Slow Change for Crypto Policies

With a great deal of fanfare, the White House announced last month a series of changes to U.S. encryption policies. Specifically, the administration said that export restrictions on the 56-bit Data Encryption Standard (DES) and equivalent products will be streamlined, and requirements for key recovery plans eliminated. In addition, export restrictions on unlimited-strength encryption products will be streamlined for subsidiaries of U.S. firms as well as for insurance companies, health and medical organizations, and online merchants.

Calling it "an important new action that will protect our national security and our safety, and advance our economic interests and safeguard our basic rights and values in this new Information Age," Vice President Al Gore promised that "American companies will be able to use encryption programs of unlimited strength when communicating between most countries."

But most observers say the reforms are a grudging cooperation with unavoidable realities rather than genuine change. Similar products are freely available worldwide from non-U.S. software publishers.

"The administration's approach to export policy is water torture -- a drip here and a drip there," says Lauren Hall, chief technologist at the Software Publishers Association (SPA, Washington). "The new regulations address some of the concerns of our members and their customers, but they fall far short of what is needed to ensure the U.S. industry remains globally competitive."

The relaxation on 56-bit technology also is considered by some to be too little, too late: Earlier this summer, the Electronic Frontier Foundation (EFF) built a machine capable of cracking messages enciphered with the DES in less than three days.

"Export policy seems pretty clear," says Jim Bidzos, president of RSA Data Security Inc. (Redwood City, Calif.). "Just show that something can be broken, then, six months later, you can export it."

Also troubling some marketers is the fact that stronger cryptography is only made available to certain types of users. "The administration is beginning to recognize that crypto is necessary for financial transactions, but the rest of America, people with trade secrets or personal communications, don't get the same protection," Hall says.

The Center for Democracy and Technology (CDT, Washington) echoes these concerns, noting that "while a step in the right direction, the new policy leaves major individual privacy concerns unanswered." The CDT also emphasizes that 56-bit (DES-level) encryption does not adequately protect online privacy and security.

Legislative changes are unlikely any time soon. Bills introduced in the U.S. Senate by John Ashcroft, R-Mo., and Patrick Leahy, D-Vt., and in the U.S. House by Bob Goodlatte, R-Va., would have allowed vendors to export software with strong encryption. But the legislation is unlikely to pass before Congress adjourns for the year, though sponsors promise they will offer new legislation next year.

Meanwhile, rather than fight U.S. regulation, some software companies, such as Sun Microsystems Computer Co. and C2Net Software Inc. (Oakland, Calif.), are exporting encryption-related programming jobs to countries without similar export controls. "The European and Israeli software industries are the beneficiaries of current U.S. rules," Hall says.