Senate Commerce Committee Holds Hearing on PROTECT Act
(June 11, 1999) The Senate Commerce Committee held a hearing on Thursday morning, June 10, on Sen. McCain's encryption bill, the PROTECT Act. Sen. John McCain introduced his bill on April 14. Since then, it has been opposed by administration officials, and described as not going far enough by encryption proponents, who tend to favor HR 850, the SAFE Act.
S 798, the Promote Reliable On Line Transactions to Encourage Commerce and Trade (PROTECT) Act, is sponsored by Sen. John McCain (R-AZ), the Chairman of the Senate Commerce Committee. However, Sen. McCain did not participate in the hearing. His Y2K Act was being debated on the Senate floor.
Sen. Conrad Burns (R-MT), who is a cosponsor of the PROTECT Act, chaired the hearing. Other cosponsors include Patrick Leahy (D-VT), Ron Wyden (D-OR), Spencer Abraham (R-MI), and John Kerry (D-MA).
Sen. John Kerry (D-MA), a recent convert to the pro-encryption camp, spoke in favor of the PROTECT Act at the hearing. He stated in his opening statement that he had long supported "a cautious approach." However, Sen. Kerry stated that "I have a change of mind at this point, and I want to express that. I think that it is time to reframe the debate on encryption. As time goes on and availability abroad of strong encryption products continues to grow, it becomes more and more difficult to accept that we alone can control the development of this marketplace."
He concluded: "I am open to arguments regarding whether we should expand them even further than the PROTECT Act. But, I believe that is an important first step."
Sen. John Ashcroft (R-MO), who sponsored the E-Privacy Act in the 105th Congress (S 2067), stated that he would re-introduce that bill soon. He accused the Clinton-Gore administration of having a "fairly hostile view to the unregulated domestic use of encryption." He also criticized the administration for its encryption export policies.
Sen. Ashcroft commended Sen. McCain for sponsoring the PROTECT Act. He said in his opening statement that "I think the PROTECT Act is a strong step in the right direction toward protecting American privacy rights and American industry, but I think it can go farther."
Rep. Bob Goodlatte (R-VA), who has emerged as the most active public proponent of strong encryption legislation in the 106th Congress, testified at the hearing as the lead-off witness.
What They Said
Members of Congress
Opening Statement of Sen.
Opening Statement of Sen. Kerry.
Opening Statement of Sen. Ashcroft.
Testimony of Rep. Goodlatte.
Prepared Testimony of Witnesses
Reinsch, Under Sec. of Commerce.
James Robinson, Asst. Atty. Gen., DOJ.
Barbara McNamara, Deputy Director, NSA.
Jim Bidzos, Vice Chairman, Security Dynamics.
David Aucsmith, Chief Security Architect, Intel.
Lance Hoffman, George Washington Univ.
Rep. Goodlatte stated in his prepared testimony that "I couldn't agree more with the domestic-related provisions" of the PROTECT Act, "which -- like the SAFE Act -- prevent the Administration from placing roadblocks on the information superhighway by prohibiting the government from mandating a back door into the computer systems of private citizens and businesses. Additionally, both the PROTECT Act and the SAFE Act ensure that all Americans have the right to choose any security system to protect their confidential information."
The Clinton-Gore administration, which opposes the PROTECT Act, as well as other encryption bills, sent three officials to testify: William Reinsch (Commerce Dept.), Barbara McNamara (NSA), and James Robinson (DOJ).
James Robinson stated that the administration's policy is "encouraging the use of recoverable encryption products." He recited the same buzzwords that administration officials have been citing at prior hearings, including "drug traffickers," "national security," and "images of child pornography."
The National Security Agency's Barbara McNamara, who has become a regular at Congressional hearings on encryption, once again waxed nostalgic about how the U.S. Navy cracked the Japanese naval code in World War II, and warned that encryption legislation threatens national security.
William Reinsch provided the same testimony that he has recited at countless previous Congressional hearings on encryption bills. He stated that "the administration continues to support a balanced approach," that "we have been consulting with industry," and that "the Administration opposes this legislation."
Excerpts from the PROTECT Act
Sec. 202: "No department, agency, or instrumentality of the United States ... may purchase an encryption product for its use unless the product will interoperate with other commercially-available encryption products, including products without a decryption key, access to a key, key recovery information, or any other plaintext access capability."
Sec. 103: "No department, agency, or instrumentality of the United States ... may (1) require that; (2) set standards for; (3) condition any approval on; (4) create incentives for; or (5) tie any benefit to, a requirement that, a decryption key, access to a key, key recovery information, or any other plaintext access capability be (A) required to be built into computer hardware or software for any purpose; (B) given to any other person (including a department, agency, or instrumentality of the United States or an entity in the private sector that may be certified or approved by the United States or a State) ... other than for encryption products for the use of the United States Government or a State government."
In addition, Reinsch's prepared statement obliquely addressed administration plans to compel use of recoverable encryption. He stated that Section 103 of the PROTECT Act "contains a provision that would prohibit the U.S. government from conditioning any approval on the fact that a product is recoverable."
He added that "One such provision in Section 202 requires that encryption products used by the Government must interoperate with other encryption products... Section 202 also appears to prevent mandatory use of recoverable encryption when communicating with the U.S. Federal, state, and local governments. This would appear to preclude an agency from requiring key recovery or recoverable products ... "
Rep. Goodlatte described the Administration's views on these domestic use sections in his prepared testimony. "Amazingly enough, the Administration wants to mandate a back door into people's computer systems in order to access their private communications. In fact, the Administration has stated that if people do not 'voluntarily' create this back door, it may seek legislation forcing them to give the government access to their information, by mandating a 'key recovery' system requiring people to give the keys to decode their communications to a government-approved third party. This is the technological equivalent of mandating that the government be given a key to every home in America."
Unlike encryption proponents at some recent House hearings, the members of the Senate Commerce Committee, with the exception of Sen. Ashcroft, did not take a confrontational approach with the administration representatives.
Sen. Burns stated that "I want to make it pretty clear that we should be, as policy makers, giving our security people the funds and resources, that their technology can stay maybe a quarter step ahead of the technology that is generally accepted around the world. I think there we have fallen down a little bit. But, I think that our security people can do the job that they are paid to do, and do a great job of it. But we have got to give them the funds ..."
He asked only one question of the administration witnesses. He asked the NSA's McNamara, "Why is it that we have not been very successful in our negotiations with other countries to come up with some kind of international policy with regard to use of, or the export of, robust encryption?" She responded, "I think we have had success, Mr. Chairman." She continued with a discussion of the Wassenaar Arrangement.
Sen. Ashcroft asked Reinsch if "128 bit encryption is widely available and widely used today." Reinsch responded: "No. I would say that it is available. Whether it is widely available today is a judgment call. If it is not widely available today, it will be soon. It is becoming the state of the art if you will." He also stated: "Whether it is widely used or not is a more complicated question."
Sen. Ashcroft then asked Reinsch: "It is only illegal to export the encryption. It is not illegal to import the encryption?" Reinsch responded: "That is correct. There are no restraints on domestic use, or on imports." Sen. Ashcroft then asked if it were legal for terrorists to import German-produced encryption into the United States. Reinsch said: "Yes, there is no -- it was never the intent of our policy to deal with them."
Sen. Ashcroft condemned this policy. "Well, it seems to me that that is the threat that you keep saying that we are avoiding by having this policy. Yet you just described that it is not our intent to stop that threat with our policy. And, to use that as the basis for not allowing our companies to compete, at a time when you say we don't care if other companies compete in that way, gets to the heart of what confounds me about our policy here."
He continued: "We have basically said that every other country that wants to, can go ahead and do this, in the world. And terrorists can use it, and have complete access to the utilization of this encrypted, for all the bad reasons. But, American firms can't be involved in export. That is where the disconnect comes with this Senator."
Excerpt from the PROTECT Act
Sec. 102. "... it is lawful for any person within any State, and for any United States person in a foreign country, to develop, manufacture, sell, distribute, import, or use any encryption product, regardless of the encryption algorithm selected, encryption length chosen, existence of key recovery, or other plaintext access capability, or implementation or medium used."
"You said that Section 102 provides an incentive to move the development of encryption offshore," said Sen. Ashcroft. "It seems to me that we have just described the administration's policy as a monumental incentive to move encryption offshore, because we have indicated that offshore produced encryption can be used both to send and receive any robust encrypted material from the United States."
Both Reinsch and McNamara responded to Sen. Ashcroft's criticism. Reinsch stated: "This is not a policy, and perhaps there is no policy, that is going to be very tight with respect to our ability to prevent the kinds of people who side with terrorists, in your example, from obtaining and using robust encryption. We don't believe that we can deal with every situation. The goal of our policy is to try to promote use in the marketplace of products that are law enforcement and national security friendly, recognizing that a determined, committed terrorist who wants to use encryption can find ways around such a policy. But we believe by making, if we can, by, through market forces, the market standard, if you will, products that are more friendly to the interests of my two colleagues."
McNamara also responded. "The fact that one terrorist is using strong encryption, that they either bought in the U.S. [or Europe] is not what we are concerned about. On an individual basis, the U.S. government, I believe, is smart enough to figure a way to solve that particular problem foreign threat, that particular problem. What we are talking about here is the issue of putting in place legislation which would allow ubiquitous use of encryption," said McNamara. "We can always solve an individual problem with an individual solution. But the subject of ubiquitous encryption has a dramatic impact on our ability to do our national security duties."
Finally, the Commerce Committee heard from an industry panel. David Aucsmith, Chief Security Architect for Intel Corporation, stated that, "Given the breathtaking pace at which information technology is developing around the globe, the only way to sustain America's competitive edge is to adopt policies that will let American industry maintain leadership in the area of information technology."
Mr. Aucsmith, who also appeared on behalf of the Business Software Alliance, said that, "We urge the Committee to pass the PROTECT Act with further amendments that would make the bill more fully comport with technological and market realities."
He concluded that "the Act still does not grant widespread exportability for mass market and publicly available encryption products."
The Committee also heard testimony from Jim Bidzos, Vice Chair of Security Dynamics, which is the parent company of RSA Data Security. "The PROTECT Act is an improvement over current Administration policy," said Mr. Bidzos, but, it "should be further improved." He was also representing Americans for Computer Privacy at the hearing.
"ACP commends Sen. McCain for introducing the PROTECT Act," he continued. "However, the legislation could be improved by further lifting current export restrictions."
The Committee also heard from Professor Lance Hoffman, Director of the Cyberspace Policy Institute at George Washington University. He testified regarding a study he conducted that shows the widespread availability of strong encryption products around the world.
The members of the Commerce Committee who participated in the hearing included John Ashcroft (R-MO), Conrad Burns (R-MT), Max Cleland (D-GA), Byron Dorgan (D-ND), Bill Frist (R-TN), Slade Gorton (R-WA), and Olympia Snowe (R-ME).