Although the bill doesn't call for the same magnitude of relief as the Security and Freedom through Encryption Act (SAFE), observers say McCain's change of heart is significant and could finally push Congress over the line toward passage of crypto export policy reforms.
McCain's bill will allow for the immediate unfettered export of 64-bit crypto, and by 2002 could permit the easy export of 128-bit encryption. Currently this rule applies only to 56-bit crypto, but that standard has been cracked.
The legislation also would authorize more funding to help law enforcement stay on top of the latest security technologies, and would maintain President Clinton's and the Secretary of Commerce's power to refuse export licenses to certain countries or individuals.
"This bill protects our national security and law enforcement interests while maintaining the United States' leadership role in information technology," McCain said in a statement. Sens. Conrad Burns (R-Montana), Patrick Leahy (D-Vermont) and Ron Wyden (D-Oregon) will cosponsor the legislation.
The U.S. government has long regulated encryption exports under weapons controls, based on law enforcement assertions that tech-savvy criminals can use the products to conceal their activity.
But opponents of the rules argue that they cost the software industry profits and threaten global computer users' privacy. This same camp hit the roof in 1997 when McCain himself cosponsored a bill that for the first time would have imposed domestic controls on encryption used by government-funded institutions.
So it's no surprise that McCain's policy shift was greeted warmly.
"Having McCain, the chair of the powerful Commerce Committee, as a key sponsor, is a signal to the administration that their encryption export policy is losing support in Congress," said Lusan Chua, a policy analyst at the Center for Democracy and Technology.
Still, McCain's isn't the best bill on the market, she added. Unlike SAFE, which would grant immediate relief, the major changes proposed by the McCain bill might not go into effect until 2002.
"The legislation is an important move in the right direction and a great start to the Senate process. However, it must be noted that the bill doesn't go as far or as fast as the SAFE Act, which now has 248 cosponsors in the House, and was favorably reported by the House Judiciary Committee last week," Ed Gillespie, executive director of Americans for Computer Privacy, said in a statement.
As part of a piecemeal concession plan, the White House has updated its policy to allow for certain industries to export 56-bit encryption products after a one-time technical review. The administration also removed a requirement that those products must include "key recovery" mechanisms, which give companies or law enforcement officials with court orders a way to get access to encrypted data via a "spare key."
"Granting sectoral relief doesn't address the individual privacy concerns of computer users," CDT's Chua added.
Along with partial export relief, McCain's bill would do the following:
Set up a 12-member Encryption Export Advisory Board to review export policy exemption applications. The Secretary of Commerce can reject an exemption, which can then be appealed to the courts by the applicant. Clinton will pick seven people, including one each from the National Security Agency, the CIA, and his office, with four more chosen from the private sector. The other four members will be picked by Congress.
Direct the National Institute for Science and Technology to establish an advanced crypto standard, likely 128-bit, by January 1, 2002.
Prohibit domestic controls on encryption products as well as mandatory government access to plain-text encrypted material as a condition for export.
Unlike SAFE, the bill doesn't make it a crime to use encryption to cover up illegal activity.