Carol M. Morrissey has been the Legislative Specialist for the Washington, D.C. office of Chicago’s Sidley & Austin for 11 years. She is a lawyer and legislative expert who has also authored a Congressional update column for the last 4 years.
Encryption legislation is all the rage on Capitol Hill. The 105th Congress has accepted and embraced the new age of information technology, spawning a whole new genre of technology related legislation. Encryption, or the encoding of information and communications to protect them from unauthorized uses, is a volatile issue involving national security, private industry and privacy rights.
The seriousness of the situation has encouraged some “heavy hitters” to weigh in on the subject. Senator McCain (R-AZ), the Chairman of the Senate Commerce committee, is the sponsor of the Secure Public Networks Act (S. 909), which is cosponsored by Senators Kerrey (D-NE) and Hollings (D-SC). The Secure Public Networks Act seeks to facilitate the creation of secure public networks for the export of encrypted products, provide law enforcement with the tools to prevent illegal activity and protect the privacy of users.
The key word here is balance. Sen. McCain has attempted to build a middle ground upon which industry and law enforcement can meet. He has made it clear that although he supports a free market, he will not support any legislation which is contrary to national security concerns. During markup in June, the committee adopted a Sen. Kerry (D-MA) amendment creating an Encryption Advisory Board. The Board is to consist of industry and government representatives and will evaluate the market for stronger encryption (greater than 56 bit DES) and report their recommendations to the President. Also adopted was a Sen. Frist (R-TN) amendment requiring law enforcement to utilize a subpoena process to obtain key recovery information and mandating government systems to operate with key recovery systems (“key recovery” or “key escrow” is the provision of a copy of the encryption key to a third party).
Also pending in the Senate are the Encryption Communications Privacy Act (S. 376), sponsored by Sen. Leahy (D-VT) and the Promotion of Commerce On-Line in the Digital Era or PRO-CODE, Act (S. 377), sponsored by Sen. Burns (R-MO). These bills, unlike S. 909 which was reported out favorably by Senate Commerce in June, have not been marked up in committee. They seek to bar government mandated key recovery and provide computer users the freedom to choose any encryption method to protect the privacy of online communications and computer files. Accordingly, they call for a rollback on current export restrictions so industry can meet the demand for stronger encryption. Due to national security concerns, there are exceptions for military end-uses, terrorist activities and embargoed nations. Sen. Burns attempted to amend S. 909 with the text of his bill during markup, but his amendment was defeated.
The House encryption vehicle is H.R. 695, the Security and Freedom Through Encryption Act (SAFE), sponsored by Rep. Goodlatte (R-VA) (see www.house.gov/goodlatte/ for statements and text of bill). SAFE has been marked up and reported out by no fewer than five committees (that in and of itself is testimony to the phalanx of issues involved here) and was placed on the House Calendar on September 29 of this year (once placed on the House Calendar a bill can be called up for consideration before the full House of Representatives). SAFE thus has the ambiguous distinction amongst the encryption legislation of having progressed the farthest legislatively, although in reality, it is still too controversial to be called up for a floor vote.
As introduced, SAFE proposed to loosen export and domestic restrictions on encryption products, prohibit the government from requiring a key recovery system, create criminal penalties for the unlawful use of encryption in furtherance of a crime and modernize U.S. export controls to create a level commercial playing field for U.S. companies in foreign markets. The bill currently stands between the committees and the House floor and still must answer to the demands of law enforcement and industry. As amended, the law enforcement community says the bill provides for voluntary key recovery and therefore does not give them the desired access. The computer industry claims that although key escrow is facially voluntary, the constraints placed on the industry by the bill would render it mandatory in practice. Rep. Solomon (R-NY), the Chairman of the Rules committee, has stated that he will not allow H.R. 695 to the floor unless it contains the Reps. Oxley (R-OH)/Manton (D-NY) language requiring key recovery for all encryption products.
The Administration position is best articulated by the testimony of Undersecretary for Export Administration, William Reinsch, before the House subcommittee on Telecommunications on September 4 (this testimony and other encryption-related information can be accessed at www.bxa.doc.gov). The Administration does not support mandatory key recovery, but believes that the market will create a strong demand for key recovery on its own to reflect the varying uses of encryption in the commercial marketplace. Participation in key escrow would therefore be voluntary. Domestic users should have the freedom to select any type or strength of encryption. Guidelines for the release of escrow information to law enforcement must be developed. The misuse of keys and encryption to further crime must be criminalized.
Therefore, the Administration does not support H.R. 695. SAFE provides for export liberalization which is far too sweeping, and its decontrol of encryption products places severe limits on government review, posing a risk to national security and law enforcement. However, the Administration supports the criminal penalties and the law enforcement provisions. At this point, the Administration is supporting the McCain bill, S. 909, as the most workable vehicle since it attempts to strike a balance between the needs of industry, law enforcement and national security.
The Federal Bureau of Investigation, as the proponent of law enforcement in America, has taken a different stance than the Administration. This position is illustrated by the testimony of the Director of the FBI, Louis J. Freeh, on the issue of encryption before the Select Committee on Intelligence, the Senate Committee on Technology, Terrorism and Government Information and the Senate Judiciary Committee, all of which is available from the FBI homepage at www.fbi.gov (click on Congressional Affairs). In a nutshell, mandatory domestic key recovery would provide law enforcement agencies with the tools necessary to pursue criminal activity by being able to gain access to encrypted information. Therefore, H.R. 695 (SAFE), with the inclusion of the Oxley/Manton amendment mentioned above, would be supported by the FBI.
The industry has come out squarely behind SAFE (with a caveat) and against S. 909 (see SPA homepage at www.spa.org, click on Government Affairs, go to Encryption.). According to the SPA, S. 909 is not a compromise in any sense of the word, but a piece of legislation which panders to law enforcement and government restraints, sacrificing the privacy of industry and individuals. The caveat is that SAFE as amended and pending floor action may end up with mandatory domestic key recovery. In that case, the industry would be unable to throw its support behind the bill.
Encryption legislation is essentially gridlocked at present. The first session of the 105th Congress will most likely come to a close within the next two to three weeks. Sen. McCain has said that he would like to bring a bill to the floor for a vote, but will not sacrifice national security to industry’s demands. The President has indicated that he will not sign a bill allowing a free-for-all in encryption exports. The SAFE legislation will not be brought up for a vote until a compromise can be reached, and the parties at issue are now maintaining that they will attempt to iron out their differences during the recess. There is little doubt that sometime during the second session of the 105th Congress we will see encryption legislation on the floor of the House and Senate, but as the saying goes, “it ain’t gonna be pretty.”
For additional legislation on privacy issues go to www.epic.org/privacy/bill_track.html.