PREPARED STATEMENT OF
SENATOR ORRIN G. HATCH
U.S. SENATE
BEFORE THE SENATE JUDICIARY COMMITTEE
HEARING ON ENCRYPTION, KEY RECOVERY, AND
PRIVACY PROTECTION IN THE INFORMATION AGEJuly 9, 1997
Although encryption has historically been a technology reserved for national security and military applications, the explosive growth of both electronic communications and stored data has enhanced the need to develop means to protect business, governmental, and individual communications and information from improper access and use. A direct deterrent to economic espionage, consumer or commercial theft or fraud, or improper eavesdropping of private information or communications, is the encryption of such information. By employing mathematical algorithms, which convert electronic information into meaningless text, encryption prevents anyone other than a keyholder, who has the algorithm necessary to unscramble or decrypt this information, from gaining access to the information. The importance of meaningful legislation in this area cannot be understated. Consider for instance that consumer confidence in a secure network is deemed essential to the development of such things as on line commerce, which is projected to grow from last year's $500 million to as much as $12 billion by the year 2000.1 The difficulty in evaluating a meaningful encryption policy is that, while its employment does protect the privacy of legitimate business and personal interests, it can also be used for the opposite effect, namely, by criminals to hide their communications and operations from the lawful, court ordered access. Such illicit use presents a direct threat not just to law enforcement and national security interests.Balanced against these concerns, the advent of the Global Information Infrastructure (GII) and its applications has heightened the need for information privacy. Such concerns have resulted in a dramatic increase in demand by consumers for security in their electronic communications and stored data. In an effort to address this need, as it has in virtually all other areas in computer software and hardware development, United States industry has stepped up to the plate and become the world's leader in the research and development of commercial encryption. A 1996 report of the U.S. National Research Council entitled, Cryptography's Role in Securing the Information Society, confirms the need for robust commercial encryption wherein it concludes that without strong cryptography to provide security for the GII, U.S. national and economic security will be at risk.
Today, Americans throughout this nation enjoy the ability to use, and industry is free to market, commercial encryption of any strength domestically without restriction. The focus of Congressional debate is the export and dissemination of United States encryption products abroad and the development of key recovery features that allow law enforcement access to encrypted communications under appropriate circumstances. The export control issue has been the focus of serious debate both in government and the public domain centered primarily on the viability of linking a relaxation of such controls to a key recovery requirement. In the Congress this debate has closely examined the propriety of such relaxation and why it is or isn't important to link these controls to key recovery, without examining the subject of key recovery itself.
On such an important National Security and business issue, one would expect the executive branch to lead. Unfortunately, the Clinton Administration has been all over the map, floating policy options which range from maintaining the status quo, to carving out new exceptions for financial institutions software. The administration now appears to be abandoning attempts to directly link key recovery to export controls. Instead, an effort has been initiated to tie key recovery to "certificate authorities" which are entities responsible for authenticating digital or electronic signatures. The need for such authorities are recognized as indispensable to the integrity and development of electronic commerce. Such effort to develop a meaningful key recovery infrastructure which allows access under appropriate circumstances to law enforcement and national security is embodied in S.909, introduced by Senators McCain and Kerrey and reported out of the commerce committee just last week.
The concept of key recovery at first blush appears rather simple. Like giving an extra set of house keys to your neighbor, it is simply a means of allowing access to decryption information should the need arise. Considerable controversy arises, however, as to whether the development of such a system will create an inherent vulnerability into the security of the GII. Nonetheless, there appears to be little dispute that the development of some form of key recovery is inevitable. What is not at all clear and serves as a primary basis for this hearing is whether our national encryption policy should be based upon a government mandated or controlled key recovery scheme, whether the government should remove itself from this debate and allow for a purely market driven development of key recovery, or whether there exists a true middle ground whereby government and industry can work together in a manner that strikes a reasonable compromise between these competing interests.
Congress is now acting as a broker for these competing interests. This committee must serve as a forum for open debate in this area, and to work in a bi-partisan fashion to devise meaningful legislation which attempts to promote the interests of American business while working to protect the legitimate concerns of law enforcement and national security.
In closing, it appears that the development of a global key recovery framework is a necessary and inevitable development in the best interests of not only law enforcement, but international commerce as well. While encouraging the implementation of such an infrastructure, it is our responsibility to ensure that U.S. business remains competitive in this increasingly world wide market. Should this Congress fail to take action on this issue, I am fearful that the end result will be U.S. Companies moving production off-shore and foreign business interests engaging in greater proliferation of robust encryption in an effort to wrestle control of the international hardware and software markets from United States business.
The end result of either of these developments is a greater proliferation of encryption abroad posing a direct threat to our national security as well as both domestic and international law enforcement. Today we are pleased to have on our first panel two individuals who have worked tirelessly to bring about a meaningful resolution to the encryption debate, FBI Director Louis Freeh, and William Crowell, Deputy Director of the National Security Agency.
I look forward to both of your testimony.
1 U.S. News & World Report, Exposed Online, p.60 (June 23, 1997)