Date: Thu, 4 Sep 1997 06:30:47 -0700 (PDT)
From: Declan McCullagh
To: cypherpunks@toad.com
Subject: Senate Judiciary and Louis Freeh crypto-hearing transcript
---------- Forwarded message ----------
SENATE JUDICIARY COMMITTEE
TERRORISM, TECHNOLOGY & GOVERNMENT
INFORMATION SUBCOMMITTEE
CHAIR: SENATOR JON KYL (R-AZ)
TESTIFYING: FBI DIRECTOR LOUIS FREEH
226 DIRKSEN SENATE OFFICE BUILDING
WEDNESDAY, SEPTEMBER 3, 1997, 2 PM
SEN. KYL: The conferences are just coming to a
close. As a result, I am informed that the ranking member,
Senator Feinstein, will be here very shortly; and when she
arrives, we'll give her the opportunity to make a statement. So
we should expect other members shortly. But in view of the
agenda that we have, the number of witnesses we want to hear
from today, I'd like to begin the hearing at this time.
The purpose of this hearing is to explore how
encryption is affecting the way that we deal with criminals,
terrorists and the security needs of our businesses. Our
subcommittee, which has the responsibility for technology,
terrorism and government information, is a fitting focal point
for an in-depth examination of the ramifications of encryption
for public safety and national security.
Three panels of distinguished witnesses will share their
views on these topics. In panel one we will hear from the
director of the Federal Bureau of Investigation on the use of
encryption by criminals, terrorists and spies and the impact of
the usage on law enforcement. In panel two we'll learn the
results of a recent study and some real-life examples of how
criminals and terrorists are using encryption in an attempt to
thwart law enforcement efforts. The last panel will offer
insights from industry on their specific security concerns.
The United States is leading the world into the
information age, an age in which information rather than
industrial mechanics will likely be a dominant commodity. As
the U.S. information-based economy has become more
efficient via the use of computing and communication
technologies, our society has become increasingly vulnerable
because of our dependency on the available and predictable
operation of these technologies. Encryption has the potential
to limit the risks that these dependencies have introduced. But
if used unwisely it also has the potential to undermine the
responsibilities that Congress and the Constitution give to our
nation's law enforcement and national security agencies. So
the issue that I would like to address today is how to get the
good encryption widely used without allowing it to be used
against society. If we do not address the encryption issue
from this perspective, we will wind up increasing the risks to
our economy, citizens and national security rather than
decreasing them.
There have been other hearings held earlier this year on
the encryption topic which have looked at important questions
of commerce and privacy and export control policy. When I
examine what has been said to date and what had been
proposed in some encryption bills, I was struck by the fact that
some of these efforts seem to be addressing this as a zero-sum
game: privacy versus public safety, industry versus
government. Too often I've seen the encryption issue
mischaracterized as one that is about enabling encryption
exporters to increase profits overseas. I am offended by the
notion that public safety should have to take a back seat to
short-term corporate opportunity; and so are the great majority
of leaders in the business community. In fact, I suspect that
there is a broader community of interests we share as
Americans that rests on the need to maximize all of these
goals. I think that it's fair to say that just about everyone here
in this room will benefit to some degree from the
government's ability to deal with encryption used by criminals
and terrorists. Law enforcement is already beginning to
encounter the harmful effects of encryption. For example, the
masterminds of the World Trade Center bombing were also
plotting to blow up 11 U.S.-owned airliners. Data regarding
this terrorist plan was found in encrypted computer files found
after the arrest of these terrorists, and their destructive plan
was never carried out.
Such counterculture use of encryption is not limited to
international terrorists. Child pornographers for example are
using encryption to hide pornographic images of children that
they transmit across the Internet. With the explosive impact of
the Internet and computers, we can only expect more cases like
that -- like this. And that's one reason why I sponsored an
amendment last year that became law with the Economic
Espionage Act, requiring the United States Sentencing
Commission to begin reporting to Congress this year on the
use of encryption to facilitate or conceal criminal conduct. I
will be very interested in seeing the results of that report, as I
am sure my colleagues are as well.
The law enforcement community -- locally, nationally
and abroad -- is extremely concerned about this serious threat
posed by the use of encryption by violent criminals, terrorists,
child pornographers, drug traffickers and the like since it will
prevent them from performing their public safety
responsibilities. On another score, corporate security
managers need to protect corporate information and
communications systems against industrial espionage, and are
increasingly turning to encryption as part of the answer. At
the same time they are concerned about the security of their
personnel and facilities in the face of criminal and terrorist
threats. Not to be overlooked is the concern that rogue
employees could use encryption as an electronic shredder and
hold companies hostage by encrypting corporate information
and withholding the encryption key.
Finally, our government has long used encryption to
protect vital government information systems. In an era of
information warfare, protecting the nation's critical
infrastructures against terrorists and other threats will require
the strategic use of encryption and other protective measures.
This subcommittee will have the opportunity to hear more
about this from the director of central intelligence, who has
offered to meet with us in closed session at a later date.
In light of these vital concerns, we need to stay
focused on the goal that I defined moments ago. That is, how
to get good encryption widely used without allowing it to be
used against society. I believe that we can and must define
such a balanced encryption policy so that our citizens and
businesses will continue to thrive as we enter the information
age, and I hope that our hearing today will be a step in that
direction.
Before I introduce our first witness, since Senator
Feinstein is not here, Senator Leahy, would you like to make
any comments before we begin?
SEN. PATRICK LEAHY (D-VT): I do have a few, if
I might, Mr. Chairman. And I put my full statement in the
record. But I commend you and Senator Feinstein for holding
this hearing, because there is a double-edged sword when you
come to encryption, and you reflect that -- it has both good
and bad use, and we have to figure out how we keep the good
and get rid of the bad.
We have the U.S. working group -- they're -- a
report by Dorothy Denning and William Baugh on behalf of
the U.S. Working Group on Organized Crime, concludes that
no one approach to encryption will be foolproof. And I think
one of the problems has been everybody has looked for a
foolproof approach, and there is none.
We're all worried about what happens when the
criminals use encryption to thwart police surveillance, or if
you have the spies or the terrorist group that you referred to --
not only here but other places -- that is a concern. And the
working group I think estimates a somewhere from 50 to 100
percent increase in the future of criminal groups using
encryption. This is all extremely unnerving in one way. But I
think if you maintain export restrictions on strong encryption
technology you are not going to have an answer by doing that.
The working group said that export controls do not keep
unbreakable encryption out of the hands of criminals entirely.
Export controls simply make the privacy and valuable
proprietary information of Americans and American
businesses more vulnerable to on-line theft and economic
espionage and other crimes.
The National Research Council's CRISIS report
recommended relaxation of export controls. Encryption we
know is an effective method for promoting intellectual
property. Senator Kyl and I are concerned about software
piracy and have sponsored legislation, the
Criminal Copyright Improvement Act, S. 1044, to
address the problem of large-scale wilful copyright
infringements on the Internet. But if you encrypt copyright
software so that only the legitimate users get access, that's one
way you combat that intellectual piracy.
But if you mandate, even coerce, the use of key
recovery encryption, that is not the solution. The working
group report points out that key recovery systems could
potentially be abused either by government or by the people
operating key recovery services. And when the administration
makes no secret of its efforts to promote adoption of a global
key recovery system so that governments around the world
will have access to the decoding keys, this concerns me
greatly. The working group report warns about the security
risks of this effort, stating, "it's hard to see how a global key
recovery infrastructure can avoid exploitation by organized
crime, especially considering the integration of organized
crime with governments, such as Russia. If key recovery is
adopted on a large scale, strong boundaries have to be created"
-- and so on.
It brought the same alarm the Leahy-Burns Encrypted
Communications Act, S. 376, pending before this Judiciary
Committee -- very strict requirements before you could
release any decryption key to a foreign government.
I think the administration put the proverbial cat before
the horse by promoting key recovery without having in place
privacy safeguards, defining how and under what
circumstances law enforcement and other users can get
decryption keys.
So I think this is a very important hearing. I look
back, Director Freeh, to when we had the digital telephony bill
before us, and I must say, Mr. Chairman -- had some
discussions with the director about this. We went to as secure
a venue as we could find, knowing how important this was.
And I will release a certain amount of secrecy here, Mr.
Chairman, by saying with that secure venue, with the dirt
roads near my farm in Vermont where for several days the
director and I would go out at the crack of dawn and go hiking
up and down miles of these dirt roads discussing encryption.
It's one sided -- he could discuss it with a great deal more
breath than I could, but we did this. And basically I raise the
fact that the digital telephony bill was a way -- which finally
brought this apparent -- we had from the left to the right, from
civil liberties groups, privacy groups, law enforcement,
telephone companies -- everybody was off in a different
direction. We finally got everybody into one room, and just
basically said, "Okay, how are we going to do this?" -- and
we did it. I think that's what you're trying to do, Mr.
Chairman, and I commend you for it.
I would also say, director, that while you were there of
course we had the terrible situation in New Hampshire and
Vermont with the firefight with Carl Drega who murdered four
people, two law enforcement officers, seriously wounded
John Piper (sp), Border Patrol agent John Piper (sp). You
and I went and visited him in the hospital. You recall that he
was barely able to speak -- all kinds of tubes going on him,
an oxygen mask, attended by his wife and lovely 10-year-old
daughter Hannah. I just want you to know that he went home
from the hospital and he is in much, much better shape. His
family tells me there's going to be a complete recovery, and
again they thank you for your taking the time to go and visit
him. And I thank you, Mr. Chairman.
SEN. KYL: Well, thank you, Senator Leahy. I
certainly concur with you that taking a walk in the beautiful
Vermont woods would be preferable to being in a stuffy
secure facility to discuss these issues -- and some by their
nature do need to be discussed in a classified setting. But
fortunately today we are able to discuss a great deal publicly,
and we are blessed to have as our lead-off witness the director
of the Federal Bureau of Investigation, Louis Freeh. We have
had the opportunity to discuss encryption policy with Director
Freeh during the course of prior hearings in this committee,
first at the FBI oversight hearing on June 4th, where the
director and I discussed the needs of law enforcement as
pertains to encryption; and, second, at the hearing on key
recovery infrastructure that the full Judiciary Committee held
on June 25th.
To set the stage for today's hearings, we've asked
Director Freeh to expound on how the use of encryption by
organized crime and terrorists adversely impacts the FBI's
very important role in preventing and investigating criminal
and domestic terrorist activity, as well as the bureau's vital
counterintelligence responsibilities. We're also eager to gain a
finer understanding of the way in which the FBI works with
corporate America in addressing their pressing security
concerns.
Before you begin, director, I would like to insert into
the record a compilation of letters from the secretary of
defense, the attorney general, the directors of the Secret
Service, Customs and Drug Enforcement Agency, the Bureau
of Alcohol, Tobacco and Firearms, the Office of National
Drug Control Policy and yourself, the International
Associations of Chiefs of Police and Attorneys General, the
National Association of Sheriffs and District Attorneys -- all
stating unequivocally that encryption policy must not
jeopardize national security and public safety. Without
objection those will be entered into the record, and on that
note, Director Freeh, we thank you. Welcome.
MR. FREEH: Thank you, Mr. Chairman. Senator
Leahy, good afternoon. It's a pleasure as always to be before
the committee. Let me echo Senator Leahy's compliment to
you, Mr. Chairman, for holding this hearing, continuing this
very important discussion and really supplying some
leadership with respect to an issue which is not a privacy
versus law enforcement issue, but really a public safety issue
balanced with the great commercial interests at stake.
Senator Leahy, as we did discuss on those dirt roads,
let me compliment you for your leadership in these very
difficult areas, going back as you noted to the digital telephony
problem which many people said could not be solved -- it was
too complex, it was too expensive. Nobody could agree to it.
And with your leadership you achieved a monumental piece of
legislation, as far as I am concerned, that balance the law
enforcement needs with the privacy needs -- in fact,
enhancing privacy concerns in portions of that bill.
When I became director just about four years ago this
week -- although it seems much longer at times -- I was told
by the technical experts and people who advise the FBI
director on these matters, that the issue at stake in the next
couple of years would be the continuing ability to conduct
court-authorized wiretaps and electronic surveillance, which as
everyone on this committee well knows is the most important
and efficient law enforcement technique -- not just in the
criminal area, but in the national security area. And it is a
technique which is not only the bailiwick of the federal
authorities. In 1996 51 percent of the electronic surveillance
orders in the United States were given to the federal
government. The other 49 percent were given to states and
local prosecutors and police departments. This is a universal
technique, and one which is reserved for the most difficult
cases -- the complex organized crime cases, crimes of
terrorism, crimes of financial complexity, violent crimes, and
on the local and state level kidnapping and other cases where
that particular technique is required because no other technique
can obtain the evidence for which there is probable cause.
I was told as I became the director that there were two
aspects to the threat against court-authorized electronic
surveillance. One was access, and that's the digital telephony
issue: Will the common carriers and the manufacturers build
systems and switches and software which will continue -- not
give, but continue to give us access per court order to
conversations of a criminal nature? We had had that ability
since 1968. The change from the analog system to the digital
system threatened to de facto take away that ability because
there would be no more alligator clips to snap on to
easy-access points, because switches would be made in the
software. Against a lot of doubt and a lot of resistance, this
Congress -- Senator Leahy in particular -- and many other
people working on that objective, solved this very complex
access problem. And although not completely resolved or
implemented, we are well on our way to solving that access
problem and preserving what is the single most important
technique in law enforcement and national security cases.
There is another side to the threat to electronic
surveillance, and that is the problem which encryption poses.
If we are able to access with a court warrant the conversations
of criminals and spies and terrorists, but we can't understand
it, or it's going to take, as my associate Bill Crowell (sp) says,
26 trillion years to decrypt a message bit, we're out of
business with respect to that technique. It is of little use to us
in the information age when the encryption is so robust that
even a court order -- even an order of an Article 3
constitutional judge, cannot access that on a real-time basis.
So that is the issue that we are now debating, and it is, as you
very well point out, Mr. Chairman, not a debate between
privacy and law enforcement; it's a public safety question.
And what the law enforcement components represented in the
letters that you've just entered in the record have said, is that
we are in favor of encryption. In fact, we are in favor of the
most robust encryption available.
We want the American companies -- the American
manufacturers -- to remain as they are now the dominant
industry in the world, controlling about 75 percent of the
international market. However, we say that we have to
balance that economic policy, which is a very important one,
with the public safety needs of the people that we are obligated
to protect -- both against criminals and against national
security threats. If we are unable to access and decrypt
real-time, with a court warrant in hand, conversations of criminals
and people who would commit horrible crimes -- even crimes
like the one that Senator Leahy refers to -- we will be hard up
to defend the country in many respects. That is why in my
previous testimony I have said that unless we have some
solution to unbreakable encryption we will be devastated with
respect to our ability to fight crime and terrorism. That is not
an exaggeration on my part; it is the consensus of many law
enforcement professionals and technical experts who have
studied this problem over many, many years. We seek and
request a balanced encryption policy -- one that will promote
robust encryption but will provide under very unique and
infrequent circumstances pursuant to a court order the ability
of my investigators or other investigators for state and local
authorities to go in and solve a kidnapping case -- to find the
victim, to prevent an act of terrorism, to dismantle an
organized crime group or a drug cartel. Without that technique
we will be unable to deal with that issue.
We also believe that the legislative approach is
necessary because we cannot leave to private industry the task
of solving this problem for law enforcement. We have an
interest for instance in communications in transit -- the actual
discussion of crimes by people for whom we have probable
cause to believe are committing crimes. Many people in
industry and many companies who are developing key
recovery systems on their own -- about 30 companies right
now -- are more focused on the stored-data aspect of this
issue as opposed to the in-transit communications which are of
immediate importance to law enforcement. So for that and
many other reasons we cannot leave the solution to the
business community, as some would suggest.
We do believe, as shown by recent events, that many
companies -- many responsible companies for very good
business objectives are developing their own key recovery
systems to protect the users of encryption so that they can get
access to their own products when deprived of those by other
criminals or people who would steal their secrets. So we do
believe that there is a legitimate policy role to be played by the
government and by the Congress in the form of legislation.
We have looked at the various pieces of legislation that
are before the Congress, both in the House and the Senate.
We think that parts of all of them represent objectives for
which we would agree. The control of encryption, depriving
criminals from the use of encryption in the commission of
criminal acts, restrictions on the government with respect to
accessing and decrypting materials. However, none of those
bills in my opinion give law enforcement the minimal
safeguards which it needs to preserve this technique and use it
effectively.
We believe that what is necessary more than anything
else right now is this balanced approach between robust
encryption and legitimate court-authorized access. And I don't
think that we should be deluded by the argument that the genie
is out of the bottle, there is nothing we can do -- it is
hopeless. They said that actually about digital telephony
problems back in 1994. We think that a key recovery system
can be established, that the government can promote it on a
voluntary basis. Industry, which is already in many respects
constructing such an infrastructure, will respond to that
support, and that we can create the ability to protect people in
the 21st century. We are not arguing, nor have we ever
argued, that we are going to have a 100 percent perfect
solution. That's not the case. John Gotti never implicated
himself on a telephone conversation with one of his
confederates, because he was aware of the fact that law
enforcement agents might be listening to that, and he took
precautions to protect himself. Drug cartels, organized crime
organizations, terrorists, take similar precautions to protect
themselves. They will kept encryption that will not be
accessible in any key recovery context. They will do that, and
they do it right now. But what we cannot afford to do is reach
a situation where all of the potential access points for a
court-ordered access are denied to us because what is proliferated is
robust encryption without a key recovery infrastructure,
without any points of access or interest where a court order
can be effectuated.
We think that the Senate bill, the 909 bill, which comes
the closest to meeting law enforcement's minimal needs, is an
outstanding initiative -- an attempt to deal with this very
difficult problem. We have worked, and we will look forward
to working very closely to add to that bill what we believe to
be necessary accommodations for law enforcement, and ones
which will give us a more balanced approach.
The problem with respect to encryption cannot be dealt
with merely in the context of export controls. Encryption
products limited by export controls do relate directly to the
national security and foreign policy interests. However, law
enforcement, as it must be in the United States, is more
concerned about the significant and growing threats to public
safety which could be caused by the proliferation and use
within the United States of a communications infrastructure
that supports the use of strong encryption but does not support
law enforcement's immediate decryption needs. So we are
looking to the Congress, as in all the letters reflected in the
record now, for some type of assistance with respect to
protection against unbreakable domestic encryption. And we
have noted, as I did in my testimony in 909, some very
positive initiatives in that direction.
You gave in your opening statement, Mr. Chairman,
several examples of cases where criminals -- pedophiles,
terrorists -- have begun to take advantage of the encryption
technology to the detriment of law enforcement, as well as the
people who are ultimately victims of those acts. We could cite
many others to you. Recently a DEA electronic surveillance
order was completely frustrated by the use of encryption by
the subjects of that surveillance. Although there are now very
few instances of these types of impediments, our own
experience, and our experience from talking to our state and
local counterparts, is that this is really just the tip of the
iceberg. This is the opening of the window which unless
addressed at this point will pose for us in the very few years
ahead substantial problems and impediments in the execution
of court orders -- not our own orders, but orders signed by
judges who have found probable cause for us to seize
communications or records. Without some decryption ability
those records will become meaningless because nobody will
understand them in time to use them in an appropriate way.
Over the past few years, law enforcement has grappled
with this issue. It is one of the few issues where I can say that
there is unanimous agreement not just on the federal level, but
on the state and local level -- by the Sheriffs Association, the
International Association of Chiefs of Police, who passed a
resolution in this regard -- it's going to be a subject of their
convention next month in Orlando -- the National Association
of District Attorneys, representatives of literally hundreds of
thousands of law enforcement officers around the country who
have depended vitally on the effective use of court-authorized
electronic surveillance to perform their very difficult jobs in the
most dangerous cases. We will not be able to protect the
country in the way that we are expected to do it, in the way
that we have done it, if we lose this technique.
We are not asking for any new powers or any new
authorities. That's another misnomer which I am happy to
correct once again. We rely for our request on the Fourth
Amendment to the Constitution, where the framers in 1791
balanced the privacy that people were entitled to in their houses
and their papers with the legitimate need of law enforcement,
upon a showing of probable cause, to a federal judge in this
case, the ability to breach that privacy and security because the
commission of a crime or the planned commission of a crime
have such a great impact on the safety and the society of the
community that the framers decided that upon a sufficient
showing of probable cause and the issuance of a court order,
that privacy expectation would be overcome and we would be
allowed to seize evidence of a crime.
We're not asking for new authority to seize any
conversations or papers. The (broad?) requirement would still
be maintained. We would still have to procure an order from
an Article III judge to seize a paper or a conversation. But we
would also then be entitled to understand what we've seized.
If we can seize it but we can't understand it, it becomes a
(nullity?) and, de facto, we lose that power of search and
seizure which we've had, which the country has had since
1791, balanced very carefully against privacy and the
expectations of privacy.
So I want to say one more time that we're not asking
for any new powers or new authorities. We're asking for a
Fourth Amendment that works in the information age. When
it was designed by the framers, they didn't contemplate,
obviously, digital telephony and encryption. I think to deprive
law enforcement of that power, that constitutional power,
would be a dramatic alteration not only in the Fourth
Amendment but in the ability of law enforcement officers to do
their job pursuant to (warrants?).
There is nothing in any of the recommendations that
the government has made which enlarges or expands our
powers in any way. What it does, quite frankly, is ensure that
the powers that we've used for over 200 years, controlled by
courts and juries ultimately, are powers which will be viable
and relative in an information age when people are using
120-bit encryption.
As my friend in the NSA tells me, to break 120-bit
encryption, it would take 26 trillion times the age of the
universe to decipher one criminal bit or one message bit in
order to respond and take some appropriate action. We can't
function that way. If the decision is made that electronic
surveillance and court-authorized electronic surveillance is
important but not as important as the commercial interests
which go with robust and unbreakable encryption, it seems to
me that's a decision that the Congress could make and the
country could make. But I think it would be an ill-advised one
and that we would be paying the price for many years to come
for the deprivation of what have proven to be the most
important law enforcement techniques, and techniques which
are very well controlled.
There's no argument and there's no body of proof,
even a small portion, which shows that the federal, state and
local prosecutors and agents have abused electronic
surveillance. In fact, as I (mentioned?), in 1996 there were
only 1149 electronic surveillance orders in the whole country.
That's adding up state, local and federal.
This is a very unique and very infrequently used
technique. The impact, however, is that it's used in the most
important cases. It was used in the case up in New York
where individuals were planning to blow up the Holland
Tunnel and several bridges and infrastructure in New York. It
was used in other cases where people were going to blow up
airlines in the Pacific. It's used routinely by state and local
authorities in kidnapping cases, extortion cases.
We want to preserve that technique. Obviously we
want to balance it against the legitimate privacy and
commercial interests, and we think that the best way to do that
is legislation which achieves that balance. And except for 909,
the other pieces of legislation don't, in my view, attempt to
balance those two interests at all. In fact, they're completely
one-sided with respect to the commercial interests.
So we're ready to work, as we have done, with the
committees, with the industry, to try to resolve the situation. I
think Senator Leahy is right. If everybody sits down and
maybe locks themselves in a room, I think they can agree on
something. But I think if we don't, the country is going to
pay the price in the years to come.
SEN. KYL: Director Freeh, thank you very much. I
indicated that Senator Feinstein was delayed somewhat at the
beginning of the hearing. Senator Feinstein, if you'd like to
make any comments now before we question Director Freeh,
this would be the time.
SEN. DIANNE FEINSTEIN (D-CA): Thank you
very much, Mr. Chairman. I would. I thank you for holding
this hearing and for your interest in the subject. Coming from
California, at least trying very hard to represent a huge and
burgeoning Silicon Valley industry, this whole issue is a very
key and critical one.
I've heard Director Freeh testify on this issue, I
believe, twice before. And if I may venture, I think his views
are fully representative, almost without exception, of the entire
federal, state and local law enforcement communities of the
United States. And I think they have to be given considerable
weight and due diligence.
I, for one, am very concerned. Director Freeh, you've
pointed out where encryption has been used successfully by
terrorists, whether it's the Aum Shinrikyo cult in Japan or the
Manila situation with the airlines or the New York situation.
Also in California it was used in a multi-county gambling
enterprise. I understand the Cali drug cartel uses encryption
with some of its personnel sources or personnel statements.
You've mentioned that you think one bill comes close
to providing some of the guarantees that we need. The bottom
line is I think probably nothing other than some form of
mandatory key recovery really does the job. The situation that
I have always had when I talk about this is, "Well, how can
we compete, then, with other countries that don't have these
requirements?"
I mean, I, for one, believe that the public safety issue
is a paramount issue because everybody's going to stop using
the telephone or any other forms of communication to
participate in an act of complicity to commit a crime and use an
encryption system on a computer. I mean, that's going to be
kind of (de rigueur?) unless we have some methodology, and
two, some infrastructure that's able to protect everybody's
rights -- the right to privacy as well as the right, as you've
pointed out, for a judge to give an order and for law
enforcement to be able to punctuate that encryption system and
pull out of it what it needs to break an important case.
Whether this can come from something short of
mandatory key recovery, I don't know. But I think in effect,
Mr. Chairman, this is our challenge. And I suspect we think
very much alike on this issue. So I look forward to the
testimony. And I won't go on now because I have some
questions after you ask yours that I hope Director Freeh would
be willing to come forward and state with some specificity in
what he thinks could provide this kind of balanced system that
can protect privacy rights as well as public safety.
SEN. KYL: Thank you very much, Senator Feinstein.
Once again, you and I are in complete agreement. And I also
would underscore a point you made, and that is that the letters
which I did insert in the record prior to your arrival uniformly
state the position that Director Freeh has stated here. He noted
that, and in his testimony indicated that the federal and state
law enforcement is unanimous in its view that there needs to
be this balanced approach of which he spoke.
I would like to begin by going directly to the question
that you just posed and ask it very specifically. Director
Freeh, in your prepared statement, and I'll quote from it, you
say that S. 909 -- and incidentally, before I do that, let me
compliment my colleague, Senator McCain from Arizona, as
one of the two key authors of that legislation; the other, the
ranking member of the Intelligence Committee, Senator
Kerrey, the Intelligence Committee on which I also sit.
Both of those senators have tried very hard to achieve
this balanced approach, and they've been pummeled pretty
hard, particularly by one side, which believes that the
legislation should be perhaps more oriented toward the
commercial interests. But I want to compliment both of them,
and in particular my colleague from Arizona for his efforts
here.
But you say in your testimony that S. 909 still does not
contain sufficient assurances that the impact on public safety
and effective law enforcement caused by the widespread use of
encryption will be adequately addressed. What are law
enforcement's needs in this specific regard, and how can the
proposals put forth in S. 909 be improved to meet those
needs?
MR. FREEH: Senator, the main concern, as I
expressed in my testimony, for myself and my state and local
colleagues is domestic access pursuant to a court order. We
believe that some export controls are necessary for national
security reasons and otherwise. But the bulk of our work and
the entire majority, for the most part, of state and local efforts
are going to be focused on the domestic use of encryption.
What we would recommend from a law enforcement
point of view is that the legislation contain a provision that
would require the manufacturers of encryption products and
services, those which will be used in the United States or
imported into the United States for use, include a feature
which would allow for the immediate, lawful decryption of the
communications or the electronic information once that
information is found by a judge to be in furtherance of a
criminal activity or a national security matter.
There are a number of ways that that could be
implemented, but what we believe we need as a minimum is a
feature implemented and designed by the manufacturers of the
products and services here that will allow law enforcement to
have an immediate lawful decryption of the communications in
transit or the stored data. That could be done in a mandatory
manner. It could be done in an involuntary manner. But the
key is that we would have the ability, once we have the court
order in hand, to get that information and get it real-time
without waiting for what it would take for a supercomputer to
give us, which is too long for life or safety reasons.
SEN. KYL: Now, S. 909 currently calls for a
voluntary system of key recovery use so that, theoretically,
two members of a drug cartel could communicate in an
encrypted way without ever taking advantage of the system
that has a key recovery system in it. On the other hand, for
most communication or data storage that exists, sooner or later
even criminals tend, for convenience sake, to need to use the
system. And in those situations where they're using a system
where voluntarily key recovery has been provided, then law
enforcement would have access to that.
As I understand it, what you are suggesting here --
and I am aware, by the way, that the Department of Justice,
the FBI, private industry, many other folks, are trying to work
together in a way to find just exactly the right language to
approach this issue. And I appreciate your efforts and urge
you to continue that effort.
As I understand it, what you are suggesting here is that
whether or not the legislation requires, in a mandatory way, a
key recovery system, as it would in the limited situation where
a government contractor is dealing with the federal
government, or whether it's voluntary, as it is for everyone
else under S. 909, in either case, at least the manufacturer
would have to build into the system the capability for a key
recovery system, should the users decide to take advantage of
it. Is that correct?
MR. FREEH: That's very -- it's very accurately
descriptive of what I meant. It's like -- maybe this is a bad
analogy, but an air bag in a car; that the manufacturer is
required in some states and federally to provide it, and now
there's discussions about giving the user the ability to activate
it or deactivate it, depending upon their own assessment of its
efficacy and their safety needs. And I think we're talking
about something very similar.
SEN. KYL: I remember back in the early days when
you could buy a car that either had the tape deck in it or not.
But if you didn't want to buy the tape deck, there was kind of
a blank hole in the dashboard, but at least you could put it in
there if you wanted to. And that's similar to what you're
suggesting here.
MR. FREEH: Yes. I think the legislation has to begin
by requiring the manufacturers to have the feature available
and then take up the larger and maybe more complex
discussion about how that's enabled. Is it done voluntary by
the user? Is the network provider of the service required to
have that immediate decryption ability because they're
providing a public service? And there's a lot of permutations
of that which we're trying to work through. But the key
concept -- you've hit the nail right on the head, Senator.
SEN. KYL: And this would be a much easier and less
expensive requirement in the production of the systems, would
it not, than that which was required in the digital telephone
legislation, which actually required constructing a pretty
sophisticated system by the system constructors?
MR. FREEH: Yes, I believe it would be much more
cost-effective and much more efficient. In that system, the
government set standards for the industry to build to and said
it would pay them so much money to retrofit systems that
didn't meet those standards. Here we're not saying the key
recovery standard X, Y, Z. We're telling the manufacturers
that they need to have a feature that would allow immediate
decryption, and they can do that in the cheapest, most efficient
way that they can design. And I think they can do that fairly
easily.
SEN. KYL: I appreciate it very much. Is there
anything else that you wish to add in terms of suggestions for
improving S. 909? Again, I know you're still working on this
and you may want to wait for another opportunity to expand.
But if there's anything else that you'd like to add at this time,
I'd invite you to do so.
MR. FREEH: Senator, just the point that I made
before, that I think it's a worthwhile issue for discussion to
look at whether network service providers should also be
required to have some immediate decrypting ability to respond
to a court order. We work, as you know, particularly in the
pedophile cases, with on-line services who give us, when we
run up against encryption, court-authorized access to
information that is the subject of crimes. And that deals in
many respects with our problem, particularly as networks
proliferate and more and more people use them for
communications. It also maintains the court-authorized
requirement and it also gives us the balance that I think is
required in a policy that's going to work.
SEN. KYL: And a final point I would make; you've
made it over and over, and yet whenever I discuss this, people
seem to misunderstand. In no way are you asking for any
additional legal authority for either seizure or wiretap. Is that
correct?
MR. FREEH: That's correct, Senator. I mean, maybe
as an example -- I've used this once or twice before -- right
now, if we have a search warrant, we have probable cause that
someone in a residence, for instance, has evidence of an
ongoing past or future crime. The judge signs it. We go into
the residence and, say, in the garage or not in the main
structure, we find a box or a safe.
Many assistant U.S. attorneys -- and I did this myself
when I was one -- (inaudible) -- might go back to the court
and get another warrant to go inside the safe box on the theory
that it was not within the scope of the original warrant and the
expectation of privacy might be different; all those legal
arguments.
What we're talking about here is maybe two warrants.
We're going to have the authority to seize the evidence,
whether it's a conversation or stored data. And now we need
another warrant to unlock what we've already seized, because
if we don't know what it means, it doesn't make any sense.
So we're not asking for any additional authority. We're
maybe going through the requirement two times, which
actually gives people more protection.
SEN. KYL: I think the way you put it was asking for
a Fourth Amendment that works in the information age.
MR. FREEH: Yes, sir.
SEN. KYL: I thought that was a good way to put it.
Senator Feinstein?
SEN. FEINSTEIN: I have three questions, if I might,
Mr. Chairman.
Presently today, U.S. countries can export 56-bit
technology only if they've pledged to develop key recovery
systems within two years. And the McCain-Kerrey legislation
eliminates export restrictions on 56-bit products, 56-and-
below products. My question is, do you favor this?
MR. FREEH: I think if it's balanced with a key
recovery system, particularly one which domestically gives up
some immediate decrypting ability under a court order, I do
favor it. I think it's --
SEN. FEINSTEIN: So you would say, though, that
you favor it if there is a key recovery system --
MR. FREEH: Yes, ma'am.
SEN. FEINSTEIN: -- only.
MR. FREEH: Exactly.
SEN. FEINSTEIN: Okay. Now, let's go to 128-bit
encryption products that do not have key recovery. They're
currently exported from other countries or imported from other
countries to international customers. And they're also
available domestically. What would your position be there?
MR. FREEH: Well, if we had legislation that required
the immediate decryptability of any product used, sold or
distributed in the United States, our domestic law enforcement
interests would be protected. If we did not have such
legislation, obviously the introduction of that type of robust
encryption into the United States without any key recovery
requirement or decryption ability would be very, very
dangerous for us. We would not be able to, with a court order
in our hands, decrypt or understand those algorithms.
Now, it works both ways. Many other countries --
France, Russia and Israel in particular -- have outlawed the
importation and use of encryption in their countries because
they have recognized the same public safety issues that we
have. I think once countries that began that type of
exportation, particularly the United States started to export
those types of products overseas, you would see great
resistance from many other countries.
SEN. FEINSTEIN: Again, I tend to agree with you.
Let me go to my third question. I don't see how anything
short of mandatory key recovery accomplishes your purpose.
Am I correct? Or if not, what specifically would accomplish
your purpose? A voluntary system doesn't accomplish your
purpose because the Cali drug cartel isn't going to participate
on a computer with a voluntary key encryption system.
They're going to go to one that doesn't have one. So how
does anything short of mandatory key recovery solve the
problem?
MR. FREEH: Mandatory key recovery, to the extent
that it was implemented, would be the best law enforcement
solution. I would not be candid with you if I told you
anything other than that.
SEN. FEINSTEIN: No, I'm just saying not solution.
How does -- it can't solve the problem. I mean, it's a step
forward. Anything is a step forward. But it still is a massive
loophole that everyone would take use of.
MR. FREEH: But there are massive loopholes right
now. I mean, from person to person, from cartel to cartel, the
encryption products which would defeat law enforcement are
available and are used. Our concern is that if we have mass
proliferation of unbreakable encryption, there are no
infrastructures that are established to find some recovery
points along the chain of information flow or storage.
If the government of the United States, which is the
largest consumer, I think, of encryption products
domestically, doesn't require key recovery in the products it
buys, if we don't ask our on-line services for access, if we
don't do all the things which are doable, in my view, then
nothing is going to work because there are going to be no
alternatives to access.
I think we can design a system short of mandatory key
recovery which will work certainly better than no system at all.
And I think the precepts of 909 and some additions which
could be added thereto will give law enforcement at least a
fighting chance, which is really what we're asking for in this
context, to keep a technique which is very valuable.
I don't think we'll ever solve the problem 100 percent.
There are loopholes now. There will be loopholes even with a
mandatory key recovery system. What we want to try to do is
design an infrastructure which will give us as many access points
for that court order as possible. And that's the end game that
we're involved in right now.
SEN. FEINSTEIN: See, I think that there's a very
realistic concern. You know, if you have information that
somebody is using computers to practice terrorist acts, it
seems to me the ability to go to a judge, get a court order and
be able to punctuate that computer in a timely way is really
where the public safety is going to be met in a positive way.
And what I'm kind of concerned about is that every
time anybody talks about mandatory key recovery, it's as if
it's something terrible, when the whole world and everybody
else really ought to come to grips with cyberspace as a whole
new communication system, and not to afford the same rights
for law enforcement in cyberspace that they have with the
telephone. It's going to just create enormous problems
downstream.
MR. FREEH: Senator, I agree with you.
SEN. FEINSTEIN: I mean, I tend to be very robust
on the side of having a system which exists for every
computer that it cannot be used for criminal purposes without
at least some degree of penetration.
MR. FREEH: Yes. No, I agree with you.
SEN. FEINSTEIN: But you're being so nice about it,
and so kind of --
MR. FREEH: Well, I would use the word practical.
SEN. FEINSTEIN: Maybe you have been beaten up
more than I have so far. (Laughter.) I don't know.
MR. FREEH: The -- the position that I think we are
left to is -- look, if I could convince everybody in this town
-- I mean, everybody in this town -- that we needed
mandatory key recovery, and that that was something doable, I
would certainly work very hard in that regard. I -- my sense
is and my experience, having worked on this for three or four
years, is that that is not the case -- for very good reasons
people of good faith with legitimate arguments not being able
to universally accept that system. So --
SEN. FEINSTEIN: Could you go into those reasons
--
MR. FREEH: Sure --
SEN. FEINSTEIN: -- that you feel are the good faith
reasons?
MR. FREEH: The good faith reasons are that it would
retard American industry. As you pointed out, somebody
overseas faced with a product that has an embedded security
feature in it, or one that does not, is going to pick the latter
product. I don't think that's the case myself. I think people
buy software for spreadsheets and other features, and not out of
concern for embedded security
features. Every time we pick up our telephone we know that if
somebody -- a sheriff or FBI agent has convinced a judge that
we are using that phone for criminal purposes somebody is
going to be listening and recording every word that we make.
But we still use the phone. In fact, people still use the phone
even in the commission of crimes -- because it's a convenient
and available and exclusive infrastructure and network that
they have to use.
Another argument is that it's a violation of privacy
rights. I think that's a bogus argument. Nobody is
advocating or suggesting access to encrypted information
unless there is a predicate finding by a judge that somebody is
committing a crime or about to commit a crime. I think there's
a lot of arguments that, you know, are made in good faith and
because the objectives of that particular position support that
argument.
But we are talking about, as I think you very accurately
described, is a new technology, a new environment, a new
century, and people are going to be communicating on the
Internet as they communicate now on telephones. So what we
are saying is let's transport the Fourth Amendment from the
18th century to the 21st century, maintaining all the protections
that the Framers guaranteed in that amendment. We are not
advocating anything different. But the technology is going to
require real-time access, which we will not get in a system that
abandons the argument that we need a balanced policy here.
SEN. FEINSTEIN: So if it weren't -- if those points
could be satisfied, the two sort of good faith points you've just
raised, either in an international agreement or some other -- in
some other manner -- mandatory key recovery you think
would be acceptable to everyone?
MR. FREEH: Yes. Yes, I do.
SEN. FEINSTEIN: Thank you very much.
SEN. KYL: Thank you, Senator Feinstein. That's an
excellent point.
I would like to just ask one final question. We are all
absolutely committed to the protection of our constitutional
rights. And, by the way, encryption helps to advance the
rights of privacy that are at least implicated in the Constitution
-- or implied. Absent the ability of law enforcement to use
traditional law enforcement techniques of being able to tap a
computer just like you would tap a telephone, if a judge is
convinced that you have cause to believe a crime is being
committed, is it not true that actually constitutional rights could
be -- I don't want to use the word "jeopardized" -- but at
least under somewhat more threat by virtue of the kinds of
techniques that law enforcement would have to resort to? In
other words, if you -- if brute force techniques don't work, and
you've certainly made that point, and others have made the point
too -- and you don't have this ability through key
recovery, what other options do you have for conducting
authorized surveillance, and what are the implications of those
options to people's personal privacy?
MR. FREEH: Well, I think the implications are very
serious. Let me just give you the example of a --
SEN. KYL: Or also the risk to law enforcement --
MR. FREEH: Yes --
SEN. KYL: -- which I think is also in play.
MR. FREEH: If we convince a -- we convince an
Article 3 judge that someone is using their phone to commit a
crime, judge issues an order which we serve on the telephone
company, which allows us access to hear those conversations
-- a key part of the judge's order is what they call the
minimization provisions, which mean if during the course of a
conversation the monitors determine that this is an innocent
conversation, not related to the crimes which are predicated in
the court order, they shut it off -- they turn it off and maybe
they put it on four or five minutes later to spot check to see if a
criminal conversation is now taking place. The reason for that
is very obvious. It's to limit the intrusive use and impact of
that technique -- the same with the microphone surveillance.
If the only way we could get access to decrypted information
would be a court order which allowed an intrusion into
someone's home or office so an agent could literally stand
over the shoulder of the operator to see what was being
decrypted, that would be an entirely larger intrusion -- both
personally and I think also in its constitutional impact. It
would also be very dangerous for the law enforcement agents
if every time they wanted to get access to decrypted material
they had to do things which would expose them to greater risk
and greater harm. So I think both from a constitutional
protection point of view and a law enforcement safety point of
view this is maintaining what we currently use to minimize the
surveillance of innocent conduct, but also to enable our agents
to work out there safely.
SEN. KYL: Thank you. Senator Feinstein, did you
have anything else at this point?
SEN. FEINSTEIN: No, I have no other questions.
SEN. KYL: Senator Leahy will not be able to return,
but would like to submit some questions. And I will simply
announce for the record that we will keep the record open for a
reasonable time here. And certainly Senator Leahy will be
permitted to submit questions, and he may provide some to
you, Director Freeh.
Once again we thank you very, very much for your
testimony here. I want to personally compliment you for your
dedication to this, for trying to come up with the best answers,
for your commitment to the Constitution -- but also for the
protection of the people of this country -- protection that has
been entrusted partially to you. I commend you for your
service and appreciate your testimony today.
MR. FREEH: Thank you, Mr. Chairman. Thank
you, Senator.
###