Testimony to the U.S. Senate by
Barbara Simons
Chair, U.S. Public Policy Committee of the
Association for Computing Machinery
Washington, D.C.
http://www.acm.org/usacm/
Before the Subcommittee on Science, Technology and Space
Senate Commerce, Science, and Transportation Committee
Regarding S.1726, the "Promotion of Commerce
On-Line in the Digital Era (Pro-CODE) Act."
26 June 1996
Mr. Chairman and members of the Committee, I appreciate the opportunity to appear before you today and present testimony on this very timely and important legislation.
INTRODUCTION
I speak today on behalf of the USACM, the Association for Computing Machinery's Committee on Public Policy. ACM, founded in 1947, is an international non-profit educational and scientific society dedicated to the development and use of information technology, and to addressing the impact information technology has on the world's major social challenges. The Association's activities include the publication of scholarly journals and the sponsorship of special interest groups (SIGs) in numerous disciplines. The 70,000 ACM members who reside in the U.S. are academic, professional, scientific, and ordinary users of telecommunications technology and have a strong interest in the development of sound encryption policies.
USACM, which I chair, is particularly interested in policy and social issues involving network policy, including encryption, privacy, access, and education. The USACM was created by ACM to provide a means for promoting dialogue on technology policy issues with U.S. policy makers and the general public. The USACM responds to requests for information and technical expertise from U.S. government agencies and departments, seeks to influence relevant U.S. government policies on behalf of the computing community and the public, and provides information to ACM on relevant U.S. government activities. The USACM also identifies significant technical and public policy issues and brings them to the attention of the general public.
We also provide a World-Wide-Web site located at http://info.acm.org/usacm/ to educate our members and the public on information technology issues. At the site, we make available government documents, reports, policy statements, and links to other science policy resources. The site includes information on encryption policy.
The USACM has been involved with the cryptography issue since its inception. In fact, our first major undertaking was a report conceived as a response to the White House announcement of the Escrowed Encryption Initiative commonly called "Clipper." I have brought with me copies of the June 1994 USACM study entitled "Codes, Keys, and Conflicts: Issues in U.S. Crypto Policy". It discusses the development of a communications security policy which respects the need for confidentiality, integrity, and authenticity of data and still protects the interests of national security agencies. A balanced panel of computer scientists, security professionals, law enforcement officials, and civil liberties activists discussed issues including export controls, digital signatures, key escrow, and interoperability, as well as the Escrowed Encryption Standard. The in-depth report has been widely distributed in hard copy and to users of the Internet around the world. (http://info.acm.org/reports/acm_crypto_study.html).
I'd like to request that the USACM report be entered into the hearing record.
As a starting point, the USACM has long encouraged open, informed debate on matters of technology policy. In its conclusion, the "Codes, Keys, and Conflicts" report states that the issues we face in response to the technical problems of communications security and cryptography "deserve careful and thoughtful public debate." In that light, I would like to discuss first the principles the USACM believes are of paramount importance in cryptography policy making, and then specifically address the provisions of the "Promotion of Commerce On-Line in the Digital Era (Pro-CODE) Act".
PRINCIPLES FOR POLICY MAKING
Encryption technologies have become widely available to individuals and businesses, affording computer users a level of security formerly available to only military, national security, and law enforcement agencies. The USACM believes that strong encryption tools are needed to support worldwide business operations, to maintain U.S. dominance in the information technologies, and to protect the rights of citizens to private conversations.
First, the USACM supports the development of public policies and technical standards for communications technologies only when they are conducted in an open forum in which all stakeholders may participate.
We agree with the recent findings of the National Research Council report "Cryptography's Role in Securing the Information Society" that the debate on cryptography policy should occur without reference to classified information and secret processes. The rejection of the prosaic "if you only knew what we knew" was one of the prime principles of the NRC study. We agree that educated, open, balanced debate may ensue without reference to classified materials.
Not only is it imperative that we hold these debates in public forums and with unclassified sources, but we must also educate the public on the issue so that they may participate as well. The USACM made the "Codes, Keys, and Conflicts" report available on the Internet so that it could be used as an educational tool by those unfamiliar with cryptography issues. We applaud your efforts, those of other sponsors of the legislation and the members of this Committee who not only introduced the Pro-CODE legislation and organized this hearing, but who also have spoken before a number of organizations, educating them on the importance of relaxing export controls on cryptography.
Second, the USACM believes that the U.S. should not adopt any encryption policies which place U.S. companies at a competitive disadvantage in the global market.
To assure continued U.S. leadership in this important hi-tech sector, we believe it is critical for encryption policies to reflect the needs of the global market. The international demand for products which incorporate strong cryptographic tools is growing. Such products are widely available and produced by a number of nations. However, export regulations impose a de facto ban on the production of U.S. products that could meet this growing demand.
Many corporations are unwilling to manufacture the same product with differing key-length standards for national and international distribution. The report, "A Study of the International Market For Computer Software with Encryption," prepared by the U.S. Department of Commerce and the National Security Agency for the Interagency Working Group on Encryption and Telecommunications Policy reported that small "security-specific" software firms who limited their high security products to domestic buyers observed "a high level of foreign interest in purchasing their products." However because their "small size limited their ability to develop two versions of their products," and because the "security purposes [of the software] specifically requires them to incorporate strong encryption" they were unable to sell to the foreign buyers.
Finally, American companies are also losing ground in hardware computer products. Designs which incorporate the use of cryptography into the hardware platform are prevented from reaching the production stage until the policy debate is concluded. In the competitive and rapidly evolving technology industry, such delays can effectively kill innovation and product development.
Third, the USACM supports the use of encryption for privacy protection and encourages the development of technologies and institutional practices that will provide real privacy for the future users of the NII.
The USACM report emphasizes the need for a communications security policy that respects the need for confidentiality, integrity, and authenticity of data and that still protects the interests of national security agencies. The conflicting opinions of government agents (who believe escrowed encryption policies will result in widespread cryptography availability and thus greater privacy of data communications) and civil liberties activists (who argue that handing escrowed keys to the government eliminates all privacy for the citizenry) are contrasted.
We believe this conflict must be resolved in a manner that protects the privacy rights of Internet users. We support the efforts of the Subcommittee and other organizations that have held open debates on the privacy issue at which all interested parties are represented. The potential of the Global Information Infrastructure will not be realized until strong encryption tools are in place to ensure confidence in the privacy of the electronic transmission.
Fourth, the USACM remains opposed to the Clipper Chip proposal and urges the Administration to begin an open and public review of encryption policy.
The escrowed encryption initiative (EEI) and mandatory key escrow (MKE) raise vital issues of privacy, law enforcement, competitiveness, and scientific innovation that must be openly discussed. We also urge the administration to refrain from promoting any key escrow standard in international organizations until and if such policies are supported in the United States.
PRO-CODE LEGISLATION
The USACM strongly supports the "Promotion of Commerce On-Line in the Digital Era (Pro-CODE) Act" (S. 1726). The removal of export controls on cryptographic products and the placement of export control authority in the Commerce Department (rather than the State Department and the National Security Agency) will ensure the United States' prominence as the primary manufacturer of high-technology software and hardware. The prohibition on mandatory key escrow and restrictions on the Department of Commerce's ability to impose government-mandated encryption standards will also establish United States leadership in protecting the privacy rights of its citizens. We applaud the efforts of Senator Burns and the Subcommittee for tackling all these issues in one piece of legislation.
Removal of Export Controls
Current restrictions on the export of encryption technology harm the interests of the United States in three ways: they handicap American producers of software & hardware, they prevent the development of a secure information infrastructure, and they limit the ability of Americans using new on-line services to protect their privacy.
The Availability of Foreign-Made Cryptographic Systems
The software industry remains one of our country's most profitable and dominating industries. The U.S. holds 75% of the global market for packaged software. Most software companies make 35-40% of their revenue from exports; for some companies exports are as much as 50% of their business. Export restrictions essentially place an "earnings cap" on U.S. software publishers as they are restricted from producing encryption products.
The Bush and Clinton Administrations have asserted that export controls do not cause U.S. firms to lose market share because there are, they claim, no foreign products and programs available. The statistics from a 1995 Software Publishers Association (SPA) survey prove that this argument is untrue. Information gathered to date indicates that 210 foreign hardware, software, and combination products are available for text, file, and data encryption from 21 foreign countries. Of the 210 products, 129 employ strong DES encryption.
On the domestic front, SPA identified 288 products, 142 of which cannot be exported because they employ DES encryption, and thus cannot compete with the many available foreign products. In total, 498 cryptographic products have been identified to date that are developed or distributed by a total of 366 companies (211 foreign, 155 domestic) in at least 33 countries. Implementations of DES, RSA, and newer algorithms such as the International Data Encryption Algorithm which is incorporated into the popularized and freely distributed Pretty Good Privacy (PGP) encryption software program, are downloaded routinely on the Internet from sites all over the world.
There is no room left for doubt. Strong cryptographic products are widely available in over-seas markets. Foreign companies will not purchase products from the United States if they can purchase products with higher levels of security from other producers. By the time the first U.S. company is able to provide the government with data reflecting its lost market share due to export regulations, it will be too late to regain it.
Electronic Commerce and Security Issues
There are a variety of commercial groups interested in utilizing the Internet for business interactions and transactions. The Internet is a potentially inexpensive and pervasive channel for distribution of commercial products. Individuals connected for on-line services such as electronic mail, research, and entertainment would also like to order and pay for products on line, without having to phone or mail in a credit card number. Without interoperable encryption programs, commercial needs in an increasing global environment cannot be met.
U.S. companies that are competing internationally must be able to provide strong encryption in environments such as electronic commerce, where security concerns are paramount. U.S. industries are "driving the demand for strong security," yet non-U.S. vendors are providing solutions. Strong evidence indicates that current policies are harmful to companies marketing encryption products. For example, the ISO standard for encryption in certain banking funds transfer applications is triple DES (a particularly strong variant of the U.S. Government's Data Encryption Standard). However, because triple DES is under export restriction by the U.S. Government, U.S. banks are unable to implement the international standard for their overseas transactions.
Perhaps a more insidious effect of export control policy is that electronic transactions on the Internet are not as secure as they could be. U.S. computer users are denied strong, easy-to-use encryption because most companies do not want to manufacture two sets of the same product or endure the burdensome process of applying to the State Department for an exception.
The removal of out-dated restrictions on exports will enable the creation of a Global Information Infrastructure sufficiently secure to provide seamless connectivity to customers previously unreachable by American companies. The United States is a leader in Internet commerce. However, Internet commerce requires cryptography. Thus American systems have been hindered by cold-war restraints on the necessary cryptography as these systems have moved from the laboratory to the marketplace. This legislation would open the market to secure, private, ubiquitous electronic commerce. The cost of not opening the market may include the loss of leadership in computer security technologies, just at the time when Internet users around the world need good security to launch commercial applications.
Moving Encryption to Commerce
Encryption programs are currently regulated by the State Department under the terms of the International Traffic in Arms Regulations ("ITAR"). In addition to software products specifically designed for military purposes, the ITAR "Munitions List" includes a wide range of commercial software containing encryption capabilities. All ITAR information security technology licenses are reviewed by the National Security Agency. The NSA also uses patent protection under the Invention Secrecy Act, enacted in 1952, to withhold a patent and order that an invention be kept secret if it is deemed in the interest of national security. The NSA retains a strong interest in maintaining control over encryption technologies which may be abused in the process of threatening national security. However, we believe that continuing to allow NSA to control export regulations will impede the development of the information superhighway.
Key Escrow
On August 17, 1995, the Administration announced a new policy with regard to the export of encryption. Termed "commercial key escrow," the Administration's plan would conditionally allow industry to export 64-bit key encryption products (currently U.S. law allows the export of only 40-bit key programs). The plan differs from the previously proposed "Clipper Chip" in that a decryption key would be held in "escrow" not by the government itself, but by a government-certified third party. The government could obtain the decryption key from that third party only when "lawfully authorized."
We agree with the findings of the NRC report that key escrow is an untested proposition. A feasibility study must be performed on a smaller scale before it can be seriously proposed for commercial applications. We also believe that any mandatory key escrow policy would be a violation of users' privacy rights. While key escrow may be an appropriate tool in some special settings, we believe it would be wrong to impose such restrictions on users or businesses generally.
We further believe that it is necessary to go beyond the recommendation of the NRC report which states that products which employ a 56-bit DES algorithm provide an adequate level of security for general commercial use. In the report "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security" written by an ad hoc panel of cryptographers and computer scientists, it was reported that a brute force attack could easily break a 56-bit key. We believe it would be inopportune to arbitrarily choose a key length which would be acceptable for export until further studies are performed.
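The testimony's point that a 56-bit key falls to exhaustive search, and that 40-bit export-grade keys are weaker still, rests on the fact that a known-plaintext brute-force attack costs on average 2^(n-1) trial decryptions for an n-bit key. The following is an added example, not part of the testimony or of the "Minimal Key Lengths" report it cites: it runs an actual exhaustive key search against a deliberately tiny key space (16 bits, a toy hash-based stream cipher constructed here in place of DES), measures the search rate on the machine it runs on, and extrapolates that rate to 40-bit and 56-bit keys. The cipher, key sizes, sample plaintext and assumed attacker rate are all constructed for illustration; the report's own hardware cost figures are not reproduced.

```python
"""Known-plaintext brute-force key search on a toy cipher, with
extrapolation of the measured search rate to longer key lengths.

Added example for this page; not code from the testimony or from the
"Minimal Key Lengths" report. The cipher is a constructed toy (SHA-256
keystream XOR), NOT DES, chosen so the search runs in seconds in Python.
"""
import hashlib
import time

BLOCK_LEN = 16  # bytes of keystream derived per key (toy construction)


def keystream(key: int, key_bits: int) -> bytes:
    """Toy keystream: SHA-256 of the key's big-endian encoding.
    Any keyed function with a flat key space illustrates the point."""
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    return hashlib.sha256(key_bytes).digest()[:BLOCK_LEN]


def encrypt(key: int, key_bits: int, plaintext: bytes) -> bytes:
    """XOR a short plaintext with the toy keystream (decrypt is identical)."""
    if len(plaintext) > BLOCK_LEN:
        raise ValueError("toy cipher handles at most one keystream block")
    ks = keystream(key, key_bits)
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def brute_force(known_plaintext: bytes, ciphertext: bytes, key_bits: int):
    """Exhaustive search over all 2**key_bits keys, given one known
    plaintext/ciphertext pair. Returns (key_or_None, keys_tried, seconds).
    The only property of the cipher used here is that the attacker can
    test a candidate key; this is what a small key space cannot prevent."""
    start = time.perf_counter()
    for candidate in range(1 << key_bits):
        if encrypt(candidate, key_bits, known_plaintext) == ciphertext:
            return candidate, candidate + 1, time.perf_counter() - start
    return None, 1 << key_bits, time.perf_counter() - start


def expected_seconds(key_bits: int, keys_per_second: float) -> float:
    """Average time to find a key by exhaustive search: half the key space
    must be tried on average, regardless of the cipher's design."""
    return (1 << key_bits) / 2 / keys_per_second


def demo(key_bits: int = 16) -> dict:
    """Recover a constructed 'unknown' key, then extrapolate the measured
    rate to the 40-bit export limit and the 56-bit DES key length."""
    secret_key = 0xBEEF & ((1 << key_bits) - 1)   # constructed secret
    plaintext = b"WIRE $1,000,000"                # constructed known plaintext
    ciphertext = encrypt(secret_key, key_bits, plaintext)
    found, tried, seconds = brute_force(plaintext, ciphertext, key_bits)
    rate = tried / seconds if seconds > 0 else float("inf")
    year = 365 * 86400
    return {
        "found": found,
        "recovered": found == secret_key,
        "keys_tried": tried,
        "keys_per_second": rate,
        "years_for_40_bit": expected_seconds(40, rate) / year,
        "years_for_56_bit": expected_seconds(56, rate) / year,
        # Assumed attacker: a dedicated search machine at 1e9 keys/s.
        # This figure is an assumption for illustration, not a cited number.
        "days_for_56_bit_at_1e9_per_s": expected_seconds(56, 1e9) / 86400,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Each additional key bit doubles the work, so the ratio between the 56-bit and 40-bit figures is exactly 2^16, whatever rate the machine measures; a single interpreted Python process will report centuries for 56 bits, while the assumed 1e9 keys/s search machine brings the same key space to under a year and a half. That gap between a general-purpose computer and purpose-built hardware is the reason the testimony declines to endorse any fixed exportable key length without further study.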
We recognize that the government has a legitimate interest in protecting national security. However, the government's proposals are becoming increasingly difficult to achieve as strong encryption programs are available and extensively used worldwide. Whether the U.S. Government keeps current export controls in place, or attempts to impose restrictions even on domestic use of encryption, the role of the national security agencies will remain difficult. Thus, we suggest that a policy which serves the long term interests of our nation's security will not be one based on key escrow, but rather one that anticipates the widespread availability of strong encryption.
CONCLUSION
The USACM supports the Pro-CODE legislation. It is a forward-looking measure which is necessary to ensure the continued growth of the Internet. I would like to thank Chairman Burns and the other sponsors again for introducing the Pro-CODE Act and for allowing me to appear before you today. I hope my testimony will be useful to your deliberations, and I will be happy to answer any questions you might have.
Dr. Barbara Simons
Chair, U.S. Public Policy Committee of the
Association for Computing Machinery
Application Development Technology Institute
M24/E254
IBM Santa Teresa Laboratory
555 Bailey Ave.
San Jose, CA 95141
Phone: 408-463-5661
Fax: 408-463-2425
Email: simons@vnet.ibm.com
Dr. Simons received her Ph.D. in 1981 in computer science from the University of California at Berkeley. In 1980 she joined the Research Division of IBM, and she is currently a member of the Application Development Technology Institute in the IBM Software Solutions Division. Her main areas of research are compiler optimization and scheduling. Her dissertation solved a major open problem in scheduling theory, and she has received an IBM Research Division Award for work on clock synchronization. She has authored or co-authored many papers and two books. She is a National Lecturer for the Association for Computing Machinery (ACM).
Dr. Simons is a Fellow of both the American Association for the Advancement of Science (AAAS) and ACM. In 1992 she was awarded the CPSR Norbert Wiener Award for Professional and Social Responsibility in Computing, and she was recently selected as one of Open Computing's top 100 women in computing. Dr. Simons chairs USACM, the ACM U.S. Public Policy Committee. She was ACM secretary in 1990 - 92, and prior to that she was chair of the ACM Committee on Scientific Freedom and Human Rights. She was also vice-chair of SIGACT, the ACM Special Interest Group on Computer Science Theory, and she served as the Project Advisor to the Project on Funding Policy in Computer Science, which she organized. Dr. Simons was a co-founder of the U.C. Berkeley Computer Science Department Reentry Program for Women and Minorities.
USACM ACTIVITIES
- The USACM has been actively participating in the debate over the proposed "Information Infrastructure Copyright Act" and has submitted written comments to the House Judiciary Subcommittee on Courts and Intellectual Property regarding that Bill.
- The USACM has recently convened a second study on access to government information. The panel will examine the current on-line availability of government documents and evaluate methods for improving citizen access to government information.
- The USACM has hosted conferences on information technology policy which brought computer scientists and policy makers together to discuss issues of mutual interest.
- The USACM Committee members have spoken to policy communities, participated on study panels and committees, and published widely on issues of information technology policy.
- The USACM Washington policy office serves as a clearinghouse for multi-faceted questions regarding information technology policy, and as a bridge between the technical community and the policy community.
USACM, 666 Pennsylvania Avenue S.E., Suite 301, Washington, D.C. 20003