Prepared testimony of Robert Litt before the House Commerce Committee's Subcommittee on Telecommunications, Trade and Consumer Protection.
Date: September 4, 1997.

Source: Department of Justice.

SUMMARY OF TESTIMONY OF ROBERT S. LITT,
DEPUTY ASSISTANT ATTORNEY GENERAL,
CONCERNING ENCRYPTION AND H.R. 695, BEFORE THE
SUBCOMMITTEE ON TELECOMMUNICATIONS, TRADE AND CONSUMER PROTECTION, OBR THE HOUSE COMMERCE COMMITTEE

SEPTEMBER 4, 1997

The nation's policy on encryption must carefully balance important competing interests. The Department of Justice has a vital stake in the country's encryption policy because encryption may be used not only to protect lawful data against unauthorized intruders, it may also be used to conceal illegitimate materials from law enforcement. While we support the spread of strong encryption, we believe that the widespread dissemination of unbreakable encryption without any accommodation for law enforcement access is a serious threat to public safety and to the integrity of America's commercial infrastructure.

Public safety and national security must be protected against the threats posed by terrorists, organized crime, foreign intelligence agents, and others. If unbreakable encryption proliferates without accommodations for law enforcement, critical law enforcement tools, including wiretapping and execution of search warrants, would be nullified, and the potential harm to public safety could be devastating. U.S. law enforcement and intelligence agencies do not possess and cannot obtain the resources necessary to decrypt large numbers of encrypted communications and stored data. Our experiences demonstrate that this concern is not theoretical and not exaggerated.

Our goal is to encourage the use of strong encryption to protect privacy and commerce, but in a way that preserves (without extending) law enforcement's ability to protect public safety and national security. Accordingly, the Administration has promoted the manufacture and use of key recovery products, aided the development of a global key management infrastructure ("KMI"), and liberalized United States restrictions on the export of robust cryptographic products. We anticipate that market forces will make key recovery products a de facto industry standard and thus preserve the balance of privacy and public safety that our Constitution embodies.

Because of its support for key recovery, the Department of Justice cannot support H.R. 695 as it is presently drafted. The bill would discourage the development of a KMI. The bill would also eliminate all export controls on strong encryption and thus would undermine public safety and national security by encouraging the proliferation of unbreakable encryption. We believe it would be unwise simply to lift export controls on encryption for the sake of uncertain commercial benefits. This action would be particularly imprudent when there is the possibility of balancing individual privacy, public safety, and commercial needs through global adoption of a key recovery system. As we have learned through extensive international discussions in the last year, a consensus is now emerging throughout much of the world that the most suitable approach is the use of a "key recovery" or "trusted third party" system.

We look forward to working with this Subcommittee as we continue to develop and implement the Administration's approach.

TESTIMONY OF ROBERT S. LITT
DEPUTY ASSISTANT ATTORNEY GENERAL
CONCERNING ENCRYPTION AND H.R. 695
BEFORE THE SUBCOMMITTEE ON TELECOMMUNICATIONS,
TRADE, AND CONSUMER PROTECTION
OF THE HOUSE COMMERCE COMMITTEE

SEPTEMBER 4, 1997

Thank you, Mr. Chairman and members of the Subcommittee, for providing me this opportunity to discuss with you the important and complex issue of encryption. The Nation's policy on this issue must carefully balance important competing interests, and it is essential for all interested parties to recognize the validity and importance of all of these interests. The Department of Justice, whose interests I represent, has a vital stake in the country's encryption policy. Encryption will provide all of us the ability to protect lawful data against unauthorized intruders. But encryption can also be used to conceal criminal activity from law enforcement. Although the Department of Justice does not support H.R. 695 in its present form, we look forward to continuing the productive discussions we have had with Congress on this issue, with the goal of arriving at a policy that accommodates all of these interests.

In recent years, the issue of encryption has been vociferously debated in the United States. Having participated actively in these discussions, the Department of Justice believes today, as strongly as ever, that the widespread dissemination of unbreakable encryption without any accommodation for law enforcement access is a serious threat to public safety and to the integrity of America's commercial infrastructure. Our recent experiences only buttress this conclusion.

For example, just last week, in San Francisco, a man named Carlos Salgado, Jr. pleaded guilty to federal computer fraud and stolen credit card trafficking charges for crimes that he tried to obscure from law enforcement by his use of unbreakable encryption. Specifically, Salgado had stolen over 80,000 credit card numbers and intended to sell them for criminal purposes. These credit card accounts had a combined credit limit (and a potential loss to the 1,214 issuing financial institutions) of about one billion dollars. Salgado explicitly insisted on encrypting the stolen credit card numbers before delivering them on a CD-ROM to his purchaser. We were lucky in this case, because Salgado's purchaser was cooperating with the FBI. But if we had discovered this case another way, law enforcement could not have penetrated the information on Salgado's CD-ROM. Crimes like this one have serious implications for law enforcement's ability to protect commercial data as well as personal privacy.

Let me be clear: The Department of Justice supports the spread of strong encryption. Law enforcement's responsibilities and concerns include protecting privacy and promoting commerce over our nation's communications networks. For example, we prosecute under existing laws those who violate the privacy of others by illegal eavesdropping, hacking or theft of confidential information. Indeed, last year the Administration sought, and Congress passed, the National Information Infrastructure Protection Act of 1996, to provide further protection to the confidentiality of stored data. And we help promote commerce by enforcing the laws, including those that protect intellectual property rights, and that combat computer and communications fraud. (In particular, we help to protect the confidentiality of business data through enforcement of the recently enacted Economic Espionage Act.) Our support for robust encryption is a natural outgrowth of our commitment to protecting privacy for personal and commercial interests.

But the Department of Justice protects more than just privacy. We also protect public safety and national security against the threats posed by terrorists, organized crime, foreign intelligence agents, and others. Moreover, we have the responsibility to prosecute serious crime when it does occur. We are gravely concerned that the proliferation and use of unbreakable encryption would seriously undermine these duties to protect the American people, even while we favor the spread of strong encryption products that permit timely and legal law enforcement access and decryption.

The most easily understood example is electronic surveillance. Courtauthorized wiretaps have proven to be one of the most successful law enforcement tools in preventing and prosecuting serious crimes, including drug trafficking and terrorism. We have used legal wiretaps to bring down entire narcotics trafficking organizations, to rescue young children kidnapped and held hostage, and to assist in a variety of matters affecting our national security. In addition, as society becomes more dependent on computers, evidence of crimes is increasingly found in stored computer data, which can be searched and seized pursuant to courtauthorized warrants.

But if unbreakable encryption proliferates, these critical law enforcement tools would be nullified. Thus, for example, even if the government satisfies the rigorous legal and procedural requirements for obtaining a wiretap order, the wiretap would be worthless if the intercepted communications of the targeted criminals amount to an unintelligible jumble of noises or symbols. Or we might legally seize the computer of a terrorist and be unable to read the data identifying his or her targets, plans and co-conspirators. The potential harm to law enforcement and to the nation's domestic security could be devastating.

I want to emphasize that this concern is not theoretical, nor is it exaggerated. Although use of encryption is only in its infancy, we have already begun to encounter its harmful effects in recent investigations, in addition to the Salgado case described above.

• In the Aldrich Ames spy case, Soviet intelligence operatives directed Ames to encrypt computer files that he transmitted to them.
• Ramzi Yousef, recently convicted of conspiring to blow up 10 U.S.owned airliners in Asia, and his coconspirators apparently stored information about their terrorist plot in an encrypted computer file. (Yousef is also one of the alleged masterminds of the World Trade Center bombing.)
• One of the subjects in a child pornography case encrypted pornographic images of children before sending the pictures out on the Internet.
• The subject of a major international drugtrafficking case used a telephone encryption device to seriously reduce the effectiveness of a court-ordered wiretap.
• In several major hacker cases, the subjects have encrypted computer files, thereby concealing evidence of serious crimes. In one such case, the government was unable to determine the full scope of the hacker's activity because of the use of encryption.

These are just a few examples of recent cases involving encryption. As encryption proliferates and becomes an ordinary component of mass market items, and as the strength of encryption products increases, the threat to public safety will increase proportionately. It is for this reason that the Attorney General and the leaders of many law enforcement organizations have written to the Congress urging them to support an encryption bill that preserves law enforcement's abilities to protect the public safety and our national security. I have attached a copy of that letter to my statement and would ask that it be made a part of the record.

Some have argued that people have a right to absolute immunity from governmental intrusion, regardless of the costs to public order and safety, and that any new technology that enhances absolute privacy should go unrestricted. But the Founding Fathers recognized that an absolute right to privacy was incompatible with an ordered society, and so our Nation has never recognized such an absolute right. Rather, the Fourth Amendment strikes a careful balance between an individual's right to privacy and society's need, on appropriate occasions, to intrude into that privacy. Our government has always been permitted to invade a person's privacy, for example by searching for and seizing personal communications and papers, when it is necessary to prevent, solve, and prosecute crimes, but, for the most part, we allow this only when the government demonstrates "probable cause" and obtains a warrant from the court.

Unbreakable encryption would upset our delicate constitutional balance, which is one of the bedrock principles of our legal system, by effectively nullifying a court's issuance of a search warrant or wiretap order. The notion that advances in technology should dictate public policy is backwards. Technology should serve society, not rule it. Technology should promote public safety, not defeat it.

Others claim that the fears of law enforcement are overstated. They argue that U.S. law enforcement and intelligence agencies can be given the resources necessary to decrypt encrypted communications. Essentially, they argue that expensive, fast computers can be used to decipher encrypted communications by "brute force" which essentially means trying every possible "key" (a sequence of symbols that determines the transformation from plain text to ciphertext, and vice versa) until the right one is found. They point to one highly publicized success of a group that deciphered a message encrypted with a 56bit key and argue that law enforcement can surely do the same.

Yet that example underscores the problems that accompany a "brute force" approach. The successful group actually used over 14,000 computers and took over four months -- over ten million hours of computer time -- to decrypt one single message. That's really not practical for law enforcement if, for example, we're trying to prevent a terrorist attack or find a kidnap victim. And I hope you understand that law enforcement does not have the resources to better that result in any meaningful way. Significantly, the time needed to decrypt a message rises exponentially as the length of the encryption key increases. If the message had been encrypted with a 64-bit key, it would take 10,000 Pentium computers on average 58 years to crack a single message.

And a new message would require law enforcement to start again from scratch because each message may be encrypted with a different key. During 1995, for example, federal and state courts authorized more than a thousand electronic surveillance court orders, resulting in over two million intercepted communications, each of which could require separate decryption. Given such numbers, brute force attacks are not a feasible solution. This commitment of time and resources is unavailable for every wiretap and every search and seizure executed at federal, state, and local levels.

Additionally, law enforcement agencies at the federal, state, and local level are finding that searches in routine, nonwiretap cases now commonly result in the seizure of electronically stored information. Because storage devices have increased in capacity and decreased in price, the quantity of data seized in "ordinary" cases continues to increase dramatically. If all of these communications and stored files were DESencrypted, brute force attacks would not provide a meaningful and timely solution. Thus, even if tens of thousands of computers were obtained and coordinated (an expensive undertaking, to say the least), the approximately 17,000 federal, state, and local law enforcement agencies could not be given timely access to the evidence we need to prevent and solve crimes.

Finally, many proponents of strong encryption advocate its proliferation precisely because it cannot be decrypted by the government. Thus, even if the government could acquire the ability to quickly decrypt DESencrypted communications and information, many of the advocates of absolute privacy would push for even greater key lengths, on the ground that 56bit DES no longer provided acceptable security. But greater key lengths would, of course, increase the difficulty and cost of decrypting encrypted data even more. We must recognize that it will always be easier and cheaper to devise stronger cryptographic methods than to build computers powerful enough to break them in a reasonable period of time.

Our goal, then, is to encourage the use of strong encryption to protect privacy and commerce, but in a way that preserves law enforcement's ability to protect public safety and national security against terrorism and other criminal threats. We have engaged in extensive international discussions on this topic over the last two years, and a consensus is now emerging throughout much of the world that the way to achieve this balance is through the use of a "key recovery" or "trusted third party" system. Under this system, a key for a given encryption product would be deposited with a trusted third party or "recovery" agent. (Some entities, such as large corporations, might be able to hold their own keys, provided that certain procedural protections were established to preserve the integrity of a law enforcement investigation.) If the government had lawful authority to obtain the encrypted information, for example by a search warrant or a courtordered wiretap, it could likewise obtain the key from the recovery agent in order to decrypt the information it was entitled to get.

I want to emphasize particularly, because our position has often been misrepresented, that a key recovery system would create no new authority to obtain data, to examine personal records, or to eavesdrop. Access to encrypted data could be obtained only as part of a legally authorized investigation, and under the same circumstances that today would authorize access to unencrypted data. The same constitutional and statutory protections that preserve every American's privacy interests today would prevent unauthorized intrusions in a key recovery regime. All we would be doing would be preserving law enforcement's ability to do what it is legally and constitutionally entitled to do today. At the same time, though, individuals and companies would gain the benefit of strong cryptography to protect the confidentiality of their data, whether in storage or in transmission.

Effective law enforcement is not, however, the only reason to support a key recovery system. Business, as well, needs a routinely available method of recovering encrypted information. For example, a company might find that one of its employees had encrypted confidential information in the company's files and then absconded with the key, or just lost it. Without a key recovery system, the company would be out of luck. Key recovery thus serves important private interests as well.

In short, key recovery holds great promise for providing the security and confidentiality that businesses and individuals want and need, while preserving the government's ability to protect public safety and national security. Thus, Administration policy is to promote the manufacture and use of key recovery products, to develop a global key management infrastructure ("KMI"), and to liberalize United States restrictions on the export of robust cryptographic products in the hope that market forces will make such products a de facto industry standard.

For many months, we also have been engaged in serious discussions on this subject with foreign governments, which are now anxious to join us in developing international standards to address this issue on a global scale. In fact, an experts working group of the Organization for Economic Cooperation and Development has issued a statement of principles that acknowledges the need to consider public safety when establishing national cryptographic policies. We believe that key recovery encryption will become the worldwide standard for users of the GII. The United States can be a leader in this process.

If key recovery encryption does become the worldwide standard, U.S. businesses will be able to compete abroad effectively, retaining and even expanding their market share. At the same time, law enforcement agencies will have a legally authorized means of decrypting encoded data. This approach would therefore effectively serve the interests of all Americans.

The argument is sometimes made that key recovery encryption is not the solution, because criminals will simply use nonkey recovery encryption to communicate among themselves and to hide evidence of their crimes. But we believe that if our companies develop and market strong key recovery encryption products that will not interoperate with nonkey recovery products and a global KMI arises, key recovery products will become the worldwide standard. Under those circumstances, many criminals will use key recovery products, because products will be easily available from the mass market. And even criminals need to communicate with legitimate organizations such as banks, both nationally and internationally.

The cornerstone of our policy is encouraging the development of key recovery products and a KMI to preserve the balance of privacy and law enforcement that our Constitution embodies. For this reason we cannot support H.R. 695 as it is presently drafted. We believe that the bill would discourage the development of a key management infrastructure. Moreover, we believe that the central provision of the bill, Section 3 which would effectively eliminate all export controls on strong encryption would undermine public safety and national security by encouraging the proliferation of unbreakable encryption.

The first problem that we see with H.R. 695 is its failure to promote development of a key management infrastructure. The Administration believes that the development of a key management infrastructure is critically important for a safe society. H.R. 695 prohibits laws that would require a keyholder to relinquish keys to third parties under certain circumstances. Unfortunately, to the extent that this provision would actually prohibit government from encouraging KMI development, the provision would put public safety and national security at risk and is inadvisable. For example, it might preclude the United States government from utilizing useful and appropriate incentives to use key recovery. The government might not be able to require its own contractors to use key recovery or demand its use in the legally required storage of records regarding such matters as sales of controlled substances or firearms.

We also believe that export controls continue to play an important role in the Administration policy of promoting development of the KMI. We have heard, of course, the argument that the "genie is already out of the bottle" that unbreakable cryptography is already widely available overseas and over the Internet, that its dissemination cannot be halted, and that regulation serves only to handicap U.S. manufacturers seeking to sell their encryption products overseas. We disagree vigorously for a number of important reasons that I would like to explain to you today.

First of all, in recognition of the legitimate interests of U.S. software manufacturers, the Administration, as this Subcommittee is of course aware, has considerably liberalized export controls for certain commercial encryption products. The Administration transferred jurisdiction over commercial encryption products from the Department of State to the Department of Commerce at the end of December, a step that we expect will ease the burden on industry by providing for faster and more transparent decisions on applications for export licenses.

Most significantly, we have allowed unlimited export of key recovery products as well as export of nonkey recovery 56bit encryption during a twoyear transitional period by those companies that commit to the development of key recovery products. This willingness to permit unlimited export of products that incorporate key recovery clearly demonstrates that the Administration is in favor of the spread of strong encryption products, as long as they have accommodations for law enforcement access.

Second, although unbreakable encryption products can be found overseas, these products are not ubiquitous, in part because the export of strong cryptography is controlled today by both the U.S. and other countries. It is worth noting in this regard that export of encryption over the Internet, like any other means of export, is restricted under U.S. law. Although it is difficult to completely prevent encryption products from being sent abroad over the Internet, we believe that the present legal restrictions have significantly limited the use of the Internet as a means of evading export controls.

Third, the products that are available overseas are not widely used because there is not yet an infrastructure to support the distribution of keys among users and to provide interoperability among the different products. Such an infrastructure will have to be created in order to realize the full benefits of encryption, and we should strive to ensure that it is created in a way that preserves public safety.

Fourth, the quality of encryption products offered abroad varies greatly, with some encryption products not providing the level of protection advertised.

Finally, the vast majority of businesses and individuals with a serious need for strong encryption do not and will not rely on encryption downloaded from the Internet from untested sources, but prefer to deal with known and reliable suppliers. For these reasons, export controls continue to serve an important function.

It is also important to consider that our allies strongly concur that unrestricted export of encryption would severely hamper law enforcement objectives. Indeed, when the U.S. let it be known at a December 1995 meeting of the OECD that it was considering allowing the export of some stronger, nonrecoverable encryption, many of our allies expressed dismay at the prospect of such an action. They feared that unbreakable encryption would become so internationally pervasive that criminal organizations and terrorists would be able to use it freely. It follows that the elimination of U.S. export controls, as provided by H.R. 695, would have an even more devastating impact on international law enforcement. It would be a terrible irony if this government which prides itself on its leadership in fighting international crime were to enact a law that would jeopardize public safety and weaken law enforcement agencies worldwide.

In addition, it would be a mistake to assume that if the U.S. were to lift export controls, U.S. companies would have unrestricted access to foreign markets. This assumption ignores the likely reaction of foreign governments to the elimination of U.S. export controls. Up to now, most other countries have not needed to restrict imports or the domestic use of encryption, largely because export controls in the U.S. the world leader in computer technology and other countries have made such restrictions unnecessary. But given other countries' legitimate concerns about the potential worldwide proliferation of unbreakable cryptography, we believe that many of those countries would respond to any lifting of U.S. export controls by imposing import controls, or by restricting use of strong encryption by their citizens. For example, the import and domestic manufacture, sale and use of encryption products have already been restricted in France, Russia and Israel. And the European Union is moving towards the adoption of a keyrecoverybased key management infrastructure similar to that proposed by the Administration. In the long run, then, U.S. companies might not be any better off if U.S. export controls were lifted, but we would have undermined our leadership role in fighting international crime and damaged our own national security interests in the meantime.

In light of these factors, we believe it would be profoundly unwise simply to lift export controls on encryption. The ability of law enforcement to protect of national security, personal privacy, and sensitive commercial data should not be sacrificed for the sake of uncertain commercial benefits, especially when there is the possibility of satisfying both security and commercial needs simultaneously through global adoption of a key recovery system.

We as government leaders should embark upon the course of action that best preserves the balance long ago set by the Framers of the Constitution, preserving both individual privacy and society's interest in effective law enforcement. We should promote encryption products which contain robust cryptography but that also provide for timely and legal law enforcement access and decryption. This is the Administration's policy. We look forward to working with this Subcommittee as we continue to develop and implement our approach.

I would now be pleased to answer any questions you may have.