EPIC Analysis of the Encrypted Communications Privacy Act
by the Electronic Privacy Information Center (03/1996)

Analysis of the Encrypted Communications Privacy Act of 1996 (S.1587). The proposed legislation would relax export controls by transferring authority for export decisions to the Secretary of Commerce, and mandate the removal of controls on "generally available" encryption software. It would also create a legal framework for key escrow agents, including an obligation to disclose keys and assist law enforcement, and establish penalties for improper disclosure. Finally, it would affirm the freedom to use and sell encryption within the United States and criminalize the use of encryption which may have the effect of obstructing a felony investigation.

Introduction of "Pro-CODE" Bill
Floor Statement made by Senator Conrad Burns (02/05/1996)

Senator Burns presents the "Pro-CODE" bill, or The Promotion of Commerce Online in the Digital Era Act of 1996, to the American Senate. This bill aims at promoting commerce domestically and abroad, improving the effectiveness of American software companies, and protecting the intellectual property and privacy of both businesses and individuals. To do so, the bill would allow the unrestricted export of mass-market or public-domain encryption programs. It would also require the Secretary of Commerce to allow the export of encryption technologies if products of similar strength are available elsewhere in the world. Finally, it would prohibit the government from imposing a mandatory key-escrow system in which the government or another third party would have a "back door" to private computer files.

Export of Cryptography
by Roszel C. Thomsen II (Esquire) and McKenney (Thomsen and Burke LLP), Commerce.Net (1996)

This paper describes the United States export controls on cryptography, including recent legislative, regulatory and other developments of interest. Currently, strong cryptography is controlled under authority of the Arms Export Control Act ("AECA") and the implementing International Traffic in Arms Regulations ("ITAR") administered by the State Department's Office of Defense Trade Controls, whereas some cryptographic products, which are commercial products containing certain limited security features and are described on the Commerce Control List, are subject to the jurisdiction of the Commerce Department under the EAR. Yet there are a number of areas where the ITAR and EAR contain overlapping jurisdiction, such as the case of so-called "mass market" software, which is discussed in this paper. Indeed, in the early 1990s, when the developers of mass market software (under the auspices of the Software Publishers Association) lobbied Congress and the Administration for relief from onerous ITAR controls, the Bush Administration negotiated a compromise with the software industry and amended the ITAR by creating an expedited Commodity Jurisdiction Procedure for mass market software. Under this procedure, the State Department agreed to transfer non-strategic mass market software from the State Department's jurisdiction to the Commerce Department's jurisdiction within seven days, provided that the software meets certain criteria. This paper presents the recent legislative initiatives that were taken in order to rectify some of the issues raised by this change in jurisdiction (reform of the ITAR and EAR by the Clinton Administration and introduction of "key escrow" cryptography). The paper also presents the debate between privacy advocates on the one hand and the intelligence and law enforcement communities on the other, and such issues as electronic commerce, crypto-with-a-hole, PGP, First Amendment issues, and digital telephony.

Export Controls and Internet Commerce
by Roszel C. Thomsen II (Esquire) and McKenney (Thomsen and Burke LLP), Commerce.Net (1996)

Through tight export control laws, the US government aims at restricting or even denying the possibility for companies and individuals to export software and data from the United States. But aren't these export controls obsolete, since it seems impossible to control such data and software once it has been made available via the Internet? This study first describes the multiple forms of export controls. The vast majority of data and software exported from the United States via the Internet is so-called "dual-use", because it has both civilian and military applications. As such, it is controlled for export under the Export Administration Act and Export Administration Regulations administered by the Commerce Department's Bureau of Export Administration. Some data and software in Internet commerce, for example hardware and software implementing strong cryptography, which are essential to Internet commerce, are controlled for export from the United States because they are considered to be "munitions", whose export is treated as contrary to the national security and foreign policy interests of the United States. In this case, they are controlled under the AECA and ITAR administered by the State Department's Office of Defense Trade Controls. Lastly, there are also other, even more stringent export controls which are implemented as embargo regimes, or more liberal export controls implemented as a result of multilateral agreements. These export controls can be sources of problems for potential exporters. First, because of the multiplicity and variety of export controls, companies must know which export controls apply to particular data and software if they aim at exporting them legally via the Internet, which is not always easy to do. Second, the munitions export licensing process, necessary in the case of export of strong encryption products, is a long and tough review process. Third, for an export via the Internet, is it necessary to comply with US export controls, knowing that the laws cannot realistically regulate conduct that would bypass the power of the Customs Service? Neither the EAR nor the ITAR specifies that companies or individuals must take any specific affirmative actions to ensure that their data and software are not downloaded by unauthorized persons, and in any case there seems to be no completely secure means of preventing unauthorized access to data and software posted on the Internet. For these reasons, the authors advise that, unless and until the Government mandates that individuals and companies engaged in Internet commerce must meet a prescribed standard of due diligence, the recommended course of action is to benchmark the best industry practices periodically and adopt those safeguards which are reasonably widespread.

Cryptography's Role in Securing the Information Society
by the Committee to Study National Cryptography Policy, National Research Council (30/06/1996)

This study attempts to define a framework for thinking about cryptography policy, identify a range of feasible policy options, and make recommendations regarding cryptography policy. The Committee to Study National Cryptography Policy, appointed by the National Research Council's Computer Science and Telecommunications Board (CSTB), tried to take into account the varied interests affected by national cryptography policy, such as personal liberties and constitutional rights, the maintenance of public order and national security, technology development, and US economic competitiveness and markets.

Crypto Code of Honor Put to Test
by CNET News.com Staff (14/09/1996)

This document describes the battle between the supporters of the Pro-CODE bill and law enforcement authorities. Pro-CODE seeks to abolish not only export restrictions on encryption but also a "key escrow" system in which everyone's private encryption codes, or "keys," would be stored with third-party agencies sanctioned by the government. Despite its growing popularity, the measure has little chance of passing Congress quickly, especially after such incidents as the TWA explosion and the Olympics pipe-bombing.

Memorandum: Internet Export Compliance Issues for Software
by Fred M. Greguras and John Black, Fenwick & West LLP (01/04/1997)

In 1996, the Export Administration Regulations ("EAR") and the International Traffic in Arms Regulations ("ITAR") were amended to transfer export control jurisdiction over "encryption software" to the EAR. This jurisdiction transfer clarified the U.S. government's existing interpretation of its former rules governing exports of encryption software and brought Internet export compliance issues into focus. Indeed, the EAR establishes two different definitions of Internet "export," one for encryption software and another for non-encryption software. In this memo, the authors address the different regulatory rules for each of these categories. In the case of encryption software, the compliance procedures include ensuring that the facility from which the software is available controls access to and transfer of the software through such measures as an access control system, or obtaining a specifically approved export license from BXA. As for non-encryption software, if it is not publicly available, the compliance procedures for export include implementing procedures to ensure that the software is not exported to unauthorized parties (there are country restrictions, which depend on the type of software to be exported, as well as prohibited-party restrictions). Nevertheless, if a company sells software over the Internet and during the course of a transaction does not receive any "Red Flag" information that may indicate that the buyer is a foreign party, the sale may be considered a domestic, that is, non-"export," transaction.

Encryption Policy and Market Trends
by Dorothy E. Denning (17/05/1997)

This paper reviews encryption policy and market trends as well as the driving forces behind them. The focus is the use of encryption for confidentiality protection, which has been the area of greatest controversy. Interestingly, Denning classifies the driving forces behind encryption policy and technology in two groups, which are served by opposing functions: code making and code breaking. On one hand, corporations (as users and vendors), government agencies, academics, hobbyists, and individuals (as users) are looking for strong, robust and cost-effective encryption in order to achieve information security, economic strength at the corporate and national level, national security, public safety, crime prevention, privacy, and academic freedom. On the other hand, the same users have needs for code breaking which are often complementary to those of code making, and which can also be in the national interest. So although the dilemma is often characterized as one of governments vs. corporations and citizens, or of national security and law enforcement against security, privacy, and economic competitiveness, Denning points out that the actual dilemma is how to effectively serve national, corporate, and individual interests in both code making and code breaking.

Encryption Export Control Restrictions
by D.C. Toedt III, Intellectual-Property Law Facts, from The Law and Business of Computer Software (07/1997)

This file briefly describes the U.S. export control regulations for encryption technology, including the controversy over the U.S. Government's policy changes in that regard in 1996. The Clinton Administration took what the author calls a "carrot-and-stick" approach to encouraging industry cooperation with its objective of maintaining electronic surveillance capabilities for intelligence and law-enforcement agencies. The stick is that, under the interim final rule, export licenses for encryption technology are now required for all destinations except Canada. The carrot is the possibility of export and reexport of 56-bit key length DES or equivalent-strength encryption items under the authority of a special License Exception, provided the exporter makes satisfactory commitments to build and/or market recoverable encryption items (i.e., "back door" capability for law enforcement) and to help build the supporting international infrastructure. As for Congress, it has not taken a position on encryption export policy, but several bills that aim at liberalizing encryption export controls are pending: the SAFE Act Bill, the ECTA Bill and the PRO-CODE Bill.

Export Control Restrictions on Software
by D.C. Toedt III, Intellectual-Property Law Facts, from The Law and Business of Computer Software (07/1997)

This file briefly describes the U.S. export controls regime for software products with encryption capabilities. These controls are defined by the Export Administration Regulations ("EAR" or "Export Regulations"), which are administered by the Bureau of Export Administration ("BXA") in the Department of Commerce. They were completely reorganized in March 1996, with a major encryption-related revision in December 1996. Under the Export Regulations, and unless a "License Exception" applies, the export of high technology products, including sophisticated computer software and other technical data, is very likely to require a license, even in the case of some transactions that might not be regarded as an "export" but are surprisingly defined as such in the EAR.

US Dual-Use Export Controls
by W. Reinsch, Under Secretary of Commerce for Export Administration, USIA Electronic Journal (09/1997)

In this article, William Reinsch, U.S. Under Secretary of Commerce for Export Administration, explains why, as export controls evolve along with technology and circumstances, they must remain a part of international trade as the United States and friendly countries grapple with persistent problems like proliferation of weapons of mass destruction, regional instability, and terrorism. Reinsch also explains U.S. use of unilateral controls and re-export controls.

Access to U.S. software and other U.S. technology by foreign nationals
by Fred M. Greguras and Roger M. Golden, Fenwick & West LLP (03/10/1997)

This article describes the impact of U.S. export controls on foreign engineers who have nonimmigrant visas and who usually have access to software and other technology in the course of their employment. Indeed, under the Export Administration Regulations ("EAR") administered by the Department of Commerce or under the International Traffic in Arms Regulations ("ITAR") administered by the State Department, a "release" of source code or other technology to a foreign national in the US, whether by visual inspection or oral comments, is considered an "export".

Inside America's Secret Court: The Foreign Intelligence Surveillance Court
by Patrick S. Poole (1998)

This article presents the Foreign Intelligence Surveillance Court (FISC), which considers surveillance and physical search orders from the Department of Justice and US intelligence agencies. It was created by the Foreign Intelligence Surveillance Act (FISA), passed in 1978 in order to regulate the State's power of warrantless surveillance, and addresses the need for control of the process of judicial review that should be followed by the FBI and the National Security Agency (NSA) before initiating domestic surveillance operations. But the politicization and present use of the FISA by the Clinton Administration, characterized by a sharp increase in FISC orders since the ascendance of the Administration, has resulted in the erosion of numerous Constitutional rights. According to the author, the purpose of the FISC, which was to add oversight to intelligence agency and law enforcement spying against US citizens and to subject that spying to minimization procedures, has totally shifted because of the enormous power that the FISA process grants to the government to circumvent explicit constitutional protections in a criminal trial.

US Encryption Policy: A Free-Market Primer
by Justin Matlick, Pacific Research Institute for Public Policy (03/1998)

This report is a primer on issues related to encryption policy. It argues that if maintained or broadened, a restrictive U.S. encryption policy prevents the Information Age from flourishing and at the same time does not empower law enforcers to respond to encryption-related criminal threats. A more effective policy would harness market forces by eliminating all regulations on encryption. This would not only assure the security of legitimate transactions, it would also empower law enforcers to respond to computer crimes with market-driven innovations instead of government-imposed regulations.

The risks of key recovery, key escrow & trusted third party encryption
by Abelson, Anderson, Bellovin, Benaloh, Blaze, Diffie, Gilmore, Neumann, Rivest, Schiller & Schneier (06/1998)

This report examines the fundamental properties of the key recovery, key escrow and trusted third-party encryption requirements which have been suggested in recent years by government agencies, in particular the associated technical risks, costs and implications of deploying systems that provide government access to encryption keys. Key recovery benefits are not discussed here, but the authors underline the substantial sacrifices in security and convenience and the greatly increased cost to the end user that are, according to them, associated with the deployment of key recovery based encryption.

Encryption Policy for the 21st century
by Solveig Singleton, Policy Analysis No. 325 (19/11/1998)

This article was written just after the government announced a new policy in the domain of encryption export controls. The new policy maintains restrictions on the export of encryption stronger than 56 bits, and promotes the building of a key-recovery infrastructure in order to favour law enforcement in the case of export of stronger technologies. The author explains why such a policy is not only a threat to individual privacy but also a costly, technically unfeasible policy that is not even likely to keep strong encryption out of the hands of criminals. After assessing the current impact of export controls and the probable outcome of further attempts at controlling the export of strong encryption, Singleton shows why it is unavoidable that, in the end, the power of technology driven by market demand will win over the power of government.

Les enjeux de la cryptographie
by Lionel Thoumyre, Juriscom.net (11/1998)

A comparative analysis of North American policies on encryption. This article deals mainly with the way the US and Canadian governments have dealt with the problem of diverging interests between national security and private interests, or have met the imperatives of electronic commerce. It is a quick overview of the many measures adopted by both governments at the end of the 1990s, and the issues both countries have had to face. Whereas the US policies have been focused mainly on security issues, the Canadian government has apparently focused its efforts on the promotion of electronic commerce, which is the most important economic issue related to cryptography. Yet, although the Canadian policy may appear more liberal at first sight, the proposed solution, which implies the existence of third-party certification authorities, might apparently become a second "clipper chip" in the long run.

Government Regulation of Encryption: Domestic & International Developments
by Stewart A. Baker & Michael D. Hintze (06/01/2000)

Overview of US controls on encryption and current legislative proposals (SAFE Act, Pro-CODE Act, Secure Public Networks Act). Comparison with other mechanisms for controlling encryption that can be found in other countries such as France, the UK, Russia and China. Description of various attempts at regulating encryption at an international level: the Wassenaar Arrangement and the development of cryptography guidelines by the OECD.

Encryption Export Control Policy 2000
by Roszel C. Thomsen II and Antoinette D. Paytas, Thomsen, Burke and Franke LLP (2000)

Discussion of new regulations published by the Commerce Department's Bureau of Export Administration (BXA) in January 2000. Indeed, a new interim rule with request for comments now amends the export controls on encryption products in two important respects. First, it implements the encryption export control reforms announced by the White House on September 16, 1999. The encryption policy is now based on three principles: (1) technical review of all encryption products prior to sale; (2) post-export reporting of sales; and (3) review of exports to foreign governments. Second, it implements changes to the encryption items that are subject to export controls under the Wassenaar Arrangement, by: (1) transforming Category 5, Part 2 of the Commerce Control List to a positive list; (2) creating a new Cryptography Note; (3) removing encryption software from the General Software Note; (4) removing controls on 64-bit mass market products; and (5) removing controls on 512-bit key management products. According to the authors, the new regulations are positive because they allow a greater scope of exports without case-by-case licensing, but at the same time remain disappointing in that they introduce a higher level of complexity to the export control process.

Export Controls on Encryption Software
by Ira S. Rubinstein and Michael Hintze, Coping With US Export Controls 2000 (12/2000)

This article provides a detailed and comprehensive review of export controls on encryption software. It examines the current state of Commerce Department controls on encryption software and technology, including the October 19, 2000 update to the regulations. The current export policy is the result of step-by-step liberalization due, in large part, to the computer industry's constant pressure on the Administration and on Congress to liberalize U.S. export controls on products with encryption features. It has evolved from case-by-case licensing of individual encryption exports, to policies designed to encourage "key escrow" or "key recovery" encryption systems, to broad approvals for exports to certain preferred industry sectors, and finally to nearly free exportability of most products with after-the-fact reporting. In spite of these improvements, U.S. exporters are still forced to navigate very complex licensing processes merely to accomplish what is ultimately a permissible export. This article also provides a detailed analysis of this burdensome licensing process. It also looks at a number of selected policy issues, including two federal court cases challenging the constitutionality of encryption export controls, U.S. government policy regarding source code, posting encryption software to the Internet, and "crypto with a hole."