Newsgroups: sci.crypt
From: Danny Weitzner
Subject: Summary of House Cryptography Export Controls Hearing
Date: 13 Oct 1993 15:14:12 GMT
Organization: Electronic Frontier Foundation
Message-ID: <29h604$9jj@kragar.eff.org>
Lines: 106
Distribution: world

October 12, 1993

House Foreign Affairs Committee
Subcommittee on Economic Policy, Trade, and the Environment
Hearing on mass market cryptography and export controls
Rep. Sam Gejdenson (D-Conn.), Chair

[A hopefully informative and probably biased account of the hearing by EFF]

Committee Members present: Gejdenson, Cantwell (D-Wash.), Fingerhut (D-Ohio), Rohrabacher (R-Calif.), Manzullo (R-Ill.)

Witnesses:

PANEL 1 (Open)
J. Hendren, Arkansas Systems (A data security firm that does a lot of international banking work)
Ray Ozzie, IRIS Associates for Business Software Alliance (Lotus Notes developer)
Stephen Walker, Trusted Information Systems for Software Publishers Association
Philip Zimmermann, PGP developer
Don Harbert, Digital Equipment Corp.

PANEL 2 (Secret Session)
NSA representative

Opening Statement of Gejdenson:

"This hearing is about the well intentioned attempts of the National Security Agency to try to control the uncontrollable.... The NSA itself acknowledges that if you have a long distance telephone line and a modem, you can send this software anywhere in the world. If you have a computer and a modem you can take this software off of the Internet anywhere in the world.... I do not question the value of the information sought by the National Security Agency. But once it is determined that the dispersion of this software cannot be controlled, then however much we might want to protect our ability to obtain information, it is beyond our means to do so. Just as in the case of telecommunications, the National Security Agency is attempting to put the genie back in the bottle. It won't happen; and a vibrant and productive sector of American industry may be sacrificed in the process."

The main points raised by witnesses were these:

1. DES and other strong encryption which is barred by ITAR is in the public domain and available on the global market from foreign software manufacturers:

-Ray Ozzie used his laptop and a modem to show how to get a DES implementation from ftp.germany.eu.net. The committee loved it and most of them seemed to understand what was going on on the screen, even though they had never heard of ftp.

-Stephen Walker described the results of an SPA study which uncovered over 250 cryptography packages which offer DES-based or stronger algorithms.

-Phil Zimmermann testified that he designed PGP from publicly available information.

2. Foreign DES implementations are just as good as US versions.

Surprisingly enough, this is a contentious issue. Some members of the committee seemed to have been told by someone or another that foreign versions of DES may not be as strong as those that are made in the USA. If this were true, then export controls might still be justified despite the numerous foreign versions of DES on the market. In my view, this is a pretty desperate argument.

-Steve Walker demonstrated that all DES works the same way by encrypting a passage from Mozart's Eine Kleine Nachtmusik with several different foreign DES packages, and then decrypting them. Surprise! They all sounded just the same.

3. Lots of money is being lost by US software/hardware vendors:

-Don Harbert from DEC told of losses of over $70 Million in just the last few months.

-BSA estimates that export controls exclude access to a global market that is $6-9 Billion.

4. People want their privacy

-Phil Zimmermann told the committee about his experience with PGP users and how badly people need and want to protect their privacy in electronic environments.

Committee Responses:

Overall, the committee was quite sympathetic to the witnesses. Chairman Gejdenson seemed very supportive of changing export controls. Rep.
Dana Rohrabacher, no flaming liberal, said, "the cold war is over. I sympathize with everything that has been said here."

Danny Weitzner
Senior Staff Counsel, EFF
+1 202 544 3077