A bill that would relax the current federal policy on exporting data-security technology sailed through a House subcommittee this week and appears to be gaining momentum - despite a constant drumbeat of dissent from the Justice Department and concerns about the criminal penalties in the bill.
Assistant Attorney General Andrew Fois wrote to members of the House Judiciary subcommittee on Courts and Intellectual Property this week urging them to oppose the Security and Freedom through Encryption Act, saying, "The bill would severely compromise law enforcement's ability to protect the American people from the threats posed by terrorists, organized crime, child pornographers, drug cartels, financial predators, hostile foreign intelligence agents, and other criminals."
That's an impressive list of bad guys. But it's not likely to slow down the bill, which now has 79 co-sponsors - including a majority of the members on the full Judiciary Committee, its next stop, said a spokesperson for the bill's sponsor, Republican Representative Bob Goodlatte of Virginia. The only crack in support for the SAFE legislation was an announcement this week by Representative Gerald Solomon (R-New York) that he was withdrawing from the roster of sponsors because of Justice and Defense department concerns.
Why is a law-and-order club like the Republican Congress not heeding prosecutors' warnings of doom? The best guess is that the law straddles two bread-and-butter themes: It defines a new class of digital felony, so members can look tough on crime. The clincher is the argument, made both on Capitol Hill and by the encryption industry, that a looser approach on cryptography export is needed to keep US firms competitive.
"The bill has the law-enforcement provisions in it," said Ellen Stroud, a Goodlatte aide. "We are trying to fight crime, and trying to prevent crime by letting people protect their information. We've addressed those concerns up front."
SAFE would roll back the administration's current policy of mandatory key escrow for exported encryption products and would lift restrictions on the strength of encryption that can be exported. This means that data-security companies wanting to compete on the global market would be able to offer the strongest encryption possible. Administration officials say this would undermine public safety and national security because law enforcement could not crack crucial data regarding, for example, a planned terrorist attack, much in the same way national security agencies use wiretapping.
"The bill discourages formation of a key management infrastructure that addresses the needs of public safety, economic security, and privacy," Fois said in his letter.
Last month, the Clinton administration floated a draft bill to members of Congress that would uphold the current federal policy on exporting encryption (no data security technologies stronger than 56-bit encryption can be exported), and would all but require participation in a key-management system. So far, no one has stepped up to sponsor the proposal.
And though a coalition of Net liberty advocates has urged the Judiciary Committee to reconsider provisions that create penalties for using encryption to further a crime of up to five years in prison for a first offense, and up to 10 years for a second offense, they say the bill is a good framework for the development of electronic commerce while improving individual privacy.
"This bill does not prohibit key recovery, but it does prohibit key recovery by law enforcement, which is good from a privacy standpoint and an important distinction to make," said Jonah Seiger of the Center for Democracy and Technology. "SAFE expands the current law in a not insignificant way, though there is no such thing as perfect legislation."
