As members of Americans for Computer Privacy, we write today to share with you our views on the Administration's recent encryption policy announcement, and to urge you to build on these reforms with legislation in the next Congress.
While we still have far to go, the Administration's September 16 policy move away from its total reliance on the flawed, mandatory "key recovery" concept and toward a less drastic export control regime validates our assertion that strong encryption is essential for promoting public safety, national security, law enforcement and the vibrant growth of global electronic commerce. It was a good first step.
Among the favorable elements of the Administration's announcement:
- Elimination of the key recovery requirement on exports of encryption products using 56-bit key lengths;
- Permission for American multinational companies to distribute and use robust encryption (key lengths longer than 56 bits) among their subsidiaries worldwide;
- Eligibility for exports of robust encryption to insurance companies, health and medical organizations, and on-line merchants for use between merchants and their customers; and
- Exports of "recoverable" robust encryption to most commercial firms and their subsidiaries.
This first step, however, is just that. We continue to have much to cover so the citizens and businesses of this country can have true confidence in their security, privacy, safety, and economic competitiveness.
First, because mass-market software and hardware products are inherently uncontrollable, the U.S. Government should abandon its futile efforts to control these products. Exporters of robust encryption products with key lengths over 56 bits to many end users must still apply for export licenses and wait out the weeks-long, unpredictable decision process before shipping. This allows foreign competitors to step in and gain control of the market.
Second, ACP proposed to the Administration that the U.S. allow sales of robust encryption to "legitimate and responsible organizations." Insurance, health and medical, and on-line merchants are a start, but there is a vast array of users who need strong encryption, such as energy suppliers, telecommunications providers, human rights organizations, and transportation services, among many others. U.S. companies should be permitted to sell to these valuable markets and maintain U.S. encryption leadership abroad.
Third, telecommunications and Internet service providers should not be excluded from favorable treatment for sales of "recoverable" products to favored countries. We proposed that recoverable products be exportable to all commercial end-users. These tools would enhance law enforcement and national security officials' ability to do their job.
We believe that finishing the job would provide significant national security, communications privacy, public safety and market growth benefits, as well as opportunities for legitimate law enforcement access. The Administration has said it will review this policy in one year. While we intend to work with them to make that happen, we believe the Congress can also help add impetus to that review with a renewed commitment to drafting legislation next year that shows the way toward fundamental reform.
We thank you for your commitment and look forward to working with you in the next Congress.
60 Plus Association
American Conservative Union
American Electronics Association
American Financial Services Association
American Petroleum Institute
American Privacy Protection Association
American Small Business Alliance
Americans for Tax Reform
AXENT Technologies, Inc.
BEA Systems, Inc.
Bowles Farming Company, Inc.
Business Software Alliance
Cellular Telecommunications Industry Association
Center for Democracy and Technology
Central Predicting Corporation
Citizens for a Sound Economy
Commercial Internet eXchange Association
Computer and Communications Industry Association
Computing Technology Industry Association
Consumer Electronics Manufacturers Association
Countrywide Home Loans
Electronic Industries Association
FTD Florist Association
Goodyear Tire & Rubber Co.
Information Technology Association of America
Institute of Electrical & Electronic Engineers-USA
Intellectual Protocols, LLC
Law Enforcement Alliance of America
Lotus Development Corporation
National Association of Manufacturers
National Retail Federation
National Rifle Association
National Venture Capital Association
Netscape Communications Corp.
Network Associates, Inc.
Raptor Systems, Inc.
RedCreek Communications, Inc.
RSA Data Security
SAS Institute Inc.
Silicon Valley Software Industry Coalition
Small Business Survival Committee
Software Publishers Association
United States Chamber of Commerce
United States Telephone Association
WatchGuard Technologies, Inc.