Bill Wiedemann Testifies On Privacy in the Digital Age: Encryption and Mandatory Access

Statement of
Bill Wiedemann, Founder and Executive Vice President
RedCreek Communications
Before The
Subcommittee on the Constitution, Federalism and Property Rights
Senate Committee on the Judiciary

On

Privacy in the Digital Age: Encryption and Mandatory Access

March 17, 1998

Mr. Chairman and members of the Subcommittee, thank you for providing me with this opportunity to testify before you today. Encryption is a subject of vital importance to our industry.

Privacy and PolicyPrivacy and Policy

Privacy is considered a fundamental right by all citizens of the United States. Our government has always fully protected this right, whether we are communicating in our homes, through the postal service or over the telephone network. A new communications medium, the Internet, has emerged as the preferred, or certainly a very commonly used, infrastructure. Today we can send email to friends, customers and business colleagues. We do this because it is easy, it allows us to compose our thoughts, and it provides us with a record of the “dialogue.”

We can also use the Internet as an infrastructure to conduct commerce.

How many of us have bought something on the Internet?

Those that haven’t yet bought something on the Internet, how many would if they could be assured that it would be safe, secure and private?

Well I am here today to tell you that it is safe, secure and private to communicate and conduct business over the Internet. Software programs are available that enable our existing email and browsers to perform the necessary functions of privacy that make our messages and transactions secure. A major reason individuals in the United States are not using the Internet for ordering products and services is they are not informed that the security of their credit card number is guaranteed by their credit card supplier.

Current policy does not allow U.S. companies to sell data privacy solutions, unless the encryption is 40 bits or less. U.S.-based companies use strong encryption for communications within the United States and Canada but are prevented from using the same products with strong encryption when their communications go outside the United States. The exportable versions contain encryption that is reduced to 40 bits. Therefore, to securely communicate on a global basis, companies obtain a strong encryption add-on from a foreign supplier.

Law enforcement has indicated that the 40 bit export restriction helps them to apprehend criminals. It only hinders the use of these enabling Internet technologies because companies are forced to use foreign suppliers rather than the preferred United States encryption solutions that are contained in the U.S. versions of Internet email and browser products.

Controls on the export of encryption technology, the technology that enables us to attain privacy over the Internet, have curtailed this market and have left some with a feeling that the Internet is not yet safe for communications and transactions. A most important fact is that it has only curtailed the use of security solutions. It has not stopped it. Talented engineers and resourceful entrepreneurs in overseas countries have designed plug-ins and add-ons to our favorite email and Internet browser programs. I am sure many of you have seen the articles and quotes from these foreign companies hoping the U.S. government does not change its policy of restricting the export of strong encryption. This restrictive policy is what created and sustains their business. As I said earlier, security is not a problem today for email because foreign companies have solved the problem. The current U.S. policy accomplishes nothing to help law enforcement apprehend criminals. It only curtails the use and therefore growth of the market because global users of these enabling business solutions would prefer not to have to install and support these foreign add-ons for their overseas users.

Internet GrowthGrowth

While commerce will grow from $8 billion in 1997 to over $300 billion in 2002 and the number of email users, currently 50 million, doubles every 3 months, an even bigger growth opportunity is the use of the Internet for corporate networks. The Internet will drive the interconnection of corporate offices, remote/mobile users, and business partners. The advantages of the Internet, widely available connections, and low cost access are big expense control and productivity drivers for corporate America. Remote and mobile employees can now telecommute with unlimited access to their corporate resources for as little as $20 dollars per month. Corporate offices can be interconnected for monthly costs that are less than half of other wide area network technologies.

A corporate network based on the Internet is possible because of two things:

    • A widely available quality network

Strong encryption to ensure privacy

Without strong encryption corporations would not consider putting their private information on the Internet. Strong encryption also provides an impenetrable boundary between the hackers on the public Internet and the users and data on a corporation’s private network.

Enterprising companies have recognized this opportunity to provide strong encryption and thereby facilitate secure corporate communications over the Internet. RedCreek recognized the shortcomings in current security solutions and set out to design next generation products. Previous solutions were too slow, too bulky, too costly, and were based on proprietary technology, due to the lack of interoperability standards. U.S. companies such as RedCreek have responded to the need for high performance, small size, low cost, standards-based solutions. Due to this progress in security solutions, companies such as AT&T;, MCI, and Sprint can now provide secure corporate connectivity over the Internet.

The availability of a quality network and high-performance security solutions are enabling the explosive potential for the Internet as a corporate networking solution. However, corporations must have the opportunity to obtain strong encryption from a U.S. supplier to address their global networking needs. Today corporations are forced to use foreign company solutions for their overseas locations. As the revenue from security products is handed to foreign suppliers, the current market leading position of U.S.-based companies like RedCreek is jeopardized.

Privacy through strong encryptionthrough strong encryption

Currently we have the ability to export 40 bit encryption to all but seven embargoed countries. Forty bit encryption is not perceived to be strong enough by worldwide corporate customers. Do you remember how you safe you felt when your parents gave you your first lock for your bicycle? It was probably four tumblers with numbers between zero and nine on each dial. You felt safe and secure because your parents told you that you were safe as long as you didn’t let anyone know the combination. Your first day at school somebody unlocked your bike and took it for a ride before locking it back up. How did they do this? What they did is simply try every possible combination. It probably took less than 15 minutes.

Industry standard trusted encryption can only be broken using the same “brute force” method of trying every key. It is commonly understood that a 40 bit key can be discovered by trying all possible combinations in about a week using several hundred computers. A 56 bit key is 64,000 times as many possible combinations as a 40 bit key. Therefore a 56 bit key would take 64,000 times longer or 64,000 times more computers than a 40 bit key. A 128 bit key is commonly believed to be the length of key necessary to assure privacy of personal and corporate communications. While 128 bit is the approved key length for financial transactions, the US government currently restricts general export of data privacy encryption to 40 bits.

Financial institutions and U.S.-based companies can use 56 bit data encryption for their overseas offices; however, this is still well below the accepted minimum of 128 bits for data privacy. Consequently users who desire to take advantage of the benefits of these technologies must buy products with unrestricted strong encryption for deployment in the United States and Canada and use foreign suppliers for their overseas offices and partners. Companies such as Timestep in Canada, and Radguard in Israel are not restricted and are shipping solutions that are alternatives to the currently superior solutions available in the United States.

Meeting the needs of law enforcementthe needs of law enforcement

The existing export policy has prevailed to date, due to US-based law enforcement professing that these controls are necessary to enable them to pursue criminal activity. Suppose there were a 40 mph speed limit on exported automobiles. Would this enable law enforcement to better pursue criminal activity? Certainly this would not assist law enforcement as automobiles are available overseas that can go faster than 40 mph. Yet law enforcement continues to indicate that a 40 bit restriction on the export of encryption, even when stronger encryption is available overseas, enables them to pursue criminal activities.

Law enforcement’s current proposal is to allow 56 bit encryption to be shipped outside of the United States as long as they can get access to a copy of the encryption key. How many of us would be willing to make a copy of our house key and car key available to U.S. and foreign governments without prior notification of the use of our key? Many people consider this type of government access to our encryption keys an extreme invasion of privacy.

However there are ways to give law enforcement the protection they require, and allow corporations to use the strong encryption, which enables the use of the Internet for worldwide corporate communications. Hewlett Packard recently obtained U.S. government approval for their VerSecure technology allowing U.S. suppliers to ship 128 bit strong encryption products overseas. The reason that the Hewlett Packard approach was approved is that exported products are shipped with “dormant” encryption. The encryption product provides no encryption until it is “enabled” by a foreign entity or government. Foreign countries that have been approved by the United States include the United Kingdom, Australia, Denmark, France, and Germany.

Law enforcement’s desire is to recover data by methods afforded them today with wiretaps. Any method of data recovery by law enforcement should use the currently established legal practices for obtaining permission to install a wiretap. If the desired data is encrypted for privacy, the wiretap would need to be installed at a point where clear (unencrypted) data is available.

Another method for keeping strong encryption products out of the hands of criminals is to allow the sale of strong encryption only to recognized companies and then require them to take precautions in the deployment of the solutions.

Summary

Mr. Chairman and members of the Subcommittee, privacy is a fundamental right of all people. Strong encryption is a tool that enables people and businesses to communicate securely. U.S.-based companies are currently the leaders in this technology. Current export restrictions foster foreign suppliers of encryption solutions.

The Internet facilitates communication between individuals and businesses. Strong encryption, from preferred U.S. suppliers, enables individuals and businesses to take advantage of the low cost and wide availability of the Internet.