White House eases crypto limits

Drawing a new line in the sand over the export of strong encryption, the White House relaxes some limits on the security technology.

Drawing a new line in the sand over the export of strong encryption, the White House updated its policy again today, relaxing some of its rules for companies that use or ship the security technology.

Easing the export restrictions on data-scrambling technologies is at the center of a long-standing political debate and is considered a crucial move in stepping up security for e-commerce transactions and global online communication.

The plan announced today continues the administration's piecemeal strategy of easing some of the export controls without fully lifting the limits, as many high-tech companies and civil liberties groups would like.

The rules now allow the rapid export of stronger encryption to protect information carried over computer or communications networks. A group of computer companies led by Cisco Systems proposed such a network-based encryption scheme in July.

Broadening its concessions for financial institutions, the administration said other industry sectors can now use the most powerful crypto products as well.

"The administration will also strengthen its support for electronic commerce by permitting the export of strong encryption when used to protect sensitive financial, health, medical, and business proprietary information in electronic form," White House press secretary Mike McCurry said in a statement.

"These steps are a result of several months of intensive dialogue between the government and U.S. industry, the law enforcement community, and privacy groups that was called for by the vice president and supported by members of Congress," he added.

The revised rules let hardware and software makers ship products with an encryption strength up to 56 bits without a license--although the standard has been easily cracked in some high-profile demonstrations. More significantly, companies will no longer have to submit plans to include key recovery prior to exporting 56-bit products. Such systems give companies the opportunity to make a "spare key" that unlocks their encrypted digital communication if an original key is lost or stolen.

The White House also said it will support the FBI's proposal to build a one-stop shop to study the issue, dubbed the National Electronic Technology Center by one piece of legislation. The so-called NET Center would bring together encryption makers and nationwide investigators who need assistance in decrypting messages in hunting criminals. To break a code, investigators would have to get the same federal court clearance necessary to conduct a wiretap.

However, today's announcement didn't go far enough to satisfy groups advocating personal privacy. In fact, it could make their plight even more difficult.

A slew of bills have been proposed to ease or eliminate the export controls. The administration's case-by-case approach could persuade the industry sectors to stop fighting for such legislation.

"The concessions have been made to the commercial sector, but this proposal does nothing to enhance the ability and access to strong encryption for individuals," said Barry Steinhardt, president of the Electronic Frontier Foundation, which built a supercomputer that cracked the 56-bit DES standard in July.

The White House strategy, Steinhardt said, "could divide the industry from the broader privacy groups in the debate going on in Congress."

Dave Banisar, policy director at the Electronic Privacy Information Center, added: "They are opening the door another crack. [But] they are retaining the vast bulk of restrictions for individual users."

Still, the White House says its plan will go a long way toward liberating encryption, making room for firms to sell products in almost 70 percent of the world's economy.

"Online merchants in 45 countries will be able to use robust U.S. encryption products to protect their online electronic commerce transactions with their customers over the Internet," McCurry said. "Insurance companies as well as the health and medical sectors will be able to purchase and use robust U.S. encryption products to secure health and insurance data among legitimate users such as hospitals, health care professionals, patients, insurers, and their customers."

The Clinton administration's crypto regulations have been under fire for years, and officials have been searching for a middle ground between law enforcement demands and industry needs. Simply put, encryption makers, companies that use their technology, and privacy advocates say the current export rules are bad for business and personal security because they could allow government officials armed with court orders to monitor computer users.

On the other hand, the FBI counters these assertions, saying encryption helps tech-savvy criminals and international terrorists cover their tracks. Despite reports that key-recovery systems are hard to build and not necessarily secure, the FBI also has pitched a similar mandate for the domestic use of encryption technology. The FBI has yet to win domestic controls.

Congress has discussed several bills to ease the export limits dramatically, but the proposals have been stymied by opponents and are unlikely to pass this year. Several lawsuits challenging the constitutionality of the limits are also pending.

But federal lawmakers have remained in gridlock over the issue. It's no surprise that high-tech companies and industry groups praised the White House for yielding on its policy.

"This is a significant advance in the U.S. government's policy on encryption exports," Lewis Platt, president of encryption manufacturer Hewlett-Packard, said in a statement. "The new policies, if put into place quickly and clearly, will pay dividends far into the future by allowing electronic commerce to grow and by allowing American companies to lead that growth."

The Americans for Computer Privacy, which helped broker the revised rules, was happy with the changes but is still fighting for wider export relief.

The plan is not a full resolution, said Ed Gillespie, executive director of the organization.

"American interests are best served by a policy that permits industry to maintain its world leadership in information technology," he stated. "Key to that success is giving consumers around the world the ability to purchase mass market encryption products they need to protect their privacy."

Reuters contributed to this report.