Encryption Export Rules Still Fall Short
Infotech And The Law
By Jonathan Cain
The Clinton administration took a small step toward easing encryption export rules last month, but the changes still fall short of recognizing commercial and constitutional realities.
According to the White House statement announcing the policy shift, exports of strong encryption with keys of any length now will be permitted for certain industries, and data recovery plans will no longer be required.
The administration also says online merchants in 45 countries will be able to use robust encryption products to protect electronic commerce transactions on the Internet. Weak encryption products, such as DES with 56-bit keys or less, now may be exported without a Commerce Department license.
While not stating details of the plan, Vice President Al Gore said the administration will support law enforcement's ability to decrypt criminally related communications by helping to develop a federal, state and local technical capacity to decrypt telecommunications.
Inspection of the new interim rule published by the Commerce Department shows the changes are much less significant than the White House policy statement would indicate.
The new rule does permit 56-bit key DES encryption to be exported without a license, but only after a one-time "technical review," to all nations except seven identified terrorist countries.
The change from the previous 40-bit key limit to a 56-bit key limit is not significant in light of the fact that techniques for cracking 56-bit keys using readily available hardware were demonstrated publicly earlier this year. The industry standard for domestic secure transaction software is a 128-bit key.
Eliminating the requirement that encryption software designers also provide for key recovery by law enforcement is subject to significant caveats.
First, only subsidiaries of U.S. firms, insurance companies, banks and medical organizations can export nonrecoverable strong encryption.
Even in those instances, the exports are limited to a list of 45 European, Caribbean and Asian countries. Otherwise, key recovery continues to be a critical element of the administration's encryption export regulation.
Efforts to promote key recovery schemes will continue by providing incentives to developers who have submitted recovery plans. They will no longer have to show progress to implement these plans or name recovery agents to maintain export licenses.
For encryption users, the new rules ease a nagging foreign travel issue. Under the old rules, packing a laptop into baggage with its domestic encryption software loaded exposed the traveling user to a technical violation of encryption export restrictions. The new rules remove that issue by permitting U.S. citizens or permanent residents leaving the United States to take with them as personal baggage strong encryption software used in the traveler's employment or hobby, provided the traveler maintains control over the computer and brings it back to the United States.
Beyond the numerous holes in the administration's frustrated effort to maintain control over strong encryption is the fact that at least one federal court has overruled earlier efforts to restrain export of encryption as a violation of the First Amendment's guarantee of free speech.
The old export rules were issued in the midst of several First Amendment cases brought by plaintiffs who were seeking to bar enforcement of export restrictions on encryption software.
While the administration was engaged in discussions with the industry, which led to the rules issued late last month, a federal court in California issued a final order declaring encryption software was speech protected by the First Amendment and barring the United States from enforcing the encryption export rules against the developer.
A similar case in the District of Columbia and another in Ohio reached the opposite result, holding that encryption was not speech protected by the First Amendment, but merely functional expression that the government may limit by prior restraint.
These three cases are being appealed, and it is unlikely all three appellate courts will reach the same conclusion.
While rational people can argue the merits of restricting encryption exports, the administration missed its chance to address at least one remaining provision of the export rules that defies rational explanation.
The rules, both old and new, make an exception for printed materials.
In other words, it is illegal to export certain grades of encryption source code on CD-ROM or magnetic disk, but it remains legal to export the same source code in printed, scannable form.
In a distinction that one federal court called baffling and untenable, the administration insists it is acceptable to publish source code for strong encryption in a book for export, but not electronically.
This nonsensical distinction exposes the fatal flaw in the administration's efforts to control encryption technology exports. If the rights of U.S. citizens to express ideas in the form of printed source code are protected by the First Amendment, so must those same expressions be protected in an electronic form.
Jonathan Cain chairs the Technology Practice Group of Mays & Valentine LLP, McLean, Va. His e-mail address is firstname.lastname@example.org.