Crypto policy called a failure

The government's policy restricting the export of strong encryption products has failed and is boosting the foreign market by hog-tying the U.S. industry, Commerce Department secretary William Daley conceded today.

Members of the high-tech industry, privacy advocates, and others long opposed to

William Daley

the Clinton administration's stance on encryption applauded Daley's concession. But they were skeptical that the admission will have an immediate impact on the government's policy.

"The truth is that while our policy goal--balance--is the right one, our implementation has been a failure," Daley told the Information Technology Policy Council today.

Daley made the remarks while unveiling the department's e-commerce report before the government advisory board.

Dubbed the "Emerging Digital Economy," the report backs up the Clinton administration's mantra that e-commerce is flourishing and that federal policy should help bolster online sales by limiting new regulation and levies on Net services. The paper also drives home the message that the industry should adopt self-regulatory guidelines to safeguard Net shoppers' private information and purchasing habits.

But the software industry and privacy advocates were most intrigued today by Daley's admission that the administration's export limits on encryption (technology that secures digital communication) are hindering U.S. companies' ability to compete with global manufacturers.

The export policy went into effect last January, and is overseen by the Commerce Department. Under the rules, software makers that are granted crypto export licenses must submit proof of their plans to build key-recovery features into their products after next year. Key-recovery systems make it possible for law enforcement agents--who have obtained a court order--to access computer users' private key that unscrambles their digital messages or files.

"The ultimate result will be foreign dominance of the market," Daley said. "This means a loss of jobs here, and products that do not meet either our law enforcement or national security needs."

There has been an ongoing fight to overturn the export limits. But a compromise hasn't been reached with law enforcement officials, who assert that access to keys is needed to combat a new wave of high-tech crime in which suspects can cover their tracks with crypto.

The secretary's comments today mimic arguments that have long been made by industry, privacy groups, and some federal lawmakers. For example, the Economic Strategy Institute reported earlier this month that the U.S. economy stands to lose $35 billion over the next five years due to the policy.

Moreover, aside from statements made in a 1996 Commerce Department memo, observers said a high official has yet to publicly poke holes in the export policy as Daley did today.

His statements also confirm the internal struggle within the administration over the export rules, with the FBI on one side clamoring for key-recovery, and Commerce on the other side looking to foster the growth of all export markets.

"In my recollection, it's the highest level of official recognition that we've heard," said Lauren Hall, chief technologist for the Software Publishers Association.

Overall, the move is likely to be more symbolic than an indication that the White House policy is shifting to favor the demands of industry and privacy advocates over those of the FBI. If key recovery in export products remains a government mandate, the fight will continue, Hall said.

"Unfortunately we've already known this," she noted. "I don't see a compromise that continues to put the industry at a disadvantage to foreign competition, or that puts our customers' data and privacy at risk. If there is a policy that doesn't require us to turn keys over to the FBI, then industry has always been willing to talk."

Consumer privacy advocates welcomed Daley's criticism of the policy, but they remain wary.

"I'm not sure that this changes much," said Dave Banisar, staff counsel for the Electronic Privacy Information Center. "If Commerce has been fighting this battle all along--and this is just a public manifestation of it--they still have to fight the battle. This could just be a public cry for assistance."

Although numerous bills before Congress aim to overturn the export limits, none have passed.

"The White House should treat [Daley's] remarks as an opportunity to reconsider counterproductive export restrictions against U.S. companies and allow them to maintain a leading edge in technology rather than ceding it to foreign companies who will not be helpful to U.S. law enforcement the way American companies have been," Ed Gillespie, executive director of Americans for Computer Privacy (ACP), said in a statement.

Sources say ACP has been working on a proposal to end the crypto tug-of-war. The legislation is set to be introduced later this month by Sen. Patrick Leahy (D-Vermont) and Sen. John Ashcroft (R-Missouri). The bill is expected to prohibit mandatory key-recovery systems for export or domestic encryption products, but will protect law enforcement's right to access keys to scrambled files with a court order.

"We have no problem with key recovery if it is voluntary--as an insurance policy that users won't get locked out of their communication [if they lose their key]," David Peyton, director of technology policy for the National Association of Manufacturers, said today.