Opening Statement of Sen. John Ashcroft (R-MO).
Re: Senate Commerce Committee hearing on S 798, PROTECT Act.

Date: June 10, 1999.
Source: Office of Sen. Ashcroft. This document was created by scanning a fax copy, and converting to HTML.
ashcroft.jpg (8791 bytes)

Statement of Senator John Ashcroft
Hearing on the PROTECT Act
June 10, 1999

Thank you Mr. Chairman. I want to thank the Chairman for holding this hearing today to address an issue that I believe is central to the future of this country's ability to remain the worldwide leader in the electronic technology industry, and that is the development and availability of data encryption technology. Encryption of sensitive electronic data is essential to our modern economy. State and national infrastructures, financial transactions, and of course, the burgeoning field of Internet commerce all depend on the ability of companies, institutions, and individuals to securely transmit electronic data. And American products are at the forefront of this industry.

But for years now, since before I first came to Capitol Hill, American manufacturers of encryption technology have been hamstrung in their effort to compete in the global market for these products by export controls that reflect a complete misunderstanding of the incredibly dynamic and fluid nature of encryption technology. We've tried for over four years to remedy that situation -- I introduced the E-Privacy bill last Congress and intend to reintroduce it shortly in this Congress -- but, unfortunately nothing has been accomplished by way of assistance to law enforcement, or to industry, or most importantly to the users of encryption in this country.

Unfortunately, a significant barrier to progress on this issue has been the Administration, which has taken an active and open position against permitting the export of encryption technology, and indeed, a fairly hostile view to the unregulated domestic use of encryption. The Administration bases its position on the grounds that robust encryption presents risks to law enforcement and national security, a view that I think will be shown to be mistaken by today's testimony. In addition, there has not always been agreement here in Congress about the need to free our technology industry from these export restrictions. I am happy to note that this appears to have changed. The Chairman's PROTECT Act, which we are here to discuss today, demonstrates that there is a growing consensus that the Administration is mistaken, and that deregulation of encryption in necessary in order for us to maintain our leadership position in this industry. I want to commend the Chairman for helping to build that consensus. I think that the PROTECT Act is a big step in the right direction on encryption -- in fact, it shares many of the same principles and provisions included in my E-Privacy bill. However, I do think that the PROTECT Act needs to go further in two ways:

First, the PROTECT Act needs to reflect the lightning fast nature of development in this industry, and institute export relief that will not make the products eligible for decontrol obsolete by the time the approval process is complete.

The Administration has long taken the route of regulating encryption exports based on the bit length of the product, with little regard to the current state of the technology. It began with permitting the export of 40-bit technology seven years ago, and only agreed last fall to increase the limit to 56 bit technology. Of course, the standard for generally available products worldwide is already 128 bit technology -- that's where the competition is -- so the [begin page 2] Administration's position is already sorely outdated. In fact, months ago I came to a meeting of this Committee with an advertisement from the Internet, which was from Seimens company in Germany advertising robust 128 bit encryption, saying that you can't get this from a U.S. manufacturer. The advertisement also indicated, however, that if you buy this you can use it in the United States and you can use it overseas as well, and, so if you want to have robust encryption buy it from Seimens. The Administration has decided to tie the hands of the U.S. encryption industry. To me that's a disaster, but it is also compounded by people beginning to develop relationships with foreign software providers as a result of the unavailability of 128 bit or robust encryption on the part of U.S. Providers.

To see the Germans eagerly promoting this potential, and to have people from my own state of Missouri say, "John, we have an office in Singapore, we have to be able to speak with them confidentially and communicate with them, and the government is making it impossible for us to send the encryption that we can use domestically. We can't send it to our office in Singapore because we are ineligible to export it." I don't want the situation to be such that I have to say, "Well, go to Seimens in Germany." From Seimens you can buy the encryption that can be sent into the United States and from Seimens in Germany it can be sent to Singapore and so you can have your cake and eat it too by dealing with a non-domestic firm. For us to have a policy which provides for the slitting of our own throats, in an technology arena, where we have held the lead and must continue to hold the lead, I think is foolhardy to say the least. If we are to mark the next century as an "American Century," or even to celebrate next week as high technology week in the Senate, we must be forward thinking and acting.

The PROTECT Act deregulates products up to 64 bits, which is a good start. The problem is that the Act delays general decontrol of 128 bit technology until 2002 -- by which time it will almost certainly be as obsolete as 56 bit encryption is today. In the interim, PROTECT permits individual exceptions for higher bit technology export, but it creates a regulatory approval board and a process that can take up to 60 days to determine whether a product is already generally available -- something that quite frankly can be determined by surfing the Internet for a little while. With all due respect, Us process is too long, which is why in the E-Privacy bill we give the Administration a one-time, 15 day review of products that are generally available before they are permitted to export them. I urge my colleagues to press our panelists on the second panel for answers on whether they can remain competitive if we wait that long.

The second area where I think the PROTECT Act can go farther is in the explicit deliniation of the rights and procedural protections of Americans in their ability to use encryption and be secure in their use of encrypted data, While the PROTECT Act clearly affirms this right, it is relatively silent on the balance of procedural protections between Americans' privacy interests and legitimate law enforcement efforts. I do not think it can afford to be silent on this issue.

The Administration and the FBI have over time indicated support for language that would mandate key recovery for all domestic encryption, and alternatively supported several suggested approaches that would make using domestic key escrow a practical -- though not legal -- [begin page 3] necessity. Director Freeh has gone so far as to mention the need for a new Fourth Amendment that considers the "realities" of the digital age. I think we need a new and improved approach to domestic encryption, not a new updated version of the Fourth Amendment. I, for one, am not eagerly awaiting the FBI's new release of Fourth Amendment 2.0 or First Amendment '98. I am, however, eager to hear what the Administration's current position is on key recovery and key escrow.

My E-Privacy bill sets out specific procedures for balancing the legitimate interests of law enforcement with the privacy rights of Americans, and I hope that any final legislation passed by the Senate would include such provisions.

Those are my two observations. Again, I think the the PROTECT Act is a strong step in the right direction toward protecting American privacy rights and American industry, but I think it can go farther. I look forward to hearing from our panelists today, and engaging them is a serious discussion of these issues. Thank you Mr. Chairman.