These views from Democratic legislators on the SAFE crypto bill is excerpted from House Report 105-108, dated May 22, 1997, which reports on the recent hearing testimony, DoJ's critique, and Goodlatte's responses to administration criticism. It cites the Blaze et al report on the risks of key recovery, Sun's alliance with Elvis, current litigation and non-US commercial exploitation of the crypto stalemate. http://jya.com/hr105-108.htm (94K) ----- ADDITIONAL MINORITY VIEWS John Conyers, Jr. Rick Boucher. Zoe Lofgren. Maxine Waters. William Delahunt. Martin T. Meehan. We offer these additional views not to foment dissent but to encourage dialogue with the Administration on the issues related to encryption. We would like to work with federal law enforcement and national security agencies to address their concerns. We sympathize with the difficulties faced by investigative and security agencies in combating crime, terrorism, and espionage. We believe it is quite legitimate for the Administration to be concerned about the uncertain impact that strong and ubiquitous encryption products may have on law enforcement and national security agencies. We realize that it may ultimately become impossible for government agencies to decipher intercepted or retrieved data and communications that have, by encryption, been transformed into a seemingly unintelligible form. We recognize the days of cracking strong codes are nearly gone. Unbreakable codes (256-bit key algorithms can generate more possible solutions than there are particles in the known universe) are already widely known. Private security experts and sophisticated hackers have already realized this and are beginning to develop ways of attacking the vulnerable points before and after the information is encrypted (i.e., on the sender's hard drive or at a ``good-guy'' recipient such as a bank). We suspect that law enforcement and national security experts within the government are acquiring similar capabilities. But these alternative (and more subtle) approaches are not reflected in the Administration's current public policy toward encryption. The Administration's current encryption policy, a policy that runs back at least to the Bush Administration, creates more problems than it resolves. The policy is a combination of encryption export controls and a key escrow system by which the key to the code encrypting the information is to be held by a third party (so it may be made available to the government). We need to be honest about this situation. We don't expect most narcotics traffickers, terrorists, or criminals to respect export restrictions on encryption when they don't respect our underlying drugs or weapons laws. And we don't generally expect anyone who employs encryption in furtherance of a crime to readily give their keys to some third party so they may be made available to the government. The Administration maintains that there is a commercial need for key recovery. While that may be true to some extent, there appears to be little or no demand for the all- encompassing system they want to mandate. Experts have uniformly concluded the government's proposed system is either excessively costly and complex or insecure. In part, this is true because the government seeks access to real-time communications and data transmissions, rather than the ability to recover stored data. The Administration insists it doesn't want domestic restrictions on encryption. We are concerned, however, that the Administration policy does have this effect. Development of software programs, including those utilizing encryption, occurs at an amazingly rapid pace, so it is not feasible for computer software and hardware companies to develop separate products for export and for domestic use. As a result, as a practical matter, only products that are exportable, with weaker encryption or with government-approved key recovery-escrow, can be marketed at present. We fear that current encryption policy, encouraging as it does weaker encryption, makes every American more vulnerable to illicit or surreptitious access to our computer files, our phone conversations, and personal information, and thus exposes our citizens to hackers, terrorists, and thieves. It is ironic that what is trumpeted as an aid to law enforcement may instead compromise individual and corporate security. What we have here is not only a combination of export controls and a key recovery system that does not work, we have a system that compromises the competitiveness and security of this nation's software and hardware industry, as well as our privacy rights. As conceded by Administration witnesses, the proposed key recovery system can succeed only as long as there is no non-conforming encryption software readily available in the market. But there is already an abundance of such software, some of it freeware, that is readily available over the Internet. The proposed key recovery system can not work unless the United States persuades every other nation to adopt key recovery. We can safely say we are unlikely to obtain the agreement of Libya, Iran, Iraq, or North Korea. In addition, the efforts to date of David Aaron, U.S. Ambassador to the Organization for Economic Cooperation and Development (OECD), to obtain a consensus in support of key recovery resulted instead in a consensus opposing it. The Administration's policy has therefore been a strong market incentive: (a) for non-participants (in the Administration's key escrow program) to make non-standard, secure encryption available, and (b) for U.S. companies to set up abroad in "encryption havens'' so they may legally market strong, secure encryption products to customers who decline to make their "international key'' available to diverse governments around the world. There are already U.S. companies establishing ties with foreign companies in Japan, Russia, and elsewhere. Nor is this policy without its cost. It is estimated that, if the U.S. persists in its current policy through the year 2000, we shall lose 200,000 jobs and $60 billion each year. This is what it will cost this nation to lose the cryptography lead we enjoy and the competitive expertise necessary to maintain our market position. Unfortunately, our discussions to date with law enforcement and intelligence agencies have not admitted of the possibility of any further relaxation of export restrictions as part of the broader process essential to resolving this complex question. Nor has the Administration offered to consider alternatives to its key escrow or key recovery system. H.R. 695 need not be the end of the process but the beginning of a real dialogue. This is what we would like to happen. We continue to remain hopeful that the Administration will acknowledge the shortcomings of its current policy and sincerely hope that this will happen soon lest more serious damage be done to our industry, to our security and to our privacy. [End exceprt]