16 September 1998
(Revised policy seeks difficult balance, Gore says) (4910) Washington -- Vice President Gore has announced revision to U.S. policy relaxing export controls on encryption, a compromise aiming to satisfy the interests of U.S. business, law enforcement and national security. Gore said a policy with the right balance was difficult to reach. He said the policy will be subject to scrutiny as technology and circumstances change. "Beginning today, American companies will be able to use encryption programs of unlimited strength when communicating between most countries," Gore said at a September 16 White House briefing. "Health, medical, and insurance companies will be able to use far stronger electronic protection for personal records and information. Law enforcement will still have access to criminally related information under strict and appropriate legal procedures. And we will maintain our full ability to fight terrorism and monitor terrorist activity that poses a grave danger to American citizens." According to the administration officials briefing reporters after Gore's remarks, following are some of the key elements of the revised policy: -- exports of 56-bit encryption are allowed to all but seven terrorism-supporting countries after one-time review of the product by the government. No longer required are plans by the exporters for developing key recovery products. These products allow users to break into their own scrambled messages if they somehow lose the algorithm key; they could also be used to assist law enforcement and national security agencies collect information. -- exports of key recovery products are allowed without restraint worldwide. -- exports of encryption software of unlimited strength are allowed to certain sectors in 45 countries after one-time review. Those sectors are insurance, health and medical (except biochemical and pharmaceuticals), on-line merchants, and foreign subsidiaries of U.S. companies. This policy already applied to banks and other financial institutions. -- exports are allowed to 42 countries under a Commerce Department export licensing arrangement of recovery-capable products used for development of networks and e-mail transmission. Excluded are exports to munitions manufacturers. All other license applications for encryption exports are to be considered case by case. Following is the official White House transcript of the briefing: (begin transcript) PRESS BRIEFING BY THE VICE PRESIDENT, DEPUTY CHIEF OF STAFF JOHN PODESTA, PRINCIPAL ASSOCIATE DEPUTY ATTORNEY GENERAL ROBERT LITT, ASSISTANT DIRECTOR OF THE FBI CAROLYN MORRIS, UNDER SECRETARY OF COMMERCE WILLIAM REINSCH, DEPUTY SECRETARY OF DEFENSE JOHN HAMRE, AND DEPUTY NATIONAL SECURITY ADVISOR JIM STEINBERG The Briefing Room 11:57 A.M. EDT THE VICE PRESIDENT: Good morning. While my colleagues are coming in here, let me acknowledge them. John Podesta is going to take over the podium after I complete my statement, and he is joined by Bob Litt of the Justice Department, Bill Reinsch of the Commerce Department -- Under Secretary for the Export Administration -- and John Hamre, Deputy Secretary of Defense. I also want to acknowledge Carolyn Morris of the FBI; Barbara McNamara of the National Security Agency; John Gordon, Deputy Director of the CIA. And you all should know that this process, the results of -- the interim results of which I'm announcing here, is a process that has been run principally by John Podesta and Jim Steinberg, Deputy at the National Security Council. And I also want to thank Sally Katzen at the NEC and David Beier on my staff for the work that they and many others have done on this. Some of you who have followed this issue know that it is probably one of the single most difficult and complex issues that you can possibly imagine. But we've made progress, and we're here this morning to announce an important new action that will protect our national security and our safety, and advance our economic interests and safeguard our basic rights and values in this new Information Age. The Information Age has brought us the Internet, an inter-connected global economy and the promise of connecting us all to the same vast world of knowledge. But with that exciting promise comes new challenges. We must make sure that in the Information Age you get information about the rest of the world and not the other way around. We must ensure that new technology does not mean new and sophisticated criminal and terrorist activity which leaves law enforcement outmatched -- we can't allow that to happen. And we must ensure that the sensitive financial and business transactions that now cruise along the information superhighway are 100 percent safe in cyberspace. Balancing these needs is no simple task, to say the least. That is why, in taking the next step toward meeting these complex goals, we worked very closely with members of Congress from both parties, House and Senate; with industry; with our law enforcement community and with our national security community. And as we move forward we want to keep working closely with all who share a stake in this issue -- especially law enforcement -- to constantly assess and reassess the effectiveness of our actions in this fast changing medium. Today I'm pleased to announce a new federal policy for the encryption and protection of electronic communication, a policy that dramatically increases privacy and security for families and businesses without endangering out national security. Beginning today, American companies will be able to use encryption programs of unlimited strength when communicating between most countries. Health, medical, and insurance companies will be able to use far stronger electronic protection for personal records and information. Law enforcement will still have access to criminally related information under strict and appropriate legal procedures. And we will maintain our full ability to fight terrorism and monitor terrorist activity that poses a grave danger to American citizens. With this new announcement, we will protect the privacy of average Americans because privacy is a basic value in the Information Age, indeed in any age. We will give industry the full protection that it needs to enable electronic commerce to grow and to thrive. And we will give law enforcement the ability to fight 21st century crimes with 21st century technology, so our families and businesses are safe, but on-line outlaws are not safe. In just a moment you will hear more of the details of this new policy, but I want to conclude by saying that this policy does reflect one of the greatest challenges of these new times. And to state it broadly, it's a challenge of how we can harness powerful new technology while protecting our oldest and most cherished values, such as privacy and safety. I'm grateful to those who have worked so hard to reach this balance. And with today's announcement I believe that all families and businesses have reason to feel safer, more secure and more confident as we approach the 21st century. And now I'd like to turn things over to White House Deputy Chief of Staff John Podesta. Q Mr. Vice President, before you go, can you tell us what you say to Democratic lawmakers who say the President ought to resign? THE VICE PRESIDENT: I disagree. Q How about the release of that tape? What do you think -- THE VICE PRESIDENT: The President is going to have a press conference shortly and I'm sure that you will not miss the opportunity at this national security press conference with the leader of a foreign country to raise all these questions. Q What about the videotape, should it be released? Q It was staged by the White House -- you know that, don't you? MR. PODESTA: Guess what? I'm here to talk about encryption. Okay. I can see the front row leaving here. (Laughter.) As the Vice President noted, Jim Steinberg and I have co-chaired our process in this matter. I volunteered for that duty because of my well-known fascination with The X Files, which most of you know about. As you know, this is an important and challenging issue that affects many of our interests in our society. And over the past year we've promoted a balanced approach to the issue, working with all segments of our government and working with industry to find a policy that promotes electronic commerce, preserves privacy, protects national security and law enforcement interests, and permits U.S. industry to secure global markets. Recognizing the importance of moving this issue forward, last March the Vice President asked us to intensify our dialogue with U.S. industry, to bring industry's technical expertise to bear on this issue with the hope of finding more innovative ways that we might assist law enforcement. We appreciate the efforts of Congress, the law enforcement community and particularly the industry groups. I would note the Computer Systems Policy Project and the Americans for Computer Privacy, who have been in an intensive dialogue with us over the past many months to foster an environment that has allowed us to come up with a policy which we believe has balanced the elements that are necessary in this regard. I think all the stakeholders in this process, on our side, as well as on private industry's side, now have a greater appreciation of the issues and intend to continue the dialogue, which I think we're most pleased by. Again, I think some of the people here from industry will be available at the stakeout later to take some comment. Based on the ideas discussed among the various stakeholders, today we're proposing an update to our policies that we've announced in the past. I'm going to serve kind of as M.C. We're going to start off with Bob Litt from the Justice Department and Carol Morris, who I asked to join us, from the FBI, to talk about the law enforcement-FBI concerns. Then we're going to turn to Bill Reinsch from the Commerce Department to talk about export control and electronic commerce. And finally you'll hear from Dr. Hamre from the Defense Department. I might ask Jim also to join us up here. Before I give up the floor to Bob and Carol, though, I want to stress that encryption policy is an ongoing process. It's one of adaptation; it's an evolutionary process. We intend to continue the dialogue, and over the course of the next year, determine what further updates are necessary as we work with industry to try to, again, come up with a policy that balances national security, law enforcement, and the real needs for privacy and security in electronic commerce. Thank you. Let me turn it over to Bob. MR. LITT: Thank you, John. Good afternoon. The Justice Department and the FBI and law enforcement in general is supportive, very supportive of today's announcement on the updating of our export controls on encryption products, particularly with respect to those products that allow law enforcement to obtain lawful access to the plain text of encrypted information. We have been very encouraged over the last few months by industry's efforts to work with us to develop and market strong encryption products that provide law-abiding citizens with the ability to protect the privacy of their communications and their electronically stored data while at the same time maintaining law enforcement's ability to ensure public safety when these products, when they become commercially available, are used in furtherance of serious criminal activity. Our goal is through whatever means to ensure that when we have the lawful authority to take steps to protect public safety, we have the ability to do so. And we have been working cooperatively with industry for many months to develop approaches that will deal with that. Carolyn Morris will now talk a little bit about the technical support center that is being proposed. MS. MORRIS: Thank you very much, Bob. Good afternoon, ladies and gentlemen. We in federal, state, and local law enforcement, are pleased with the administration's support to establish a technical support center. This center will provide federal, state, and local law enforcement with the resources and the technical capabilities we need to fulfill our investigative responsibilities. In light of strong, commercially available encryption products that are being proliferated within the United States, and when such products are used in the furtherance of serious criminal activity, this center becomes very, very critical to solving the encryption issues that we need to make cases. As a matter of fact, the FBI has already begun planning activities of this critical technical support center in anticipation of the availability of funds. The United States federal, local and state law enforcement community looks forward to a cooperative partnership with American industry, the Congress and the administration to ensure that this technical support center becomes a reality in the near future. With this center the American people can be assured that federal, state, and local law enforcement has the necessary resources and tools we need to fulfill our public safety mission. Thank you very much. UNDER SECRETARY REINSCH: With respect to export controls, the administration is updating its policy in three areas: Our existing policy and some revisions there, an expansion with respect to certain sectors, and an expansion with respect to so-called recoverable products. And let me address each of these separately. In keeping with the administration's reinvention initiatives, I'm going to try to do it in plain language -- or plain English, so that those of you that speak the vocabulary of encryption may find it too elementary, but we can go back and do it again in another language, if you want, later on in questions. With respect to our existing policy, we have for two years ending this December, permitted the export of 56-bit products after an initial one-time review without further review by the government. What we're announcing today is the maintenance of that window permanently. And so 56-bit products will be freed from export controls after a one-time review, in perpetuity, not ending at the end of this year. We are, however, removing the requirement for key recovery plans or key recovery commitments to be provided in return for that change, which was the initial condition that we extracted. In addition, we are continuing to permit the export of key recovery products -- products that contain those features -- without restraint worldwide. We are, however, going to simplify significantly our regulations that relate to those exports. In particular, we're going to eliminate the need for six-month progress reports for the plans that have been submitted, and we're going to eliminate the requirement for any prior reporting of key recovery agent information. For those of you that follow the regulations in detail, that means we're going to eliminate Supplement Five of our regulations on these matters. Now, with respect to sectors, we're making some new innovations in four areas. Some of you may be familiar with the fact that some time ago we announced expanded treatment of encryption products for export to banks and financial institutions. And what we did at that time, briefly, was to permit the export of encryption products of any length, any bit length, with or without key recovery features to banks and financial institutions in a list of 45 countries. What we are announcing today is, first, that we are adding insurance companies to the definition of financial institutions, so insurance companies will be treated the same way under this policy as banks and other financial institutions are now. In addition, we are providing the same kind of treatment for exports of these encryption products to the health and medical sector operating in the same set of countries. We are excluding from that biochemical and pharmaceutical producers. But the rest of the health and medical sector will be the beneficiary of the same kind of treatment. In addition, we are providing also this expanded treatment for that country group to on-line merchants that are operating in those countries. That means that for products that are like client-server applications, like SSL, will be able to be exported to those destinations. All these things will take place under what we call license exception, which means after initial one-time review to determine whether or not your product is, in fact, what you say it is, they can then go without any further review or intervention by the government to those locations. In addition, there is always the option in the export control system of coming in with an application to export these kinds of products to other destinations beyond the ones that I'm talking about right now, and those will be reviewed one by one on their merits. Finally, with respect to what we have come to refer to as a class of so-called recovery capable or recoverable products, and these are the products that, among others, include what has become known as the doorbell products, which are products that, among other things, will deal with the development of local area or wide area networks and the transmission of e-mail and other data over networks -- we are going to permit the export of those products under a presumption of approval and an export licensing arrangement to a list of 42 countries. And within those countries we are going to permit that export to commercial firms only within those countries. And both in that case and in the case of the on-line merchants that I referred to a few minutes ago, we are going to exclude manufacturers or distributors of munitions items, I think for obvious reasons. We can go into further details later, if you would like. I think for those of you that are interested in the nitty-gritty of all this stuff, BXA intends to post all the details, including the country lists, on its website and we should have that up later today. Thank you. DEPUTY SECRETARY HAMRE: Good morning. I'm here to speak on behalf of the national security community. I'm joined today by my enormously capable counterparts and colleagues, Deputy Director Barbara McNamara for the National Security Agency; and Deputy Director John Gordon from the Central Intelligence Agency. The national security establishment strongly supports this step forward. We think this is a very important advance in a crucial area for our security in the future. We in DOD had four goals when we entered these discussions. First was to strengthen our ability to do electronic commerce. We're the largest company in the world. Every month we write about 10 million paychecks. We write about 800,000 travel vouchers. One of our finance centers disburses $45 million an hour. We are a major, major force in business. And for that reason, we can't be efficient unless we can become fully electronic, and electronic commerce is essential for us. And this is an enormous step forward. Second, we must have strong encryption and a security structure for that in order to protect ourselves in cyberspace. Many of you know that we have experienced a number of cyber attacks during the last year. This will undoubtedly increase in the future. We need to have strong encryption because we're operating over public networks; 95 percent of all of our communications now go over public infrastructure -- public telephone lines, telephone switches, computer systems, et cetera. To protect ourselves in that public environment, we must have encryption and we must have a key recovery system for ourselves. The third goal that we had was to help protect America's infrastructure. One of the emerging national security challenges of the next decade is to protect this country, the homeland defense of this country, against attack. We must have strong encryption in order to do that, because most of this infrastructure now is being managed through distributed computer-based management systems, and this is an important step forward. Finally, it is very important that the Department of Defense and our colleagues in the national security establishment have the ability to prosecute our national security interests overseas. Terrorists and rogue nations are increasingly using these tools to communicate with each other and to lay their plans. We must have the ability to deal with that. And so this policy, it's a balanced and structured approach to be able to deal with all four of those problems. UNDER SECRETARY REINSCH: I apologize -- in listing my changes, I neglected one very important item that I want to go back to, and that is, in the sector area we are also announcing today the ability to export strong encryption of any bit length, with or without key recovery features, to subsidiaries of U.S. companies to all destinations in the world with the exception of the seven terrorist nations. MR. PODESTA: Okay, I think we're happy to take your questions now. If you could identify whom you're addressing, because there is a variety of expertise. And I would like to introduce one other person, Charlotte Knepper from the NSC staff, who has been instrumental in pulling this all together. Q John, this is a question for you. In October '96 and other White House statements on encryption, there has usually been a line also addressing the domestic side, saying that all Americans remain free to use any strength encryption. I didn't notice anything like that in today's announcement. Are there any conditions under which the White House would back domestic restrictions on encryption? MR. PODESTA: We haven't changed our policy, and the previous statements are certainly intact. We have made a number of policy statements in the past, since this administration came into office, and I think that you should view this as a step forward, building on the policies that we have put before the American public in the past. Q John, could I ask you one question about an un-encrypted matter? MR. PODESTA: Maybe. (Laughter.) Q Democrats on the Hill are now saying, and John Kerry is saying that the President's actions absolutely call for some sort of punishment. What are Democrats telling you about what they feel must be done at this point? MR. PODESTA: Well, I think I'm not going to stand here and take a lot of questions, but I'm going to give special dispensation, as a Catholic, today -- which is I'm going to return your phone calls later. But in deference to the people up here I think we'll handle it that way. But in specific response, I'll take one, which is that I think that we had a number of productive meetings with Democrats on both sides of the Hill yesterday. They view the President as a person who has led on the issues that are important to them, and I think what they want to do is get back to having him speak out and be a leader on the issues of education and the health care bill of rights, on saving Social Security. And I think they pointed at that and wanted to work with us on that. I think with regard to the question that you posed with regard to Senator Kerry, I think that's a matter that they are debating amongst themselves more than they are debating with the White House. I think it's probably presumptuous for us at this point to offer them assistance or guidance. I mean, the President has said that what he has done was wrong; he's apologized for it; he's asked for forgiveness. He is moving forward. And I think that this debate is going on, on Capitol Hill, but it's largely going on amongst members themselves. Q We haven't heard many of them say they want to get back to the work at hand. MR. STEINBERG: You heard John, and I'm going to leave it there. Let me just add a word in response, in connection with the domestic controls issue. I think one of the lessons that we've learned from this exercise is that -- actually, two lessons -- one, that trying to balance the various interests and equities in this is much less of a zero sum gain than I think some began to look at the question. That is, you heard from Dr. Hamre and others that many of the interests involved have common interests in making sure that we have secure and effective means of dealing with communications and stored data. And so we found, by looking in a very pragmatic way, that there were ways to solve these problems without very, kind of, broad-based solutions. In particular, I think the idea that there's no one-size-fits-all answer to the problems of meeting the various needs informs the decisions that we reached -- that there are a variety of different techniques that respond to the different aspects of the industry, the different aspects of the technology. I think that's what made the progress possible today, is that industry, agencies and Congress sat down together, pulled the problem apart, began to look at its different components and began to fashion very pragmatic solutions. And so I think we came to this discussion with a spirit of not looking for a kind of single or simple solution to the problem but, rather, how do you tackle and meet the various needs. And I think that's what led to this resolve. Q Could you talk a little more about the on-line merchants part of it? I mean, what do you have to do to qualify as an on-line merchant? Do you have to register or can anybody sort of set themselves up in business? UNDER SECRETARY REINSCH: I think the simplest way to respond to that right now is we'll have a definition in the reg that will be very clear as to what the criteria are for qualification. And those definitions have already been dealt with and agreed to, so we should have them up on the web site this afternoon. Q A question for Bill Reinsch. How do you handle, then, 128-bit, to which the Department has given export -- or has allowed to be exported after going through this review? Will 128 or things above 56-bit, will they require a license or will they still have to go through plans -- UNDER SECRETARY REINSCH: Well, with respect to the subsidiaries, the health sector, the banks, the financial institutions, the insurance companies, the on-line merchants, and the recoverable products as in the universe defined -- no. In the case of all but the recoverable products, they will all go on license exception, which means one-time review and then out the door. With respect to recoverable products, they will come in and go out pursuant to an export licensing arrangement, where we'll have to do a little tailoring depending upon the nature of the product. But there is a presumption of approval for the 42 countries that I indicated. And that's without reference to bit length -- 128 or more is all covered by that. Now, if you want to export an 128-bit product that is beyond any of those universes, then you would have to come in for an individual license application. Q A question for Mr. Litt. With regard to the technical support center, when do you expect that to be in operation? MR. LITT: I don't think we have a specific timetable yet. Obviously, it would be helpful for us to have it up and operational as soon as possible, but there are planning and budgetary issues that have to be dealt with. Q This is probably a question for Under Secretary Reinsch. The export exceptions now are essentially going to U.S. subsidiaries -- foreign subsidiaries of U.S. companies. I was wondering, could you be a little more specific -- what size company, what kind of company will be allowed to export powerful crypto to its foreign subsidiaries? UNDER SECRETARY REINSCH: That doesn't make any difference. The universe is determined by the end user, not by the nature of the American company. But it is not -- while part of this relates to subsidiaries of U.S. companies, that is correct, we also intend, on a case-by-case basis, to provide for favorable treatment for export of the same kind of thing to strategic partners of U.S. companies -- those foreign companies that are engaged in a closer, say, joint venture, that kind of relationship. Well, I think that's it. Q What about foreign companies that have U.S. subsidiaries, like Seaman's or -- or Chrysler -- can they get this encryption? UNDER SECRETARY REINSCH: Well, keep in mind, there are multiple universes here. If you're talking about the financial institutions, the banks and the insurance companies, those aren't necessarily American financial institutions. That's for export to any financial institution, and for their use in any of their branches, aside from the terrorist countries. This is true for the health sector; this is true for on-line merchants as well. Those are not restricted to U.S. companies. Obviously, if we're going to have a requirement for U.S. subs, it relates to U.S. subs, and wouldn't affect the examples you've described. Now, with respect to recoverable products, which actually is one of the areas where the companies you mentioned would probably be looking because they'd be looking to build a network among their various offices, affiliates of subsidiaries, dealers if necessary, worldwide, the recoverable provisions that I described could be exported to those companies within the territorial universe I described -- the 42 countries. Thank you very much. END 12:25 P.M. EDT (end transcript)