Industry fights crypto rules

A university professor wants to delay enforcement of the administration's new encryption rules, and industry groups call on Congress to step in and craft less restrictive regulations.

CNET News staff

Computer industry and online privacy groups opposing the Clinton administration's new encryption policy said today that Congress needs to step in and craft less restrictive regulations.

Such legislation is likely to be introduced in the next congressional session. But its prospects remain unclear, considering President Clinton's unwavering support for the current restrictions that give law enforcement officials digital wiretapping powers.

"Basically the administration has made cosmetic changes that don't do anything for us," said Diane Smiroldo, vice president of public affairs for the Business Software Alliance, a Washington-based trade group that represents the software industry. "Our members agree that we should go back to Capitol Hill."

The final version of the administration's encryption regulations was made available Friday by the Commerce Department, which now has jurisdiction over encryption export. The rules are not much different from a draft released earlier this month, which the BSA deemed "unworkable."

Still, the government this week will begin accepting applications for encryption-export licenses based on the new rules, which loosen the previous, Cold War-era restrictions in exchange for access to users' secret keys, or codes, that unlock encrypted digital data.

But opponents such as the BSA and online privacy advocates will push the new Congress to loosen the export rules further, claiming that the new Commerce rules continue to handicap U.S. software makers trying to sell their products overseas.

"We're probably in a situation where either Congress will provide relief, or the U.S. market will be lost to overseas competition," said David Sobel, legal counsel for the Electronic Privacy Information Center. "There's no question that there is and will be good crypto in the world, but whether it's American crypto remains to be seen."

In the past, products could be exported using "keys" as long as 40 digital bits, a string of 40 ones and zeros. But as the speed of computers has grown, 40-bit keys have become easy to crack and longer keys have come into general use.

The new rules allow the unregulated export of 56-bit encryption as long as the exporter agrees to build a "key-recovery" system that would let the government decode encrypted data within two years. Within the two-year period, the exporter will have to submit detailed business and marketing plans every six months to have the export license renewed.

Both the House and Senate introduced bills last year that mandated unrestricted export of 56-bit encryption and prohibited mandatory key escrow or recovery. Neither bill made it to a floor vote, but Rep. Bob Goodlatte (R-Virginia) has already said he would reintroduce his Security and Freedom through Encryption Act this year.

On the Senate side, legislation known as the Pro-Code bill is likely to be reintroduced as well. Its cosponsor Conrad Burns (R-Montana) is a leading member of the Senate Commerce Committee.

It is unclear if the bills, which drew bipartisan support and the endorsement of Republican presidential candidate Bob Dole last summer, will gain enough momentum the second time around--not only to pass but to overcome the likely prospect of a Clinton veto.

Key players on Capitol Hill will be Billy Tauzin (R-Louisiana), the new head of the House Telecommunications Committee, and Senate majority leader Trent Lott, who replaced Dole this summer. Contacted today, Tauzin's office staff were unsure of the congressman's position on encryption.

The departures of James Exon (D-Nebraska), who helped keep Pro-Code from reaching the Senate floor, and Larry Pressler (R-South Dakota), one of the bill's original cosponsors, could also affect Pro-Code's chances next year.

Under the new rules, products containing key-recovery features will be eligible for export after a one-time review. Key recovery is a method of electronic escrow that allows individuals or companies to reclaim lost codes, much in the way a person would store an extra house key in a secret place or with a trusted neighbor. Law enforcement agencies are looking to key recovery as a way to gain access to digital data used in suspected criminal activity.

Last October the administration said it would work with the computer industry to create a business-friendly solution that would be attractive to foreign customers of U.S. products. But critics say the new rules will actually scare buyers away from American software, such as Web browsers and email programs, that have government-mandated key recovery.

Software firms had hoped the key-recovery exception would only apply to stored data, such as a document on a hard drive. But the final rules, like the draft rules, also require key recovery for real-time data transmission. For example, officials bearing a warrant could intercept emails or Internet telephone conversations.

"This really undercuts the whole idea of key recovery that a user or company would want as a feature," said EPIC's Sobel. "There is no set of circumstances we could see where the average user wants a means to recover their own encrypted data in transit."

The new rules have arrived less than two weeks after a federal judge declared that the old rules, which were administered by the State Department, unconstitutionally restricted free speech. Government officials hope the transfer of jurisdiction from State to Commerce could streamline the byzantine licensing process and eliminate one of the major reasons the old rules were deemed unconstitutional.

But others are less optimistic. In a year-end maneuver, university professor Daniel Bernstein has called on the government to postpone enforcement of new restrictions until they can be reviewed by a federal district court judge.

The University of Illinois assistant professor already won a round of litigation two weeks ago, when U.S. District Court Judge Marilyn Patel declared unconstitutional earlier government restrictions on encryption software. After reviewing Bernstein's two-year-old case against the government--Bernstein vs. U.S. Department of State--Patel found that the government restrictions on the distribution of encryption software violate First Amendment rights of free speech.

The professor, who filed suit after officials told him he would have to register as an arms dealer and obtain an export license in order to publish his encryption algorithm, wants the same judge to review the new rules.

In a letter dated December 30, he asked the government to voluntarily delay enforcement of the new regulations pending Patel's ruling. If the government refuses, he plans to ask the court for a temporary restraining order to block enforcement.

Bernstein hopes to dismantle the rules before mid-January, when he may face federal prosecution for teaching a class on encryption at the Chicago campus of the University of Illinois. He has already defied federal officials by teaching the class and publishing class materials on the Internet.

Reuters contributed to this report.