Statement by Sen. McCain in the Congressional Record.
Re: introduction of S 798, the PROTECT Act, an encryption bill.

Date: April 15, 1999.
Source: Congressional Record, April 15, 1999, page S3771.


Mr. McCAIN. Mr. President, yesterday I introduced a bill to "Promote Reliable On-Line Transactions to Encourage Commerce and Trade," the PROTECT Act. This legislation seeks to promote electronic commerce by encouraging and facilitating the use of encryption in interstate commerce consistent with the protection of United States law enforcement and national security goals and missions.

During the last Congress, there was a very intense debate surrounding the encryption issue. That debate, as with any discussion regarding encryption technology, centered around the challenge of balancing free trade objectives with national security and law enforcement interests. There were various proposals put forward. None, however, emerged as a viable solution. In the end, the debate became polarized, as many became entrenched upon basic approaches, losing sight of the overall policy objectives upon which everyone generally agreed.

It was my objective to get outside the box of last year's debate. In the past, balancing commercial and national security interests has been treated as a zero sum game, as if the only way to forward commercial interest was at the expense of national security, or vice versa. This is simply not the case. Certainly, advanced encryption technologies present a unique set of challenges for the national security and law enforcement community. However, these challenges are not insurmountable.

What the PROTECT Act does, is to lay out a forward-looking approach to encryption exportation, a course that puts into place a rational, fact-based procedure for making export decisions, that places high priority on bringing the national security and law enforcement community up to speed in a digital age, and that ultimately provides a national security backstop to make certain that advanced encryption products do not fall into the hands of those who would threaten the national security interests of the United States.

Title I of the legislation deals with domestic encryption. The bill establishes that private sector use, development, manufacture, sale, distribution and import of encryption products, standards and services shall be voluntary and market driven. Further, the government is prevented from tying encryption used for confidentiality to encryption used for authentification. It is established that it is lawful for any person in the United States, and for any U.S. person in a foreign country, to develop, manufacture, sell, distribute, import, or use any encryption product.

The PROTECT Act prohibits mandatory government access to plaintext. The bill prohibits the government from standards setting or creating approvals or incentives for providing government access to plaintext, while preserving existing authority for law enforcement and national security agencies to obtain access to information under existing law.

Title II of the legislation deals with government procurement procedures. The bill makes clear that it shall be the policy of the Federal government to permit the public to interact with the government through commercial networks and infrastructure and protect the privacy and security of any electronic communications and stored information obtained by the public.

The Federal government is encouraged to purchase encryption products for its own use, but is required to ensure that such products will interoperate with other commercial encryption products, and the government is prohibited from requiring citizens to use a specific encryption product to interact with the government.

Title II of the PROTECT Act authorizes and directs NIST to complete establishment of the Advanced Encryption Standard by January 1, 2002. Further, the bill ensures the process is led by the private sector and open to comment. Beyond the NIST role in establishing the AES, the Commerce Department is expressly prohibited from setting encryption standards--including U.S. export controls--for private computers.

A critical component of the PROTECT Act is improving the government's technological capabilities. Much of the concern from law enforcement and national security agencies is rooted in the unfortunate reality that the government lags desperately behind in their understanding of advanced technologies, and their ability to achieve goals and missions in the digital age.