Crypto export rules lighten up

Cutting some government red tape, Commerce Department Secretary William Daley said today that the Clinton administration will lighten restrictions on strong encryption used by financial institutions to secure electronic transactions sent around the globe.

The government's revised encryption export policy is expected to go into effect this summer and will apply to credit card companies, banks and their branches, security firms, and brokers in 45 countries. Under the new rules, almost 70 percent of the world's financial institutions will have to apply for a one-time license to use encryption of any strength.

Most significantly, now these financial firms don't have to use encryption products with built-in key-recovery systems. These systems give companies the opportunity to make a "spare key" that unlocks their encrypted digital communication if an original key is lost or stolen, but key-recovery centers can be costly and extremely hard to build, according to private sector and government reports.

"This action gives our nation's financial institutions the flexibility they need to remain globally competitive," Daley said today in a statement.

"Importantly, it balances those needs of law enforcement, national security, and foreign policy concerns," he added. "Through steps like this we can continue to encourage the development of an electronic commerce system users can trust."

Banking industry representatives applauded the change, but reaction from software firms was less enthusiastic.

"It's a big step as far as opening up the Internet as a channel for global financial commerce, and that's important to the banking industry on a global basis," said Bill Randle, executive vice president of Huntington Bancshares.

"But I still have some concerns that it's not broad enough for other organizations," added Randle, who sits on a security committee of the Banking Industry Technology Secretariat, an affiliate of the Bankers Roundtable.

"It's great for the banks, but apparently the rest of American industry is not important enough to protect their data," said Lauren Hall, a lobbyist for the Software Publishers Association. "It is very good for banks, and we're glad to see that the administration has recognized that crypto can serve a very legitimate function for protecting data on networks."

Key recovery has been the cornerstone of a long-standing debate over the U.S. crypto export policy. Privacy advocates and industry alike oppose mandatory key-recovery features in export products because they say the systems present the possibility that law enforcement or unauthorized parties could gain access to scrambled data without due process or permission.

On the flip side, law enforcement has held its ground that unfettered export of encryption will lead to terrorists and criminals using the technology to cover their tracks. But proponents of free encryption, without mandated spare keys, contend that strong encryption already is available around the world.

Under the current encryption export policy, crypto manufacturers have to apply for an export license for most companies or private citizens to whom they ship products. To even export products that have been cracked, such as 56-bit length encryption, software makers also have to promise to build in key-recovery systems. This bureaucracy has been bad for business, according to the industry.

Last year, the Commerce Department said it would ease crypto restrictions for companies shipping to financial institutions, but the licenses were still approved on a case-by-case basis. Now the administration plans to phase out individual export approvals for these firms, lifting a burden for crypto makers.

Chuck Williams, chief scientist of encryption vendor Cylink, called the announcement "a grand step in the right direction." Cylink already exports encryption hardware and software to banks under the previous, more restrictive policy. Network Associates, a major supplier of computer security software, likewise applauded the move.

The export relief rules announced today don't apply to private citizens and all companies, however, so the fight over encryption is hardly over. But software makers are glad they can branch out in some markets.

"There were vendors who said they love banks as a market but don't want to go through the paperwork of filing a [key-recovery] plan," said Kawika Daguio, a technology policy analyst for the American Bankers Association, hopes cutting red tape will draw more vendors into the market. "Now we can go to those people and say, 'Now you can sell to us without all that pain and suffering.' It's dramatically lowered the requirements for manufacturers."

Still, data-security technology companies see the policy shift as a building block to ease encryption restrictions for all the world's computer users. Other governments have been known to look to the United States as a basis for their encryption policies.

"Our biggest and most important clients are financial institutions, so we are certainly encouraged by this announcement from the administration. We think it will significantly help our ability to sell to financial institutions in major markets," said Kelly Huebner Blough, director of government affairs for Network Associates.

Network Associates has used some unconventional tactics to sidestep getting a crypto license for every company it ships to overseas. In May, the company said it hired the Swiss firm Cnlab Software to make and sell outside the United States a 128-bit version of Network Associates' Pretty Good Privacy encryption software.

"The more that encryption is used by banks or large companies, the more it will become accepted as a very necessary part of the U.S. economy, world economy, and e-commerce," Blough added. "This will help spread the use of encryption throughout the world."