WASHINGTON, D.C. - The White House yesterday unveiled plans to ease the current export restrictions on software and hardware products that make use of encryption, and at the same time proposed legislation to help law enforcement pursue criminals who use encryption to hide information.
The proposed export rules still need to be hammered into Department of Commerce regulations, which will be published this December. These proposed rules would not completely lift existing export prohibitions that vendors and users confront concerning encryption use. But the planned revisions will greatly simplify what has become a bureaucratic morass of reporting requirements about the user to the Commerce Department. The product vendor or a lawyer specializing in this is usually the one dealing with the red tape on behalf of the user.
On the hardware side, the government will no longer require vendors to get an export license for hardware using 56-bit encryption or less to ship this type of encryption-enabled device out of the country to about 180 countries. Seven nations, including Iraq and Iran, are still taboo.
On the software side, an export license will not be required any longer for software using 64 bits or less. This decision reflects a recent international agreement between several nations on encryption strength acceptable for import. But since this encryption strength is known to be breakable, users tend to want something stronger.
For software and hardware using stronger encryption, "we can obtain a general license for general export to friendly nations with no key-length restriction after submitting the product for a one-time review," says Bill Crowell, CEO at Cylink.
Crowell chairs the President's Export Control Subcommittee on Encryption and is a member of the President's Export Council, a group of about two dozen industry and congressional participants advising the White House. Crowell is also former deputy director at the National Security Agency, the government's intelligence organization with significant influence in setting encryption export policy for the U.S.
Crowell says the government review process for products with no key-length restrictions will not require vendors to use any type of key escrow process that would give law enforcement access to encrypted data.
"It gives us a level playing field with regard to our competition in the area of electronic commerce," Crowell says. "This is a very broad and sweeping relaxation."
One of the main advantages to the proposed rules will be abolishing the morass of Commerce Department regulations that categorize users into types-banking, insurance, e-commerce, medical and other. These categories of users have each been subject to different sets of restrictions.
When it comes to strong encryption, vendors currently have to make individual applications based on customer type and key length. Kelly Blaugh, director of government affairs at Network Associates, says that under the current rules, only "certain customers, not a wide customer base" are allowed to use exported products with 128-bit encryption or higher.
The rule changes from the White House mean "letting mass-market128-bit based on a one-time review," Blaugh points out. "This is a fundamental shift in export controls policy."
The complex web of user-specific rules in effect now will be swept away in favor of a regimen that separates product buyers only as commercial or government, Crowell says.
Commercial users will not require a specific export permit, although vendors will still probably have to report to Commerce on which corporations are using their stronger encryption-based products abroad.
"This is going to reduce the large and growing burden of paperwork and time," Crowell notes. It will speed how quickly companies can ship out the encryption-based products they want to see overseas.
However, separate applications will still need to be made for export to foreign governments. "We're still concerned about this," Crowell says. "There is a large market for foreign governments, such as Hong Kong, which is putting in a large public-key infrastructure the way our post office would like to do," Crowell adds.
One open question, however, is how easy ISPs or other providers of encryption services will fare under the relaxation of the encryption export rules. At present, the U.S. government doesn't want ISPs abroad to use U.S.-made strong encryption equipment for their encryption services.
This restriction will probably ease up a bit under the new rules, at least for commercial users. However there still may be attempted restriction concerning how ISPs encrypt a foreign-government's traffic.
"A lot of this will come out in the Commerce Department regulations," Blough says.
In addition to the export rules changes, President Bill Clinton, Vice President Al Gore and Justice Department Chief Janet Reno yesterday announced the Administration wants to see Congress pass legislation that would help law enforcement collect evidence that may have been encrypted to hide it. To do that, the Administration wants a new law making it clear that third parties that can get access to a suspect's encrypted data must cooperate with law enforcement. This cooperation might involve using the decryption key or offering access to a network at a point before the data is encrypted. This could impact corporate network managers or ISPs providing encryption services because they could be formally approached to let law enforcement "sniff" data streams before they're encrypted.
This proposed legislation, which is separate from the export rules revisions that will be set by the Commerce Department, is called the Cyberspace Electronic Security Act of 1999.
It requires a law enforcement official to use a decryption key only for explicitly authorized purposes. Law enforcement must inform a person whose key is obtained during court process, and must destroy the keys after their use is complete.
The White House dropped the controversial idea it had made in an earlier draft of the proposed bill that would let law enforcement secretly enter the suspect's home with the help of the landlord in order to disable encryption on the desktop.
Reaction: Here's what some Fusion users are saying about this article: What do you think? Add your comments to the thread
RELATED LINKS
Other recent articles by Messmer
Reaction: Here's what some Fusion users are saying about this article:
What do you think? Add your comments to the thread
