Search /
Docfinder:
Advanced search  |  Help  |  Site map
RESEARCH CENTERS
SITE RESOURCES
Click for Layer 8! No, really, click NOW!
Networking for Small Business
TODAY'S NEWS
Where's my gigabit Internet, anyway?
How a cyber cop patrols the underworld of e-commerce
For Red Hat, it's RHEL and then…?
Will the Internet of Things Become the Internet of Broken Things?
Kill switches coming to iPhone, Android, Windows devices in 2015
Israeli start-up, working with GE, out to detect Stuxnet-like attacks
Galaxy S5 deep-dive review: Long on hype, short on delivery
Google revenue jumps 19 percent but still disappoints
Windows XP's retirement turns into major security project for Chinese firm
Teen arrested in Heartbleed attack against Canadian tax site
Still deploying 11n Wi-Fi?  You might want to think again
Collaboration 2.0: Old meets new
9 Things You Need to Know Before You Store Data in the Cloud
Can Heartbleed be used in DDoS attacks?
Secure browsers offer alternatives to Chrome, IE and Firefox
Linksys WRT1900AC Wi-Fi router: Faster than anything we've tested
Heartbleed bug is irritating McAfee, Symantec, Kaspersky Lab
10 Hot Hadoop Startups to Watch
Server makers rushing out Heartbleed patches
Fortinet, McAfee, Trend Micro, Symantec, Bitdefender battle in socially-engineered malware prevention test
Net neutrality ruling complicates US transition to IP networks
6 Social Media Mistakes That Will Kill Your Career
Canonical's new Ubuntu focuses on the long haul
4 Qualities to Look for in a Data Scientist
Big bucks going to universities to solve pressing cybersecurity issues
/

Crypto export rules falls short of total decontrol

Today's breaking news
Send to a friendFeedback


The Clinton administration is winning praise for its new encryption export policy, but at the same time software vendors and privacy organizations point out that the government still maintains considerable oversight on the sale of encryption products outside of its home market.

Many advocates for revision of the government's encryption export policy say that while the long-awaited regulation represents fundamental change, the rules are complex and will require many companies to hire experts to ensure compliance. They also say they feel compelled to continue working with the Department of Commerce to try to further liberalize the process of exporting encryption.

The new regulations, which were released by the Commerce Department's Bureau of Export Administration Wednesday, are more in step with the economic realities of the information age than the old policy, according to Americans for Computer Privacy (ACP), a Washington organization that worked closely with the Clinton administration and industry representatives to rewrite the export policy.

"ACP is extremely pleased with the progress that was made. We believe the administration took all our concerns very seriously," says Sue Richards, a spokeswoman for the ACP. "However, the bottom line is there is still a feeling in the government that somehow ... encryption is controllable. We believe encryption is inherently uncontrollable."

The Center for Democracy and Technology (CDT), which also fought for a relaxation of the export rules, concurred with the ACP assessment, but also cautioned that not all export controls have been removed.

The regulations remain very complicated and do not change the premise that those who wish to export encryption - including researchers and others who want to exchange certain kinds of source code - must still comply with a process that may prove daunting for some individuals and small businesses, says Alan Davidson, staff counsel at the CDT.

Throughout the debate on encryption export rules the government defended its tight control on strong encryption products as necessary to ensure that law enforcement and national security bodies would not find themselves unable to access computer files and other digital evidence because it was sheathed in strong encryption.

But encryption vendors complained that the export controls created a void in the market that their competitors outside the U.S. were more than happy to fill. Meanwhile, privacy advocates griped that the strict export rules were hampering worldwide e-commerce.

The new regulations let U.S. companies export any encryption product to commercial firms, individuals and other nongovernment users without a license, but a one-time technical review of the products is required before the products can ship.

The regulations also create a new category of "retail" encryption products that permit the export of encryption products available in the market to any end user. But the Bureau of Export Administration will review any product before it can be exported and the bureau will determine which products qualify as retail encryption offerings. At 30-plus pages, the new regulation leaves a lot of room for interpretation, especially when it comes to the definition of a retail product and the definition of a government entity, says Lynn McNulty, director of government affairs for RSA Security.

"Individual companies still are going to have to probably retain some sort of expertise in order to be able to interpret the regulation and not run afoul of any of its provisions," McNulty says. "This is not ... complete decontrol and anyone who was expecting decontrol is disappointed."

However, McNulty, who provided input for drafting the policy as a member of the encryption subcommittee of the President's Export Council, says RSA is "very encouraged" about being better able to compete for business overseas and praised the Clinton administration for showing flexibility and willingness to listen to people in the industry.

Bill Crowell, president and CEO of Cylink, also praised the U.S. administration. He isn't critical of the new rules' continued restrictions because Cylink has been exporting its products for years and is already familiar with how to comply with regulations.

Crowell says the biggest improvement for Cylink is that the new rules reduce the number of individual licenses the company will have to obtain and eliminate the need entirely for licenses for commercial customers, which is Cylink's primary business.

"This might fall short of complete decontrol, but frankly it's an incredibly large step forward and it levels the playing field," Crowell says.

ACP can be found at www.computerprivacy.org/. CDT can be reached at +1-202-637-9800 or at www.cdt.org/. RSA Security can be found at www.rsasecurity.com/. Cylink can be found at www.cylink.com/.

RELATED LINKS


NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.