ADMINISTRATION'S UPDATED ENCRYPTION POLICY (Senate - September 17, 1998)

[Page: S10515]

Mr. LEAHY. Mr. President, when the Administration first announced the encryption policy that has been in effect for the past two years, I warned on October 1, 1996, that:

The general outline of the Administration's plan smacks of the government trying to control the marketplace for high-tech products. Only those companies that agree to turn over their business plans to the government and show that they are developing key recovery systems, will be rewarded with permission to sell abroad products with DES encryption, which is the global encryption standard.

The Administration announced yesterday that it is finally fixing this aspect of its encryption policy. New Administration guidelines will permit the export of 56-bit DES encryption without a license, after a one time technical review, to all users outside the seven terrorist countries. No longer will the Administration require businesses to turn over business plans and make promises to build key recoverable products for the freedom to export 56-bit DES.

In 1996, I also raised serious questions about the Administration's proposal to pull the plug on 56-bit DES exports in two years. I warned at the time that this `sunset' provision `does not promote our high-tech industries overseas.' I specifically asked,

Does this mean that U.S. companies selling sophisticated computer systems with DES encryption overseas must warn their customers that the supply may end in two years? Customers both here and abroad want stable suppliers, not those jerked around by their government.

I am pleased that the Administration has also changed this aspect of its policy and adopted an export policy with no `sunset.' Instead, the Administration will conduct a review of its policy in one year to determine how well it is working.

Indeed, while 56-bit encryption may still serve as the global standard, this will not be the situation for much longer. 128-bit encryption is now the preferred encryption strength.

In fact, to access online account information from the Thrift Savings Plan for Federal Employees, Members and congressional staff must use 128-bit encryption. If you use weaker encryption, a screen pops up to say `you cannot have access to your account information because your Web browser does not have Secure Socket Layer (SSL) and 128-bit encryption (the strong U.S./Canada-only version).'

Likewise, the Department of Education has set up a Web site that allows prospective students to apply for student financial aid online. Significantly, the Education Department states that `[t]o achieve maximum protection we recommend you use 128-bit encryption.'

These are just a couple examples of government agencies or associated organizations directing or urging Americans to use 128-bit encryption. We should assume that people in other countries are getting the same directions and recommendations. Unfortunately, while American companies can fill the demand for this strong encryption here, they will still not be permitted to sell this strength encryption abroad for use by people in other countries.

Nevertheless, the Administration's new encryption policy announced today moves in the right direction to bolster the competitive edge of our Nation's high-tech companies, allow American companies to protect their confidential and trade secret information and intellectual property in communications with subsidiaries abroad, and promote global electronic commerce. These are objectives I have sought to achieve in encryption legislation that I have introduced and cosponsored with bipartisan support in this and the last Congress.

I remain concerned, however, that privacy safeguards and standards for law enforcement access to decryption assistance are ignored in the Administration's new policy. These are critical issues that continue to require our attention.

END