Congress Unscrambles Encryption Bills

By Anne Gallagher, Contributing WriterWhile Congress muddled through passage of year 2000 legislation, much remains on the information technology agenda for the rest of the year, including a battle over how far to lift export controls on encryption technology, an issue sure to heat up in the coming weeks.The Senate cleared the way for President Clinton to sign the Y2K liability limits bill when it pushed through the conference report on HR 775, after many last-minute negotiations and compromises before the July 4 weeklong recess. During conference, the Senate and House made many major changes to the bill.Legislation on the export of encryption technologies may prove just as difficult to pass as the Y2K bill. Congress will take up the encryption legislation and other unresolved IT-related issues before its next recess in late August.The House and Senate Commerce committees last month approved bills that would permit U.S. computer companies to sell enhanced encryption software overseas. The government currently restricts export of encryption stronger than 56 bits. However, the IT industry and supporters on Capital Hill want to see more flexibility. They argue that as technology advances, many businesses are at risk of having their valuable data compromised by insecure transmission. As that risk grows, so does the desire for better encryption capabilities.Although the House and Senate Commerce committees have minor differences in their respective encryption bills, there are no major sticking points, and the bills largely are favorable to the IT industry.The Senate Commerce Committee bill, the Promote Reliable On-Line Transactions to Encourage Commerce and Trade Act, S 798, creates an encryption export advisory board that would review exports and make judgments on sales to allied countries. The House Commerce Committee's version, the Security and Freedom Through Encryption Act, HR 850, requires the Commerce secretary to consult with Defense Department and Central Intelligence Agency officials before allowing cryptographic exports. However, several lawmakers said these bills would not be enough to protect military sensitive technology from falling into the wrong hands.While the legislation represents a victory for software providers and the IT industry, the encryption export fight is far from over. Moves to ease restrictions in the next few weeks are likely to draw harsh criticism from the Defense Department and congressional defense and intelligence committees. The congressional defense committees slated to take up the bills this month are not favorable to the legislation, suggesting a stumbling block awaits the industry lobby, which wants the bill passed.House Armed Services Committee Chairman Floyd Spence, R-S.C., warned at a recent hearing that HR 850 would create as many problems as it may solve."I believe that removing controls on the export of strong encryption products will significantly weaken the ability of the United States to protect its citizens against terrorists, drug dealers and other criminals in the future," Spence said.Deputy Defense Secretary John Hamre and National Security Agency Deputy Director Barbara McNamara also urged against the bill's passage at a recent House Armed Services Committee hearing."If enacted, the bill would effectively decontrol most commercial computer software encryption and specified hardware encryption exports to all destinations, even regions of instability," McNamara said. "It would also deprive the government of the opportunity to conduct a meaningful review of a proposed export to assure it is compatible with U.S. national security interests, and would also eliminate the ability to deny an export application if national security concerns are not adequately addressed."The House bill mandates the immediate decontrol of most commercial computer software encryption and specified hardware encryption exports after a one-time, 15-day technical review. It also eliminates encryption export controls if comparable products are available on the foreign market.Industry officials argue that there is no advantage to keeping the export controls in place. And, during the last year or so, the White House has been receptive to relaxing several controls.For example, in June 1997, Netscape Communications Corp. and Microsoft Corp. received permission to export software with encryption keys of up to 128 bits in length used exclusively for banking and financial transactions. Also, the Clinton administration has lifted controls on encryption products with key lengths up to 56 bits. And strong encryption products of any key length are now allowed to be exported, license-free, to several sectors of industry in 44 countries.While the defense committees are sure to put their mark on the bills, in the end it is likely that some form of expanded decontrol will move through Congress before year's end. Senate Appropriations Committee Chairman Ted Stevens, R-Alaska, recently said he feels like a one-man band fighting against those who want to relax the encryption export controls in the Senate. Stevens admitted he lacks the support to try to filibuster any bill that may come to the floor in the coming weeks.