THE ENCRYPTION DEBATE: INTELLIGENCE ASPECTS

CRS Report for Congress
The Encryption Debate: Intelligence Aspects
Keith G. Tidball
and Richard A. Best, Jr.
Specialist in National Defense
Foreign Affairs and National Defense Division
Summary
The 106th Congress is expected to resume an ongoing debate on restricting the
export of sophisticated computer encryption systems. In the 105th Congress strong
support for removing encryption export restrictions and allowing U.S. software firms
to compete in the world marketplace was balanced by concern that widespread
availability of such systems could undercut important law enforcement and intelligence
interests. No encryption legislation passed in the 105th Congress. The Clinton
Administration relaxed some restrictions on encryption sales based on existing export
legislation, but opposes the complete lifting of restrictions out of concern that use of
highly sophisticated encryption might hinder law enforcement and intelligence
collection efforts. The views of law enforcement agencies have been forcefully set forth
by FBI Director Louis Freeh, but less has been said about the implications for the
collection of foreign intelligence especially by the National Security Agency (NSA)
which is responsible for acquiring information from foreign communications. Although
such concerns are necessarily shrouded in secrecy, they are likely to have an important
influence in the ongoing congressional debate. This report will not be updated.
Background
Encryption and decryption are methods of using cryptography, the science of writing
and reading messages in code, to safeguard the confidentiality of data and
communications. A message that is encrypted is electronically scrambled—translated by
a computer according to an equation or algorithm into unreadable text that can only be
understood by someone who possesses the key to unscramble it, or decrypt, it. Simple
encryption systems can be “broken” by brute force—using computers to try every possible
combination. Messages encrypted by the stronger systems now becoming available can
be broken only after many years of computer time or if there is access to the key.
To better protect their information, businesses and consumers want the stronger
computer encryption products that have become available in recent years. Encryption
software producers also want the opportunity to sell stronger encryption products
competitively in international markets. At present no restrictions govern the sale or use


Congressional Research Service ˜ The Library of Congress

of any encryption product in the United States, but, pursuant to statutes that govern
exports in general, successive Administrations have placed limits on the sales of strong
encryption products abroad. Recognizing that some sophisticated encryption products are
available from foreign firms or are downloadable from the Internet, the Clinton
Administration has sought to accommodate—at least to some extent—the demands of the
software industry that export restrictions be lifted or at least modified. Executive Order
13026 of November 15, 1996, permits exports of strong encryption systems if producers
create and maintain key recovery agents (essentially spare keys) that can be made
available to duly authorized government entities. In September 1998 the Administration
announced an intention to permit the sales of strong encryption products (after a one-time
review) to financial institutions, insurance companies, and to the health and medical1
sector in some 45 nations.
Many in Congress advocate legislation that would remove export regulations (with
narrow exceptions) and allow U.S. firms to take advantage of worldwide demands for
encryption products. At the same time, law enforcement officials are concerned that
stronger encryption may serve to protect the communications of those engaged in illegal
activity. Federal, state, and local authorities conduct approximately 1,200 court-ordered
criminal wiretaps each year,2 but law enforcement specialists are faced with growing
difficulties in gathering information protected by sophisticated encryption. Investigators
have discovered encrypted communications in a minimum of 500, and possibly up to
1000, criminal cases over the past few years, and the number of criminal cases is growing
at an estimated annual rate of 50-100 percent.3 According to Louis Freeh, Director of the
Federal Bureau of Investigation (FBI), “Law enforcement remains in unanimous
agreement that the widespread use of robust non-recoverable encryption will ultimately
devastate our ability to fight crime and terrorism. Uncrackable encryption allows, and
will continue to allow with increasing regularity, drug lords, terrorists, and even violent
gangs to communicate about their criminal intentions with impunity and to maintain
electronically stored evidence of the crimes impervious to lawful search and seizure.”4


1 For further information and analysis of encryption technology, discussion of the debate between
the Administration and industry representatives, and the status of legislation, see CRS Issue Brief
IB96039, Encryption Technology: Congressional Issues.
2 Roberto Suro and Elizabeth Corcoran. “U.S. Law Enforcement Wants Keys to High-Tech
Cover,” Washington Post, March 30, 1998, p. A4.
3 Dorothy E. Denning and William E. Baugh, Jr., Encryption and Evolving Technologies: Tools
of Organized Crime and Terrorism, U.S. Working Group on Organized Crime, (Washington:
National Strategy Information Center, 1997), p. 13.
4 Prepared testimony for hearing before the House Appropriations Subcommittee for the
Departments of Commerce, Justice, and State, the Judiciary, and related Agencies, March 5,

1998. For an extensive discussion of the relationship of law enforcement and encryption issues,


see Charles Doyle, Encryption, Key Recovery & Law Enforcement: Selected Legal Issues and
Legislative Proposals, CRS Report 97-845 A, September 12, 1997. In testimony on September
3, 1997 before the Subcommittee on Technology, Terrorism, and Government Information of the
Senate Judiciary Committee, Director Freeh advocated that even encryption systems sold within
the United States be required to include key recovery provisions. In effect, Freeh has urged
tighter restrictions on the encryption industry even as industry leaders were pressing for
relaxation of current regulations. Freeh’s views have not, however, been adopted by the Clinton
Administration.

Free speech advocates and civil libertarians support the removal of export controls
and strongly oppose facilitating government access to private communications. Any key
recovery process, they note, is only so reliable as the custodians of the keys. Further, they
argue that on balance strong encryption serves law enforcement by deterring or preventing
such abuses as credit card theft and hostile efforts to tamper with databases. It is also
pointed out that in some foreign countries human-rights advocates must shield their
communications from hostile governments which might be able to obtain key recovery
documentation if it exists.
The Role of the National Security Agency
More widespread use of sophisticated encryption systems outside the United States
would also have significant implications for national defense and intelligence
policymaking and operations. In general, law enforcement agencies gather and analyze
information to support efforts to prosecute illegal activities; foreign intelligence agencies
gather and analyze information to support national security policymaking, diplomacy, and
military operations. Extensive overlap exists between the efforts of law enforcement and
foreign intelligence agencies, especially in such areas as narcotics trafficking and
terrorism. A considerable body of legislation, however, separates the roles, missions, and
authorities of intelligence agencies from those of the FBI and other law enforcement
agencies.
Ongoing efforts of the U.S. Government to acquire foreign intelligence through
signals intelligence (sigint) are necessarily kept secret.5 There is an extensive historical
literature about U.S. sigint efforts during the World War II era, based in part on
documents available in the National Archives;6 the massive Cold War sigint effort has
been discussed in various journalistic accounts, but is not widely appreciated by the
public.7 In post-Cold War years officials have been somewhat more forthcoming about
the U.S. sigint effort.
Responsible for sigint, as well as the protection of official U.S. communications, is
the National Security Agency (NSA), headquartered at Fort Meade, Maryland.
Reportedly Maryland’s largest employer,8 NSA was created by presidential
memorandum on November 1, 1952 consolidating separate sigint elements of the military
services. The Director, NSA, at present Army Lieutenant General Kenneth A. Minihan,
traditionally has been a military officer of flag rank with a civilian deputy. NSA is part
of the Defense Department but has a recognized independent status as a collector of


5 See 18 USC 798.
6During World War II U.S. cryptanalysts had great success in breaking Japanese diplomatic and
naval codes. In discovering plans to attack Midway Island, they contributed to a crucial defeat
of the Japanese fleet. Many observers believe that U.S. sigint efforts directly contributed to the
shortening of the war by at least a year.
7See James Bamford, The Puzzle Palace: A Report on NSA, America’s Most Secret Agency
(Boston: Houghton Mifflin, 1982) and the series of articles by Scott Shane and Tom Bowman,
“No Such Agency,” Baltimore Sun, December 3-15, 1995.
8 Shane and Bowman, December 3, 1995.

intelligence relating to both military and non-military topics for the entire federal
government.
Along with imagery and reporting by human agents, sigint is a major source of
intelligence and is the most expensive of the intelligence disciplines. The Senate
Intelligence Committee has noted, “By collecting and analyzing signals intelligence, U.S.
intelligence agencies seek to understand the policies, intentions, and plans of foreign state
and nonstate actors. Signals intelligence plays an important role in the formation of
American foreign and defense policy. It is also a significant factor in U.S. efforts to
protect its citizens and soldiers against terrorism, the proliferation of weapons of mass
destruction, narcotics trafficking, international crime and other threats to our nation’s
securi t y.”9
NSA officials have been involved in the preparation of the Administration’s
initiatives on encryption providing technical advice and serving as public spokesmen. In
testimony prepared for the House National Security Committee in July 1997, NSA’s
Deputy Director, William P. Crowell, argued that the Administration’s goal was to create
an international framework in which the use of strong encryption will grow. Specifically,
he advocated a requirement for key recovery capabilities (i.e. keys to encryption systems
would be held by third parties). Such keys would logically be desired by any company
concerned about emergency or back-up access to its data. They would, according to the
Administration’s position, be available to law enforcement agencies with proper
authorization and, potentially, to intelligence agencies. Crowell acknowledged the
widespread availability of encryption systems from foreign companies or downloadable
from the Internet, but argued that legitimate consumers will seek out the infrastructure
support that U.S. firms can best provide; few companies would trust an encryption system
downloaded from the Internet.
Although FBI Director Freeh has had a higher public profile, NSA officials have
made clear to Congress their serious concern about loosening export restrictions on
sophisticated encryption systems. Crowell testified to the House National Security
Committee that the immediate decontrol of strong encryption products “would make our
signals intelligence mission much more difficult and ultimately result in the loss of
intelligence.... This would greatly complicate our exploitation of foreign targets, including
military targets.”10
NSA officials are undoubtedly concerned that widespread use of strong encryption
will frustrate their ability to provide sigint regarding foreign entities, including terrorist
groups operating internationally. NSA officials anticipate that American encryption
software backed by an extensive infrastructure, when marketed, is likely to become a
standard for international commercial communications. If arrangements for legal access


9 U.S. Congress, Senate, 105th Congress, 2nd session, Select Committee on Intelligence,
Authorizing Appropriations for Fiscal Year 1999 for the Intelligence Activities of the United
States Government and the Central Intelligence Agency Retirement and Disability System and
for Other Purposes, S. Rept. 105-185, May 7, 1998, p. 15.
10Quoted in U.S. Congress, House of Representatives, 105th Congress, 1st session, Committee on
National Security, Security and Freedom Through Encryption (SAFE) Act of 1997, House Rept.

105-108, Part 3, September 12, 1997, p. 5.



to such communications are not made, vast quantities of information of vital importance
to the national security will be unavailable. This is likely even though some foreign
entities will make use of non-U.S. encryption systems. NSA officials indicate a desire
to see U.S. software manufacturers remain competitive in international markets and
believe that U.S. systems will remain the standard even with key recovery in place. It is
often noted that ordinary telephones continue to be used for sensitive communications
because they are convenient and reliable even though more secure systems exist.
Legislative Proposals
Although the strength of encryption products sold and used in the U.S. is not
regulated, pursuant to the International Emergency Economic Powers Act and other
legislation11 strict limits are imposed on the types of encryption that can be exported.
Legislative proposals have been introduced that would preempt export current regulations
for encryption systems and allow the U.S. software industry to market their products
worldwide.
H.R. 695, introduced by Representative Goodlatte on February 12, 1997 became the
focus of interest in the House. It would prohibit requirements that exported encryption
systems include capabilities to permit recovery by third parties as well as eliminate export
controls on “generally available” commercial encryption except for military end-uses or
to identified individuals or organizations in specific foreign countries. H.R. 695, with
over 245 co-sponsors, was strongly backed by the software industry. It was approved by
the Judiciary, International Relations, and Commerce Committees with only minor
amendments and had support by some in the House leadership.
It nonetheless elicited strong opposition not only from law enforcement officials, but
also from defense and intelligence agencies. Subsequent to briefings by NSA and other
agencies, the National Security and Intelligence Committees amended H.R. 695 in
September 1997 to impose by statute restrictions on encryption exports that the original
bill was designed to eliminate. The National Security Committee concluded that
“[u]nrestricted export of capabilities that make it more difficult for the United States to
comprehend the plans and activities of hostile military forces could significantly degrade
the technological advantage presently held by U.S. combat forces.”12 The Committee
proposed an amendment to the legislation that would give the President statutory authority
to determine the maximum level of encryption products that could be exported without
a license, with exceptions to be made with the concurrence of the Secretary of Defense.
Arguing that the original version of H.R. 695 “left our intelligence and intelligence-
related capabilities at considerable risk,”13 the Intelligence Committee went further and


11The background of this legislation is discussed in Glennon J. Harrison et al., Export
Administration Legislation, CRS Report 96-492E, August 27, 1996. See also Jeanne J. Grimmett,
Encryption Export Controls, CRS Report 97-837 A, September 12, 1997.
12H. Rept. 105-108, Part 3, p. 3.
13U.S. Congress, House of Representatives, 105th Congress, 1st session, Permanent Select
Committee on Intelligence, Security and Freedom Through Encryption (“SAFE”) Act of 1997,
House Rept. 105-108, Part 4, September 16, 1997, p. 14. Some Members also noted that a policy
built on different regulations for domestic and foreign sales complicates the possibility of

inserted a new section (2803) making it unlawful to sell in interstate or foreign commerce
any encryption product that does not provide duly authorized persons an immediate
decryption capability. The Intelligence Committee stated that “it is important to the
country’s security interests” that the “the intelligence community [be able] to continue to
support our policy makers, deployed forces, and U.S. interests at home and overseas.”14
In the Senate, S. 909, introduced by Senators McCain, Kerrey, and Hollings
essentially codified existing domestic use and export policies. It was strongly opposed
by the software industry and was not scheduled for floor consideration. S. 2067,
introduced by Senator Ashcroft on May 12, 1998, would remove encryption export
restrictions and establish a National Electronic Technologies Center to provide
information about sophisticated technological developments to concerned government
agencies. Another bill, H.R. 1903 that would encourage various efforts to enhance the
security of communications without addressing the export of encryption systems was
passed by the House on September 16, 1997, but the Senate did not take action on it.
Senate Majority Leader Trent Lott strongly advocated modernizing export controls
of encryption, 15 and in June 1998 House Speaker Newt Gingrich indicated that he would
personally chair a task force to design a plan to ease encryption restrictions.16 The 105th
Congress adjourned, however, without floor action on encryption bills. Although the
Clinton Administration has placed emphasis on establishing a dialogue between affected
agencies and the encryption industry, and has further liberalized export regulations in
September 1998, no agreement is expected to be achieved in the near future. As one
industry spokesman noted: “Both sides, on the outer edges of the debate, have enough
votes to cancel each other out—in Congress and even in the Administration.”17
Conclusion
The Government’s need for signals intelligence is a significant factor in the
encryption debate, but it is one that cannot, for security reasons, be fully analyzed in
public discourse. NSA officials have repeatedly stressed the dangers of widespread use
of strong encryption systems by foreign entities. They have argued, in particular, that H.R.
695 “would directly threaten national security.” Although some both in the executive
branch and Congress are inclined to support the position of the software industry, it
appears that any consensus will, to some extent, accommodate NSA’s concerns.


effective international cooperation on encryption policies. Additional Views of Representatives
Dicks, Skelton, and Bishop, ibid., p. 44.
14Ibid., p. 26.
15Congressional Record, October 21, 1997, pp. S10879-10881.
16 Lisa M. Bowman, “Gingrich Talks Tech in the Valley,” Ziff Davis Net News, June 30, 1998.
17Aaron W. Cross of IBM, quoted in Congressional Quarterly, June 13, 1998, p. 1591.