Hope for U.S. Encryption Policy?

America's allies and trading partners are beginning to reject the thinking behind our ban on exporting strong encryption technology. Is it time for us to rethink this murky logic?

by Patricia Fusco ISP-Planet Managing Editor [June 14, 1999]

[June 14, 1999] Last week the German government came out in favor of placing no restrictions on strong encryption. The move came after intense lobbying from the IT industry. It appears that the interests of user privacy have been firmly placed ahead of the desire to catch criminals along the Danube.

In stark contrast, the U.S. Department of Justice continues to contend that restricting the export of strong encryption software is absolutely essential. In Justice's view, strong privacy measures would render law enforcement impotent. If the Federal Bureau of Investigation and other U.S. law enforcement agencies lose the ability to break into criminals' computer systems, the argument goes, they won't be able to gather evidence that will put terrorists, pornographers, and perpetrators of fraud behind bars. Criminal elements would dominate the world; anarchy and tyranny would reign. Consequently, in the U.S., it's illegal to export any program stronger than 56-bit encryption without a waiver from the Department of Commerce.

Policy flaws
Dramatic cracking efforts have underscored the weaknesses in 56-bit encryption products, and research has revealed the vulnerabilities of key recovery systems. The marketplace has failed to embrace these systems, even for stored data.

At the same time, strong encryption technology is readily available elsewhere on the planet. The Internet makes it impossible to control the importation of strong encryption code. As a result, foreign availability of strong encryption products is rising, and U.S. companies are desperately trying to find ways to export the products their customers demand. At least those American companies intent on providing security products for the Virtual Private Network boom can relocate to Germany.

Even our courts have ruled that the restrictions are unconstitutional. In May, the 9th District Court found that the "Export Administration Regulations operate as a prepublication licensing scheme that burdens scientific expression, vests boundless discretion in government officials, and lacks adequate procedural safeguards."

Whatever influence U.S. policy may have had in the past with trading partners, it's clearly dwindling. Foreign governments have proven increasingly unwilling to adopt U.S. export control and key recovery policies. Some--Germany for example--are actively moving in the opposite direction, toward liberalization.

The rapid pace of developments on the Internet makes it clear that broader reform of U.S. policy is urgently needed. The fact is a showdown between privacy and public safety simply isn't necessary. One of the many possible balanced choices on encryption that would let law enforcement officials maintains their right to break encryption codes seems the obvious solution.

Legistlative action?
So what is Congress doing to address this issue? U.S. legislators have put forth several bills with catchy acronyms to address the encryption and privacy issues. The House has the SAFE (Security and Freedom through Encryption) Bill while the Senate has PROTECT (Promote Reliable Online Transactions to Encourage Commerce and Trade) and E-RIGHTS acts of 1999.

The major provisions of the PROTECT Bill are already outdated. The legislation would immediately decontrol 64-bit encryption products in the U.S., while 128-bit is being ramped-up worldwide.

E-RIGHTS is a diluted effort that covers a wide range of issues including wireless phone location information, satellite TV home viewing, book purchases, domain name registration information, records stored on networks, and decryption assistance. If passed, the law would prohibit government-mandated key recovery or key escrow and establish standards for law enforcement access to decryption assistance and plain text data. It would also be illegal to provide decryption assistance to foreign governments without a court order.

Re-introduced in February, the SAFE Bill is the most aggressive policy shift in the House. The SAFE proposal guarantees Americans the freedom to use any type of encryption and allows for domestic sales. The Bill prohibits the government from requiring a backdoor into email and computer files via key codes and also creates criminal penalties for willfully using encryption to conceal evidence of a crime.

Any way you count it, no votes have been tallied in either branch of the government to date while current policy is failing U.S. encryption efforts, now.

American encryption experts have a choice. Pack your bags for Berlin. Or hire an attorney and knowingly violate U.S. sanctions, in the belief that the courts are on your side and legislative solutions may be in the works.

—End