Computer Systems Policy Management

Thursday, January 13, 2000

Washington Post

By John Schwartz

U.S. Eases Encryption Export Rules

U.S. companies will finally be able to export products using strong privacy-enhancing encryption software, but they will have to jump through some regulatory hoops to do so.

That's the thrust of long-awaited regulations released yesterday by the Clinton administration.

Encryption, the technology used to scramble information and communications, has been at the heart of a long-running dispute between the administration on the one hand and high-tech companies and privacy advocates on the other.

Law enforcement and national security officials warned that widespread use of strong encryption products would cripple their ability to track criminals and terrorists, and worked to restrict the dissemination of "crypto" products. Industry and its supporters, however, said there already were excellent encryption products available from companies around the globe; the restrictions, they contend, merely hindered the American high-tech industry and prevented the use of products that could enhance computer security and privacy.

Previous attempts to control encryption exports generally focused on "key length," a measure of the strength of the software. The new regulations do away with restrictions on key length and requirements of a license; U.S. companies will be able to export encryption products after review by the government. Retail products can be exported to any user, even foreign governments--except those regarded by the United States as supporters of terrorism.

"We have worked very hard to address privacy concerns and to ensure that our law enforcement and national security concerns are met," Commerce Secretary William Daley said in a statement.

Industry showed strong support for the new rules. "This is good news for America," Ed Gillespie and Jack Quinn, who head a coalition called Americans for Computer Privacy (ACP), said in a statement.

High-tech companies generally said they were pleased with the rules. "It's still more complex than I'd like to see," said Piper Cole, a Sun Microsystems Inc. executive involved in negotiations with the White House over the policy, "but it's just a whole lot better and recognizes the realities of the marketplace and the networked world."

Many of those who have read the new rules complained that the required government review process is too cumbersome. "The good news is you'll be able to export your products," said Bruce Heiman, a Washington lawyer who represents high-tech companies on encryption issues before Congress and the administration. "The bad news is there's still a complicated process you'll have to go through."

Large companies will be able to navigate the regulatory maze to export their products, but the entrepreneur in the garage or the cryptographer who wants to spread a novel approach to the craft might not have the wherewithal to do so, said Alan Davidson of the Center for Democracy and Technology, a high-tech policy group.

"The message is 'Don't try this at home,' " Davidson said. Because of its focus on paving the way for business to export encryption, he said, the new regulation "is not going to address all of the constitutional free speech and privacy concerns that have been raised" about past restrictions on encryption export.

The new rules, based on policies announced Sept. 16, will be published in the Federal Register tomorrow. An earlier draft of the rules that was circulated late last year was roundly criticized by ACP and others.

The White House has come under increasing pressure to relax its encryption stance as momentum built in Congress behind proposed legislation that would have eased export controls--including a measure, the Security and Freedom Through Encryption Act (SAFE), pushed by Reps. Robert W. Goodlatte (R-Va.) and Zoe Lofgren (D-Calif.).

"It's not perfect, but it's not bad," Lofgren said. "Much of what we hoped to achieve through SAFE has been achieved through these regulations."

Lofgren said she and her colleagues had not yet discussed whether they would continue to push their proposal, but said she believes "it would be a mistake to move that bill, because we've gotten so much of what we'd hoped to achieve."