Everything Amazon Announced Amazon Kindle Scribe Amazon Halo Rise Amazon Fire TV Omni QLED Prime Day 2: Oct. 11-12 Asteroid Crash Site Inside Hurricane Ian's Eye Refurb Roombas for $130
Want CNET to notify you of price drops and the latest stories?
No, thank you

VoIP products could face export crackdown

In flashback to the 1990s, federal panel says high-speed networking gear used with Internet phone calls may be subject to regulations.

WASHINGTON--After spending the last decade denouncing Cold War-era laws against overseas shipments of data-scrambling encryption products, technology firms thought they were off the hook when President Clinton finally eased the rules in 1999.

Well, not quite. The White House's decision seven years ago merely relaxed encryption rules in a few areas--and thousands of pages of export regulations remain on the law books today.

Now some of these obscure export regulations are troubling companies that manufacture or support voice over Internet Protocol (VoIP) products capable of draping a theoretically impenetrable cloak of encryption around every conversation.

During a meeting convened by the U.S. Commerce Department on Wednesday, industry members of a federal technical committee expressed concern that export regulations never intended to cover VoIP may complicate selling enterprise-grade network gear abroad.

At issue is an awkwardly worded definition buried deep in section 740 of the export control regulations. It restricts the export of products that can support "concurrent encrypted data tunnels or channels exceeding 250" connections at once.

Michael Angelo, a committee member who works for network management firm NetIQ, said 250 conversations is an unreasonably low threshold given the capacity of modern networking gear. It's "a very small number," he said.

As large corporations switch to VoIP to trim costs, manufacturers have begun to offer products that can handle thousands of simultaneous users. Cisco Systems' Unified CallManager, for instance, is software that works with the company's hardware products to handle up to 30,000 individual users per server cluster.

One open question is whether the federal government's definition of "concurrent encrypted data tunnels" would apply to software products like Cisco's CallManager as well as hardware. Erik Oliver, a Commerce committee member from chipmaker Rambus, said he thought the regulations were meant to apply to routers and switches, not to CallManager.

Any changes to the rules would be up to Commerce Secretary Carlos Gutierrez. Neither the Commerce Department nor Cisco responded to requests for comment on Wednesday.

Unintended targets
"This appears to be a situation where the technology is overtaking the regulatory structure in ways that were not anticipated by the people who wrote the regulations," said Cindy Cohn, legal director of the Electronic Frontier Foundation in San Francisco.

Cohn, who litigated an encryption export case against the federal government before joining EFF, said this has been a problem with such regulations for a long time. "They attempt to create specific upper limits on how much encryption you can have, in this case how many channels you can have," she said.

It wasn't immediately clear what percentage of enterprise-level networking products could be affected by the export regulations, and members of the Commerce advisory committee were inaccessible for the remainder of the day because they entered a so-called closed session (click for PDF) to discuss classified material. One committee member did indicate, however, that the exact number of permitted conversations would be discussed during a closed session.

As microprocessor speeds and privacy worries have increased, manufacturers are gluing encryption into the routers used for VoIP communications. Cisco's 2800 series offers the Secure Real-time Transport Protocol, a standard that supports an encryption protocol believed to be one of the world's most secure. Patton Electronics, a Gaithersburg, Md.-based manufacturer, in February began selling a VoIP router that, like Cisco, uses the well-regarded AES algorithm.

Export controls' troubled past
This is hardly the first time that export control laws have yielded unexpected results. In 2000, Japan's government slapped on the PlayStation 2, saying it could be used for military purposes.

In the past, U.S. export controls have targeted processors as slow as a 450 MHz Pentium. As recently as 2004, federal rules have required computer sellers to get a license to export a computer using a Pentium 3 processor running at 650MHz.

But encryption restrictions on software were what caused the loudest outcry. Because encryption code could be exported in printed form but not exported on a floppy disk or through the Internet, it led to bizarre twists like a band of cypherpunks legally exporting a book of PGP source code and then scanning it in from a computer in Europe. It also sparked a "munitions" T-shirt on which was printed a functional encryption algorithm written in Perl.

Eventually, after facing at least three federal lawsuits claiming First Amendment violations, strident opposition from the U.S. business community and the reality of programmers abroad churning out high-quality code, the Clinton administration relented in September 1999. Even after the Sept. 11, 2001, terrorist attacks, Sen. Judd Gregg, a New Hampshire Republican, was the only politician to talk seriously about cracking down on encryption use.

Complicating the regulatory picture today is VoIP's flexible nature: Unlike a circuit-switched network that allocates a circuit for each phone call, Internet telephony travels as a stream of bits.

Henry Brandt of IBM, co-chairman of the Commerce committee, said that as phone networks move increasingly toward packet-switching, "the control becomes meaningless... because nowhere along the chain will you ever know it's VoIP."

When data travel over the Internet, packets take multiple different routes that make talking about "channels" a bit awkward, said Don McGill, director of enterprise support systems for CNET Networks, publisher of News.com. "It's not quite the same kind of environment, so it's hard to put it in terms of channels per se," McGill said.

Angelo, the committee member from NetIQ, suggested that "where IPsec lives is where the (export) control would be applied." IPsec, which stands for Internet Protocol security, uses encryption to authenticate messages and scramble them as well. It's often used with virtual private networks, or VPNs.