August 11, 1995

The Honorable Albert Gore
Vice President of the United States
The White House
Washington, DC 20500

Dear Mr. Vice President:

It has been three years since the U.S. Government permitted the export of mass market software programs with moderate encryption (RC2/RC4 with 40-bit keys). In February 1994, we wrote to you regarding the way in which the limitation on encryption strength was harming our companies in the global marketplace and urged further export control liberalization. A year ago you wrote to Representative Maria Cantwell agreeing to study further the short-run impact of existing export controls and to reassess controls based on those studies. You also agreed that the Administration needed to take action in 1994 to ensure that American companies were able to include information security features in their software in order to maintain their international competitiveness. You called for government to work with industry on exportable key escrow encryption systems that would "provide strong encryption, be acceptable to computer users worldwide, and address the national security needs as well."

More than a year has gone by since your letter to Representative Cantwell. Our companies still are not able to export software with encryption strengths readily available in programs and products from other sources. We also do not know any more about what we need to do to develop software using key escrow encryption which can be exported and which is internationally saleable. Therefore, we are writing to you today to urge the Administration to:

* immediately permit the export of generally available software programs with data encryption capabilities employing the Data Encryption Standard (DES) algorithm or other algorithms at comparable strengths; and

* develop as soon as possible, in consultation with industry, specific detailed criteria to implement the key escrow encryption policies set forth in your letter so that our companies will know in advance with certainty what we need to do to be able to export our software programs if we wish to employ even stronger encryption (e.g. triple DES, RC2/RC4 with 128-bit keys).

The widespread availability of programs employing DES or its equivalent from foreign vendors, the Internet and domestic sources (transferred abroad via public telephone line and computer modem) continues to put us at a competitive disadvantage. Our situation has worsened as computer awareness of and demand for information security skyrockets, foreign encryption programs and products proliferate, and continuing advances in computing power make decryption efforts cheaper and faster.

We believe the time for further study is over. We ask for immediate action to liberalize export controls to permit the inclusion of DES-level encryption in generally available software programs so that in the short run we can at least maintain our international position.

Our companies pledged a year ago to work with the Administration to make commercial key escrow encryption systems a reality. Because the Government ultimately would have access to encrypted communications, such systems could use very strong encryption thereby providing greater information protection and privacy in the Global Information Infrastructure. As you recognized in your letter, in order to be workable such systems would have to be voluntary, exportable, based on non-classified algorithms, implementable in software, and permit the use of private sector key escrow agents. We understood that this new policy would enable the U.S. software industry to export programs that meet computer-user demands in the U.S. and abroad and thus would enable us to remain internationally competitive.

Unfortunately, a year has gone by and yet we do not know any more about what we need to do to develop software using key escrow encryption which can be exported and that we believe will be purchased by users worldwide.

There has been only minimal consultation with the software industry and that has been with respect to basic questions such as: ensuring users' choice of algorithm and key lengths; binding the key escrow system to the use of strong encryption pursuant to commercial practices; and permitting foreign users to escrow keys with foreign entities (relying on existing bilateral law enforcement and national security arrangements).

But there has been no discussion with the software industry about detailed functional policy criteria -- akin to what occurred in 1992 -- that will give companies the guidance they need to actually develop software incorporating key escrow encryption features. Moreover, we believe such criteria should continue to tell us what we need to do - not how we should do it - since our architectural and programming approaches may be quite different.

We urge the Administration to set forth as soon as possible detailed criteria developed in consultation with industry. We are confident this can be done quite quickly once government and industry representatives sit down together. Most importantly, we want to emphasize that any policy that does not provide such specific parameters will not help our companies develop the software that will enable them to compete in the global marketplace.

