lynx-dev US encryption laws: FT latest

[Philip Webb]

[ NB the US govt says restrictions will remain for open-source products:
towards the end of the story ]

Financial Times (London) 991124

Relaxed US rules could spark scramble for software -- Paul Talacko

Few computer-related issues inspire as much debate as encryption.
On the one hand, it is seen as essential to e-commerce & individual privacy
and, on the other, a way for terrorists, paedophiles, drug dealers
and money launderers (the so-called 4 horsemen of the infocalypse)
to go about their business with impunity.

For suppliers of encryption products, which allow data and
communications to be read only by the intended recipient, the next few
months could be especially challenging.

In mid-December, the US is expected to publish details of a new
policy, announced earlier this autumn, relaxing rules on the export of
so-called "strong" encryption products. It could herald a scramble for
business between US and non-US suppliers.

The US government has insisted for years that, for national security
reasons, strong encryption products could not be exported and should
be classified as weapons technology. The rules became increasingly
controversial with the growth of the internet and e-commerce. US vendors
were banned from supplying international customers with the most robust form
of the technology, raising concerns in the US that domestic suppliers
would fall behind foreign competitors in security technologies.

Then, the US announced in September that it was relaxing controls,
just months after it had been pressing other countries to adopt
similar regulations.

The question is whether the US suppliers have lost too much ground to
their overseas counterparts. Companies such as Finnish-based Data
Fellows have been able to sell their products anywhere. In
international markets, US companies have been telling their customers
that weak encryption is sufficient.

Some US vendors have been reluctant to develop one version of their
technology for domestic use and another, weaker version for foreign
customers, and have resigned themselves to selling the weaker version
to all their customers. But, as Jason Holloway, UK country manager for
Data Fellows, puts it: "Weak encryption is as good as no encryption at all".

Critics of the US export controls long argued that criminals and
terrorists could buy or download strong encryption technology from
non-US sources. Several non-US projects have produced free or "open
source" software programmes such as FreeS/WAN, OpenSSL and GNU Privacy
Guard. Werner Koch, principal author of Privacy Guard, says the US has
probably already lost its lead in encryption products. He says he is
not aware of any significant free cryptographic software produced in the US.

William Reinsch, US under-secretary of commerce for export administration,
disputes the charge that the US has lost ground, even though US industry
had been telling the administration that the export restrictions were
having an adverse effect.

Just as the restrictions were originally created for national security
reasons, so it is for these reasons that controls are being relaxed.
"We decided we could better maintain national security through
a different approach," says Mr Reinsch, including educating
law enforcement agencies in the use of technology and using legislation
to define rights.

Network Associates, the US company which sells a number of security
products, including the widely-used PGP (Pretty Good Privacy), was one
business affected by the restrictions.

Justin Greig, the company's major accounts technical manager for the
UK, says the export restrictions were particularly problematic with
two product suites; the VPN (virtual private network) suite which
allows companies to communicate across the public internet with the
same security as if it were using a private network, and an e-business
suite for secure electronic transactions.

"It got to a ridiculous situation with the new VPN system. Colleagues
in the US could not talk to me about it. We could not offer support
outside the US and could not talk about individual problems", says Mr
Greig: "If someone had PGP on a notebook, did they have to uninstall
the US version when they left the US & install the international version?"

Because of a quirk in the regulations, the PGP Desktop suite, aimed
at personal users, could be exported from the US, as long as it was not
in electronic form. Network Associates printed the source code on to paper
and then took it to Switzerland where it was scanned back into a computer
and the original program recreated.  However, for more sophisticated products
such as the VPN or e-business suite, this was not going to be practical
& US government lawyers indicated they would not be happy with the practice.

Mr Greig is very upbeat about the lifting of export restrictions and says
the new development will assist his business. Data Fellows, too, is looking
forward to the relaxation of controls: "The greatest concern has been the way
these controls were holding back e-business and e-commerce", says Holloway,
who is expecting the logjam built up by the restrictions to be released
with a flood of new business for those selling encryption products.

The US had been forced to modify its stance over the last few months.
First it allowed US government employees to take encryption products
out of the country, then those working for US companies. The lifting
of restrictions was the end of a long process.

Some restrictions on the export from the US of strong encryption products
will remain. These will include post-export reporting, although there will
be no licensing requirement to export to the retail market for all countries
other than those deemed by the US to support terrorism (e.g. Iran, Iraq,
Libya, Yugoslavia and North Korea).

But Mr Reinsch has made it clear that the lifting of restrictions does not
apply to source code. This may have implications for any open-source products'
or other international development efforts, and suggests development
of open-source products will stay outside the US.

There are no fixed definitions of strong and weak encryption. Data Fellows
defines strong encryption as encryption strong enough to withstand
the best known attack against it for any foreseeable period of time.
I.e. it would take almost forever, no matter how many computers were at work.
Weak encryption is easier to crack. Many cryptographic experts consider
encryption keys of less than 128 bits in length to be "weak".

To put this into context, the US government first supported 40-bit encryption
as being sufficient for private and business use, but the US Electronic
Frontier Foundation's Deep Crack project broke this in  6 seconds.
Another EFF project, DES Cracker, recently broke a 56-bit key in 3 days,
while Distributed.net, a volunteer organisation which harnesses the power
of idle computers across the Internet, broke a similar 56-bit key
in  22 h 15 m . US regulations now define weak encryption as below 64 bits.
-- 
========================,,============================================
SUPPORT     ___________//___,  Philip Webb : address@hidden
ELECTRIC   /] [] [] [] [] []|  Centre for Urban & Community Studies
TRANSIT    `-O----------O---'  University of Toronto