TO THE BEST OF THE COMMITTEE'S KNOWLEDGE, the goals of U.S. cryptography policy have not been explicitly formalized and articulated within the government. However, senior government officials have indicated that U.S. cryptography policy seeks to promote the following objectives:
• Deployment of encryption adequate and strong enough to protect electronic commerce that may be transacted on the future information infrastructure;
• Development and adoption of global (rather than national) standards and solutions;
• Widespread deployment of products with encryption capabilities for confidentiality that enable legal access for law enforcement and national security purposes; and
• Avoidance of the development of de facto cryptography standards (either domestically or globally) that do not permit access for law enforcement and national security purposes, thus ensuring that the use of such products remains relatively limited.
Many analysts believe that these goals are irreconcilable. To the extent that this is so, the U.S. government is thus faced with a policy problem requiring a compromise among these goals that is tolerable, though by assumption not ideal with respect to any individual goal. Such has always been the case with many issues that generate social controversy: balancing product safety against the undesirability of burdensome regulation on product vendors, public health against the rights of individuals to refuse medical treatment, and so on.
As of this writing, U.S. cryptography policy is still evolving, and the particular laws, regulations, and other levers that government uses to influence behavior and policy are under review or are being developed.
Chapter 4 is devoted to the subject of export controls, which dominate industry concerns about national cryptography policy. Many senior executives in the information technology industry perceive these controls as a major limitation on their ability to export products with encryption capabilities. Furthermore, because exports of products with encryption capabilities are governed by the regime applied to technologies associated with munitions, reflecting the importance of cryptography to national security, they are generally subject to more stringent controls than are exports of other computer-related technologies.
Chapter 5 addresses the subject of escrowed encryption. Escrowed encryption is a form of encryption intended to provide strong protection for legitimate uses but also to permit exceptional access by government officials, by corporate employers, or by end users under specified circumstances. Since 1993, the Clinton Administration has aggressively promoted escrowed encryption as a basic pillar of national cryptography policy. Public concerns about escrowed encryption have focused on the possibilities for failure in the mechanisms intended to prevent improper access to encrypted information, leading to losses of confidentiality.
Chapter 6 addresses a variety of other aspects of national cryptography policy and public concerns that these aspects have raised.