Feature: WH Panel Calls for Crypto Export Reform

Kathleen Ellis, editor of the Privacy News Portal, has written an excellent feature about how The President's Export Council Subcommittee on Encryption (PECSENC) has recommended dropping almost all export controls on strong crypto, and why it is unlikely that this group's recommendations will be acted on in any meaningful way. (More below)

White House Subcommittee Endorses Crypto Reform.
Will Someone Please Listen?
By Kathleen Ellis

Another shot was fired in one of the longest-lasting and most contentious battles regarding Internet policy last Wednesday, when a White House advisory subcommittee announced it has recommended that the Clinton Administration all but reverse its restrictive stance on the export of encryption products.

The President's Export Council Subcommittee on Encryption (PECSENC) was formed earlier this year by the White House to provide guidance in the U.S. Government's development of encryption policy, which has been the subject of heated debate. As many Slashdot readers already know, the government has insisted for years that liberalizing encryption export could cause serious problems for national security by giving terrorists and criminals access to the technology. Of course, net activists and industry folk assert that the right to privacy supercedes the wishes of any bureaucrat, and that terrorists and criminals can just as easily get their crypto from any other country that does not restrict cryptographic exports.

Critics of the Administration's policy had expected to gain little support through the subcommittee's recommendations. William Crowell, the subcommittee's chairman, is currently President and CEO of Cylink Corporation, an internet security firm, but previously served as Deputy Director for the National Security Agency. Several committee members also had ties to law enforcement or other government agencies; Stewart Baker, an attorney with the Washington-based Steptoe & Johnson, is former general counsel to the NSA and is a vocal opponent of loosening restrictions on encryption. Steve Walker is former president of Trusted Information Systems (now owned by Network Associates), a leading producer of key escrowed encryption products, which the FBI has lobbied to make mandatory even for domestic use.

Despite these ties, however, the subcommittee cited a need for the U.S. government to "recognize market realities" and reverse its course on encryption policy. Among its recommendations:

- License-Free Zones: Recognizing that the European Union is planning to drop all cryptographic export rules between member countries, the US should likewise identify a list of countries which do not pose any major terrorist threat, and allow encryption export (hardware and software products) without a license.

- On-Line Merchants: On-line merchants based in other countries will be added to the list of business types permitted to have encryption products exported to them from the US. Banks and a limited number of other financial institutions currently enjoy this license exception.

- Mass-market hardware and software: Mass-market products which utilize up to 128-bit key length triple DES will enjoy license exception. "The US government should recognize the difficulty of controlling mass-market products once they are allowed to be exported to even limited sectors".

The subcommittee also suggests eliminating cumbersome reporting requirements for manufacturers of encryption products, as well as removal of source code, cryptographic Application Programming Interfaces and devices such as encrypting routers from the list of restricted technologies.

So cypherpunks across the nation will soon be free to export their code at will? Subcommittee chairman William Crowell is hesitant to say yes. "The Administration will have its own ideas about which of these recommendations are implementable. Vice President Gore has said that the administration would consider additional liberalization over what they announced last year, so it was important to get these recommendations to the table while they were thinking about it". He expects that the administration will make further changes to its export policy based on the recommendations sometime in September.

There are other signs of change on the horizon regarding the government's attitude toward encryption. The successor to the current Data Encryption Standard algorithm, which will be used by the U.S. Government for a multitude of purposes, will be chosen by the National Institute of Standards and Technology with the next few months. Four out of the five Advanced Encryption Standard finalists were developed, at least in part, by cryptographers based overseas or holding foreign citizenships. The fact that such decisions could be made by NIST requires the acknowledgement, at least on some level, that good encryption can be produced in countries not affected by U.S. export law, and hence, can be made available around the world.

However, one prominent activist is still skeptical about the potential effect this announcement may actually have on U.S. policy. "This doesn't change policy, this is just yet another group that has come forward and said 'the U.S. policy is abysmal, it needs to be scrapped'" says David Banisar, Deputy Director of Privacy International, and co-author of "The Electronic Privacy Papers". "Many distinguished groups in the past have made similar recommendations...the Clinton Administration has thus far rejected any attempts to dramatically reform export control laws".

Banisar likened the potential influence of the PECSENC recommendations to those of a report published by the National Research Council in 1996. Much more conservative than the PECSENC subcommittee's suggestions, "Cryptography's Role In Securing the Information Society" was written by a committee comprised of government officials, representatives from the computing industry, and academics. The NRC committee's recommendation that 56-bit DES encryption took two years for the Bureau of Export Administration to implement, and many of the other valuable points in the report have never been implemented. The NRC report suggested that U.S. policy should take into account the "nonconfidentiality uses" encryption has to offer. U.S. policy still does not support the use of encryption for the purposes of authentication, which the committee identified as an "important crime-fighting measure". Indeed, one would think that the F.B.I. and the Department of Commerce would hasten to encourage the use of such technologies.

Banisar also expressed concerns about the provisions favoring online merchants. "The e-commerce exports have already been promised to online merchants...they will get what they want, which helps the Clinton Administration divide and conquer their opposition". Banisar stated that civil libertarians lost a powerful lobbying ally when banks were granted the same licensing exemptions now promised to entrepreneurs online. "When a wealthier group gets what they want, they stop fighting, and the everyday users get screwed."

It also seems that the recommendations do not go far enough to help the people who need encryption technology most. Barbara Simons is President of the Association for Computing Machinery and one of the members of the PECSENC committee. "It appears that the recommendations don't address the needs of people working for human rights in countries with repressive regimes," she says.

The human rights issue is a valid one within the debate on U.S. encryption policy. The American Association for the Advancement of Science's Cryptography, Scientific Freedom, and Human Rights program trains human rights workers to use encryption technology in countries like Guatemala and China, where oppressive governments have a way of making insurrectionists disappear. A letter from AAAS to the House or Representatives Committee on International relations states that "human rights activists are killed, tortured, disappeared and jailed for trying to expose horrendous abuses...[they] use encryption to protect themselves, the victims and eyewitnesses they are interviewing, and human rights colleagues around the world when they communicate sensitive information on grave abuses of human rights".

It would be wise and compassionate for the Clinton Administration to authorize a new class of license exceptions for human rights workers travelling into countries that don't fall under the "favored nations" exemptions for encryption exports. If national security were really a concern in these cases, they could add strict guidelines describing who the software could legally be distributed to within those countries. Unfortunately, PECSENC seems to have overlooked this important issue.

Despite these shortcomings, there are some definite gains to be made by following PECSENC's recommendations. Net activists will be keeping their fingers crossed when the White House reviews them next month. Progress has been far too slow in coming, and if there's ever been a time for our government to start making some positive decisions, this certainly is it.

Remember these laws are *not* there to slow export

This law is as much to stop US citizens from getting convenient crypto as for any thoughts on the non-US market: because products that use strong crypto are export-controlled, people simply make fewer products that are based on strong crypto, to avoid limiting their sales and probably incurring legal costs and general hassle. This means US citizens use lots of products that would have been crypto-enabled as a matter of course, but aren't, because of this law.

In that sense, it's quite effective despite being manifestly unenforceable and silly.
--

Why haven't we heard any more about Echelon?

As long as we're talking about government, did you notice how Echelon has just disappeared from the news?

Just *gone*.

The last I heard, the NSA, get this, REFUSED to tell Congress about Echelon, citing attorney-client privilege. And we have heard NOTHING more.

I don't know about you, but this scares the hell out of me. Something is going on, folks. Something bad. We need to keep digging. *Write* your Congresscritter and ask him/her what the status is of the Echelon inquiry. Don't let it fade from their memories.

Don't let it fade from yours.

it's not about export, it's about standards

Export controls are pretty clearly ineffective for keeping strong cryptography out of the hands of terrorists or criminals. That tells us that at the heart of the debate has to be something different.

I think it's pretty clear that the reason why the administration and the three letter agencies are fighting so hard against easing export controls is because they don't want strong cryptography become part of the communications infrastructure.

As soon as export controls are lifted, even just to "friendly" countries, most phone systems and communications standards and systems will incorporate strong cryptography, and routine monitoring of communications (for law enforcement, corporate intelligence, etc.) would become prohibitively expensive. Widespread use of strong cryptography would bring us back to the old days where wiretapping, bugging, etc., required specific targets and physical access.

This issue won't get resolved until the real underlying issues are recognized widely and the subject gets discussed openly.

Re:Free the Crypto!

"...I think that the government could easily throw enough computing resources to crack *any* imaginable encryption in a surprisingly short time."

heh. You might want to do the math on that. Forget RSA for a moment, as the keylength|security ratio is a special case, and consider a conventional private key system. A 128-bit key has 340282 decillion possibilities. That's 340282000000000000000000000000000000000 if you like digits, or 3.4*10^38. Get out your calculator and see how fast and large a cluster of computers it would take to crack one of those in a year. Then, consider that you'll need 3.4*10^38 times as many such computers to crack a 256-bit key in a year.

Disclaimer: ...uh, you might want to check my math on that! ;)