By Elizabeth Corcoran
In a direct challenge to the U.S. government, software maker Network Associates Inc. said yesterday that its Dutch subsidiary will sell data-scrambling software developed in Europe that is a twin of the powerful technology the company sells in the United States.
By doing so, Network Associates sidesteps U.S. export restrictions, which prohibit U.S. companies from selling such technology abroad unless they have promised to develop a spare "key" that law enforcement agencies could use to unlock scrambled information.
The move is the latest round in a wrestling match between the U.S. government, the computer industry and privacy advocates over "encryption" technology, software that protects information from unwanted snoopers by scrambling it into gibberish that can only be deciphered by those with the proper "key."
U.S. law enforcement officials have long been uneasy that as such technology becomes common, criminals and hostile governments will use it to their advantage.
There are no current restrictions on using encryption technology within the United States. But to try to curb the spread, the Clinton administration has long prohibited U.S. firms from selling their best products overseas. U.S. companies chafe under those rules, contending that non-U.S. companies are already selling such software.
Network Associates is now among them. One of its main products is a type of scrambling software called Pretty Good Privacy, or PGP. Network Associates, which is based in Santa Clara, Calif., cannot legally export the most sophisticated versions of PGP. But it has encouraged a small Swiss company, Cnlab Software, to build a "functionally equivalent" version of the product.
"We've provided no technical assistance that would violate export control laws," said Peter Watkins, a vice president with Network Associates. The resulting product is being sold by the U.S. company's Dutch subsidiary.
How did Cnlab develop a version of PGP that so neatly matches the software sold in the United States?
Earlier versions of PGP, which was originally developed by a programmer named Philip Zimmerman, have been available freely abroad for study by programmers.
And Zimmerman also has written a widely published book that describes the programming code that makes up PGP.
Unlike software programs, books that contain the actual programming code are protected by the freedom of expression provisions of the First Amendment and so are not subject to export restrictions. So even if Network Associates didn't help Cnlab develop any software, much of the recipe the developers needed is widely and legally available.
Network Associates is not the only company establishing overseas links to license encryption technology. "A lot of companies are looking into doing this," said Deborah Triant, chief executive of Check Point Software Technologies Ltd., a data security company in Redwood City, Calif.
For instance, last year, Sun Microsystems Inc. said a partner based in Russia was putting the final touches on an encryption package that Sun hoped to sell overseas. But before that product was released, the Commerce Department began a lengthy investigation of whether Sun was abiding by all the rules.
Sun executives say that so far, no government official has found any problems with how the encryption product was developed. They hope the government will give them a green light to sell the software soon.
"Any company can contract with organizations outside the U.S.," said Watkins. "I'm surprised others haven't done it before."
But analysts say companies such as Sun may be less willing to confront the government over such issues because the government is an important customer for other products they sell.
Robert Reinsch, undersecretary for export administration at the Commerce Department, said the government plans to take a close look at whether Network Associates has violated any U.S. rules. He said he was "disappointed" by the company's plan.
"It makes it harder for us to implement our policy internationally," Reinsch said.
"It's one more product that's out there and our argument [has been] that the cat isn't out of the bag yet."