopted the amendment recommended by the Subcommittee on International Economic Policy by unanimous consent, as original text for the purposes of amendment. Representatives Goodlatte and Lofgren and representatives of the Administration (The Hon. William Reinsch, Under Secretary of Commerce; Mr. Jim Kallstrom, Federal Bureau of Investigation; Mr. James R. Taylor, National Security Agency; and Mr. Anthony Bocchichio of the Drug Enforcement Agency) responded to questions from members during the course of the markup. After further consideration, on that date, a quorum being present, the Full Committee by voice vote ordered the bill reported to the House with the recommendation that the bill, as amended, do pass. Rollcall votes on amendments In compliance with clause (2)(l)(2)(B) of rule XI of the Rules of the House of Representatives, the record of committee roll call votes on final passage or amendments during the full committee's consideration of H.R. 695 is set out below, as is a report of the full committee's final action on the bill. Description of Amendment, Motion, Order, or Other Proposition (votes during markup of H.R. 695--July 22, 1997) Vote No. 1.--Gilman amendment provide that certain items could not be exported if in the opinion of the President they would endanger the national security. Voting Yes: Gilman, Leach, Bereuter, Gallegly, Fox, Hamilton, Berman, Menendez, Brown, Danner, Rothman, Clement, and Davis. Voting No: Smith, Ros-Lehtinen, Ballenger, Rorhabacher, Manzullo, Royce, King, Chabot, Sanford, Houghton, Campbell, Blunt, Moran, Brady, Gejdenson, Ackerman, Hastings, Hilliard, Capps, Sherman, Wexler, and Luther. Ayes, 13. Noes, 22. Note: The bill was subsequently ordered reported favorably, amended, by voice vote, a quorum being present, on July 22, 1997. SECTION-BY-SECTION ANALYSIS Section 1. Short Title This section states that this Act may be cited as the ``Security and Freedom Through Encryption (SAFE) Act''. Section 2. Sale And Use Of Encryption This section states that, in general, Part I of Title 18, United States Code, is amended by adding a new chapter after chapter 121. This section also creates ``Chapter 122-Encrypted Wire And Electronic Information'' which includes sections; 2801. Definitions., 2802. Freedom To Use Encryption., 2803. Freedom to Sell Encryption., 2804. Prohibition On Mandatory Key Escrow., 2805. Unlawful Use Of Encryption in the furtherance of a criminal act. Section 2801 is titled ``Definitions'' and provides definitions for ``person'' ``State'' ``wire communication'' ``electronic communication'', ``investigative or law enforcement officer'', judge of competent jurisdiction'', ``electronic storage'', ``encrypt'', ``encryption'', ``key'', and ``United States person''. Many of these definitions were taken explicitly from 18 U.S.C. 2810. New section 2802 states that it is legal for any person in the United States or any United States person in a foreign country, to use any form of encryption regardless of the algorithm, key length, or technique used in the encryption. New section 2803 states that it is legal for any person in the United States to sell in interstate commerce encryption products using any form of encryption regardless of the algorithm, key length, or technique used. The Committee intends that Sections 2802 and 2803 be read as limitations on government power. They should not be read as overriding otherwise lawful employer policies concerning employee use of the employers computer system, nor as limiting the employer's otherwise lawful means for remedying violations of those policies. New section 2804 specifically prohibits requiring any person in lawful possession of an encryption key to turn that key over to another person. This section prevents any form of mandatory key escrow system with an exception for any law enforcement personnel or a member of the intelligence community. New section 2805 make it a crime to use encryption unlawfully in furtherance of some other crime. This new crime is punishable with a sentence of 5 years for a first offence and 10 years. This section requires that for a person to violate this section that person must be found guilty of some other federal felony crime and was deliberately using encryption to avoid detection of that other federal felony crime. Subsection 2(b) of H.R. 695 provides for a conforming amendment to the table of chapters in Title 18. Section 3. Export of Encryption Subsection 3(a) of H.R. 695 amends the Export Administration Act by creating a new subsection (g) entitled ``Computers and Related Equipment,'' to 50 U.S.C. App. 2416. New subsection (g)1 place all encryption products, except those specifically designed or modified for military use, under the jurisdiction of the Secretary of Commerce. New subsection (g)2 allows encryption software that is generally available or in the public domain, like mass-market software products, to be exported freely except pursuant to the Trading With The Enemy Act or the International Emergency Economic Powers Act (but only to the to the extent that the authority of such Act is not exercised to extend controls imposed under this Act.). The Subcommittee on International Economic Policy and Trade, on an amendment offered by Chair Ros-Lehtinen and Ranking Member Gejdenson, and others, amended Subsection (g)2 on a voice vote in Subcommittee to include certain other consumer products, or component or subassembly (provided those components are not capable of military or intelligence end use in its condition as exported.), which have encryption capabilities that are inaccessible to the end user and which are commercially available within the United States or abroad. These product as discussed by the Subcommittee are consumer products such as small dish satellite receivers, digital video disk players, smart cards, Web TV, etc. These products, which are commercially available within the United States or abroad, were viewed by the Subcommittee as being clearly and purely for consumer end-use and not for military purposes. The Ros-Lehtinen amendment also amended (g)2 to include customized software for an otherwise lawful purpose by a specific purchaser or group of purchasers. New subsection (g)3 requires the Secretary of Commerce to allow other encryption software to be exported unless there is substantial evidence that will be put to military or terrorist uses or that it will be reexported without U.S. authorization. New subsection (g)4 requires the Secretary to allow the export of hardware with encryption capabilities when the Commerce Department finds that it is commercially available from foreign suppliers without effective restrictions. New subsection (g)5 provides definitions for this subsection. The subcommittee amendment offered by Chair Ros-Lehtinen, and others also amended this subsection to include the same consumer products added to subsection (g)2. As the Ros-Lehtinen amendment adopted in the Subcommittee on International Economic Policy and Trade stated, the Committee would like to reiterate that, with the ever increasing use of computer technology and computer information (hardware and software) in consumer product lines for protection of privacy, information security, and intellectual property interests, it intends this legislation to cover all devices--whether traditional computing devices or convergent consumer products that incorporate encryption. The applications covered by this legislation include video, audio, and data communications systems and telecommunication equipment. Hardware and software containing encryption, such as encoders, decoders, and network terminals, which are essential to protect the video signal, are therefore included under section 3(a) of this Act. As well as video, audio, data communications systems containing encryption and decryption capability are used by cable, satellite, and wireless delivery systems. This legislation is also intended to include set-top devices and other terminals where the encryption is not directly available to the user but is used for purposes such as pay per view, and hardware such as network computers, telephones or cable modems, satellite uplinks and downlinks. Subsection 3(b) of H.R. 695 provides that for the purposes of carrying out the amendment made by subsection 3(a), the Export Administration Act shall be deemed to be in effect. This statement is necessary because Congress failed to reauthorize the Export Administration Act and it expired in 1994. The Administration maintains the Export Administration Act policies by executive order. The Committee plans to reauthorize the Export Administration Act in this Congress. Section 4. Sense of Congress Regarding International Cooperation This section asks on the President to call an international conference for the purpose of achieving an agreement among the encryption producing countries on policies which will ensure that the free use and trade of this technology does not hinder mutual technology. COMMITTEE OVERSIGHT FINDINGS In compliance with clause 2(l)(3)(A) of rule XI of the Rules of the House of Representatives, the Committee reports the findings and recommendations of the Committee, based on oversight activities under clause 2(b)(1) of rule X of the Rules of the House of Representatives, are incorporated in the descriptive portions of this report. COMMITTEE ON GOVERNMENT REFORM AND OVERSIGHT FINDINGS No findings or recommendations of the Committee on Government Reform and Oversight were received as referred to in clause 2(l)(3)(D) of rule XI of the Rules of the House of Representatives. ADVISORY COMMITTEE STATEMENT No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation. APPLICABILITY TO THE LEGISLATIVE BRANCH The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act. CONSTITUTIONAL AUTHORITY STATEMENT In compliance with clause 2(l)(4) of rule XI of the Rules of the House of Representatives, the Committee cites the following specific powers granted to the Congress in the Constitution as authority for enactment of H.R. 695 as reported by the Committee: Article I, section 8, clause 1 (relating to providing for the common defense and general welfare of the United States); and Article I, section 8, clause 18 (relating to making all laws necessary and proper for carrying into execution powers vested by the Constitution in the government of the United States). NEW BUDGET AUTHORITY AND TAX EXPENDITURES, CONGRESSIONAL BUDGET OFFICE COST ESTIMATE The Committee expects to adopt a cost estimate of the Congressional Budget Office as its submission of any new required information on new budget authority, new spending authority, new credit authority, or an increase or decrease in the national debt, which it expects to provide in a supplemental report. FEDERAL MANDATES STATEMENT The Committee adopts as its own the estimate of Federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandates Reform Act. U.S. Congress, Congressional Budget Office, Washington, DC, July 25, 1997. Hon. Benjamin Gilman, Chairman, Committee on International Relations, House of Representatives, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed mandates statement for H.R. 695, the Security and Freedom Through Encryption (SAFE) Act. CBO's analysis of the bill's federal costs will be sent to you as soon as it is completed. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contacts are Pepper Santalucia (for the state and local impact) and Matt Eyles (for the private-sector impact). Sincerely, Jane E. O'Neill, Director. Enclosure. CONGRESSIONAL BUDGET OFFICE MANDATES STATEMENT H.R. 695--Security and Freedom Through Encryption (SAFE) Act H.R. 695 would allow individuals in the United States to use and sell any form of encryption and would prohibit states or the federal government from requiring individuals to relinquish the key to encryption technologies to any third party. The bill also would prevent the Bureau of Export Administration in the Department of Commerce from restricting the export of most nonmilitary encryption products. Finally, H.R. 695 would establish criminal penalties and fines for the willful use of encryption technologies in committing criminal offenses. The bill would prohibit states from requiring persons to make encryption keys available to another person or entity. This prohibition would be an intergovernmental mandate as defined in the Unfunded Mandates Reform Act of 1995 (UMRA). However, states would bear no costs as a result of this mandate because none currently require the registration or availability of such keys. H.R. 695 contains no private-sector mandates as defined in UMRA. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED In compliance with clause 3 of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (new matter is printed in italic and existing law in which no change is proposed is shown in roman): TITLE 18, UNITED STATES CODE * * * * * * * PART I--CRIMES Chap. Sec. 1. General provisions 1 * * * * * * * 122. Encrypted wire and electronic information 2801 * * * * * * * CHAPTER 122--ENCRYPTED WIRE AND ELECTRONIC INFORMATION 2801. Definitions. 2802. Freedom to use encryption. 2803. Freedom to sell encryption. 2804. Prohibition on mandatory key escrow. 2805. Unlawful use of encryption in furtherance of a criminal act. 2801. Definitions As used in this chapter-- (1) the terms ``person'', ``State'', ``wire communication'', ``electronic communication'', ``investigative or law enforcement officer'', ``judge of competent jurisdiction'', and ``electronic storage'' have the meanings given those terms in section 2510 of this title; (2) the terms ``encrypt'' and ``encryption'' refer to the scrambling of wire or electronic information using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering, such information; (3) the term ``key'' means the variable information used in a mathematical formula, code, or algorithm, or any component thereof, used to decrypt wire or electronic information that has been encrypted; and (4) the term ``United States person'' means-- (A) any United States citizen; (B) any other person organized under the laws of any State, the District of Columbia, or any commonwealth, territory, or possession of the United States; and (C) any person organized under the laws of any foreign country who is owned or controlled by individuals or persons described in subparagraphs (A) and (B). 2802. Freedom to use encryption Subject to section 2805, it shall be lawful for any person within any State, and for any United States person in a foreign country, to use any encryption, regardless of the encryption algorithm selected, encryption key length chosen, or implementation technique or medium used. 2803. Freedom to sell encryption Subject to section 2805, it shall be lawful for any person within any State to sell in interstate commerce any encryption, regardless of the encryption algorithm selected, encryption key length chosen, or implementation technique or medium used. 2804. Prohibition on mandatory key escrow (a) Prohibition.--No person in lawful possession of a key to encrypted information may be required by Federal or State law to relinquish to another person control of that key. (b) Exception for Access for Law Enforcement Purposes.--Subsection (a) shall not affect the authority of any investigative or law enforcement officer, acting under any law in effect on the effective date of this chapter, to gain access to encrypted information. 2805. Unlawful use of encryption in furtherance of a criminal act Any person who willfully uses encryption in furtherance of the commission of a criminal offense for which the person may be prosecuted in a court of competent jurisdiction-- (1) in the case of a first offense under this section, shall be imprisoned for not more than 5 years, or fined in the amount set forth in this title, or both; and (2) in the case of a second or subsequent offense under this section, shall be imprisoned for not more than 10 years, or fined in the amount set forth in this title, or both. * * * * * * * SECTION 17 OF THE EXPORT ADMINISTRATION ACT OF 1979 Sec. 17. (a) * * * * * * * * * * (g) Certain Consumer Products, Computers, and Related Equipment.-- (1) General rule.--Subject to paragraphs (2), (3), and (4), the Secretary shall have exclusive authority to control exports of all computer hardware, software, and technology for information security (including encryption), except that which is specifically designed or modified for military use, including command, control, and intelligence applications. (2) Items not requiring licenses.--No validated license may be required, except pursuant to the Trading With The Enemy Act or the International Emergency Economic Powers Act (but only to the extent that the authority of such Act is not exercised to extend controls imposed under this Act), for the export or reexport of-- (A) any consumer product commercially available within the United States or abroad which-- (i) includes encryption capabilities which are inaccessible to the end user; and (ii) is not designed for military or intelligence end use; (B) any component or subassembly designed for use in a consumer product described in subparagraph (A) which itself contains encryption capabilities and is not capable of military or intelligence end use in its condition as exported; (C) any software, including software with encryption capabilities-- (i) that is generally available, as is, and is designed for installation by the purchaser; (ii) that is in the public domain for which copyright or other protection is not available under title 17, United States Code, or that is available to the public because it is generally accessible to the interested public in any form; or (iii) that is customized for an otherwise lawful use by a specific purchaser or group of purchasers; (D) any computing device solely because it incorporates or employs in any form-- (i) software (including software with encryption capabilities) that is exempted from any requirement for a validated license under subparagraph (C); or (ii) software that is no more technically complex in its encryption capabilties than software that is exempted from any requirement for a validated license under subparagraph (C) but is not designed for installation by the purchaser; (E) any computer hardware that is generally available, solely because it has encryption capabilities; or (F) any software or computing device solely on the basis that it incorporates or employs in any form interface mechanisms for interaction with other hardware and software, including hardware, and software, with encryption capabilities. (3) Software with encryption capabilities.--The Secretary shall authorize the export or reexport of software with encryption capabilities for nonmilitary end uses in any country to which exports of software of similar capability are permitted for use by financial institutions not controlled in fact by United States persons, unless there is substantial evidence that such software will be-- (A) diverted to a military end use or an end use supporting international terrorism; (B) modified for military or terrorist end use; or (C) reexported without any authorization by the United States that may be required under this Act. (4) Hardware with encryption capabilities.--The Secretary shall authorize the export or reexport of computer hardware with encryption capabilities if the Secretary determines that a product offering comparable security is commercially available outside the United States from a foreign supplier, without effective restrictions. (5) Definitions.--As used in this subsection-- (A) the term ``encryption'' means the scrambling of wire or electronic information using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering, such information; (B) the term ``generally available'' means-- (i) in the case of software (including software with encryption capabilities), software that is offered for sale, license, or transfer to any person without restriction, whether or not for consideration, including, but not limited to, over-the-counter retail sales, mail order transactions, phone order transactions, electronic distribution, or sale on approval; and (ii) in the case of hardware with encryption capabilities, hardware that is offered for sale, license, or transfer to any person without restriction, whether or not for consideration, including, but not limited to, over-the-counter retail sales, mail order transactions, phone order transactions, electronic distribution, or sale on approval; (C) the term ``as is'' means, in the case of software (including software with encryption capabilities), a software program that is not designed, developed, or tailored by the software publisher for specific purchasers, except that such purchasers may supply certain installation parameters needed by the software program to function properly with the purchaser's system and may customize the software program by choosing among options contained in the software program; (D) the term ``is designed for installation by the purchaser'' means, in the case of software (including software with encryption capabilities) that-- (i) the software publisher intends for the purchaser (including any licensee or transferee), who may not be the actual program user, to install the software program on a computing device and has supplied the necessary instructions to do so, except that the publisher may also provide telephone help line services for software installation, electronic transmission, or basic operations; and (ii) the software program is designed for installation by the purchaser without further substantial support by the supplier; (E) the term ``computing device'' means a device which incorporates one or more microprocessor-based central processing units that can accept, store, process, or provide output of data; and (F) the term ``computer hardware'', when used in conjunction with information security, includes, but is not limited to, computer systems, equipment, application-specific assemblies, modules, and integrated circuits. DISSENTING VIEWS While well-intentioned, this bill's one-dimensional focus on the decontrol of encryption products would upset the vital balance that U.S. policy seeks to strike between the competitiveness of American industry and U.S. national security and law enforcement goals. The bill would prohibit any licensing or review of exports of encrypted software and hardware items. Consequently, its implementation would not only hinder our national security efforts but also undermine the Administration's ability to forge an international consensus on the use and implementation of national key recovery policies. While SAFE Act advocates correctly point out that the Administration has not yet achieved a multilateral consensus endorsing its preference for a key management infrastructure approach on encryption issues, it should be noted that recent cryptography guidelines adopted by the Organization for Economic Cooperation and Development have stressed the need to balance privacy, law enforcement, national security concerns, and commercial interests. They also underline the fact that failure to coordinate these policies could cripple the global information network and impede international trade. A July policy brief published by the Brookings Institution by Kenneth Flamm on ``Deciphering the Cryptography Debate'' noted along the same lines that: ``A level playing field, with common global rules of the game, is needed to avoid giving economic rivals competitive advantages over one another. The administration made an important and correct decision in seeking an international consensus on the key recovery approach to strong encryption and must be sure to continue to work hard in seeking this common global approach. While it has yet to achieve such a consensus within the OECD, many of the key players with the technical capability to ship advanced cryptography products and affect global markets--Britain, France and (quietly) Japan--are supporting the U.S. approach, and if a few more (like Germany and Israel) can be brought on board, the critical mass around which the core of an international agreement can be assembled will exist.'' If enacted in its current form, this bill would undermine any prospects for achieving such consensus and would compel a number of the OECD countries to put additional import restrictions in place blocking the entry of our strongest encryption products. We recognize that the development of strong encryption can play a vital role in the development of electronic commerce and promoting privacy but the development of key recovery policies is essential to head off a potential crisis in the years ahead for our law enforcement authorities. If strong encryption is in widespread use in the near future, it will make it virtually impossible to decipher encrypted communications. Brute force attacks to crack encryption algorithms in that type of environment are not feasible or realistic, especially in the time sensitive cases where law enforcement needs access to encrypted files to save lives. By removing all controls on the export of any software and hardware with encryption capabilities, this bill threatens U.S. national security and law enforcement interests. With respect to U.S. national security, encrypted communications make it more difficult for U.S. intelligence agencies to monitor communications relating to terrorism, weapons proliferation, military operations, and other threats to U.S. national security interests. The Administration does not dispute the contention of U.S. software manufacturers that encryption products are in use around the world. But the Administration also points out that these products are not yet being widely used by individuals, groups, and governments whose activities pose threats to U.S. security and safety. As we understand it, the goal of U.S. export control policy is not to prevent the spread of encryption worldwide--something which clearly cannot be done--but to slow down the spread of these products enough to give U.S.-led diplomacy an opportunity to achieve increased multilateral cooperation on common export control policies and on the adoption of a global key management infrastructure. Such an international key management infrastructure would enable U.S. intelligence and law enforcement agencies to cooperate with their counterparts in friendly countries in gaining access to communications that threaten common security and safety interests. The elimination of all U.S. controls on encryption exports will also jeopardize domestic law enforcement. We recognize that encryption is essential to the fulfillment of the promise of electronic commerce and to the protection of individual privacy in a networked world. But encryption also complicates the mission of U.S. law enforcement agencies, because it can make it impossible for law enforcement personnel to understand data and communications to which they have been granted access under court order or other proper legal authority. This is why current U.S. policy seeks to promote the adoption of key recovery features in encryption products used in the United States. Export controls are a key component of this policy. Under current practice, U.S. firms are permitted to export powerful encryption products if they already include key recovery features or if they pledge to develop such features during the next two years. If we eliminate all U.S. export controls, as this bill would do, the federal government will therefore lose one of its most important means for promoting the development of key recovery in the U.S. market. That will harm U.S. law enforcement. Lawful wiretapping and duly authorized court-ordered access to information and materials on a timely basis are essential tools for police and law enforcement authorities. If this legislation were to be enacted in its present form, the resultant proliferation of global and interconnected encryption has the very real potential to deny our local, state and federal authorities the timely access they now enjoy to data and other communications, even after a court order has been issued. More than one half the annual court-ordered wire taps are at the state and local level, and of the national total for all such wire taps, more than 70% are for drug-related cases. Congressional action on this legislation has the potential to affect our cities and towns where the devastating impact of illicit drugs already causes nearly $70 billion in annual societal costs. We ought not to add to that carnage and destruction by denying law enforcement one of the most effective tools against this scourge, timely access to lawful requests for information needed to combat these crimes. Attorney General Janet Reno, our nation's chief law enforcement officer, urged the members of our Committee to consider the effects of this legislation in her July 18, 1997, letter to the International Relations Committee. She said that ``* * * the misuse of encryption technology will become a matter of life and death in many instances. That is why we urge you to adopt a balanced approach.'' We invite the attention of Members to correspondence from our Nation's law enforcement and national security leaders, appended below. During the full committee's consideration of H. R. 695, Chairman Gilman offered an amendment which would have helped to create this necessary balance in the bill. It would have provided the President the authorities to control the export and reexport of encrypted items if he determines that they would adversely affect our national security and our ability to fight crimes such as drug trafficking, terrorism and espionage. This amendment was, unfortunately, not adopted. Other Committees of the House including National Security, Intelligence and Commerce will now review this legislation through September 5 before it is considered by the full House later this year. We urge our colleagues on these Committees as well as our colleagues on the International Relations and the Judiciary Committees to review this legislation very carefully and consider its impact on our society and our ability to fight terrorism and protect our national security interests. Benjamin A. Gilman. Lee H. Hamilton. Doug Bereuter. Office of the Attorney General, Washington, DC, July 18, 1997. Dear Member of Congress: Congress is considering a variety of legislative proposals concerning encryption. Some of these proposals would, in effect, make it impossible for the Federal Bureau of Investigation (FBI), Drug Enforcement Administration (DEA), Secret Service, Customs Service, Bureau of Alcohol, Tobacco and Firearms, and other federal, state, and local law enforcement agencies to lawfully gain access to criminal telephone conversations or electronically stored evidence possessed by terrorists, child pornographers, drug kingpins, spies and other criminals. Since the impact of these proposals would seriously jeopardize safety and national security, we collectively urge you to support a different, balanced approach that strongly supports commercial and privacy interests but maintains our ability to investigate and prosecute serious crimes. We fully recognize that encryption is critical to communications security and privacy, and that substantial commercial interests are at stake. Perhaps in recognition of these facts, all the bills being considered allow market forces to shape the development of encryption products. We, too, place substantial reliance on market forces to promote electronic security and privacy, but believe that we cannot rely solely on market forces to protect the public safety and national security. Obviously, the government cannot abdicate its solemn responsibility to protect public safety and national security. Currently, of course, encryption is not widely used, and most data is stored, and transmitted, in the clear. As we move from a plain text world to an encrypted one, we have a critical choice to make: we can either (1) choose robust, unbreakable encryption that protects commerce and privacy but gives criminals a powerful new weapons, or (2) choose robust, unbreakable encryption that protects commerce and privacy and gives law enforcement the ability to protect public safety. The choice should be obvious and it would be a mistake of historic proportions to do nothing about the dangers to public safety posed by encryption without adequate safeguards for law enforcement. Let there be no doubt: without encryption safeguards, all Americans will be endangered. No one disputes this fact; not industry, not encryption users, no one. We need to take definitive actions to protect the safety of the public and security of the nation. That is why law enforcement at all levels of government--including the Justice Department, Treasury Department, the National Association of Attorneys General, International Association of Chiefs of Police, the Major City Chiefs, the National Sheriffs' Association, and the National District Attorneys Association--are so concerned about this issue. We all agree that without adequate legislation, law enforcement in the United States will be severely limited in its ability to combat the worst criminals and terrorists. Further, law enforcement agrees that the widespread use of robust non-key recovery encryption ultimately will devastate our ability to fight crime and prevent terrorism. Simply stated, technology is rapidly developing to the point where powerful encryption will become commonplace both for routine telephone communications and for stored computer data. Without legislation that accommodates public safety and national security concerns, society's most dangerous criminals will be able to communicate safely and electronically store data without fear of discovery. Court orders to conduct electronic surveillance and court-authorized search warrants will be ineffectual, and the Fourth Amendment's carefully-struck balance between ensuring privacy and protecting public safety will be forever altered by technology. Technology should not dictate public policy, and it should promote, rather than defeat, public safety We are not suggesting the balance of the Fourth Amendment be tipped toward law enforcement either. To the contrary, we only seek the status quo, not the lessening of any legal standard or the expansion of any law enforcement authority. The Fourth Amendment protects the privacy and liberties of our citizens but permits law enforcement to use tightly controlled investigative techniques to obtain evidence of crimes. The result has been the freest country in the world with the strongest economy. Law enforcement has already confronted encryption in high-profile espionage, terrorist, and criminal cases. For example: An international terrorist was plotting to blow up 11 U.S.-owned commercial airliners in the Far East. His laptop computer, which was seized in Manila, contained encrypted files concerning this terrorist plot; A subject in a child pornography case used encryption in transmitting obscene and pornographic images of children over the Internet; and A major international drug trafficking subject recently used a telephone encryption device to frustrate court-approved electronic surveillance. And this is just the tip of the iceberg. Convicted spy Aldrich Ames, for example, was told by the Russian Intelligence Service to encrypt computer file information that was to be passed to them. Further, today's international drug trafficking organizations are the most powerful, ruthless and affluent criminal enterprises we have ever faced. We know from numerous past investigations that they have utilized their virtually unlimited wealth to purchase sophisticated electronic equipment to facilitate their illegal activities. This has included state of the art communication and encryption devices. They have used this equipment as part of their command and control process for their international criminal operations. We believe you share our concern that criminals will increasingly take advantage of developing technology to further insulate their violent and destructive activities. Requests for cryptographic support pertaining to electronic surveillance interceptions from FBI Field Offices and other law enforcement agencies have steadily risen over the past several years. There has been an increase in the number of instances where the FBI's and DEA's court-authorized electronic efforts were frustrated by the use of encryption that did not allow for law enforcement access. There have also been numerous other cases where law enforcement, through the use of electronic surveillance, has not only solved and successfully prosecuted serious crimes but has also been able to prevent life-threatening criminal acts. For example, terrorists in New York were plotting to bomb the United Nations building, the Lincoln and Holland Tunnels, and 26 Federal Plaza as well as conduct assassinations of political figures. Court-authorized electronic surveillance enabled the FBI to disrupt the plot as explosives were being mixed. Ultimately, the evidence obtained was used to convict the conspirators. In another example, electronic surveillance was used to stop and then convict two men who intended to kidnap, molest, and kill a child. In all of these cases, the use of encryption might have seriously jeopardized public safety and resulted in the loss of life. To preserve law enforcement's abilities, and to preserve the balance so carefully established by the Constitution, we believe any encryption legislation must accomplish three goals in addition to promoting the widespread use of strong encryption. It must establish: A viable key management infrastructure that promotes electronic commerce and enjoys the confidence of encryption users; A key management infrastructure that supports a key recovery scheme that will allow encryption users access to their own data should the need arise, and that will permit law enforcement to obtain lawful access to the plain text of encrypted communications and data; and An enforcement mechanism that criminalizes both improper use of encryption key recovery information and the use of encryption for criminal purposes. Only one bill, S. 909 (the McCain/Kerrey/Hollings bill), comes close to meeting these core public safety, law enforcement, and national security needs. The other bills being considered by Congress, as currently written, risk great harm to our ability to enforce the laws and protect our citizens. We look forward to working to improve the McCain/Kerrey/Hollings bill. In sum, while encryption is certainly a commercial interest of great importance to this Nation, it is not solely a commercial or business issue. Those of us charged with the protection of public safety and national security, believe that the misuse of encryption technology will become a matter of life and death in many instances. That is why we urge you to adopt a balanced approach that accomplishes the goals mentioned above. Only this approach will allow police departments, attorneys general, district attorneys, sheriffs, and federal authorities to continue to use their most effective investigative techniques, with court approval, to fight crime and espionage and prevent terrorism. Sincerely your, Janet Reno, Attorney General; Louis Freeh, Director, Federal Bureau of Investigation; Thomas A. Constantine, Director, Drug Enforcement Administration; Raymond W. Kelly, Undersecretary for Enforcement, U.S. Department of Treasury; John W. Magaw, Director, Bureau of Alcohol, Tobacco and Firearms; Barry McCaffrey, Director, Office of National Drug Control Policy; Lewis C. Merletti, Director, United States Secret Service; George J. Weise, Commissioner, United States Customs Service. The Secretary of Defense, Washington, DC, July 21, 1997. Dear Member of Congress: Recently you received a letter from the nation's senior law enforcement officials regarding US encryption policies. I am writing today to express my strong support for their views on this important issue. As you know, the Department of Defense is involved on a daily basis in countering international terrorism, narcotics trafficking, and the proliferation of weapons of mass destruction. The spread of unbreakable encryption, as a standard feature of mass market communication products, presents a significant threat to the ability of the US and its allies to monitor the dangerous groups and individuals involved in these activities. Passage of legislation which effectively decontrols commercial encryption exports would undermine U.S. efforts to foster the use of strong key recovery encryption domestically and abroad. Key recovery products will preserve governments' abilities to counter worldwide terrorism, narcotics trafficking and proliferation. It is also important to note that the Department of Defense relies on the Federal Bureau of Investigation for the apprehension and prosecution of spies. Sadly, there have been over 60 espionage convictions of federal employees over the last decade. While these individuals represent a tiny minority of government employees, the impact of espionage activities on our nation's security can be enormous. As the recent arrests of Nicholson, Pitts and Kim clearly indicate, espionage remains a very serious problem. Any policies that detract from the FBI's ability to perform its vital counterintelligence function, including the ability to perform wiretaps, inevitably detract from the security of the Department of Defense and the nation. Encryption legislation must also address the nation's domestic information security needs. Today, approximately 95% of DoD communications rely on public networks; other parts of government, and industry, are even more dependent on the trustworthiness of such networks. Clearly, we must ensure that encryption legislation addresses these needs. An approach such as the one contained in S. 909 can go a long way toward balancing the need for strong encryption with the need to preserve national security and public safety. I hope that you will work with the Administration to enact legislation that addresses these national security concerns as well as the rights of the American people. I appreciate your consideration of these views. Sincerely, Bill Cohen. International Association of Chiefs of Police, Alexandria, VA, July 21, 1997. Dear Member of Congress: Enclosed is a letter sent to you by the Attorney General, the Director of National Drug Control Policy and all the federal law enforcement heads concerning encryption legislation being considered by congress. Collectively we, the undersigned, represent over 17,000 police departments including every major city police department, over 3,000 sheriffs departments, nearly every district attorney in the United States and all of the state Attorneys General. We fully endorse the position taken by our federal counterparts in the enclosed letter. As we have stated many times, Congress must adopt a balanced approach to encryption that fully addresses public safety concerns or the ability of state and local law enforcement to fight crime and drugs will be severely damaged. Any encryption legislation that does not ensure that law enforcement can gain timely access to the plaintext of encrypted conversations and information by established legal procedures will cause grave harm to public safety. The risk cannot be left to the uncertainty of market forces or commercial interests as the current legislative proposals would require. Without adequate safeguards, the unbridled use of powerful encryption soon will deprive law enforcement of two of its most effective tools, court authorized electronic surveillance and the search and seizure of information stored in computers. This will substantially tip the balance in the fight against crime towards society's most dangerous criminals as the information age develops. We are in unanimous agreement that congress must adopt encryption legislation that requires the development, manufacture, distribution and sale of only key recovery products and we are opposed to the bills that do not do so. Only the key recovery approach will ensure that law enforcement can continue to gain timely access to the plaintext of encrypted conversations and other evidence of crimes when authorized by a court to do so. If we lose this ability--and the bills you are considering will have this result--it will be a substantial set back for law enforcement at the direct expense of public safety. Sincerely yours, Darrell L. Sanders, President, International Association of Chiefs of Police. James E. Doyle, President, National Association of Attorneys General. Fred Scoralic, President, National Sheriffs' Association. William L. Murphy, President, National District Attorneys Association.