SUMMARY OF TESTIMONY OF ROBERT S. LITT, DEPUTY ASSISTANT ATTORNEY GENERAL, CONCERNING ENCRYPTION AND H.R. 695, BEFORE THE SUBCOMMITTEE ON TELECOMMUNICATIONS, TRADE AND CONSUMER PROTECTION,OBR THE HOUSE COMMERCE COMMITTEE
SEPTEMBER 4, 1997
The nation's policy on encryption must carefully balance important
competing interests. The Department of Justice has a vital stake
in the country's encryption policy because encryption may be used
not only to protect lawful data against unauthorized intruders,
it may also be used to conceal illegitimate materials from law
enforcement. While we support the spread of strong encryption,
we believe that the widespread dissemination of unbreakable encryption
without any accommodation for law enforcement access is a serious
threat to public safety and to the integrity of America's commercial
infrastructure.
Public safety and national security must be protected against
the threats posed by terrorists, organized crime, foreign intelligence
agents, and others. If unbreakable encryption proliferates without
accommodations for law enforcement, critical law enforcement tools,
including wiretapping and execution of search warrants, would
be nullified, and the potential harm to public safety could be
devastating. U.S. law enforcement and intelligence agencies do
not possess and cannot obtain the resources necessary to decrypt
large numbers of encrypted communications and stored data. Our
experiences demonstrate that this concern is not theoretical and
not exaggerated.
Our goal is to encourage the use of strong encryption to protect
privacy and commerce, but in a way that preserves (without
extending) law enforcement's ability to protect public safety
and national security. Accordingly, the Administration has promoted
the manufacture and use of key recovery products, aided the development
of a global key management infrastructure ("KMI"), and
liberalized United States restrictions on the export of robust
cryptographic products. We anticipate that market forces will
make key recovery products a defacto industry standard
and thus preserve the balance of privacy and public safety that
our Constitution embodies.
Because of its support for key recovery, the Department of Justice
cannot support H.R. 695 as it is presently drafted. The bill
would discourage the development of a KMI. The bill would also
eliminate all export controls on strong encryption and thus would
undermine public safety and national security by encouraging the
proliferation of unbreakable encryption. We believe it would
be unwise simply to lift export controls on encryption for the
sake of uncertain commercial benefits. This action would be particularly
imprudent when there is the possibility of balancing individual
privacy, public safety, and commercial needs through global adoption
of a key recovery system. As we have learned through extensive
international discussions in the last year, a consensus is now
emerging throughout much of the world that the most suitable approach
is the use of a "key recovery" or "trusted third
party" system.
We look forward to working with this Subcommittee as we continue
to develop and implement the Administration's approach.
TESTIMONY OF ROBERT S. LITT DEPUTY ASSISTANT ATTORNEY GENERAL CONCERNING ENCRYPTION AND H.R. 695 BEFORE THE SUBCOMMITTEE ON TELECOMMUNICATIONS, TRADE, AND CONSUMER PROTECTION OF THE HOUSE COMMERCE COMMITTEE
SEPTEMBER 4, 1997
Thank you, Mr. Chairman and members of the Subcommittee, for
providing me this opportunity to discuss with you the important
and complex issue of encryption. The Nation's policy on this
issue must carefully balance important competing interests, and
it is essential for all interested parties to recognize the validity
and importance of all of these interests. The Department of Justice,
whose interests I represent, has a vital stake in the country's
encryption policy. Encryption will provide all of us the ability
to protect lawful data against unauthorized intruders. But encryption
can also be used to conceal criminal activity from law enforcement.
Although the Department of Justice does not support H.R. 695
in its present form, we look forward to continuing the productive
discussions we have had with Congress on this issue, with the
goal of arriving at a policy that accommodates all of these interests.
In recent years, the issue of encryption has been vociferously
debated in the United States. Having participated actively in
these discussions, the Department of Justice believes today, as
strongly as ever, that the widespread dissemination of unbreakable
encryption without any accommodation for law enforcement access
is a serious threat to public safety and to the integrity of America's
commercial infrastructure. Our recent experiences only buttress
this conclusion.
For example, just last week, in San Francisco, a man named Carlos
Salgado, Jr. pleaded guilty to federal computer fraud and stolen
credit card trafficking charges for crimes that he tried to obscure
from law enforcement by his use of unbreakable encryption. Specifically,
Salgado had stolen over 80,000 credit card numbers and intended
to sell them for criminal purposes. These credit card accounts
had a combined credit limit (and a potential loss to the 1,214
issuing financial institutions) of about one billion dollars.
Salgado explicitly insisted on encrypting the stolen credit card
numbers before delivering them on a CD-ROM to his purchaser.
We were lucky in this case, because Salgado's purchaser was cooperating
with the FBI. But if we had discovered this case another way,
law enforcement could not have penetrated the information on Salgado's
CD-ROM. Crimes like this one have serious implications for law
enforcement's ability to protect commercial data as well as personal
privacy.
Let me be clear: The Department of Justice supports the spread
of strong encryption. Law enforcement's responsibilities and
concerns include protecting privacy and promoting commerce over
our nation's communications networks. For example, we prosecute
under existing laws those who violate the privacy of others by
illegal eavesdropping, hacking or theft of confidential information.
Indeed, last year the Administration sought, and Congress passed,
the National Information Infrastructure Protection Act of 1996,
to provide further protection to the confidentiality of stored
data. And we help promote commerce by enforcing the laws, including
those that protect intellectual property rights, and that combat
computer and communications fraud. (In particular, we help to
protect the confidentiality of business data through enforcement
of the recently enacted Economic Espionage Act.) Our support
for robust encryption is a natural outgrowth of our commitment
to protecting privacy for personal and commercial interests.
But the Department of Justice protects more than just privacy.
We also protect public safety and national security against the
threats posed by terrorists, organized crime, foreign intelligence
agents, and others. Moreover, we have the responsibility to prosecute
serious crime when it does occur. We are gravely concerned that
the proliferation and use of unbreakable encryption would
seriously undermine these duties to protect the American people,
even while we favor the spread of strong encryption products
that permit timely and legal law enforcement access and decryption.
The most easily understood example is electronic surveillance.
Courtauthorized wiretaps have proven to be one of the most successful
law enforcement tools in preventing and prosecuting serious crimes,
including drug trafficking and terrorism. We have used legal
wiretaps to bring down entire narcotics trafficking organizations,
to rescue young children kidnapped and held hostage, and to assist
in a variety of matters affecting our national security. In addition,
as society becomes more dependent on computers, evidence of crimes
is increasingly found in stored computer data, which can be searched
and seized pursuant to courtauthorized warrants.
But if unbreakable encryption proliferates, these critical law
enforcement tools would be nullified. Thus, for example, even
if the government satisfies the rigorous legal and procedural
requirements for obtaining a wiretap order, the wiretap would
be worthless if the intercepted communications of the targeted
criminals amount to an unintelligible jumble of noises or symbols.
Or we might legally seize the computer of a terrorist and be
unable to read the data identifying his or her targets, plans
and co-conspirators. The potential harm to law enforcement and
to the nation's domestic security could be devastating.
I want to emphasize that this concern is not theoretical, nor
is it exaggerated. Although use of encryption is only in its
infancy, we have already begun to encounter its harmful effects
in recent investigations, in addition to the Salgado case described
above.
In the Aldrich Ames spy case, Soviet intelligence operatives
directed Ames to encrypt computer files that he transmitted to
them.
Ramzi Yousef, recently convicted of conspiring to blow up 10
U.S.owned airliners in Asia, and his coconspirators apparently
stored information about their terrorist plot in an encrypted
computer file. (Yousef is also one of the alleged masterminds
of the World Trade Center bombing.)
One of the subjects in a child pornography case encrypted pornographic
images of children before sending the pictures out on the Internet.
The subject of a major international drugtrafficking case used
a telephone encryption device to seriously reduce the effectiveness
of a court-ordered wiretap.
In several major hacker cases, the subjects have encrypted computer
files, thereby concealing evidence of serious crimes. In one
such case, the government was unable to determine the full scope
of the hacker's activity because of the use of encryption.
These are just a few examples of recent cases involving encryption.
As encryption proliferates and becomes an ordinary component
of mass market items, and as the strength of encryption products
increases, the threat to public safety will increase proportionately.
It is for this reason that the Attorney General and the leaders
of many law enforcement organizations have written to the Congress
urging them to support an encryption bill that preserves law enforcement's
abilities to protect the public safety and our national security.
I have attached a copy of that letter to my statement and would
ask that it be made a part of the record.
Some have argued that people have a right to absolute immunity
from governmental intrusion, regardless of the costs to public
order and safety, and that any new technology that enhances absolute
privacy should go unrestricted. But the Founding Fathers recognized
that an absolute right to privacy was incompatible with an ordered
society, and so our Nation has never recognized such an absolute
right. Rather, the Fourth Amendment strikes a careful balance
between an individual's right to privacy and society's need, on
appropriate occasions, to intrude into that privacy. Our government
has always been permitted to invade a person's privacy, for example
by searching for and seizing personal communications and papers,
when it is necessary to prevent, solve, and prosecute crimes,
but, for the most part, we allow this only when the government
demonstrates "probable cause" and obtains a warrant
from the court.
Unbreakable encryption would upset our delicate constitutional
balance, which is one of the bedrock principles of our legal system,
by effectively nullifying a court's issuance of a search warrant
or wiretap order. The notion that advances in technology should
dictate public policy is backwards. Technology should serve society,
not rule it. Technology should promote public safety, not defeat
it.
Others claim that the fears of law enforcement are overstated.
They argue that U.S. law enforcement and intelligence agencies
can be given the resources necessary to decrypt encrypted communications.
Essentially, they argue that expensive, fast computers can be
used to decipher encrypted communications by "brute force"
which essentially means trying every possible "key"
(a sequence of symbols that determines the transformation from
plain text to ciphertext, and vice versa) until the right one
is found. They point to one highly publicized success of a group
that deciphered a message encrypted with a 56bit key and argue
that law enforcement can surely do the same.
Yet that example underscores the problems that accompany a "brute
force" approach. The successful group actually used over
14,000 computers and took over four months -- over ten million
hours of computer time -- to decrypt one single message. That's
really not practical for law enforcement if, for example, we're
trying to prevent a terrorist attack or find a kidnap victim.
And I hope you understand that law enforcement does not have
the resources to better that result in any meaningful way. Significantly,
the time needed to decrypt a message rises exponentially as the
length of the encryption key increases. If the message had been
encrypted with a 64-bit key, it would take 10,000 Pentium computers
on average 58years to crack a single message.
And a new message would require law enforcement to start again
from scratch because each message may be encrypted with a different
key. During 1995, for example, federal and state courts authorized
more than a thousand electronic surveillance court orders, resulting
in over two million intercepted communications, each of which
could require separate decryption. Given such numbers, brute
force attacks are not a feasible solution. This commitment of
time and resources is unavailable for every wiretap and every
search and seizure executed at federal, state, and local levels.
Additionally, law enforcement agencies at the federal, state,
and local level are finding that searches in routine, nonwiretap
cases now commonly result in the seizure of electronically stored
information. Because storage devices have increased in capacity
and decreased in price, the quantity of data seized in "ordinary"
cases continues to increase dramatically. If all of these communications
and stored files were DESencrypted, brute force attacks would
not provide a meaningful and timely solution. Thus, even if tens
of thousands of computers were obtained and coordinated (an expensive
undertaking, to say the least), the approximately 17,000 federal,
state, and local law enforcement agencies could not be given timely
access to the evidence we need to prevent and solve crimes.
Finally, many proponents of strong encryption advocate its proliferation
precisely because it cannot be decrypted by the government.
Thus, even if the government could acquire the ability to quickly
decrypt DESencrypted communications and information, many of the
advocates of absolute privacy would push for even greater key
lengths, on the ground that 56bit DES no longer provided acceptable
security. But greater key lengths would, of course, increase
the difficulty and cost of decrypting encrypted data even more.
We must recognize that it will always be easier and cheaper to
devise stronger cryptographic methods than to build computers
powerful enough to break them in a reasonable period of time.
Our goal, then, is to encourage the use of strong encryption
to protect privacy and commerce, but in a way that preserves law
enforcement's ability to protect public safety and national security
against terrorism and other criminal threats. We have engaged
in extensive international discussions on this topic over the
last two years, and a consensus is now emerging throughout much
of the world that the way to achieve this balance is through the
use of a "key recovery" or "trusted third party"
system. Under this system, a key for a given encryption product
would be deposited with a trusted third party or "recovery"
agent. (Some entities, such as large corporations, might be able
to hold their own keys, provided that certain procedural protections
were established to preserve the integrity of a law enforcement
investigation.) If the government had lawful authority to obtain
the encrypted information, for example by a search warrant or
a courtordered wiretap, it could likewise obtain the key from
the recovery agent in order to decrypt the information it was
entitled to get.
I want to emphasize particularly, because our position has often
been misrepresented, that a key recovery system would create no
new authority to obtain data, to examine personal records, or
to eavesdrop. Access to encrypted data could be obtained only
as part of a legally authorized investigation, and under the same
circumstances that today would authorize access to unencrypted
data. The same constitutional and statutory protections that
preserve every American's privacy interests today would prevent
unauthorized intrusions in a key recovery regime. All we would
be doing would be preserving law enforcement's ability to do what
it is legally and constitutionally entitled to do today. At the
same time, though, individuals and companies would gain the benefit
of strong cryptography to protect the confidentiality of their
data, whether in storage or in transmission.
Effective law enforcement is not, however, the only reason to
support a key recovery system. Business, as well, needs a routinely
available method of recovering encrypted information. For example,
a company might find that one of its employees had encrypted confidential
information in the company's files and then absconded with the
key, or just lost it. Without a key recovery system, the company
would be out of luck. Key recovery thus serves important private
interests as well.
In short, key recovery holds great promise for providing the
security and confidentiality that businesses and individuals want
and need, while preserving the government's ability to protect
public safety and national security. Thus, Administration policy
is to promote the manufacture and use of key recovery products,
to develop a global key management infrastructure ("KMI"),
and to liberalize United States restrictions on the export of
robust cryptographic products in the hope that market forces will
make such products a de facto industry standard.
For many months, we also have been engaged in serious discussions
on this subject with foreign governments, which are now anxious
to join us in developing international standards to address this
issue on a global scale. In fact, an experts working group of
the Organization for Economic Cooperation and Development has
issued a statement of principles that acknowledges the need to
consider public safety when establishing national cryptographic
policies. We believe that key recovery encryption will become
the worldwide standard for users of the GII. The United States
can be a leader in this process.
If key recovery encryption does become the worldwide standard,
U.S. businesses will be able to compete abroad effectively, retaining
and even expanding their market share. At the same time, law
enforcement agencies will have a legally authorized means of decrypting
encoded data. This approach would therefore effectively serve
the interests of all Americans.
The argument is sometimes made that key recovery encryption is
not the solution, because criminals will simply use nonkey recovery
encryption to communicate among themselves and to hide evidence
of their crimes. But we believe that if our companies develop
and market strong key recovery encryption products that will not
interoperate with nonkey recovery products and a global KMI arises,
key recovery products will become the worldwide standard. Under
those circumstances, many criminals will use key recovery products,
because products will be easily available from the mass market.
And even criminals need to communicate with legitimate organizations
such as banks, both nationally and internationally.
The cornerstone of our policy is encouraging the development
of key recovery products and a KMI to preserve the balance of
privacy and law enforcement that our Constitution embodies. For
this reason we cannot support H.R. 695 as it is presently drafted.
We believe that the bill would discourage the development of
a key management infrastructure. Moreover, we believe that the
central provision of the bill, Section 3 which would effectively
eliminate all export controls on strong encryption would undermine
public safety and national security by encouraging the proliferation
of unbreakable encryption.
The first problem that we see with H.R. 695 is its failure to
promote development of a key management infrastructure. The Administration
believes that the development of a key management infrastructure
is critically important for a safe society. H.R. 695 prohibits
laws that would require a keyholder to relinquish keys to third
parties under certain circumstances. Unfortunately, to the extent
that this provision would actually prohibit government from encouraging
KMI development, the provision would put public safety and national
security at risk and is inadvisable. For example, it might preclude
the United States government from utilizing useful and appropriate
incentives to use key recovery. The government might not be able
to require its own contractors to use key recovery or demand its
use in the legally required storage of records regarding such
matters as sales of controlled substances or firearms.
We also believe that export controls continue to play an important
role in the Administration policy of promoting development of
the KMI. We have heard, of course, the argument that the "genie
is already out of the bottle" that unbreakable cryptography
is already widely available overseas and over the Internet, that
its dissemination cannot be halted, and that regulation serves
only to handicap U.S. manufacturers seeking to sell their encryption
products overseas. We disagree vigorously for a number of important
reasons that I would like to explain to you today.
First of all, in recognition of the legitimate interests of U.S.
software manufacturers, the Administration, as this Subcommittee
is of course aware, has considerably liberalized export controls
for certain commercial encryption products. The Administration
transferred jurisdiction over commercial encryption products from
the Department of State to the Department of Commerce at the end
of December, a step that we expect will ease the burden on industry
by providing for faster and more transparent decisions on applications
for export licenses.
Most significantly, we have allowed unlimited export of key recovery
products as well as export of nonkey recovery 56bit encryption
during a twoyear transitional period by those companies that commit
to the development of key recovery products. This willingness
to permit unlimited export of products that incorporate key recovery
clearly demonstrates that the Administration is in favor of the
spread of strong encryption products, as long as they have accommodations
for law enforcement access.
Second, although unbreakable encryption products can be found
overseas, these products are not ubiquitous, in part because the
export of strong cryptography is controlled today by both the
U.S. and other countries. It is worth noting in this regard that
export of encryption over the Internet, like any other means of
export, is restricted under U.S. law. Although it is difficult
to completely prevent encryption products from being sent abroad
over the Internet, we believe that the present legal restrictions
have significantly limited the use of the Internet as a means
of evading export controls.
Third, the products that are available overseas are not widely
used because there is not yet an infrastructure to support the
distribution of keys among users and to provide interoperability
among the different products. Such an infrastructure will have
to be created in order to realize the full benefits of encryption,
and we should strive to ensure that it is created in a way that
preserves public safety.
Fourth, the quality of encryption products offered abroad varies
greatly, with some encryption products not providing the level
of protection advertised.
Finally, the vast majority of businesses and individuals with
a serious need for strong encryption do not and will not rely
on encryption downloaded from the Internet from untested sources,
but prefer to deal with known and reliable suppliers. For these
reasons, export controls continue to serve an important function.
It is also important to consider that our allies strongly concur
that unrestricted export of encryption would severely hamper law
enforcement objectives. Indeed, when the U.S. let it be known
at a December 1995 meeting of the OECD that it was considering
allowing the export of some stronger, nonrecoverable encryption,
many of our allies expressed dismay at the prospect of such an
action. They feared that unbreakable encryption would become
so internationally pervasive that criminal organizations and terrorists
would be able to use it freely. It follows that the elimination
of U.S. export controls, as provided by H.R. 695, would have an
even more devastating impact on international law enforcement.
It would be a terrible irony if this government which prides
itself on its leadership in fighting international crime were
to enact a law that would jeopardize public safety and weaken
law enforcement agencies worldwide.
In addition, it would be a mistake to assume that if the U.S.
were to lift export controls, U.S. companies would have unrestricted
access to foreign markets. This assumption ignores the likely
reaction of foreign governments to the elimination of U.S. export
controls. Up to now, most other countries have not needed to
restrict imports or the domestic use of encryption, largely because
export controls in the U.S. the world leader in computer technology
and other countries have made such restrictions unnecessary.
But given other countries' legitimate concerns about the potential
worldwide proliferation of unbreakable cryptography, we believe
that many of those countries would respond to any lifting of U.S.
export controls by imposing import controls, or by restricting
use of strong encryption by their citizens. For example, the
import and domestic manufacture, sale and use of encryption products
have already been restricted in France, Russia and Israel. And
the European Union is moving towards the adoption of a keyrecoverybased
key management infrastructure similar to that proposed by the
Administration. In the long run, then, U.S. companies might not
be any better off if U.S. export controls were lifted, but we
would have undermined our leadership role in fighting international
crime and damaged our own national security interests in the meantime.
In light of these factors, we believe it would be profoundly
unwise simply to lift export controls on encryption. The ability
of law enforcement to protect of national security, personal privacy,
and sensitive commercial data should not be sacrificed for the
sake of uncertain commercial benefits, especially when there is
the possibility of satisfying both security and commercial needs
simultaneously through global adoption of a key recovery system.
We as government leaders should embark upon the course of action
that best preserves the balance long ago set by the Framers of
the Constitution, preserving both individual privacy and society's
interest in effective law enforcement. We should promote encryption
products which contain robust cryptography but that also provide
for timely and legal law enforcement access and decryption. This
is the Administration's policy. We look forward to working with
this Subcommittee as we continue to develop and implement our
approach.
I would now be pleased to answer any questions you may have.