13 October 1998
(Balance must be struck to protect business, society) (2740)

Washington -- David Aaron, U.S. undersecretary of commerce for international trade, says a balance is needed with strong encryption software so that both electronic commerce and civil society get the protection they need.

Aaron said the balance must be struck so that law enforcement agencies will be able to carry out court-authorized surveillance to combat terrorists, drug traffickers, child pornographers, and other criminals.

"We believe the answer lies in cryptographic systems that provide trustworthy security services along with lawful access," Aaron said. "By lawful access, I refer to a range of technologies designed to permit the plain text recovery of encrypted data and communications under a court order or other lawful means that safeguards civil liberties."

He said the United States is not wedded to a single approach. He said the approach is to be found in an industry-led, market-based solution to helping law enforcement.

He delivered the remarks to a Federation of German Chambers of Industry and Commerce luncheon in Bonn, Germany, October 13. A copy of the text was made available in Washington.

Following is the text of Aaron's remarks as prepared for delivery:

(begin text)

Federation of German Chambers of Industry and Commerce Luncheon
Prepared Remarks for David L. Aaron, U.S. Under Secretary of Commerce for International Trade
October 13, 1998

"The Truth about U.S. Encryption Policy"

Thank you for the opportunity to meet with you today. My remarks will focus on encryption, which is an essential part of the future of electronic commerce.

I want to tell the "truth" about US encryption policy because over the last few months in Germany, there have been a discouraging number of distortions and misrepresentations of our policy placed on the public record. Some of them attack the integrity of the United States government.
It is particularly sad and surprising to hear such things from officials of a country with whom we have the closest friendship and alliance. These assertions must be corrected before they have a negative effect on our bilateral relationship.

I have read the speeches from German government officials and politicians that you have heard. I have read the same headlines that you have read. "U.S. encryption policy is an attempt to dominate the global encryption market." "Keys to U.S. encryption products in Germany must be deposited within the U.S." "Key recovery products provide a back-door for U.S. intelligence services." "U.S. encryption products violate German laws."

All of these assertions are untrue. I am here today to tell you the truth so that you can decide for yourselves what products to use to protect your privacy, to secure your electronic transactions, and to save your valuable business records.

I would like to begin with a brief description of our policy, the reasons for it, and then answer these specific charges in detail.

U.S. Encryption Policy

As U.S. Special Envoy for Cryptography, I've had the pleasure of meeting with a large number of U.S. and foreign industry leaders. They have all impressed upon me the crucial importance of robust encryption for the future of their enterprises and to safeguard electronic commerce. The U.S. government agrees that strong encryption to protect privacy, and commerce, is a must.

But strong encryption also poses serious dangers for public safety. Law enforcement's use of electronic surveillance is and has been an essential tool in terrorism cases and many criminal investigations. Encryption threatens to take this tool away -- not only preventing court-authorized surveillance but also more frequent lawful searches and seizures of computers and their files.

Already our U.S. Justice Department and drug enforcement agencies have encountered important examples of instances where encryption has been used by terrorists, drug traffickers, child pornographers, and other criminals. For example, Ramzi Yousef, a key figure in the World Trade Center bombing and an employee of Osama Bin Laden, used encryption to conceal his plans to blow up 11 U.S. airliners in Southeast Asia. We expect the criminal use of unbreakable encryption to increase as it becomes widely available and easy to use.

For a country like Germany which is the target of foreign mafias and has been the site of numerous terrorist incidents, the elimination of any possible use of lawful police surveillance poses obvious dangers. Clearly, a balance must be struck between the needs of businesses and consumers and the protection of society as a whole.

What is the answer? We believe the answer lies in cryptographic systems that provide trustworthy security services along with lawful access. By lawful access, I refer to a range of technologies designed to permit the plain text recovery of encrypted data and communications under a court order or other lawful means that safeguards civil liberties.

We are not wedded to any single technology approach. Key management infrastructures, key recovery and other recoverable products that provide lawful access are some of the ways to achieve a reasonable balance. We believe that seeking industry-led, market-based solutions is the best approach to helping law enforcement.

To promote such cooperation, last March, Vice President Gore called for an intensive dialogue between the government and U.S. industry, the law enforcement community, and privacy groups. This dialogue has been productive, resulting in a number of policy refinements which will benefit all involved, including foreign companies interested in purchasing strong U.S. encryption.
In September, we announced the following steps:

Encryption of any strength, with any key length, with or without key recovery, will now be permitted for export, under license exception, to several sectors, including banking, insurance, health and medical organizations, and on-line merchants, in Western Europe, Japan and Australia. Export to end-users or destinations outside this will be considered on a case-by-case basis.

The new guidelines will also allow encryption hardware and software products with an encryption strength up to 56-bit DES or equivalent to be exported without a license to all users outside the seven terrorist countries (Iran, Iraq, Libya, Syria, Sudan, North Korea, and Cuba). Under the new guidelines, these DES products are not required to have key recovery.

To assist law enforcement, we will continue to promote the development of key recovery products by easing our regulatory requirements for such products. Our policy of encouraging this market is clearly working; both U.S. and foreign companies are developing key recovery and recoverable products in response to customer demand. For example, no company wants to have its files locked up permanently by a disgruntled employee.

In this connection, exporters will no longer need to name or submit additional information on the reliability of a key recovery agent prior to export. So if you want a U.S. key recovery product, and decide to use that feature, we don't want to know, nor do we care, who you chose as your key recovery agent.

Our policy on key recovery is clear. It is not key escrow. We are not saying, nor have we ever said, that everyone has to escrow their keys with the U.S. government or that they even have to escrow keys with a third party. We are not saying that keys must be held in the U.S. This has always been true despite contrary assertions by some German officials.
In fact, we have approved a number of exports where foreign users, some here in Germany, are carrying out self-escrow -- that is, they hold their own recoverable keys. Our recent step to eliminate the review of key recovery agents should erase any conceivable misunderstanding by your government officials.

Finally, we will also support the export of products which we have come to refer to as "recovery capable" or "recoverable." These are products that deal with the development of local or wide area networks and the transmission of e-mail and other data over networks. These so-called "recoverable" products allow for recovery of plain text by a systems or network administrator without the cooperation of the user. We will permit the export of these products to commercial firms in most major countries, including Western Europe, Japan and Australia, for their internal business use. Germany is obviously included in this group.

What does all this mean? It means that it is up to each foreign government to decide its own policy on lawful access, key recovery and the like. And each foreign company using U.S. encryption products can do what it likes within those laws.

This does not mean we will cease promoting crypto that provides lawful access - particularly at home but also abroad. Aside from export controls, we will continue to use government purchasing power. The U.S. government will use strong encryption with key recovery for its own internal communications and with the public. To standardize government purchases, the Department of Commerce has convened a technical, industry advisory committee to develop a Federal standard for key recovery which should be completed soon.

We have successfully demonstrated the practicality of key recovery through ten U.S. Government pilot projects. We now plan to bring some of these pilots to production. For example, one pilot project involves the electronic filing of patent applications over the Internet with the U.S. Patent and Trademark Office, incorporating digital signature and encryption. We also are considering new pilot projects.

Balancing the competing needs of commerce, privacy and public safety has been no simple task. As we move forward with this policy, we plan to continue working closely with all of the stakeholders: industry, Congress, law enforcement, privacy groups and the national security community to constantly assess and reassess the effectiveness of our actions in this changing medium. We will also continue to consult closely with foreign governments so as to encourage the growth of secure global electronic commerce without jeopardizing our struggle against international terrorism and crime.

Deconstructing the Myths

Against this backdrop, I would like to spend a few minutes deconstructing some of those myths you have been hearing about our policy. To be frank, I find some of these statements not only false, but difficult to understand.

Perhaps it is all a misunderstanding, but we have engaged in an extensive dialogue with German government officials for more than two years; my colleagues and I have met with German officials and industry on numerous occasions to discuss our policy and answer your questions. We have gone to great lengths to ensure transparency and understanding of our policy. This message has been communicated not only at the working level, but at the highest levels of the German government. We stand ready to continue this dialogue.

So while the reasons for these latest statements are hard to fathom, I will continue to try to make our position understood. Our relationship is too important, too productive to allow these misrepresentations to poison the waters. During my visit, I will be meeting with German and U.S. industry, individuals who may be part of the new government, and the press, in an ongoing effort to dispel these myths.

Myth No. 1: "U.S. encryption policy is an attempt to dominate the global encryption market."
This is a criticism I have heard often. Think about it for a minute. If it were true, we would simply drop our export controls and open the floodgates. All one has to do is read some of the websites of our encryption producers or trade publications like Wired magazine to see that U.S. producers believe that we are seriously disadvantaging them in the world market. The U.S. software industry feels particularly handicapped by the fact that they are not permitted to freely export 128 bit encryption as are some of their competitors. As a matter of fact, a number of foreign firms, some based in Germany, have used U.S. encryption export controls, as part of their marketing campaigns. So this charge is simply ludicrous on its face.

Myth No. 2: "Keys to US encryption products in Germany must be deposited within the US."

One of the principal, and surprising, criticisms is that the primary objective of U.S. encryption policy is to make the U.S. the repository for all encryption keys. As I have repeatedly told German officials and have said here today, nothing could be further from the truth. Our export regulations explicitly allow for key recovery agents abroad and self-escrow of keys by companies and users.

Myth No. 3: "The U.S. supports key recovery products to give a back-door for US intelligence services."

This is closely related to the previous charge and is particularly offensive. Let me say it again, the U.S. government has not and does not require that keys be held in the US for access by the U.S. government. As I mentioned earlier, one of the recent updates to our policy is the elimination of any type of U.S. government review of key recovery agents. We have instead decided that other governments can decide whether their key recovery agents, if they have any, are reliable. That was the only reason we wanted such a review in the first place.

Anyone who continues to make such an accusation ought to come forward with some evidence to back up the charge.
Otherwise it will be hard to escape the conclusion that this is being done for commercial advantage.

Myth No. 4: "U.S. encryption products violate German laws."

Frankly, this one continues to mystify me. The Bundestag's Enquete Commission recently issued a report contending that U.S. regulations may conflict with German laws such as the Basic Law, the Penal Code, the Federal Data Protection Act and the Telecommunications Act. However, no evidence or argument was presented to support this claim.

Certainly it is not our intention to break German laws. Indeed it is difficult to imagine how this could be the case given the flexibility of our policy. As I have just explained, but will repeat as often as necessary, the U.S. government has not and does not require that keys be held in the U.S. for access by the U.S. government -- if this is the concern.

As for keys held abroad, who holds the keys is up to the customer or user and the relevant foreign government. As is the case in any criminal investigation involving our two countries, U.S. law enforcement will work with German law enforcement under existing bilateral arrangements to exchange evidence and information including possibly keys or access to plain text but only to the extent that the German government approves.

The Need for International Cooperation

It is clear that no widely used encryption systems, nor any successful national policy, will be possible without international cooperation. As U.S. Special Envoy, my goal is an international consensus on the development of key management and recovery framework that will foster robust and dependable security for the global information infrastructure while protecting public safety and national security.

Three key issues for cooperation are emerging: the need for harmonized export control policies, the development of compatible infrastructures and the need for law enforcement cooperation. These are the real issues we need to address, not the myths.
We plan to continue to work with your government, in the appropriate international fora, as we move forward.

German-American cooperation and understanding have been crucial to dealing with a host of post-cold war dangers, from proliferation of weapons of mass destruction to fighting terrorism and crime. Lawful access to encryption is an essential element in this struggle.

This is not to say that there is no room for honest differences between our two countries on encryption. And certainly Germany has the right to develop its own policy - indeed U.S. policy specifically takes this into account. But it is time we put behind us the erroneous myths and suspicions that have confounded our cooperation in this area. I am confident that if we focus on the facts both the tenor and the strengths of our traditional cooperation can be restored.

I would be happy to answer any questions you might have.

(end text)