Senior Editor, Network World

Encryption restrictions

News Analysis
Mar 15, 2004

Regulations regarding the import and export of encryption products affect buying decisions worldwide.

Encryption is subject to a web of regulations around the world because nations view encryption as “dual-use technology” that has military and commercial value. To varying degrees, they set restrictions on import, export and use.

Network managers who want to use encryption to keep voice and data traffic secret across global operations must learn the rules that prevail where they intend to conduct business, lest they be in for a rude surprise in countries where encryption use is still closely controlled by the state. Many countries are tougher than the U.S. on what they let corporations do.


“We have part of our business in Beijing,” says Bernie Cowens, vice president for security services at encryption vendor Rainbow Technologies. “If you encrypt data in China, you have to provide the Chinese government the ability to access the keys. By this regulation, the Chinese should be able to get access to [Secure Sockets Layer]-encrypted traffic, too.”

The result is that businesses – including Rainbow – tend not to use encryption in China, Cowens says.

“Every country has its own rules,” says David Addis, attorney with law firm Covington & Burling in Washington, D.C. “China has restrictions on the import and use of encryption, and so do Russia and Israel.”

Complications with China

Chinese government officials have had an ongoing dialogue about encryption with foreign corporations doing business there. According to attorneys familiar with the matter, Chinese officials say the encryption restrictions are aimed at Chinese citizens, not foreign corporations. However, Addis says companies can expect the Chinese government to ask for details about the encryption they’re using – in addition to requiring them to appoint an “encryption contact” who will give the government the encryption keys when asked.

“China is the big problem area now,” confirms Stewart Baker, attorney at law firm Steptoe & Johnson in Washington, D.C. “China really has an enthusiasm for regulation and standardization that is unmatched anywhere else in the world.”

Baker said it appears likely that by June all businesses in China using wireless LANs will be required to use the Chinese WLAN Authentication and Privacy Infrastructure (WAPI) standard if they want to encrypt WLAN traffic. WAPI, which has become a point of trade friction between the U.S. and China, “seems to be an effort to drive industrial policy,” he says.

That has many network vendors concerned, particularly because the Chinese government wants to compel foreign manufacturers to license the WAPI protocol technology from designated Chinese manufacturers. That would force foreign manufacturers into a new kind of dependency and close contact with their Chinese competitors to gain use of WAPI.

“We’re just going to have to see how this turns out,” said Jeff Platon, a marketing director for Cisco who tracks the U.S.-Chinese government trade negotiations. Cisco sells WLAN equipment to the Chinese government but is not eager to work closely with a competitor such as Huawei Technologies, which is one of the approximately a dozen Chinese firms that will have access to WAPI.

Other areas of the world also remain problematic in terms of encryption use.

In Russia, the Federal Agency of Governmental Communications and Information is the source of regulations requiring users to register in order to get approval for encryption use. Interpretation of the rules seems to vary according to which government official you contact, Baker says.

Addis also says encryption regulations are often not “transparent” around the world – a polite way to say that governments might not exactly spell things out clearly.

“Rules are often hard to find and hard to follow,” says Bruce Schneier, an encryption expert and founder of managed security provider Counterpane. The underlying reason, he maintains, is “governments want people not to do anything.”

The international trade accord called the Wassenaar Arrangement was hammered out five years ago by 33 countries to clarify the commercial exchange of dual-use goods and technologies, including encryption between participants. While Wassenaar is intended to harmonize export rules by the 33 participants, it’s what each nation spells out in its own rules that ultimately counts.

Robert Lane, vice president of product management at AEP Systems, a U.K. maker of SSL VPN and other encryption-based products, says it’s getting harder to export to countries that aren’t part of Wassenaar, where approval on a case-by-case basis still might be needed.

Getting export licenses for customers in Malaysia and the Middle East is coming more slowly as worries about terrorism have risen since the Sept. 11 attacks, Lane notes. “The attitude has changed quite a lot after 9/11. There’s been a subtle hardening of attitudes to export of crypto,” he says.

The U.K. government’s Department of Trade and Industry tends to look hard at certain types of companies – particularly start-ups or online gambling – that want to use cryptography. In some cases, AEP won’t dedicate resources to apply for certain licenses because it’s clear they won’t be approved. In general, AEP shares information about upcoming products with the government agency in order to understand the export implications they might have.

In the U.S., the Commerce Department’s Bureau of Industry and Security has a list of forbidden countries that includes Iran, Cuba and Libya, where U.S. export of cryptography technology is completely prohibited. “There are still embargoed countries, and the list, now at 12 countries, changes biannually,” says Neville Pattinson, director of business and development technology at Axalto, the Schlumberger company that makes smart cards.