U.S. Policy on Encryption

It is our view that the United States government should protect our Right to Privacy.

The right of the people to be secure in their persons, papers and effects, against unreasonable searches and seizures, shall not be violated…
– the Fourth Amendment to the U.S. Constitution

In the United States today, Americans are free to protect the privacy of their computer files and communications by using the strongest encryption technology available. But the Administration’s FBI and even some Members of Congress want to take away that freedom by outlawing your ability to communicate and store information in a way that is not relatively quick and easy for the government to read.

Encryption is technology that “encodes” computer files and communications, much like a combination lock secures a filing cabinet. On the global front, strong encryption products are widely available from foreign manufacturers, but Administration policy hamstrings American companies by preventing them from exporting equally strong products. It is costing both American jobs and American leadership in the global information economy.

A solid majority in the U.S. House of Representatives has cosponsored a bill to protect the freedoms Americans currently enjoy when it comes to computer privacy and to lift restrictions on the sale of U.S. encryption products overseas. That bill is the Security and Freedom through Encryption (SAFE) Act (H.R. 850), championed by Reps. Bob Goodlatte (R-VA) and Zoe Lofgren (D-CA).

Any legislation passed should protect our privacy.

Any bill that Congress passes affecting encryption should ensure that American citizens, businesses, and institutions can continue to buy and use the strongest encryption technology available to protect themselves, their customers and their stakeholders from crime, without fear of unwarranted government intrusion. The SAFE Act would do just that.

Why? Computer technology has rapidly become a fundamental element of day-to-day life. Encryption is what protects computer files and communications from eavesdroppers, thieves, and other criminals. It protects medical records, corporate trade secrets, data on personal buying habits, air-traffic control centers, legal documents, credit histories, hospital databases, credit card transactions, e-mail and government files.

But the Administration and the FBI have other ideas.

For every encryption code, there exists a “key” to unlock that code, much like a bank card PIN number provides access to a bank account or the proper numerical sequence opens a combination lock. For years, the Administration has pursued a policy of “key recovery” to enable federal agencies to more easily access confidential personal and business electronic files and communications. To that end, the FBI now proposes far-reaching legislation that threatens to put the “key” to your locked computer files, and the “keys” to other locked computer files with information about you, in the hands of government-approved “third parties.” In fact, your existing freedom to encrypt data and communications without giving some “third party” a “key” would be outlawed.

The FBI’s goal is to obtain access to those keys without your knowledge in order to investigate criminal activity. The result would be a vastly overreaching and unprecedented system of information access that would allow the government to obtain more personal information than ever before.

It would turn inside-out your Fourth Amendment right against unlawful search and seizure by making you a criminal if you refuse to supply encryption “keys” from government-approved “third parties.” In essence, your ability to communicate and store information in a way that is not relatively quick and easy for the government to read would be prohibited by law.

Here is how the FBI plan would threaten your rights:

FBI Director Louis Freeh compares his proposal to wiretapping telephones after obtaining a court warrant. But if Congress requires “third parties” to hold encryption “keys,” that are subject to a warrant, it would do more than allow court-ordered wiretaps. It would require you to store computer data only in formats that law enforcement can easily understand and conveniently access — often without your knowledge. It would provide law enforcement greater access to private information, which is fundamentally intrusive and threatens our constitutionally protected right to privacy.

No government policy can ensure that encryption “keys” deposited with “third parties” will be handled responsibly. In a 1996 Presidential Commission report on encryption policy, the National Research Council (NRC) warned, “Escrowed encryption [encryption for which a third party holds a key] by design introduces a system weakness … and so if the procedures that protect against improper use of that access somehow fail, information is left unprotected.” As the number of keys that would require proper storage multiplies daily – reaching into the billions – holding “third party” key-holders accountable would be virtually impossible.

If strangers could unlock encrypted computer files containing confidential information about you – whether stored at your home, a hospital, an insurance company or bank – that information could fall into the wrong hands. Health records, credit card numbers, credit histories and tax information protected by encryption could all become more vulnerable to misuse.

Strong encryption enhances law enforcement. The widespread use of strong encryption – when users hold their own “keys” – actually helps law enforcement fight crime by deterring criminals from viewing, tampering with or stealing private information. Imagine the potential increase in computer crimes if all the information on computers and information networks protected by encryption became more susceptible to theft or tampering because encryption keys were being widely misused under a misguided government policy.

U.S. companies are missing out on a critical growth opportunity and are losing global, technological leadership that benefits U.S. law enforcement. In addition, air traffic control centers, electric-power grids, defense systems, financial services, oil and gas producers and suppliers, telecommunications networks and the stock market all operate and communicate by computer. If “third-party” key recovery “introduces a system weakness,” as the National Research Council (NRC)points out, these infrastructures will be at greater risk.

Any legislation should better position the U.S. in world markets.

Back in 1991, a multilateral agreement among Western nations ended restrictions on the export of most encryption products, but the U.S. maintained its rigid controls. Today, while that policy hamstrings U.S. manufacturers, companies from more than 20 other nations have developed hundreds of products to take advantage of the booming demand among law-abiding customers for strong encryption.

Furthermore, Americans are losing jobs. A Computer Systems Policy Project study showed the restrictions could cost the U.S. economy $60 billion and 200,000 high-skill, high-wage jobs by the year 2000. The NRCwarned in early 1996, “U.S. export controls may stimulate the growth of significant foreign competition for U.S. vendors to the detriment of both U.S. national security interests and U.S. businesses and industry.” That impact is being felt today.

Encryption is a fundamental building block of the information age. Any bill Congress passes should ease the restrictions on the export of strong encryption products to allow U.S. industries to compete on a level playing field in a booming global market.

Congress must act today!

Americans for Computer Privacy enthusiastically supports the Security and Freedom through Encryption (SAFE) Act (H.R. 850), championed by Reps. Bob Goodlatte (R-VA) and Zoe Lofgren (D-CA), and cosponsored by a solid majority of the U.S. House. The legislation would:

Affirm Americans’ freedom to use the strongest possible encryption. Defeat attempts to force Americans to provide the government or some government-approved “third party” with “keys” to their encrypted information.
Allow the U.S. to compete in the rapidly growing global market for strong encryption products.