Crypto export called small step
Experts say an export license for 128-bit cryptography issued to Pretty Good Privacy doesn't mean much in the encryption debate.
The license allows PGP to export its software to the overseas offices and subsidiaries of more than 100 specific U.S. corporations without a "key-recovery" plan; the government's regular licenses limit crypto exports to a key length of 56 bits without key recovery.
Key recovery means that the cryptographic keys used to decode encrypted information must be available by court order if a law enforcement agency needs access to the scrambled data.
"It's a small step in the right direction in terms of the government's treatment of the encryption issue," said David Sobel, legal counsel for the Electronic Privacy Information Center, a privacy advocate group in Washington. "I'm not sure it's a major breakthrough in terms of indicating a change in policy."
That view, shared by Steve Walker, CEO of Trusted Information Systems, a security firm that markets a key recovery program, is based on the limited scope of PGP's license.
"It's essentially a preapproval of the list," said Walker, who called PGP's license a distribution agreement. "If PGP is the first to get one, then it means anyone can do it."
PGP said it still opposes export controls on encryption products but welcomed the permission as a boon to encryption needs of U.S. firms overseas.
"Basically, we left it up to the government as to which of the largest American companies they wouldn't trust," said Bob Kohn, PGP general counsel. "If this license is the beginning of a trend, we welcome it wholeheartedly."
PGP's founder, cryptographer Phil Zimmermann, became something of a cause celebre when his PGP technology was posted on the Net in defiance of laws prohibiting international distribution of encryption technology. Zimmermann came close to being charged before the government dropped its case.
Until now, the government had approved only 128-bit encryption exports for protecting financial transactions, but PGP technology can encrypt any kind of digital communication, including its email product, now called Personal Privacy. The company claims more than half of the Fortune 100 companies use its email software.
The export license does not cover foreign offices of U.S. firms in embargoed countries, namely Cuba, Iran, Iraq, Libya, North Korea, Sudan, or Syria.
The company still has another old foe to worry about. Encryption software giant RSA Data Security earlier this month filed a lawsuit against PGP over royalties RSA wants to collect. The suit alleges that PGP is using RSA technology licensed to Lemcom before its merger with PGP in 1996. PGP representatives say the dispute should be arbitrated as stated in the contract and that RSA's claims are without merit.