Infotech and the Law
White House Encryption Policy Opens Some Doors
By David Nadler
The Clinton administration seems determined to prevent foreign nationals from obtaining access to strong encryption technology for fear of undermining law enforcement efforts aimed at drug traffickers, terrorists and others.
However, the White House is moving ahead with its strategy of giving certain business sectors access to more secure data encryption systems.
The Clinton administration's encryption export policy, announced Sept. 16, marked a significant shift from a narrow focus on promotion of key recovery systems to an approach tailored to the needs of sectors of the global economy. The new policy still maintains stringent controls on the export of mass-market strong encryption products intended for individual end users.
The Commerce Department published new rules in the Federal Register Dec. 30, revising the Export Administration Regulations to implement the more liberal policy. Under U.S. encryption policy in place since 1996, restrictions imposed by the bureau were a function of the exporter's commitment to implementing key recovery systems, the strength of the encryption capability, and the ultimate country of destination for the export.
The most common measure of the encryption capability's strength is the length of the software key measured in bits. The 1996 policy established License Exception KMI, which allowed companies with key recovery plans approved by the bureau to export encryption products with keys of 56 bits or less after a review. Companies were required to renew this exception every six months, and renewal was contingent upon demonstrating progress in developing the key recovery products in their plans.
Key recovery products allow access by law enforcement agencies to plain text without the knowledge or consent of the user. By March 1998, 32 companies had obtained approval of their key recovery plans and qualified to export 56-bit products.
The 1996 policy permitted the export of mass-market 40-bit encryption products to all countries except the seven nations determined to be supporters of terrorism (Cuba, Iran, Iraq, Libya, North Korea, Syria and Sudan) after a one-time review.
The new policy will extend the treatment afforded 40-bit encryption products to products using the 56-bit Data Encryption Standard algorithm or equivalent.
This modest step toward liberalization illustrates the administration's continued desire to keep tight reins on the encryption capability available to individual end users.
The Clinton administration could further relax export restrictions on mass-market encryption software using 64-bit keys in the near future. On Dec. 3, the White House persuaded the 33 nations that have signed the Wassenaar Arrangement limiting arms exports (including Japan, Germany and England) to impose controls on mass-market encryption products with keys at least 64 bits long for American exporters subject to more stringent restrictions.
For all but three of these nations, this is the first time they will restrict the export of encryption products. As the Wassenaar countries implement more stringent export controls, the United States may elect to relax its own restrictions to be consistent with the Wassenaar requirements and ensure its software companies remain competitive.
The Commerce Department's Bureau of Export Administration began implementing the sector-based approach Sept. 22, when it revised the Export Administration Regulations. Those revisions provide for export of nonrecoverable, nonvoice encryption products of any key length for use by financial institutions to secure electronic transactions under a license exception.
The license exception facilitates the export of encryption products to financial institutions in 45 countries, excluding the seven state supporters of terrorism, provided the end use is limited to securing financial communications between institutions and their customers.
On Dec. 30, the Bureau of Export Administration extended the relaxed export treatment to other economic sectors, including insurance companies, health and medical companies (excluding biochemical or pharmaceutical firms and military agencies) and overseas subsidiaries of U.S. companies.
The new policy will facilitate growth of Internet commerce by providing a license exception for the export of client-server encryption applications with any algorithm, any key length and with or without key recovery capability, to online merchants located in the 45 countries. The policy is a positive step toward balancing the needs of industry and law enforcement by liberalizing exports in key business sectors while maintaining strict control over exports to individuals and hostile governments.
David Nadler is a partner in the Washington law firm of Dickstein Shapiro Morin & Oshinsky LLP. He may be contacted at NadlerD@dsmo.com. Edward Kirsch, an associate with the firm, contributed to this article.