[ISN] U.S. Officials Try to Sell Encryption Policy in Valley

From: mea culpa (jerichoat_private)
Date: Sun Jan 17 1999 - 13:14:00 PST

  • Next message: mea culpa: "[ISN] Sandia initiates program for Info Protection"

    Forwarded From: Stuart Sabel <stuartsat_private>
    
    January 16, 1999
    U.S. Officials Try to Sell Encryption Policy in Valley
    By PETER WAYNER, NY Times
    
    CUPERTINO, Calif. -- The Clinton Administration's campaign against
    exporting strong secret computer codes took to the road on Friday as the
    President's Export Council Subcommittee on Encryption held a meeting in
    Silicon Valley to try and build bridges between the computer industry and
    the government. 
    
    Little harmony emerged, however, as the industry representatives turned a
    cold eye to the Administration's recent proposals and complained that
    increased foreign competition was in danger of surpassing American
    companies. 
    
    The Administration's campaign to restrict cryptography seemed to lose
    momentum this week as some foreign executives suggested that changes in a
    new international agreement announced last year might have little effect
    in practice. The new rules, which are in a diplomatic agreement between
    the United States and 32 other Western countries, would require each
    country to require special permits before allowing the export of
    mass-market software containing encryption. Some executives now suggest
    that some countries may simply satisfy this requirement by issuing blanket
    permits that do little to contain encryption technology. 
    
    The Administration's position was further complicated by an announcement
    by Representative Zoe Lofgren, a California Democrat, who told the
    attendees at the meeting on Friday that she would plan to re-introduce
    legislation to liberalize export controls. Earlier versions of the bill
    were the basis of a strong battle in Congress that ended in a stalemate.
    She suggested that she would push for liberalization of export rules once
    Congress finishes determining the fate of President Clinton's impeachment. 
    
    "I frankly think that all of this mess in Washington heightens people
    awareness," she said. "Grandma and grandpa are e-mailing their grandkids. 
    They're not hiding anything." 
    
    The committee itself is made up of representatives from the major
    government bodies like that National Security Agency, major corporations
    like Motorola and IBM, universities and the legal profession. The first
    discussions of the morning centered on identifying which tasks the
    committee would undertake given that most admitted that little agreement
    was likely. 
    
    The battle over the United States' control over the export of encryption
    software has always been between the arms of the government associated
    with defending national security and the computer industry. The government
    agencies like the National Security Agency and the Federal Bureau of
    Investigation feel that strong secret codes make it possible for
    terrorists, criminals and foreign countries to shield their actions from
    scrutiny. The computer industry suggests that average people also need
    codes to protect the confidentiality of their personal and financial
    information. 
    
    In recent years, the Clinton Administration has turned to a relatively
    informal mechanism for trying to convince the outside countries to adopt
    U.S.-style rules intended to stem the flow of secret code software. The
    new international pact on encryption, called the Wassenaar agreement, is
    not a treaty, but a diplomatic arrangement binding many of the Western
    countries that once united to fight the Soviet Union. It sets goals for
    restricting all sorts of weaponry like armored cars and includes software
    under this umbrella. 
    
    The first major speaker of the meeting was William A. Reinsch, the
    official responsible for leading the Commerce Department's Bureau of
    Export Affairs.  He began by announcing that he had little to say, in part
    because his bureau was "in a cleanup period right now" trying to solve
    unintended problems caused by the new regulations issued in December. He
    promised that his bureau was also working on more new regulations that
    would bring the U.S.  regulations in compliance with the Wassenaar
    agreement. 
    
    The new version of the Wassenaar agreement states that there would be no
    need for regulation of software that protected information with encryption
    algorithms with no more than 64 bits. This was portrayed as a
    liberalization because previous U.S. rules drew the line at 56 bits. Ira
    Rubenstein, a senior corporate lawyer from Microsoft, who attended the
    meeting, suggested that this was not really liberalization since the
    mass-market software was not controlled at all by the Wassenaar agreement. 
    
    In fact, this lack of control was cited by Canada last year when it
    decided to let the Canadian subsidiary of Entrust Technologies freely
    export its full-strength security software throughout the world. The
    Wassenaar agreement was expected to hamper this push by a Canadian company
    because the company would be required to get a permit. 
    
    There are new indications that the Canadians may simply issue blanket
    permits. John Ryan, the president of Entrust Technologies, said in a
    telephone interview earlier this week that the Canadian government was
    very pro-industry and he expected little real problem. "When you net it
    all out, we don't think there will be a significant change," he said. "We
    actually believe that most countries will just issue blanket permits." He
    added, "The effect of the change will be very modest, if any." 
    
    In fact, the effects may even be more liberal. France, one of the few
    European countries with stiff regulations on encryption, may be loosening
    its grip in order to foster electronic commerce. The French publication
    Liberation on Thursday reported that the Finance Minister, Dominique
    Strauss-Khan, said that the French were at the mercy of "large ears" who
    did not care about personal privacy. This may simply be a reference to
    credit card thieves who snag account numbers through illicit wiretaps or
    it could be a veiled reference to United States spy agencies, which are
    often believed to eavesdrop on a significant fraction of the telephone and
    Internet traffic in Europe. The article reported that she said, "I want to
    make cryptography widely available." 
    
    Several people at the meeting suggested that the Clinton Administration
    often stretched and even violated the spirit of the Wassenaar by
    permitting the export of high quality encryption devices to countries like
    China. When this happens, other countries sometimes view the regulations
    as just a cynical ploy to help U.S. industry instead of a sincere effort. 
    
    The Clinton Administration faces further problems convincing non-Western
    countries to follow its lead. This week in India, the Defense Research and
    Development Organization warned Indians to avoid American-made encryption
    software, saying that the U.S. government only allowed the export of
    software that was easy to break in order to facilitate espionage. 
    
    Ryan contends that this worry is often a problem for Entrust's sales
    force.  He said, "The No. 1 pitch of our competitors is 'The cryptographic
    work was done in Europe so you can trust it.'" 
    
    In fact, many other countries are quickly becoming centers of
    cryptographic excellence. The American company RSA Data Security based in
    San Mateo, Calif., recently hired two Australian programmers to help
    solidify its offerings in Web security. The two programmers had gained
    notice for distribution one of the most widely used versions of SSL, one
    of the most common forms of security used to protect credit card purchases
    on the Internet. All purchases at Amazon.com, for instance, are shielded
    by SSL-based technology. 
    
    The meeting on Friday itself just marks the beginning of many
    security-related events in the San Fransisco Bay Area. Next week, the
    annual RSA Data Security conference will begin in San Jose and many
    companies will be announcing new products and initiatives. 
    
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:16:17 PDT