The House Judiciary Committee passed the Security and Freedom through Encryption Act (SAFE), which would cut the red tape for U.S. companies that want to sell strong encryption overseas. The House International Relations Committee will now debate the bill.
Under SAFE, companies would only have to submit to a one-time review from the Commerce Department to ship generally available crypto products. However, to placate law enforcement concerns, the legislation also makes it a felony to use encryption in the furtherance of a crime. Civil liberties groups have likened the stipulation to slapping on extra penalties when a kidnapper types a ransom note vs. handwriting the letter because the use of a typewriter could make it harder to investigate the crime.
The government has long regulated encryption under weapons controls, based on law enforcement assertions that tech-savvy criminals can use the products to conceal their activity. But opponents of the rules say they are costing the software industry profits and threatening global computer users' privacy.
"Narcotics traffickers, cyberterrorists, and other criminals are not going to respect export restrictions on encryption when they don't respect our drug laws or any other chapter or section of our criminal code," Rep. Zoe Lofgren (D-California), who cosponsored SAFE with Rep. Bob Goodlatte (R-Virginia), said in a statement.
"[The current] system, according to the experts, costs too much, is too complex, or is too insecure. And the emphasis is on the lack of security," she added.
The committee rejected Rep. Bill McCollum's (R-Florida) amendment requiring that products allow "immediate" plain-text access to encrypted material as a condition for export.
"Whether these features are called 'key escrow,' 'key recovery,' or 'plain-text access,' they still introduce serious security risks for the end user," said Alan Davidson staff counsel for the Center for Democracy and Technology.
As part of a piecemeal concession plan, the White House has updated its policy to allow for the export of 56-bit encryption products after a one-time technical review. The administration also removed a requirement that those products must include "key recovery" mechanisms, which give companies or law enforcement officials with court orders a way to get access to encrypted data via a "spare key."
Still, 56-bit products have been easily cracked, so the software industry and privacy advocates want the rules further relaxed to make it easier to ship heftier encryption, such as 128-bit, without mandatory key recovery features or continuous reviews.
But supporters are encouraged that SAFE is once again gaining ground, and that it cleared the Judiciary Committee today basically unchanged.
"Foreign availability of strong encryption begs the question as to why the United States continues to insist on unilateral export controls," Robert Holleyman, chief executive of the Business Software Alliance, said in a statement. "The only country who is being hurt by this short-sighted policy is the United States."
This is the third time SAFE has been considered by Congress. It gained 249 sponsors in the House last year but died after going through five renditions--one of which aimed to give law enforcement quick access to unlock secure messages within the United States during criminal investigations.