
Pros and cons of the Clinton administration's encryption export announcement

Jim Reavis
Network World on Security, 10/06/99

The Clinton administration's announcement on September 16 of a new policy concerning the encryption export regime was initially presented as a radical policy change that virtually eliminated any restrictions.

To paraphrase Winston Churchill, however, this may be a case where never before in the field of encryption policy has so much been made, by so many, over so little.

The new policy appears to be more of an incremental change in current policy. There also seems to be a fair amount of early concern that this policy favors large commercial vendors over individuals developing Open Source or freeware packages. It is important for all of us to keep in mind that the new regulations will not be released in detail until December 15, which gives the stakeholders plenty of time to try to shape policy.

Currently, only very weak cryptography using 40-bit keys is virtually unregulated. One area that the new encryption policy may greatly affect is the current rule requiring a company to apply for a license in order to export encryption technology. The new policy may change this procedure to one that requires just a one-time technical review. Depending upon the requirements for a review, this could prove to be a real benefit to U.S. high-tech companies. A White House press release also mentions that in the case of strong cryptography in excess of 64 bits, post-export reporting is required to maintain compliance with the new regulations. The effect of these changes may be that U.S. companies gain additional markets for their products. However, the costs of legal advice and other compliance needs are unknown and are likely to favor larger companies. Legal fees needed to comply with the Department of Commerce may be a relatively small cost for large companies. But what about the individual developer who seeks to export a product created in a one-person shop? What about Open Source software?

The comments and sound bites from those in U.S. law enforcement, and those involved with national security, do not seem to indicate a great deal of concern about the new proposed regulations. Attorney General Janet Reno responded with a resolute "no" when asked if the new policy represented a relaxation in export policy. The Department of Defense has positioned the new plan as a pragmatic approach to the issue of encryption used to conceal hostile activities. What is in it for them? One part of the administration proposal is for $80 million to go to an FBI technical center that will let police respond "to the increasing use of encryption by criminals." In other words, code breaking - looking for exploitable flaws in the technology they are now going to let out of the U.S.

The new proposal also says law enforcement may require access to plain text data, and the government can use decrypted evidence in court without revealing how it was decrypted. The fact that the government does not have to reveal how it decrypted data may be good for law enforcement, but it also leaves open the possibility that companies may be encouraged to assist the government in cracking company software without fear of exposure.

Besides the notable calm from law enforcement agencies regarding the proposed changes, it is also revealing that some large high-tech companies seem to be downright enthusiastic about them. RSA Security President Art Coviello called the changes a "great step forward."

On the other hand, privacy advocates seem to be much more reserved about the policy. "The devil is in the details," said Alan Davidson, policy analyst with the Center for Democracy and Technology.

"From what we could glean, this is not much of a change at all," stated Andrew Shen, an analyst at cyber-rights advocate The Electronic Privacy Information Center.

American politics being what it is, we cannot yet know with a great deal of certainty what the final policy will look like. The policy at this point is more like a trial balloon, and the intervening time allows for a lot of changes to be made. The assumption many of us have held is that real change in American encryption export policy means that the government needs to lose in order for the high-tech industry to win. The bits and pieces that we have heard and the reactions from various stakeholders indicate that big U.S. companies seem to feel they are gaining something. Law enforcement feels it is losing nothing.

Is there an unholy alliance between U.S. companies and the government to allow law enforcement access to encrypted data? Are high-tech companies simply being optimistic about what the proposed changes will ultimately look like? Has the government moved from a stance of attempting to keep strong encryption out of international hands to an approach of aggressively cracking software? Or will the bureaucrats who fill in the details ultimately make this new policy very much the same as the old? Our hope is that the new policy is fair to the little guy, keeps the integrity of U.S. companies intact and recognizes the growing capabilities of encryption products developed outside of America.

Jim Reavis, the founder of SecurityPortal.com, is an analyst with over 10 years' experience consulting with Fortune 500 organizations on networking and security-related technology projects. SecurityPortal.com is a Web site dedicated to providing IT professionals with comprehensive information about network security issues. Jim can be reached at jreavis@securityportal.com.

RELATED LINKS

SecurityPortal.com Export Policy Research Center

Privacy- and security-enhancing technology
Network World, 09/27/99

White House proposes easing encryption export regulation
Network World, 09/17/99

Network World Fusion Focus: Trends in government encryption policies
Network World, 08/18/99

Archive of Network World on Security newsletters


Copyright, 1994-2006 Network World, Inc. All rights reserved.