Did crypto industry get wonked?
Two months after promising to make it easier for the American software industry to export strong cryptography, the Clinton administration is circulating a draft of its export rules that has infuriated privacy advocates and software companies alike.
Released this week by the Commerce Department, the rules fail to give the computer industry a leading role in implementing an encryption export scheme, according to software industry representatives.
"We call it unworkable," said Becca Gould, vice president for public policy at the Business Software Alliance. "We think these regulations have to be thrown out in their entirety."
In October, the administration published an outline of its new policy, which would let software companies export strong encryption software as long as they stored the decoding keys and make them available to law officers bearing warrants. The policy referred to this storage system as key recovery or key escrow.
The industry warily agreed to work with the administration to implement the details, but its representatives now say that the government is going ahead with rules that ignore industry concerns and backpedal on previous agreements. The fight is a blow to the relationship that the Clinton administration had carefully cultivated with the software industry during the presidential campaign.
The Commerce Department is accepting public comments on the draft of the rules through next Monday, but Gould doesn't see much chance of reversing the administration's direction before the regulations take effect January 1.
Software companies and privacy advocates have been fighting the administration for three years over cryptography, which the FBI and other law enforcement agencies insist must be controlled to prevent criminal activity over electronic networks. Critics say that strong cryptography, in fact, deters high-tech criminals from cracking private messages and company data.
The specific objections include the closing of the two-year window for developing key recovery systems to six months and the addition of a representative from the Department of Justice to the Bureau of Export Administration's review committee, which approves export permits.
The industry also objects to the requirement that export license applicants must provide the government with a "satisfactory business and marketing plan for exporting recoverable items and services" and that each company appoint a key recovery agent who acts as a liaison with the Bureau of Export Administration. The government requests that this person have "an active U.S. government security clearance of Secret or higher issued or updated within the last five years."
The industry is also upset that the administration still holds that the encryption rules should not be subject to the Administrative Procedures Act because they involve "a military or foreign affairs function of the United States." It was thought that the government would start applying APA rules because encryption regulation has been transferred from the Department of State to the Department of Commerce.
In a letter to Vice President Al Gore on December 3, the BSA outlined five key things that the software industry expected to be implemented in the rules. The BSA says it appears that the government has ignored all of the trade group's requests, as follows:
"We would like to see the administration do a '180' in ten days, but we don't see it happening," said Gould. "We've worked with them a whole year, and this is deja vu back to 1995."
One of the chief objections of BSA members to the rules is the implementation of the key escrow or key recovery system. The BSA says the industry had agreed to store keys for their encryption and make them accessible to law enforcement agencies, but only with the understanding that each company would store its own decryption keys. Instead, they say the rules force companies to turn over their keys to a third-party picked by the government.
"It's a government-approved third party, clearly driven by the Department of Justice," said Gould. "My members say we have to go back to Capitol Hill."
The draft also conflicts with other legislative efforts like the "Pro-Code Bill," sponsored by Sen. Conrad Burns (R-Montana) that would remove all current restrictions on encryption technology, or Rep. Bob Goodlatte's (R-Virginia) Security and Freedom Through Encryption Act (SAFE).
Goodlatte is already planning to reintroduce the SAFE bill to Congress, according to his legislative assistant Ben Cline.
"Two of the major points that the administration's draft regulations don't satisfy are our desire to have a mandatory prohibition on key escrow and to guarantee the freedom to export generally available software and hardware under license, if a comparable commercial product is available from a foreign supplier," he said.
Net privacy advocates are also angry at the White House over the rules. The Electronic Privacy Information Center (EPIC) released an analysis of the draft today that criticized the government for acting like it was interested in working with the software industry and privacy advocates and then ignoring their concerns.
"The administration's insistence on government access to secured communications has always been the sticking point," said David Sobel, legal counsel for EPIC. "It comes down to the philosophical question of whether Internet users are entitled to communicate privately without the government holding a key to those communications."
Net civil liberties groups are also objecting to the government's restrictions on books published online that contain encryption source code, said Stanton McCandlish, program director for the Electronic Frontier Foundation.
"It's extremely unlikely that any court would uphold the draft's holding that a book is a weapon of war," he said. "It is unconstitutional. They're regulating people's writings."