U.S. exports crypto-export controls

By Rebecca Sykes
IDG News Service, 12/07/98

The U.S. last week said it has persuaded 32 countries to permit tightened control of their export of encryption software-the U.S. has long maintained that this measure is necessary to properly balance national-security interests against personal privacy.

The 33 members of the Wassenaar Arrangement, an agreement on conventional arms and dual-use goods and technologies -- items which could be used for civilian or military purposes -- agreed to restrict exports of 56-bit general encryption products, according to a Department of Commerce spokesman. In addition, Wassenaar signatories agreed to restrict the export of mass-market products with keys more than 64 bits long, he said.

One observer said it was unclear whether the U.S. has really convinced the countries to shift gears and issue encryption controls.

The Wassenaar Arrangement calls for member countries to pass local legislation, at their discretion, if they want its provisions to take effect, according to Barry Steinhardt, executive director of the Electronic Frontier Foundation, which is a U.S.-based, non-profit civil-liberties group. It is not clear whether the new piece of the agreement follows suit or whether it is mandatory for the signatories to pass the legislation, according to Steinhardt. If the new controls are not mandatory nothing much has changed, because almost all the signatories have well-established policies of permitting the unfettered export of encryption, he said.

"The U.S. has a history of exaggerating the concessions that it has won in international forums," Steinhardt said. "The question is whether this is a largely meaningless concession to the U.S. or whether it has some teeth in it."

Another observer agreed that the most recent Wassenaar agreement doesn't appear to be a radical triumph for the U.S. Wassenaar signatories may just have agreed in principal to appease the U.S., knowing that agreement need not translate into changing their own policies, according to Marc Rotenberg, director of the Electronic Privacy Information Center, based in Washington, D.C.

One issue which is quite clear is that the U.S.' aim "is to try to establish a cap on the strength of encryption that's generally available in commercial products," Rotenberg said.

U.S. officials could not be reached for comment.

Most Wassenaar countries are in Europe, with some representation from South America and Asia/Pacific. The current signatories are: Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Russian Federation, Slovak Republic, Spain, Sweden, Switzerland, Turkey, Ukraine, the U.K. and the U.S.