U.S. Encryption Policy farfrom 'Home Run', Alliance Says

U.S. Encryption Policy far from 'Home Run', Alliance Says

by Franck Wolfe, Philips Publishing International (28/10/1998)

Oct. 28, 1998 (DEFENSE DAILY, Vol. 200, No. 48 via COMTEX) -- A coalition of leading software developers has praised the Clinton administration for its loosening of export restrictions on encryption products but said the new policy is "far from a home run."

On Sep. 16, the administration moved away from its reliance on the mandatory "key recovery" concept and its prohibition on the export of strong encryption, restrictions that were advocated by the National Security Agency (NSA) and law enforcement personnel. The administration no longer requires "key recovery" on exports of encryption using 56-bit key lengths, the so-called Data Encryption Standard (DES). Key recovery permits authorized law enforcement agencies to access "private" decryption keys. The new policy would also allow American multinational companies to distribute and use strong encryption above 56 bits among their subsidiaries worldwide.

"The administration definitely stepped up to the plate with their new encryption policy...but they are far from hitting a home run," Robert Holleyman, president of the Business Software Alliance (BSA), said in a statement earlier this month. "Tight controls on encryption have slowed the growth of electronic commerce and hurt U.S. companies in the international marketplace. That's why Congress must continue to advocate legislation that will force the administration to completely lift the limits on mass-market encryption technologies." BSA is composed of such firms as Microsoft 1/8MSFT 3/8, Lotus Development and Novell.

But the Clinton administration official overseeing encryption matters disputed BSA's contention, adding that the administration and NSA believe that encryption technologies must be closely regulated because they can fall into the wrong hands. "I appreciate the praise for the administration's actions to date, and I'm sorry they think more needs to be done so soon," William Reinsch, the Department of Commerce's Undersecretary for Export Administration, said in a statement to Defense Daily earlier this month. "The administration policy reflects a balance between the needs of law enforcement and national security on the one hand and personal privacy and electronic commerce on the other."

Software developers like Microsoft, Lotus Development and Novell as well as privacy advocates are urging Congress to pass legislation freeing encryption from export restrictions. The bills may be similar to encryption proposals, such as H.R. 695 and S. 2067, which were introduced earlier this year. Bruce Schneier, a cryptography expert and president of the Minneapolis-based Counterpane Systems, said criminals and terrorists can now download strong 128-bit encryption from the Internet or buy it from other countries. "They can get it like anyone else can," he said.

Such a globalization of the encryption trade means that if U.S. companies cannot export strong encryption, they cannot compete, he said. But Sue Hofer, a spokeswoman for the Bureau of Export Administration, said law enforcement can still decipher messages that are encoded using encryption products available on the Internet. "With encryption, as with most products, you get what you pay for," she said. "Bill Crowell (former NSA deputy director) used to liken encryption to a dead-bolt lock on a cardboard box. Without certification and authentication, the strongest encryption available won't ensure your message goes to its intended receiver without potential diversion."

Schneier, however, said such a point was irrelevant. "There shouldn't be any" restrictions on encryption export, he said, predicting that Congress "will eventually" remove all restrictions on U.S. encryption export in order to allow U.S. companies to compete. Software giants would then be able to export their strong encryption products. "You have to be able to compete," Schneier said.