U.S. to Relax Encryption Limits
Washington Post Staff Writer
Thursday, September 17, 1998; Page C3
The U.S. government plans to loosen restrictions on data-scrambling technologies that U.S. companies can sell to overseas customers involved in medicine, finance and electronic commerce, Vice President Gore said yesterday.
The government also will stop demanding that companies plan to put a "spare key" a feature that allows law enforcement officials to read scrambled data into products of a particular level of sophistication.
Industry executives said they were pleased by the moves, which will make it easier for many firms to sell encryption products overseas. But some executives and privacy advocates said the moves stopped far short of scrapping controls that they believe are slowing the growth of commerce on the Internet and are jeopardizing the privacy rights of individuals.
"Anything that eases encryption restrictions is a step in the right direction," said Dan Scheinman, vice president for legal and government affairs at network equipment maker Cisco Systems Inc. of San Jose. "It's a sign that says the [Clinton] administration is ready to engage in further discussions. But this doesn't resolve the problems we and others have identified."
For about five years, industry and privacy advocates have harshly criticized the administration's export restrictions on encryption technology, which protects information by scrambling it but can also thwart law enforcement and national security agents trying to eavesdrop on foreign governments and criminals.
Although there are currently no controls on what kind of encryption U.S. citizens can use at home, the administration has limited what technologies companies can sell abroad, on grounds it might be used by terrorists or hostile governments.
Critics, however, contend that such controls hurt U.S. companies because foreign companies already make sophisticated encryption products. In addition, privacy advocates say that people should have ready access to technology that will protect messages they send over the Internet or data they store on their computers.
"Balancing these needs is no simple task," Gore said yesterday.
The administration began softening its policies a few years ago by letting U.S. companies export encryption with "56-bit" keys, provided the companies have a plan for creating a spare key that law enforcement officers could use to review the information if they had court authorization. (The more bits in a key, the more sophisticated the encryption and the harder it is to break.)
Gore said that under the government's new regulations, which won't be drafted until November, companies exporting 56-bit encryption would no longer have to include plans for creating spare keys. In addition, U.S. companies that get a single authorization will be allowed to sell their most sophisticated scrambling technology to insurance companies, health maintenance organizations and online merchants in 45 countries that have enacted laws to obstruct money laundering. (In July the administration said U.S. companies could export encryption technology to banks and security firms in the same group of 45 countries.)
William A. Reinsch, an undersecretary of commerce, said that industry has proposed a number of "innovative approaches" around the export restrictions. "We're trying to find a way to get those products out," he said, and the new policy "is a step forward."
Robert Holleyman, who heads the Business Software Alliance, an industry group that has long criticized the administration's encryption policies, was upbeat.
"For many computer users, there is likely to be a significantly higher level of computer online security than ever before," he said. "It's not a complete solution," Holleyman said, but he added that he believes Congress will continue to consider legislation that will nudge the administration toward further liberalizations.
Privacy advocates were less enthusiastic.
Alan Davidson, staff counsel at the Center for Democracy and Technology, noted that the regulations themselves haven't been written. "The devil will be in the details," he said. "We've seen in the past a lot of promises of broad relief that haven't materialized. We'll read the regs carefully."
David Banisar, policy director for the Electronic Privacy Information Center, said that by giving export permission to only specific industry sectors, the administration is slowly giving access to more sophisticated encryption "to favored groups to try to limit the chance" of Congress overriding the administration's policies.
© Copyright 1998 The Washington Post Company