Search Terms: personal w/5 information w/5 privacy, House or Senate or Joint
Document 259 of 261.
Copyright 1999
Federal News Service,
Inc.
Federal News Service
View Related Topics
MARCH
4, 1999, THURSDAY
SECTION:
IN THE NEWS
LENGTH:
3198 words
HEADLINE:
PREPARED TESTIMONY OF
CRAIG MCLAUGHLIN
CHIEF TECHNOLOGY OFFICER
PRIVADA, INC.
BEFORE THE
HOUSE
JUDICIARY COMMITTEE
SUBCOMMITTEE ON COURTS AND INTELLECTUAL PROPERTY
BODY:
Good morning, Mr. Chairman and Members of the Subcommittee. Thank you for the opportunity to speak with you this morning about this important topic. I appreciate the efforts of Mr. Goodlatte, Ms. Lofgren and the cosponsors of the SAFE Act for their willingness to address this complex but important issue.
My name is Craig McLaughlin and I am the Chief Technology Officer at Privada, Inc., based in San Jose, CA. I am pleased to be testifying this morning on behalf of the Software & Information Industry Association (SIIA), the result of a merger between the Software Publishers Association and the Information Industry Association. SIIA represents 1400 member companies engaged in every aspect of electronic commerce and strongly supports H.R. 850, the Security and Freedom through Encryption (SAFE) Act.
The Role of Cryptography Encryption is tremendously important for securing electronic communications and transactions. As the Internet continues to increase, more individuals and businesses "go online," and companies shift their mission-critical operations to the Internet, the need for and importance of cryptography only grows.
As a result, the market for encryption is growing. Users routinely demand robust encryption products, and global sales of encryption products are expected to reach $20 billion by 2002.1 Companies in every sector are seeking to utilize security products to facilitate online sales, improve their own products, protect their intellectual property and secure their private data and communications.
There can be no question that the demand for encryption products is strong. A 1997 study identified over 1600 encryption products available from more than 900 companies in thirty countries. That same year, Trusted Information Systems found more than 650 encryption products produced abroad; almost 300 of these incorporated DES-level encryption. Encryption is routinely used in software, databases, networking products, telecommunications equipment, computer peripherals, electronic commerce and financial services. Without a doubt, encryption is one of the most important tools companies and individuals have in the digital environment.While we are beginning to realize the benefits of the global electronic marketplace, we are also realizing some of the challenges that users face. Computer crime, intellectual property theft and privacy fears are some of the issues that the Internet community is being forced to address. By using security products that incorporate robust encryption, companies and individuals can minimize these concerns.
One of the biggest challenges facing us today is the question of online privacy. While users want to take advantage of the Internet's vast resources, many are concerned about the collection and use of their
personal information.
According to some studies,
privacy
is the primary concern for online consumers. A Lou Harris poll recently found that 81 percent of Internet users and 79 percent of those who have purchased goods online are concerned about privacy.
My company, Privada, was founded in 1997 on the premise that individuals and organizations should have the ability to control access to and use of their personal information online - that every person should have the freedom to use the Internet responsibly, without sacrificing their privacy. We have developed a suite of products that allow individuals to protect their privacy while using the Internet for browsing, communications or purchases. Our products disassociate one's real-world identity from the online identity, ensuring that individuals can take advantage of the Internet while protecting themselves and their families online.
Companies like mine have worked hard to develop technological solutions that address these concerns, providing both individuals and businesses with the tools needed to assure their privacy. Such efforts help promote a secure online environment and improve user confidence, helping the vibrant electronic commerce market continue to grow.
Current Encryption Policy
The current policy of restricting encryption exports is, I respectfully submit, outdated and counterproductive. The Administration's approach to encryption exports, like others before it, has sought to balance the needs of law enforcement and national security with the needs of Internet users, but instead has only created a situation in which U.S. industry is at a competitive disadvantage to its foreign counterparts, where online communications and transactions may remain vulnerable, where users do not have robust tools to protect their privacy and that ultimately threatens to undermine our technological leadership in this critical area.
Let me address each of these points in some more detail.
Current policy is outdated.
The current administration policy has evolved from an era in which encryption was regulated as a munition. Encryption products were largely used to provide a level of secrecy for electronic data and communications. Not widely available, export restrictions on encryption and related products could be relatively effective in limiting the spread of these products around the world.
With the growth of electronic networks, though, the effectiveness of restrictions is seriously compromised. Digital networks cross national borders and reach around the globe. Data flows across the country and around the world in an instant, often without the user knowing where the data is originating or terminating. International networks have made it possible for individual users to take advantage of resources previously unavailable to them and for companies to develop new markets around the world.
More importantly, perhaps, is the fact that encryption is no longer used to simply scramble the text of secret messages. The use of encryption has evolved to include authentication and certification, data integrity and network security applications. These applications are widely used in virtually every industry today and are critical to the further development and use of networks in everyday life.
One example is the protection of sensitive information from misappropriation by unauthorized parties, or misuse by otherwise authorized, but negligent or malicious parties, to a transaction. Encryption is the only practical means by which parties to an online communication can trust that each is who he claims to be. It is the only practical way to guarantee that the communication between those parties remains private.
A further example may be helpful. Many Members of Congress - including yourselves, l'm sure - receive e-mail from their constituents. Some of you choose to reply to your constituents viaregular postal mail, but I am sure that many of you choose to use e-mail as a means to communicate with the citizens in your districts. It's effective and inexpensive.
Without technologies like digital signatures, though, your constituents can never really be confident that the message actually came from your office or that the message wasn't modified during the transmission process. Digital signatures, which rely on the enabling technology of encryption, provide users the ability to certify and authenticate the message and therefore trust that the message is authentic. Just as a letter on your stationery with your signature provides a level of confidence, digital signature provide similar assurances for recipients of electronic communications.
Such capabilities are critical for both business and individuals seeking to take advantage and use the Internet. Without robust tools, no one can be assured that their online activities remain private and that their online transactions are trustworthy. Companies are rapidly developing innovative technologies and applications for use on public networks and users are just as rapidly integrating these capabilities into their everyday lives. To ensure that this market continues to grow, consumer concerns like privacy, authentication and security must be addressed. Without encryption, we simply can't do it. We must be able to use and widely deploy encryption if we are to help users protect against the inherent vulnerabilities of public networks.
Current policy puts U.S. companies at a competitive disadvantage.
Second, U.S. policy puts U.S. companies like mine at a competitive disadvantage compared to our foreign counterparts. This is an issue that affects us directly at Privada. Because of the current export controls, U.S. companies face restrictions which prevent them from offering competitive products in the global marketplace - restrictions which foreign competitors do not face. Internet users, whether corporate or individual, are sufficiently sophisticated to seek and demand robust encryption tools in the products they use to facilitate their own online activities. Companies that cannot offer these features face an uphill battle in an extremely competitive marketplace.
As a result, companies who choose to incorporate encryption into their products are faced with a Faustian choice. They can either use strong encryption and forgo the lucrative export market, orthey can use weaker encryption for their export products, thereby rendering them unattractive to potential customers. Companies who choose to forgo exports face a significant challenge. In the era of the global electronic marketplace, to have products that cannot be sold on the foreign market is a tremendous disadvantage. For many software and information companies, foreign sales account for a large percentage of their total annual sales; to simply be forced to abandon this market is obstacle that our foreign competitors simply do not face.
Some companies choose an alternative route. They choose to export products that incorporate weaker encryption, placing them at a significant disadvantage to their competitors abroad. Users understand the value of encryption, and simply do not want products that are weak or easily broken. Further, because multiple product lines must be developed, production costs - and thus the cost of products and services - rise. Companies who choose this route often find that their potential international customers go elsewhere to find products that meet their need for robust privacy and security products.
This dichotomy between their foreign counterparts and US companies is so pronounced a foreign competitor of Privada has used it to market its services.
Current policy limits the ability of companies and individuals to protect data and communications.
Perhaps the most problematic aspect of current policy is that without strong encryption products, data and communications remain unprotected. With robust encryption, companies and individuals have the tools they need to ensure that their online activities and data are secure, protected and authentic.
Without strong encryption, our products and others cannot provide the level of security that customers are demanding. When forced to use weaker encryption, products and services are vulnerable, undermining the very sense of security and confidence that we seek to instill and foster. In fact, they actually weaken protections by generating a false sense of security - as has been said many times, weak cryptography is worse than none at all.For my company and others working to develop technological tools to help users protect their privacy, the ability to use and incorporate strong encryption into our offerings is critical. Encryption is the core component of the technologies we develop to help users control how their personal information is collected and used. Without it, our mission is unachievable, and the privacy of millions of individuals is at risk.
Current policy ultimately undermines our technological leadership.
Finally, I think that it is critical that we consider what the impact of the current policy will be on our technological leadership in the future. The United States has benefited tremendously from the vibrant technology industries that have seen such rapid innovation and growth in recent years. As has been widely reported in the press and as implied by our competitor's actions, the methods, algorithms and technologies being discussed today are globally known, understood and published. At its very core, encryption relies on mathematics. And while U.S. manufacturers have developed a wide array of products that incorporate these technologies, there is no reason to believe that competing products developed abroad would not meet users' functionality and performance standards.
As I mentioned earlier, foreign products are widely available. Many have downplayed the quality of these products and services, instead believing that foreign customers automatically assume that U.S.- developed software, information and electronic commerce products are inherently better than their international counterparts. This is simply not true. As I mentioned above, encryption technologies are well understood and available. There is no reason to believe that US products are simply better because they originated here, and it is important not to discount the viability of these foreign products.
The ultimate result, of course, is that companies face restricted markets, unfair competition and reduced sales, resulting in less revenues for research and development of new products. For hightech industries, especially in software, electronic commerce and information, R&D costs are often quite significant. Without robust sales to fuel additional development, companies cannot afford to innovate or create new products that meet the rapidly changing needs of the electronicmarketplace. While it unrealistic to predict that those of us who produce products and services that incorporate encryption will inevitably go out of business or move abroad, it not unreasonable to be very worried about the long-term impact that market restrictions will have on our ability to innovate and lead. Without further research and development, we risk losing the leadership that we have developed in this critical market segment.
The Need for Policy Reform
Clearly, a new approach is needed. It is important that Congress address this issue in a timely manner. We often speak of "Internet time" to refer to the quickly changing electronic environment, and it is critical that our policies remain appropriate to facilitate continued growth.
At the same time, we recognize that there are lingering concerns about the misuse of encryption the very concerns that have driven the current restrictions. I suggest, though, that a more proactive, forward-looking approach may actually enhance the objectives of the current policy while providing U.S. industry with continued access to robust encryption tools.
How could such a balance be possible? First, let me suggest that maintaining U.S. technological leadership is critical. We must be able to attract and keep those talented individuals and companies that have driven the growth in the industry. If these capabilities move elsewhere or our leadership is compromised, our ability to work with law enforcement and provide assistance will be greatly reduced. As outlined above, we are not going to be able to do so if our companies cannot compete abroad or face unnecessary restrictions on their ability to do so.
In addition, we must provide the tools so that all of our industries can take advantage of new technologies. Economic espionage and computer crime are tremendous threats, and any company that uses computers in any fashion is evaluating ways to make their systems more secure and to protect their data more effectively.
To ensure that these organizations, whether they be grocery stores, pharmaceutical research firms or educational facilities, have access to robust tools, we must ensure that our companies are able to develop these products.
The Administration has long recognized the value that encryption has for securing electronic systems. Its recent proposed revisions to the export restrictions, which allow for the export of 56-bit encryption and stronger products for certain sectors, underscore the importance of encryption. I think that it is unrealistic and perhaps a bit short- sighted to assume that the best approach is to regulate which sectors should be able to deploy advanced security products, rather than letting the market and individual users decide what their security requirements are.
Second, companies throughout the industry are developing products that strike the delicate balance between the need for privacy and security with the need to access information. While it may not be feasible for individual users to purchase or deploy many of these products, companies, including those who provide online access to individuals, are beginning to demand these products.
An example may be helpful. Companies, for example, may wish to encrypt their corporate communications to protect their trade secrets or proprietary information. But they also recognize that there may be situations where they need to reconstruct an event or access protected information. The activities of an employee suspected of divulging corporate secrets may need to be investigated, for example. Several products on the market today allow for such access without compromising the security of the original data or communications.
Please do not misconstrue my comments - this is not an endorsement for key recovery. Our products, for example, do not incorporate key recovery but can be used to provide access if needed. That companies are developing such alternatives is simply a recognition that some customers demand such functionality and the market is responding appropriately. Companies must be given the opportunity to respond to market preferences without the intervention of the government because only individual consumers can make decisions regarding what products and protections are appropriate to their unique situation.
Finally, it is important to realize that encryption is widely available from any number of sources, and that maintaining outdated policies will not meet the Administration's objectives. We all know that this genie is out of the bottle, to repeat an oft-used phrase. We cannot simply accept that our export restrictions are effective just because we hope that they are. We must recognize the realities of the market today and adapt our policies before we lose the advantages that we enjoy.
Conclusion
In conclusion, I submit that it is critical that Congress act quickly to remove export provisions on encryption products to ensure that our companies can compete fairly and effectively in the international marketplace and continue to provide users with the tools that they need to protect their privacy and security online. By freeing the market and allowing U.S. companies to take full advantage of the global market for these products, we can ensure that every company and individual has access to technologies that enhance this growing market.
I urge the Members of the Committee to support liberalizing encryption export provisions and to support H.R. 850.
Thank you.
NOTE:
1 Economic Strategy Institute, 1998.
END
LOAD-DATE:
March 6, 1999
Document 259 of 261.
Search Terms: personal w/5 information w/5 privacy, House or Senate or Joint
To narrow your search, please enter a word or phrase:
Copyright © 2002, LEXIS-NEXIS®, a division of Reed Elsevier Inc. All Rights Reserved.