16 January 1999
Source: http://www.nytimes.com/library/tech/99/01/cyber/articles/16encrypt.html


The New York Times, January 16, 1999

U.S. Officials Try to Sell Encryption Policy in Valley

By PETER WAYNER

CUPERTINO, Calif. -- The Clinton Administration's campaign against exporting strong secret computer codes took to the road on Friday as the President's Export Council Subcommittee on Encryption held a meeting in Silicon Valley to try to build bridges between the computer industry and the government.

Little harmony emerged, however, as the industry representatives turned a cold eye to the Administration's recent proposals and complained that increased foreign competition was in danger of surpassing American companies.

The Administration's campaign to restrict cryptography seemed to lose momentum this week as some foreign executives suggested that changes in a new international agreement announced last year might have little effect in practice. The new rules, which are a diplomatic agreement between the United States and 32 other Western countries, would require each country to require special permits before allowing the export of mass-market software containing encryption. Some executives now suggest that some countries may simply satisfy this requirement by issuing blanket permits that do little to contain encryption technology.

The Administration's position was further complicated by an announcement by Representative Zoe Lofgren, a California Democrat, who told the attendees at the meeting on Friday that she planned to re-introduce legislation to liberalize export controls. Earlier versions of the bill were the basis of a strong battle in Congress that ended in a stalemate. She suggested that she would push for liberalization of export rules once Congress finishes determining the fate of President Clinton's impeachment.

"I frankly think that all of this mess in Washington heightens people's awareness," she said. "Grandma and grandpa are e-mailing their grandkids. They're not hiding anything."

The committee itself is made up of representatives from the major government bodies like the National Security Agency, major corporations like Motorola and IBM, universities and the legal profession. The first discussions of the morning centered on identifying which tasks the committee would undertake given that most admitted that little agreement was likely.

The battle over the United States' control over the export of encryption software has always been between the arms of the government associated with defending national security and the computer industry. The government agencies like the National Security Agency and the Federal Bureau of Investigation feel that strong secret codes make it possible for terrorists, criminals and foreign countries to shield their actions from scrutiny. The computer industry suggests that average people also need codes to protect the confidentiality of their personal and financial information.

In recent years, the Clinton Administration has turned to a relatively informal mechanism for trying to convince the outside countries to adopt U.S.-style rules intended to stem the flow of secret code software. The new international pact on encryption, called the Wassenaar agreement, is not a treaty, but a diplomatic arrangement binding many of the Western countries that once united to fight the Soviet Union. It sets goals for restricting all sorts of weaponry like armored cars and includes software under this umbrella.

The first major speaker of the meeting was William A. Reinsch, the official responsible for leading the Commerce Department's Bureau of Export Administration. He began by announcing that he had little to say, in part because his bureau was "in a cleanup period right now" trying to solve unintended problems caused by the new regulations issued in December. He promised that his bureau was also working on more new regulations that would bring the U.S. regulations in compliance with the Wassenaar agreement.

The new version of the Wassenaar agreement states that there would be no need for regulation of software that protected information with encryption algorithms with no more than 64 bits. This was portrayed as a liberalization because previous U.S. rules drew the line at 56 bits. Ira Rubenstein, a senior corporate lawyer from Microsoft, who attended the meeting, suggested that this was not really liberalization since the mass-market software was not controlled at all by the Wassenaar agreement.

In fact, this lack of control was cited by Canada last year when it decided to let the Canadian subsidiary of Entrust Technologies freely export its full-strength security software throughout the world. The Wassenaar agreement was expected to hamper this push by a Canadian company because the company would be required to get a permit.

There are new indications that the Canadians may simply issue blanket permits. John Ryan, the president of Entrust Technologies, said in a telephone interview earlier this week that the Canadian government was very pro-industry and he expected little real problem. "When you net it all out, we don't think there will be a significant change," he said. "We actually believe that most countries will just issue blanket permits." He added, "The effect of the change will be very modest, if any."

In fact, the effects may even be more liberal. France, one of the few European countries with stiff regulations on encryption, may be loosening its grip in order to foster electronic commerce. The French publication Liberation on Thursday reported that the Finance Minister, Dominique Strauss-Kahn, said that the French were at the mercy of "large ears" who did not care about personal privacy. This may simply be a reference to credit card thieves who snag account numbers through illicit wiretaps or it could be a veiled reference to United States spy agencies, which are often believed to eavesdrop on a significant fraction of the telephone and Internet traffic in Europe. The article reported that she said, "I want to make cryptography widely available."

Several people at the meeting suggested that the Clinton Administration often stretched and even violated the spirit of the Wassenaar agreement by permitting the export of high-quality encryption devices to countries like China. When this happens, other countries sometimes view the regulations as just a cynical ploy to help U.S. industry instead of a sincere effort.

The Clinton Administration faces further problems convincing non-Western countries to follow its lead. This week in India, the Defense Research and Development Organization warned Indians to avoid American-made encryption software, saying that the U.S. government only allowed the export of software that was easy to break in order to facilitate espionage.

Ryan contends that this worry is often a problem for Entrust's sales force. He said, "The No. 1 pitch of our competitors is 'The cryptographic work was done in Europe so you can trust it.'"

In fact, many other countries are quickly becoming centers of cryptographic excellence. The American company RSA Data Security based in San Mateo, Calif., recently hired two Australian programmers to help solidify its offerings in Web security. The two programmers had gained notice for distributing one of the most widely used versions of SSL, one of the most common forms of security used to protect credit card purchases on the Internet. All purchases at Amazon.com, for instance, are shielded by SSL-based technology.

The meeting on Friday itself just marks the beginning of many security-related events in the San Francisco Bay Area. Next week, the annual RSA Data Security conference will begin in San Jose and many companies will be announcing new products and initiatives.



Date: Fri, 15 Jan 1999 23:37:59 -0800
To: Robert Hettinga <rah@shipwright.com>
From: Steve Schear <schear@lvcm.com>
Subject: Re: Watch the gov't discuss crypto policy Friday in Cupertino:
 PECSENC
Cc: John Young <jya@pipeline.com>

Thanks for passing this along. I attended and got to meet and talk
one-on-one with Stewart Baker, Esther Dyson and William Reinsch. It was
déjà vu all over again (i.e., my stunt at last year's RSA conference when I
pinned the tail on the FBI speaker over ECHELON). At the public comment
period I was the first to speak.

I told them that being there elicited an odd experience. I imagined
observing a meeting 500 years ago of archbishops and cardinals dressed in
colorful silk and gold robes. They were discussing recommendations to the
pope regarding the movable type printing press. I told the PECSENC that
historically technology shaped society and its laws much more frequently
than the other way around and that (as Gibson puts it) "the street has its
own uses for technology." I predicted their efforts would have no more
lasting value than the Vatican's actions to limit print to ecclesiastical
topics and, in essence, told them to go home.

Jaws dropped and there was nervous laughter around the room. Minutes
earlier Reinsch had posited whether PECSENC's role should be to concentrate
on short- or long-term goals. William with great aplomb responded that if I
was right then they should concentrate on short-term goals, since long term
planning might be wasted. He seemed at least a little serious.

Dave Del Torto, who sat just in front of me, spoke next. He admonished
PECSENC to take into consideration the great importance of crypto in
protecting the lives and information of human rights workers worldwide. It
also struck a chord with the panel.

--Steve