PROTECT ACT of 1999 (Promote Reliable On Line Transactions To Encourage Commerce and Trade)
[Text of the Bill]
By Mr. McCAIN (for himself, Mr. Burns, Mr. Wyden, Mr. Leahy, Mr. Abraham, and Mr. Kerry):
S. 798. A bill to promote electronic commerce by encouraging and facilitating the use of encryption in interstate commerce consistent with the protection of national security, and for other purposes; to the Committee on Commerce, Science, and Transportation.
[From the Congressional Record]
INTRODUCTION OF THE `PROTECT' ACT
Mr. McCAIN. Mr. President, yesterday I introduced a bill to `Promote Reliable On-Line Transactions to Encourage Commerce and Trade,' the PROTECT Act. This legislation seeks to promote electronic commerce by encouraging and facilitating the use of encryption in interstate commerce consistent with the protection of United States law enforcement and national security goals and missions.
During the last Congress, there was a very intense debate surrounding the encryption issue. That debate, as with any discussion regarding encryption technology, centered around the challenge of balancing free trade objectives with national security and law enforcement interests. There were various proposals put forward. None, however, emerged as a viable solution. In the end, the debate became polarized, as many became entrenched upon basic approaches, losing sight of the overall policy objectives upon which everyone generally agreed.
It was my objective to get outside the box of last year's debate. In the past, balancing commercial and national security interests has been treated as a zero sum game, as if the only way to forward commercial interest was at the expense of national security, or vice versa. This is simply not the case. Certainly, advanced encryption technologies present a unique set of challenges for the national security and law enforcement community. However, these challenges are not insurmountable.
What the PROTECT Act does, is to lay out a forward-looking approach to encryption exportation, a course that puts into place a rational, fact-based procedure for making export decisions, that places high priority on bringing the national security and law enforcement community up to speed in a digital age, and that ultimately provides a national security backstop to make certain that advanced encryption products do not fall into the hands of those who would threaten the national security interests of the United States.
Title I of the legislation deals with domestic encryption . The bill establishes that private sector use, development, manufacture, sale, distribution and import of encryption products, standards and services shall be voluntary and market driven. Further, the government is prevented from tying encryption used for confidentiality to encryption used for authentification. It is established that it is lawful for any person in the United States, and for any U.S. person in a foreign country, to develop, manufacture, sell, distribute, import, or use any encryption product.
The PROTECT Act prohibits mandatory government access to plaintext. The bill prohibits the government from standards setting or creating approvals or incentives for providing government access to plaintext, while preserving existing authority for law enforcement and national security agencies to obtain access to information under existing law.
Title II of the legislation deals with government procurement procedures. The bill makes clear that it shall be the policy of the Federal government to permit the public to interact with the government through commercial networks and infrastructure and protect the privacy and security of any electronic communications and stored information obtained by the public.
The Federal government is encouraged to purchase encryption products for its own use, but is required to ensure that such products will interoperate with other commercial encryption products, and the government is prohibited from requiring citizens to use a specific encryption product to interact with the government.
Title II of the PROTECT Act authorizes and directs NIST to complete establishment of the Advanced Encrytion Standard by January 1, 2002. Further, the bill ensures the process is led by the private sector and open to comment. Beyond the NIST role in establishing the AES, the Commerce Department is expressly prohibited from setting encryption standards--including U.S. export controls--for private computers.
A critical component of the PROTECT Act is improving the government's technological capabilities. Much of the concern from law enforcement and national security agencies is rooted in the unfortunate reality that the government lags desperately behind in their understanding of advanced technologies, and their ability to achieve goals and missions in the digital age.
This legislation expands NIST's Information Technology Laboratory duties to include: (a) obtaining information regarding the most current hardware, software, telecommunications and other capabilities to understand how to access information transmitted across networks; (b) researching and developing new and emerging techniques and technologies to facilitate access to communications and electronic information; (c) researching and developing methods to detect and prevent unwanted intrusions into commercial computer networks; (d) providing assistance in responding to information security threats at the request of other Federal agencies and law enforcement; (e) facilitating the development and adoption of `best information security practices' between the agencies and the private sector.
The duties of the Computer System Security and Privacy Board are expanded to include providing a forum for communication and coordination between industry and the Federal government regarding information security issues, and fostering dissemination of general, nonproprietary and nonconfidential developments in important information security technologies to appropriate federal agencies.
Title V of the legislation deals with the export of encryption products. The Secretary of Commerce is granted sole jurisdiction over commercial encryption products, except those specifically designed or modified for military use, including command and control and intelligence applications. The legislation clarifies that the U.S. government may continue to impose export controls on all encryption products to terrorist countries, and embargoed countries; that the U.S. government may continue to prohibit exports of particular encryption products to specific individuals, organizations, country, or countries; and that encryption products remain subject to all export controls imposed for any reason other than the existence of encryption in the product.
Encryption products utilizing a key length of 64 bits or less are decontrolled. Further, certain additional products may be exported or reexported under license exception. These include: recoverable products; encryption products to legitimate and responsible entities or organizations and their strategic partners, including on-line merchants; encryption products sold or licensed to foreign governments that are members of NATO, ASEAN, and OECD; computer hardware or computer software that does not itself provide encryption capabilities, but that incorporates APIs of interaction with encryption products; and technical assistance or technical data associated with the installation and maintenance of encryption products.
The Commerce Department is required to make encryption products and related computer services eligible for a license exception after a 15-day, one-time technical review. Exporters may export encryption products if no action is taken within the 15-day period.
A formal process is established whereby encryption products employing a key length greater than 64 bits may be granted an exemption from export controls. Under the procedures established by this legislation, encryption products may be exported under license exception if: the Secretary of Commerce determines that the product or service is exportable under the Export Administration Act, or if the Encryption Export Advisory Board created under this Act determines, and the Secretary agrees, that the product or services is, generally available, publicly available, or a comparable encryption product is available, or will be available in 12 months, from a foreign supplier.
As referenced, the PROTECT Act creates an Encryption Export Advisory Board to make recommendations regarding general, public and foreign availability of encryption products to the Secretary of Commerce who must make such decisions to allow an exemption. The Secretary's decision is subject to judicial review. The President may override any decision of the Board or Secretary for purposes of national security without judicial review. This process is critical. It ensures that the manufacturer or exporter of an encryption product may rely upon the Board's determination that the product is generally or publicly available or that a comparable foreign product is available, and may thus export the product without consequences. However, a critical national security backstop is provided. Regardless of the recommendation of the board, or the decision of the Secretary, the President is granted the absolute authority to deny the export of encryption technology in order to protect U.S. national security interest. However, a process of review is established whereby market-availability, and other relevant information may be gathered and presented in order to ensue that such determinations are informed and rational.
Any products with greater than a 64 bit key length that has been granted previous exemptions by the administration are grandfathered, and decontrolled for export. Upon adoption of the AES, but not later than January 1, 2002, the Secretary must decontrol encryption products if the encryption employed is the AES or its equivalent.
Finally, the PROTECT Act prohibits the Secretary from imposing any reporting requirements on any encryption product not subject to U.S. export controls or exported under a license exception.
Mr. President, as I have stated, my purpose in putting this legislation together was to get outside the zero sum game thinking that has become so indicative of the debate surrounding the encryption export controls. I would like to commend the outstanding and creative leadership of Senator Burns on this issue. He is a leader on technology issues in the Senate, and has played an invaluable role in developing this approach. I look forward to working with him, and our other original cosponsor in building the support necessary to see the PROTECT Act signed into law during this Congress.
Mr. BURNS. Mr. President, as the Members of the Senate know, for several years I have advocated the enactment of legislation that would facilitate the use of strong encryption . Beginning in the 104th Congress, I have introduced legislation that would ensure that the private sector continues to take the lead in developing innovative products to protect the security and confidentiality of our electronic information including the ability to export such American products.
I am pleased to rise today to introduce with my Chairman, Senator McCain, the PROTECT ACT of 1999 (Promote Reliable On Line Transactions To Encourage Commerce and Trade). The bill reflects a number of discussions we have had this year about the importance of encryption in the digital age to promote electronic commerce, secure our confidential business and sensitive personal information, prevent crime and protect our national security by protecting the commercial information systems and electronic networks upon which America's critical infrastructures increasingly rely. I am extremely pleased to join with him in introducing this important legislation.
While this bill differs in important respects from the PRO-CODE legislation I introduced in the previous Congress, I do think it accomplishes a number of very important objectives. Specifically, the bill:
Prohibits domestic controls;
Guarantees that American industry will continue to be able to come up with innovative products;
Immediately decontrols encryption products using key lengths of 64 bits or less;
Permits the immediate exportability of 128 bit encryption in recoverable encryption products and in all encryption products to a broad group of legitimate and responsible commercial users and to users in allied countries;
Recognizes the futility of unilateral export controls on mass market products and where there are foreign alternatives and so permits the immediate exportability of strong encryption products whenever a public-private advisory board and the Secretary of Commerce determines that they are generally available, publicly available, or available from foreign suppliers;
Directs NIST to complete establishment of the Advanced Encryption Standard with 128 bit key lengths (the DES successor) by January 1, 2002 (and ensures that it is led by the private sector and open to public comment); and
Decontrols thereafter products incorporating the AES or its equivalent.
Today, we are in a world that is characterized by the fact that nearly everyone has a computer and that those computers are, for the most part, connected to one another. In light of that fact, it is becoming more and more important to ensure that our communications over these computer networks are conducted in a secure way. It is no longer possible to say that when we move into the information age, we'll secure these networks, because we are already there. We use computers in our homes and businesses in a way that couldn't have been imagined 10 years ago, and these computers are connected through networks, making it easier to communicate than ever before. This phenomenon holds the promise of transforming life in States like Montana, where health care and state-of-the-art education can be delivered over networks to people located far away from population centers. These new technologies can improve the lives of real people, but only if the security of information that moves over these networks is safe and reliable.
The problem today is that our computer networks are not as secure as they could be; it is fairly easy for amateur hackers to break into our networks. They can intercept information; they can steal trade secrets and intellectual property; they can alter medical records; the list is endless. One solution to this, of course, is to let individuals and businesses alike to take steps to secure that information. Encryption is one technology that accomplishes that.
I am proud that today I have been able to join with Senator McCain to introduce this legislation which will enable Americans to use the Internet with confidence and security.
Mr. LEAHY. Mr. President, this is the third Congress in which I have introduced and sponsored legislation to update our country's encryption policies. My objective has been to bolster the competitive edge of our Nation's high-tech companies, allow Americans to protect their online and electronically stored confidential information, trade secrets and intellectual property, and promote global electronic commerce. I am pleased to join Senators McCain, Wyden and Burns, in this continuing effort with the `Promote Reliable On-Line Transactions to Encourage Commerce and Trade (PROTECT) Act of 1999.'
In May 1996, I chaired a hearing on the Administration's ill-fated Clipper Chip key escrow encryption program that drove home the need for relaxed export controls on strong encryption . U.S. export controls on encryption technology were having a clear negative effect on the competitiveness of American hi-tech companies. Moreover, these controls were discouraging the use of strong encryption domestically since manufacturers generally made and marketed one product for both for export and for domestic use here. At that hearing I heard testimony about 340 foreign encryption products that were available worldwide--including for import into the United States--155 of which employed encryption in a strength that American companies were prohibited from exporting. That number has grown exponentially. As of December, 1997, there were 656 foreign encryption products available from 474 vendors in 29 different foreign countries.
American companies certainly do not enjoy a monopoly on encryption know-how. The U.S. Commerce Department's National Institute for Standard and Technology (NIST) is developing an Advanced Encryption Standard (AES) to update the U.S. Data Encryption Standard (DES), the current global encryption standard. Only 5 of the 15 AES candidate algorithms submitted to NIST for evaluation were proposed from American companies or individuals. The remaining proposals came from Australia, Canada, France, Germany, Japan, Korea, United Kingdom, Israel, Norway, and Belgium.
In the 104th Congress, I introduced encryption legislation on March 5, 1996, with Senators Burns, Dole, Murray and others, to help Americans better protect their online privacy and allow American companies to compete more effectively in the global hi-tech marketplace. Specifically, the `Encrypted Communications Privacy Act of 1996,' S. 1587, would have relaxed export controls on strong encryption and promoted the widespread use of encryption to protect the security, confidentiality and privacy of online communications and stored electronic data. This bill would have legislatively confirmed the freedom of Americans to use and sell in the United States any encryption technology that most appropriately met their privacy and security needs. In addition, this bill would have relaxed export controls to allow the export of encryption products when comparable strength encryption was available from foreign suppliers, and encryption products that were generally available or in the public domain.
In the years since that bill was introduced, the Administration has made some positive changes in its export policies. In October 1996, the Administration allowed the export of 56-bit DES encryption by companies that agreed to develop key recovery systems. This policy was supposed to sunset in two years. I strongly criticized this policy at the time, warning that this `sunset' provision `does not promote our high-tech industries overseas.' In fact, when the time came last year to return to the old export regime that allowed the export of only 40-bit encryption , the Administration relented and continues to permit the export of 56-bit encryption , with the condition of developing encryption programs with recoverable keys.
The proposals I made in 1996 made sense then, and versions of these provisions are incorporated into the PROTECT Act today.
Specifically, the PROTECT Act would provide immediate relief by allowing the export of encryption using key lengths of up to 64 bits. In addition, stronger encryption (more than 64-bit key lengths) would be exportable under a license exception, upon determination by a new Encryption Export Advisory Board that the product or service is generally available, publicly available or a comparable product is available from a foreign supplier. This determination is subject to approval by the Secretary of Commerce and to override by the President on national security grounds.
This relief is important since the time and effort to crack 56-bit DES encryption is getting increasingly short. Indeed, earlier this year, a group of civilian computer experts broke a 56-bit encrypted message in less than 24 hours, beating a July 1998 effort that took 56 hours.
The breaking of 56-bit encryption comes as no surprise to those doing business, engaging in research, or conducting their personal affairs online. While 56-bit encryption may still serve as the global standard, this will not be the situation for much longer. 128-bit encryption is now the preferred encryption strength.
For example, in order to access online account information from the Thrift Savings Plan for Federal Employees, Members and congressional staff must use 128-bit encryption . If you use weaker encryption , a screen pops up to say `you cannot have
access to your account information because your Web browser does not have Secure Socket Layer (SSL) and 128-bit encryption (the strong U.S./Canada-only version).'
Likewise, the Department of Education has set up a Web site that allows prospective students to apply for student financial aid online. Significantly, the Education's Department states that `[t]o achieve maximum protection we recommend you use 128-bit encryption .'
These are just a couple examples of government agencies or associated organizations directing or urging Americans to use 128-bit encryption . We should assume that people in other countries are getting the same directions and recommendations. Unfortunately, while American companies can fill the demand for this strong encryption here, they are not permitted to sell it abroad for use by people in other countries.
Significantly, the PROTECT Act would permit the export of 128-bit (and higher) AES products by January 1, 2002. While not providing relief as quickly as I have urged in other encryption legislation, including the E-PRIVACY Act, S. 2067, in the last Congress, this bill moves in the right direction, and provides a sunset for unworkable encryption export controls. In my view, this bill would give most Internet users access to the strongest tools they need to protect their privacy starting in 2002--a long time by Net standards, but time our law enforcement and intelligence agencies say they need to address the global proliferation of strong encryption .
Encryption is a critical tool for Americans to protect their privacy and safeguard their confidential electronic information, such as credit card numbers, personal health information, or private messages, from online thieves and snoops. This is important to encourage the continued robust growth of electronic commerce. A March 1999 report of the Vermont Internet Commerce Research Project that I commissioned analyzed barriers to Internet commerce in my home State, and found that `the strongest obstacle among consumers' was the perceived lack of security.
Focusing on the export regime for encryption technology is only one aspect, albeit an important one, in the larger debate over how best to protect privacy in a digital and online environment. Legislation to provide encryption export relief is a start, but we also have important work to do in addressing broader privacy issues, such as establishing standards for law enforcement access to decryption assistance. I look forward to working with Senators McCain, Wyden and Burns on passage of the PROTECT Act as well as other privacy legislation.
Mr. KERRY. Mr. President, today I join my esteemed colleagues, Senators McCain, Burns, Wyden, Leahy and Abraham in introducing legislation that will encourage sales of US information technology products while at the same time protecting our national security interests. The Promote Reliable On-Line Transactions to Encourage Commerce and Trade (PROTECT) Act of 1999 is an important first step that recognizes that as the Internet becomes more of a presence in global commerce, there must be guarantees and assurances that business and personal information remains confidential. It also recognizes that the US companies are leaders in creating the technology that serves this vital purpose, and that these companies are integral to our growing economy.
United States information technology companies have been frustrated by what they perceive as too-stringent controls on the export of their encryption products. These controls have served a vital purpose in protecting national security interests. The realities of the marketplace and the technology sector, however, suggest that it time to loosen our grip somewhat on the export controls we impose. Although the US is the leader in producing high quality, strong encryption products, other countries also have the ability to produce comparable products. We must recognize this reality and understand that while export controls can slow the spread of encrypted products, they cannot stop it. Importantly, controls that do not recognize this reality put our software industry at a disadvantage as it tries to compete in the global market.
Nothing, of course, is more important than our national security. This legislation maintains strong guidelines to ensure that encryption technology is not sold to countries that pose a threat to our national security. It puts in place a number of reasonable checks to make certain that US encryption technology does not get into the wrong hands. At the same time, it takes into consideration that where encryption products are generally or publicly available, we should not unduly limit their sale to responsible entities in NATO, OECD or ASEAN countries. To do so would not only cause potential harm to US industry, but it could also have an unintended negative impact on our own security.
I applaud Senator McCain for taking this first step towards resolving a complicated problem. As we work through this and other legislation that attempts to address the issue of encryption exports, I hope we can incorporate the best features into the strongest possible bill.
Return to the EPIC Crypto Page