105th Congress                                            Rept. 105-108
                        HOUSE OF REPRESENTATIVES

 1st Session                                                     Part 2
_______________________________________________________________________


 
           SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT

                                _______
                                

                 July 25, 1997.--Ordered to be printed

_______________________________________________________________________


 Mr. Gilman, from the Committee on International Relations, submitted 
                             the following

                              R E P O R T

                             together with

                            DISSENTING VIEWS

                        [To accompany H.R. 695]

    The Committee on International Relations, to whom was 
referred the bill (H.R. 695) to amend title 18, United States 
Code, to affirm the rights of United States persons to use and 
sell encryption and to relax export controls on encryption, 
having considered the same, report favorably thereon with an 
amendment and recommend that the bill as amended do pass.
    The amendment is as follows:
  Strike out all after the enacting clause and insert in lieu 
thereof the following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Security and Freedom Through 
Encryption (SAFE) Act''.

SEC. 2. SALE AND USE OF ENCRYPTION.

  (a) In General.--Part I of title 18, United States Code, is amended 
by inserting after chapter 121 the following new chapter:

        ``CHAPTER 122--ENCRYPTED WIRE AND ELECTRONIC INFORMATION

``2801. Definitions.
``2802. Freedom to use encryption.
``2803. Freedom to sell encryption.
``2804. Prohibition on mandatory key escrow.
``2805. Unlawful use of encryption in furtherance of a criminal act.

``Sec. 2801. Definitions

  ``As used in this chapter--
          ``(1) the terms `person', `State', `wire communication', 
        `electronic communication', `investigative or law enforcement 
        officer', `judge of competent jurisdiction', and `electronic 
        storage' have the meanings given those terms in section 2510 of 
        this title;
          ``(2) the terms `encrypt' and `encryption' refer to the 
        scrambling of wire or electronic information using mathematical 
        formulas or algorithms in order to preserve the 
        confidentiality, integrity, or authenticity of, and prevent 
        unauthorized recipients from accessing or altering, such 
        information;
          ``(3) the term `key' means the variable information used in a 
        mathematical formula, code, or algorithm, or any component 
        thereof, used to decrypt wire or electronic information that 
        has been encrypted; and
          ``(4) the term `United States person' means--
                  ``(A) any United States citizen;
                  ``(B) any other person organized under the laws of 
                any State, the District of Columbia, or any 
                commonwealth, territory, or possession of the United 
                States; and
                  ``(C) any person organized under the laws of any 
                foreign country who is owned or controlled by 
                individuals or persons described in subparagraphs (A) 
                and (B).

``Sec. 2802. Freedom to use encryption

  ``Subject to section 2805, it shall be lawful for any person within 
any State, and for any United States person in a foreign country, to 
use any encryption, regardless of the encryption algorithm selected, 
encryption key length chosen, or implementation technique or medium 
used.

``Sec. 2803. Freedom to sell encryption

  ``Subject to section 2805, it shall be lawful for any person within 
any State to sell in interstate commerce any encryption, regardless of 
the encryption algorithm selected, encryption key length chosen, or 
implementation technique or medium used.

``Sec. 2804. Prohibition on mandatory key escrow

  ``(a) Prohibition.--No person in lawful possession of a key to 
encrypted information may be required by Federal or State law to 
relinquish to another person control of that key.
  ``(b) Exception for Access for Law Enforcement Purposes.--Subsection 
(a) shall not affect the authority of any investigative or law 
enforcement officer, acting under any law in effect on the effective 
date of this chapter, to gain access to encrypted information.

``Sec. 2805. Unlawful use of encryption in furtherance of a criminal 
                    act

  ``Any person who willfully uses encryption in furtherance of the 
commission of a criminal offense for which the person may be prosecuted 
in a court of competent jurisdiction--
          ``(1) in the case of a first offense under this section, 
        shall be imprisoned for not more than 5 years, or fined in the 
        amount set forth in this title, or both; and
          ``(2) in the case of a second or subsequent offense under 
        this section, shall be imprisoned for not more than 10 years, 
        or fined in the amount set forth in this title, or both.''.
  (b) Conforming Amendment.--The table of chapters for part I of title 
18, United States Code, is amended by inserting after the item relating 
to chapter 33 the following new item:

``122. Encrypted wire and electronic information............    2801''.

SEC. 3. EXPORTS OF ENCRYPTION.

  (a) Amendment to Export Administration Act of 1979.--Section 17 of 
the Export Administration Act of 1979 (50 U.S.C. App. 2416) is amended 
by adding at the end thereof the following new subsection:
  ``(g) Certain Consumer Products, Computers, and Related Equipment.--
          ``(1) General rule.--Subject to paragraphs (2), (3), and (4), 
        the Secretary shall have exclusive authority to control exports 
        of all computer hardware, software, and technology for 
        information security (including encryption), except that which 
        is specifically designed or modified for military use, including 
        command, control, and intelligence applications.
          ``(2) Items not requiring licenses.--No validated license may 
        be required, except pursuant to the Trading With The Enemy Act 
        or the International Emergency Economic Powers Act (but only to 
        the extent that the authority of such Act is not exercised to 
        extend controls imposed under this Act), for the export or 
        reexport of--
                  ``(A) any consumer product commercially available 
                within the United States or abroad which--
                          ``(i) includes encryption capabilities which 
                        are inaccessible to the end user; and
                          ``(ii) is not designed for military or 
                        intelligence end use;
                  ``(B) any component or subassembly designed for use 
                in a consumer product described in subparagraph (A) 
                which itself contains encryption capabilities and is 
                not capable of military or intelligence end use in its 
                condition as exported;
                  ``(C) any software, including software with 
                encryption capabilities--
                          ``(i) that is generally available, as is, and 
                        is designed for installation by the purchaser;
                          ``(ii) that is in the public domain for which 
                        copyright or other protection is not available 
                        under title 17, United States Code, or that is 
                        available to the public because it is generally 
                        accessible to the interested public in any 
                        form; or
                          ``(iii) that is customized for an otherwise 
                        lawful use by a specific purchaser or group of 
                        purchasers;
                  ``(D) any computing device solely because it 
                incorporates or employs in any form--
                          ``(i) software (including software with 
                        encryption capabilities) that is exempted from 
                        any requirement for a validated license under 
                        subparagraph (C); or
                          ``(ii) software that is no more technically 
                        complex in its encryption capabilities than 
                        software that is exempted from any requirement 
                        for a validated license under subparagraph (C) 
                        but is not designed for installation by the 
                        purchaser;
                  ``(E) any computer hardware that is generally 
                available, solely because it has encryption 
                capabilities; or
                  ``(F) any software or computing device solely on the 
                basis that it incorporates or employs in any form 
                interface mechanisms for interaction with other 
                hardware and software, including hardware, and 
                software, with encryption capabilities.
          ``(3) Software with encryption capabilities.--The Secretary 
        shall authorize the export or reexport of software with 
        encryption capabilities for nonmilitary end uses in any country 
        to which exports of software of similar capability are 
        permitted for use by financial institutions not controlled in 
        fact by United States persons, unless there is substantial 
        evidence that such software will be--
                  ``(A) diverted to a military end use or an end use 
                supporting international terrorism;
                  ``(B) modified for military or terrorist end use; or
                  ``(C) reexported without any authorization by the 
                United States that may be required under this Act.
          ``(4) Hardware with encryption capabilities.--The Secretary 
        shall authorize the export or reexport of computer hardware 
        with encryption capabilities if the Secretary determines that a 
        product offering comparable security is commercially available 
        outside the United States from a foreign supplier, without 
        effective restrictions.
          ``(5) Definitions.--As used in this subsection--
                  ``(A) the term `encryption' means the scrambling of 
                wire or electronic information using mathematical 
                formulas or algorithms in order to preserve the 
                confidentiality, integrity, or authenticity of, and 
                prevent unauthorized recipients from accessing or 
                altering, such information;
                  ``(B) the term `generally available' means--
                          ``(i) in the case of software (including 
                        software with encryption capabilities), 
                        software that is offered for sale, license, or 
                        transfer to any person without restriction, 
                        whether or not for consideration, including, 
                        but not limited to, over-the-counter retail 
                        sales, mail order transactions, phone order 
                        transactions, electronic distribution, or sale 
                        on approval; and
                          ``(ii) in the case of hardware with 
                        encryption capabilities, hardware that is 
                        offered for sale, license, or transfer to any 
                        person without restriction, whether or not for 
                        consideration, including, but not limited to, 
                        over-the-counter retail sales, mail order 
                        transactions, phone order transactions, 
                        electronic distribution, or sale on approval;
                  ``(C) the term `as is' means, in the case of software 
                (including software with encryption capabilities), a 
                software program that is not designed, developed, or 
                tailored by the software publisher for specific 
                purchasers, except that such purchasers may supply 
                certain installation parameters needed by the software 
                program to function properly with the purchaser's 
                system and may customize the software program by 
                choosing among options contained in the software 
                program;
                  ``(D) the term `is designed for installation by the 
                purchaser' means, in the case of software (including 
                software with encryption capabilities) that--
                          ``(i) the software publisher intends for the 
                        purchaser (including any licensee or 
                        transferee), who may not be the actual program 
                        user, to install the software program on a 
                        computing device and has supplied the necessary 
                        instructions to do so, except that the 
                        publisher may also provide telephone help line 
                        services for software installation, electronic 
                        transmission, or basic operations; and
                          ``(ii) the software program is designed for 
                        installation by the purchaser without further 
                        substantial support by the supplier;
                  ``(E) the term `computing device' means a device 
                which incorporates one or more microprocessor-based 
                central processing units that can accept, store, 
                process, or provide output of data; and
                  ``(F) the term `computer hardware', when used in 
                conjunction with information security, includes, but is 
                not limited to, computer systems, equipment, 
                application-specific assemblies, modules, and 
                integrated circuits.''.
  (b) Continuation of Export Administration Act.--For purposes of 
carrying out the amendment made by subsection (a), the Export 
Administration Act of 1979 shall be deemed to be in effect.

SEC. 4. SENSE OF CONGRESS REGARDING INTERNATIONAL COOPERATION.

  (a) Findings.--The Congress finds that--
          (1) implementing export restrictions on widely available 
        technology without the concurrence of all countries capable of 
        producing, transshipping, or otherwise transferring that 
        technology is detrimental to the competitiveness of the United 
        States and should only be imposed on technology and countries 
        in order to protect the United States against a compelling 
        national security threat; and
          (2) the President has not been able to come to agreement with 
        other encryption producing countries on export controls on 
        encryption and has imposed excessively stringent export 
        controls on this widely available technology.
  (b) Sense of Congress.--It is the sense of the Congress that the 
President should immediately take the necessary steps to call an 
international conference for the purpose of coming to an agreement with 
encryption producing countries on policies which will ensure that the 
free use and trade of this technology does not hinder mutual security.

                         Background and Purpose

    H.R. 695, the Security and Freedom Through Encryption 
(SAFE) Act, represents a strong bipartisan effort to bring U.S. 
laws on the export of encryption technology into the present 
and future, by looking at the actual technological developments 
taking place on the world stage. The SAFE Act enjoys strong 
support in the House as reflected by the overwhelming number of 
co-sponsors, including a majority of the Members of the 
Committee on International Relations.
    While differences still remain and the debate continues 
between U.S. economic and commercial priorities and individual 
civil liberties, on the one hand, and the needs and concerns of 
law enforcement and national security agencies, on the other, 
the SAFE Act is generating the political will to reform the 
existing regulatory process to meet today's realities.
    Encryption has been defined as referring to the use of 
software or hardware to scramble wire or electronic information 
using mathematical formulas or algorithms in order to preserve 
the confidentiality, integrity, or authenticity of, and prevent 
unauthorized recipients from accessing or altering such 
information. While anyone can encrypt a message, only an 
authorized person can convert a scrambled message back into its 
original form.
    The basic idea of modern encryption, or cryptography, is 
that any message can be represented as a set of numbers (the 
plaintext) used to transform the plaintext into a different set 
of numbers (the ciphertext). Simply stated, keys consist of a 
series of ones and zeros (called ``bits''), and are described in 
terms of their ``length'', which corresponds to the number 
of possible combinations that can be used to decode a 
particular message. A 40-bit key means that the number of 
possible combinations of ones and zeros equals 2 to the 40th 
power. It then follows that a 56-bit key is 2 to the 56th 
power, which means that it is 2 to the 16th power stronger than 
a 40-bit key.
    Once the exclusive domain of the national security and 
intelligence sectors, encryption now has an expanded 
application, impacting the everyday lives of millions of 
Americans. Today, banking systems, stock markets, air traffic 
control systems, credit bureaus, telephone networks, weather 
satellites, social security system, television networks, 
civilian and government payrolls, and the Internet are all 
directly affected by a flow of data managed by countless 
computers and telecommunication networks around the world. 
Computer technology now serves as the nervous system of modern 
society.
    It is increasingly difficult to protect the privacy and 
confidentiality of transactions at all levels, and increasingly 
important to do so. The Justice Department has estimated that 
annual losses related to computer security breaches could be as 
high as $7 billion. If this were adjusted to include the number 
of undocumented cases by companies reluctant to report such 
intrusions, the figure could be even higher. The National 
Counterintelligence Center in their ``Annual Report to Congress 
on Foreign Economic Collection and Industrial Espionage'' 
concluded that such ``specialized technical operations 
(including computer intrusions, telecommunications targeting 
and intercept, and private sector encryption weaknesses) 
account for the largest portion of economic and industrial 
information lost by corporations.''
    Therefore, stronger encryption tools are widely viewed as 
the key to providing security and privacy for the information 
superhighway.
    Current U.S. policy restricts the export of ``strong'' 
encryption hardware or software products with keys greater than 
40 bits long--determined to be gravely inadequate by numerous 
experts. The current Administration proposal, which would allow 
the export of 56-bit encryption, is viewed as not meeting the 
needs of U.S. companies to conduct business in a secure manner 
with their suppliers, their business partners, their customers, 
and even their affiliated companies outside the United States.
    Supporting the need for higher encryption standards is the 
fact that, on the same day that the companion legislation--the 
McCain-Kerrey bill--was introduced in the Senate calling for a 
56-bit limit on encryption exports, a group of independent 
programmers and researchers cracked a 56-bit code using 
computers linked across the Internet. This successful breaking 
of 56-bit encryption clearly demonstrates the anachronistic 
nature of current U.S. law and reflects how out-of-touch the 
Administration's policy is with the needs of the global 
marketplace.
    The Administration's proposal would only allow the export 
of 56-bit encryption for those who promise to build in ``key 
recovery''. ``Key recovery'' or ``key escrow'' essentially 
means that when stored data or electronic communications are 
encrypted, a third party has a copy of the key needed to 
decrypt the information. As presented by proponents of this 
policy, escrowed encryption is intended to provide for 
encryption protection for legitimate uses but also enable law 
enforcement officials to gain access to the key when it is 
necessary to decode the plaintext data as part of an 
investigation.
    This has been interpreted as an attempt to use the export 
control process to manipulate and control the market for and 
expansion of encryption technology, by making it easy to export 
products with key recovery and difficult for those products 
without. The logical basis for this policy is flawed as it is 
rooted in the wrongful assumption that foreign competitors can 
be convinced to alter their policy to parallel what U.S. policy 
is calling for. The current policy is not based on fact but on 
the optimistic view that the U.S. can influence other countries 
not to export strong encryption without an escrow system.
    Speculation does not make for good laws. Individually and 
as a unit, many of our European allies have clearly illustrated 
their commitment to allow market forces and individual needs to 
dictate the levels of encryption. In its April 1997 proposal entitled, 
``A European Initiative in Electronic Commerce'', the European Union 
stated as key elements of the Initiative to ensure a framework which 
``boosts the trust and confidence of businesses for investments and 
consumers to make use of electronic commerce by dismantling remaining 
legal and regulatory barriers and preventing the creation of new 
obstacles.'' It goes on to say that: ``The use of strong encryption 
which ensures the confidentiality of both sensitive commercial and of 
personal data is one of the foundation stones of electronic commerce . 
. . The Community (European Community) shall work at the international 
level towards the removal of trade barriers for encryption products.''
    Even the more conservative recommendations made in March 
1997 by the Council of the Organization for Economic 
Cooperation and Development, clearly state that: ``Users should 
have access to cryptography that meets their needs, so that 
they can trust in the security of information and 
communications systems, and the confidentiality and integrity 
of data on those systems.'' The Council further underscores 
that: ``Government controls on cryptographic methods . . . 
should respect user choice to the greatest extent possible . . 
. and should not be interpreted as implying that governments 
should initiate legislation which limits user choice.'' 
Finally, they add: ``The development and provision of 
cryptographic methods should be determined by the market in an 
open and competitive environment. Such an approach would best 
ensure that solutions keep pace with changing technology, the 
demands of users and evolving threats to communications systems 
security.''
    While U.S. companies are kept at 40-bit encryption or at 
56-bit with the condition that they commit to develop key 
recovery, non-U.S. exporters, particularly the countries of the 
European Union, are producing packages that include encryption 
technology using 128 bits leaving American companies far behind 
in the race to capture new markets.
    Furthermore, American companies are placed at a competitive 
disadvantage by being forced to create and deploy two separate 
systems to meet two separate standards. Because of the 
nightmare this would create, most U.S. businesses end up making 
their exportable products subject to the same restrictions as 
their domestic products. By not allowing U.S. industries to 
provide secure products in the face of strong foreign 
competitors who are not restricted by outdated export controls, 
current law is hurting U.S. businesses. No one will buy 
encryption products for which the U.S. government can obtain a 
key. A recent report by the CEOs of 13 large American 
technology companies concluded that the U.S. computer industry 
could potentially lose up to $30-60 billion annually by the 
year 2000 due to these export controls.
    At a fundamental level, evaluating the value of key 
recovery systems in and of themselves, eleven of the world's 
top cryptographers concluded that key recovery systems would 
create new vulnerabilities. A key recovery system would create 
serious difficulties as it would require a vast infrastructure 
of recovery agents and oversight entities to manage access to 
the keys. In their May 1997 report entitled, ``The Risks of Key 
Recovery, Key Escrow, and Trusted Third Party Encryption'', 
these experts also determined that ``the field of cryptography 
has no experience in deploying secure systems of this scope and 
complexity'' and that such systems could potentially cost many 
billions of dollars.
    Key recovery systems do not even meet the national security 
needs on which the policy is based. The Software Publishers 
Association has documented hundreds of foreign encryption 
products already widely available abroad and which criminals, 
terrorists, and foreign governments have access to. It is the 
upstanding, law-abiding citizen who suffers.
    The fact is that strong encryption helps to further the 
goals of law enforcement and national security, more than key 
recovery could ever hope to. In its landmark report on 
encryption policy, the blue-ribbon National Research Council 
concluded the following about the use of strong encryption:

          If cryptography can protect the trade secret and 
        proprietary information of business and thereby reduce 
        economic espionage (which it can), it also supports in 
        a most important manner the job of law enforcement. If 
        cryptography can help protect nationally critical 
        information systems and networks against unauthorized 
        penetration (which it can), it also supports the 
        national security of the United States.

    In summary, if U.S. laws are not changed soon, not as 
mandated by the Administration's policy or its companion 
legislation in the Senate, but as H.R. 695 attempts to do, 
world standards for security technology will shift away from 
the U.S. as customers buy products from foreign manufacturers. 
The U.S. government will not have a view into the security 
technology that replaces U.S. technology as the world 
standards. U.S. industries will lose control of information 
security technologies which are vital to economic security. It 
will cost the U.S. economy billions of dollars and hundreds of 
thousands of jobs.
    On July 7, 1997, German Economics Minister Guenter Rexrodt 
called for the removal of restrictions on encryption technology 
in his opening remarks for a two-day conference on Internet 
commerce attended by 40 government ministers from the European 
Union, the United States, Russia, Japan and Canada. ``Users can 
only protect themselves against having data manipulated, 
destroyed or spied on through the use of strong encryption 
procedures,'' Rexrodt said, ``that is why we have to use all of 
our powers to promote such procedures instead of blocking 
them.''
    Individual Americans and U.S. businesses should be afforded 
the same protection and the same opportunities as other 
countries provide their own people and industries. H.R. 695--the 
SAFE Act--does just that. It is aimed at correcting the unfair and 
unsafe situation that currently exists under current law as it: 
prohibits export controls on ``generally available'' commercial 
encryption except for military end-users or to identified individuals 
or organizations in specific foreign countries; does not require 
reporting for companies after export; prohibits mandatory use of key 
recovery; denies liability protection and penalties for key holders; 
denies foreign government access to keys under specified conditions if 
key holder is used voluntarily; prohibits U.S. government and law 
enforcement access to keys by court order if key holder is used 
voluntarily; codifies existing domestic use policy; gives the Secretary 
of Commerce exclusive jurisdiction over export of commercial encryption 
except for military end-uses or to identified individuals or 
organizations in specific foreign countries.
    In essence, H.R. 695 prevents economic espionage while 
protecting hundreds of thousands of American jobs by affording 
all Americans the freedom to use any type of encryption 
anywhere in the world; by allowing any type of encryption to be 
sold in the United States; and creates a level playing field by 
permitting the export of the generally available software, 
hardware, and other encryption-related computer products.
    The Committee hopes that other Members realize the need, 
value, and importance of H.R. 695 as it works its way through 
the legislative process. In the interest of the American 
people, of U.S. economic leadership and growth, and of national 
security, the Committee hopes that the House will pass the SAFE 
Act.

                            Committee Action

    H.R. 695 was introduced by Representative Goodlatte on 
February 12, 1997, and referred to the Committee on Judiciary 
and in addition to the Committee on International Relations for 
a period subsequently to be determined by the Speaker. It was 
reported to the House by the Committee on the Judiciary, 
amended, on May 22, 1997 (H. Rept. 105-108). On May 22, 1995, 
the referral to the Committee on International Relations was 
extended through July 11, 1997, and on June 26, 1997, the 
referral to the Committee on International Relations was 
extended for a period ending not later than July 25, 1997.
    On June 26, 1997, the bill was referred, in addition, to 
Committees on Commerce, National Security, and the Permanent 
Select Committee on Intelligence for a period ending not later 
than September 5, 1997, for consideration of such provisions of 
the bill and the amendment reported by the Committee on the 
Judiciary as fall within the jurisdiction of those committees 
pursuant to clause 1(3) and (k), rule X and rule XLVIII, 
respectively.
    On May 8, 1997, the Subcommittee on International Economic 
Policy and Trade held a hearing entitled: ``Encryption: 
Individual Right to Privacy vs. National Security.'' Witnesses 
for this hearing included: Hon. William Reinsch, Under 
Secretary of Commerce, Bureau of Export Administration; Hon. 
William Crowell, Deputy Director, National Security Agency; 
Hon. Robert Litt, Deputy Assistant Attorney General, Criminal 
Division, U.S. Department of Justice; Mr. John Gage, Director, 
Science Office, Sun Microsystems, Inc.; Mr. Humphrey Polanen, 
General Manager, Network Security Products Group, Sun 
Microsystems, Inc.; Jerry Berman, Executive Director, Center 
for Democracy and Technology; Tom Parenty, Director of 
Security, Sybase Corporation; and Stephen T. Walker, President 
and CEO, Chairman of the Board of Directors, Trusted 
Information Systems.
    On May 29, 1997, the Full Committee held a Members briefing 
on H.R. 695, ``the Security and Freedom through Encryption 
(SAFE) Act.'' Speakers for the briefing included Hon. Louis 
Freeh, Director, Federal Bureau of Investigation and Hon. 
William Crowell, Deputy Director, National Security Agency.
    On June 4, 1997, the Subcommittee on International Economic 
Policy and Trade held a Members Briefing on the future of U.S.-
European trade relations. Speakers for the briefing included: 
Hon. David L. Aaron, U.S. Ambassador to the Organization for 
Economic Cooperation and Development (OECD); H.E. Hugo Paemen, 
Head of the Delegation to the United States of the Commission 
of the European Union; and Dr. Dominique vanderMensbrugghe, 
Senior Economist, OECD Development Center.
    On June 24, 1997, the Subcommittee on International 
Economic Policy and Trade held a mark-up of H.R. 695, ``the 
Security and Freedom through Encryption (SAFE) Act''. Witnesses 
included: Congressman Bob Goodlatte.
    Amendment.--An en bloc amendment was offered by Ros-
Lehtinen, Gejdenson, Campbell and Sherman. The amendment 
removes the distinction between mass market and customized 
software thus ensuring that customized software is also subject 
to liberalized export controls. It expands section 3 on exports 
of encryption by including consumer products which do not 
necessarily fall under the umbrella of ``computing'' products 
but which also require and use encryption. It broadens the 
scope and definition of ``generally available'' to include 
hardware with encryption capabilities. The amendment also adds 
a fourth section to the bill in the form of a sense of Congress 
regarding international cooperation. The amendment passed by 
voice vote.
    A motion to report the bill, as amended, to the Full 
Committee passed by a roll call vote, as follows:
    Voting yes: Ros-Lehtinen, Manzullo, Chabot, Campbell, 
Blunt, Brady, Rohrabacher, Gejdenson, Danner, Hilliard, 
Sherman, Rothman, Clement, Luther.
    Voting no: Bereuter.
    Passed: 14-1.
    On June 26, 1997, the Full Committee held a classified 
Members briefing on the impact of H.R. 695, ``the Security and 
Freedom through Encryption (SAFE) Act'' on national security 
and law enforcement activities. Speakers for the briefing 
included: Hon. Louis Freeh, Director, Federal Bureau of 
Investigation; Hon. William Crowell, Deputy Director, National 
Security Agency; Hon. William Reinsch, Under Secretary of 
Commerce, Bureau of Export Administration.
    On July 22, 1997, the Full Committee marked up the bill in 
open session, pursuant to notice. The Committee first adopted 
the amendment recommended by the Subcommittee on International 
Economic Policy by unanimous consent, as original text for the 
purposes of amendment. Representatives Goodlatte and Lofgren 
and representatives of the Administration (The Hon. William 
Reinsch, Under Secretary of Commerce; Mr. Jim Kallstrom, 
Federal Bureau of Investigation; Mr. James R. Taylor, National 
Security Agency; and Mr. Anthony Bocchichio of the Drug 
Enforcement Agency) responded to questions from members during 
the course of the markup.
    After further consideration, on that date, a quorum being 
present, the Full Committee by voice vote ordered the bill 
reported to the House with the recommendation that the bill, as 
amended, do pass.

                      Rollcall votes on amendments

    In compliance with clause (2)(l)(2)(B) of rule XI of the 
Rules of the House of Representatives, the record of committee 
roll call votes on final passage or amendments during the full 
committee's consideration of H.R. 695 is set out below, as is a 
report of the full committee's final action on the bill.

Description of Amendment, Motion, Order, or Other Proposition (votes 
        during markup of H.R. 695--July 22, 1997)

    Vote No. 1.--Gilman amendment to provide that certain items 
could not be exported if in the opinion of the President they 
would endanger the national security.
    Voting Yes: Gilman, Leach, Bereuter, Gallegly, Fox, 
Hamilton, Berman, Menendez, Brown, Danner, Rothman, Clement, 
and Davis.
    Voting No: Smith, Ros-Lehtinen, Ballenger, Rohrabacher, 
Manzullo, Royce, King, Chabot, Sanford, Houghton, Campbell, 
Blunt, Moran, Brady, Gejdenson, Ackerman, Hastings, Hilliard, 
Capps, Sherman, Wexler, and Luther.
    Ayes, 13. Noes, 22.
    Note: The bill was subsequently ordered reported favorably, 
amended, by voice vote, a quorum being present, on July 22, 
1997.

                      Section-by-Section Analysis

                         Section 1. Short Title

    This section states that this Act may be cited as the 
``Security and Freedom Through Encryption (SAFE) Act''.

                 Section 2. Sale And Use Of Encryption

    This section states that, in general, Part I of Title 18, 
United States Code, is amended by adding a new chapter after 
chapter 121.
    This section also creates ``Chapter 122--Encrypted Wire And 
Electronic Information'', which includes sections 2801, 
Definitions; 2802, Freedom To Use Encryption; 2803, Freedom 
To Sell Encryption; 2804, Prohibition On Mandatory Key 
Escrow; and 2805, Unlawful Use Of Encryption In Furtherance Of 
A Criminal Act.
    Section 2801 is titled ``Definitions'' and provides 
definitions for ``person'', ``State'', ``wire communication'', 
``electronic communication'', ``investigative or law 
enforcement officer'', ``judge of competent jurisdiction'', 
``electronic storage'', ``encrypt'', ``encryption'', ``key'', 
and ``United States person''. Many of these definitions were 
taken explicitly from 18 U.S.C. 2810.
    New section 2802 states that it is legal for any person in 
the United States or any United States person in a foreign 
country, to use any form of encryption regardless of the 
algorithm, key length, or technique used in the encryption.
    New section 2803 states that it is legal for any person in 
the United States to sell in interstate commerce encryption 
products using any form of encryption regardless of the 
algorithm, key length, or technique used. The Committee intends 
that Sections 2802 and 2803 be read as limitations on 
government power. They should not be read as overriding 
otherwise lawful employer policies concerning employee use of 
the employer's computer system, nor as limiting the employer's 
otherwise lawful means for remedying violations of those 
policies.
    New section 2804 specifically prohibits requiring any 
person in lawful possession of an encryption key to turn that 
key over to another person. This section prevents any form of 
mandatory key escrow system with an exception for any law 
enforcement personnel or a member of the intelligence 
community.
    New section 2805 makes it a crime to use encryption 
unlawfully in furtherance of some other crime. This new crime 
is punishable with a sentence of 5 years for a first offence 
and 10 years. This section requires that, for a person to 
violate this section, that person must be found guilty of some 
other federal felony crime and must have been deliberately using 
encryption to avoid detection of that other federal felony 
crime.
    Subsection 2(b) of H.R. 695 provides for a conforming 
amendment to the table of chapters in Title 18.

                    Section 3. Export of Encryption

    Subsection 3(a) of H.R. 695 amends the Export 
Administration Act by creating a new subsection (g) entitled 
``Computers and Related Equipment,'' to 50 U.S.C. App. 2416.
    New subsection (g)1 places all encryption products, except 
those specifically designed or modified for military use, under 
the jurisdiction of the Secretary of Commerce.
    New subsection (g)2 allows encryption software that is 
generally available or in the public domain, like mass-market 
software products, to be exported freely except pursuant to the 
Trading With The Enemy Act or the International Emergency 
Economic Powers Act (but only to the extent that the 
authority of such Act is not exercised to extend controls 
imposed under this Act). The Subcommittee on International 
Economic Policy and Trade, on an amendment offered by Chair 
Ros-Lehtinen and Ranking Member Gejdenson, and others, amended 
Subsection (g)2 on a voice vote in Subcommittee to include 
certain other consumer products, or component or subassembly 
(provided those components are not capable of military or 
intelligence end use in their condition as exported), which have 
encryption capabilities that are inaccessible to the end user 
and which are commercially available within the United States 
or abroad. These products, as discussed by the Subcommittee, are 
consumer products such as small dish satellite receivers, 
digital video disk players, smart cards, Web TV, etc. These 
products, which are commercially available within the United 
States or abroad, were viewed by the Subcommittee as being 
clearly and purely for consumer end-use and not for military 
purposes. The Ros-Lehtinen amendment also amended (g)2 to 
include customized software for an otherwise lawful purpose by 
a specific purchaser or group of purchasers.
    New subsection (g)3 requires the Secretary of Commerce to 
allow other encryption software to be exported unless there is 
substantial evidence that it will be put to military or terrorist 
uses or that it will be reexported without U.S. authorization.
    New subsection (g)4 requires the Secretary to allow the 
export of hardware with encryption capabilities when the 
Commerce Department finds that it is commercially available 
from foreign suppliers without effective restrictions.
    New subsection (g)5 provides definitions for this 
subsection. The subcommittee amendment offered by Chair Ros-
Lehtinen, and others also amended this subsection to include 
the same consumer products added to subsection (g)2.
    As the Ros-Lehtinen amendment adopted in the Subcommittee 
on International Economic Policy and Trade stated, the 
Committee would like to reiterate that, with the ever 
increasing use of computer technology and computer information 
(hardware and software) in consumer product lines for 
protection of privacy, information security, and intellectual 
property interests, it intends this legislation to cover all 
devices--whether traditional computing devices or convergent 
consumer products that incorporate encryption. The applications 
covered by this legislation include video, audio, and data 
communications systems and telecommunication equipment. 
Hardware and software containing encryption, such as encoders, 
decoders, and network terminals, which are essential to protect 
the video signal, are therefore included under section 3(a) of 
this Act. Video, audio, and data communications systems 
containing encryption and decryption capability are also used by 
cable, satellite, and wireless delivery systems. This 
legislation is also intended to include set-top devices and 
other terminals where the encryption is not directly available 
to the user but is used for purposes such as pay per view, and 
hardware such as network computers, telephones or cable modems, 
satellite uplinks and downlinks.
    Subsection 3(b) of H.R. 695 provides that for the purposes 
of carrying out the amendment made by subsection 3(a), the 
Export Administration Act shall be deemed to be in effect. This 
statement is necessary because Congress failed to reauthorize 
the Export Administration Act and it expired in 1994. The 
Administration maintains the Export Administration Act policies 
by executive order. The Committee plans to reauthorize the 
Export Administration Act in this Congress.

    Section 4. Sense of Congress Regarding International Cooperation

    This section asks the President to call an international 
conference for the purpose of achieving an agreement among the 
encryption producing countries on policies which will ensure that the 
free use and trade of this technology does not hinder mutual 
technology.

                      Committee Oversight Findings

    In compliance with clause 2(l)(3)(A) of rule XI of the 
Rules of the House of Representatives, the Committee reports 
that the findings and recommendations of the Committee, based on 
oversight activities under clause 2(b)(1) of rule X of the 
Rules of the House of Representatives, are incorporated in the 
descriptive portions of this report.

         Committee on Government Reform and Oversight Findings

    No findings or recommendations of the Committee on 
Government Reform and Oversight were received as referred to in 
clause 2(l)(3)(D) of rule XI of the Rules of the House of 
Representatives.

                      Advisory Committee Statement

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                Applicability to the Legislative Branch

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(b)(3) of the Congressional Accountability Act.

                   Constitutional Authority Statement

    In compliance with clause 2(l)(4) of rule XI of the Rules 
of the House of Representatives, the Committee cites the 
following specific powers granted to the Congress in the 
Constitution as authority for enactment of H.R. 695 as reported 
by the Committee: Article I, section 8, clause 1 (relating to 
providing for the common defense and general welfare of the 
United States); and Article I, section 8, clause 18 (relating 
to making all laws necessary and proper for carrying into 
execution powers vested by the Constitution in the government 
of the United States).

New Budget Authority and Tax Expenditures, Congressional Budget Office 
                             Cost Estimate

    The Committee expects to adopt a cost estimate of the 
Congressional Budget Office as its submission of any new 
required information on new budget authority, new spending 
authority, new credit authority, or an increase or decrease in 
the national debt, which it expects to provide in a 
supplemental report.

                       Federal Mandates Statement

    The Committee adopts as its own the estimate of Federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

                                     U.S. Congress,
                               Congressional Budget Office,
                                     Washington, DC, July 25, 1997.
Hon. Benjamin Gilman,
Chairman, Committee on International Relations,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed mandates statement for H.R. 695, the 
Security and Freedom Through Encryption (SAFE) Act. CBO's 
analysis of the bill's federal costs will be sent to you as 
soon as it is completed.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contacts are Pepper 
Santalucia (for the state and local impact) and Matt Eyles (for 
the private-sector impact).
            Sincerely,
                                         Jane E. O'Neill, Director.
    Enclosure.

             Congressional Budget Office Mandates Statement

H.R. 695--Security and Freedom Through Encryption (SAFE) Act

    H.R. 695 would allow individuals in the United States to 
use and sell any form of encryption and would prohibit states 
or the federal government from requiring individuals to 
relinquish the key to encryption technologies to any third 
party. The bill also would prevent the Bureau of Export 
Administration in the Department of Commerce from restricting 
the export of most nonmilitary encryption products. Finally, 
H.R. 695 would establish criminal penalties and fines for the 
willful use of encryption technologies in committing criminal 
offenses.
    The bill would prohibit states from requiring persons to 
make encryption keys available to another person or entity. 
This prohibition would be an intergovernmental mandate as 
defined in the Unfunded Mandates Reform Act of 1995 (UMRA). 
However, states would bear no costs as a result of this mandate 
because none currently require the registration or availability 
of such keys. H.R. 695 contains no private-sector mandates as 
defined in UMRA.

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3 of rule XIII of the Rules of the 
House of Representatives, changes in existing law made by the 
bill, as reported, are shown as follows (new matter is printed 
in italic and existing law in which no change is proposed is 
shown in roman):

                      TITLE 18, UNITED STATES CODE

          * * * * * * *

                             PART I--CRIMES

Chap.                                                               Sec.
1.     General provisions.........................................     1
     * * * * * * *
122.  Encrypted wire and electronic information...................  2801
          * * * * * * *

         CHAPTER 122--ENCRYPTED WIRE AND ELECTRONIC INFORMATION

2801. Definitions.
2802. Freedom to use encryption.
2803. Freedom to sell encryption.
2804. Prohibition on mandatory key escrow.
2805. Unlawful use of encryption in furtherance of a criminal act.

Sec. 2801. Definitions

  As used in this chapter--
          (1) the terms ``person'', ``State'', ``wire 
        communication'', ``electronic communication'', 
        ``investigative or law enforcement officer'', ``judge 
        of competent jurisdiction'', and ``electronic storage'' 
        have the meanings given those terms in section 2510 of 
        this title;
          (2) the terms ``encrypt'' and ``encryption'' refer to 
        the scrambling of wire or electronic information using 
        mathematical formulas or algorithms in order to 
        preserve the confidentiality, integrity, or 
        authenticity of, and prevent unauthorized recipients 
        from accessing or altering, such information;
          (3) the term ``key'' means the variable information 
        used in a mathematical formula, code, or algorithm, or 
        any component thereof, used to decrypt wire or 
        electronic information that has been encrypted; and
          (4) the term ``United States person'' means--
                  (A) any United States citizen;
                  (B) any other person organized under the laws 
                of any State, the District of Columbia, or any 
                commonwealth, territory, or possession of the 
                United States; and
                  (C) any person organized under the laws of 
                any foreign country who is owned or controlled 
                by individuals or persons described in 
                subparagraphs (A) and (B).

Sec. 2802. Freedom to use encryption

  Subject to section 2805, it shall be lawful for any person 
within any State, and for any United States person in a foreign 
country, to use any encryption, regardless of the encryption 
algorithm selected, encryption key length chosen, or 
implementation technique or medium used.

Sec. 2803. Freedom to sell encryption

  Subject to section 2805, it shall be lawful for any person 
within any State to sell in interstate commerce any encryption, 
regardless of the encryption algorithm selected, encryption key 
length chosen, or implementation technique or medium used.

Sec. 2804. Prohibition on mandatory key escrow

  (a) Prohibition.--No person in lawful possession of a key to 
encrypted information may be required by Federal or State law 
to relinquish to another person control of that key.
  (b) Exception for Access for Law Enforcement Purposes.--
Subsection (a) shall not affect the authority of any 
investigative or law enforcement officer, acting under any law 
in effect on the effective date of this chapter, to gain access 
to encrypted information.

Sec. 2805. Unlawful use of encryption in furtherance of a criminal act

  Any person who willfully uses encryption in furtherance of 
the commission of a criminal offense for which the person may 
be prosecuted in a court of competent jurisdiction--
          (1) in the case of a first offense under this 
        section, shall be imprisoned for not more than 5 years, 
        or fined in the amount set forth in this title, or 
        both; and
          (2) in the case of a second or subsequent offense 
        under this section, shall be imprisoned for not more 
        than 10 years, or fined in the amount set forth in this 
        title, or both.
          * * * * * * *
                              ----------                              


          SECTION 17 OF THE EXPORT ADMINISTRATION ACT OF 1979

  Sec. 17. (a) * * *
          * * * * * * *
  (g) Certain Consumer Products, Computers, and Related 
Equipment.--
          (1) General rule.--Subject to paragraphs (2), (3), 
        and (4), the Secretary shall have exclusive authority 
        to control exports of all computer hardware, software, 
        and technology for information security (including 
        encryption), except that which is specifically designed 
        or modified for military use, including command, 
        control, and intelligence applications.
          (2) Items not requiring licenses.--No validated 
        license may be required, except pursuant to the Trading 
        With The Enemy Act or the International Emergency 
        Economic Powers Act (but only to the extent that the 
        authority of such Act is not exercised to extend 
        controls imposed under this Act), for the export or 
        reexport of--
                  (A) any consumer product commercially 
                available within the United States or abroad 
                which--
                          (i) includes encryption capabilities 
                        which are inaccessible to the end user; 
                        and
                          (ii) is not designed for military or 
                        intelligence end use;
                  (B) any component or subassembly designed for 
                use in a consumer product described in 
                subparagraph (A) which itself contains 
                encryption capabilities and is not capable of 
                military or intelligence end use in its 
                condition as exported;
                  (C) any software, including software with 
                encryption capabilities--
                          (i) that is generally available, as 
                        is, and is designed for installation by 
                        the purchaser;
                          (ii) that is in the public domain for 
                        which copyright or other protection is 
                        not available under title 17, United 
                        States Code, or that is available to 
                        the public because it is generally 
                        accessible to the interested public in 
                        any form; or
                          (iii) that is customized for an 
                        otherwise lawful use by a specific 
                        purchaser or group of purchasers;
                  (D) any computing device solely because it 
                incorporates or employs in any form--
                          (i) software (including software with 
                        encryption capabilities) that is 
                        exempted from any requirement for a 
                        validated license under subparagraph 
                        (C); or
                          (ii) software that is no more 
                        technically complex in its encryption 
                        capabilities than software that is 
                        exempted from any requirement for a 
                        validated license under subparagraph 
                        (C) but is not designed for 
                        installation by the purchaser;
                  (E) any computer hardware that is generally 
                available, solely because it has encryption 
                capabilities; or
                  (F) any software or computing device solely 
                on the basis that it incorporates or employs in 
                any form interface mechanisms for interaction 
                with other hardware and software, including 
                hardware, and software, with encryption 
                capabilities.
          (3) Software with encryption capabilities.--The 
        Secretary shall authorize the export or reexport of 
        software with encryption capabilities for nonmilitary 
        end uses in any country to which exports of software of 
        similar capability are permitted for use by financial 
        institutions not controlled in fact by United States 
        persons, unless there is substantial evidence that such 
        software will be--
                  (A) diverted to a military end use or an end 
                use supporting international terrorism;
                  (B) modified for military or terrorist end 
                use; or
                  (C) reexported without any authorization by 
                the United States that may be required under 
                this Act.
          (4) Hardware with encryption capabilities.--The 
        Secretary shall authorize the export or reexport of 
        computer hardware with encryption capabilities if the 
        Secretary determines that a product offering comparable 
        security is commercially available outside the United 
        States from a foreign supplier, without effective 
        restrictions.
          (5) Definitions.--As used in this subsection--
                  (A) the term ``encryption'' means the 
                scrambling of wire or electronic information 
                using mathematical formulas or algorithms in 
                order to preserve the confidentiality, 
                integrity, or authenticity of, and prevent 
                unauthorized recipients from accessing or 
                altering, such information;
                  (B) the term ``generally available'' means--
                          (i) in the case of software 
                        (including software with encryption 
                        capabilities), software that is offered 
                        for sale, license, or transfer to any 
                        person without restriction, whether or 
                        not for consideration, including, but 
                        not limited to, over-the-counter retail 
                        sales, mail order transactions, phone 
                        order transactions, electronic 
                        distribution, or sale on approval; and
                          (ii) in the case of hardware with 
                        encryption capabilities, hardware that 
                        is offered for sale, license, or 
                        transfer to any person without 
                        restriction, whether or not for 
                        consideration, including, but not 
                        limited to, over-the-counter retail 
                        sales, mail order transactions, phone 
                        order transactions, electronic 
                        distribution, or sale on approval;
                  (C) the term ``as is'' means, in the case of 
                software (including software with encryption 
                capabilities), a software program that is not 
                designed, developed, or tailored by the 
                software publisher for specific purchasers, 
                except that such purchasers may supply certain 
                installation parameters needed by the software 
                program to function properly with the 
                purchaser's system and may customize the 
                software program by choosing among options 
                contained in the software program;
                  (D) the term ``is designed for installation 
                by the purchaser'' means, in the case of 
                software (including software with encryption 
                capabilities) that--
                          (i) the software publisher intends 
                        for the purchaser (including any 
                        licensee or transferee), who may not be 
                        the actual program user, to install the 
                        software program on a computing device 
                        and has supplied the necessary 
                        instructions to do so, except that the 
                        publisher may also provide telephone 
                        help line services for software 
                        installation, electronic transmission, 
                        or basic operations; and
                          (ii) the software program is designed 
                        for installation by the purchaser 
                        without further substantial support by 
                        the supplier;
                  (E) the term ``computing device'' means a 
                device which incorporates one or more 
                microprocessor-based central processing units 
                that can accept, store, process, or provide 
                output of data; and
                  (F) the term ``computer hardware'', when used 
                in conjunction with information security, 
                includes, but is not limited to, computer 
                systems, equipment, application-specific 
                assemblies, modules, and integrated circuits.

                            DISSENTING VIEWS

    While well-intentioned, this bill's one-dimensional focus 
on the decontrol of encryption products would upset the vital 
balance that U.S. policy seeks to strike between the 
competitiveness of American industry and U.S. national security 
and law enforcement goals. The bill would prohibit any 
licensing or review of exports of encrypted software and 
hardware items. Consequently, its implementation would not only 
hinder our national security efforts but also undermine the 
Administration's ability to forge an international consensus on 
the use and implementation of national key recovery policies.
    While SAFE Act advocates correctly point out that the 
Administration has not yet achieved a multilateral consensus 
endorsing its preference for a key management infrastructure 
approach on encryption issues, it should be noted that recent 
cryptography guidelines adopted by the Organization for 
Economic Cooperation and Development have stressed the need to 
balance privacy, law enforcement, national security concerns, 
and commercial interests. They also underline the fact that 
failure to coordinate these policies could cripple the global 
information network and impede international trade.
    A July policy brief published by the Brookings Institution 
by Kenneth Flamm on ``Deciphering the Cryptography Debate'' 
noted along the same lines that:
    ``A level playing field, with common global rules of the 
game, is needed to avoid giving economic rivals competitive 
advantages over one another. The administration made an 
important and correct decision in seeking an international 
consensus on the key recovery approach to strong encryption and 
must be sure to continue to work hard in seeking this common 
global approach. While it has yet to achieve such a consensus 
within the OECD, many of the key players with the technical 
capability to ship advanced cryptography products and affect 
global markets--Britain, France and (quietly) Japan--are 
supporting the U.S. approach, and if a few more (like Germany 
and Israel) can be brought on board, the critical mass around 
which the core of an international agreement can be assembled 
will exist.''
    If enacted in its current form, this bill would undermine 
any prospects for achieving such consensus and would compel a 
number of the OECD countries to put additional import 
restrictions in place blocking the entry of our strongest 
encryption products.
    We recognize that the development of strong encryption can 
play a vital role in the development of electronic commerce and 
promoting privacy but the development of key recovery policies 
is essential to head off a potential crisis in the years ahead 
for our law enforcement authorities. If strong encryption is in 
widespread use in the near future, it will make it virtually 
impossible to decipher encrypted communications. Brute force 
attacks to crack encryption algorithms in that type of 
environment are not feasible or realistic, especially in the 
time sensitive cases where law enforcement needs access to 
encrypted files to save lives.
    By removing all controls on the export of any software and 
hardware with encryption capabilities, this bill threatens U.S. 
national security and law enforcement interests.
    With respect to U.S. national security, encrypted 
communications make it more difficult for U.S. intelligence 
agencies to monitor communications relating to terrorism, 
weapons proliferation, military operations, and other threats 
to U.S. national security interests. The Administration does 
not dispute the contention of U.S. software manufacturers that 
encryption products are in use around the world.
    But the Administration also points out that these products 
are not yet being widely used by individuals, groups, and 
governments whose activities pose threats to U.S. security and 
safety. As we understand it, the goal of U.S. export control 
policy is not to prevent the spread of encryption worldwide--
something which clearly cannot be done--but to slow down the spread of 
these products enough to give U.S.-led diplomacy an opportunity to 
achieve increased multilateral cooperation on common export control 
policies and on the adoption of a global key management infrastructure. 
Such an international key management infrastructure would enable U.S. 
intelligence and law enforcement agencies to cooperate with their 
counterparts in friendly countries in gaining access to communications 
that threaten common security and safety interests.
    The elimination of all U.S. controls on encryption exports 
will also jeopardize domestic law enforcement. We recognize 
that encryption is essential to the fulfillment of the promise 
of electronic commerce and to the protection of individual 
privacy in a networked world. But encryption also complicates 
the mission of U.S. law enforcement agencies, because it can 
make it impossible for law enforcement personnel to understand 
data and communications to which they have been granted access 
under court order or other proper legal authority.
    This is why current U.S. policy seeks to promote the 
adoption of key recovery features in encryption products used 
in the United States. Export controls are a key component of 
this policy. Under current practice, U.S. firms are permitted 
to export powerful encryption products if they already include 
key recovery features or if they pledge to develop such 
features during the next two years. If we eliminate all U.S. 
export controls, as this bill would do, the federal government 
will therefore lose one of its most important means for 
promoting the development of key recovery in the U.S. market. 
That will harm U.S. law enforcement.
    Lawful wiretapping and duly authorized court-ordered access 
to information and materials on a timely basis are essential 
tools for police and law enforcement authorities. If this 
legislation were to be enacted in its present form, the 
resultant proliferation of global and interconnected encryption 
has the very real potential to deny our local, state and 
federal authorities the timely access they now enjoy to data 
and other communications, even after a court order has been 
issued.
    More than one half the annual court-ordered wire taps are 
at the state and local level, and of the national total for all 
such wire taps, more than 70% are for drug-related cases. 
Congressional action on this legislation has the potential to 
affect our cities and towns where the devastating impact of 
illicit drugs already causes nearly $70 billion in annual 
societal costs. We ought not to add to that carnage and 
destruction by denying law enforcement one of the most 
effective tools against this scourge, timely access to lawful 
requests for information needed to combat these crimes.
    Attorney General Janet Reno, our nation's chief law 
enforcement officer, urged the members of our Committee to 
consider the effects of this legislation in her July 18, 1997, 
letter to the International Relations Committee. She said that 
``* * * the misuse of encryption technology will become a 
matter of life and death in many instances. That is why we urge 
you to adopt a balanced approach.'' We invite the attention of 
Members to correspondence from our Nation's law enforcement and 
national security leaders, appended below.
    During the full committee's consideration of H.R. 695, 
Chairman Gilman offered an amendment which would have helped to 
create this necessary balance in the bill. It would have 
provided the President the authorities to control the export 
and reexport of encrypted items if he determines that they 
would adversely affect our national security and our ability to 
fight crimes such as drug trafficking, terrorism and espionage. 
This amendment was, unfortunately, not adopted.
    Other Committees of the House including National Security, 
Intelligence and Commerce will now review this legislation 
through September 5 before it is considered by the full House 
later this year. We urge our colleagues on these Committees as 
well as our colleagues on the International Relations and the 
Judiciary Committees to review this legislation very carefully 
and consider its impact on our society and our ability to fight 
terrorism and protect our national security interests.

                                   Benjamin A. Gilman.
                                   Lee H. Hamilton.
                                   Doug Bereuter.
                                ------                                

                            Office of the Attorney General,
                                     Washington, DC, July 18, 1997.
    Dear Member of Congress: Congress is considering a variety 
of legislative proposals concerning encryption. Some of these 
proposals would, in effect, make it impossible for the Federal 
Bureau of Investigation (FBI), Drug Enforcement Administration 
(DEA), Secret Service, Customs Service, Bureau of Alcohol, 
Tobacco and Firearms, and other federal, state, and local law 
enforcement agencies to lawfully gain access to criminal 
telephone conversations or electronically stored evidence 
possessed by terrorists, child pornographers, drug kingpins, 
spies and other criminals. Since the impact of these proposals 
would seriously jeopardize safety and national security, we 
collectively urge you to support a different, balanced approach 
that strongly supports commercial and privacy interests but 
maintains our ability to investigate and prosecute serious 
crimes.
    We fully recognize that encryption is critical to 
communications security and privacy, and that substantial 
commercial interests are at stake. Perhaps in recognition of 
these facts, all the bills being considered allow market forces 
to shape the development of encryption products. We, too, place 
substantial reliance on market forces to promote electronic 
security and privacy, but believe that we cannot rely solely on 
market forces to protect the public safety and national 
security. Obviously, the government cannot abdicate its solemn 
responsibility to protect public safety and national security.
    Currently, of course, encryption is not widely used, and 
most data is stored, and transmitted, in the clear. As we move 
from a plain text world to an encrypted one, we have a critical 
choice to make: we can either (1) choose robust, unbreakable 
encryption that protects commerce and privacy but gives 
criminals a powerful new weapon, or (2) choose robust, 
unbreakable encryption that protects commerce and privacy and 
gives law enforcement the ability to protect public safety. The 
choice should be obvious and it would be a mistake of historic 
proportions to do nothing about the dangers to public safety 
posed by encryption without adequate safeguards for law 
enforcement.
    Let there be no doubt: without encryption safeguards, all 
Americans will be endangered. No one disputes this fact; not 
industry, not encryption users, no one. We need to take 
definitive actions to protect the safety of the public and 
security of the nation. That is why law enforcement at all 
levels of government--including the Justice Department, 
Treasury Department, the National Association of Attorneys 
General, International Association of Chiefs of Police, the 
Major City Chiefs, the National Sheriffs' Association, and the 
National District Attorneys Association--are so concerned about 
this issue.
    We all agree that without adequate legislation, law 
enforcement in the United States will be severely limited in 
its ability to combat the worst criminals and terrorists. 
Further, law enforcement agrees that the widespread use of 
robust non-key recovery encryption ultimately will devastate 
our ability to fight crime and prevent terrorism.
    Simply stated, technology is rapidly developing to the 
point where powerful encryption will become commonplace both 
for routine telephone communications and for stored computer 
data. Without legislation that accommodates public safety and 
national security concerns, society's most dangerous criminals 
will be able to communicate safely and electronically store 
data without fear of discovery. Court orders to conduct 
electronic surveillance and court-authorized search warrants 
will be ineffectual, and the Fourth Amendment's carefully-
struck balance between ensuring privacy and protecting public 
safety will be forever altered by technology. Technology should 
not dictate public policy, and it should promote, rather than 
defeat, public safety.
    We are not suggesting the balance of the Fourth Amendment 
be tipped toward law enforcement either. To the contrary, we 
only seek the status quo, not the lessening of any legal 
standard or the expansion of any law enforcement authority. The 
Fourth Amendment protects the privacy and liberties of our 
citizens but permits law enforcement to use tightly controlled 
investigative techniques to obtain evidence of crimes. The 
result has been the freest country in the world with the 
strongest economy.
    Law enforcement has already confronted encryption in high-
profile espionage, terrorist, and criminal cases. For example:
          An international terrorist was plotting to blow up 11 
        U.S.-owned commercial airliners in the Far East. His 
        laptop computer, which was seized in Manila, contained 
        encrypted files concerning this terrorist plot;
          A subject in a child pornography case used encryption 
        in transmitting obscene and pornographic images of 
        children over the Internet; and
          A major international drug trafficking subject 
        recently used a telephone encryption device to 
        frustrate court-approved electronic surveillance.
And this is just the tip of the iceberg. Convicted spy Aldrich 
Ames, for example, was told by the Russian Intelligence Service 
to encrypt computer file information that was to be passed to 
them.
    Further, today's international drug trafficking 
organizations are the most powerful, ruthless and affluent 
criminal enterprises we have ever faced. We know from numerous 
past investigations that they have utilized their virtually 
unlimited wealth to purchase sophisticated electronic equipment 
to facilitate their illegal activities. This has included state 
of the art communication and encryption devices. They have used 
this equipment as part of their command and control process for 
their international criminal operations. We believe you share 
our concern that criminals will increasingly take advantage of 
developing technology to further insulate their violent and 
destructive activities.
    Requests for cryptographic support pertaining to electronic 
surveillance interceptions from FBI Field Offices and other law 
enforcement agencies have steadily risen over the past several 
years. There has been an increase in the number of instances 
where the FBI's and DEA's court-authorized electronic efforts 
were frustrated by the use of encryption that did not allow for 
law enforcement access.
    There have also been numerous other cases where law 
enforcement, through the use of electronic surveillance, has 
not only solved and successfully prosecuted serious crimes but 
has also been able to prevent life-threatening criminal acts. 
For example, terrorists in New York were plotting to bomb the 
United Nations building, the Lincoln and Holland Tunnels, and 
26 Federal Plaza as well as conduct assassinations of political 
figures. Court-authorized electronic surveillance enabled the 
FBI to disrupt the plot as explosives were being mixed. 
Ultimately, the evidence obtained was used to convict the 
conspirators. In another example, electronic surveillance was 
used to stop and then convict two men who intended to kidnap, 
molest, and kill a child. In all of these cases, the use of 
encryption might have seriously jeopardized public safety and 
resulted in the loss of life.
    To preserve law enforcement's abilities, and to preserve 
the balance so carefully established by the Constitution, we 
believe any encryption legislation must accomplish three goals 
in addition to promoting the widespread use of strong 
encryption. It must establish:
          A viable key management infrastructure that promotes 
        electronic commerce and enjoys the confidence of 
        encryption users;
          A key management infrastructure that supports a key 
        recovery scheme that will allow encryption users access 
        to their own data should the need arise, and that will 
        permit law enforcement to obtain lawful access to the 
        plain text of encrypted communications and data; and
          An enforcement mechanism that criminalizes both 
        improper use of encryption key recovery information and 
        the use of encryption for criminal purposes.
    Only one bill, S. 909 (the McCain/Kerrey/Hollings bill), 
comes close to meeting these core public safety, law 
enforcement, and national security needs. The other bills being 
considered by Congress, as currently written, risk great harm 
to our ability to enforce the laws and protect our citizens. We 
look forward to working to improve the McCain/Kerrey/Hollings 
bill.
    In sum, while encryption is certainly a commercial interest 
of great importance to this Nation, it is not solely a 
commercial or business issue. Those of us charged with the 
protection of public safety and national security believe that 
the misuse of encryption technology will become a matter of 
life and death in many instances. That is why we urge you to 
adopt a balanced approach that accomplishes the goals mentioned 
above. Only this approach will allow police departments, 
attorneys general, district attorneys, sheriffs, and federal 
authorities to continue to use their most effective 
investigative techniques, with court approval, to fight crime 
and espionage and prevent terrorism.
            Sincerely yours,
                    Janet Reno, Attorney General; Louis Freeh, 
                            Director, Federal Bureau of Investigation; 
                            Thomas A. Constantine, Director, Drug 
                            Enforcement Administration; Raymond W. 
                            Kelly, Undersecretary for Enforcement, U.S. 
                            Department of Treasury; John W. Magaw, 
                            Director, Bureau of Alcohol, Tobacco and 
                            Firearms; Barry McCaffrey, Director, Office 
                            of National Drug Control Policy; Lewis C. 
                            Merletti, Director, United States Secret 
                            Service; George J. Weise, Commissioner, 
                            United States Customs Service.
                                ------                                

                                  The Secretary of Defense,
                                     Washington, DC, July 21, 1997.
    Dear Member of Congress: Recently you received a letter 
from the nation's senior law enforcement officials regarding US 
encryption policies. I am writing today to express my strong 
support for their views on this important issue.
    As you know, the Department of Defense is involved on a 
daily basis in countering international terrorism, narcotics 
trafficking, and the proliferation of weapons of mass 
destruction. The spread of unbreakable encryption, as a 
standard feature of mass market communication products, 
presents a significant threat to the ability of the US and its 
allies to monitor the dangerous groups and individuals involved 
in these activities. Passage of legislation which effectively 
decontrols commercial encryption exports would undermine U.S. 
efforts to foster the use of strong key recovery encryption 
domestically and abroad. Key recovery products will preserve 
governments' abilities to counter worldwide terrorism, 
narcotics trafficking and proliferation.
    It is also important to note that the Department of Defense 
relies on the Federal Bureau of Investigation for the 
apprehension and prosecution of spies. Sadly, there have been 
over 60 espionage convictions of federal employees over the 
last decade. While these individuals represent a tiny minority 
of government employees, the impact of espionage activities on 
our nation's security can be enormous. As the recent arrests of 
Nicholson, Pitts and Kim clearly indicate, espionage remains a 
very serious problem. Any policies that detract from the FBI's 
ability to perform its vital counterintelligence function, 
including the ability to perform wiretaps, inevitably detract 
from the security of the Department of Defense and the nation.
    Encryption legislation must also address the nation's 
domestic information security needs. Today, approximately 95% 
of DoD communications rely on public networks; other parts of 
government, and industry, are even more dependent on the 
trustworthiness of such networks. Clearly, we must ensure that 
encryption legislation addresses these needs. An approach such 
as the one contained in S. 909 can go a long way toward 
balancing the need for strong encryption with the need to 
preserve national security and public safety. I hope that you 
will work with the Administration to enact legislation that 
addresses these national security concerns as well as the 
rights of the American people.
    I appreciate your consideration of these views.
            Sincerely,
                                                        Bill Cohen.
                                ------                                

             International Association of Chiefs of Police,
                                     Alexandria, VA, July 21, 1997.
    Dear Member of Congress: Enclosed is a letter sent to you 
by the Attorney General, the Director of National Drug Control 
Policy and all the federal law enforcement heads concerning 
encryption legislation being considered by Congress. 
Collectively we, the undersigned, represent over 17,000 police 
departments including every major city police department, over 
3,000 sheriffs departments, nearly every district attorney in 
the United States and all of the state Attorneys General. We 
fully endorse the position taken by our federal counterparts in 
the enclosed letter. As we have stated many times, Congress 
must adopt a balanced approach to encryption that fully 
addresses public safety concerns or the ability of state and 
local law enforcement to fight crime and drugs will be severely 
damaged.
    Any encryption legislation that does not ensure that law 
enforcement can gain timely access to the plaintext of 
encrypted conversations and information by established legal 
procedures will cause grave harm to public safety. The risk 
cannot be left to the uncertainty of market forces or 
commercial interests as the current legislative proposals would 
require. Without adequate safeguards, the unbridled use of 
powerful encryption soon will deprive law enforcement of two of 
its most effective tools, court authorized electronic 
surveillance and the search and seizure of information stored 
in computers. This will substantially tip the balance in the 
fight against crime towards society's most dangerous criminals 
as the information age develops.
    We are in unanimous agreement that Congress must adopt 
encryption legislation that requires the development, 
manufacture, distribution and sale of only key recovery 
products and we are opposed to the bills that do not do so. 
Only the key recovery approach will ensure that law enforcement 
can continue to gain timely access to the plaintext of 
encrypted conversations and other evidence of crimes when 
authorized by a court to do so. If we lose this ability--and 
the bills you are considering will have this result--it will be 
a substantial setback for law enforcement at the direct 
expense of public safety.
            Sincerely yours,
                                   Darrell L. Sanders,
                                           President, International 
                                               Association of Chiefs of 
                                               Police.
                                   James E. Doyle,
                                           President, National 
                                               Association of Attorneys 
                                               General.
                                   Fred Scoralic,
                                           President, National 
                                               Sheriffs' Association.
                                   William L. Murphy,
                                           President, National District 
                                               Attorneys Association.