Jury Is Out on Clinton Encryption Policy

By Anne Gallagher, Contributing WriterLawmakers who pushed the Clinton administration to loosen export restrictions on encrypted software and hardware will watch how the White House's recently announced policy plays out, but said they will turn to legislation if industry is dissatisfied with the plan.The Commerce Department's Bureau of Export Administration released final details of the administration's new encryption policy Jan. 12. The policy lifts several restrictions on the sale of encrypted software and hardware and reduces the red tape IT firms must muddle through to obtain necessary licenses to make sales.Specifically, the rules simplify export controls and multilaterally decontrol mass-market encryption hardware and software up to and including 64 bits. The goal is to ensure U.S. companies have a level playing field in selling their products worldwide, something IT officials and lawmakers said the old policy did not accomplish. The IT industry indicated general satisfaction with the policy, but officials acknowledged that only time would tell if it truly gave industry an edge in the global marketplace or conversely proved too burdensome a framework. Several industry observers said the regulations are extremely complex and were unsure whether to applaud the administration."One overlying concern is that the regulations are really complicated and built on a premise that is not reflective of the marketplace," one IT industry official said. "They tried to patch up all the holes, but the way it works in practice may be more cumbersome to live with than we anticipate."For example, the regulations delineate when a technical review of encryption products would be used in advance of a sale. They also streamline the post-exporting reporting system. The two changes are designed to shorten the time it takes for an IT firm to make a sale.The policy also allows transfer of encryption technology to foreign subsidiaries of U.S. companies without technical review by the government. And previous restrictions limiting exports to foreign commercial companies for internal proprietary use are removed.Many in the IT industry credited Rep. Bob Goodlatte, R-Va., and colleagues such as Reps. Zoe Lofgren, D-Calif., and Sam Gejdenson, D-Conn., for nudging the White House to release an encryption policy because the lawmakers had pushed their own legislation on the issue. "The encryption regulations released today by the administration are a positive step forward towards a common sense encryption policy," Goodlatte said in a Jan. 12 statement. "These changes are long overdue," Goodlatte said. "I am pleased that the administration has reacted to concerns raised by Congress, industry and privacy organizations, and the American people in proposing an encryption export policy that will protect privacy, promote our national security and allow U.S. companies to compete with foreign encryption manufacturers."Goodlatte and the other House members backed off moving their Security and Freedom through Encryption Act (H.R. 850) when the White House promised to change existing rules that would address the needs of the IT community in regard to easier access at selling encrypted software and hardware.Goodlatte said the new regulations are a direct result of the 258 co-sponsors from both parties of the SAFE bill, and promised Congress would still play a role this year."Congress will continue to be watching carefully to make sure that the regulations released today are implemented properly and in a timely manner," he said. "To that end, the House remains ready to take up H.R. 850 if the regulations do not allow American companies to fully compete in the global marketplace." While IT officials largely were pleased with the changes, they were hesitant to applaud fully. Yet some in the industry said they do not necessarily want to see lawmakers jumping back into the fight just yet."If we open that Pandora's box of re-opening up the SAFE bill, we might end up with an un-SAFE bill," one IT industry official remarked.Computer and Communications Industry Association President Edward Black said the existing controls have weakened electronic security and tilted the marketplace so that domestic encryption products could not compete in the global market. The new regulations largely eliminate that inequity, he noted."It took insight and courage to finally change the fundamental concept of a flawed policy, and while the new regulations are somewhat complicated and leave some matters unaddressed, we believe that the interim final regulations will allow our companies to export their products and provide confidentiality and security to consumers," Black said.Others were not so supportive.Internet civil liberties groups, including the American Civil Liberties Union, Electronic Frontier Foundation and the Electronic Privacy Information Center, said the new regulations fall short and vowed to continue to press for changes via a number of existing court cases. Those cases, the groups said, seek to eliminate U.S. government regulations that make Internet encryption software and technology more cumbersome to publish or transmit than when published in other media.Specifically, they said, the new encryption regulations resemble the old ones in that they impose special requirements on Internet speech. That contradicts a 1997 Supreme Court ruling, Reno vs. ACLU, they maintained."The regulations require that the government be notified of any electronic export of publicly available encryption source code and prohibit export to certain countries," they said. "Yet people may freely send the same information anywhere on paper."The White House regulations leave in place export restrictions to countries that support terrorism, including Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.Another area of concern is the issue of source code export."The regulations are still a completely discretionary licensing scheme," the ACLU said in a statement. "They continue to require licenses for a large amount of communications protected by the First Amendment, including transmitting source code that is not 'publicly available,' source code that is 'restricted,' source code forming an 'open cryptographic interface' and various forms of object code."The regulations also retain the ban on providing information on how to create or use some encryption technology, labeling it as prohibited "technical assistance," the ACLU added. The regulations thus leave software publishers open to fine or imprisonment for helping people use their code."The rules are a step forward, but they are still too complex and leave too many questions unanswered," wrote Barry Steinhardt, associate director for the ACLU. "Now that the administration has tacitly admitted that it can't and shouldn't control the use of encryption, it should have announced a simple deregulation rather than a regulatory maze."The White House has not closed discussion on the issue. Interested parties can file their suggestions and complaints within 120 days of the release of the new rules to the Commerce Department.