Good morning Mister Chairman and members of the committee, my name is Philip Karn and I live in San Diego, California. Like my fellow panelists, I am an engineer with a strong personal interest in the security of computer and communications networks. We are all founding members of the Internet Privacy Coalition.
I speak this morning for both myself and my employer, Qualcomm Incorporated. Qualcomm develops and manufactures advanced digital cellular and personal communications systems. With our rapid growth and the local defense industry cutbacks we're now the largest private employer in San Diego County.
I would like to thank you for inviting me to testify this morning, and also for raising this issue outside the closed doors of the Executive Branch. In my opinion, you've already won half the battle as the Administration's present encryption policy simply cannot withstand serious public scrutiny.
We need export controls on bombs and missiles. But it's just absurd to apply these same laws to publicly available software and products.
At your June 12 hearings, Senator Pressler referred to a case I have pursued as an individual for over two years. In early 1994 I obtained an official ruling from the State Department that this book, Applied Cryptography, is beyond their licensing jurisdiction because it is freely available to the public. This was true even though the appendix contains software source code listings for Triple DES encryption, among other things. But when I asked about a floppy disk containing the exact same text as in the book, I was told that such a disk was a "munition" requiring a license to export. I guess only Americans can type.
To date I have been unsuccessful in persuading the Executive Branch to change its irrational decision or in obtaining relief in the courts. The government knows that the Applied Cryptography programs have been on the Internet for years. Surely, exporting a floppy disk with the same information cannot possibly threaten national security.
My case is currently before the DC Circuit Court of Appeals. As an aside, my attorney Ken Bass and I make extensive use of Phil Zimmermann's PGP program in our email consultations. It's nice not having to rely on a key-escrow agency to protect my attorney-client privilege.
Here's another example of an export policy out of control. I've written a publicly available Internet software package. Recently I added the Triple DES software so it can encrypt the Internet links between corporation offices. Qualcomm applied to the State Department for a license to export a single copy of my software to our Singapore office solely for internal company use by the US citizens who work there. Our request was "returned without action". They suggested that we remove the Triple DES code and try again.
Mister Chairman, this is totally unacceptable. Not only was this action not in the spirit of the State Department's new "personal use exemption", but there was obviously no issue here of keeping encryption away from unfriendly governments or international terrorists. Just the ability of a US corporation to defend itself against industrial espionage in a hotly competitive international market. Like many other high tech companies, we've already been targeted by hackers. Since we have strong encryption software, it seems only prudent to use it.
Export controls also hamper Qualcomm's ability to sell and support its products overseas. We originally developed our CDMA digital cellular technology for the US domestic market. But we've discovered an enormous market for CDMA in developing countries desperate to deploy the basic phone service vital to a modern economy. In countries like Russia, China, India and Brazil we are in a pitched battle with a European-developed and manufactured technology, GSM. And I don't have to remind you that the Europeans don't have to play by US export rules. And it's probably not a surprise that the European GSM manufacturers can offer voice encryption; we don't. Not even in our domestic model, thanks at least in part to NSA pressure.
Even when we can export, the bureaucratic delays are excruciating. Here's an example. The very first commercial CDMA system in the world is in Hong Kong. So far we have shipped 52,000 CDMA phones to Hong Kong and we're still shipping them about as fast as we can make them. Like all cell phones, our phones contain microprocessors and software to run them. A phone with its software programmed in comes under Commerce Department rules so it's easily exported. But the software includes encryption used solely for authentication to stop the fraud now plaguing analog cellular systems. And because of this the phone software, by itself, comes under State/ITAR control.
And of course, software changes. We'll add features and occasionally fix a minor bug or two. But every time we want to ship a new version to Hong Kong, we must file a whole new export license application and wait 30 days for approval -- even for a trivial change that has nothing to do with encryption. So far we've done this six times. That's half a year of pointless delay!
The whole process is so painful that we've decided never to do it again elsewhere. If our phones have to be upgraded, we'll ship them back to our US factory. Meanwhile, our GSM competitors can offer storefront upgrade service if they like.
As you know, Mister Chairman, the Administration defends all its export controls on cryptography as vital to national security. But I believe I've shown otherwise. Does a public domain floppy disk really threaten national security? Does a US corporation threaten national security by protecting itself with strong encryption? And do long bureaucratic delays promote national security? Mister Chairman, I strongly support S.1726. It will provide exactly the relief we urgently need.
I've provided further details and background information in my written testimony. I'd be happy to answer any questions you may have. Thank you.